From 8fb4e0077eefa4080add27dbfcce8d609ad5ff7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Nov=C3=A1k?= Date: Wed, 24 Aug 2022 13:20:01 +0200 Subject: [PATCH] IoCs for Agent Tesla ISO Email campaign --- AgentTeslaISOCampaign/README.md | 31 ++++++++++++++++++++++++++++ AgentTeslaISOCampaign/network.txt | 4 ++++ AgentTeslaISOCampaign/samples.md5 | 3 +++ AgentTeslaISOCampaign/samples.sha1 | 3 +++ AgentTeslaISOCampaign/samples.sha256 | 3 +++ 5 files changed, 44 insertions(+) create mode 100644 AgentTeslaISOCampaign/README.md create mode 100644 AgentTeslaISOCampaign/network.txt create mode 100644 AgentTeslaISOCampaign/samples.md5 create mode 100644 AgentTeslaISOCampaign/samples.sha1 create mode 100644 AgentTeslaISOCampaign/samples.sha256 diff --git a/AgentTeslaISOCampaign/README.md b/AgentTeslaISOCampaign/README.md new file mode 100644 index 0000000..1db8ef1 --- /dev/null +++ b/AgentTeslaISOCampaign/README.md @@ -0,0 +1,31 @@ +# IoC from Operation Dragon Castling + +Malware analysis and more technical information at + + +### Table of Contents +* [Samples (SHA-256)](#samples-sha-256) +* [Network indicators](#network-indicators) + +## Samples (SHA-256) +``` +ISO Attachment +83fe51953a0fe44389e197244faf90afe8ee80101dc33cb294cf6ef710e5aaba + +AgentTesla Downloader Script +76f707afa3d4b2678aa5af270ea9325de6f8fdc4badf7249418e785438f1b8da + +AgentTesla Injector +eb455ffb1595d1a06fc850ebc49b270ae84dd609e7b52144a60bb45cf4c4eb0e +``` + +## Network indicators +``` +FTP Exfiltration Server +ftp.akmokykla.lt + +AgentTesla Download Servers +assltextile.com/Su34M.jpg +consult-mob.ro/M777.jpg +handcosalon.com/Su57.jpg +``` \ No newline at end of file diff --git a/AgentTeslaISOCampaign/network.txt b/AgentTeslaISOCampaign/network.txt new file mode 100644 index 0000000..0643741 --- /dev/null +++ b/AgentTeslaISOCampaign/network.txt @@ -0,0 +1,4 @@ +ftp.akmokykla.lt +assltextile.com/Su34M.jpg +consult-mob.ro/M777.jpg +handcosalon.com/Su57.jpg \ No newline at end of file 
diff --git a/AgentTeslaISOCampaign/samples.md5 b/AgentTeslaISOCampaign/samples.md5 new file mode 100644 index 0000000..cad0182 --- /dev/null +++ b/AgentTeslaISOCampaign/samples.md5 @@ -0,0 +1,3 @@ +540594cb9d666f26237e6c346a875e1a +6664317aae5097b03ee282210c3d32b8 +c3dbb827394bed4ea054a4c50eedc161 \ No newline at end of file diff --git a/AgentTeslaISOCampaign/samples.sha1 b/AgentTeslaISOCampaign/samples.sha1 new file mode 100644 index 0000000..09def37 --- /dev/null +++ b/AgentTeslaISOCampaign/samples.sha1 @@ -0,0 +1,3 @@ +f3f77f07de43e480a983448c61e53a160c1b6ada +7e3f9c2f1ebc383fd7e057e6fa32f5cdc74502d5 +683c33b67d5f09add96a60a3dd998769309edb99 \ No newline at end of file diff --git a/AgentTeslaISOCampaign/samples.sha256 b/AgentTeslaISOCampaign/samples.sha256 new file mode 100644 index 0000000..ca42c9b --- /dev/null +++ b/AgentTeslaISOCampaign/samples.sha256 @@ -0,0 +1,3 @@ +83fe51953a0fe44389e197244faf90afe8ee80101dc33cb294cf6ef710e5aaba +76f707afa3d4b2678aa5af270ea9325de6f8fdc4badf7249418e785438f1b8da +eb455ffb1595d1a06fc850ebc49b270ae84dd609e7b52144a60bb45cf4c4eb0e \ No newline at end of file
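Review bot: the README hunk's title does not match the patch: the heading reads "# IoC from Operation Dragon Castling" while the Subject line and directory name say this is the Agent Tesla ISO e-mail campaign, which looks like a leftover from a copied template and will mislead anyone landing on the file directly; the line "Malware analysis and more technical information at" also ends without the link it promises (the next two lines are empty). Suggest changing the heading to "# IoCs for the Agent Tesla ISO e-mail campaign" and either adding the analysis URL or dropping the dangling sentence until it is available.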
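Review bot: in the network.txt hunk, an FTP exfiltration hostname (`ftp.akmokykla.lt`) is listed in the same flat file as three download URLs without scheme (`assltextile.com/Su34M.jpg`, ...), so a consumer cannot tell a domain indicator from a URL indicator without cross-referencing the README, and the URLs are ambiguous about protocol. Suggest either splitting into `domains.txt` and `urls.txt` or prefixing each line with its type, and recording the scheme for the URLs if known.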
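Review bot: the samples.md5, samples.sha1 and samples.sha256 hunks are three unlabeled lists whose correspondence to the ISO attachment, downloader script and injector is only by line position, and the README documents the role only for the SHA-256 values; a reader of samples.md5 has no way to confirm that `540594cb9d666f26237e6c346a875e1a` is the ISO rather than the injector. Suggest adding a comment or a single CSV-style file with one row per sample (role, MD5, SHA-1, SHA-256), or listing all three hashes under each sample heading in the README. Every new file in the patch is also committed without a trailing newline ("\ No newline at end of file"), which makes line-oriented tooling miscount the last entry and produces noisy diffs on the next edit; add the final newline.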