Email forward chain: 60e1212e3f5b039d10d0c40d77ea82d6bf679555553e36efc16894d7ba38e301

From: Redgate - Frankie <redgate@vip.163.com> 
Sent: Tuesday, March 17, 2020 10:23 PM
To: Info-Proces__substg1.0_0F030102
sChemical <Info-ProcessChemical@tkinet.com>
Subject: RE: RE: PO (COVID-19)
Dear info-processchemical,
Please find attached our stamped and signed PO
Please send me your Performa invoice in order to make the bank transfer this week.
PROTEGE-TE SEMPRE A TI E AOS OUTROS CONTRA O #CORONAVIRUS!
Best Regards
RCL - Frankie
****************************************************
REDGATE (H.K.) TRADING DEVELOPMENT CO., LTD.
Tel: 8620 - 3730 3456
Fax: 8620 - 3730 3466
Mobile: 86 - 137 5180 1340
E-mail: redgate@vip.163.com <mailto:redgate@vip.163.com>

Will drop a GuLoader pretending to be a batch file: d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a

VBCrypter is still the same, delivery: hxxps://drive.google[.]com/uc?export=download&id=1xz02BCj0obD4UPgs0CMtu_6GXxCEYXzS

suspect key 522 bytes '43a9794c90c36e6c2eea70de1c62075d182cab716446a092026de603f02a3982ecf3225238c91773d63519e581adb0a8c07654770d4d4998aab88f0a5530e28994fa869de1147bbd7e3bc12f29b358ae697dfc7eb597f1e353be3710fd378ad33d002fa3891a24c427426a36d2fe01f91183a5c85e9e9ae9fb09e05ba68133dae54bd7ee3221cc0e8c8c123c7a0465ff76ce4dcf06e842f0600f44614e88db244a5180f4da6b75153493bb87230b0e061ed4f6196befeb3a0816ed68f78e842bf25828fb3f721d1bdddd97c1ff8aea84fb538e5447298375e594c9e6d30d6165cfd605791bacfa9ab918400ca890938ba359375af0742c7b8d9b72ed7c13c5b077ddad80c4f7a2a0621ea41250973b914c60dfa5987ad4c636a11a37245e6eb6202756866cfd4ba70a694d19b5e1e4dcf4aa88ab41817dccdeecc33e896416bdc82ebad11548aff1b36ff5635de88ce29db130b2e9cb251787f26b44316bbf07713463d7bd4e58f85b769e6a0632352d45b7d9fc92d2ce1d2f3d148fdab5670e197f0b2266550042c0c04670ae399933aa0281033a1c76249443789582bc10587e85b4280e9fa94968c7efbb573f423a52082a4d9f231f6e3c4a219c2bc2b85f268c5c2f73a6514f111197c1ff8aea84fb538e5447298375e594c9e6d30d6165cfd605791bacfa9ab918400ca890938ba359375af0742c7b8d9b72ed7c13c5b077ddad80c4f7a2a0621e'

Decoded payload: 325488aeb875af06e07f609aa1d1a4357a125c714bb3d143da70ee18887f7441

Appears to be Agent Tesla

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md

d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md

Files

d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md

Latest commit

History

d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md

File metadata and controls