#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ
https://pastebin.com/20AVUqZ6
previous_contact:
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587
email_headers
--------------
n/a
files
--------------
SHA-256 602f146907a0a3c018021258fbd79a14c373bc7c155a831c959121b34c96bb7f
File name 39202 071220.tgz [ gzip compressed data ]
File size 1.55 MB (1624248 bytes)
SHA-256 276b4f0604ba02c08af9202ad2761f452f10e4adc061eefa713fbd055aa0b4c0
File name 39202 071220.exe [ .NET executable ]
File size 1.80 MB (1891328 bytes)
activity
**************
PL_SCR https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21282&authkey=AIrAAExjvidyMqA
previous (04/12/20):
https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug
C2 212.227.15.142:587 [smtp.1and1.es]
212.227.15.158:587 [smtp.1and1.es]
!Steals private information from local Internet browsers
--------------
C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key4.db
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\logins.json
C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\operator\AppData\Roaming\Comodo\IceDragon\profiles.ini
!Harvests credentials from local FTP client software
--------------
C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx
!Harvests information related to installed mail clients
--------------
C:\Users\operator\AppData\Roaming\Postbox\profiles.ini
C:\Users\operator\AppData\Roaming\eM Client
C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\operator\AppData\Roaming\The Bat!
C:\Users\operator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini
netwrk
--------------
212.227.15.158 smtp.1and1.es Client Hello
comp
--------------
39202 071220.exe 3424 TCP 212.227.15.142 587 ESTABLISHED
proc
--------------
C:\Users\operator\Desktop\39202 071220.exe [4044]
C:\Users\operator\Desktop\39202 071220.exe [2164]
C:\Users\operator\Desktop\39202 071220.exe [3424]
persist
--------------
n/a
drop
--------------
n/a
# # #
https://www.virustotal.com/gui/file/602f146907a0a3c018021258fbd79a14c373bc7c155a831c959121b34c96bb7f/details
https://www.virustotal.com/gui/file/276b4f0604ba02c08af9202ad2761f452f10e4adc061eefa713fbd055aa0b4c0/details
https://analyze.intezer.com/analyses/81115223-7b13-4773-bc20-97373c847814
VR