#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ
https://pastebin.com/9JXvM5ix
previous_contact:
07/12/20 https://pastebin.com/20AVUqZ6
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587
email_headers
--------------
Received: from server.cdcnet.hu (server.cdcnet.hu [89.132.146.50])
Received: from localhost (localhost.localdomain [127.0.0.1])
by server.cdcnet.hu (Postfix) with ESMTP id C787D3C4;
with ESMTP id MYnIjZSd9U-H; Wed, 10 Feb 2021 09:28:42 +0100 (CET)
Received: from cdcnet.hu (localhost [IPv6:::1])
by server.cdcnet.hu (Postfix) with ESMTP id 93B287C3;
Date: Wed, 10 Feb 2021 03:28:34 -0500
From: ПриватБанк | Оплата та виставлення рахунків <maglodkozvil@cdcnet.hu>
Subject: Копія платіжного доручення
In-Reply-To: <0d74b645da45a1b70836413c1bc66d84@artexsaigon.com.vn>
References: <CACMRaMXLhBoJfYAQhxqSAdNu-DnLF7ktbMLxpub8i3_ngFV=LQ@mail.gmail.com>
X-Sender: maglodkozvil@cdcnet.hu
User-Agent: Roundcube Webmail/1.2.3
files
--------------
SHA-256 c0b7cb8bb82ab3b25c87aaf5aee2679857c030bb216272dc49d2d3d157a9cc9d
File name Платіжне доручення.tgz [ GZIP ]
File size 484.20 KB (495821 bytes)
SHA-256 3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd
File name Платіжне доручення.exe [ .NET executable ]
File size 917.50 KB (939520 bytes)
unpacked from exe
--------------
SHA-256 76d943b7ec3646eb97870f85001cae19a2cd552b72fb4dc00d354ce8715b80f9
File name child1.exe [ .NET executable ]
File size 407.50 KB (417280 bytes)
SHA-256 2c2fbae20d46eb124ff52f0894e82490e5e1c9f044d115a5fbc590d611bea6de
File name child2.exe [ .NET executable ]
File size 216.00 KB (221184 bytes)
SHA-256 2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
File name child3.exe [ .NET executable ]
File size 12.50 KB (12800 bytes)
activity
**************
PL_SCR current
https://onedrive.live.com/download?cid=44BBFEE50A375AFB&resid=44BBFEE50A375AFB!3900&authkey=AE3hRpZjTZyiajM
previous
(07/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21282&authkey=AIrAAExjvidyMqA
(04/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug
C2 212.227.15.158:587 [smtp.1and1.es]
!Steals private information from local Internet browsers
--------------
C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key4.db
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\logins.json
C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\operator\AppData\Roaming\Comodo\IceDragon\profiles.ini
!Harvests credentials from local FTP client software
--------------
C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx
!Harvests information related to installed mail clients
--------------
C:\Users\operator\AppData\Roaming\Postbox\profiles.ini
C:\Users\operator\AppData\Roaming\eM Client
C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\operator\AppData\Roaming\The Bat!
C:\Users\operator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini
netwrk
--------------
212.227.15.158 smtp.1and1.es Client Hello
comp
--------------
Платіжне доручення.exe 1752 TCP 212.227.15.158 587 ESTABLISHED
proc
--------------
C:\Users\operator\Desktop\Платіжне доручення.exe
C:\Users\operator\Desktop\Платіжне доручення.exe
persist
--------------
n/a
drop
--------------
n/a
# # #
https://www.virustotal.com/gui/file/c0b7cb8bb82ab3b25c87aaf5aee2679857c030bb216272dc49d2d3d157a9cc9d/details
https://www.virustotal.com/gui/file/3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd/details
https://analyze.intezer.com/analyses/195a9005-58aa-4c4d-ad11-757597d8e9f8
https://www.unpac.me/results/dc6cf224-7085-4875-8773-195289d3016e
https://www.virustotal.com/gui/file/76d943b7ec3646eb97870f85001cae19a2cd552b72fb4dc00d354ce8715b80f9/details
https://analyze.intezer.com/analyses/6ee98d18-9d85-49fa-b71c-076624798b66
https://www.virustotal.com/gui/file/2c2fbae20d46eb124ff52f0894e82490e5e1c9f044d115a5fbc590d611bea6de/details
https://analyze.intezer.com/analyses/86225281-c469-42a8-89f0-526359366616
https://www.virustotal.com/gui/file/2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849/details
https://analyze.intezer.com/analyses/0f1c3fd7-1071-4c49-bae7-2a64488a366b
VR