#AgentTesla_041018

VRad, Oct 6th, 2018 (edited)
#IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882

https://pastebin.com/JYShuXn4
FAQ:
https://radetskiy.wordpress.com/?s=11882
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

schema
--------------
email > attach (RTF) > 11-882 > GET > .exe

email_headers
--------------
Received: from baichuan.com.tw (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
    by mail2.victim.com for <user2@org2.victim.com>; Thu, 4 Oct 2018 23:05:31 +0300 (EEST)
    (envelope-from info@baichuan.com.tw)
Reply-To: CHUAN ENTERPRISE <info@baichuan.com.tw>
From: "CHUAN ENTERPRISE" <info@baichuan.com.tw>
To: user2@org2.victim.com
Subject: Our New Quotation
Date: 04 Oct 2018 13:05:11 -0700

files
--------------
SHA-256 60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070
File name   OUR NEW ORDER.dat
File size   8.16 KB

SHA-256 8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d
File name   U.exe
File size   529 KB

payload_sources
--------------
202.143.99.109  modimedia{.} in

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\Windows\System32\eventvwr.exe"
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\tmp\d1aa47d0-9602-4db5-b86c-fd55bdf26098.exe" C:\tmp\1b7d96b9-b11b-40b0-9f9c-2719884c5bd7.tmp

netwrk
--------------
202.143.99.109  modimedia{.} in     GET /zom/U.exe HTTP/1.1     Mozilla/4.0
216.146.38.70   checkip.dyndns{.} org   GET / HTTP/1.1
204.141.43.210  S: 220 mx.zohomail{.} com SMTP Server

comp
--------------
EQNEDT32.EXE        1668    202.143.99.109  80  ESTABLISHED
[System Process]    0   216.146.38.70   80  TIME_WAIT
namegsdsgd.exe      3304    204.141.43.210  587 ESTABLISHED     > smtp.zoho(!)
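
Added example (not part of the paste): a small Python check that flags rows of a netstat-style table such as the "comp" section above, using the three behaviours this case shows (Equation Editor opening a socket, an AppData binary talking SMTP, a hit on a known IOC address). The sample rows are copied from the comp section; the mail-client allow-list and the finding names are assumptions.

```python
"""Flag suspicious rows in a netstat-style connection table (added example)."""
import re
from typing import Dict, List

# Addresses taken from the paste's netwrk/comp sections.
IOC_IPS = {"202.143.99.109", "216.146.38.70", "204.141.43.210"}
# Office helper binaries that have no legitimate reason to open sockets;
# EQNEDT32.EXE with a connection is the follow-on of the 11882 RTF exploit.
OFFICE_HELPERS = {"eqnedt32.exe"}
MAIL_PORTS = {25, 465, 587}
# Assumed allow-list: processes that may legitimately speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# proc name (may contain spaces), pid, remote ip, remote port, state; trailing notes ignored
ROW = re.compile(
    r"^(?P<proc>\S.*?)\s+(?P<pid>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<state>\S+)"
)


def classify(line: str) -> List[str]:
    """Return the findings for one connection-table row (empty list = nothing odd)."""
    m = ROW.match(line.strip())
    if not m:
        return []
    proc = m["proc"].strip().lower()
    port = int(m["port"])
    findings: List[str] = []
    if proc in OFFICE_HELPERS and m["state"].upper() == "ESTABLISHED":
        findings.append("office-helper-network")
    if port in MAIL_PORTS and proc not in MAIL_CLIENTS:
        findings.append("smtp-from-non-mail-client")  # typical keylogger exfil channel
    if m["ip"] in IOC_IPS:
        findings.append("known-ioc-ip")
    return findings


def scan(table: str) -> Dict[str, List[str]]:
    """Map every flagged row of a multi-line table to its findings."""
    return {ln: f for ln in table.splitlines() if (f := classify(ln))}


# Constructed sample: the three rows from the comp section plus one benign row.
SAMPLE = """EQNEDT32.EXE        1668    202.143.99.109  80  ESTABLISHED
[System Process]    0   216.146.38.70   80  TIME_WAIT
namegsdsgd.exe      3304    204.141.43.210  587 ESTABLISHED     > smtp.zoho(!)
outlook.exe         2200    10.0.0.5        587 ESTABLISHED"""

if __name__ == "__main__":
    for row, hits in scan(SAMPLE).items():
        print(f"{', '.join(hits):40s} {row}")
```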

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              05.10.2018 16:34
MyOtApp         c:\tmp\myotapp\myotapp.exe  29.01.1992 1:03

# # #
https://www.virustotal.com/#/file/60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070/community
https://www.virustotal.com/#/file/8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d/community
https://analyze.intezer.com/#/analyses/9d1f4f9f-23fe-4fa6-95fd-ded6a9454c7e