VRad

#AgentTesla_041018

Oct 6th, 2018
#IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882

https://pastebin.com/JYShuXn4
FAQ:
https://radetskiy.wordpress.com/?s=11882
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

schema
--------------
email > attach (RTF) > 11882 > GET > .exe

email_headers
--------------
Received: from baichuan.com.tw (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
by mail2.victim.com for <user2@org2.victim.com>; Thu, 4 Oct 2018 23:05:31 +0300 (EEST)
(envelope-from info@baichuan.com.tw)
Reply-To: CHUAN ENTERPRISE <info@baichuan.com.tw>
From: "CHUAN ENTERPRISE" <info@baichuan.com.tw>
To: user2@org2.victim.com
Subject: Our New Quotation
Date: 04 Oct 2018 13:05:11 -0700

files
--------------
SHA-256 60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070
File name OUR NEW ORDER.dat
File size 8.16 KB

SHA-256 8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d
File name U.exe
File size 529 KB

payload_sources
--------------
202.143.99.109 modimedia{.} in

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\Windows\System32\eventvwr.exe"
"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
"C:\tmp\d1aa47d0-9602-4db5-b86c-fd55bdf26098.exe" C:\tmp\1b7d96b9-b11b-40b0-9f9c-2719884c5bd7.tmp

netwrk
--------------
202.143.99.109 modimedia{.} in GET /zom/U.exe HTTP/1.1 Mozilla/4.0
216.146.38.70 checkip.dyndns{.} org GET / HTTP/1.1
204.141.43.210 S: 220 mx.zohomail{.} com SMTP Server

comp
--------------
EQNEDT32.EXE 1668 202.143.99.109 80 ESTABLISHED
[System Process] 0 216.146.38.70 80 TIME_WAIT
namegsdsgd.exe 3304 204.141.43.210 587 ESTABLISHED > smtp.zoho(!)
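
As an added example (not part of the original paste), a small Python triage script that parses the proc and comp blocks above and flags the two behaviours this sample shows: EQNEDT32.EXE opening a network connection, and a binary launched from AppData\Roaming talking to an SMTP port. The input lines are constructed from the paste plus one invented benign WINWORD.EXE connection for contrast.

```python
import re

# Constructed sample input in the layout used by the paste: the "proc" command
# lines and the "comp" connection table (image, PID, remote IP, port, state).
PROC_LINES = [
    r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde',
    r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
    r'"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"',
]
COMP_LINES = [
    "EQNEDT32.EXE 1668 202.143.99.109 80 ESTABLISHED",
    "[System Process] 0 216.146.38.70 80 TIME_WAIT",
    "namegsdsgd.exe 3304 204.141.43.210 587 ESTABLISHED > smtp.zoho(!)",
    "WINWORD.EXE 2212 10.0.0.5 443 ESTABLISHED",  # invented benign line for contrast
]

# Equation Editor has no reason to open sockets; a connection from it is the
# signature of a CVE-2017-11882 document fetching its payload.
NO_NETWORK_IMAGES = {"eqnedt32.exe"}
MAIL_PORTS = {25, 465, 587}  # AgentTesla exfiltrates stolen credentials over SMTP
CONN_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<state>[A-Z_]+)")

def parse_comp(lines):
    """Parse connection-table lines into dicts; trailing analyst notes are ignored."""
    conns = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["port"] = int(d["pid"]), int(d["port"])
            conns.append(d)
    return conns

def roaming_images(proc_lines):
    """Lower-case image names of processes launched from a user's AppData\\Roaming."""
    names = set()
    for line in proc_lines:
        m = re.match(r'^"([^"]+)"', line.strip())
        if m and "\\appdata\\roaming\\" in m.group(1).lower():
            names.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return names

def triage(proc_lines, comp_lines):
    """Return (image, reason) pairs for connections that warrant an alert."""
    roaming = roaming_images(proc_lines)
    hits = []
    for c in parse_comp(comp_lines):
        name = c["image"].lower()
        if name in NO_NETWORK_IMAGES:
            hits.append((c["image"], f"Equation Editor connected to {c['ip']}:{c['port']}"))
        elif name in roaming and c["port"] in MAIL_PORTS:
            hits.append((c["image"], f"AppData\\Roaming binary talking SMTP to {c['ip']}:{c['port']}"))
    return hits
```

Running `triage(PROC_LINES, COMP_LINES)` yields two alerts, one for EQNEDT32.EXE and one for namegsdsgd.exe, while the dyndns check and the invented WINWORD.EXE connection pass silently.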

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05.10.2018 16:34
MyOtApp c:\tmp\myotapp\myotapp.exe 29.01.1992 1:03

# # #
https://www.virustotal.com/#/file/60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070/community
https://www.virustotal.com/#/file/8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d/community
https://analyze.intezer.com/#/analyses/9d1f4f9f-23fe-4fa6-95fd-ded6a9454c7e