#Agenttesla_090119

1. #IOC #OptiData #VR #agenttesla #RAT #Keylogger #NET #11882
2.  
3. https://pastebin.com/MdDfZDdb
4.  
5. previous contact:
6. 16/10/18 https://pastebin.com/d5DxTRrB
7. 04/10/18 https://pastebin.com/JYShuXn4
8. 11/10/18 https://pastebin.com/bkCSvJvM
9.  
10. FAQ:
11. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
12.  
13. attack_vector
14. --------------
15. email attach .xlsx > 11882 > EQNEDT32 > GET 1 URL > AppData\Roaming\*.exe
16.  
17. email_headers
18. --------------
19. Received: from rpi.co.id ([188.165.89.102])
20. by srv8.victim1.com for <user0@org7.victim1.com>;
21. (envelope-from purchasing@rpi.co.id)
22. From: "Jiangsu Chunlant" <purchasing@rpi.co.id>
23. To: user0@org7.victim1.com
24. Subject: RFQ
25. Date: 09 Jan 2019 06:52:43 +0100
26.  
27. files
28. --------------
29. SHA-256 7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63
30. File name quotation.xlsx [Microsoft Excel 2007+]
31. File size 62.52 KB
32.  
33. SHA-256 41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477
34. File name BPH.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
35. File size 1.08 MB
36.  
37. activity
38. **************
39.  
40. PL_SRC http://guideofgeorgia.org/gcf/BLE/BPH.exe
41.  
42. netwrk
43. --------------
44. http_get
45. 62.212.33.98 guideofgeorgia.org GET /gcf/BLE/BPH.exe HTTP/1.1 Mozilla/4.0
46. 52.200.143.163 checkip.amazonaws.com GET / HTTP/1.1
47.  
48. ssl_msa
49. 198.54.122.60 mail.privateemail.com 587
50.  
51. comp
52. --------------
53. EQNEDT32.EXE 1980 TCP 62.212.33.98 80 ESTABLISHED
54.  
55. BPH.exe 3088 TCP 198.54.122.60 587 ESTABLISHED
56. BPH.exe 3088 TCP 52.200.143.163 80 ESTABLISHED
57. [System] 0 TCP 198.54.122.60 587 TIME_WAIT
58. BPH.exe 3088 TCP 52.200.143.163 80 ESTABLISHED
59.  
60. proc
61. --------------
62. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
63. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
64. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
65. "C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe" C:\tmp\9cb8c2c4-4c32-4a67-b13d-9ef3e31ecae6.tmp
66.  
67. persist
68. --------------
69. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.01.2019 9:08
70. lsjdklsl.exe
71. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
72.  
73. drop
74. --------------
75. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
76. C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe
77.  
78. # # #
79. https://www.virustotal.com/#/file/7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63/details
80. https://www.virustotal.com/#/file/41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477/details
81. https://analyze.intezer.com/#/analyses/38d35537-83e6-4d41-a910-d152cb7d407e
82.  
83. VR
84.  
85. @