#IOC #OptiData #VR #agenttesla #RAT #Keylogger #NET #11882
https://pastebin.com/MdDfZDdb
previous contact:
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
attack_vector
--------------
email attach .xlsx > CVE-2017-11882 > EQNEDT32 > GET 1 URL > AppData\Roaming\*.exe
email_headers
--------------
Received: from rpi.co.id ([188.165.89.102])
by srv8.victim1.com for <user0@org7.victim1.com>;
(envelope-from purchasing@rpi.co.id)
From: "Jiangsu Chunlant" <purchasing@rpi.co.id>
To: user0@org7.victim1.com
Subject: RFQ
Date: 09 Jan 2019 06:52:43 +0100
files
--------------
SHA-256 7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63
File name quotation.xlsx [Microsoft Excel 2007+]
File size 62.52 KB
SHA-256 41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477
File name BPH.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.08 MB
activity
**************
PL_SRC http://guideofgeorgia.org/gcf/BLE/BPH.exe
netwrk
--------------
http_get
62.212.33.98 guideofgeorgia.org GET /gcf/BLE/BPH.exe HTTP/1.1 Mozilla/4.0
52.200.143.163 checkip.amazonaws.com GET / HTTP/1.1
ssl_msa
198.54.122.60 mail.privateemail.com 587
comp
--------------
EQNEDT32.EXE 1980 TCP 62.212.33.98 80 ESTABLISHED
BPH.exe 3088 TCP 198.54.122.60 587 ESTABLISHED
BPH.exe 3088 TCP 52.200.143.163 80 ESTABLISHED
[System] 0 TCP 198.54.122.60 587 TIME_WAIT
BPH.exe 3088 TCP 52.200.143.163 80 ESTABLISHED
proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\lsjdklsl.exe
C:\Users\operator\AppData\Roaming\lsjdklsl.exe
"C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe" C:\tmp\9cb8c2c4-4c32-4a67-b13d-9ef3e31ecae6.tmp
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.01.2019 9:08
lsjdklsl.exe
C:\Users\operator\AppData\Roaming\lsjdklsl.exe
drop
--------------
C:\Users\operator\AppData\Roaming\lsjdklsl.exe
C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe
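A behavioural detector for the chain above (Equation Editor opening a network connection or spawning a child, an .exe dropped under AppData\Roaming with a Run-key entry, and one process doing a checkip.amazonaws.com lookup followed by SMTP submission on 587), as an added example that is not part of the original paste. The sample events are constructed from the proc / netwrk / comp / persist sections; the event field names, the parent-process links and the mail-client allow list are assumptions, not a real Sysmon schema. The hash and IP exact matches are the paste's own indicators; the behavioural rules are meant to keep firing when those change.

```python
"""Behavioural detection for the AgentTesla chain in the IOC above.

Added example; not part of the original paste. Events are constructed,
modelled on the proc / netwrk / comp / persist sections. Field names,
parent-process links and the mail-client allow list are assumptions.
"""
import re

# Exact-match IOCs copied from the paste.
IOC_IPS = {"62.212.33.98", "198.54.122.60", "52.200.143.163"}
IOC_SHA256 = {
    "7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63",  # quotation.xlsx
    "41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477",  # BPH.exe
}

# Behavioural patterns (survive a change of hash, domain or IP).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)  # also RunOnce
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\\s\"]+\.exe\b", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow list for TCP/587
EQN = "eqnedt32.exe"  # Equation Editor never needs the network or child processes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, rule, detail) tuples for a list of event dicts."""
    alerts = []
    smtp_pids, ipcheck_pids = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "file" and ev.get("sha256") in IOC_SHA256:
            alerts.append(("high", "ioc_hash", ev["path"]))
        elif kind == "process":
            if basename(ev.get("parent_image", "")) == EQN:
                alerts.append(("critical", "eqnedt32_child", ev["image"]))
            if ROAMING_EXE_RE.search(ev["image"]):
                alerts.append(("medium", "exe_in_appdata_roaming", ev["image"]))
        elif kind == "net":
            img = basename(ev["image"])
            dst = f"{ev.get('dst_host') or ev['dst_ip']}:{ev['dst_port']}"
            if ev["dst_ip"] in IOC_IPS:
                alerts.append(("high", "ioc_ip", f"{img} -> {dst}"))
            if img == EQN:
                alerts.append(("critical", "eqnedt32_network", f"{img} -> {dst}"))
            if ev["dst_port"] == 587 and img not in MAIL_CLIENTS:
                smtp_pids.add(ev["pid"])
                alerts.append(("high", "smtp_from_non_mail_client", f"{img} -> {dst}"))
            if ev.get("dst_host") == "checkip.amazonaws.com":
                ipcheck_pids.add(ev["pid"])  # benign on its own; scored in combination below
        elif kind == "reg":
            if RUN_KEY_RE.search(ev["key"]) and ROAMING_EXE_RE.search(ev["data"]):
                alerts.append(("high", "run_key_to_appdata_roaming", ev["data"]))
    # Stealer fingerprint: one process learns its public IP, then submits mail on 587.
    for pid in sorted(smtp_pids & ipcheck_pids):
        alerts.append(("critical", "stealer_ipcheck_then_smtp", f"pid {pid}"))
    return alerts


EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROP_PATH = r"C:\Users\operator\AppData\Roaming\lsjdklsl.exe"

# Constructed telemetry following the paste; PIDs are the paste's, parent links are assumed.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\operator\Downloads\quotation.xlsx",
     "sha256": "7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63"},
    {"type": "process", "pid": 1980, "image": EQN_PATH,
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # assumed DCOM launch (-Embedding)
    {"type": "net", "pid": 1980, "image": EQN_PATH,
     "dst_ip": "62.212.33.98", "dst_port": 80, "dst_host": "guideofgeorgia.org"},
    {"type": "process", "pid": 3088, "image": DROP_PATH, "parent_image": EQN_PATH},
    {"type": "reg", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "lsjdklsl.exe", "data": DROP_PATH},
    {"type": "net", "pid": 3088, "image": DROP_PATH,
     "dst_ip": "52.200.143.163", "dst_port": 80, "dst_host": "checkip.amazonaws.com"},
    {"type": "net", "pid": 3088, "image": DROP_PATH,
     "dst_ip": "198.54.122.60", "dst_port": 587, "dst_host": "mail.privateemail.com"},
    # Benign control: a real mail client on 587 must not fire.
    {"type": "net", "pid": 4100, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dst_ip": "203.0.113.25", "dst_port": 587, "dst_host": "smtp.example.net"},
]

if __name__ == "__main__":
    for sev, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev:8}] {rule:28} {detail}")
```

Against the sample the EQNEDT32 network connection and its child process fire on their own, and the checkip lookup, which is harmless alone, only raises an alert once the same PID is also seen submitting mail on 587 from something that is not a mail client.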
# # #
https://www.virustotal.com/#/file/7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63/details
https://www.virustotal.com/#/file/41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477/details
https://analyze.intezer.com/#/analyses/38d35537-83e6-4d41-a910-d152cb7d407e
VR
@