SHARE
TWEET

#Agenttesla_090119

VRad Jan 10th, 2019 (edited) 194 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #agenttesla #RAT #Keylogger #NET #11882
  2.  
  3. https://pastebin.com/MdDfZDdb
  4.  
  5. previous contact:
  6. 16/10/18    https://pastebin.com/d5DxTRrB
  7. 04/10/18    https://pastebin.com/JYShuXn4
  8. 11/10/18    https://pastebin.com/bkCSvJvM
  9.  
  10. FAQ:
  11. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
  12.  
  13. attack_vector
  14. --------------
  15. email attach .xlsx > 11882 > EQNEDT32 > GET 1 URL > AppData\Roaming\*.exe
  16.  
  17. email_headers
  18. --------------
  19. Received: from rpi.co.id ([188.165.89.102])
  20.     by srv8.victim1.com for <user0@org7.victim1.com>;
  21.     (envelope-from purchasing@rpi.co.id)
  22. From: "Jiangsu Chunlant" <purchasing@rpi.co.id>
  23. To: user0@org7.victim1.com
  24. Subject: RFQ
  25. Date: 09 Jan 2019 06:52:43 +0100
  26.  
  27. files
  28. --------------
  29. SHA-256 7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63
  30. File name   quotation.xlsx      [Microsoft Excel 2007+]
  31. File size   62.52 KB
  32.  
  33. SHA-256 41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477
  34. File name   BPH.exe         [PE32 executable (GUI) Intel 80386, for MS Windows]
  35. File size   1.08 MB
  36.  
  37. activity
  38. **************
  39.  
  40. PL_SRC  http://guideofgeorgia.org/gcf/BLE/BPH.exe
  41.  
  42. netwrk
  43. --------------
  44. http_get
  45. 62.212.33.98    guideofgeorgia.org  GET /gcf/BLE/BPH.exe HTTP/1.1   Mozilla/4.0
  46. 52.200.143.163  checkip.amazonaws.com   GET / HTTP/1.1
  47.  
  48. ssl_msa
  49. 198.54.122.60   mail.privateemail.com   587
  50.  
  51. comp
  52. --------------
  53. EQNEDT32.EXE    1980    TCP 62.212.33.98    80  ESTABLISHED
  54.  
  55. BPH.exe     3088    TCP 198.54.122.60   587 ESTABLISHED
  56. BPH.exe     3088    TCP 52.200.143.163  80  ESTABLISHED
  57. [System]    0   TCP 198.54.122.60   587 TIME_WAIT
  58. BPH.exe     3088    TCP 52.200.143.163  80  ESTABLISHED
  59.  
  60. proc
  61. --------------
  62. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  63. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
  64. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
  65. "C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe" C:\tmp\9cb8c2c4-4c32-4a67-b13d-9ef3e31ecae6.tmp
  66.  
  67. persist
  68. --------------
  69. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              09.01.2019 9:08
  70. lsjdklsl.exe           
  71. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
  72.  
  73. drop
  74. --------------
  75. C:\Users\operator\AppData\Roaming\lsjdklsl.exe
  76. C:\tmp\dd32ba3b-9b64-4486-805b-6de0297e8e05.exe
  77.  
  78. # # #
  79. https://www.virustotal.com/#/file/7c01c705fecd3dc50931c07dcfffef00f1d7120ac8eb894240f1ed6292f19b63/details
  80. https://www.virustotal.com/#/file/41eb6e7b3f70e89eb96b9f6eca720757308d871c17c444b1a0d6f0f2ced97477/details
  81. https://analyze.intezer.com/#/analyses/38d35537-83e6-4d41-a910-d152cb7d407e
  82.  
  83. VR
  84.  
  85. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top