- #IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ
- https://pastebin.com/PYFMBfkg
- previous_contact:
- 15/06/20 https://pastebin.com/pma5MQAW
- 12/06/20 https://pastebin.com/SKNts0Es
- 29/10/19 https://pastebin.com/RinpBPvy
- 03/09/19 https://pastebin.com/zhJvDz8M
- 09/01/19 https://pastebin.com/MdDfZDdb
- 16/10/18 https://pastebin.com/d5DxTRrB
- 04/10/18 https://pastebin.com/JYShuXn4
- 11/10/18 https://pastebin.com/bkCSvJvM
- FAQ:
- attack_vector
- --------------
- email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 d85a17b93dbc6aa7cd1e847554a5e39026945a7f0c4a6d23920b9e01e43f887f
- File name 71220 33922.tgz [ gzip compressed data ]
- File size 1.20 MB (1262247 bytes)
- SHA-256 a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297
- File name 71220 33922.exe [ .NET executable ]
- File size 1.33 MB (1399296 bytes)
- activity
- **************
- PL_SCR https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug
- C2 212.227.15.142:587 [smtp.1and1.es]
- !Steals private information from local Internet browsers
- --------------
- C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db
- C:\Users\operator\AppData\Local\Google\Chrome\User Data\Default\Login Data
- C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
- !Harvests credentials from local FTP client software
- --------------
- C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
- C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
- C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx
- !Harvests information related to installed mail clients
- --------------
- C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
- C:\Users\operator\AppData\Roaming\The Bat!
- C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini
- netwrk
- --------------
- 212.227.15.158 smtp.1and1.es Client Hello
- comp
- --------------
- 71220 33922.exe 3452 TCP 212.227.15.158 587 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\71220 33922.exe
- C:\Users\operator\Desktop\71220 33922.exe "{path}"
- C:\Users\operator\Desktop\71220 33922.exe
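- Added detection example (not part of this paste, not AgentTesla code): the activity section above lists the browser, FTP-client and mail-client credential stores the sample reads, and the netwrk/comp sections show the same process opening TCP 587 to smtp.1and1.es. The script below correlates those two behaviours per process over a constructed "kind|image|pid|detail" event stream (FILE = file read, NET = outbound connect). The event lines, the store labels, the `MAIL_CLIENTS` allowlist and the three-level verdict scale are assumptions made for the example; the paths themselves are the ones listed above.

```python
"""Flag processes that read credential stores AND open an SMTP-submission
connection (AgentTesla-style harvest + exfil), from simple endpoint telemetry.
Everything here is an added example; the event lines are constructed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (label, regex) for the credential stores named in the paste. Matching is on
# the path tail, case-insensitive, so the user profile name does not matter.
CREDENTIAL_STORES = [
    ("firefox-key3.db",        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key3\.db$"),
    ("chrome-login-data",      r"\\Google\\Chrome\\User Data\\Default\\Login Data$"),
    ("operamail-wand.dat",     r"\\Opera Mail\\Opera Mail\\wand\.dat$"),
    ("ftpgetter-servers.xml",  r"\\FTPGetter\\servers\.xml$"),
    ("smartftp-quickconnect",  r"\\SmartFTP\\Client 2\.0\\Favorites\\Quick Connect\\"),
    ("coreftp-sites.idx",      r"\\CoreFTP\\sites\.idx$"),
    ("thunderbird-profiles.ini", r"\\Thunderbird\\profiles\.ini$"),
    ("thebat-profile",         r"\\The Bat!(\\|$)"),
    ("pocomail-accounts.ini",  r"\\Pocomail\\accounts\.ini$"),
]
STORE_RES = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in CREDENTIAL_STORES]

SMTP_PORTS = {25, 465, 587}
# Assumption for this example: the only workstation processes expected to speak SMTP.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry (not logs from the paste). The first process mirrors
# the behaviour documented above; the others are benign or ambiguous controls.
SAMPLE_EVENTS = [
    r"FILE|C:\Users\operator\Desktop\71220 33922.exe|3452|C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db",
    r"FILE|C:\Users\operator\Desktop\71220 33922.exe|3452|C:\Users\operator\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"FILE|C:\Users\operator\Desktop\71220 33922.exe|3452|C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx",
    r"NET|C:\Users\operator\Desktop\71220 33922.exe|3452|203.0.113.9:443",
    r"NET|C:\Users\operator\Desktop\71220 33922.exe|3452|212.227.15.158:587",
    r"FILE|C:\Program Files\Mozilla Firefox\firefox.exe|1200|C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db",
    r"NET|C:\Program Files\Mozilla Thunderbird\thunderbird.exe|900|203.0.113.25:587",
    r"FILE|C:\Windows\System32\svchost.exe|800|C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini",
    r"FILE|C:\Users\operator\AppData\Local\Temp\update.exe|4100|C:\Users\operator\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"FILE|C:\Users\operator\AppData\Local\Temp\update.exe|4100|C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml",
]


def parse_event(line):
    """Split one 'kind|image|pid|detail' line into a dict."""
    kind, image, pid, detail = line.split("|", 3)
    return {"kind": kind, "image": image, "pid": int(pid), "detail": detail}


def match_store(path):
    """Return the credential-store label a path belongs to, or None."""
    for label, rx in STORE_RES:
        if rx.search(path):
            return label
    return None


def verdict(image, stores, smtp):
    """Combine store reads and SMTP connects into a verdict for one process."""
    is_mail_client = PureWindowsPath(image).name.lower() in MAIL_CLIENTS
    if stores and smtp and not is_mail_client:
        return "critical"      # harvest plus an SMTP channel from a non-mail process
    if len(stores) >= 2 or (smtp and not is_mail_client):
        return "suspicious"    # several stores read, or SMTP from an unexpected process
    return "benign"            # a single store read (owner app, backup agent) is ambiguous


def analyze(lines):
    """Group events per (image, pid) and return stores, SMTP peers and verdict."""
    findings = defaultdict(lambda: {"stores": set(), "smtp": set()})
    for line in lines:
        ev = parse_event(line)
        key = (ev["image"], ev["pid"])
        if ev["kind"] == "FILE":
            label = match_store(ev["detail"])
            if label:
                findings[key]["stores"].add(label)
        elif ev["kind"] == "NET":
            _host, _, port = ev["detail"].rpartition(":")
            if port.isdigit() and int(port) in SMTP_PORTS:
                findings[key]["smtp"].add(ev["detail"])
    return {key: {**f, "verdict": verdict(key[0], f["stores"], f["smtp"])}
            for key, f in findings.items()}


if __name__ == "__main__":
    for (image, pid), f in analyze(SAMPLE_EVENTS).items():
        print(f"{f['verdict']:10} pid={pid} {image}  stores={sorted(f['stores'])} smtp={sorted(f['smtp'])}")
```

- With the sample events, the dropped EXE is the only process that both reads credential stores and talks to port 587 and is rated critical; Firefox reading its own key3.db and Thunderbird connecting to 587 stay benign, and the hypothetical update.exe that reads two stores without any network activity is surfaced as suspicious, which is the state a stealer is in before exfiltration starts. The port-based rule is a cheap first cut: AgentTesla has also been seen using FTP and HTTP channels, so the allowlist and port set are the knobs to widen.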
- persist
- --------------
- n/a
- drop
- --------------
- n/a
- # # #
- https://www.virustotal.com/gui/file/d85a17b93dbc6aa7cd1e847554a5e39026945a7f0c4a6d23920b9e01e43f887f/details
- https://www.virustotal.com/gui/file/a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297/details
- https://analyze.intezer.com/analyses/ee0c624b-f970-4a5b-bf2f-31ea8d3bc559
- https://www.unpac.me/results/5f650e29-c94d-488e-bf70-1b627ce19285
- VR