VRad

#agenttesla_041220

Dec 4th, 2020 (edited)
#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ

https://pastebin.com/PYFMBfkg

previous_contact:
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:

attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587

email_headers
--------------
n/a

files
--------------
SHA-256 d85a17b93dbc6aa7cd1e847554a5e39026945a7f0c4a6d23920b9e01e43f887f
File name 71220 33922.tgz [ gzip compressed data ]
File size 1.20 MB (1262247 bytes)

SHA-256 a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297
File name 71220 33922.exe [ .NET executable ]
File size 1.33 MB (1399296 bytes)

activity
**************
PL_SCR https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug

C2 212.227.15.142:587 [smtp.1and1.es]


!Steals private information from local Internet browsers
--------------
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db
C:\Users\operator\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat

!Harvests credentials from local FTP client software
--------------
C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx

!Harvests information related to installed mail clients
--------------
C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\operator\AppData\Roaming\The Bat!
C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini

netwrk
--------------
212.227.15.158 smtp.1and1.es Client Hello

comp
--------------
71220 33922.exe 3452 TCP 212.227.15.158 587 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\71220 33922.exe
C:\Users\operator\Desktop\71220 33922.exe "{path}"
C:\Users\operator\Desktop\71220 33922.exe

persist
--------------
n/a

drop
--------------
n/a

# # #
https://www.virustotal.com/gui/file/d85a17b93dbc6aa7cd1e847554a5e39026945a7f0c4a6d23920b9e01e43f887f/details
https://www.virustotal.com/gui/file/a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297/details
https://analyze.intezer.com/analyses/ee0c624b-f970-4a5b-bf2f-31ea8d3bc559
https://www.unpac.me/results/5f650e29-c94d-488e-bf70-1b627ce19285

VR
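The paste above is a bare IOC list; the following is an added hunting example, not part of the original paste, that turns its indicators into detection logic and runs them over constructed endpoint telemetry. The hashes, the OneDrive payload URL, the smtp.1and1.es addresses (both 212.227.15.142 and 212.227.15.158, as the paste lists them) and the credential-store paths come from the paste; the telemetry records, their field names (kind, proc, sha256, dst_ip, dst_port, dst_host, path, url) and the allow-list of processes expected to read those stores or speak SMTP are assumptions made for this example, not any EDR's real schema.

```python
"""Hunt for the AgentTesla IOCs from the paste in constructed sample telemetry."""
import re

# Indicators taken from the paste.
IOC_SHA256 = {
    "d85a17b93dbc6aa7cd1e847554a5e39026945a7f0c4a6d23920b9e01e43f887f": "71220 33922.tgz",
    "a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297": "71220 33922.exe",
}
IOC_C2_IPS = {"212.227.15.142", "212.227.15.158"}   # smtp.1and1.es, TCP/587
IOC_C2_HOST = "smtp.1and1.es"
IOC_PAYLOAD_CID = "22B7C997915C7868"                 # cid from the OneDrive payload URL

# Credential stores the sample reads. The user-name part of each path is
# dropped so the patterns match any profile, not only "operator".
CRED_STORE_RE = re.compile("|".join([
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key3\.db$",
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$",
    r"\\AppData\\Roaming\\Opera Mail\\Opera Mail\\wand\.dat$",
    r"\\AppData\\Roaming\\FTPGetter\\servers\.xml$",
    r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites\\Quick Connect\\",
    r"\\AppData\\Roaming\\CoreFTP\\sites\.idx$",
    r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$",
    r"\\AppData\\Roaming\\The Bat!",
    r"\\AppData\\Roaming\\Pocomail\\accounts\.ini$",
]), re.IGNORECASE)

# Assumption for this example: processes allowed to read those stores or to
# open SMTP submission (587) connections. Tune per environment.
LEGIT_OWNERS = {"firefox.exe", "chrome.exe", "opera.exe", "thunderbird.exe",
                "outlook.exe", "coreftp.exe", "smartftp.exe"}


def detect(events):
    """Return (rule_name, event) pairs for every record that trips a rule."""
    alerts = []
    for ev in events:
        kind = ev.get("kind")
        proc = ev.get("proc", "").lower()
        if kind == "process" and ev.get("sha256", "").lower() in IOC_SHA256:
            alerts.append(("ioc_hash", ev))
        elif kind == "url" and IOC_PAYLOAD_CID in ev.get("url", ""):
            alerts.append(("ioc_payload_url", ev))
        elif kind == "file":
            # Only flag a credential store read when the reader is not its owner.
            if CRED_STORE_RE.search(ev.get("path", "")) and proc not in LEGIT_OWNERS:
                alerts.append(("cred_store_read", ev))
        elif kind == "network":
            if ev.get("dst_ip") in IOC_C2_IPS or ev.get("dst_host", "").lower() == IOC_C2_HOST:
                alerts.append(("ioc_c2", ev))
            elif ev.get("dst_port") == 587 and proc not in LEGIT_OWNERS:
                # Generic AgentTesla behaviour: SMTP exfil from a non-mail process.
                alerts.append(("smtp_from_unexpected_process", ev))
    return alerts


# Constructed telemetry for this example (198.51.100.x / 203.0.113.x are
# documentation addresses standing in for benign destinations).
SAMPLE_EVENTS = [
    {"kind": "process", "proc": "71220 33922.exe", "pid": 3452,
     "path": r"C:\Users\operator\Desktop\71220 33922.exe",
     "sha256": "a756bdd76c7270bd93bf05a4f8affb951a4104cbf2ff001916c619e5e0d0f297"},
    {"kind": "url", "proc": "chrome.exe",
     "url": "https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug"},
    {"kind": "file", "proc": "71220 33922.exe",
     "path": r"C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db"},
    {"kind": "file", "proc": "firefox.exe",
     "path": r"C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key3.db"},
    {"kind": "file", "proc": "71220 33922.exe",
     "path": r"C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx"},
    {"kind": "network", "proc": "71220 33922.exe", "pid": 3452,
     "dst_ip": "212.227.15.158", "dst_port": 587, "dst_host": "smtp.1and1.es"},
    {"kind": "network", "proc": "outlook.exe", "pid": 4100,
     "dst_ip": "198.51.100.25", "dst_port": 587},
    {"kind": "network", "proc": "update_helper.exe", "pid": 5120,
     "dst_ip": "203.0.113.10", "dst_port": 587},
]


def rule_names(events):
    """Convenience wrapper: just the rule names fired, in event order."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        detail = ev.get("path") or ev.get("url") or f"{ev.get('dst_ip')}:{ev.get('dst_port')}"
        print(f"{rule:30s} {ev['proc']:20s} {detail}")
```

Two of the rules are generic rather than hash-bound: a credential-store read by a process other than the browser or client that owns it, and an SMTP submission (TCP/587) connection from a process that is not a mail client. Those survive a rebuild of the sample, which the hashes and the OneDrive link do not. Because the capture shows a TLS Client Hello on 587, the exfiltrated content is not visible on the wire, so this pairing of process identity with destination port is what the network evidence alone cannot give you.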