SHARE
TWEET

#Agenttesla_291019

VRad Oct 29th, 2019 (edited) 442 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #agenttesla #RAT #RTF #11882 #passwdstealer #FTP
  2.  
  3. https://pastebin.com/RinpBPvy
  4.  
  5. Confirmed with help from @James_inthe_box
  6.  
  7. previous_contact:
  8. 03/09/19    https://pastebin.com/zhJvDz8M
  9. 09/01/19    https://pastebin.com/MdDfZDdb
  10. 16/10/18    https://pastebin.com/d5DxTRrB
  11. 04/10/18    https://pastebin.com/JYShuXn4
  12. 11/10/18    https://pastebin.com/bkCSvJvM
  13.  
  14. FAQ:
  15. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
  16.  
  17. attack_vector
  18. --------------
  19. email attach .DOC (RTF) > 11882 > GET 1URL > \AppData\Roaming\*.exe
  20.  
  21. email_headers
  22. --------------
  23. Return-Path: <jnpack@ukr.net>
  24. Received: from relay2.grserver.gr (relay2.grserver.gr [185.4.132.177])
  25. Received: from relay2.grserver.gr (localhost.localdomain [127.0.0.1])
  26. Received: from linux1217.grserver.gr (linux1217.grserver.gr [185.138.42.56])
  27. Received: from linux1217.grserver.gr (localhost [IPv6:::1])
  28. Received: from [45.87.184.62] ([45.87.184.62]) by webmail.orosimo.gr (Horde
  29.  Framework) with HTTP
  30. Date: Tue, 29 Oct 2019 08:10:37 +0200
  31. From: jnpack@ukr.net
  32. To: user00@victim88.org
  33. Subject: FW: Повідомлення про оплату № 105 / 29.10.2019
  34. User-Agent: Horde Application Framework 5
  35. X-FE-ORIG-ENV-FROM: jnpack@ukr.net
  36. X-FEAS-CLIENT-IP: 185.4.132.177
  37.  
  38. files
  39. --------------
  40. SHA-256     bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7
  41. File name   105-191029.doc      [Rich Text Format data, unknown version]
  42. File size   186.76 KB (191243 bytes)
  43.  
  44. SHA-256     32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c
  45. File name   caps.jpg        [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
  46. File size   182.5 KB (186880 bytes)
  47.  
  48. SHA-256     60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566
  49. File name   vzB3P.bin       [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
  50. File size   332 KB (339968 bytes)
  51.  
  52. activity
  53. **************
  54. PL_SCR      http://bit.ly/2plrVkH   >> (redirect) https://s.put.re/AnkMeJcY.jpg
  55.             https://paste.ee/r/vzB3P   
  56.  
  57. C2      212.47.208.135:59696    /   212.47.208.135:21  
  58.  
  59. netwrk
  60. --------------
  61. [ssl]
  62. 104.27.143.252  s.put.re        Client Hello   
  63. 104.18.48.20    paste.ee        Client Hello
  64.  
  65. [http]
  66. 67.199.248.10       bit.ly  GET /2plrVkH HTTP/1.1   Mozilla/4.0
  67. 34.196.181.158      checkip.amazonaws.com   GET / HTTP/1.1  moUA
  68.  
  69. [ftp]
  70. 212.47.208.135:21   cpf.radicenter.eu
  71.  
  72. comp
  73. --------------
  74. EQNEDT32.EXE    3180    TCP 67.199.248.10   80  ESTABLISHED
  75. EQNEDT32.EXE    3180    TCP 104.27.143.252  443 ESTABLISHED
  76. - - - - - - -
  77. [System]    0   TCP 212.47.208.135  59696   TIME_WAIT
  78. SystemIDE.exe   2244    TCP 104.18.48.20    443 ESTABLISHED
  79. SystemIDE.exe   2244    TCP 34.196.181.158  80  ESTABLISHED
  80. SystemIDE.exe   2244    TCP 212.47.208.135  21  ESTABLISHED
  81. - - - - - - -
  82. [System]    0   TCP cpf.radicenter.eu   59696   TIME_WAIT
  83. [System]    0   TCP 104.18.48.20    https   TIME_WAIT
  84. SystemIDE.exe   2244    TCP ec2-34-196-181-158.compute-1.amazonaws.com  http    CLOSE_WAIT
  85. SystemIDE.exe   2244    TCP localhost   52040   cpf.radicenter.eu   ftp ESTABLISHED
  86.  
  87. proc
  88. --------------
  89. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  90. C:\Users\operator\AppData\Roaming\9087654356798654.exe
  91. C:\Windows\system32\schtasks.exe  /create  /sc  minute  /mo  1  /tn  SystemIDE.exe /tr C:\tmp\SystemIDE.exe
  92. ... [another context]
  93. C:\Windows\system32\svchost.exe -k netsvcs
  94. C:\Windows\system32\taskeng.exe {7B826DDB-152D-42E2-9E14-5B10AF3D696E} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
  95. C:\tmp\SystemIDE.exe
  96.  
  97. persist
  98. --------------
  99. schtask
  100. \SystemIDE.exe          c:\tmp\systemide.exe    29.10.2019 6:17
  101.  
  102. drop
  103. --------------
  104. C:\tmp\Temporary Internet Files\Content.IE5\1OD34V4M\caps[1].jpg
  105. C:\Users\operator\AppData\Roaming\9087654356798654.exe
  106. C:\tmp\SystemIDE.exe
  107. C:\tmp\637079440188346875_949d0af0-f617-4479-b939-c5cacb236eab.db
  108.  
  109. # # #
  110. https://www.abuseipdb.com/check/185.4.132.177
  111.  
  112. https://www.virustotal.com/gui/file/bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7/details
  113. https://www.virustotal.com/gui/file/32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c/details
  114. https://analyze.intezer.com/#/analyses/cf99561e-18f9-4e6d-842a-13932e0ab65d
  115.  
  116. https://www.virustotal.com/gui/file/60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566/details
  117. https://analyze.intezer.com/#/analyses/756d94fa-bffb-4edf-a30d-86e77489b0f3
  118.  
  119. https://urlscan.io/result/c44e8a7e-e799-4dcc-b48e-6e0e0bb91ea0#transactions
  120. https://www.virustotal.com/gui/url/7e57ab47fac2e357748abd48d33a2fb9fefb750594aaf2ccc0122b284ceaa285/details
  121. https://www.virustotal.com/gui/url/ccb75e6ac8c4736d107e98f85cc2370f40289c91cc300e858acdfbadd18bec2c/details
  122.  
  123.  
  124. VR
  125.  
  126. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top