#IOC #OptiData #VR #agenttesla #RAT #RTF #11882 #passwdstealer #FTP
https://pastebin.com/RinpBPvy
Confirmed with help from @James_inthe_box

previous_contact:
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/

attack_vector
--------------
email attach .DOC (RTF) > 11882 > GET 1URL > \AppData\Roaming\*.exe

email_headers
--------------
Return-Path: <jnpack@ukr.net>
Received: from relay2.grserver.gr (relay2.grserver.gr [185.4.132.177])
Received: from relay2.grserver.gr (localhost.localdomain [127.0.0.1])
Received: from linux1217.grserver.gr (linux1217.grserver.gr [185.138.42.56])
Received: from linux1217.grserver.gr (localhost [IPv6:::1])
Received: from [45.87.184.62] ([45.87.184.62]) by webmail.orosimo.gr (Horde Framework) with HTTP
Date: Tue, 29 Oct 2019 08:10:37 +0200
From: jnpack@ukr.net
To: user00@victim88.org
Subject: FW: Повідомлення про оплату № 105 / 29.10.2019
User-Agent: Horde Application Framework 5
X-FE-ORIG-ENV-FROM: jnpack@ukr.net
X-FEAS-CLIENT-IP: 185.4.132.177

files
--------------
SHA-256 bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7
File name 105-191029.doc [Rich Text Format data, unknown version]
File size 186.76 KB (191243 bytes)

SHA-256 32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c
File name caps.jpg [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size 182.5 KB (186880 bytes)

SHA-256 60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566
File name vzB3P.bin [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size 332 KB (339968 bytes)

activity
**************
PL_SCR http://bit.ly/2plrVkH >> (redirect) https://s.put.re/AnkMeJcY.jpg
https://paste.ee/r/vzB3P
C2 212.47.208.135:59696 / 212.47.208.135:21

netwrk
--------------
[ssl]
104.27.143.252 s.put.re Client Hello
104.18.48.20 paste.ee Client Hello
[http]
67.199.248.10 bit.ly GET /2plrVkH HTTP/1.1 Mozilla/4.0
34.196.181.158 checkip.amazonaws.com GET / HTTP/1.1 moUA
[ftp]
212.47.208.135:21 cpf.radicenter.eu

comp
--------------
EQNEDT32.EXE 3180 TCP 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 3180 TCP 104.27.143.252 443 ESTABLISHED
- - - - - - -
[System] 0 TCP 212.47.208.135 59696 TIME_WAIT
SystemIDE.exe 2244 TCP 104.18.48.20 443 ESTABLISHED
SystemIDE.exe 2244 TCP 34.196.181.158 80 ESTABLISHED
SystemIDE.exe 2244 TCP 212.47.208.135 21 ESTABLISHED
- - - - - - -
[System] 0 TCP cpf.radicenter.eu 59696 TIME_WAIT
[System] 0 TCP 104.18.48.20 https TIME_WAIT
SystemIDE.exe 2244 TCP ec2-34-196-181-158.compute-1.amazonaws.com http CLOSE_WAIT
SystemIDE.exe 2244 TCP localhost 52040 cpf.radicenter.eu ftp ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\9087654356798654.exe
C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn SystemIDE.exe /tr C:\tmp\SystemIDE.exe
... [another context]
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {7B826DDB-152D-42E2-9E14-5B10AF3D696E} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\tmp\SystemIDE.exe

persist
--------------
schtask
\SystemIDE.exe c:\tmp\systemide.exe 29.10.2019 6:17
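A triage helper for the comp, proc and persist sections above, added here as an example and not part of the paste: it flags TCP connections owned by EQNEDT32.EXE (Equation Editor has no reason to reach the network) and schtasks /create persistence that re-runs every minute or points at a user-writable path such as C:\tmp. The sample lines are constructed to mirror the report's format; the svchost and Backup entries are assumed benign values added for contrast.

```python
import re

# Constructed sample lines modelled on the 'comp' section (process, PID,
# proto, remote address, port, state); the svchost line is an assumed benign
# entry for contrast, the rest are the report's own.
SAMPLE_COMP = """\
EQNEDT32.EXE 3180 TCP 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 3180 TCP 104.27.143.252 443 ESTABLISHED
SystemIDE.exe 2244 TCP 212.47.208.135 21 ESTABLISHED
svchost.exe 900 TCP 192.0.2.10 443 ESTABLISHED
"""

# Constructed command lines modelled on the 'proc' section; the third is an
# assumed benign task that should not be flagged.
SAMPLE_PROC = [
    r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
    r'C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn SystemIDE.exe /tr C:\tmp\SystemIDE.exe',
    r'C:\Windows\system32\schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"',
]

def eqnedt_connections(comp_text):
    """(pid, remote_ip, port) for each TCP connection owned by EQNEDT32.EXE.
    Equation Editor has no reason to touch the network, so any hit is the
    11882 exploitation signal the 'comp' section records."""
    hits = []
    for line in comp_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].upper() == "EQNEDT32.EXE" and parts[2] == "TCP":
            hits.append((int(parts[1]), parts[3], int(parts[4])))
    return hits

# User-writable locations used by the drops above: C:\tmp and %AppData%.
USER_WRITABLE = re.compile(r"^(?:c:\\tmp\\|c:\\users\\[^\\]+\\appdata\\)", re.I)
# schtasks /create ... /sc <schedule> ... /tn <name> ... /tr <action>
SCHTASK = re.compile(
    r"schtasks(?:\.exe)?\s+/create\b.*?/sc\s+(\w+).*?/tn\s+(\S+).*?/tr\s+\"?([^\"\s]+)", re.I)

def suspicious_schtasks(cmdlines):
    """Flag schtasks /create calls that re-run every minute or whose action
    binary lives in a user-writable directory (the persistence seen above)."""
    hits = []
    for cmd in cmdlines:
        m = SCHTASK.search(cmd)
        if not m:
            continue
        schedule, name, action = m.groups()
        if schedule.lower() == "minute" or USER_WRITABLE.match(action):
            hits.append({"task": name, "schedule": schedule, "action": action})
    return hits
```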
drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\1OD34V4M\caps[1].jpg
C:\Users\operator\AppData\Roaming\9087654356798654.exe
C:\tmp\SystemIDE.exe
C:\tmp\637079440188346875_949d0af0-f617-4479-b939-c5cacb236eab.db

# # #
https://www.abuseipdb.com/check/185.4.132.177
https://www.virustotal.com/gui/file/bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7/details
https://www.virustotal.com/gui/file/32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c/details
https://analyze.intezer.com/#/analyses/cf99561e-18f9-4e6d-842a-13932e0ab65d
https://www.virustotal.com/gui/file/60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566/details
https://analyze.intezer.com/#/analyses/756d94fa-bffb-4edf-a30d-86e77489b0f3
https://urlscan.io/result/c44e8a7e-e799-4dcc-b48e-6e0e0bb91ea0#transactions
https://www.virustotal.com/gui/url/7e57ab47fac2e357748abd48d33a2fb9fefb750594aaf2ccc0122b284ceaa285/details
https://www.virustotal.com/gui/url/ccb75e6ac8c4736d107e98f85cc2370f40289c91cc300e858acdfbadd18bec2c/details

VR
@