API tools faq
paste
Advertisement
VRad

#Agenttesla_291019

VRad
Oct 29th, 2019
820
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.58 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #agenttesla #RAT #RTF #11882 #passwdstealer #FTP
  2.  
  3. https://pastebin.com/RinpBPvy
  4.  
  5. Confirmed with help from @James_inthe_box
  6.  
  7. previous_contact:
  8. 03/09/19 https://pastebin.com/zhJvDz8M
  9. 09/01/19 https://pastebin.com/MdDfZDdb
  10. 16/10/18 https://pastebin.com/d5DxTRrB
  11. 04/10/18 https://pastebin.com/JYShuXn4
  12. 11/10/18 https://pastebin.com/bkCSvJvM
  13.  
  14. FAQ:
  15. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
  16.  
  17. attack_vector
  18. --------------
  19. email attach .DOC (RTF) > 11882 > GET 1URL > \AppData\Roaming\*.exe
  20.  
  21. email_headers
  22. --------------
  23. Return-Path: <jnpack@ukr.net>
  24. Received: from relay2.grserver.gr (relay2.grserver.gr [185.4.132.177])
  25. Received: from relay2.grserver.gr (localhost.localdomain [127.0.0.1])
  26. Received: from linux1217.grserver.gr (linux1217.grserver.gr [185.138.42.56])
  27. Received: from linux1217.grserver.gr (localhost [IPv6:::1])
  28. Received: from [45.87.184.62] ([45.87.184.62]) by webmail.orosimo.gr (Horde
  29. Framework) with HTTP
  30. Date: Tue, 29 Oct 2019 08:10:37 +0200
  31. From: jnpack@ukr.net
  32. To: user00@victim88.org
  33. Subject: FW: Повідомлення про оплату № 105 / 29.10.2019
  34. User-Agent: Horde Application Framework 5
  35. X-FE-ORIG-ENV-FROM: jnpack@ukr.net
  36. X-FEAS-CLIENT-IP: 185.4.132.177
  37.  
  38. files
  39. --------------
  40. SHA-256 bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7
  41. File name 105-191029.doc [Rich Text Format data, unknown version]
  42. File size 186.76 KB (191243 bytes)
  43.  
  44. SHA-256 32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c
  45. File name caps.jpg [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
  46. File size 182.5 KB (186880 bytes)
  47.  
  48. SHA-256 60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566
  49. File name vzB3P.bin [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
  50. File size 332 KB (339968 bytes)
  51.  
  52. activity
  53. **************
  54. PL_SCR http://bit.ly/2plrVkH >> (redirect) https://s.put.re/AnkMeJcY.jpg
  55. https://paste.ee/r/vzB3P
  56.  
  57. C2 212.47.208.135:59696 / 212.47.208.135:21
  58.  
  59. netwrk
  60. --------------
  61. [ssl]
  62. 104.27.143.252 s.put.re Client Hello
  63. 104.18.48.20 paste.ee Client Hello
  64.  
  65. [http]
  66. 67.199.248.10 bit.ly GET /2plrVkH HTTP/1.1 Mozilla/4.0
  67. 34.196.181.158 checkip.amazonaws.com GET / HTTP/1.1 moUA
  68.  
  69. [ftp]
  70. 212.47.208.135:21 cpf.radicenter.eu
  71.  
  72. comp
  73. --------------
  74. EQNEDT32.EXE 3180 TCP 67.199.248.10 80 ESTABLISHED
  75. EQNEDT32.EXE 3180 TCP 104.27.143.252 443 ESTABLISHED
  76. - - - - - - -
  77. [System] 0 TCP 212.47.208.135 59696 TIME_WAIT
  78. SystemIDE.exe 2244 TCP 104.18.48.20 443 ESTABLISHED
  79. SystemIDE.exe 2244 TCP 34.196.181.158 80 ESTABLISHED
  80. SystemIDE.exe 2244 TCP 212.47.208.135 21 ESTABLISHED
  81. - - - - - - -
  82. [System] 0 TCP cpf.radicenter.eu 59696 TIME_WAIT
  83. [System] 0 TCP 104.18.48.20 https TIME_WAIT
  84. SystemIDE.exe 2244 TCP ec2-34-196-181-158.compute-1.amazonaws.com http CLOSE_WAIT
  85. SystemIDE.exe 2244 TCP localhost 52040 cpf.radicenter.eu ftp ESTABLISHED
  86.  
  87. proc
  88. --------------
  89. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  90. C:\Users\operator\AppData\Roaming\9087654356798654.exe
  91. C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn SystemIDE.exe /tr C:\tmp\SystemIDE.exe
  92. ... [another context]
  93. C:\Windows\system32\svchost.exe -k netsvcs
  94. C:\Windows\system32\taskeng.exe {7B826DDB-152D-42E2-9E14-5B10AF3D696E} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
  95. C:\tmp\SystemIDE.exe
  96.  
  97. persist
  98. --------------
  99. schtask
  100. \SystemIDE.exe c:\tmp\systemide.exe 29.10.2019 6:17
  101.  
  102. drop
  103. --------------
  104. C:\tmp\Temporary Internet Files\Content.IE5\1OD34V4M\caps[1].jpg
  105. C:\Users\operator\AppData\Roaming\9087654356798654.exe
  106. C:\tmp\SystemIDE.exe
  107. C:\tmp\637079440188346875_949d0af0-f617-4479-b939-c5cacb236eab.db
  108.  
  109. # # #
  110. https://www.abuseipdb.com/check/185.4.132.177
  111.  
  112. https://www.virustotal.com/gui/file/bfec950a05ecb5bfa12a6f5c65362ab723d7682fd039c672f9ddac2642fcb7e7/details
  113. https://www.virustotal.com/gui/file/32c00dc6978ae858c41ab67e9f74a43f93f9081eaaab9f1e55b689377f336f5c/details
  114. https://analyze.intezer.com/#/analyses/cf99561e-18f9-4e6d-842a-13932e0ab65d
  115.  
  116. https://www.virustotal.com/gui/file/60d8919a8d1a1be3f02b67254f487067b8a58cc8e3545d0fe3f160de7849f566/details
  117. https://analyze.intezer.com/#/analyses/756d94fa-bffb-4edf-a30d-86e77489b0f3
  118.  
  119. https://urlscan.io/result/c44e8a7e-e799-4dcc-b48e-6e0e0bb91ea0#transactions
  120. https://www.virustotal.com/gui/url/7e57ab47fac2e357748abd48d33a2fb9fefb750594aaf2ccc0122b284ceaa285/details
  121. https://www.virustotal.com/gui/url/ccb75e6ac8c4736d107e98f85cc2370f40289c91cc300e858acdfbadd18bec2c/details
  122.  
  123.  
  124. VR
  125.  
  126. @
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!