#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ
https://pastebin.com/YCVjJ8A6

previous_contact:
10/02/21 https://pastebin.com/9JXvM5ix
07/12/20 https://pastebin.com/20AVUqZ6
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:

attack_vector
--------------
email > URL to onedrive > TGZ > EXE > !delay 3 min! > exfil to smtp.1and1.es:587

email_headers
--------------
Received: from ns1.uzbektourism.uz (uzbektourism.uz [185.8.212.70])
Received: from [127.0.0.1] (port=41628 helo=webmail.uzbektourism.uz)
    by ns1.uzbektourism.uz with esmtpa (Exim 4.92.3)
    (envelope-from <edo@uzbektourism.uz>)
    id 1lF6J3-0006bG-0c; Thu, 25 Feb 2021 07:23:09 +0500
Date: Wed, 24 Feb 2021 21:23:08 -0500
From: Denya Varchenko <edo@uzbektourism.uz>
To: undisclosed-recipients:;
Subject: Примітка щодо оплати від 25.02.2021
Return-Path: <edo@uzbektourism.uz>
User-Agent: Roundcube Webmail/1.4.9
Message-ID: <588e4943ae9ad2a004835db4ef7e3a6d@uzbektourism.uz>

files
--------------
SHA-256    7726430ea25c3201f975b29a2ac6ae1fb71e840724623923091cd7dad4bcf9b3
File name  Примітка щодо оплати.tgz [ GZIP ]
File size  396.84 KB (406368 bytes)

SHA-256    2de6c276a823e738998aba2b325fa8a30e8a1412f4aec6a6a3644402b74ee318
File name  Примітка щодо оплати.exe / InternalNameSpaceE.exe [ .NET executable ]
File size  487.00 KB (498688 bytes)

unpacked from exe
--------------
SHA-256    e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
File name  child1.bin [ .NET executable ]
File size  10.00 KB (10240 bytes)

activity
**************
PL_SCR  https://onedrive.live.com/download?cid=52717AB489920A9B&resid=52717AB489920A9B%21119&authkey=AJhitQVVdzj3cl0
previous
(25/02/21) https://onedrive.live.com/download?cid=44BBFEE50A375AFB&resid=44BBFEE50A375AFB!3900&authkey=AE3hRpZjTZyiajM
(07/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21282&authkey=AIrAAExjvidyMqA
(04/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug

C2  212.227.15.158:587 [smtp.1and1.es]

netwrk
--------------
212.227.15.158  smtp.1and1.es  Client Hello

comp
--------------
Примітка щодо оплати.exe  2692  TCP  212.227.15.158  587  ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Примітка щодо оплати.exe
C:\Users\operator\Desktop\Примітка щодо оплати.exe

persist
--------------
n/a

drop
--------------
n/a

# # #
https://www.virustotal.com/gui/file/7726430ea25c3201f975b29a2ac6ae1fb71e840724623923091cd7dad4bcf9b3/details
https://www.virustotal.com/gui/file/2de6c276a823e738998aba2b325fa8a30e8a1412f4aec6a6a3644402b74ee318/details
https://analyze.intezer.com/analyses/a5221c50-14a5-404d-9f9a-9d4b52ab490f
https://www.unpac.me/results/d4a36c02-ea34-49b0-b30e-96f2e84722bf
https://www.virustotal.com/gui/file/e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44/details
https://analyze.intezer.com/analyses/a98643ef-2ad8-40f0-9e4c-88028304ecfd

VR