SHARE
TWEET

#AgentTesla_111018

VRad Oct 11th, 2018 (edited) 380 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882
  2.  
  3. https://pastebin.com/bkCSvJvM
  4. previous_contact:
  5. https://pastebin.com/JYShuXn4
  6. FAQ:
  7. https://radetskiy.wordpress.com/?s=11882
  8. https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
  9.  
  10. attack_vector
  11. --------------
  12. email (attach) RTF > 11882 > GET > %temp%\MyOtApp\MyOtApp.exe
  13.  
  14. email_headers
  15. --------------
  16. Received: from balaban54.com (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
  17.     by srv3.victim1.com (8.15.2/8.15.2) with ESMTP id w9B92O6x072468
  18.     for <user0@org5.victim1.com>; Thu, 11 Oct 2018 12:02:24 +0300 (EEST)
  19.     (envelope-from info@balaban54.com)
  20. Reply-To: BALABAN GLOBAL TRADING COMPANIES <info@balaban54.com>
  21. From: "BALABAN GLOBAL TRADING COMPANIES" <info@balaban54.com>
  22. To: user0@org5.victim1.com
  23. Subject: KINDLY ATTEND TO OUR RFQ
  24. Date: 11 Oct 2018 02:02:15 -0700
  25.  
  26. email_subjects
  27. --------------
  28. KINDLY ATTEND TO OUR RFQ
  29.  
  30. files
  31. --------------
  32. SHA-256 2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998
  33. File name   Quotation-1.doc
  34. File size   8.14 KB
  35.  
  36. SHA-256 2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027
  37. File name   tt.exe  !..This program must be run under Win32
  38. File size   632 KB
  39.  
  40. activity
  41. **************
  42.  
  43. netwrk
  44. --------------
  45. 111.118.215.27  lockoutindia{.} com GET /zwe/tt.exe HTTP/1.1    Mozilla/4.0
  46. 216.146.43.71   checkip.dyndns{.} org   GET / HTTP/1.1  
  47. DNS > MX    Standard query response 0x2ffe A smtp.egest-eg{.} com CNAME us2.smtp.mailhostbox{.} com (!) SMTP
  48. A 208.91.199.225 A 208.91.199.223 A 208.91.198.143 A 208.91.199.224
  49.  
  50. comp
  51. --------------
  52. EQNEDT32.EXE        2424    111.118.215.27  80  ESTABLISHED
  53. [System Process]    0   216.146.43.71   80  TIME_WAIT
  54. namehdtfhrf.exe     3068    208.91.198.143  25  SYN_SENT
  55.  
  56. proc
  57. --------------
  58. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  59. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  60. "C:\Users\operator\AppData\Roaming\namehdtfhrf.exe"
  61. "C:\Windows\System32\eventvwr.exe"
  62. "C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe" C:\tmp\3382a653-d961-4e00-b429-50a18e4a7fc0.tmp
  63. "C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe" C:\tmp\8ad986ff-cc55-4a6a-91ac-6a48c89ba336.tmp
  64. "C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe" C:\tmp\8fe3b2a2-8f4c-4c22-a591-c689c77342e8.tmp
  65.  
  66. persist
  67. --------------
  68. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  11.10.2018 21:08   
  69. MyOtApp         c:\tmp\myotapp\myotapp.exe  02.02.1992 9:11
  70.  
  71. drop
  72. --------------
  73. C:\tmp\MyOtApp\MyOtApp.exe
  74. C:\tmp\15610947-2987-4d1b-8f5a-71573168b9ca.exe
  75. C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe
  76. C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe
  77. C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe
  78. C:\Users\operator\AppData\Roaming\namehdtfhrf.exe
  79.  
  80. # # #
  81. https://www.virustotal.com/#/file/2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998/community
  82. https://www.virustotal.com/#/file/2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027/community
  83. https://analyze.intezer.com/#/analyses/6cb94330-23ee-4756-8755-3b714d671cd3
  84.  
  85. A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top