VRad

#AgentTesla_111018

Oct 11th, 2018
#IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882

https://pastebin.com/bkCSvJvM
previous_contact:
https://pastebin.com/JYShuXn4
FAQ:
https://radetskiy.wordpress.com/?s=11882
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email (attach) RTF > 11882 > GET > %temp%\MyOtApp\MyOtApp.exe

email_headers
--------------
Received: from balaban54.com (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
by srv3.victim1.com (8.15.2/8.15.2) with ESMTP id w9B92O6x072468
for <user0@org5.victim1.com>; Thu, 11 Oct 2018 12:02:24 +0300 (EEST)
(envelope-from info@balaban54.com)
Reply-To: BALABAN GLOBAL TRADING COMPANIES <info@balaban54.com>
From: "BALABAN GLOBAL TRADING COMPANIES" <info@balaban54.com>
To: user0@org5.victim1.com
Subject: KINDLY ATTEND TO OUR RFQ
Date: 11 Oct 2018 02:02:15 -0700

email_subjects
--------------
KINDLY ATTEND TO OUR RFQ

files
--------------
SHA-256 2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998
File name Quotation-1.doc
File size 8.14 KB

SHA-256 2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027
File name tt.exe !..This program must be run under Win32
File size 632 KB

activity
**************

netwrk
--------------
111.118.215.27 lockoutindia{.} com GET /zwe/tt.exe HTTP/1.1 Mozilla/4.0
216.146.43.71 checkip.dyndns{.} org GET / HTTP/1.1
DNS > MX Standard query response 0x2ffe A smtp.egest-eg{.} com CNAME us2.smtp.mailhostbox{.} com (!) SMTP
A 208.91.199.225 A 208.91.199.223 A 208.91.198.143 A 208.91.199.224

comp
--------------
EQNEDT32.EXE 2424 111.118.215.27 80 ESTABLISHED
[System Process] 0 216.146.43.71 80 TIME_WAIT
namehdtfhrf.exe 3068 208.91.198.143 25 SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Users\operator\AppData\Roaming\namehdtfhrf.exe"
"C:\Windows\System32\eventvwr.exe"
"C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe" C:\tmp\3382a653-d961-4e00-b429-50a18e4a7fc0.tmp
"C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe" C:\tmp\8ad986ff-cc55-4a6a-91ac-6a48c89ba336.tmp
"C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe" C:\tmp\8fe3b2a2-8f4c-4c22-a591-c689c77342e8.tmp

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11.10.2018 21:08
MyOtApp c:\tmp\myotapp\myotapp.exe 02.02.1992 9:11

drop
--------------
C:\tmp\MyOtApp\MyOtApp.exe
C:\tmp\15610947-2987-4d1b-8f5a-71573168b9ca.exe
C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe
C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe
C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe
C:\Users\operator\AppData\Roaming\namehdtfhrf.exe

# # #
https://www.virustotal.com/#/file/2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998/community
https://www.virustotal.com/#/file/2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027/community
https://analyze.intezer.com/#/analyses/6cb94330-23ee-4756-8755-3b714d671cd3

A .NET-based keylogger and RAT readily available to actors. It logs keystrokes and the host's clipboard and beacons this information back to the C2.
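The following triage helper is an added example and is not part of the original paste or its author's tooling. It takes the defanged indicators and the connection, process and persistence lines above (copied verbatim as sample input), refangs the `{.}` domains so they can be matched against real logs, and flags the three behaviours a defender would alert on in this chain: the Equation Editor (EQNEDT32.EXE) holding a network connection, a connection to one of the download hosts listed in the netwrk section, and outbound SMTP from an unknown process (the exfiltration channel hinted at by the MX lookup). The rule names, the set of Office helper processes and the temp-directory patterns are assumptions of the example, not something the paste states.

```python
"""Triage helper for the IOCs in this paste (added example, not the paste author's code).
Sample lines below are copied from the paste; rule names and thresholds are assumptions."""
import re

# Defanged lines from the netwrk section of the paste.
NETWRK = [
    "111.118.215.27 lockoutindia{.} com GET /zwe/tt.exe HTTP/1.1 Mozilla/4.0",
    "216.146.43.71 checkip.dyndns{.} org GET / HTTP/1.1",
]

# Lines from the comp section: process, PID, remote IP, remote port, TCP state.
COMP = [
    "EQNEDT32.EXE 2424 111.118.215.27 80 ESTABLISHED",
    "[System Process] 0 216.146.43.71 80 TIME_WAIT",
    "namehdtfhrf.exe 3068 208.91.198.143 25 SYN_SENT",
]

# Line from the persist section: Run value name, target path, file timestamp.
PERSIST = [
    "MyOtApp c:\\tmp\\myotapp\\myotapp.exe 02.02.1992 9:11",
]

# Assumption: Office helper processes that should never open network connections.
OFFICE_HELPERS = {"eqnedt32.exe"}
# Assumption: directories an autostart entry should not normally point into.
TEMP_DIRS = ("c:\\tmp\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\")


def refang(text):
    """Turn 'example{.} com' back into 'example.com' so it can be matched against logs."""
    return re.sub(r"\s*\{\.\}\s*", ".", text)


def parse_netwrk(lines):
    """Return (ip, refanged domain, request) tuples from netwrk-style lines."""
    out = []
    for line in lines:
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s+(\S+\{\.\}\s*\S+)\s+(GET|POST)\s+(\S+)", line)
        if m:
            out.append((m.group(1), refang(m.group(2)), m.group(3) + " " + m.group(4)))
    return out


def flag_connections(lines, indicators=NETWRK):
    """Return (rule, process, ip, port) findings for connection lines."""
    known_ips = {ip for ip, _, _ in parse_netwrk(indicators)}
    findings = []
    for line in lines:
        m = re.match(r"(.+?)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)$", line)
        if not m:
            continue
        proc, _pid, ip, port, _state = m.groups()
        if proc.lower() in OFFICE_HELPERS:
            # Equation Editor with a socket is the CVE-2017-11882 download stage.
            findings.append(("office-helper-network", proc, ip, port))
        elif ip in known_ips:
            findings.append(("indicator-host", proc, ip, port))
        elif port == "25":
            # Direct SMTP from a user-profile binary: the credential/keystroke exfil path.
            findings.append(("outbound-smtp", proc, ip, port))
    return findings


def flag_run_keys(lines):
    """Return (value name, path) for Run-key entries pointing into temp directories."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        name, path = parts[0], parts[1].lower()
        if any(d in path for d in TEMP_DIRS):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for ip, domain, req in parse_netwrk(NETWRK):
        print(f"indicator: {ip} {domain} {req}")
    for finding in flag_connections(COMP):
        print("connection:", *finding)
    for finding in flag_run_keys(PERSIST):
        print("persistence:", *finding)
```

Run it as a script to print the findings, or import it and feed `flag_connections` the output of a `netstat -b`-style collector; the sample lines above yield one hit per rule plus the single Run-key entry.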