#Agenttesla_161018

VRad Oct 19th, 2018 (edited)
#IOC #OptiData #VR #Agenttesla #RAT #Keylogger #NET #0199.19 #RTF #11882

https://pastebin.com/d5DxTRrB
previous contact:
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/

from @Techhelplistcom :
"smtp variant.
sending to and from cwl.cus@cargoworldlogistics.in
password is Cuscargo123+"

attack_vector
--------------
multiple email attach > (xml.rels) > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe

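As an added defender-side example (not part of the paste), the check below opens an OOXML container and lists every relationship entry that points outside the document, which is the hook used by the "(xml.rels) > GET ItvsncjBnvcpjHkX.doc" step. The sample .docx, its placeholder URL and the attachedTemplate relationship type are constructed assumptions; the paste does not say which relationship type the real Contract_Agreement.docx used.

```python
# Added example: list external relationships in a .docx/.dotx (zip) so a
# document that fetches a remote file on open can be flagged before it is
# ever rendered. The sample document below is constructed, not the real one.
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Word fetch the target automatically on open,
# as opposed to a hyperlink the user has to click.
RISKY_TYPES = ("attachedTemplate", "oleObject", "frame", "subDocument")


def external_relationships(docx_bytes):
    """Return [(rels_part, rel_type, target)] for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def risky_external_relationships(docx_bytes):
    """Only the external entries whose type auto-fetches content on open."""
    return [r for r in external_relationships(docx_bytes) if r[1] in RISKY_TYPES]


def build_sample_docx(remote_target=None):
    """Constructed minimal .docx; with remote_target set, document.xml.rels
    carries an external attachedTemplate pointing at it (assumed type)."""
    rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % REL_NS
    rels += '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL
    if remote_target is not None:
        rels += ('<Relationship Id="rId2" Type="%sattachedTemplate" Target="%s" '
                 'TargetMode="External"/>') % (OFFICE_REL, remote_target)
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/remote.doc")  # placeholder URL
    for part, rel_type, target in risky_external_relationships(sample):
        print("%s: %s -> %s" % (part, rel_type, target))
```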
email_headers
--------------
Received: from sk.com ([180.166.191.164])
    by srv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GITeKP080450
    for <boss@org7.victim1.com>; Tue, 16 Oct 2018 21:29:42 +0300 (EEST)
    (envelope-from tonykim87@sk.com)
Reply-To: silverlighttrading@live.com
From: Kim Young-jin Tony <tonykim87@sk.com>
To: boss@org7.victim1.com
Subject: Re: Re: Signed Contract Agreeement For You boss@org7.victim1.com
Date: 17 Oct 2018 02:29:27 +0800

files
--------------
SHA-256 68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a
File name   Contract_Agreement.pdf  (!) Contains Contract_Agreement.docx > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
File size   39.67 KB

SHA-256 77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d
File name   Contract_Agreement.docx (!) > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
File size   12.75 KB

SHA-256 65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d
File name   Contract_Agreement.doc (RTF) (!) > 11882 > GET exe
File size   53.38 KB

SHA-256 d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a
File name   ItvsncjBnvcpjHkX.doc (RTF) (!) > 11882 > GET exe
File size   52.33 KB

SHA-256 b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704
File name   mine001.exe > corrupted?
File size   857 KB

activity
**************
payload     share.dmca.gripe/ItvsncjBnvcpjHkX.doc
payload2    3arabsports.net/admin/mine001.exe

netwrk
--------------
n/a, must be SMTP

comp
--------------
n/a - exe is corrupted/crashed

proc
--------------
n/a

persist
--------------
n/a, must be HKCU

drop
--------------
n/a

# # #
https://www.virustotal.com/#/file/68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a/details
https://www.virustotal.com/#/file/77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d/details
https://www.virustotal.com/#/file/65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d/details
https://www.virustotal.com/#/file/d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a/details
https://www.virustotal.com/#/domain/3arabsports.net
https://www.virustotal.com/#/file/b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704/details
https://analyze.intezer.com/#/analyses/e62ca4fd-b7f3-4d0e-a127-a32bc35a5e6f