VRad

#Agenttesla_161018

Oct 19th, 2018
#IOC #OptiData #VR #Agenttesla #RAT #Keylogger #NET #0199.19 #RTF #11882

https://pastebin.com/d5DxTRrB
previous contact:
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/

from @Techhelplistcom :
"smtp variant.
sending to and from cwl.cus@cargoworldlogistics.in
password is Cuscargo123+"

attack_vector
--------------
multiple email attachments (pdf / docx / doc) > document.xml.rels external target > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 (CVE-2017-11882, Equation Editor) > GET exe
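Two stages of this chain can be checked on disk before the exe is ever fetched: the docx carries a relationship with TargetMode="External" in word/_rels/document.xml.rels, which is what makes Word pull the RTF, and the RTF embeds an Equation Editor object for 11882. The Python below is an added triage example, not the paste author's tooling: it lists external relationship targets from an OOXML zip and flags RTF \objclass / \objdata that reference Equation Editor. Both sample documents are constructed in memory to mimic the shape of the attachments; only the payload host and file name come from this paste, the http:// scheme is assumed, and the CLSID constant is Microsoft Equation 3.0's.

```python
"""docx / RTF triage for the attachment chain in this paste.

Added example, not the paste author's tooling. The sample documents are
constructed in memory; only the external target URL is taken from the paste.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from typing import Dict, List, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Microsoft Equation 3.0 (EQNEDT32.EXE), the component targeted by CVE-2017-11882.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
# Same GUID as it is stored on disk / inside \objdata: Data1..Data3 little-endian.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship with
    TargetMode="External" in any .rels part of an OOXML zip. An oleObject or frame
    relationship whose target is an http(s) URL makes Word fetch a second-stage
    document when the file is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def rtf_equation_objects(rtf_bytes: bytes) -> Dict[str, object]:
    """Flag embedded objects that name Equation Editor, either in \\objclass or in
    the hex-encoded OLE1 stream under \\objdata. The class-name string and the
    CLSID survive in the stream even when \\objclass is left out to dodge scanners."""
    text = rtf_bytes.decode("latin-1")
    classes = re.findall(r"\\objclass\s+([A-Za-z0-9_.]+)", text)
    clsid_hit = False
    classname_hit = False
    for blob in re.findall(r"\\objdata\s*([0-9A-Fa-f\s]+)", text):
        clean = re.sub(r"\s+", "", blob)
        raw = bytes.fromhex(clean[: len(clean) - len(clean) % 2])  # drop a dangling nibble
        clsid_hit |= EQNEDT_CLSID_LE in raw
        classname_hit |= b"Equation." in raw
    return {
        "objclass": classes,
        "equation_objclass": any(c.lower().startswith("equation") for c in classes),
        "equation_in_objdata": classname_hit or clsid_hit,
    }


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal OOXML package with one external oleObject relationship."""
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%s/oleObject" Target="%s" TargetMode="External"/>'
        "</Relationships>"
    ) % (REL_NS, OFFICE_REL, OFFICE_REL, target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_rtf() -> bytes:
    """Constructed RTF whose \\objdata starts with an OLE1 header (version, format 2 =
    embedded, class-name length, "Equation.3") followed by a stand-in for the compound
    file in which the Equation Editor CLSID appears."""
    classname = b"Equation.3\x00"
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(classname).to_bytes(4, "little") + classname)
    objdata = (ole1 + b"\x00" * 8 + EQNEDT_CLSID_LE + b"\x00" * 16).hex()
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + objdata.encode() + b"}}}")


if __name__ == "__main__":
    docx = build_sample_docx("http://share.dmca.gripe/ItvsncjBnvcpjHkX.doc")
    for part, rtype, target in external_targets(docx):
        print("external rel in %s -> %s (%s)" % (part, target, rtype.rsplit("/", 1)[-1]))
    print(rtf_equation_objects(build_sample_rtf()))
```

Against the real attachments, pass the file bytes to external_targets() and rtf_equation_objects(); an external oleObject or frame target on an http(s) URL is the docx indicator, and the objdata CLSID check is there because exploit RTFs often omit \objclass.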

email_headers
--------------
Received: from sk.com ([180.166.191.164])
by srv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GITeKP080450
for <boss@org7.victim1.com>; Tue, 16 Oct 2018 21:29:42 +0300 (EEST)
(envelope-from tonykim87@sk.com)
Reply-To: silverlighttrading@live.com
From: Kim Young-jin Tony <tonykim87@sk.com>
To: boss@org7.victim1.com
Subject: Re: Re: Signed Contract Agreeement For You boss@org7.victim1.com
Date: 17 Oct 2018 02:29:27 +0800
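Two things in these headers are worth checking automatically: Reply-To routes replies to a webmail address while From claims sk.com, and the Subject embeds the recipient's own address, which is how a templated mass mailing looks. The Python below is an added example, not the paste author's tooling. SAMPLE_HEADERS is this paste's header block re-folded with leading whitespace on the Received continuation lines, as a real message would carry them; the FREEMAIL set is illustrative.

```python
"""Header checks for the lure in this paste. Added example, not from the original
paste. SAMPLE_HEADERS is the page's header block, re-folded so the parser sees one
Received header."""
import re
from email import message_from_string, policy
from typing import Dict, List, Optional

SAMPLE_HEADERS = (
    "Received: from sk.com ([180.166.191.164])\n"
    "\tby srv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GITeKP080450\n"
    "\tfor <boss@org7.victim1.com>; Tue, 16 Oct 2018 21:29:42 +0300 (EEST)\n"
    "\t(envelope-from tonykim87@sk.com)\n"
    "Reply-To: silverlighttrading@live.com\n"
    "From: Kim Young-jin Tony <tonykim87@sk.com>\n"
    "To: boss@org7.victim1.com\n"
    "Subject: Re: Re: Signed Contract Agreeement For You boss@org7.victim1.com\n"
    "Date: 17 Oct 2018 02:29:27 +0800\n"
    "\n"
)

# Illustrative list: a reply to a corporate sender should not end up at webmail.
FREEMAIL = {"live.com", "hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}


def _first_addr(msg, name: str) -> Optional[str]:
    """addr_spec of the first mailbox in an address header, or None if absent."""
    hdr = msg[name]
    if hdr is None or not hdr.addresses:
        return None
    return hdr.addresses[0].addr_spec


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage_headers(raw: str) -> Dict[str, object]:
    """Parse a raw header block and return the fields an analyst pivots on plus a
    list of heuristic findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = _first_addr(msg, "From")
    reply_to = _first_addr(msg, "Reply-To")
    to_addr = _first_addr(msg, "To")

    # Each hop prepends its own Received header, so the last one is the earliest
    # hop: the host that injected the message and the HELO/IP to verify.
    received = msg.get_all("Received") or []
    first_hop = str(received[-1]) if received else ""
    m_env = re.search(r"\(envelope-from ([^)\s]+)\)", first_hop)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)

    findings: List[str] = []
    if from_addr and reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply_to_domain_mismatch")
    if reply_to and _domain(reply_to) in FREEMAIL:
        findings.append("reply_to_freemail")
    subject = str(msg["Subject"] or "")
    if to_addr and to_addr in subject:
        findings.append("recipient_in_subject")

    return {
        "from": from_addr,
        "reply_to": reply_to,
        "envelope_from": m_env.group(1) if m_env else None,
        "first_hop_ip": m_ip.group(1) if m_ip else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for k, v in triage_headers(SAMPLE_HEADERS).items():
        print("%-14s %s" % (k, v))
```

What this cannot do offline is confirm that 180.166.191.164 is entitled to say HELO as sk.com; check the sender domain's SPF record and the IP's ownership before treating the From as spoofed rather than a compromised account.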

files
--------------
SHA-256 68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a
File name Contract_Agreement.pdf (!) contains Contract_Agreement.docx > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
File size 39.67 KB

SHA-256 77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d
File name Contract_Agreement.docx (!) > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
File size 12.75 KB

SHA-256 65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d
File name Contract_Agreement.doc (RTF) (!) > 11882 > GET exe
File size 53.38 KB

SHA-256 d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a
File name ItvsncjBnvcpjHkX.doc (RTF) (!) > 11882 > GET exe
File size 52.33 KB

SHA-256 b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704
File name mine001.exe > corrupted? (crashed on execution, see comp below)
File size 857 KB

activity
**************
payload share.dmca.gripe/ItvsncjBnvcpjHkX.doc
payload2 3arabsports.net/admin/mine001.exe

netwrk
--------------
n/a (exe crashed); expected SMTP exfiltration, see the @Techhelplistcom note above

comp
--------------
n/a - exe is corrupted/crashed

proc
--------------
n/a

persist
--------------
n/a (exe crashed); expected HKCU

drop
--------------
n/a

# # #
https://www.virustotal.com/#/file/68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a/details
https://www.virustotal.com/#/file/77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d/details
https://www.virustotal.com/#/file/65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d/details
https://www.virustotal.com/#/file/d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a/details
https://www.virustotal.com/#/domain/3arabsports.net
https://www.virustotal.com/#/file/b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704/details
https://analyze.intezer.com/#/analyses/e62ca4fd-b7f3-4d0e-a127-a32bc35a5e6f