API tools faq
paste
Advertisement
VRad

#Agenttesla_161018

VRad
Oct 19th, 2018
863
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.84 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #Agenttesla #RAT #Keylogger #NET #0199.19 #RTF #11882
  2.  
  3. https://pastebin.com/d5DxTRrB
  4. previous contact:
  5. 04/10/18 https://pastebin.com/JYShuXn4
  6. 11/10/18 https://pastebin.com/bkCSvJvM
  7. FAQ:
  8. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
  9.  
  10. from @Techhelplistcom :
  11. "smtp variant.
  12. sending to and from cwl.cus@cargoworldlogistics.in
  13. password is Cuscargo123+"
  14.  
  15. attack_vector
  16. --------------
  17. multiple email attach > (xml.rels) > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
  18.  
  19. email_headers
  20. --------------
  21. Received: from sk.com ([180.166.191.164])
  22. by srv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GITeKP080450
  23. for <boss@org7.victim1.com>; Tue, 16 Oct 2018 21:29:42 +0300 (EEST)
  24. (envelope-from tonykim87@sk.com)
  25. Reply-To: silverlighttrading@live.com
  26. From: Kim Young-jin Tony <tonykim87@sk.com>
  27. To: boss@org7.victim1.com
  28. Subject: Re: Re: Signed Contract Agreeement For You boss@org7.victim1.com
  29. Date: 17 Oct 2018 02:29:27 +0800
  30.  
  31. files
  32. --------------
  33. SHA-256 68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a
  34. File name Contract_Agreement.pdf (!) Contain Contract_Agreement.docx > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
  35. File size 39.67 KB
  36.  
  37. SHA-256 77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d
  38. File name Contract_Agreement.docx (!) > document.xml.rels > GET ItvsncjBnvcpjHkX.doc (RTF) > 11882 > GET exe
  39. File size 12.75 KB
  40.  
  41. SHA-256 65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d
  42. File name Contract_Agreement.doc (RTF) (!) > 11882 > GET exe
  43. File size 53.38 KB
  44.  
  45. SHA-256 d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a
  46. File name ItvsncjBnvcpjHkX.doc (RTF) (!) > 11882 > GET exe
  47. File size 52.33 KB
  48.  
  49. SHA-256 b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704
  50. File name mine001.exe > corrupted?
  51. File size 857 KB
  52.  
  53. activity
  54. **************
  55. payload share.dmca.gripe/ItvsncjBnvcpjHkX.doc
  56. payload2 3arabsports.net/admin/mine001.exe
  57.  
  58. netwrk
  59. --------------
  60. n/a, must be SMTP
  61.  
  62. comp
  63. --------------
  64. n/a - exe is corrupted/crashed
  65.  
  66. proc
  67. --------------
  68. n/a
  69.  
  70. persist
  71. --------------
  72. n/a, must be HCU
  73.  
  74. drop
  75. --------------
  76. n/a
  77.  
  78. # # #
  79. https://www.virustotal.com/#/file/68bdce3424d9a40d84430944185983281ddf9a91186291a4c6b19049d95c8d8a/details
  80. https://www.virustotal.com/#/file/77a2bdcd7bfa3d4ba7eea2539af3108c76615714a9a10eceb0dc997f045aa13d/details
  81. https://www.virustotal.com/#/file/65109c78e9d570b035d138ce4cc1c3a49652f0ef9d257b12e848612645620a1d/details
  82. https://www.virustotal.com/#/file/d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a/details
  83. https://www.virustotal.com/#/domain/3arabsports.net
  84. https://www.virustotal.com/#/file/b36264221df581616ff26ae39dbf0425bde324be75a94af3c90d100d0b702704/details
  85. https://analyze.intezer.com/#/analyses/e62ca4fd-b7f3-4d0e-a127-a32bc35a5e6f
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!