- #IOC #OptiData #VR #cve_2017_11882 #EQNEDT32.EXE #ARS_Loader #VBS #AgentTesla
- https://pastebin.com/fTQi4LSs
- previous_contact:
- 22/08/22 https://pastebin.com/3JGCE5hN
- 25/02/21 https://pastebin.com/YCVjJ8A6
- 10/02/21 https://pastebin.com/9JXvM5ix
- 07/12/20 https://pastebin.com/20AVUqZ6
- ...
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- attack_vector
- --------------
- email attachment .xlam > embedded OLE object triggers EQNEDT32.EXE (CVE-2017-11882) > powershell GET .vbs > powershell drops and decodes .txt (reversed Base64 PE) > RegAsm.exe hosts Agent Tesla > exfil over SMTP 587
- # # # # # # # #
- email_headers
- # # # # # # # #
- Subject: PURCHASE ORDER
- Received: from mail0.kijuso.com ([79.141.165.228])
- From: Alexandra Iordache <sales@kijuso.com>
- Date: 4 Sep 2023 21:55:18 -0700
- Message-ID: <20230904215518.9928252E6E5E2FBC@kijuso.com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 efcfc634c5c7f22eb1e2631e5c9b95812e218b8e949f7d49060c237ce1ce6050
- File name PURCHASE ORDER .xlam [OLE with CVE-2017-11882 exploit]
- File size 735.30 KB (752952 bytes)
- SHA-256 a6ef554485f41737fa531b9e3cd60c27ed677d1ac4c479e093b312c5dfd45a6e
- File name odumodu.vbs [ARS Loader]
- File size 186.67 KB (191152 bytes)
- SHA-256 637a144c6fd9c272a54dfa0afdb232409d1a73c4b0917517cba1e762d1b8b7c8
- File name abachauba.txt [reverse Base64 encoded Agent Tesla]
- File size 218.67 KB (223916 bytes)
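- Added example, not part of the original paste or of the ARS Loader/Agent Tesla code: a Python decoder for the "reverse Base64" stage that abachauba.txt represents. It assumes the transform is "Base64-encode the PE, then reverse the whole string" (the usual shape of this loader family; the paste does not spell it out), and it validates the result with a cheap PE header check so the script does not mistake garbage for a payload. The sample blob is constructed here from a fake PE stub; the real file is not reproduced.

```python
import base64
import re

# Constructed stand-in for abachauba.txt: a minimal fake PE image (MZ magic,
# e_lfanew at 0x3C pointing to a "PE\0\0" signature, some filler), Base64-encoded
# and then reversed character by character. Not the real sample's content.
_FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56 + (64).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\xcc" * 16)
SAMPLE_REVERSED_B64 = base64.b64encode(_FAKE_PE).decode()[::-1]


def _b64(text: str) -> bytes:
    """Strict Base64 decode after dropping whitespace and restoring any '=' padding
    that a dropper may have trimmed; raises ValueError on non-alphabet input."""
    text = re.sub(r"\s+", "", text)
    text += "=" * ((-len(text)) % 4)
    return base64.b64decode(text, validate=True)


def decode_reversed_base64(blob: str) -> bytes:
    """Undo the loader transform assumed here: reverse the string, then Base64-decode."""
    return _b64(blob[::-1])


def looks_like_pe(data: bytes) -> bool:
    """PE sanity check: 'MZ' magic and an e_lfanew (offset 0x3C) that lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: str):
    """Try the plain reading first, then the reversed one; return (mode, bytes) for
    the first decode that is PE-shaped, or (None, b'') if neither is."""
    for mode, decoder in (("plain", _b64), ("reversed", decode_reversed_base64)):
        try:
            data = decoder(blob)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(data):
            return mode, data
    return None, b""


if __name__ == "__main__":
    mode, payload = recover_payload(SAMPLE_REVERSED_B64)
    print(f"mode={mode} size={len(payload)} pe={looks_like_pe(payload)}")
```

Run it against a captured .txt by reading the file into `recover_payload`; the PE check is what keeps a successful-but-wrong decode (a reversed blob read forwards still decodes cleanly) from being written out as the payload.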
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR h11p:\\94.156.253{ .247/odumodu.vbs [loader]
- h11ps:\\uploaddeimagens{ .com{ .br/images/004/563/621/original/universo_vbs.jpeg?1690931855 + h11p:\\94.156.253{ .247/abachauba.txt [Agent Tesla]
- C2 194.36.191.196 mail{ .sokilitok{ .info 587
- netwrk
- --------------
- 94.156.253.247 80 HTTP GET /odumodu.vbs HTTP/1.1 Mozilla/4.0
- 188.114.97.9 uploaddeimagens{ .com.br 443 TLSv1 Client Hello
- 94.156.253.247 80 HTTP GET /abachauba.txt HTTP/1.1
- 194.36.191.196 mail{ .sokilitok{ .info 587 TLSv1.2 Client Hello
- comp
- --------------
- RegAsm.exe 194.36.191.196 587 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
- {another_context}
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\nogoforget.vbs"
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command...
- "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\Temporary Internet Files\Content.IE5\JB5KY3IZ\odumodu[1].vbs
- C:\Users\operator\AppData\Roaming\nogoforget.vbs
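- Added example, not from the original paste: Python detection logic for the process chain and egress listed under proc, netwrk and drop above. It runs over constructed telemetry modelled on those lines (field names, pids and the parent/child links are this example's assumptions, not real EDR output; EQNEDT32.EXE is given a non-Office parent because the paste marks it as running in another context, as the DCOM launcher starts it). The rules key on what the chain actually exposes: any child of EQNEDT32.EXE, a script host running a .vbs out of AppData, hidden PowerShell with execution policy bypass, and RegAsm.exe started without arguments and then talking to an SMTP port.

```python
import re

# Constructed telemetry modelled on the proc / netwrk / drop sections of the paste.
EVENTS = [
    {"kind": "proc", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'},
    # EQNEDT32 is launched out-of-process (DCOM), so its parent is not EXCEL.EXE
    {"kind": "proc", "pid": 101, "ppid": 2,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"kind": "proc", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...'},
    {"kind": "proc", "pid": 103, "ppid": 102,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\nogoforget.vbs"'},
    {"kind": "proc", "pid": 104, "ppid": 103,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ...'},
    {"kind": "proc", "pid": 105, "ppid": 104,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"kind": "net", "pid": 105, "dst": "194.36.191.196", "dport": 587},
    # benign control: an administrator registering an assembly, no network activity
    {"kind": "proc", "pid": 300, "ppid": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /codebase MyLib.dll"},
]

DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
SMTP_PORTS = {25, 465, 587}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
APPDATA_SCRIPT = re.compile(r'\\appdata\\(roaming|local\\temp)\\[^"]+\.(vbs|vbe|js|jse|wsf)\b')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image path."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else cmdline.strip()


def process_map(events):
    return {e["pid"]: e for e in events if e["kind"] == "proc"}


def ancestry(procs, pid):
    """Image basenames from pid up to the root we have telemetry for (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = process_map(events)
    hits = []
    for e in events:
        if e["kind"] == "proc":
            img, cmd = basename(e["image"]), e["cmdline"].lower()
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) == "eqnedt32.exe":
                hits.append(("eqnedt32_child_process", e["pid"]))   # Equation Editor never spawns children
            if img in SCRIPT_HOSTS and APPDATA_SCRIPT.search(cmd):
                hits.append(("script_host_from_appdata", e["pid"]))
            if img == "powershell.exe" and "-windowstyle hidden" in cmd \
                    and re.search(r"-executionpolicy\s+bypass", cmd):
                hits.append(("powershell_hidden_bypass", e["pid"]))
            if img in DOTNET_UTILITIES and not args_after_image(e["cmdline"]):
                hits.append(("dotnet_utility_no_args", e["pid"]))     # hollowing target
        elif e["kind"] == "net":
            p = procs.get(e["pid"])
            if p and basename(p["image"]) in DOTNET_UTILITIES and e["dport"] in SMTP_PORTS:
                hits.append(("dotnet_utility_smtp_egress", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<28} pid={pid} chain={' <- '.join(ancestry(process_map(EVENTS), pid))}")
```

The no-argument RegAsm.exe rule is what separates the hollowed host from an administrator's `RegAsm.exe /codebase ...`, and the SMTP rule catches the stage the paste records as established in the comp section; either alone is noisy, the ancestry chain ending in EQNEDT32.EXE is what makes the alert worth paging on.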
- # # # # # # # #
- additional info
- # # # # # # # #
- https://bazaar.abuse.ch/browse/tag/chi28--awelleh3-top/ by @JAMESWT_MHT https://twitter.com/JAMESWT_MHT
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/efcfc634c5c7f22eb1e2631e5c9b95812e218b8e949f7d49060c237ce1ce6050/details
- https://analyze.intezer.com/analyses/fce1aa61-c293-4a31-a7e7-ff6e314e5e63/iocs
- https://www.virustotal.com/gui/file/a6ef554485f41737fa531b9e3cd60c27ed677d1ac4c479e093b312c5dfd45a6e/details
- https://analyze.intezer.com/analyses/68b968f0-e710-4570-aa80-fd07478cc174
- https://www.virustotal.com/gui/file/637a144c6fd9c272a54dfa0afdb232409d1a73c4b0917517cba1e762d1b8b7c8/details
- VR