- #IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882
- https://pastebin.com/JYShuXn4
- FAQ:
- https://radetskiy.wordpress.com/?s=11882
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- schema
- --------------
- email > attach (RTF) > CVE-2017-11882 (EQNEDT32.EXE) > GET > .exe
- email_headers
- --------------
- Received: from baichuan.com.tw (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
- by mail2.victim.com for <user2@org2.victim.com>; Thu, 4 Oct 2018 23:05:31 +0300 (EEST)
- (envelope-from info@baichuan.com.tw)
- Reply-To: CHUAN ENTERPRISE <info@baichuan.com.tw>
- From: "CHUAN ENTERPRISE" <info@baichuan.com.tw>
- To: user2@org2.victim.com
- Subject: Our New Quotation
- Date: 04 Oct 2018 13:05:11 -0700
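Added example (not part of the original paste): a small triage script for the headers quoted above. It rebuilds the header block from the lines on this page (victim names as printed there, folding as an MTA writes it) and reports what an analyst reads off it: the "(may be forged)" annotation, which is the sendmail-style marker that the connecting host's PTR name did not forward-resolve to its IP; the gap between the HELO name and the actual connecting host; the fact that HELO, From and envelope-from all claim the same domain while delivery comes from an unrelated host; and the Date-to-Received transit time. The regex and the helper names are this example's own, not anything from the page.

```python
"""Triage of the phishing e-mail headers above (added example, not from the paste)."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed input: the headers quoted on this page, folded as an MTA writes them.
RAW_HEADERS = (
    "Received: from baichuan.com.tw (hosted-by.blazingfast.io [188.209.52.205] (may be forged))\n"
    "\tby mail2.victim.com for <user2@org2.victim.com>; Thu, 4 Oct 2018 23:05:31 +0300 (EEST)\n"
    "\t(envelope-from info@baichuan.com.tw)\n"
    "Reply-To: CHUAN ENTERPRISE <info@baichuan.com.tw>\n"
    'From: "CHUAN ENTERPRISE" <info@baichuan.com.tw>\n'
    "To: user2@org2.victim.com\n"
    "Subject: Our New Quotation\n"
    "Date: 04 Oct 2018 13:05:11 -0700\n"
    "\n"
)

# "from <HELO name> (<PTR name> [<ip>] (may be forged)?)"  -- sendmail-style clause
FROM_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged> \(may be forged\))?\)"
)


def parse_received(value: str) -> dict:
    """Pull HELO, PTR name, IP, forged flag, envelope-from and timestamp out of one Received header."""
    value = " ".join(value.split())  # unfold continuation lines
    m = FROM_RE.search(value)
    if m is None:
        raise ValueError("unrecognised Received header: " + value)
    info = m.groupdict()
    info["forged"] = info["forged"] is not None
    env = re.search(r"\(envelope-from ([^)\s]+)\)", value)
    info["envelope_from"] = env.group(1) if env else ""
    # the timestamp follows the last ';' and ends at the first '(' comment
    stamp = value.rsplit(";", 1)[1].split("(", 1)[0].strip()
    info["received_at"] = parsedate_to_datetime(stamp)
    return info


def related(host: str, domain: str) -> bool:
    """Crude ownership test: one name equals the other or sits beneath it."""
    h, d = host.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d) or d.endswith("." + h)


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw)
    rcv = parse_received(msg["Received"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    env_domain = rcv["envelope_from"].rpartition("@")[2]
    transit = (rcv["received_at"] - parsedate_to_datetime(msg["Date"])).total_seconds()
    findings = []
    if rcv["forged"]:
        findings.append("MTA could not verify the connecting host's PTR name ('may be forged')")
    rdns_mismatch = not related(rcv["rdns"], rcv["helo"])
    if rdns_mismatch:
        findings.append(f"HELO {rcv['helo']} unrelated to connecting host {rcv['rdns']} [{rcv['ip']}]")
    if rdns_mismatch and related(rcv["helo"], from_domain) and related(env_domain, from_domain):
        findings.append(f"{from_domain} claimed in HELO, From and envelope-from, "
                        "but delivered from an unrelated host (domain impersonation)")
    if transit < 0 or transit > 86400:
        findings.append(f"Date header inconsistent with delivery time ({transit:.0f}s)")
    return {
        "helo": rcv["helo"], "rdns": rcv["rdns"], "ip": rcv["ip"],
        "forged": rcv["forged"], "rdns_mismatch": rdns_mismatch,
        "from_domain": from_domain, "transit_seconds": transit, "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(RAW_HEADERS)["findings"]:
        print("-", line)
```

The 20-second transit between the Date header and the Received stamp is consistent, so the signal here is not timing but the sender identity: a hosting-provider box asserting a trading company's domain in every place the recipient's client will show.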
- files
- --------------
- SHA-256 60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070
- File name OUR NEW ORDER.dat
- File size 8.16 KB
- SHA-256 8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d
- File name U.exe
- File size 529 KB
- payload_sources
- --------------
- 202.143.99.109 modimedia{.}in
- activity
- **************
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
- "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
- "C:\Windows\System32\eventvwr.exe"
- "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
- "C:\tmp\d1aa47d0-9602-4db5-b86c-fd55bdf26098.exe" C:\tmp\1b7d96b9-b11b-40b0-9f9c-2719884c5bd7.tmp
- netwrk
- --------------
- 202.143.99.109 modimedia{.}in GET /zom/U.exe HTTP/1.1 Mozilla/4.0
- 216.146.38.70 checkip.dyndns{.}org GET / HTTP/1.1
- 204.141.43.210 S: 220 mx.zohomail{.}com SMTP Server
- comp
- --------------
- EQNEDT32.EXE 1668 202.143.99.109 80 ESTABLISHED
- [System Process] 0 216.146.38.70 80 TIME_WAIT
- namegsdsgd.exe 3304 204.141.43.210 587 ESTABLISHED > smtp.zoho(!)
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05.10.2018 16:34
- MyOtApp c:\tmp\myotapp\myotapp.exe 29.01.1992 1:03
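Added example (not code from the paste): the proc, netwrk, comp and persist observations above replayed as Sysmon-style events with a handful of behavioural rules plus plain IOC matching run over them. The rules are the ones this chain makes obvious: Equation Editor opening a network connection, Equation Editor spawning a child, a binary under a user-writable path speaking SMTP, eventvwr.exe started by such a binary, and a Run key pointing into a user-writable path. The parent/child links (svchost -> EQNEDT32.EXE for the "-Embedding" DCOM launch, EQNEDT32.EXE -> namegsdsgd.exe, namegsdsgd.exe -> eventvwr.exe), the SHA-256 attached to the AppData copy, and the benign chrome.exe control event are assumptions made for the constructed sample; the page lists the processes without their parents.

```python
"""Detection over the host artefacts above (added example, not from the paste)."""
import ntpath
from dataclasses import dataclass

# IOCs taken verbatim from this page
IOC_IPS = {"202.143.99.109", "216.146.38.70", "204.141.43.210"}
IOC_SHA256 = {
    "60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070",  # OUR NEW ORDER.dat
    "8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d",  # U.exe
}
SMTP_PORTS = {25, 465, 587}
# Directories a standard user can write to; this sample staged in %APPDATA%\Roaming and C:\tmp.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "c:\\tmp\\", "\\temp\\")
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\operator\AppData\Roaming\namegsdsgd.exe"


@dataclass
class Event:
    kind: str           # "process" | "network" | "registry"
    image: str          # full path of the acting process
    parent: str = ""    # parent image (process events)
    sha256: str = ""    # image hash, if the sensor provides it
    dest_ip: str = ""   # network events
    dest_port: int = 0
    key: str = ""       # registry events
    data: str = ""


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def scan(events):
    """Return (rule_name, detail) pairs for every event that trips a rule."""
    alerts = []
    for e in events:
        img, par = base(e.image), base(e.parent)
        if e.kind == "network":
            # Equation Editor has no reason to touch the network; here it fetches U.exe over HTTP.
            if img == "eqnedt32.exe":
                alerts.append(("eqnedt32_network", f"{img} -> {e.dest_ip}:{e.dest_port}"))
            # A binary in a user-writable directory speaking SMTP: the keylogger mailing out.
            if e.dest_port in SMTP_PORTS and in_user_dir(e.image):
                alerts.append(("user_dir_smtp", f"{e.image} -> {e.dest_ip}:{e.dest_port}"))
            if e.dest_ip in IOC_IPS:
                alerts.append(("ioc_ip", e.dest_ip))
        elif e.kind == "process":
            if par == "eqnedt32.exe":
                alerts.append(("eqnedt32_child", f"{par} -> {e.image}"))
            # eventvwr.exe auto-elevates; a parent in a user-writable directory is worth a look.
            if img == "eventvwr.exe" and in_user_dir(e.parent):
                alerts.append(("eventvwr_user_parent", f"{e.parent} -> {e.image}"))
            if e.sha256 in IOC_SHA256:
                alerts.append(("ioc_sha256", e.sha256))
        elif e.kind == "registry":
            if "\\currentversion\\run" in e.key.lower() and in_user_dir(e.data):
                alerts.append(("run_key_user_dir", f"{e.key} = {e.data}"))
    return alerts


# Constructed sample: the chain on this page as events (parents and the dropper hash are assumed).
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
          parent=r"C:\Windows\explorer.exe"),
    Event("process", EQNEDT, parent=r"C:\Windows\System32\svchost.exe"),  # '-Embedding' DCOM launch
    Event("network", EQNEDT, dest_ip="202.143.99.109", dest_port=80),
    Event("process", DROPPER, parent=EQNEDT,
          sha256="8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d"),
    Event("process", r"C:\Windows\System32\eventvwr.exe", parent=DROPPER),
    Event("network", DROPPER, dest_ip="204.141.43.210", dest_port=587),
    Event("registry", DROPPER, key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          data=r"c:\tmp\myotapp\myotapp.exe"),
    # benign control event (constructed): nothing should fire on it
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_ip="203.0.113.10", dest_port=443),
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The IP and hash sets will go stale; the behavioural rules (Equation Editor with a socket or a child, SMTP from %APPDATA%, Run key into C:\tmp) are what keep catching the next build of the same loader.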
- # # #
- https://www.virustotal.com/#/file/60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070/community
- https://www.virustotal.com/#/file/8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d/community
- https://analyze.intezer.com/#/analyses/9d1f4f9f-23fe-4fa6-95fd-ded6a9454c7e