API tools faq
paste
Advertisement
VRad

#AgentTesla_041018

VRad
Oct 6th, 2018
5,702
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.34 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882
  2.  
  3. https://pastebin.com/JYShuXn4
  4. FAQ:
  5. https://radetskiy.wordpress.com/?s=11882
  6. https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
  7.  
  8. shema
  9. --------------
  10. email > attach (RTF) > 11-882 > GET > .exe
  11.  
  12. email_headers
  13. --------------
  14. Received: from baichuan.com.tw (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
  15. by mail2.victim.com for <user2@org2.victim.com>; Thu, 4 Oct 2018 23:05:31 +0300 (EEST)
  16. (envelope-from info@baichuan.com.tw)
  17. Reply-To: CHUAN ENTERPRISE <info@baichuan.com.tw>
  18. From: "CHUAN ENTERPRISE" <info@baichuan.com.tw>
  19. To: user2@org2.victim.com
  20. Subject: Our New Quotation
  21. Date: 04 Oct 2018 13:05:11 -0700
  22.  
  23. files
  24. --------------
  25. SHA-256 60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070
  26. File name OUR NEW ORDER.dat
  27. File size 8.16 KB
  28.  
  29. SHA-256 8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d
  30. File name U.exe
  31. File size 529 KB
  32.  
  33. payload_sources
  34. --------------
  35. 202.143.99.109 modimedia{.} in
  36.  
  37. activity
  38. **************
  39.  
  40. proc
  41. --------------
  42. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  43. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  44. "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
  45. "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
  46. "C:\Windows\System32\eventvwr.exe"
  47. "C:\Users\operator\AppData\Roaming\namegsdsgd.exe"
  48. "C:\tmp\d1aa47d0-9602-4db5-b86c-fd55bdf26098.exe" C:\tmp\1b7d96b9-b11b-40b0-9f9c-2719884c5bd7.tmp
  49.  
  50. netwrk
  51. --------------
  52. 202.143.99.109 modimedia{.} in GET /zom/U.exe HTTP/1.1 Mozilla/4.0
  53. 216.146.38.70 checkip.dyndns{.} org GET / HTTP/1.1
  54. 204.141.43.210 S: 220 mx.zohomail{.} com SMTP Server
  55.  
  56. comp
  57. --------------
  58. EQNEDT32.EXE 1668 202.143.99.109 80 ESTABLISHED
  59. [System Process] 0 216.146.38.70 80 TIME_WAIT
  60. namegsdsgd.exe 3304 204.141.43.210 587 ESTABLISHED > smtp.zoho(!)
  61.  
  62. persist
  63. --------------
  64. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05.10.2018 16:34
  65. MyOtApp c:\tmp\myotapp\myotapp.exe 29.01.1992 1:03
  66.  
  67. # # #
  68. https://www.virustotal.com/#/file/60a27c3beb52b600ee4b7aff6dbaaf2ec34b917dba86e024a47efb7daaca8070/community
  69. https://www.virustotal.com/#/file/8364a8aeee4bd52fd498428d9438e50d8a182d95f914909a45f4405a06fa406d/community
  70. https://analyze.intezer.com/#/analyses/9d1f4f9f-23fe-4fa6-95fd-ded6a9454c7e
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!