- #IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882
- https://pastebin.com/bkCSvJvM
- previous_contact:
- https://pastebin.com/JYShuXn4
- FAQ:
- https://radetskiy.wordpress.com/?s=11882
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- attack_vector
- --------------
- email (attach) RTF > CVE-2017-11882 (EQNEDT32.EXE) > GET /zwe/tt.exe > %temp%\MyOtApp\MyOtApp.exe
- email_headers
- --------------
- Received: from balaban54.com (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
- by srv3.victim1.com (8.15.2/8.15.2) with ESMTP id w9B92O6x072468
- for <user0@org5.victim1.com>; Thu, 11 Oct 2018 12:02:24 +0300 (EEST)
- (envelope-from info@balaban54.com)
- Reply-To: BALABAN GLOBAL TRADING COMPANIES <info@balaban54.com>
- From: "BALABAN GLOBAL TRADING COMPANIES" <info@balaban54.com>
- To: user0@org5.victim1.com
- Subject: KINDLY ATTEND TO OUR RFQ
- Date: 11 Oct 2018 02:02:15 -0700
- email_subjects
- --------------
- KINDLY ATTEND TO OUR RFQ
- files
- --------------
- SHA-256 2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998
- File name Quotation-1.doc
- File size 8.14 KB
- SHA-256 2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027
- File name tt.exe (PE; DOS stub text "!..This program must be run under Win32")
- File size 632 KB
- activity
- **************
- netwrk
- --------------
- 111.118.215.27 lockoutindia{.} com GET /zwe/tt.exe HTTP/1.1 Mozilla/4.0
- 216.146.43.71 checkip.dyndns{.} org GET / HTTP/1.1
- DNS (mail server lookup) standard query response 0x2ffe: smtp.egest-eg{.} com CNAME us2.smtp.mailhostbox{.} com
- A 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224 (!) SMTP, see comp: namehdtfhrf.exe -> 208.91.198.143:25
- comp
- --------------
- EQNEDT32.EXE 2424 111.118.215.27 80 ESTABLISHED
- [System Process] 0 216.146.43.71 80 TIME_WAIT
- namehdtfhrf.exe 3068 208.91.198.143 25 SYN_SENT
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Users\operator\AppData\Roaming\namehdtfhrf.exe"
- "C:\Windows\System32\eventvwr.exe"
- "C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe" C:\tmp\3382a653-d961-4e00-b429-50a18e4a7fc0.tmp
- "C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe" C:\tmp\8ad986ff-cc55-4a6a-91ac-6a48c89ba336.tmp
- "C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe" C:\tmp\8fe3b2a2-8f4c-4c22-a591-c689c77342e8.tmp
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11.10.2018 21:08
- MyOtApp c:\tmp\myotapp\myotapp.exe 02.02.1992 9:11
- drop
- --------------
- C:\tmp\MyOtApp\MyOtApp.exe
- C:\tmp\15610947-2987-4d1b-8f5a-71573168b9ca.exe
- C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe
- C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe
- C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe
- C:\Users\operator\AppData\Roaming\namehdtfhrf.exe
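Added detection example (not code from the paste's author): four hunting rules derived from the comp / proc / netwrk / persist sections above, run over constructed Sysmon-style events that mirror this case. The event field names, the MAIL_CLIENTS allow-list and the USER_WRITABLE path regex are assumptions to tune per environment.

```python
import re

# Paths a process running as the logged-on user can write to. The dropper in
# this case used C:\tmp (the sandbox %temp%) and AppData\Roaming. Assumed
# list; extend for your estate.
USER_WRITABLE = re.compile(
    r"^(?:c:\\tmp\\|c:\\users\\[^\\]+\\appdata\\|c:\\windows\\temp\\)", re.I
)
# Processes expected to talk SMTP; anything else reaching TCP/25 is suspect
# (Agent Tesla exfiltrates over SMTP, compare namehdtfhrf.exe -> :25 above).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list


def image_name(path):
    """Lowercase basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Run four IOC-derived rules over Sysmon-style events, return findings."""
    findings = []
    for ev in events:
        kind = ev["type"]
        name = image_name(ev.get("image", ""))
        if kind == "process" and name == "eqnedt32.exe":
            # R1: Equation Editor starting at all (COM "-Embedding" launch
            # from an RTF) is the CVE-2017-11882 exploitation stage.
            findings.append(f"R1 eqnedt32 launched pid={ev['pid']} cmd={ev['cmdline']}")
        elif kind == "network" and name == "eqnedt32.exe":
            # R2: Equation Editor has no business opening sockets; here it
            # fetched /zwe/tt.exe over HTTP.
            findings.append(f"R2 eqnedt32 network pid={ev['pid']} -> {ev['dst_ip']}:{ev['dst_port']}")
        elif kind == "network" and ev["dst_port"] == 25 and name not in MAIL_CLIENTS:
            # R3: SMTP from a non-mail binary (exfil to mailhostbox here).
            findings.append(f"R3 smtp from non-mail process {name} -> {ev['dst_ip']}:25")
        elif (kind == "registry"
              and ev["key"].lower().endswith("\\currentversion\\run")
              and USER_WRITABLE.match(ev["data"])):
            # R4: Run-key autostart pointing into a user-writable directory.
            findings.append(f"R4 run key {ev['value']} -> user-writable {ev['data']}")
    return findings


# Constructed sample telemetry modelled on the paste (not real host logs).
# Two benign entries (OUTLOOK to :25, OneDrive Run key) check for false hits.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1336,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n /dde"},
    {"type": "process", "pid": 2424,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"type": "network", "pid": 2424,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dst_ip": "111.118.215.27", "dst_port": 80},
    {"type": "network", "pid": 3068,
     "image": r"C:\Users\operator\AppData\Roaming\namehdtfhrf.exe",
     "dst_ip": "208.91.198.143", "dst_port": 25},
    {"type": "network", "pid": 4012,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE",
     "dst_ip": "10.0.0.5", "dst_port": 25},
    {"type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "MyOtApp", "data": r"c:\tmp\myotapp\myotapp.exe"},
    {"type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the sample events the rules fire exactly once each (R1 through R4) and stay silent on the OUTLOOK and OneDrive entries. R1 is the noisiest of the four on unpatched Office 2007/2010 estates that still carry EQNEDT32.EXE, so weight it lower than R2, which should never fire legitimately.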
- # # #
- https://www.virustotal.com/#/file/2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998/community
- https://www.virustotal.com/#/file/2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027/community
- https://analyze.intezer.com/#/analyses/6cb94330-23ee-4756-8755-3b714d671cd3
- Agent Tesla: a .NET-based keylogger and RAT readily available to actors. It logs keystrokes and the host's clipboard and beacons this information back to the C2.