#IOC #OptiData #VR #tvrat #teamviewer #rat
https://pastebin.com/mxZdTDsp

attack_vector
--------------
email attach (.pdf.scr) > %temp%\1.exe > AppData\Roaming\d4igle\svcc.exe

email_headers
--------------
n/a

files
--------------
SHA-256 046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e
File name Витяг Миколів.pdf .7z [7-zip archive data, version 0.4]
File size 4.19 MB

SHA-256 e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb
File name Витяг Миколів.pdf .scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 4.56 MB

SHA-256 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
File name 1.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 4 MB

SHA-256 478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08
File name 2.pdf [PDF document, version 1.7]
File size 89.5 KB

SHA-256 99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8
File name svcc.exe [PE32 executable (GUI) Intel 80386, for MS Windows] Signed file, valid signature(!)
File size 10.13 MB

activity
**************

netwrk
--------------
ssl
52.232.106.174 client.teamviewer.com Client Hello

http
23.62.99.57 ocsp.usertrust.com GET /MFEwTzBNMEswS... HTTP/1.1 Microsoft-CryptoAPI/6.1
95.100.97.19 ocsp.comodoca.com GET /MFEwTzBNME HTTP/1.1 Microsoft-CryptoAPI/6.1
162.241.201.229 GET /stats/update.php?id=xxxxxxxxxx&stat=db****** HTTP/1.1 Mozilla/5.0 (Windows NT 5.1)

comp
--------------
[system] localhost 49295 188.172.246.189 5938 TIME_WAIT
[system] localhost 49301 52.232.106.174 443 TIME_WAIT
lsass.exe localhost 49302 23.62.99.57 80 ESTABLISHED
lsass.exe localhost 49303 95.100.97.19 80 ESTABLISHED
svcc.exe localhost 49300 169.50.154.229 5938 ESTABLISHED
svcc.exe localhost 49304 162.241.201.229 80 ESTABLISHED

[system] localhost 49295 at-vie-anx-p002.teamviewer.com 5938 TIME_WAIT
[system] localhost 49301 52.232.106.174 https TIME_WAIT
lsass.exe localhost 49302 a23-62-99-57.deploy.static.akamaitechnologies.com http ESTABLISHED
lsass.exe localhost 49303 a95-100-97-19.deploy.static.akamaitechnologies.com http ESTABLISHED
svcc.exe localhost 49300 nl-ams-ibm-r004.teamviewer.com 5938 ESTABLISHED
svcc.exe localhost 49305 162-241-201-229.unifiedlayer.com http CLOSE_WAIT

proc
--------------
"C:\Users\operator\Desktop\Витяг Миколів.pdf .scr" /S
C:\tmp\1.exe
C:\Windows\system32\cmd.exe /C "m6u1dx.exe x -p5daab0f3137c3ec2ea276b3f269e0a07 C:\tmp\g0plvgq94xol.bmp -aoa -oC:\Users\operator\AppData\Roaming"
C:\Windows\system32\cmd.exe /C "start "" C:\Users\operator\AppData\Roaming\d4igle\svcc.exe"
"C:\Program Files\PDF\PDFXCview.exe" "C:\tmp\2.pdf"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08.02.2019 19:43
svcc
TeamViewer 8 TeamViewer GmbH
c:\users\operator\appdata\roaming\d4igle\svcc.exe 03.06.2015 18:09

drop
--------------
C:\tmp\1.exe
C:\tmp\2.pdf
C:\Users\operator\AppData\Roaming\d4igle\ (exe, dll)
C:\Users\operator\AppData\Roaming\d4igle\svcc.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Desktop.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Resource_en.dll
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_StaticRes.dll
C:\Users\operator\AppData\Roaming\d4igle\x64\install.exe
C:\Users\operator\AppData\Roaming\d4igle\x86\install.exe

# # #
https://www.virustotal.com/#/file/046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e/details
https://www.virustotal.com/#/file/e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb/details
https://analyze.intezer.com/#/analyses/294d6450-1b46-4e66-a2f1-6cec49d47c43
https://www.virustotal.com/#/file/5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210/details
https://analyze.intezer.com/#/analyses/478074ad-485d-44b3-8016-d3a2265661bd
https://www.virustotal.com/#/file/478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08/details
https://www.virustotal.com/#/file/99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8/details
https://analyze.intezer.com/#/analyses/ae27b5bb-5ad7-4f5a-a211-820fd2ebe9be

VR @