VRad

#tvrat_010219

Feb 13th, 2019
#IOC #OptiData #VR #tvrat #teamviewer #rat

https://pastebin.com/mxZdTDsp

attack_vector
--------------
email attach (.pdf.scr) > %temp%\1.exe > AppData\Roaming\d4igle\svcc.exe

email_headers
--------------
n/a

files
--------------
SHA-256 046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e
File name Витяг Миколів.pdf .7z [7-zip archive data, version 0.4]
File size 4.19 MB

SHA-256 e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb
File name Витяг Миколів.pdf .scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 4.56 MB

SHA-256 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
File name 1.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 4 MB

SHA-256 478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08
File name 2.pdf [PDF document, version 1.7]
File size 89.5 KB

SHA-256 99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8
File name svcc.exe [PE32 executable (GUI) Intel 80386, for MS Windows] Signed file, valid signature(!)
File size 10.13 MB

activity
**************

netwrk
--------------
ssl
52.232.106.174 client.teamviewer.com Client Hello

http
23.62.99.57 ocsp.usertrust.com GET /MFEwTzBNMEswS... HTTP/1.1 Microsoft-CryptoAPI/6.1
95.100.97.19 ocsp.comodoca.com GET /MFEwTzBNME HTTP/1.1 Microsoft-CryptoAPI/6.1

162.241.201.229 GET /stats/update.php?id=xxxxxxxxxx&stat=db****** HTTP/1.1 Mozilla/5.0 (Windows NT 5.1)

comp
--------------
[system] localhost 49295 188.172.246.189 5938 TIME_WAIT
[system] localhost 49301 52.232.106.174 443 TIME_WAIT
lsass.exe localhost 49302 23.62.99.57 80 ESTABLISHED
lsass.exe localhost 49303 95.100.97.19 80 ESTABLISHED
svcc.exe localhost 49300 169.50.154.229 5938 ESTABLISHED
svcc.exe localhost 49304 162.241.201.229 80 ESTABLISHED

[system] localhost 49295 at-vie-anx-p002.teamviewer.com 5938 TIME_WAIT
[system] localhost 49301 52.232.106.174 https TIME_WAIT
lsass.exe localhost 49302 a23-62-99-57.deploy.static.akamaitechnologies.com http ESTABLISHED
lsass.exe localhost 49303 a95-100-97-19.deploy.static.akamaitechnologies.com http ESTABLISHED
svcc.exe localhost 49300 nl-ams-ibm-r004.teamviewer.com 5938 ESTABLISHED
svcc.exe localhost 49305 162-241-201-229.unifiedlayer.com http CLOSE_WAIT

proc
--------------
"C:\Users\operator\Desktop\Витяг Миколів.pdf .scr" /S
C:\tmp\1.exe
C:\Windows\system32\cmd.exe /C "m6u1dx.exe x -p5daab0f3137c3ec2ea276b3f269e0a07 C:\tmp\g0plvgq94xol.bmp -aoa -oC:\Users\operator\AppData\Roaming"
C:\Windows\system32\cmd.exe /C "start "" C:\Users\operator\AppData\Roaming\d4igle\svcc.exe"
"C:\Program Files\PDF\PDFXCview.exe" "C:\tmp\2.pdf"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08.02.2019 19:43
svcc
TeamViewer 8 TeamViewer GmbH
c:\users\operator\appdata\roaming\d4igle\svcc.exe 03.06.2015 18:09

drop
--------------
C:\tmp\1.exe
C:\tmp\2.pdf
C:\Users\operator\AppData\Roaming\d4igle\ exe, dll
C:\Users\operator\AppData\Roaming\d4igle\svcc.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Desktop.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Resource_en.dll
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_StaticRes.dll
C:\Users\operator\AppData\Roaming\d4igle\x64\install.exe
C:\Users\operator\AppData\Roaming\d4igle\x86\install.exe

# # #
https://www.virustotal.com/#/file/046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e/details
https://www.virustotal.com/#/file/e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb/details
https://analyze.intezer.com/#/analyses/294d6450-1b46-4e66-a2f1-6cec49d47c43
https://www.virustotal.com/#/file/5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210/details
https://analyze.intezer.com/#/analyses/478074ad-485d-44b3-8016-d3a2265661bd
https://www.virustotal.com/#/file/478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08/details
https://www.virustotal.com/#/file/99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8/details
https://analyze.intezer.com/#/analyses/ae27b5bb-5ad7-4f5a-a211-820fd2ebe9be

VR

@