#tvrat_010219

VRad Feb 13th, 2019 (edited) 475 Never
#IOC #OptiData #VR #tvrat #teamviewer #rat

https://pastebin.com/mxZdTDsp

attack_vector
--------------
email attach (.pdf.scr) > %temp%\1.exe > AppData\Roaming\d4igle\svcc.exe

email_headers
--------------
n/a

files
--------------
SHA-256 046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e
File name   Витяг Миколів.pdf  .7z  [7-zip archive data, version 0.4]
File size   4.19 MB

SHA-256 e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb
File name   Витяг Миколів.pdf  .scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   4.56 MB

SHA-256 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
File name   1.exe           [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   4 MB

SHA-256 478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08
File name   2.pdf           [PDF document, version 1.7]
File size   89.5 KB

SHA-256 99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8
File name   svcc.exe        [PE32 executable (GUI) Intel 80386, for MS Windows] Signed file, valid signature(!)
File size   10.13 MB

activity
**************

netwrk
--------------
ssl
52.232.106.174  client.teamviewer.com       Client Hello

http
23.62.99.57 ocsp.usertrust.com  GET /MFEwTzBNMEswS... HTTP/1.1  Microsoft-CryptoAPI/6.1
95.100.97.19    ocsp.comodoca.com   GET /MFEwTzBNME HTTP/1.1    Microsoft-CryptoAPI/6.1

162.241.201.229 GET /stats/update.php?id=xxxxxxxxxx&stat=db****** HTTP/1.1  Mozilla/5.0 (Windows NT 5.1)

comp
--------------
[system]    localhost   49295   188.172.246.189     5938        TIME_WAIT
[system]    localhost   49301   52.232.106.174      443     TIME_WAIT
lsass.exe   localhost   49302   23.62.99.57     80      ESTABLISHED
lsass.exe   localhost   49303   95.100.97.19        80      ESTABLISHED
svcc.exe    localhost   49300   169.50.154.229      5938        ESTABLISHED
svcc.exe    localhost   49304   162.241.201.229     80      ESTABLISHED

[system]    localhost   49295   at-vie-anx-p002.teamviewer.com              5938    TIME_WAIT
[system]    localhost   49301   52.232.106.174                      https   TIME_WAIT
lsass.exe   localhost   49302   a23-62-99-57.deploy.static.akamaitechnologies.com   http    ESTABLISHED
lsass.exe   localhost   49303   a95-100-97-19.deploy.static.akamaitechnologies.com  http    ESTABLISHED
svcc.exe    localhost   49300   nl-ams-ibm-r004.teamviewer.com              5938    ESTABLISHED
svcc.exe    localhost   49305   162-241-201-229.unifiedlayer.com            http    CLOSE_WAIT

proc
--------------
"C:\Users\operator\Desktop\Витяг Миколів.pdf                              .scr" /S
C:\tmp\1.exe
C:\Windows\system32\cmd.exe /C "m6u1dx.exe x -p5daab0f3137c3ec2ea276b3f269e0a07 C:\tmp\g0plvgq94xol.bmp -aoa -oC:\Users\operator\AppData\Roaming"
C:\Windows\system32\cmd.exe /C "start "" C:\Users\operator\AppData\Roaming\d4igle\svcc.exe"
"C:\Program Files\PDF\PDFXCview.exe" "C:\tmp\2.pdf"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              08.02.2019 19:43
svcc
TeamViewer 8    TeamViewer GmbH
c:\users\operator\appdata\roaming\d4igle\svcc.exe   03.06.2015 18:09

drop
--------------
C:\tmp\1.exe
C:\tmp\2.pdf
C:\Users\operator\AppData\Roaming\d4igle\ exe, dll
C:\Users\operator\AppData\Roaming\d4igle\svcc.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Desktop.exe
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_Resource_en.dll
C:\Users\operator\AppData\Roaming\d4igle\TeamViewer_StaticRes.dll
C:\Users\operator\AppData\Roaming\d4igle\x64\install.exe
C:\Users\operator\AppData\Roaming\d4igle\x86\install.exe

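Added detection example (not part of the paste, not the author's tooling): the proc, comp and persist sections above describe a chain a defender can turn into three checks - a password-protected extraction of a non-archive-looking file into AppData\Roaming, a process that is not a stock TeamViewer binary talking to the TeamViewer relay port 5938 or a *.teamviewer.com host, and a Run value whose image is signed/described as TeamViewer but lives under AppData under another name. The sample records are copied from the paste (the OneDrive Run entry is a constructed benign control); the column layout assumed for each record is documented next to its parser, and the allowlist of stock TeamViewer process names is an assumption.

```python
"""Detection checks for the renamed-TeamViewer RAT chain in the paste above.

Sample records are taken from the paste's comp / proc / persist sections.
The allowlist of stock TeamViewer binary names is an assumption.
"""
import re
from dataclasses import dataclass

TEAMVIEWER_PORT = "5938"
# Assumption: names a legitimately installed TeamViewer normally runs under.
STOCK_TEAMVIEWER_NAMES = {
    "teamviewer.exe", "teamviewer_service.exe", "teamviewer_desktop.exe",
    "tv_w32.exe", "tv_x64.exe",
}
# Directories an ordinary user can write to; a real install lives in Program Files.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)
ARCHIVE_EXT = {"7z", "zip", "rar", "cab", "gz", "tar"}


@dataclass
class Conn:
    process: str
    local_port: int
    remote: str
    remote_port: str   # numeric, or a service name such as "https"
    state: str


def parse_conn_line(line):
    """Parse one 'comp' row: proc  localhost  lport  remote  rport  state."""
    parts = line.split()
    if len(parts) != 6:
        return None
    proc, _host, lport, remote, rport, state = parts
    return Conn(proc, int(lport), remote, rport, state)


def teamviewer_beacons(lines):
    """Non-stock processes reaching port 5938 or a *.teamviewer.com host."""
    hits = []
    for line in lines:
        c = parse_conn_line(line)
        if c is None:
            continue
        tv_endpoint = (c.remote_port == TEAMVIEWER_PORT
                       or c.remote.lower().endswith(".teamviewer.com"))
        if tv_endpoint and c.process.lower() not in STOCK_TEAMVIEWER_NAMES:
            hits.append(c)
    return hits


def staged_extraction(cmdlines):
    """cmd.exe lines running a 7-Zip-style extract ('x') with a password (-p)
    of a file without an archive extension into a user-writable directory."""
    hits = []
    for cl in cmdlines:
        toks = cl.replace('"', "").split()
        if "x" not in toks:
            continue
        has_password = any(t.startswith("-p") for t in toks)
        out_dir = next((t[2:] for t in toks if t.startswith("-o")), "")
        operands = [t for t in toks[toks.index("x") + 1:] if not t.startswith("-")]
        odd_source = any(t.rsplit(".", 1)[-1].lower() not in ARCHIVE_EXT
                         for t in operands if "." in t)
        if has_password and USER_WRITABLE.search(out_dir + "\\") and odd_source:
            hits.append(cl)
    return hits


def suspicious_run_entries(entries):
    """Run values claiming to be TeamViewer that start from a user-writable
    path or under a non-TeamViewer file name.
    entries: (value_name, description, publisher, image_path)"""
    hits = []
    for name, desc, publisher, path in entries:
        exe = path.rsplit("\\", 1)[-1].lower()
        claims_tv = "teamviewer" in (desc + publisher).lower()
        if claims_tv and (USER_WRITABLE.search(path) or exe not in STOCK_TEAMVIEWER_NAMES):
            hits.append((name, path))
    return hits


# Sample records copied from the paste (comp / proc / persist sections).
SAMPLE_CONNECTIONS = [
    "[system]    localhost   49295   at-vie-anx-p002.teamviewer.com   5938    TIME_WAIT",
    "lsass.exe   localhost   49302   a23-62-99-57.deploy.static.akamaitechnologies.com   http    ESTABLISHED",
    "svcc.exe    localhost   49300   169.50.154.229      5938        ESTABLISHED",
    "svcc.exe    localhost   49304   162.241.201.229     80      ESTABLISHED",
]
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /C "m6u1dx.exe x -p5daab0f3137c3ec2ea276b3f269e0a07 C:\tmp\g0plvgq94xol.bmp -aoa -oC:\Users\operator\AppData\Roaming"',
    r'C:\Windows\system32\cmd.exe /C "start "" C:\Users\operator\AppData\Roaming\d4igle\svcc.exe"',
]
SAMPLE_RUN_ENTRIES = [
    ("svcc", "TeamViewer 8", "TeamViewer GmbH", r"c:\users\operator\appdata\roaming\d4igle\svcc.exe"),
    # Constructed benign control entry, not from the paste.
    ("OneDrive", "Microsoft OneDrive", "Microsoft Corporation",
     r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for c in teamviewer_beacons(SAMPLE_CONNECTIONS):
        print(f"[beacon] {c.process} -> {c.remote}:{c.remote_port} ({c.state})")
    for cl in staged_extraction(SAMPLE_CMDLINES):
        print(f"[staged extract] {cl}")
    for name, path in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[persistence] Run\\{name} = {path}")
```

On the paste's data the beacon check flags both the orphaned [system] socket to at-vie-anx-p002.teamviewer.com and svcc.exe on port 5938 while leaving lsass.exe's OCSP traffic alone; the extraction check fires only on the m6u1dx.exe line that unpacks the .bmp-named archive into AppData\Roaming; and the Run check reports only the svcc value, since the image is signed by TeamViewer GmbH but lives under appdata\roaming\d4igle with a non-TeamViewer name.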
# # #
https://www.virustotal.com/#/file/046621a50d4e26db3f794b13f2cea6c8c64e15a136381be405f4d8a40e19dd6e/details
https://www.virustotal.com/#/file/e770993d29bac6c6ddb1354f5e5d319aa197ca9a2e99a5459c6c9de0cc0265eb/details
https://analyze.intezer.com/#/analyses/294d6450-1b46-4e66-a2f1-6cec49d47c43
https://www.virustotal.com/#/file/5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210/details
https://analyze.intezer.com/#/analyses/478074ad-485d-44b3-8016-d3a2265661bd
https://www.virustotal.com/#/file/478c6f1d7db6aab851be5822ff5a43a1f6c138695be7073141e3068d471d5a08/details
https://www.virustotal.com/#/file/99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8/details
https://analyze.intezer.com/#/analyses/ae27b5bb-5ad7-4f5a-a211-820fd2ebe9be

VR

@