- #IOC #OptiData #VR #cve_2017_11882 #EQNEDT32.EXE #AgentTesla #SMTP
- https://pastebin.com/nVTHh0rE
- previous_contact:
- 05/09/23 https://pastebin.com/fTQi4LSs
- 22/08/22 https://pastebin.com/3JGCE5hN
- 25/02/21 https://pastebin.com/YCVjJ8A6
- 10/02/21 https://pastebin.com/9JXvM5ix
- 07/12/20 https://pastebin.com/20AVUqZ6
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- attack_vector
- --------------
- email attach .doc (RTF) > OLE (CVE-2017-11882, EQNEDT32.EXE) > GET .exe > exfil by SMTP 587
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: 16 Jan 2024 08:16:30 -0800
- Subject: RE: ADVANCE TT SLIP // DECEMBER 2023 SOA PAYMENT
- From: Zoey wen <zoey_wen@unifelix.com>
- Received: from unknown (HELO unifelix.com) ([38.154.207.220])
- Message-ID: <20240116081630.E8FACCD2BCF942A7@unifelix.com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 b05e4eb783c9785bbd7d9453609d23379f5bab8d5e09e00b75b634146e8bdb76
- File name PROFORMA SOA.doc [ Rich Text Format data, version 1 ]
- File size 316.57 KB (324168 bytes)
- SHA-256 c99591e2e00cc7625f8b8af1eeb04b19b76e5b44f74669fe6b899fbc7b201f6b
- File name alphazx.exe [ PE32 executable, .NET executable ]
- File size 565.50 KB (579072 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR civil_topendpower_top /_errorpages /alphazx.exe
- C2 mail_kp_gov_pk : 587 [103_240_220_37]
- netwrk
- --------------
- 104_21_8_130 civil_topendpower_top 80 HTTP GET /_errorpages/alphazx.exe HTTP/1.1 Mozilla/4.0
- 208_95_112_1 ip-api_com 80 HTTP GET /line/?fields=hosting HTTP/1.1
- 103_240_220_37 mail_kp_gov_pk 587 SMTP TLSv1.2 Client Hello
- comp
- --------------
- EQNEDT32.EXE 104_21_8_130 80 ESTABLISHED
- alpha28464.exe 208_95_112_1 80 ESTABLISHED
- alpha28464.exe 103_240_220_37 587 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
- {another_context}
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- C:\Users\operator\AppData\Roaming\alpha28464.exe
- C:\Users\operator\AppData\Roaming\alpha28464.exe
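A detection check built from the comp and proc sections above, added here as an example and not code from the paste: it flags EQNEDT32.EXE making any network connection (Equation Editor has no legitimate reason to open sockets) and a binary running from AppData\Roaming talking to a mail-submission port, which is the AgentTesla SMTP exfil pattern. The sample records are constructed to mirror the sections above.

```python
import re
from dataclasses import dataclass
# Constructed sample records in the same shape as the "comp" section
# (process, defanged remote IP, port, state); not from the paste itself.
SAMPLE_COMP = """\
EQNEDT32.EXE 104_21_8_130 80 ESTABLISHED
alpha28464.exe 208_95_112_1 80 ESTABLISHED
alpha28464.exe 103_240_220_37 587 ESTABLISHED
WINWORD.EXE 104_21_8_130 443 ESTABLISHED
"""
# Constructed process-name -> image-path map, mirroring the "proc" section.
SAMPLE_PROC = {
    "EQNEDT32.EXE": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "alpha28464.exe": r"C:\Users\operator\AppData\Roaming\alpha28464.exe",
    "WINWORD.EXE": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
}
# Equation Editor only renders OLE math objects; any socket from it is a CVE-2017-11882 signal.
NO_NETWORK_IMAGES = {"EQNEDT32.EXE"}
MAIL_PORTS = {25, 465, 587}
LINE_RE = re.compile(r"^(\S+)\s+(\d+_\d+_\d+_\d+)\s+(\d+)\s+(\w+)$")

@dataclass
class Conn:
    process: str
    remote_ip: str
    port: int
    state: str

def parse_comp(text):
    """Parse defanged connection lines; restores the dots in the remote IP."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(Conn(m.group(1), m.group(2).replace("_", "."), int(m.group(3)), m.group(4)))
    return conns

def find_suspicious(conns, proc_images):
    """Return (process, reason) pairs for the two behaviours seen in this infection chain."""
    findings = []
    for c in conns:
        image = proc_images.get(c.process, "").lower()
        if c.process.upper() in NO_NETWORK_IMAGES:
            findings.append((c.process, f"equation editor connected to {c.remote_ip}:{c.port}"))
        elif "\\appdata\\roaming\\" in image and c.port in MAIL_PORTS:
            findings.append((c.process, f"AppData binary sending mail to {c.remote_ip}:{c.port}"))
    return findings
```

The same two rules map directly onto EDR telemetry (process image plus network connection events); the port-80 download by alpha28464.exe is deliberately not flagged, since that needs a reputation or proxy-log check rather than a behavioural one.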
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\Temporary Internet Files\Content.IE5\5R2UONLM\alphazx[1].htm
- C:\Users\operator\AppData\Roaming\alpha28464.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- {
- "Exfil Mode": "SMTP",
- "Port": "587",
- "Host": "mail_kp_gov_pk",
- "Username": "schedule-iv.hta@kp.gov.pk",
- "Password": "Police1@home"
- }
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/b05e4eb783c9785bbd7d9453609d23379f5bab8d5e09e00b75b634146e8bdb76/details
- https://analyze.intezer.com/analyses/a60cb8b5-b276-465f-b6f1-df56df180c2f
- https://www.virustotal.com/gui/file/c99591e2e00cc7625f8b8af1eeb04b19b76e5b44f74669fe6b899fbc7b201f6b/details
- https://analyze.intezer.com/analyses/a60cb8b5-b276-465f-b6f1-df56df180c2f/sub/c8b2afcc-9097-4eb1-bf59-101d86acce7f
- VR