MAR-10382580.r2.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
cisa
2022-07-11T12:39:56-04:00
BMachine
87
7.1.0
('0x284253', '')
('0x284fe3', 'Composition')
('0x285073', 'Sfwr\\irsf\\i')
('0x28507c', 'otaeMcootW')
('0x285484', 'Monitor%d[%d*%d]')
('0x28b280', 'DeleteObject')
('0x28b400', 'KERNEL32.dll')
('0x28b4a0', 'KERNEL32.dll')
('0x28b6d0', 'Advapi32.dll')
('0x28cdc0', 'KERNEL32.dll')
('0x28d230', 'ExitProcess')
('0x28d270', 'KERNEL32.dll')
('0x28d3b0', 'GetTempPathW')
('0x28d3f0', 'KERNEL32.dll')
('0x28d4a0', 'PathCombineW')
('0x28d4e0', 'SHLWAPI.dll')
--End Decoded Strings--
ilasvc.exe
1056768
PE32+ executable (GUI) x86-64, for MS Windows
MD5
05d38bc82d362dd57190e3cb397f807d
SHA1
52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256
4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
SHA512
d03894ad9ce7a5f0e58a5e6385926263507f2571e3cbe60fce1ed5463a77152a7779d8b494ee7a6ff4986de19c0a92cbcc8dae5697d69dc196c474723ee553ef
SSDEEP
24576:mStdBO8/kIH46+jHd3JURkxXH3rg9fNJa9y5xmDYzgLu8b7oCK:mST2+qXHbg91Ja9y5MOgL3K
7.599564
7
2020-04-30 19:43:57-04:00
1024
MD5
a917582fc3e796bb1d43bfce05c0cfb3
3.105665
Sysinternals - www.sysinternals.com
Flush cached data to disk.
2.2
Sync
Copyright (C) 2016 Mark Russinovich
Sync.exe
Sysinternals Sync
2.2
.text
310784
6.453454
MD5
5fbd29958a5484173910cb06dcfc4e9e
.rdata
98304
5.168254
MD5
34b6e6a847957ef90ef9460e0f8dd3d0
.data
3584
2.609738
MD5
e32c1166142d325350f6e6443db43144
.pdata
18432
5.804487
MD5
ffc4ab2046acad015eba98898e975ad5
.rsrc
622080
7.975998
MD5
502485fa11633b4eb9eaef15fcb482a5
.reloc
2560
4.913641
MD5
69687e4a3ffbefbe782d13637ce8605a
Connected_To
Characterized_By: Figure 1, Figure 2, Figure 3, Figure 4, Figure 5, Figure 6, Figure 7, Figure 8
151.106.30.120
Connected_From
Related_To
443
TCP
% Abuse contact for '151.106.30.0 - 151.106.30.255' is 'pivps.com@gmail.com'
inetnum: 151.106.30.0 - 151.106.30.255
netname: VELIANET-FR-PINETLLC
descr: Pi NET, LLC
country: FR
org: ORG-PNL20-RIPE
admin-c: PNL16-RIPE
tech-c: PNL16-RIPE
status: LEGACY
remarks: ticket.velia.net 110128
notify: hostmaster@velia.net
mnt-by: FGK-MNT
created: 2018-04-24T19:17:51Z
last-modified: 2018-04-24T19:17:51Z
source: RIPE
organisation: ORG-PNL20-RIPE
org-name: Pi NET, LLC
org-type: OTHER
address: No 74, Tang Thiet Giap, Co Nhue
address: Tu Liem
address: 100000 Hanoi
address: Viet Nam
phone: +84 977471775
e-mail: pivps.com@gmail.com
admin-c: PNL16-RIPE
tech-c: PNL16-RIPE
abuse-c: PNL16-RIPE
mnt-ref: FGK-MNT
mnt-by: FGK-MNT
created: 2017-09-07T11:08:29Z
last-modified: 2017-09-07T11:08:29Z
source: RIPE
role: Pi NET, LLC
address: No 74, Tang Thiet Giap, Co Nhue
address: Tu Liem
address: 100000 Hanoi
address: Viet Nam
phone: +84 977471775
e-mail: pivps.com@gmail.com
nic-hdl: PNL16-RIPE
mnt-by: FGK-MNT
created: 2017-09-07T11:08:29Z
last-modified: 2017-09-07T11:08:29Z
source: RIPE
abuse-mailbox: pivps.com@gmail.com
route: 151.106.0.0/19
descr: velia.net
origin: AS29066
notify: hostmaster@velia.net
mnt-by: FGK-MNT
created: 2017-11-03T11:55:17Z
last-modified: 2017-11-03T11:55:17Z
source: RIPE
CISA_Consolidated.yara: CISA_10382580_03
Malware Artifacts
MD5
05d38bc82d362dd57190e3cb397f807d
SHA1
52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256
4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
NCCIC
http://plusvic.github.io/yara/
NCCIC
2022-07-11T19:42:59+00:00
Malicious IP
IP Watchlist
151.106.30.120
NCCIC
2022-07-11T19:43:00+00:00
MAEC Characterization of 05d38bc82d362dd57190e3cb397f807d
IKARUS
Trojan.Win64.Injector
ESET
a variant of Win64/Injector.HA.gen trojan
remote-access-trojan
trojan
command-and-control
10382580.r2.v1
Malicious Code
Malicious Artifact Detected