Bank_Security

SombRAT Malware IOCs

Nov 12th, 2020
Indicators of Compromise (IoCs):

Indicator | Type | Description
130fa726df5a58e9334cc28dc62e3ebaa0b7c0d637fce1a66daff66ee05a9437 | SHA256 | SombRAT x86 loader
8062e1582525534b9c52c5d9a38d6b012746484a2714a14febe2d07af02c32d5 | SHA256 | SombRAT x86 loader
d69764b22d1b68aa9462f1f5f0bf18caebbcff4d592083f80dbce39c64890295 | SHA256 | SombRAT x86 loader
f6ecdae3ae4769aaafc8a0faab30cb66dab8c9d3fff27764ff208be7a455125c | SHA256 | SombRAT x86 loader
561bf3f3db67996ce81d98f1df91bfa28fb5fc8472ed64606ef8427a97fd8cdd | SHA256 | SombRAT x86 payload (memory dump)
8323094c43fcd2da44f60b46f043f7ca4ad6a2106b6561598e94008ece46168b | SHA256 | SombRAT x86 payload
ee0f4afee2940bbe895c1f1f60b8967291a2662ac9dca9f07d9edf400d34b58a | SHA256 | SombRAT x86 payload (UPX)
70d63029c65c21c4681779e1968b88dc6923f92408fe5c7e9ca6cb86d7ba713a | SHA256 | SombRAT encoded payload (x64)
79009ee869cec789a3d2735e0a81a546b33e320ee6ae950ba236a9f417ebf763 | SHA256 | SombRAT decoded payload (x64)
d8189ebdec637fc83276654635343fb422672fc5e3e2818df211fb7c878a3155 | SHA256 | Payload stager
fa74f70baa15561c28c793b189102149d3fb4f24147adc5efbd8656221c0960b | SHA256 | GO-socks5 proxy
c0db3dadf2e270240bb5cad8a652e5e11e3afe41b8ee106d67d47b06f5163261 | SHA256 | Pcheck proxy
6df8271ae0380737734b2dd6d46d0db3a30ba35d7379710a9fb05d1510495b49 | SHA256 | Pcheck proxy
7424d6daab8407e85285709dd27b8cce7c633d3d4a39050883ad9d82b85198bf | SHA256 | Pscan port scanner
svolcdst.exe | Filename | SombRAT loader
tunnusvcen.exe | Filename | SombRAT loader
C:\Projects\Sombra\_Bin\x64\Release\Sombra.pdb | PDB path | SombRAT x64
C:\Wokrflow\CostaRicto\Release\CostaBricks.pdb | PDB path | SombRAT loader
%HOSTNAME%UI724 | Mutex | Run-once mutex
%HOSTNAME%SUI724 | Mutex | Run-once mutex
sbibd[.]net | Domain | SombRAT C2
infosportals[.]com | Domain | SombRAT C2
akams[.]in | Domain | SombRAT C2
newspointview[.]com | Domain | SombRAT C2
159.65.31.84 | IP | SombRAT hosting place
212.83.61.227 | IP | sbibd[.]net
144.217.53.146 | IP | sbibd[.]net, akams[.]in, infosportals[.]com
45.89.175.206 | IP | akams[.]in
45.138.172.54 | IP | newspointview[.]com
212.114.52.98 | IP | infosportals[.]com

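The table above lists the indicators in defanged form and with a %HOSTNAME% placeholder in the mutex names. The following script is an added example (not part of the original paste) that turns those values into something a defender can actually run against telemetry: it refangs the domains, expands the mutex templates for a given host, and matches constructed DNS and proxy log lines against the C2 domains and IPs. The indicator values are copied from the table; the log formats, hostnames and log lines are constructed for the demonstration and are not real telemetry. Note the subdomain check: a plain substring test would also flag a lookalike such as notsbibd.net, which this does not.

```python
"""Operationalise the network and host IoCs listed above.

Added example, not part of the original paste: the indicator values are
copied from the IoC table; the log lines, hostnames and log formats below are
constructed for the demonstration and are not real telemetry.
"""
import re
from ipaddress import ip_address

# Network indicators exactly as the table lists them (domains are defanged).
DEFANGED_C2_DOMAINS = ["sbibd[.]net", "infosportals[.]com", "akams[.]in", "newspointview[.]com"]
C2_IPS = ["159.65.31.84", "212.83.61.227", "144.217.53.146",
          "45.89.175.206", "45.138.172.54", "212.114.52.98"]
# Run-once mutex templates from the table; %HOSTNAME% is filled in by the malware.
MUTEX_TEMPLATES = ["%HOSTNAME%UI724", "%HOSTNAME%SUI724"]


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared against live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """Exact or subdomain match (case-insensitive, trailing dot tolerated).
    A plain substring test would also flag e.g. 'notsbibd.net'; this does not."""
    qname = qname.lower().rstrip(".")
    return qname == ioc_domain or qname.endswith("." + ioc_domain)


def expected_mutexes(hostname: str) -> list:
    """Expand the %HOSTNAME% templates into the exact names to look for on one host."""
    return [t.replace("%HOSTNAME%", hostname) for t in MUTEX_TEMPLATES]


C2_DOMAINS = [refang(d) for d in DEFANGED_C2_DOMAINS]
C2_IP_SET = {ip_address(ip) for ip in C2_IPS}

# Two constructed log shapes (assumed formats, not a real product's):
#   "<ts> dns query <client> <qname>"
#   "<ts> proxy <client> -> <dst_ip>:<port>"
DNS_RE = re.compile(r"^\S+ dns query (\S+) (\S+)$")
PROXY_RE = re.compile(r"^\S+ proxy (\S+) -> (\S+):(\d+)$")


def check_line(line: str):
    """Return (matched_indicator, kind) if the line touches a listed C2, else None."""
    m = DNS_RE.match(line)
    if m:
        _client, qname = m.groups()
        for d in C2_DOMAINS:
            if domain_matches(qname, d):
                return (d, "domain")
        return None
    m = PROXY_RE.match(line)
    if m:
        _client, dst, _port = m.groups()
        try:
            if ip_address(dst) in C2_IP_SET:
                return (dst, "ip")
        except ValueError:  # destination is not an IP literal (e.g. a hostname)
            return None
    return None


def scan(lines):
    """All (line, hit) pairs for lines that match an indicator."""
    hits = []
    for line in lines:
        hit = check_line(line)
        if hit:
            hits.append((line, hit))
    return hits


# Constructed sample log: two true hits, one lookalike domain that must not match.
SAMPLE_LOG = [
    "2020-11-12T10:00:01Z dns query 10.0.0.5 www.example.com",
    "2020-11-12T10:00:02Z dns query 10.0.0.5 api.sbibd.net.",
    "2020-11-12T10:00:03Z dns query 10.0.0.9 notsbibd.net",
    "2020-11-12T10:00:04Z proxy 10.0.0.7 -> 144.217.53.146:443",
    "2020-11-12T10:00:05Z proxy 10.0.0.7 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for line, (ioc, kind) in scan(SAMPLE_LOG):
        print(f"{kind:6} {ioc:20} <- {line}")
    print("mutexes to check on host WS01:", expected_mutexes("WS01"))
```

The IP-to-domain rows of the table are not used for matching here; they are resolution context, and the IPs themselves are matched directly. In practice the same check would be fed by a real DNS or proxy export, with the two regexes replaced by that product's parser.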
MITRE ATT&CK:

Tactic | ID | Name | Description
Initial Access | T1078 | Valid Accounts | Suspected initial compromise using stolen credentials
Execution | T1106 | Execution through API | SombRAT - C2 command
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | Used to download SombRAT loader
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Used to load x64 SombRAT
Defence Evasion | T1055 | Process Injection | Invoke-ReflectivePEInjection PowerSploit module
Defence Evasion | T1140 | Deobfuscate/Decode Files or Information | SombRAT - Decode strings and custom storage data
Discovery | T1057 | Process Discovery | SombRAT - C2 command
Discovery | T1082 | System Information Discovery | SombRAT - C2 command
Discovery | T1124 | System Time Discovery | SombRAT - C2 command
Discovery | T1046 | Network Service Scanning | pscan, nmap
Collection | T1560.003 | Archive Collected Data: Archive via Custom Method | SombRAT - Custom storage file
Command and Control | T1572 | Protocol Tunneling | SombRAT - DNS tunnelling for C2
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SombRAT - HTTP for C2
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | SombRAT - RSA for C2 encryption
Command and Control | T1090.002 | Proxy: External Proxy | pcheck HTTP/S proxy, GO SOCKS5 proxy, PuTTY
Exfiltration | T1041 | Exfiltration Over C2 Channel | SombRAT

YARA Hunting Rules:

import "pe"
import "hash"

rule costaricto_vm_dropper
{
    meta:
        description = "Rule to detect SombRAT loader by code similarity"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    strings:
        // vm class name
        $classname = "VMBASERUNNER" ascii wide nocase

        // start of vm bytecode
        $vmbytecode = {37C7359438C73594}

        // start of encrypted payload
        $encpayload_1 = {77D2C7AC59B2EB0DF37028AC950971FB}

        // binary string from enc payload (some payloads differ only in the header)
        // kept on a single line: the paste had wrapped it in the middle of a byte, which breaks the hex string
        $encpayload_2 = {06359D29C83125C321C201CF9AE7D1626B8F4281C33617EECE86BD106C628FE593936F00C2C68E28843BE5374F876840FCD1BFD014D5DEFF4BA8EB6A5FFFB24F932138B04C1BE6D5BD8BB572B8116799AE1C8F0D5DB774ABA4884B9E706981FC3740B4CD891F8A0EA6900D41B675CFC98A}

        // vm execution loop
        $vmcode_1 = {8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 74 4E 83 ?? ?? 08 8D ?? ?? 8B ?? ?? 8D ?? 01 89 ?? 8B ?? ?? 66 83 ?? 08 00 75 28 8B ?? ?? 8D ?? 04 5? 5? E8 ?? ?? FF FF 8B ?? ?? 83 ?? 0C 5? 8B ?? 0C 89 ?? 5? FF ?? 14 83 C4 08 8B ?? 8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 89 ?? 75 B9}

        // vm execution loop (sample from Nov 2019)
        $vmcode_2 = {8B ?? 4? 89 ?? 8B ?? 08 8B ?? 88 33 ?? 66 39 ?? 08 75 19 8D ?? 04 5? 8D ?? 08 E8 ?? ?? 00 00 8B ?? 8D ?? 0C 5? 5? FF ?? 5? 5? 8B ?? 8B ?? 0C 2B ?? 08 C1 ?? 02 3B ?? 75 C7}

    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}

rule costaricto_vm_dropper_pdb_path
{
    meta:
        description = "Rule to detect samples with CostaRicto PDB path"
        author = "BlackBerry Threat Hunting and Intelligence Team"
        pdb_string = "C:\\Wokrflow\\CostaRicto\\Release\\CostaBricks.pdb"

    strings:
        $a = "CostaRicto" ascii wide nocase
        $b = "CostaBricks.pdb" ascii wide nocase
        $c1 = "C:\\Wokrflow\\" ascii wide nocase
        $c2 = "Release" ascii wide nocase
        $c3 = ".pdb" ascii wide nocase

    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b or all of ($c*))
}

rule costaricto_sobmrat_pdb_path
{
    meta:
        description = "Rule to detect samples with SombRAT PDB path"
        author = "BlackBerry Threat Hunting and Intelligence Team"
        pdb_string = "C:\\Projects\\Sombra\\_Bin\\x64\\Release\\Sombra.pdb"
        pdb_string_2 = "c:\\projects\\sombra\\libraries"

    strings:
        $a = "\\Projects\\Sombra\\" ascii wide nocase
        $b = "Sombra.pdb" ascii wide nocase

    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b)
}

rule costaricto_backdoored_blink
{
    meta:
        description = "Rule to detect backdoored Blink application"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    strings:
        $a1 = "Failed to open target application process!"
        $a2 = "Machine architecture mismatch between target application and this application!"
        $a3 = "Failed to create new communication pipe!"
        $b = "Plauger, licensed by Dinkumware, Ltd."

    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 50KB and ($b and 1 of ($a*))
}

rule costaricto_rich_header
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    condition:
        pe.rich_signature.toolid(0xf1, 40116) and
        pe.rich_signature.toolid(0xf3, 40116) and
        pe.rich_signature.toolid(0xf2, 40116) and
        pe.rich_signature.toolid(0x105, 26706) and
        pe.rich_signature.toolid(0x104, 26706) and
        pe.rich_signature.toolid(0x103, 26706) and
        pe.rich_signature.toolid(0x93, 30729) and
        pe.rich_signature.toolid(0x109, 27023) and
        pe.rich_signature.toolid(0xff, 27023) and
        pe.rich_signature.toolid(0x97, 0) and
        pe.rich_signature.toolid(0x102, 27023)
}

rule costaricto_rich_header_august
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    condition:
        pe.rich_signature.toolid(0xf1, 40116) and
        pe.rich_signature.toolid(0xf2, 40116) and
        pe.rich_signature.toolid(0xf3, 40116) and
        pe.rich_signature.toolid(0x102, 26428) and
        pe.rich_signature.toolid(0x103, 26131) and
        pe.rich_signature.toolid(0x104, 26131) and
        pe.rich_signature.toolid(0x105, 26131) and
        pe.rich_signature.toolid(0x103, 26433) and
        pe.rich_signature.toolid(0x104, 26433) and
        pe.rich_signature.toolid(0x109, 26428) and
        pe.rich_signature.toolid(0x93, 30729) and
        pe.rich_signature.toolid(0xff, 26428)
}

rule costaricto_rich_xor_key
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    condition:
        // x86 droppers
        pe.rich_signature.key == 0x2e8d923f or
        pe.rich_signature.key == 0x97d94c45 or

        // x86 payload
        pe.rich_signature.key == 0xef257087 or
        pe.rich_signature.key == 0x4f257087 or
        pe.rich_signature.key == 0x1e816e7e or

        // x64 payload
        pe.rich_signature.key == 0xd1e5ae6c or
        pe.rich_signature.key == 0x5df9c60b
}

rule costaricto_sombrat_unpacked
{
    meta:
        description = "Rule to detect unpacked SombRAT backdoor"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    strings:
        // class names
        $a1 = "PEHeadersBackup"
        $a2 = "PeLoaderDummy"
        $a3 = "PeLoaderLocal"
        $a4 = "PeLoaderBaseClass"
        $a5 = "PDTaskman"
        $a6 = "PDMessageParamArray"
        $a7 = "NetworkDriverLayerWebsockets"
        $a8 = "NetworkDriverLayerDNSReader"
        $a9 = "WaitForPluginIOCPFullyClosed"

        // substitution-encrypted strings
        $b1 = "~ydcv{{rs{~|r" // installedlike
        $b2 = "~yg{vcqxez" // winplatform
        $b3 = "~yqxezvc~xyvttrgcrs" // informationaccepted
        $b4 = "xvsqexzdcxevpr" // loadfromstorage
        $b5 = "xvsqexzzrzxen" // loadfrommemory
        $b7 = "xgrydcxevpr" // openstorage
        $b8 = "g{bp~y{xvstxzg{rcr" // pluginloadcomplete
        $b9 = "g{bp~yby{xvs" // pluginunload

        // AES-encrypted strings
        $c1 = {44 5B 7F 52 0C 13 52 1A 16 45 4C 75 65 72 60 53}

        // RSA public key
        $d1 = {EF C9 77 B9 A3 8E 48 92 77 C8 E1 E1 0C 46 35 2B}

    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}

rule costaricto_pcheck_proxy
{
    meta:
        description = "Rule to detect a custom proxy tool related to the CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    strings:
        $a = "exe.exe host host_port proxy_host proxy_port"
        $b = "Tool jobs done"

    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and ($a or $b)
}

rule costaricto_pscan_port_scanner
{
    meta:
        description = "Rule to detect a custom port scanner tool related to the CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"

    strings:
        $a1 = "Invalid arguments count (ver "
        $a2 = "Example: ./pscan"
        $a3 = "127-130.0.0.1"
        $b1 = "[output.txt]"
        $b2 = "Invalid ip address range"

    condition:
        // the string alternatives are grouped so the PE/size guard applies to both branches
        // (unparenthesised, 'and' binds tighter than 'or' and the $b branch would match any file)
        uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and (any of ($a*) or all of ($b*))
}
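The costaricto_sombrat_unpacked rule above lists "substitution-encrypted" strings with their plaintext in trailing comments. The script below is an added example (not part of the paste or of BlackBerry's rules) that derives the encoding from those pairs and decodes them, so an analyst can decode other strings pulled from a sample rather than rely on the comments. The ciphertext/comment pairs are copied from the rule's $b strings; the key derivation and decoder are this editor's reconstruction from them. Every pair whose lengths match is explained by a single-byte XOR with 0x17, which as a fixed per-character mapping is exactly a substitution table, and one that is its own inverse. A caveat the code makes visible: $b2, $b4 and $b5 are one character shorter than their comments and decode to the comment minus its first letter, so for those three the comment is a label, not the literal plaintext of the bytes being searched for.

```python
"""Decode the "substitution-encrypted" strings from rule costaricto_sombrat_unpacked.

Added example, not part of the original paste or of BlackBerry's rules. The
ciphertext/comment pairs are copied from the rule's $b strings; the key
derivation and the decoder are this editor's reconstruction from those pairs.
"""

# (string as written in the rule, plaintext given in the rule's trailing comment)
RULE_STRINGS = [
    ("~ydcv{{rs{~|r", "installedlike"),
    ("~yg{vcqxez", "winplatform"),
    ("~yqxezvc~xyvttrgcrs", "informationaccepted"),
    ("xvsqexzdcxevpr", "loadfromstorage"),
    ("xvsqexzzrzxen", "loadfrommemory"),
    ("xgrydcxevpr", "openstorage"),
    ("g{bp~y{xvstxzg{rcr", "pluginloadcomplete"),
    ("g{bp~yby{xvs", "pluginunload"),
]


def derive_single_byte_xor_key(ciphertext: str, plaintext: str):
    """The single byte k with ord(c) ^ k == ord(p) at every position, or None when
    the pair is not explained by one key (a length mismatch counts as not explained)."""
    if len(ciphertext) != len(plaintext):
        return None
    keys = {ord(c) ^ ord(p) for c, p in zip(ciphertext, plaintext)}
    return keys.pop() if len(keys) == 1 else None


def xor_decode(text: str, key: int) -> str:
    """Apply the per-character XOR; XOR with a constant is its own inverse,
    so the same call also encodes."""
    return "".join(chr(ord(ch) ^ key) for ch in text)


def substitution_table(key: int) -> dict:
    """The equivalent fixed substitution over printable ASCII (what the rule's
    comment calls 'substitution-encrypted'): each character maps to one other."""
    return {chr(c): chr(c ^ key) for c in range(0x20, 0x7F)}


def analyse(pairs=RULE_STRINGS):
    """Derive the key from the pairs that line up, require them to agree, then decode
    every string and record whether the comment is an exact decode or only a label."""
    keys = {derive_single_byte_xor_key(ct, pt) for ct, pt in pairs} - {None}
    if len(keys) != 1:
        raise ValueError(f"pairs disagree on the key: {sorted(keys)}")
    key = keys.pop()
    rows = []
    for ct, comment in pairs:
        decoded = xor_decode(ct, key)
        rows.append({
            "cipher": ct,
            "decoded": decoded,
            "comment": comment,
            "exact": decoded == comment,
            # rule string shorter than the comment: the comment is a label,
            # not the literal plaintext of the bytes the rule searches for
            "suffix_only": decoded != comment and comment.endswith(decoded),
        })
    return key, rows


if __name__ == "__main__":
    key, rows = analyse()
    print(f"single-byte XOR key derived from the rule's pairs: 0x{key:02x}")
    for r in rows:
        if r["exact"]:
            flag = "exact"
        elif r["suffix_only"]:
            flag = "comment minus its first character"
        else:
            flag = "MISMATCH"
        print(f"{r['cipher']:22} -> {r['decoded']:20} ({flag})")
```

Running the script prints the key and one line per rule string; with the key in hand, xor_decode can be applied to any other string of the same style recovered from a sample under analysis, and encoding a plaintext of interest with the same function gives the byte pattern to add to a rule.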