cs0sf

SangforSSL April2020

Apr 16th, 2020

Title: Fake Sangfor SSL VPN client (SangforUD.EXE) leveraged in an unattributed APT campaign

References:

  • http://www.hackdig.com/04/hack-81219.htm
  • http://blog.nsfocus.net/sslvpn-0407/
  • https://mp.weixin.qq.com/s/lKp_3kPNEycXqfCnVPxoDw

Affected Versions (Sangfor SSL VPN):

  • M6.3R1
  • M6.1

Indicators of Compromise

Type  | Indicator
C2 IP | 103.216.221.19

Filename | MD5 | Size (bytes)
SangforUD.EXE | a32e1202257a2945bf0f878c58490af8 | 434688
SangforUD.EXE | 967fcf185634def5177f74b0f703bdc0 | 428032
SangforUD.EXE | c5d5cb99291fa4b2a68b5ea3ff9d9f9a | 437760
e58b8de07372b9913ca2fbd3b103bb8f.virus | e58b8de07372b9913ca2fbd3b103bb8f | (not given)
m.exe | 429be60f0e444f4d9ba1255e88093721 | 5772288
93e9383ae8ad2371d457fc4c1035157d887a84bbfe66fbbb3769c5637de59c75 (filename is the sample's SHA-256) | 18427cdcb5729a194954f0a6b5c0835a | 5772288
SANARISOR.EXE | a93ece16bf430431f9cae0125701f527 | 610304

Commands Executed (host and domain discovery)

systeminfo.exe
ipconfig.exe /all
cmd.exe /c set
net.exe user
HOSTNAME.EXE
net.exe user /domain
net.exe group /domain
tasklist.exe /V
whoami.exe /all
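The hashes, C2 address and command list above are directly huntable in endpoint telemetry. The following is an added example, not part of the original paste: it takes JSON-lines process-creation and network-connection events with Sysmon-style field names (the log format, host names, timestamps and thresholds are constructed assumptions), flags any process whose MD5 is in the list above or any connection to the C2 IP, and flags a host that runs several different discovery commands from the list inside a short window, since a single ipconfig /all is normal administration but this whole cluster in a couple of minutes is not.

```python
"""Hunt for the indicators and the discovery-command cluster listed in the paste.

Added example. The indicators are copied from the page; the log format, host
names, timestamps and the alert thresholds are constructed assumptions.
"""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

C2_IP = "103.216.221.19"

IOC_MD5 = {
    "a32e1202257a2945bf0f878c58490af8",  # SangforUD.EXE
    "967fcf185634def5177f74b0f703bdc0",  # SangforUD.EXE
    "c5d5cb99291fa4b2a68b5ea3ff9d9f9a",  # SangforUD.EXE
    "e58b8de07372b9913ca2fbd3b103bb8f",  # e58b8de0...bb8f.virus
    "429be60f0e444f4d9ba1255e88093721",  # m.exe
    "18427cdcb5729a194954f0a6b5c0835a",  # 93e9383a...59c75
    "a93ece16bf430431f9cae0125701f527",  # SANARISOR.EXE
}

# (image basename, argument tokens) for each entry in the "Commands Executed" list.
DISCOVERY_COMMANDS = [
    ("systeminfo.exe", ""),
    ("ipconfig.exe", "/all"),
    ("cmd.exe", "/c set"),
    ("net.exe", "user"),
    ("hostname.exe", ""),
    ("net.exe", "user /domain"),
    ("net.exe", "group /domain"),
    ("tasklist.exe", "/v"),
    ("whoami.exe", "/all"),
]


def parse_hashes(hashes_field):
    """Turn a Sysmon-style 'SHA1=...,MD5=...' string into {algorithm: lowercase hex}."""
    pairs = (p.split("=", 1) for p in hashes_field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}


def classify_discovery(image_basename, command_line):
    """Return the index of the best-matching DISCOVERY_COMMANDS entry, or None.

    Arguments are matched as whitespace-delimited tokens, so 'cmd.exe /c setup.exe'
    does not match 'cmd.exe /c set'. When several patterns match the same image
    ('net user' vs. 'net user /domain') the most specific one wins.
    """
    padded = " " + " ".join(command_line.lower().split()) + " "
    best = None
    for idx, (image, args) in enumerate(DISCOVERY_COMMANDS):
        needle = f" {args} " if args else " "
        if image_basename.lower() == image and needle in padded:
            if best is None or len(args) > len(DISCOVERY_COMMANDS[best][1]):
                best = idx
    return best


def analyze(log_text, window=timedelta(minutes=10), min_distinct=4):
    """Scan JSON-lines events: EventID 1 = process creation, EventID 3 = network connection."""
    hash_hits, c2_hosts, per_host = [], set(), defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        host, image = ev["Computer"], ntpath.basename(ev.get("Image", ""))
        if ev["EventID"] == 3:
            if ev.get("DestinationIp") == C2_IP:
                c2_hosts.add(host)
            continue
        md5 = parse_hashes(ev.get("Hashes", "")).get("MD5")
        if md5 in IOC_MD5:
            hash_hits.append((host, image, md5))
        idx = classify_discovery(image, ev.get("CommandLine", ""))
        if idx is not None:
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            per_host[host].append((when, idx))
    # A host is flagged when it runs at least min_distinct different discovery
    # commands inside one sliding window; isolated admin commands stay quiet.
    recon_hosts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {idx for when, idx in events[i:] if when - start <= window}
            if len(seen) >= min_distinct:
                recon_hosts[host] = sorted(
                    f"{DISCOVERY_COMMANDS[k][0]} {DISCOVERY_COMMANDS[k][1]}".strip() for k in seen)
                break
    return {"hash_hits": hash_hits, "c2_hosts": sorted(c2_hosts), "recon_hosts": recon_hosts}


# Constructed sample telemetry (Sysmon-like field names); not real captured data.
SAMPLE_LOG = r'''
{"EventID": 1, "UtcTime": "2020-04-10 09:12:03", "Computer": "WS01", "Image": "C:\\Users\\u\\Downloads\\SangforUD.EXE", "CommandLine": "SangforUD.EXE", "Hashes": "MD5=A32E1202257A2945BF0F878C58490AF8"}
{"EventID": 3, "UtcTime": "2020-04-10 09:12:09", "Computer": "WS01", "Image": "C:\\Users\\u\\Downloads\\SangforUD.EXE", "DestinationIp": "103.216.221.19"}
{"EventID": 1, "UtcTime": "2020-04-10 09:13:01", "Computer": "WS01", "Image": "C:\\Windows\\System32\\systeminfo.exe", "CommandLine": "systeminfo"}
{"EventID": 1, "UtcTime": "2020-04-10 09:13:04", "Computer": "WS01", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig  /all"}
{"EventID": 1, "UtcTime": "2020-04-10 09:13:10", "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c set"}
{"EventID": 1, "UtcTime": "2020-04-10 09:13:15", "Computer": "WS01", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user /domain"}
{"EventID": 1, "UtcTime": "2020-04-10 09:13:20", "Computer": "WS01", "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"}
{"EventID": 1, "UtcTime": "2020-04-10 10:00:00", "Computer": "WS02", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"}
{"EventID": 1, "UtcTime": "2020-04-10 11:30:00", "Computer": "WS02", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user"}
'''

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, WS01 is reported three ways (IoC hash, C2 connection, five distinct discovery commands within 19 seconds) while WS02, which ran two of the commands 90 minutes apart, is not. The hash match is the weakest signal: the three SangforUD.EXE samples already differ by MD5, so treat the command-cluster rule as the durable detection and the hashes as confirmation.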