- Virustotal Link:
- https://www.virustotal.com/#/file/fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e/details
- Sandbox Sessions:
- https://app.any.run/tasks/050e2570-c079-4258-8906-e642ec34a790
- https://cape.contextis.com/analysis/29783/
- https://sandbox.pikker.ee/analysis/884371/summary/
- https://www.hybrid-analysis.com/sample/fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e
- https://www.joesandbox.com/analysis/103265/0/html
- https://app.sndbox.com/sample/1a8c812f-a596-4565-870e-1f3260364bcc/static
- Intezer Analysis:
- https://analyze.intezer.com/#/analyses/89e5ccce-9e50-4fe8-a1c7-ef94ca3cff50
- Potential Packer:
- Armadillo v1.71
- YARA Hits:
- CN_disclosed_20180208_Mal1 - Detects malware from disclosed CN malware set
- ZxShell_Related_Malware_CN_Group_Jul17_2 - Detects a ZxShell related sample from a CN threat group
- Backdoor_Nitol_Jun17 - Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
- Additional YARA hits:
- BASE64_table - Look for Base64 table
- network_tcp_listen - Listen for incoming communication
- network_tcp_socket - Communications over RAW socket
- network_dns - Communications use DNS
- win_mutex - Create or check mutex
- win_registry - Affect system registries
- win_files_operation - Affect private profile
- Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
- Suricata Alerts:
- ET TROJAN [PTsecurity] Botnet Nitol.B Checkin
- Example Service that gets created - Binary name changes each time:
- service_start_name =>
- start_type => 2
- password =>
- display_name => Microsoft .Net Frameworek COMi+ Suppoot
- filepath => C:\Windows\debug\lkghost.exe
- service_name => Serpiei
- filepath_r => C:\Windows\Debug\lkghost.exe
- service_handle => 0x004bce10
- desired_access => 983551
- service_type => 272
- error_control => 1
- service_manager_handle => 0x004bcf50
- Potential DGA DNS Requests: