RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Common Information
| Type | Value |
|---|---|
| UUID | 3973d05c-0482-4f1d-ad4f-941472bba134 |
| Fingerprint | cc0edef38a1c16848f5a5a663f646a09703428a94cb9c28f10c125027ddba51c |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 26, 2018, 2:11 p.m. |
| Added to db | March 10, 2024, 12:48 a.m. |
| Last updated | Aug. 30, 2024, 10:28 p.m. |
| Headline | RedAlpha: New Campaigns Discovered Targeting the Tibetan Community |
| Title | RedAlpha: New Campaigns Discovered Targeting the Tibetan Community |
| Detected Hints/Tags/Attributes | 157/3/191 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 269 | cve-2017-0199 |
|
| Details | CVE | 375 | cve-2017-11882 |
|
| Details | CVE | 117 | cve-2018-0802 |
|
| Details | Domain | 3 | doc.internetdocss.com |
|
| Details | Domain | 546 | www.recordedfuture.com |
|
| Details | Domain | 2 | www.hktechy.com |
|
| Details | Domain | 2 | index.ackques.com |
|
| Details | Domain | 1 | index.acques.com |
|
| Details | Domain | 2 | striker.internetdocss.com |
|
| Details | Domain | 1 | dreamisx.blog.163.com |
|
| Details | Domain | 1 | www.borlandforum.com |
|
| Details | Domain | 4126 | github.com |
|
| Details | Domain | 2 | njrat.py |
|
| Details | Domain | 2 | 220x218x70x160.ap220.ftth.ucom.ne.jp |
|
| Details | Domain | 2 | u2xu2.com |
|
| Details | Domain | 1 | hktechy.com |
|
| Details | Domain | 1 | blog.passivetotal.org |
|
| Details | Domain | 370 | www.proofpoint.com |
|
| Details | Domain | 1 | internetdocss.com |
|
| Details | Domain | 2 | item.internetdocss.com |
|
| Details | Domain | 2 | cfr.internetdocss.com |
|
| Details | Domain | 2 | tootopia.internetdocss.com |
|
| Details | Domain | 2 | oc.internetdocss.com |
|
| Details | Domain | 2 | thewire.internetdocss.com |
|
| Details | Domain | 2 | tibet.internetdocss.com |
|
| Details | Domain | 2 | savetibet.internetdocss.com |
|
| Details | Domain | 2 | blog.tibetcul.internetdocss.com |
|
| Details | Domain | 2 | rediff.internetdocss.com |
|
| Details | Domain | 2 | ndtv.internetdocss.com |
|
| Details | Domain | 2 | business.internetdocss.com |
|
| Details | Domain | 2 | apple.internetdocss.com |
|
| Details | Domain | 2 | chinaaid.internetdocss.com |
|
| Details | Domain | 2 | epochtimes.internetdocss.com |
|
| Details | Domain | 2 | docs.internetdocss.com |
|
| Details | Domain | 2 | artvoice.internetdocss.com |
|
| Details | Domain | 2 | www.apple.internetdocss.com |
|
| Details | Domain | 2 | www.doc.internetdocss.com |
|
| Details | Domain | 2 | vot.internetdocss.com |
|
| Details | Domain | 2 | video.internetdocss.com |
|
| Details | Domain | 1 | my.anti-spammail.services |
|
| Details | Domain | 2 | tk.u2xu2.com |
|
| Details | Domain | 2 | http.ackques.com |
|
| Details | Domain | 2 | sp.u2xu2.com |
|
| Details | Domain | 272 | outlook.com |
|
| Details | Domain | 2 | angtechy.com |
|
| Details | Domain | 1 | webmail-dalailama.com |
|
| Details | Domain | 2 | mail-defense.tk |
|
| Details | Domain | 1 | mail-youxinpai.com |
|
| Details | Domain | 2 | cqledu.com |
|
| Details | Domain | 1 | cqledi.org |
|
| Details | Domain | 2 | mail-aol.space |
|
| Details | Domain | 3 | mail.aol.com |
|
| Details | Domain | 2 | drlve-gooog1e.com |
|
| Details | Domain | 194 | drive.google.com |
|
| Details | Domain | 2 | login-live.space |
|
| Details | Domain | 36 | login.live.com |
|
| Details | Domain | 3 | mail-dsi-go.space |
|
| Details | Domain | 1 | mail.dsi.go.th |
|
| Details | Domain | 2 | mail-epochtimes.space |
|
| Details | Domain | 1 | mail.epochtimes.com |
|
| Details | Domain | 2 | mail.defence.lk |
|
| Details | Domain | 1 | webmail.dalailama.com |
|
| Details | Domain | 2 | mail.youxinpai.com |
|
| Details | Domain | 2 | plshl.com |
|
| Details | Domain | 2 | webmail-mpt.space |
|
| Details | Domain | 2 | webmail.mpt.net |
|
| Details | Domain | 2 | wengiguowengui.space |
|
| Details | Domain | 1 | swayam.mahaonline.gov.in |
|
| Details | Domain | 1 | molpg.mahaonline.gov.in |
|
| Details | Domain | 85 | 163.com |
|
| Details | Domain | 2 | cqyrxy.com |
|
| Details | Domain | 1 | drive-mail-google.com |
|
| Details | Domain | 1 | drive-accounts-gooogle.com |
|
| Details | Domain | 99 | qq.com |
|
| Details | Domain | 5 | www.52pojie.cn |
|
| Details | Domain | 1 | www.cimer.com.cn |
|
| Details | 2 | steven-jain@outlook.com |
||
| Details | 4 | 6060841@qq.com |
||
| Details | File | 1 | wordx86.exe |
|
| Details | File | 1 | audiox86.exe |
|
| Details | File | 1 | nethelpx86.dll |
|
| Details | File | 1 | c:\windows\nethelp.dll |
|
| Details | File | 1 | nethelp.dll |
|
| Details | File | 1122 | svchost.exe |
|
| Details | File | 1 | wordx64.exe |
|
| Details | File | 1 | audiox64.dll |
|
| Details | File | 1 | nethelpx64.dll |
|
| Details | File | 1 | audiox64.exe |
|
| Details | File | 13 | client.dll |
|
| Details | File | 816 | index.html |
|
| Details | File | 96 | rar.exe |
|
| Details | File | 1 | nethelp%20x64.dll |
|
| Details | File | 1 | audio%20x64.exe |
|
| Details | File | 212 | winlogon.exe |
|
| Details | File | 1 | impboard.dll |
|
| Details | File | 1 | qww.exe |
|
| Details | File | 2 | serverdo.exe |
|
| Details | File | 2 | njrat.py |
|
| Details | File | 2 | blog.pas |
|
| Details | File | 40 | www.doc |
|
| Details | File | 1 | microsoft_word_97_-_2003___1.doc |
|
| Details | File | 2 | ww.exe |
|
| Details | File | 1 | serverdo7468.exe |
|
| Details | File | 2 | mail.ep |
|
| Details | File | 1 | thread-93849-1-1.html |
|
| Details | File | 23 | x86.dll |
|
| Details | File | 11 | x86.exe |
|
| Details | File | 38 | x64.dll |
|
| Details | File | 13 | x64.exe |
|
| Details | File | 6 | audio.exe |
|
| Details | File | 2 | c:\\windows\\nethelp.dll |
|
| Details | File | 5 | %systemroot%\\system32\\svchost.exe |
|
| Details | Github username | 5 | kevthehermit |
|
| Details | md5 | 2 | cb71f3b4f08eba58857532ac90bac77d |
|
| Details | md5 | 2 | 3697a1f9150de181026ce089c10657c3 |
|
| Details | md5 | 2 | 1412102eda0c2e5a5a85cb193dbb1524 |
|
| Details | md5 | 2 | 42256b4753724f7feb411bc9912155fd |
|
| Details | md5 | 2 | bc902a5e56cbbaa82f4af26cf9f4567e |
|
| Details | md5 | 2 | 6d1d6987d0677f40e473befab121ab1b |
|
| Details | md5 | 2 | 8f0fe2620f8dadf93eee285834e35655 |
|
| Details | md5 | 2 | cd32ce54ed94dfbde7fb85930a16597d |
|
| Details | md5 | 2 | 6dd1be1e491d5bf9cd14686c185c3009 |
|
| Details | md5 | 1 | 9098d75f516f191276ef1836aecc30d4 |
|
| Details | md5 | 2 | 5228914b534a437eb7985702e78772be |
|
| Details | md5 | 2 | e6c0ac26b473d1e0fa9f74fdf1d01af8 |
|
| Details | md5 | 2 | e28db08b2326a34958f00d68dfb034b0 |
|
| Details | md5 | 2 | 17030637d18335c7267d09ec0ebc637c |
|
| Details | md5 | 2 | c94a39d58450b81087b4f1f5fd304add |
|
| Details | md5 | 2 | 3a2b1a98c0a31ed32759f48df34b4bc8 |
|
| Details | md5 | 2 | c74608c70a59371cbf016316bebfab06 |
|
| Details | md5 | 22 | f34d5f2d4577ed6d9ceec516c1f5a744 |
|
| Details | md5 | 1 | 1b67183acc18d7641917f4fe07c1b053 |
|
| Details | md5 | 1 | 1929db297c9d7d88a6427b8603a7145b |
|
| Details | md5 | 1 | 83ffd697edd0089204779f5bfb031023 |
|
| Details | md5 | 2 | c6e336550bd1c087ee2a211781fd9280 |
|
| Details | md5 | 2 | d4ea9027edca1d01c62d9f43a2975d30 |
|
| Details | md5 | 2 | e6e566fc8a1dee3019821e84c5ad58cc |
|
| Details | md5 | 2 | af5487e77c16d987ca02d59bdcf38489 |
|
| Details | md5 | 2 | 6e109cbbd181ad567b90463d48302c72 |
|
| Details | md5 | 2 | df09df6d5ae774f280c43e3cc0e4a142 |
|
| Details | md5 | 2 | 617fd4619e215a00dae98de5980a4210 |
|
| Details | sha1 | 1 | 3142029872c39f393e765d59d68cf4f912170629 |
|
| Details | sha1 | 1 | 7e7d38b1687c5949528d35d8e405d995ac15d1b2 |
|
| Details | sha1 | 1 | 1e9a0a147198b8dfb4a33fc5bb1406635bfbe514 |
|
| Details | sha1 | 1 | 83d7ceb2e55ae3d6bbf0936376e82fe5bc97a963 |
|
| Details | sha1 | 1 | 28bc84813b9dec660fe95d590ef33e574fe16254 |
|
| Details | sha1 | 1 | e781aa54be06e010f1096fcc39a95df144659bd3 |
|
| Details | sha1 | 1 | c8e61a4282589c93774be2cddc109599316087b7 |
|
| Details | sha1 | 1 | dd3f4da890fa00b0b6032d1141f54490c093c297 |
|
| Details | sha256 | 1 | e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e |
|
| Details | sha256 | 1 | 293d5d84b2d4c4398e9e420c16c04dddf62132cd59cf7519109c6718c288adf3 |
|
| Details | sha256 | 1 | d0d02f811f7c07301e91536f2e1d908c1e67e68d89afbd2bc5bfa2cc747e67ec |
|
| Details | sha256 | 1 | 02bf5fdb11eee6ede01cc061206fe98f60a6b5c90ffead31e8f0a87ccfa414ef |
|
| Details | sha256 | 1 | 50a28a8ebc68b6c608a073278fbb4255912bf41fd0970192d439097af4670f81 |
|
| Details | sha256 | 1 | 1967bd2047fd9dabe3d95bdaee7c8e7f8d5bd0e378968a634e157ec4d72db17c |
|
| Details | IPv4 | 2 | 220.218.70.160 |
|
| Details | IPv4 | 2 | 198.44.172.97 |
|
| Details | IPv4 | 2 | 45.77.250.80 |
|
| Details | IPv4 | 2 | 122.10.84.146 |
|
| Details | IPv4 | 2 | 144.48.220.167 |
|
| Details | IPv4 | 2 | 27.126.179.158 |
|
| Details | IPv4 | 2 | 211.44.63.39 |
|
| Details | IPv4 | 2 | 142.4.62.249 |
|
| Details | IPv4 | 2 | 27.126.179.157 |
|
| Details | IPv4 | 2 | 27.126.179.156 |
|
| Details | IPv4 | 2 | 27.126.179.160 |
|
| Details | IPv4 | 2 | 27.126.179.159 |
|
| Details | IPv4 | 2 | 115.126.39.107 |
|
| Details | IPv4 | 1 | 103.245.22.117 |
|
| Details | IPv4 | 1 | 103.245.22.124 |
|
| Details | IPv4 | 1 | 103.20.193.156 |
|
| Details | IPv4 | 2 | 103.30.7.76 |
|
| Details | IPv4 | 2 | 103.30.7.77 |
|
| Details | IPv4 | 2 | 103.20.192.59 |
|
| Details | IPv4 | 2 | 103.20.195.140 |
|
| Details | IPv4 | 1 | 103.20.192.4 |
|
| Details | IPv4 | 1 | 103.20.192.248 |
|
| Details | Url | 1 | http://doc.internetdocss.com/nethelpx86.dll |
|
| Details | Url | 1 | http://doc.internetdocss.com/audiox86.exe |
|
| Details | Url | 1 | http://doc.internetdocss.com/nethelpx64.dll |
|
| Details | Url | 1 | http://doc.internetdocss.com/audiox64.exe |
|
| Details | Url | 2 | http://doc.internetdocss.com/index? |
|
| Details | Url | 1 | http://dreamisx.blog.163.com/blog/static/11500483920128 |
|
| Details | Url | 1 | http://www.borlandforum.com/impboard/impboard.dll?action=r |
|
| Details | Url | 1 | https://github.com/kevthehermit/ratdecoders/blob/master/standalone/njrat.py |
|
| Details | Url | 1 | http://blog.passivetotal.org/hashes-or-it-didnt-happen |
|
| Details | Url | 1 | https://www.proofpoint.com/us/resources/data-sheets/emerging-threats-intelligence |
|
| Details | Url | 2 | http://doc.internetdocss.com/nethelp |
|
| Details | Url | 2 | http://doc.internetdocss.com/audio |
|
| Details | Url | 2 | http://doc.internetdocss.com/word |
|
| Details | Yara rule | 2 | import "pe"
rule apt_ZZ_RedAlpha_njRat {
meta:
author = "JAG-S, Insikt Group, Recorded Future"
TLP = "White"
md5 = "c74608c70a59371cbf016316bebfab06"
date = "04-14-2018"
desc = "Second-stage njRAT, RedAlpha config"
version = "1.1"
strings:
$installName = "serverdo.exe" wide
$port = "9527" wide
$version = "0.7d" wide
$c2 = "doc.internetdocss.com" wide
condition:
uint16(0) == 0x5A4D and filesize < 50KB and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and all of them
} |