ExileRAT shares C2 with LuckyCat, targets Tibet
Common Information
UUID: 2a9e7dc3-d285-4892-a265-c4e5926e1f10
Fingerprint: a4802c89291c4788
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Feb. 4, 2019, 11 a.m.
Added to db: Sept. 26, 2022, 9:30 a.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline Vulnerability Information
Title: ExileRAT shares C2 with LuckyCat, targets Tibet
Detected Hints/Tags/Attributes: 71/3/30
Attributes