A .NET rat target Mongolia
Tags
| country: | Mongolia |
| attack-pattern: | Data Msbuild - T1127.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 |
Common Information
| Type | Value |
|---|---|
| UUID | 39cfa707-1801-452f-a4c8-fd653be25c1d |
| Fingerprint | 359ec99624b56f61 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | March 24, 2021, 10:46 a.m. |
| Added to db | Sept. 11, 2022, 12:30 p.m. |
| Last updated | Nov. 17, 2024, 12:58 p.m. |
| Headline | A .NET rat targets Mongolia |
| Title | A .NET rat target Mongolia |
| Detected Hints/Tags/Attributes | 32/2/11 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2 |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 265 | recordedfuture.com |
|
| Details | File | 1 | os03c2.tmp |
|
| Details | File | 165 | csrss.exe |
|
| Details | File | 1 | c:\users\admin\appdata\local\temp\os03c2.tmp |
|
| Details | File | 4 | cssrs.exe |
|
| Details | md5 | 1 | 8A5AE1329F9CD824EE915FE14328D267 |
|
| Details | sha256 | 2 | 1120275dc25bc9a7b3e078138c7240fbf26c91890d829e51d9fa837fe90237ed |
|
| Details | sha256 | 1 | 2b038ad9bfb8c3f40e95e38b572bdf536d9fd2e7dd5cc0c66fbd0bdc1ed89fde |
|
| Details | sha256 | 1 | 08be2c7239acb9557454088bba877a245c8ef9b0e9eb389c65a98e1c752c5709 |
|
| Details | IPv4 | 1 | 185.82.218.40 |
|
| Details | Yara rule | 1 | rule backdoor_net {
meta:
description = "Backdoor targets Mongolia"
author = " @sebdraven "
date = "20200323"
tlp = "white"
strings:
$s1 = "RunHide"
$s2 = "Token"
$s3 = "BasicKey"
$s4 = "SessionKey"
$s5 = "AdminKeyMD5"
$s6 = "Aes256"
$s7 = "Order_Catcher"
$s8 = "Get_ComputerInfo"
$s9 = "TransData"
condition:
all of them
} |