MAR-10296782-2.v1 – WELLMESS | CISA
Tags
Common Information
Type | Value |
---|---|
UUID | 46bf53fa-3c80-4e4d-aa06-7c6e193216e5 |
Fingerprint | af182b416c7b8585 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 16, 2020, midnight |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | Malware Analysis Report (AR20-198B) |
Title | MAR-10296782-2.v1 – WELLMESS | CISA |
Detected Hints/Tags/Attributes | 114/3/120 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Autonomous System Number | 1 | AS203913 |
|
Details | Autonomous System Number | 1 | AS14613 |
|
Details | Autonomous System Number | 1 | AS135752 |
|
Details | Domain | 145 | www.us-cert.gov |
|
Details | Domain | 98 | www.ncsc.gov.uk |
|
Details | Domain | 1 | wellmess.net |
|
Details | Domain | 6 | botlib.post (matches the Go symbol path botlib.Post in the YARA rule strings below; likely a code identifier, not a network domain) |
|
Details | Domain | 1 | x643.microsoft (likely a code identifier auto-extracted as a domain; verify against the source report) |
|
Details | Domain | 1 | this.ua (likely a code identifier auto-extracted as a domain; verify against the source report) |
|
Details | Domain | 1 | chat.download (likely a method reference such as Chat.Download, not a network domain; verify against the source report) |
|
Details | Domain | 4 | runspace.open (likely a method reference such as Runspace.Open, not a network domain; verify against the source report) |
|
Details | Domain | 7 | random.next (likely a method reference such as Random.Next, not a network domain; verify against the source report) |
|
Details | Domain | 1 | transportprotocol.post (likely a code identifier, not a network domain; verify against the source report) |
|
Details | Domain | 12 | whois.ripe.net |
|
Details | Domain | 1 | lubnanet.com |
|
Details | Domain | 1 | estnoc.ee |
|
Details | Domain | 1 | sg.leaseweb.com |
|
Details | Domain | 1 | www.tocici.com |
|
Details | Domain | 3 | rdap.arin.net |
|
Details | Domain | 5 | botlib.work |
|
Details | Domain | 5 | whois.apnic.net |
|
Details | Domain | 1 | evokedigital.in |
|
Details | Domain | 4 | botlib.download |
|
Details | Domain | 4 | botlib.new |
|
Details | Domain | 469 | www.cisa.gov |
|
Details | Domain | 84 | malware.us-cert.gov |
|
Details | Domain | 84 | ftp.malware.us-cert.gov |
|
Details | 1 | noc@lubnanet.com |
||
Details | 1 | eu-legal@estnoc.ee |
||
Details | 1 | webmaster@estnoc.ee |
||
Details | 1 | apnic@sg.leaseweb.com |
||
Details | 1 | abuse@sg.leaseweb.com |
||
Details | 1 | query@evokedigital.in |
||
Details | 1 | radhe@evokedigital.in |
||
Details | 84 | submit@malware.us-cert.gov |
||
Details | File | 1 | extract.bin |
|
Details | File | 9 | powercfg.exe |
|
Details | File | 6 | powershell.dll |
|
Details | File | 1 | variable.url (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 1 | variable.max (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 1 | variable.key (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 1 | publickey.key (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 1 | publickey.pub (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 3 | this.max (likely a dotted code identifier auto-extracted as a file name; verify against the source report) |
|
Details | File | 1 | botchat.ps |
|
Details | File | 2125 | cmd.exe |
|
Details | File | 4 | rijndaelmanaged.key (RijndaelManaged.Key is a .NET property name; likely a code identifier rather than an on-disk file) |
|
Details | File | 4 | botlib.key (matches the Go symbol botlib.Key in the YARA rule strings below; likely a code identifier rather than an on-disk file) |
|
Details | File | 4 | botlib.ini (unclear whether this is a real file name or an auto-extracted identifier; verify against the source report) |
|
Details | md5 | 3 | f18ced8772e9d1a640b8b4a731dfb6e0 |
|
Details | md5 | 3 | 4d38ac3319b167f6c8acb16b70297111 |
|
Details | md5 | 3 | a32e1202257a2945bf0f878c58490af8 |
|
Details | md5 | 3 | 861879f402fe3080ab058c0c88536be4 |
|
Details | md5 | 3 | 2f9f4f2a9d438cdc944f79bdf44a18f8 |
|
Details | md5 | 3 | ae7a46529a0f74fb83beeb1ab2c68c5c |
|
Details | md5 | 4 | 3a9cdd8a5cbc3ab10ad64c4bb641b41f |
|
Details | md5 | 3 | 967fcf185634def5177f74b0f703bdc0 |
|
Details | md5 | 3 | c5d5cb99291fa4b2a68b5ea3ff9d9f9a |
|
Details | md5 | 4 | 01d322dcac438d2bb6bce2bae8d613cb |
|
Details | md5 | 3 | 8777a9796565effa01b03cf1cea9d24d |
|
Details | md5 | 3 | 507bb551bd7073f846760d8b357b7aa9 |
|
Details | md5 | 22 | f34d5f2d4577ed6d9ceec516c1f5a744 |
|
Details | md5 | 1 | b90f84adffd98c3c63291dc54f766f18 |
|
Details | md5 | 1 | 25e1daba00e54a31c1d9bb459988f669 |
|
Details | md5 | 1 | bb5030c93de573a2819699404e0436be |
|
Details | md5 | 1 | f662c2f95c916d5bd4f0c939236a81e9 |
|
Details | md5 | 5 | dae02f32a21e03ce65412f6e56942daa |
|
Details | md5 | 1 | 668481e5e1971f610581ea0b01b617b5 |
|
Details | md5 | 1 | ced7014e20c39fba49386f6aef5e1203 |
|
Details | md5 | 1 | 1d4922f19bd3e79cfdf93cd91be7af27 |
|
Details | md5 | 1 | da55cd9f0f50ad5c82000ca03bfaa4be |
|
Details | md5 | 1 | e3b0c44298fc1c149afbf4c8996fb924 (not a real MD5: these are the first 32 hex characters of the empty-input SHA-256 listed below, most likely a truncation artifact of extraction) |
|
Details | sha1 | 1 | 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1 |
|
Details | sha1 | 1 | 23033dcad2d60574ea8a65862431f46b950e54c3 |
|
Details | sha1 | 2 | e45f89c923d0361ce8f9c64a63031860a76b2d10 |
|
Details | sha1 | 1 | 01a71390892fad77987aa09a630b04ff72e37d5d |
|
Details | sha1 | 1 | a57c896486564d7663a4dce6fbf723a1deb81378 |
|
Details | sha1 | 1 | 709878e13633e44b45ad1ab569ad34e3dc1efd3b |
|
Details | sha1 | 1 | db4f07ecefd1e290d727379ded4f15a0d4a59f88 |
|
Details | sha256 | 7 | 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 |
|
Details | sha256 | 9 | 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb |
|
Details | sha256 | 8 | 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee |
|
Details | sha256 | 7 | 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a |
|
Details | sha256 | 7 | e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 |
|
Details | sha256 | 7 | fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 |
|
Details | sha256 | 3 | 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 |
|
Details | sha256 | 7 | a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 |
|
Details | sha256 | 7 | 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 |
|
Details | sha256 | 8 | 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 |
|
Details | sha256 | 8 | 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 |
|
Details | sha256 | 7 | 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 |
|
Details | sha256 | 16 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA-256 of zero-length input; a hit on this value means an empty file or field, not a malware sample, so it should not be used as an indicator) |
|
Details | IPv4 | 5 | 103.73.188.101 |
|
Details | IPv4 | 5 | 141.98.212.55 |
|
Details | IPv4 | 5 | 192.48.88.107 |
|
Details | IPv4 | 6 | 209.58.186.196 |
|
Details | IPv4 | 6 | 85.93.2.116 |
|
Details | IPv4 | 1 | 85.93.2.0 (the .0/.255 pairs in this list bracket the netblocks of the addresses above and read as WHOIS/RDAP range bounds, cf. the rdap.arin.net registry URL below; they are not indicators themselves) |
|
Details | IPv4 | 1 | 85.93.2.255 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 1 | 141.98.212.0 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 1 | 141.98.212.255 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 2 | 209.58.184.0 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 2 | 209.58.191.255 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 1 | 200.200.200.221 (origin unclear; verify against the source report before treating as an indicator) |
|
Details | IPv4 | 1 | 1.9.1.8 (likely a version string or similar auto-extracted as an address; verify against the source report) |
|
Details | IPv4 | 1 | 192.48.88.0 (netblock bound, see note on 85.93.2.0; this exact value appears in the rdap.arin.net registry URL below) |
|
Details | IPv4 | 1 | 192.48.91.255 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 2 | 200.200.200.150 (origin unclear; verify against the source report before treating as an indicator) |
|
Details | IPv4 | 1 | 103.73.188.0 (netblock bound, see note on 85.93.2.0) |
|
Details | IPv4 | 1 | 103.73.191.255 (netblock bound, see note on 85.93.2.0) |
|
Details | Threat Actor Identifier - APT | 665 | APT29 |
|
Details | Url | 42 | http://www.us-cert.gov/tlp. |
|
Details | Url | 5 | https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development |
|
Details | Url | 1 | http://85.93.2.116 |
|
Details | Url | 1 | https://rdap.arin.net/registry/ip/192.48.88.0 |
|
Details | Url | 1 | http://www.tocici.com |
|
Details | Url | 1 | https://rdap.arin.net/registry/entity/tocic |
|
Details | Url | 12 | https://www.cisa.gov/forms/feedback |
|
Details | Url | 84 | https://malware.us-cert.gov |
|
Details | Yara rule | 3 | rule CISA_10296782_01 : trojan WELLMESS { meta: Author = "CISA Code & Media Analysis" Date = "2020-07-06" Last_Modified = "20200706_1017" Actor = "n/a" Category = "Trojan" Family = "WellMess" Description = "Detects WellMess implant and SangFor Exploit" MD5_1 = "4d38ac3319b167f6c8acb16b70297111" SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee" MD5_2 = "a32e1202257a2945bf0f878c58490af8" SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064" MD5_3 = "861879f402fe3080ab058c0c88536be4" SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2" MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8" SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09" MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c" SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950" MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0" SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a" MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f" SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb" MD5_8 = "967fcf185634def5177f74b0f703bdc0" SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2" MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a" SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75" MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb" SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494" MD5_11 = "8777a9796565effa01b03cf1cea9d24d" SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18" MD5_12 = "507bb551bd7073f846760d8b357b7aa9" SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854" strings: $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go" $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post" $2 = "GoProject/src/bot/botlib.deleteFile" $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString" $4 = "GoProject/src/bot/botlib.AES_Decrypt" $5 
= { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 } $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D } $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D } $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 } $9 = "get_keyRC6" $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 } $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 } $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D } $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 } $14 = "GoProject/src/bot/botlib.wellMess" $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 } $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 } $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 } $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 } $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F } $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B } $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E } $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 } $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 } $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F } $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D } $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D } $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 } condition: ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27) } |