ioc[.]one - OSINT Cyber Threat Intelligence Database

MAR-10382254-1.v1 – C2 RAT | CISA

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Software - T1592.002 Vulnerabilities - T1588.006 Whois - T1596.002 Connection Proxy - T1090 Graphical User Interface - T1061 Graphical User Interface

Show in Graph

Common Information

Type	Value
UUID	5847f905-d300-430e-9091-e10f9e5b71b0
Fingerprint	4149d11cdf88b8b
Analysis status	DONE
Considered CTI value	2
Text language
Published	June 23, 2022, midnight
Added to db	Sept. 11, 2022, 12:44 p.m.
Last updated	Nov. 17, 2024, 5:57 p.m.
Headline	Malware Analysis Report (AR22-174A)
Title	MAR-10382254-1.v1 – C2 RAT \| CISA
Detected Hints/Tags/Attributes	51/2/32

Source URLs

	Redirection	Url
Details	Source	https://us-cert.cisa.gov/ncas/analysis-reports/ar22-174a

URL Provider

Details	Provider	Source level domain
Details	cisa.gov	us-cert.cisa.gov

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	85	✔	—	https://cisa.gov/uscert/ncas/analysis-reports.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	469	www.cisa.gov
Details	Domain	2	whois.ovh.com
Details	Domain	2	ip-192-95-20.net
Details	Domain	154	us-cert.cisa.gov
Details	Domain	84	malware.us-cert.gov
Details	Domain	84	ftp.malware.us-cert.gov
Details	Email	84	submit@malware.us-cert.gov
Details	File	2	hmsvc.exe
Details	File	2	658_dump_64.exe
Details	File	4	f7_dump_64.exe
Details	md5	5	3764a0f1762a294f662f3bf86bac776f
Details	md5	5	21fa1a043460c14709ef425ce24da4fd
Details	md5	5	e9c2b8bd1583baf3493824bf7b3ec51e
Details	md5	5	de0d57bdc10fee1e1e16e225788bb8de
Details	md5	5	9b071311ecd1a72bfd715e34dbd1bd77
Details	md5	5	05d38bc82d362dd57190e3cb397f807d
Details	md5	4	199a32712998c6d736a05b2dbd24a761
Details	sha256	2	6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
Details	sha256	2	6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d
Details	sha256	5	f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab
Details	sha256	5	66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16
Details	sha256	5	7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751
Details	sha256	5	33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b
Details	sha256	5	3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0
Details	sha256	5	4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
Details	sha256	4	88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8
Details	IPv4	2	192.95.20.8
Details	Url	43	http://www.cisa.gov/tlp.
Details	Url	53	https://us-cert.cisa.gov/forms/feedback
Details	Url	84	https://malware.us-cert.gov
Details	Yara rule	5	rule CISA_10382580_03 : loader { meta: Author = "CISA Code & Media Analysis" Incident = "10382580" Date = "2022-05-02" Last_Modified = "20220602_1200" Actor = "n/a" Category = "Loader" Family = "n/a" Description = "Detects loader samples" MD5_1 = "3764a0f1762a294f662f3bf86bac776f" SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab" MD5_2 = "21fa1a043460c14709ef425ce24da4fd" SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16" MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e" SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751" MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de" SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b" MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77" SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0" MD5_6 = "05d38bc82d362dd57190e3cb397f807d" SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f" strings: $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 } $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 } $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 } $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 } condition: all of them }
Details	Yara rule	4	rule CISA_10382580_01 : rat { meta: Author = "CISA Code & Media Analysis" Incident = "10382580" Date = "2022-05-25" Last_Modified = "20220602_1200" Actor = "n/a" Category = "Remote Access Tool" Family = "n/a" Description = "Detects Remote Access Tool samples" MD5_1 = "199a32712998c6d736a05b2dbd24a761" SHA256_1 = "88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8" strings: $s0 = { 0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8 } $s1 = { 35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70 } $s2 = { 66 83 F8 1E } $s3 = { 66 83 F8 52 } condition: all of them }