MAR-10382580-1.v1 – Unidentified RAT | CISA
Common Information
UUID: 70a64027-51f8-4ddc-9fb0-2b6814c1a0fe
Fingerprint: 8d141d1dc5fb0e83
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: July 18, 2022, noon
Added to db: June 5, 2023, 10:32 a.m.
Last updated: Nov. 17, 2024, 5:57 p.m.
Headline: MAR-10382580-1.v1 – Unidentified RAT
Title: MAR-10382580-1.v1 – Unidentified RAT | CISA
Detected Hints/Tags/Attributes: 66/2/56
Attributes
Type (#Events): Value
Domain (469 events): www.cisa.gov
Domain (12 events): whois.ripe.net
Domain (3 events): pivps.com
Domain (1174 events): gmail.com
Domain (1 event): rwhois.quadranet.com
Domain (154 events): us-cert.cisa.gov
Domain (84 events): malware.us-cert.gov
Domain (84 events): ftp.malware.us-cert.gov
Email (2 events): pivps.com@gmail.com
Email (84 events): submit@malware.us-cert.gov
File (2 events): error_401.jsp
File (2 events): odbccads.exe
File (2 events): fontdrvhosts.exe
File (2 events): winds.exe
File (2 events): praiser.exe
File (4 events): f7_dump_64.exe
File (2 events): svcedge.exe
File (2 events): %temp%\idpe988.tmp
File (3 events): wind.exe
md5 (5 events): 3764a0f1762a294f662f3bf86bac776f
md5 (5 events): 21fa1a043460c14709ef425ce24da4fd
md5 (5 events): e9c2b8bd1583baf3493824bf7b3ec51e
md5 (5 events): de0d57bdc10fee1e1e16e225788bb8de
md5 (5 events): 9b071311ecd1a72bfd715e34dbd1bd77
md5 (5 events): 05d38bc82d362dd57190e3cb397f807d
md5 (2 events): 7b1ce3fe542c6ae2919aa94e20dc860e
md5 (4 events): 199a32712998c6d736a05b2dbd24a761
sha256 (2 events): 28e4e7104cbffa97a0aa2f53b5ebcbcdba360ec416b34bb617e2f8891d204816
sha256 (5 events): 33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b
sha256 (5 events): 3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0
sha256 (5 events): 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16
sha256 (5 events): 7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751
sha256 (4 events): 88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8
sha256 (2 events): d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f
sha256 (5 events): f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab
sha256 (5 events): 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
IPv4 (2 events): 134.119.177.107
IPv4 (2 events): 155.94.211.207
IPv4 (2 events): 162.245.190.203
IPv4 (2 events): 185.136.163.104
IPv4 (1 event): 185.136.163.0
IPv4 (1 event): 185.136.163.255
IPv4 (1 event): 185.136.160.0
IPv4 (1 event): 134.119.177.0
IPv4 (1 event): 134.119.177.255
IPv4 (1 event): 134.119.176.0
IPv4 (2 events): 162.245.184.0
IPv4 (2 events): 162.245.191.255
IPv4 (2 events): 155.94.128.0
IPv4 (2 events): 155.94.255.255
Url (43 events): http://www.cisa.gov/tlp.
Url (53 events): https://us-cert.cisa.gov/forms/feedback
Url (84 events): https://malware.us-cert.gov
Yara rule (5 events):
rule CISA_10382580_03 : loader {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10382580"
		Date = "2022-05-02"
		Last_Modified = "20220602_1200"
		Actor = "n/a"
		Category = "Loader"
		Family = "n/a"
		Description = "Detects loader samples"
		MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
		SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
		MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
		SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
		MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
		SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
		MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
		SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
		MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
		SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
		MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
		SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
	strings:
		$s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
		$s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
		$s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
		$s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
	condition:
		all of them
}
Yara rule (2 events):
rule CISA_10382580_02 : rat {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10382580"
		Date = "2022-06-02"
		Last_Modified = "20220602_1200"
		Actor = "n/a"
		Category = "RAT"
		Family = "n/a"
		Description = "Detects unidentified Remote Access Tool samples"
		MD5_1 = "7b1ce3fe542c6ae2919aa94e20dc860e"
		SHA256_1 = "d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f"
	strings:
		$s0 = { 48 8B 06 0F B6 04 01 32 C2 F6 C1 01 75 02 34 E7 }
		$s1 = { 88 04 0F 48 FF C1 48 8B 46 08 48 3B }
		$s2 = { 0F BE CA C1 CF 0D 8D 41 E0 80 FA 61 0F 4C C1 03 }
		$s3 = { F8 4D 8D 40 01 41 0F B6 10 84 D2 }
	condition:
		all of them
}
Yara rule (4 events):
rule CISA_10382580_01 : rat {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10382580"
		Date = "2022-05-25"
		Last_Modified = "20220602_1200"
		Actor = "n/a"
		Category = "Remote Access Tool"
		Family = "n/a"
		Description = "Detects Remote Access Tool samples"
		MD5_1 = "199a32712998c6d736a05b2dbd24a761"
		SHA256_1 = "88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8"
	strings:
		$s0 = { 0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8 }
		$s1 = { 35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70 }
		$s2 = { 66 83 F8 1E }
		$s3 = { 66 83 F8 52 }
	condition:
		all of them
}
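The three rules above are fixed hex-byte signatures joined by an `all of them` condition, and the hashes in their meta sections are the quickest triage check. What follows is an example added by the editor, not CISA's code: it carries the page's MD5/SHA256 values and four host addresses as lookup sets and re-implements the rules' matching for the one pattern type they use (literal hex bytes, no wildcards, jumps or alternations), so it runs on stdlib Python without yara-python. Two things the byte patterns themselves show are worth keeping in mind when tuning (my reading of the opcodes, not a statement from the report): rule CISA_10382580_01's $s2 and $s3 are each a single 4-byte `cmp ax, imm8`, which on its own would fire throughout ordinary code, so the conjunction is doing the work; and rule CISA_10382580_03's four strings are consecutive `mov eax,1 / imul rax,rax,N / mov byte [rsp+rax+0x20], imm8` triples, the way an unoptimized MSVC build writes a local array one constant byte at a time, so an optimized rebuild of the same loader or a changed string would not hit it. Rule CISA_10382580_02's $s2 (`movsx ecx,dl / ror edi,13 / lea eax,[rcx-0x20] / cmp dl,0x61 / cmovl eax,ecx`) is the case-folding ROR-13 loop commonly used to resolve API names by hash. The x.x.x.0 and x.x.x.255 addresses in the attribute list read, again in my reading, as netblock boundaries from WHOIS lookups (whois.ripe.net and rwhois.quadranet.com appear in the domain list) rather than indicators, and the example deliberately leaves them out. The buffers written by demo() are constructed and match nothing real.

```python
"""Offline triage against the MAR-10382580-1.v1 indicators on this page.

Editor's added example, not CISA's code. Hashes, host addresses and hex
strings are transcribed from the page; the buffers built in demo() are
constructed and match nothing real. Only literal hex strings are supported
(no wildcards, jumps or alternations), which is all these three rules use.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# MD5 and SHA256 -> rule name, from each rule's meta section.
IOC_HASHES: Dict[str, str] = {
    "3764a0f1762a294f662f3bf86bac776f": "CISA_10382580_03",
    "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab": "CISA_10382580_03",
    "21fa1a043460c14709ef425ce24da4fd": "CISA_10382580_03",
    "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16": "CISA_10382580_03",
    "e9c2b8bd1583baf3493824bf7b3ec51e": "CISA_10382580_03",
    "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751": "CISA_10382580_03",
    "de0d57bdc10fee1e1e16e225788bb8de": "CISA_10382580_03",
    "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b": "CISA_10382580_03",
    "9b071311ecd1a72bfd715e34dbd1bd77": "CISA_10382580_03",
    "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0": "CISA_10382580_03",
    "05d38bc82d362dd57190e3cb397f807d": "CISA_10382580_03",
    "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f": "CISA_10382580_03",
    "7b1ce3fe542c6ae2919aa94e20dc860e": "CISA_10382580_02",
    "d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f": "CISA_10382580_02",
    "199a32712998c6d736a05b2dbd24a761": "CISA_10382580_01",
    "88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8": "CISA_10382580_01",
}

# Host addresses from the attribute list. The x.x.x.0 / x.x.x.255 entries
# read as WHOIS netblock boundaries, not indicators, and are left out.
IOC_IPS = {"134.119.177.107", "155.94.211.207", "162.245.190.203", "185.136.163.104"}

# Rule name -> its hex strings, in the order given in the rule.
RULES: Dict[str, List[bytes]] = {
    "CISA_10382580_03": [bytes.fromhex(h) for h in (
        "B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01",
        "00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00",
        "48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48",
        "C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0")],
    "CISA_10382580_02": [bytes.fromhex(h) for h in (
        "48 8B 06 0F B6 04 01 32 C2 F6 C1 01 75 02 34 E7",
        "88 04 0F 48 FF C1 48 8B 46 08 48 3B",
        "0F BE CA C1 CF 0D 8D 41 E0 80 FA 61 0F 4C C1 03",
        "F8 4D 8D 40 01 41 0F B6 10 84 D2")],
    "CISA_10382580_01": [bytes.fromhex(h) for h in (
        "0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8",
        "35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70",
        "66 83 F8 1E",    # cmp ax, 0x1E: 4 bytes, meaningless on its own
        "66 83 F8 52")],  # cmp ax, 0x52
}


def classify_hash(digest: str) -> Optional[str]:
    """Rule name for a known MD5/SHA256 (any case), else None."""
    return IOC_HASHES.get(digest.strip().lower())


def classify_ip(addr: str) -> bool:
    """True only for the host addresses, never for the netblock edges."""
    return addr.strip() in IOC_IPS


def match_rules(data: bytes) -> List[str]:
    """Rules whose strings are ALL present in data, i.e. the 'all of them' condition."""
    return sorted(name for name, pats in RULES.items() if all(p in data for p in pats))


def scan_file(path: str) -> Dict[str, object]:
    """Hash one file and run both checks (the whole file is read into memory)."""
    with open(path, "rb") as fh:
        data = fh.read()
    md5, sha = hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()
    return {"path": path, "md5": md5, "sha256": sha,
            "hash_rule": classify_hash(md5) or classify_hash(sha),
            "yara_rules": match_rules(data)}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """scan_file() every file under root; the caller filters for hits."""
    return [scan_file(os.path.join(d, n)) for d, _, names in os.walk(root) for n in names]


def demo() -> Dict[str, Dict[str, object]]:
    """Write three constructed samples to a temp dir, scan it, key results by file name."""
    rat = RULES["CISA_10382580_02"]
    samples = {
        "full.bin": b"\x90" * 32 + b"\xcc".join(rat) + b"\x90" * 32,         # all four strings
        "partial.bin": b"\x90" * 32 + b"\xcc".join(rat[:3]) + b"\x90" * 32,  # three of four: no hit
        "clean.bin": b"MZ" + bytes(64),                                       # nothing
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(r["path"]): r for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: md5={r['md5']} hash_rule={r['hash_rule']} yara={r['yara_rules']}")
```

Pointing scan_tree() at a quarantine directory is the intended use; hash hits are exact and need no review, while a pattern hit is a prompt to pull the sample, since three of these four-string rules would also match any binary that merely embeds the same compiler idioms.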