T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques
Common Information
Type Value
UUID 89cdee8b-bbe2-4377-a71a-7fa094af87eb
Fingerprint 8422991b2cbf8603
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 4, 2016, 11 a.m.
Added to db Sept. 26, 2022, 9:32 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques
Title T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques
Detected Hints/Tags/Attributes 75/2/88
Attributes
Type                     #Events  CTI Value
CVE                      14       cve-2012-1856
CVE                      48       cve-2015-1641
File                     1        tmp.doc
File                     4        hccutils.dll
File                     1        resn32.dll
File                     1        hccutils.inf
File                     1        hjwe.dat
File                     4        igfxtray.exe
File                     1        qhnj.dat
File                     1        qqmgr.dll
File                     1        qqmgr.inf
File                     1        resn32.dat
File                     1        tyeu.dat
File                     1        vnkd.dat
File                     1        dtl.dat
File                     5        infdefaultinstall.exe
File                     2        %appdata%\intel\resn32.dll
File                     1        %appdata%\intel\igfxtray.exe
File                     1018     rundll32.exe
File                     1260     explorer.exe
File                     127      c:\windows\system32\rundll32.exe
File                     1        hccutil.dll
File                     212      winlogon.exe
File                     165      csrss.exe
File                     18       logonui.exe
File                     63       ctfmon.exe
File                     1        drwtsn32.exe
File                     15       explore.exe
File                     8        dbgview.exe
File                     50       userinit.exe
File                     478      lsass.exe
File                     142      wmiprvse.exe
File                     306      services.exe
File                     3        inetinfo.exe
File                     119      avp.exe
File                     28       rtvscan.exe
File                     55       dwm.exe
File                     12       qqpcrtp.exe
File                     1        tasking.exe
File                     62       taskhost.exe
File                     117      taskmgr.exe
File                     1        suerinit.exe
File                     1        %public%\downloads\update\log.txt
File                     1        %allusersprofile%\documents\my document\log.txt
File                     85       log.txt
File                     2        c:\windows\temp\log.txt
File                     1        capturedll.dll
File                     1        kplugin.dll
File                     1        hqwe.dat
File                     1        %appdata%\intel\data\dtl.dat
File                     1        %appdata%\intel\hccutils.dll
File                     1        %appdata%\intel\hccutils.inf
File                     1        %appdata%\intel\hjwe.dat
File                     1        %appdata%\intel\qhnj.dat
File                     1        %appdata%\intel\qqmgr.dll
File                     1        %appdata%\intel\qqmgr.inf
File                     1        %appdata%\intel\resn32.dat
File                     1        %appdata%\intel\tyeu.dat
File                     1        %appdata%\intel\vnkd.dat
sha256                   1        d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c
sha256                   1        bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f
sha256                   1        ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a
sha256                   1        aa28db689f73d77babd1c763c53b3e63950f6a15b7c1a974c7481a216dda9afd
sha256                   1        1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7
sha256                   1        bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b
sha256                   1        7daf3c3dbecb60bee3d5eb3320b20f2648cf26bd9203564ce162c97dcb132569
sha256                   1        3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9
sha256                   1        f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27
sha256                   1        21a5818822a0b2d52a068d1e3339ed4c767f4d83b081bf17b837e9b6e112ee61
sha256                   1        c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3
sha256                   1        2b973adbb2addf62cf36cef9975cb0193a7ff0b960e2cff2c80560126bee6f37
sha256                   1        e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926
sha256                   1        5fc3dc25276b01d6cb2fb821b83aa596f1d64ae8430c5576b953e3220a01d9aa
sha256                   1        c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465
sha256                   1        157e0a9323eaaa911b3847d64ca0d08be8cd26b2573687be461627e410cb1b3f
sha256                   1        00add5c817f89b9ec490885be39398f878fa64a5c3564eaca679226cf73d929e
sha256                   1        3fa05f2f73a0c44a5f51f28319c4dc5b8198fb25e1cfcbea5327c9f1b3a871d4
IPv4                     1        198.55.120.143
MITRE ATT&CK Techniques  1        T9000 (misclassified by the extractor: this is the malware family name from the headline, not an ATT&CK technique ID)
MITRE ATT&CK Techniques  2        T5000 (misclassified by the extractor: a malware family name, not an ATT&CK technique ID)
Pdb                      1        h:\work\project\infinstallbypassuac\release\bypassuac.pdb
Pdb                      1        d:\work\t9000\hccutils_m4\release\hccutils.pdb
Pdb                      1        d:\work\t9000\resn_m2\release\resn32.pdb
Pdb                      1        e:\work\project\t9000\windows\target\flashdiskthief.pdb
Windows Registry Key     16       HKLM\Software
Windows Registry Key     1        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate
Windows Registry Key     1        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update
Windows Registry Key     49       HKLM\Software\Microsoft\Windows
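The table above is a flat list of indicators; the part a responder actually has to get right is matching them against host telemetry, where paths arrive with environment variables unexpanded or already expanded, mixed case, doubled backslashes, and registry keys under either HKLM or HKEY_LOCAL_MACHINE. The following is an added example, not code from the original page or from Unit 42: it normalizes paths with an assumed per-host environment mapping and runs the file-path, Run-key, C2-address and SHA-256 indicators from this page over a handful of constructed Sysmon-style events. The event records, the DEFAULT_ENV mapping and the rule names are assumptions made for the example; the indicator values themselves are copied from the table.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the attribute table above (Unit 42 T9000 report, Feb. 2016).
# Generic process names in that table (explorer.exe, lsass.exe, ...) are deliberately
# left out: on their own they carry no signal.
T9000_PATHS = {
    r"%appdata%\intel\igfxtray.exe", r"%appdata%\intel\resn32.dll",
    r"%appdata%\intel\resn32.dat", r"%appdata%\intel\hccutils.dll",
    r"%appdata%\intel\hccutils.inf", r"%appdata%\intel\qqmgr.dll",
    r"%appdata%\intel\qqmgr.inf", r"%appdata%\intel\hjwe.dat",
    r"%appdata%\intel\qhnj.dat", r"%appdata%\intel\tyeu.dat",
    r"%appdata%\intel\vnkd.dat", r"%appdata%\intel\data\dtl.dat",
    r"%public%\downloads\update\log.txt",
    r"%allusersprofile%\documents\my document\log.txt",
    r"c:\windows\temp\log.txt",
}
T9000_RUN_VALUE_NAMES = {"eupdate", "update"}   # HKLM\...\CurrentVersion\Run\<name>
T9000_C2_IPS = {"198.55.120.143"}
T9000_SHA256 = {   # three of the eighteen hashes listed above
    "d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c",
    "bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f",
    "ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a",
}
LOADERS = ("\\rundll32.exe", "\\infdefaultinstall.exe")   # both appear in the table
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\([^\\]+)$")

# Assumed per-host expansion of the variables used in the IOC paths. Constructed for
# this example; a real sweep reads them from the host and iterates every user profile.
DEFAULT_ENV = {
    "%appdata%": r"c:\users\alice\appdata\roaming",
    "%public%": r"c:\users\public",
    "%allusersprofile%": r"c:\programdata",
}


def normalize_path(path: str, env: Dict[str, str] = DEFAULT_ENV) -> str:
    """Lower-case, unify separators, collapse doubled backslashes, expand %vars%."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    p = re.sub(r"\\{2,}", r"\\", p)
    for var, value in env.items():
        p = p.replace(var, value.lower())
    return p


def scan_events(events: List[dict], env: Dict[str, str] = DEFAULT_ENV) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, matched value) for every indicator hit."""
    ioc_paths = {normalize_path(p, env) for p in T9000_PATHS}
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            image = normalize_path(ev.get("image", ""), env)
            if image in ioc_paths:
                hits.append((i, "t9000_image_path", image))
            digest = ev.get("sha256", "").lower()
            if digest in T9000_SHA256:
                hits.append((i, "t9000_sha256", digest))
            cmd = normalize_path(ev.get("cmdline", ""), env)
            # rundll32 / InfDefaultInstall given one of the dropped files as an argument
            if image.endswith(LOADERS):
                for p in ioc_paths:
                    if p in cmd:
                        hits.append((i, "t9000_loader_cmdline", p))
        elif kind == "registry":
            key = ev.get("key", "").lower().replace("hkey_local_machine", "hklm")
            m = RUN_KEY_RE.search(key)
            if m and m.group(1) in T9000_RUN_VALUE_NAMES:
                hits.append((i, "t9000_run_key", key))
        elif kind == "network":
            if ev.get("dst_ip") in T9000_C2_IPS:
                hits.append((i, "t9000_c2_ip", ev["dst_ip"]))
        elif kind == "file":
            path = normalize_path(ev.get("path", ""), env)
            if path in ioc_paths:
                hits.append((i, "t9000_dropped_file", path))
    return hits


# Constructed Sysmon-style events for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Intel\hccutils.dll"',
     "sha256": "0" * 64},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\Intel\igfxtray.exe",
     "cmdline": "igfxtray.exe",
     "sha256": "d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "network", "dst_ip": "198.55.120.143", "dst_port": 443},
    {"type": "file", "path": r"C:\\Windows\\Temp\\log.txt"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe",
     "sha256": "1" * 64},
]

if __name__ == "__main__":
    for idx, rule, value in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {value}")
```

Two caveats a responder should keep in mind: the Run value name "update" is common enough that a hit on it alone is not evidence and should be paired with the %appdata%\intel path or a hash, and the hashes date from 2016, so they identify the samples in the report rather than any later build of the backdoor.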