Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques | Proofpoint US
Common Information
Type | Value |
---|---|
UUID | 9d97fa45-4a35-4a6d-8119-5a812780d163 |
Fingerprint | b451bc32ec39aa9d |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 11, 2022, 2:39 p.m. |
Added to db | Sept. 11, 2022, 12:34 p.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques |
Title | Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques | Proofpoint US |
Detected Hints/Tags/Attributes | 90/4/85 |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 1174 | | gmail.com |
Domain | 2 | | who-international.com |
Domain | 1 | | www.fernandestechnical.com |
Domain | 4127 | | github.com |
Domain | 4 | | agent.py |
Email | 1 | | who.inter.svc@gmail.com |
Email | 1 | | announce@who-international.com |
File | 1 | | who_covid19.rar |
File | 1 | | who_covid19.doc |
File | 1 | | covid19guide.rar |
File | 1 | | covid19guide.doc |
File | 6 | | covid-19.doc |
File | 2 | | updateuav.exe |
File | 56 | | processhacker.exe |
File | 74 | | procmon.exe |
File | 6 | | pestudio.exe |
File | 27 | | procmon64.exe |
File | 28 | | x32dbg.exe |
File | 23 | | x64dbg.exe |
File | 1260 | | explorer.exe |
File | 40 | | procexp64.exe |
File | 64 | | procexp.exe |
File | 5 | | pslist.exe |
File | 29 | | tcpview.exe |
File | 2 | | tcpvcon.exe |
File | 8 | | dbgview.exe |
File | 1 | | rammap.exe |
File | 1 | | rammap64.exe |
File | 2 | | vmmap.exe |
File | 40 | | ollydbg.exe |
File | 5 | | agent.py |
File | 30 | | autoruns.exe |
File | 15 | | autorunsc.exe |
File | 29 | | filemon.exe |
File | 22 | | regmon.exe |
File | 17 | | idaq.exe |
File | 16 | | idaq64.exe |
File | 11 | | immunitydebugger.exe |
File | 71 | | wireshark.exe |
File | 30 | | dumpcap.exe |
File | 5 | | hookexplorer.exe |
File | 11 | | importrec.exe |
File | 14 | | petools.exe |
File | 17 | | lordpe.exe |
File | 7 | | sysinspector.exe |
File | 8 | | proc_analyzer.exe |
File | 13 | | sysanalyzer.exe |
File | 11 | | sniff_hit.exe |
File | 35 | | windbg.exe |
File | 19 | | joeboxcontrol.exe |
File | 19 | | joeboxserver.exe |
File | 11 | | resourcehacker.exe |
File | 24 | | fiddler.exe |
File | 1 | | httpdebugger.exe |
File | 6 | | dumpit.exe |
File | 1 | | c:\programdata\usoshared\mousocore.exe |
File | 2 | | mousocore.exe |
File | 7 | | health_check.php |
File | 1 | | w32.ini |
Github username | 3 | | go-ole |
Github username | 2 | | gonutz |
Github username | 3 | | mitchellh |
Github username | 2 | | stackexchange |
Github username | 1 | | p3tr0v |
Github username | 3 | | lxn |
Github username | 1 | | digitalocean |
Github username | 1 | | allendang |
Github username | 5 | | kbinani |
md5 | 1 | | 25b4ebca4bbc82ab5ae2e517c29d33e7 |
md5 | 1 | | d7888fea6047b662a30bf00edac4c3ee |
md5 | 1 | | 9cca59eec5af63e42cd845b67cf6df89 |
md5 | 1 | | 5d5bc970f975341558b8d2c225ca0115 |
sha1 | 1 | | 8137670512be55796f612e41602f505955b0bb0c |
sha1 | 1 | | 178aad6c7918cc495a908944e79143a913630890 |
sha1 | 1 | | 4f74826ed56cda233cfc12b86fd1b7da4a9f2e56 |
sha256 | 1 | | 8ffe450597cbbfa5a703e23a8b6bbdaeda76badf2b035e75de5ffdb3af07270d |
sha256 | 1 | | ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db |
sha256 | 1 | | 1b8c9e7c150bacd466fbe7f12b39883821f23b67cae0a427a57dc37e5ea4390f |
sha256 | 1 | | 902c65435b6b44cfda1156b0e7c6a30b2785fa4f2cbb9b1944a66f5146ec7aa5 |
sha256 | 1 | | 5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597 |
sha256 | 1 | | 17e87f581f1df8d6129d65fd50ceb3dd6c4e1c223077cd7d4c595da6c3df92b2 |
IPv4 | 1 | | 185.121.139.249 |
Url | 1 | | https://www.fernandestechnical.com/pub/media/gitlog |
Url | 1 | | https://www.fernandestechnical.com/pub/health_check.php |
Yara rule | 1 | | Nerbian_RAT (see below) |

```yara
rule Nerbian_RAT {
    meta:
        author = "ptrouerbach"
        reference = "5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597"
        malfamily = "NerbianRAT"
    strings:
        $args_p = "p-"
        $args_s = "s-"
        $args_h = "h-"
        $args_P = "P-"
        $hardcoded_aes_key = { 17 E8 7F 58 1F 1D F8 D6 12 9D 65 FD 50 CE B3 DD 6C 4E 1C 22 30 77 CD 7D 4C 59 5D A6 C3 DF 92 B2 }
        $param_auth = "auth_post"
        $param_session = "session_key"
        $param_data = "data_post"
        $param_addr = "addr_post"
        $param_port = "port_post"
    condition:
        uint16be(0) == 0x4D5A and ($hardcoded_aes_key or (all of ($param*) and all of ($args*))) and filesize < 10MB
}
```

The rule fires on a PE file (`uint16be(0) == 0x4D5A` is the `MZ` header) under 10 MB that either contains the 32-byte `$hardcoded_aes_key` pattern, or contains all five C2 parameter names together with all four two-character argument prefixes. Note that the `$hardcoded_aes_key` bytes are the same 32-byte hex sequence that appears as the last sha256 entry in the attribute table above (17e87f58…df92b2): that entry is the rule's key pattern extracted as if it were a hash, not a file hash.
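For triage on a host where yara is not available, the rule's condition can be re-implemented directly. The following is an added example, not code from the original page, from the rule's author, or from the malware: it evaluates the same four components (MZ header, hard-coded key bytes, the `$param*` and `$args*` string sets, and the 10 MB size cap) on a byte buffer and reports which branch produced a hit, so an analyst can tell a strong key-bytes match from the weaker all-strings match. The sample buffers at the end are constructed here purely to exercise each branch and are not real samples.

```python
"""Nerbian_RAT YARA condition re-implemented in plain Python (added example)."""
import sys
from typing import Dict, List

# Constants copied from the rule's strings section.
HARDCODED_AES_KEY = bytes.fromhex(
    "17E87F581F1DF8D6129D65FD50CEB3DD6C4E1C223077CD7D4C595DA6C3DF92B2"
)
PARAM_STRINGS: List[bytes] = [
    b"auth_post", b"session_key", b"data_post", b"addr_post", b"port_post",
]
ARG_STRINGS: List[bytes] = [b"p-", b"s-", b"h-", b"P-"]  # case-sensitive, as in YARA
MAX_SIZE = 10 * 1024 * 1024  # YARA's "10MB" means 10 * 2**20 bytes


def match_nerbian(data: bytes) -> Dict[str, object]:
    """Evaluate: uint16be(0) == 0x4D5A and ($hardcoded_aes_key or
    (all of ($param*) and all of ($args*))) and filesize < 10MB.

    Every sub-result is returned next to the verdict so the caller can see
    whether the key bytes or only the string sets caused the match.
    """
    is_pe = data[:2] == b"MZ"                    # uint16be(0) == 0x4D5A
    has_key = HARDCODED_AES_KEY in data          # $hardcoded_aes_key
    params_found = [s for s in PARAM_STRINGS if s in data]
    args_found = [s for s in ARG_STRINGS if s in data]
    all_params = len(params_found) == len(PARAM_STRINGS)  # all of ($param*)
    all_args = len(args_found) == len(ARG_STRINGS)        # all of ($args*)
    size_ok = len(data) < MAX_SIZE               # filesize < 10MB
    matched = is_pe and (has_key or (all_params and all_args)) and size_ok
    return {
        "is_pe": is_pe,
        "has_key": has_key,
        "params_found": [s.decode() for s in params_found],
        "args_found": [s.decode() for s in args_found],
        "size_ok": size_ok,
        "matched": matched,
    }


def scan_file(path: str) -> Dict[str, object]:
    """Read a file fully and evaluate the condition on its contents."""
    with open(path, "rb") as fh:
        return match_nerbian(fh.read())


# Constructed sample buffers (not real samples) exercising each branch.
SAMPLE_KEY_ONLY = b"MZ" + b"\x00" * 62 + HARDCODED_AES_KEY + b"\x00" * 16
SAMPLE_STRINGS_ONLY = b"MZ" + b"\x00".join(PARAM_STRINGS + ARG_STRINGS) + b"\x00"
SAMPLE_PARTIAL = b"MZ" + b"auth_post\x00session_key\x00p-\x00s-\x00"  # incomplete sets
SAMPLE_NOT_PE = b"\x7fELF" + HARDCODED_AES_KEY  # key present, but not an MZ file

if __name__ == "__main__":
    for path in sys.argv[1:]:
        result = scan_file(path)
        print(path, "MATCH" if result["matched"] else "no match", result)
```

Run it as `python nerbian_check.py <file> ...`. Two caveats carry over from the rule itself: the two-character `$args*` strings are weak on their own and only count together with all five parameter names, and a key-bytes hit is the higher-confidence signal, so the returned `has_key` flag is worth surfacing separately in any alert built on this check.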