{ "Event": { "analysis": "2", "date": "2016-01-27", "extends_uuid": "", "info": "OSINT Introducing Hi-Zor RAT by Fidelis", "publish_timestamp": "1484156943", "published": true, "threat_level_id": "1", "timestamp": "1464346759", "uuid": "56af2d05-bff0-4753-b2ed-4074950d210f", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321070", "to_ids": false, "type": "link", "uuid": "56af2dae-5358-441d-97bb-4223950d210f", "value": "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321101", "to_ids": false, "type": "link", "uuid": "56af2dcd-37b0-4f5e-a760-4070950d210f", "value": "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf" }, { "category": "Artifacts dropped", "comment": "rat payload for inocnation campaign,12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454325949", "to_ids": true, "type": "md5", "uuid": "56af2dec-db54-40ed-b12d-44a0950d210f", "value": "75d3d1f23628122a64a2f1b7ef33f5cf" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321133", "to_ids": true, "type": "sha256", "uuid": "56af2ded-7a50-467f-ab41-4bfd950d210f", "value": "cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321133", "to_ids": true, "type": "md5", "uuid": "56af2ded-ca60-403e-9d3f-4028950d210f", "value": "f25cc334809bd1c36fd94184177de8a4" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321133", "to_ids": true, "type": "sha256", "uuid": "56af2ded-9dcc-4ff4-ae67-466f950d210f", "value": "2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321257", "to_ids": true, "type": "user-agent", "uuid": "56af2e69-a158-4af8-ad95-4d71950d210f", "value": "iexplorer" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321301", "to_ids": true, "type": "hostname", "uuid": "56af2e95-0ee4-4e07-a2eb-4f0a950d210f", "value": "citrix.vipreclod.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321309", "to_ids": true, "type": "domain", "uuid": "56af2e95-d8b8-47f7-bbfc-459c950d210f", "value": "inocnation.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321374", "to_ids": false, "type": "link", "uuid": "56af2ede-7140-40ad-a15b-480b950d210f", "value": "https://github.com/fideliscyber/indicators/tree/master/FTA-1020" }, { "category": "Artifacts dropped", "comment": "initial dropper for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321452", "to_ids": true, "type": "md5", "uuid": "56af2f2c-a788-438e-a8d9-40ac950d210f", "value": "a7bd555866ae1c161f78630a638850e7" }, { "category": "Artifacts dropped", "comment": "initial dropper for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321452", "to_ids": true, "type": "sha256", "uuid": "56af2f2c-2804-426b-8aba-4153950d210f", "value": "fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36" }, { "category": "Artifacts dropped", "comment": "rat installer for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321470", "to_ids": true, "type": "md5", "uuid": "56af2f3e-c1dc-43c9-987d-463a950d210f", "value": "4f4bf27b738ff8f2a89d1bc487b054a8" }, { "category": "Artifacts dropped", "comment": "rat installer for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321471", "to_ids": true, "type": "sha256", "uuid": "56af2f3f-4ca0-430e-936b-42c7950d210f", "value": "01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae" }, { "category": "Payload installation", "comment": "rat payload for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321507", "to_ids": true, "type": "md5", "uuid": "56af2f63-55a8-42a4-b2fa-46df950d210f", "value": "75d3d1f23628122a64a2f1b7ef33f5cf" }, { "category": "Payload installation", "comment": "rat payload for inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321508", "to_ids": true, "type": "sha256", "uuid": "56af2f64-05c0-4c4e-b1e0-4f05950d210f", "value": "cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c" }, { "category": "Payload installation", "comment": "decoy anyconnect installer used in inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321534", "to_ids": true, "type": "md5", "uuid": "56af2f7e-d078-4748-b2c6-42b8950d210f", "value": "2f7e5f91be1f5be2b2f4fda0910a4c16" }, { "category": "Payload installation", "comment": "decoy anyconnect installer used in inocnation campaign 12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454321535", "to_ids": true, "type": "sha256", "uuid": "56af2f7f-e2d0-4ad6-9b66-4c90950d210f", "value": "1ed0c71298d7e69916fb579772f67109f43c7c9c2809fd80e61fc5e680079663" }, { "category": "Payload installation", "comment": "rat payload for inocnation campaign 12/15/2015 - Xchecked via VT: cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c", "deleted": false, "disable_correlation": false, "timestamp": "1454321678", "to_ids": true, "type": "sha1", "uuid": "56af300e-4698-4085-b38e-490602de0b81", "value": "3d7b789e3a630c0bd9db0b3217f72348025b845c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321678", "to_ids": false, "type": "link", "uuid": "56af300e-49c0-4299-b3fb-48df02de0b81", "value": "https://www.virustotal.com/file/cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c/analysis/1453497583/" }, { "category": "Artifacts dropped", "comment": "rat installer for inocnation campaign 12/15/2015 - Xchecked via VT: 01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae", "deleted": false, "disable_correlation": false, "timestamp": "1454321679", "to_ids": true, "type": "sha1", "uuid": "56af300f-ce4c-4d37-962a-4bd402de0b81", "value": "13a53cbe20908d9b1c705d3901ae87655a87cfb9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321679", "to_ids": false, "type": "link", "uuid": "56af300f-6d5c-424b-8f79-434502de0b81", "value": "https://www.virustotal.com/file/01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae/analysis/1450425230/" }, { "category": "Artifacts dropped", "comment": "initial dropper for inocnation campaign 12/15/2015 - Xchecked via VT: fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36", "deleted": false, "disable_correlation": false, "timestamp": "1454321679", "to_ids": true, "type": "sha1", "uuid": "56af300f-4f1c-42db-ba5f-441702de0b81", "value": "b38a8747f2fe62d9f57921154f5d6829688a7ab7" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321680", "to_ids": false, "type": "link", "uuid": "56af3010-9ef8-4f11-a983-486f02de0b81", "value": "https://www.virustotal.com/file/fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36/analysis/1450425880/" }, { "category": "Artifacts dropped", "comment": "- Xchecked via VT: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca", "deleted": false, "disable_correlation": false, "timestamp": "1454321680", "to_ids": true, "type": "sha1", "uuid": "56af3010-01a0-498b-ba3b-401602de0b81", "value": "8a34521175b66e073ee34870263d55611b38b1da" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454321680", "to_ids": false, "type": "link", "uuid": "56af3010-ee54-4140-b790-491102de0b81", "value": "https://www.virustotal.com/file/2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca/analysis/1452694847/" }, { "category": "Network activity", "comment": "Domain used by INOCNATION campaign,12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454326090", "to_ids": true, "type": "hostname", "uuid": "56af414a-6ae0-4748-874f-4406950d210f", "value": "mail.cbppnews.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454326147", "to_ids": false, "type": "text", "uuid": "56af4183-6a04-4a4c-bebc-4172950d210f", "value": "INOCNATION" }, { "category": "Network activity", "comment": "IP used by INOCNATION (inocnation.com) current as of this date,12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454326177", "to_ids": true, "type": "ip-dst", "uuid": "56af41a1-8fb0-4db8-b6a5-4455950d210f", "value": "87.193.23.40" }, { "category": "Network activity", "comment": "Previous IP used by INOCNATION (inocnation.com) used until Oct 2015,12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454326200", "to_ids": true, "type": "ip-dst", "uuid": "56af41b8-f8b8-4dfd-94d6-4ff5950d210f", "value": "211.104.106.41" }, { "category": "Network activity", "comment": "IP used by INOCNATION (mail.cbppnews.com) current as of this date,12/15/2015", "deleted": false, "disable_correlation": false, "timestamp": "1454326215", "to_ids": true, "type": "ip-dst", "uuid": "56af41c7-0ed4-4bbd-9da9-4b7e950d210f", "value": "202.172.32.160" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454326313", "to_ids": true, "type": "pattern-in-memory", "uuid": "56af4229-082c-493b-96b5-40c8950d210f", "value": "1a53b0cp32e46g0qio9" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464346759", "to_ids": true, "type": "yara", "uuid": "56af423c-2de8-4e99-88c5-4d35950d210f", "value": "rule dll_rat_1a53b0cp32e46g0qio7\r\n{\r\nmeta:\r\nhash1 = \"75d3d1f23628122a64a2f1b7ef33f5cf\"\r\nhash2 = \"d9821468315ccd3b9ea03161566ef18e\"\r\nhash3 = \"b9af5f5fd434a65d7aa1b55f5441c90a\"\r\nstrings:\r\n // Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko\r\n $ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59\r\n 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00\r\n 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22\r\n 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00\r\n c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7\r\n [2] 68 00 6e 00 c7 [2] 66 00 62 00 } // offset 10001566\r\n // Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24\r\n 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00\r\n 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00\r\n 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00\r\n c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7\r\n [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 } // 10003D09\r\n $ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }\r\n // xor word ptr [ebp+eax*2+var_5C], 14h\r\n // inc eax\r\n // cmp eax, 14h\r\n // Loop to decode a static string. It reveals the \"1a53b0cp32e46g0qio9\" static string sent in the beacon\r\n $ = { 66 [4-7] 14 40 83 f8 14 7c ?? } // 100017F0\r\n $ = { 66 [4-7] 56 40 83 f8 2d 7c ?? } // 10003621\r\n $ = { 66 [4-7] 20 40 83 f8 1a 7c ?? } // 10003640\r\n $ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? } // 10003930\r\n $ = \"%08x%08x%08x%08x\" wide ascii\r\n $ = \"WinHttpGetIEProxyConfigForCurrentUser\" wide ascii\r\ncondition:\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)\r\n}" } ] } }