URL: https://otx.alienvault.com/pulse/6144852424a73a80ade66aa3
Submission: On September 17 via api from US — Scanned from DE
SNAKES ON A DOMAIN: AN ANALYSIS OF A PYTHON MALWARE LOADER
Created 32 minutes ago by AlienVault. Public. TLP: White.

Huntress recently investigated a suspicious link file persisting in a user's startup folder. The file was named "sysmon.lnk" and looked a bit fishy. After some quick initial investigation, we found that the link was executing a malicious Python script that was used to inject a remote access Trojan (RAT) onto the system. Along the way, Huntress encountered a total of six consecutive payloads and some new offensive tooling which we found pretty interesting. Towards the end, Huntress also experimented with some custom scripts for de-obfuscating data and extracting configuration from the final RAT, resulting in some juicy indicators of compromise (IOCs) with 0 detections on VirusTotal (as of June 2021).

Reference: https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader
Tags: python, powershell, cobalt strike, RAT, Ursu
Malware Families: Cobalt Strike - S0154, Trojan:MSIL/Ursu
ATT&CK IDs: T1055 - Process Injection, T1127 - Trusted Developer Utilities Proxy Execution, T1547 - Boot or Logon Autostart Execution, T1140 - Deobfuscate/Decode Files or Information, T1102 - Web Service, T1056 - Input Capture, T1105 - Ingress Tool Transfer, T1059 - Command and Scripting Interpreter, T1566 - Phishing, T1027 - Obfuscated Files or Information, T1055.012 - Process Hollowing, T1573 - Encrypted Channel, T1562 - Impair Defenses, T1497 - Virtualization/Sandbox Evasion
Indicators of Compromise (12): FileHash-MD5 (1), Domain (3), FileHash-SHA1 (1), FileHash-SHA256 (7). Indicators added Sep 17, 2021, 12:08:05 PM. Related Pulses (4). Comments (0). History (0).

© Copyright 2021 AlienVault, Inc.