otx.alienvault.com (13.224.193.107)

URL: https://otx.alienvault.com/pulse/6144852424a73a80ade66aa3?scan=1&utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=ot...
Submission: On September 17 via api from US — Scanned from DE


SNAKES ON A DOMAIN: AN ANALYSIS OF A PYTHON MALWARE LOADER

   
 * Created 32 minutes ago by AlienVault
 * Public
 * TLP: White

Huntress recently investigated a suspicious link file persisting in a user’s
startup folder. The file was named “sysmon.lnk” and looked a bit fishy. After
some quick initial investigation, we found that the link was executing a
malicious Python script that was used to inject a remote access Trojan (RAT)
onto the system. Along the way, Huntress encountered a total of six consecutive
payloads and some new offensive tooling which we found pretty interesting.
Towards the end, Huntress also experimented with some custom scripts for
de-obfuscating data and extracting configuration from the final RAT, resulting
in some juicy indicators of compromise (IOCs) with 0 detections on VirusTotal
(as of June 2021).

Reference:
https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader
Tags:
python, powershell, cobalt strike, RAT, Ursu
Malware Families:
Cobalt Strike - S0154, Trojan:MSIL/Ursu
Att&ck IDs:
 * T1055 - Process Injection
 * T1055.012 - Process Hollowing
 * T1127 - Trusted Developer Utilities Proxy Execution
 * T1547 - Boot or Logon Autostart Execution
 * T1140 - Deobfuscate/Decode Files or Information
 * T1102 - Web Service
 * T1056 - Input Capture
 * T1105 - Ingress Tool Transfer
 * T1059 - Command and Scripting Interpreter
 * T1566 - Phishing
 * T1027 - Obfuscated Files or Information
 * T1573 - Encrypted Channel
 * T1562 - Impair Defenses
 * T1497 - Virtualization/Sandbox Evasion

 * Indicators of Compromise (12)
 * Related Pulses (4)
 * Comments (0)
 * History (0)

FileHash-MD5 (1)Domain (3)FileHash-SHA1 (1)FileHash-SHA256 (7)

Indicators (10 of the 12 entries were visible in this scan; the one MD5 and the one SHA1 entry sat on the second page of the table and were not captured):

Type            | Indicator                                                        | Added                     | Related Pulses
----------------|------------------------------------------------------------------|---------------------------|---------------
Domain          | windowsupdatecdn.cn                                              | Sep 17, 2021, 12:08:05 PM | 3
Domain          | huugbbvuay4.cn                                                   | Sep 17, 2021, 12:08:05 PM | 3
Domain          | gjghvga7ffgb.xyz                                                 | Sep 17, 2021, 12:08:05 PM | 5
FileHash-SHA256 | dd1fa3398a9cb727677501fd740d47e03f982621101cc7e6ab8dac457dca9125 | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 9b775dfc58b5f82645a3c3165294d51c18f82ec1b19ac8a41bb320bee92484ed | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 4591eda045e3587a714bb11062eb258f82ee6f0637e6aa4d90f2d0b447a48ef7 | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 4417298524182564aed69261b6c556bdce1e5b812edc8a2addfc21998447d3c6 | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 3e442cda613415aedf80b8a1cfa4181bf4b85c548c043b88334e4067dd6600a6 | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 2ccadfc32db49e67e80089f30c81f91dfff4b20b8fc61714df9e2348542007fd | Sep 17, 2021, 12:08:05 PM | 3
FileHash-SHA256 | 169f5dbcd664c0b4fd65233e553ff605b30e974b6b16c90a1fb03404f1b01980 | Sep 17, 2021, 12:08:05 PM | 3

The Role, Title and Active columns were empty for every visible row.
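To turn the indicator table into something you can actually run against endpoint telemetry, here is an added example of my own; it is not code from the OTX pulse or from the Huntress write-up. The indicator values are the ten rows visible above, laid out as records with a "type" and an "indicator" field the way OTX presents them. The DNS log lines, their "<timestamp> <host> query <rrtype> <qname>" format, the hash inventory rows and the file paths in them are all constructed test data and assumptions for the example, not real telemetry or any product's export format. The example matches domains by label suffix rather than substring, so cdn.windowsupdatecdn.cn hits while notwindowsupdatecdn.cn does not, normalises trailing dots and hash case, and skips lines it cannot parse instead of aborting the hunt.

```python
"""Match this pulse's indicators against endpoint telemetry (added example).

Not part of the OTX pulse or the Huntress write-up. The indicator values are
the ten visible rows of the pulse table; the DNS log lines and the hash
inventory below are constructed test data, and their line format is an
assumption, not any product's real export format.
"""
import re

# The ten indicators visible on the pulse page, in the shape OTX uses for
# indicator records (a "type" and an "indicator" field per entry).
PULSE_INDICATORS = [
    {"type": "domain", "indicator": "windowsupdatecdn.cn"},
    {"type": "domain", "indicator": "huugbbvuay4.cn"},
    {"type": "domain", "indicator": "gjghvga7ffgb.xyz"},
    {"type": "FileHash-SHA256", "indicator": "dd1fa3398a9cb727677501fd740d47e03f982621101cc7e6ab8dac457dca9125"},
    {"type": "FileHash-SHA256", "indicator": "9b775dfc58b5f82645a3c3165294d51c18f82ec1b19ac8a41bb320bee92484ed"},
    {"type": "FileHash-SHA256", "indicator": "4591eda045e3587a714bb11062eb258f82ee6f0637e6aa4d90f2d0b447a48ef7"},
    {"type": "FileHash-SHA256", "indicator": "4417298524182564aed69261b6c556bdce1e5b812edc8a2addfc21998447d3c6"},
    {"type": "FileHash-SHA256", "indicator": "3e442cda613415aedf80b8a1cfa4181bf4b85c548c043b88334e4067dd6600a6"},
    {"type": "FileHash-SHA256", "indicator": "2ccadfc32db49e67e80089f30c81f91dfff4b20b8fc61714df9e2348542007fd"},
    {"type": "FileHash-SHA256", "indicator": "169f5dbcd664c0b4fd65233e553ff605b30e974b6b16c90a1fb03404f1b01980"},
]

# Constructed DNS client log lines; the "<ts> <host> query <rrtype> <qname>"
# layout is an assumption made for this example.
DNS_LOG = [
    "2021-09-17T12:10:01Z WS01 query A cdn.windowsupdatecdn.cn",
    "2021-09-17T12:10:02Z WS01 query A www.microsoft.com",
    "2021-09-17T12:11:45Z WS02 query A huugbbvuay4.cn.",
    "2021-09-17T12:12:00Z WS03 query A notwindowsupdatecdn.cn",
    "this line is malformed and must be skipped, not crash the scan",
]

# Constructed hash inventory rows (host, path, sha256). Paths are made up; the
# first digest is one of the pulse hashes, written in upper case on purpose.
HASH_INVENTORY = [
    ("WS01", r"C:\Users\alice\AppData\Local\Temp\stage.bin",
     "DD1FA3398A9CB727677501FD740D47E03F982621101CC7E6AB8DAC457DCA9125"),
    ("WS02", r"C:\Windows\System32\notepad.exe", "0" * 64),
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def build_iocs(indicators):
    """Split OTX-style indicator records into a domain set and a hash set.

    Values are lower-cased and trailing dots stripped so that matching is
    insensitive to case and to the FQDN form. Any FileHash-* type goes into
    the same hash set, so MD5 and SHA1 records would be handled as well.
    """
    domains, hashes = set(), set()
    for rec in indicators:
        kind = rec["type"].lower()
        value = rec["indicator"].strip().lower()
        if kind in ("domain", "hostname"):
            domains.add(value.rstrip("."))
        elif kind.startswith("filehash-"):
            hashes.add(value)
    return domains, hashes


def domain_matches(qname, domains):
    """Return the matching IOC for an exact or subdomain hit, else None.

    cdn.windowsupdatecdn.cn matches windowsupdatecdn.cn, but a plain substring
    test would also flag notwindowsupdatecdn.cn, so compare label suffixes.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, domains):
    """Return one hit dict per log line whose query name matches a pulse domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # unparseable line: skip it, do not abort the hunt
            continue
        ioc = domain_matches(m["qname"], domains)
        if ioc:
            hits.append({"host": m["host"], "ts": m["ts"], "qname": m["qname"], "ioc": ioc})
    return hits


def scan_hash_inventory(rows, hashes):
    """Return inventory rows whose digest is one of the pulse file hashes."""
    hits = []
    for host, path, digest in rows:
        digest = digest.strip().lower()
        if digest in hashes:
            hits.append({"host": host, "path": path, "ioc": digest})
    return hits


if __name__ == "__main__":
    domains, hashes = build_iocs(PULSE_INDICATORS)
    for hit in scan_dns_log(DNS_LOG, domains) + scan_hash_inventory(HASH_INVENTORY, hashes):
        print(hit)
```

In a real pipeline the indicator records would be pulled from the pulse through the OTX API rather than hard-coded, and the two entries this scan did not capture (the MD5 and SHA1) would flow through the same FileHash branch. Domain hits on windowsupdatecdn.cn deserve a closer look than the other two: a name styled after Microsoft update infrastructure is exactly what a user or a tier-1 analyst is likely to wave through.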



 * © Copyright 2021 AlienVault, Inc.
   
 * Legal
   
 * Status
   


Login to Initiate Scan
×
 * Sign Up
 * Log In

or
Username
Password
Log in
REMEMBER ME

Recover Your Password | Resend Verification Email