MIFR-10077745.r1.v2
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2020-05-08T11:20:28-04:00
BMachine
89
7.1.0
File: purchaseorderno.89764125.doc
Size: 1021803 bytes
Type: data
MD5: f86ec79467abbcf6c040ef8cddbac660
SHA1: 8729edd552627df4be4dec19d2f9618fe70dbb47
SHA256: 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
SHA512: 4c92975bdb3384b764f7bceb25f00e15947b11727d88ae595f328c02ed1ead53691ee3c2cbc6e3b4cddfcc9bc69b1385e000670d80eb5168f950efa72e413ca6
ssdeep: 12288:Xbzbzb1Dz3BE9UY8xC538Uq8wJ1d6e9N8OM7svY7yEpb1TpU5G4RU:X//xDY7538l7J1wg8OMJBpvUG4RU
Entropy: 7.074611
Relationships: Dropped, Dropped
File: ~WRD8811.tmp
Size: 607744 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 7c5d7ec22dafa11e5981fce7de75ae4d
SHA1: 35a1aa16695d1eb81ee7a96ebd85331a0fbec607
SHA256: c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
SHA512: 3c568850f0f051f9d5ec6a360a1c35d171963f5c11d7afc769623bb80f8429628333d7e23ad297e56e2fd0a3f7f5c5e8ab946e21880a5ccc63b99ba83a8cd7b0
ssdeep: 12288:XkzuU5OFic3B7quDB+XQf9UAEWJ5d2lzS7FUCVzxnkclFZp:0aU5OFJlaQfRXzeCjkg
Packer/Compiler: Microsoft Visual C# v7.0 / Basic .NET
Entropy: 7.768194
Relationships: Dropped, Dropped_By, Resolved_To (indogulf.hopto.org), Characterized_By

indogulf.hopto.org
Relationships: Resolved_To, Resolved_To, Related_To
WHOIS record for the parent zone HOPTO.ORG. hopto.org is a No-IP (Vitalwerks) dynamic DNS zone, so the registrant, admin and tech contacts below identify the DDNS provider, not whoever created the indogulf subdomain:
Domain Name: HOPTO.ORG
Domain ID: D20065021-LROR
WHOIS Server:
Referral URL: http://www.srsplus.com
Updated Date: 2015-12-21T17:43:40Z
Creation Date: 2000-02-17T19:56:50Z
Registry Expiry Date: 2021-02-17T19:56:50Z
Sponsoring Registrar: TLDS L.L.C. d/b/a SRSPlus
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: cm8dnqb78dtu7b9c
Registrant Name: Domain Operations No-IP.com
Registrant Organization: Vitalwerks Internet Solutions, LLC
Registrant Street: 425 Maestro Dr.
Registrant Street: Second Floor
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.17758531883
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@no-ip.com
Admin ID: cm8dnqb78dtu7b9c
Admin Name: Domain Operations No-IP.com
Admin Organization: Vitalwerks Internet Solutions, LLC
Admin Street: 425 Maestro Dr.
Admin Street: Second Floor
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.17758531883
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@no-ip.com
Tech ID: cm8dnqb78dtu7b9c
Tech Name: Domain Operations No-IP.com
Tech Organization: Vitalwerks Internet Solutions, LLC
Tech Street: 425 Maestro Dr.
Tech Street: Second Floor
Tech City: Reno
Tech State/Province: NV
Tech Postal Code: 89511
Tech Country: US
Tech Phone: +1.17758531883
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@no-ip.com
Name Server: NF1.NO-IP.COM
Name Server: NF2.NO-IP.COM
Name Server: NF3.NO-IP.COM
Name Server: NF4.NO-IP.COM
Name Server: NF5.NO-IP.COM
DNSSEC: unsigned
File: ~WRD8911.tmp
Size: 6144 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 55d5959618d96e4e36e6580717f52da1
SHA1: 60d4aafb1e8940bbd3c0dab75216055f168e0a7a
SHA256: edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
SHA512: 4ee7973a654c805af940c8a85f8193a8d41adda0c5458066a6ed08e6e47bc538257c79d9c97611cd86c78c88a0325127f1d56969f4fec2b5276815492d875d38
ssdeep: 96:Qr5bRPmb7FENmEVnCZsV+k5t8Wz3JbCMKFcP0b4jmK94Ctyc:g18W8Xs3JbCMf0kqeyc
Entropy: 5.352524
Relationships: Dropped_By, Dropped_By

104.255.68.92
Relationships: Resolved_To
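Added example, not part of the MIFR: a Python triage script that produces the same measurements the artifact entries above record (MD5, SHA-1, SHA-256 and SHA-512 digests, size, and Shannon entropy in bits per byte) and checks a file against the three artifacts' published MD5/SHA-256 pairs. ssdeep is left out because it needs a third-party library. The hash table is copied from the report; the sample inputs at the bottom are constructed. One point worth keeping in mind when reading the first entry: libmagic reports the document as "data" rather than Rich Text Format, which is common for weaponized RTF files whose header has been altered, so a missing RTF signature is not a reason to treat a .doc attachment as benign.

```python
"""Hash and entropy triage for the artifacts listed in MIFR-10077745.

Added example, not part of the MIFR. The IOC table below is copied from the
report; the sample bytes further down are constructed for demonstration.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Optional

# MD5 and SHA256 of the three artifacts, as published in the report.
REPORT_ARTIFACTS = {
    "purchaseorderno.89764125.doc": {
        "md5": "f86ec79467abbcf6c040ef8cddbac660",
        "sha256": "1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f",
    },
    "~WRD8811.tmp": {
        "md5": "7c5d7ec22dafa11e5981fce7de75ae4d",
        "sha256": "c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb",
    },
    "~WRD8911.tmp": {
        "md5": "55d5959618d96e4e36e6580717f52da1",
        "sha256": "edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782",
    },
}


def digests(data: bytes) -> Dict[str, str]:
    """Return the four digests the report records, as lowercase hex."""
    return {
        algo: hashlib.new(algo, data).hexdigest()
        for algo in ("md5", "sha1", "sha256", "sha512")
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the metric behind the
    report's Entropy field. Values near 8 mean the content is compressed,
    encrypted or otherwise encoded; plain text sits well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def match_report(data: bytes, artifacts=REPORT_ARTIFACTS) -> Optional[str]:
    """Return the artifact name whose MD5 and SHA256 both match, else None.
    Both digests are required so a single-algorithm collision is not enough."""
    d = digests(data)
    for name, ioc in artifacts.items():
        if d["md5"] == ioc["md5"] and d["sha256"] == ioc["sha256"]:
            return name
    return None


def triage(path: str) -> Dict[str, object]:
    """Hash and measure a file on disk, reporting whether it is one of the
    report's artifacts and whether its entropy is suspiciously high."""
    with open(path, "rb") as fh:
        data = fh.read()
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        **digests(data),
        "entropy": round(entropy, 6),
        "matches": match_report(data),
        "high_entropy": entropy > 7.0,  # heuristic threshold, not proof
    }


# Constructed sample inputs (not from the report).
PLAIN_RTF_HEADER = b"{\\rtf1\\ansi " + b"Hello world. " * 64 + b"}"
RANDOM_LOOKING = bytes(range(256)) * 16  # every byte value equally often

if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        print(path, triage(path))
```

Run it as `python triage.py <file>...`. The report's 7.07 bits per byte for a 1 MB document is far above what plain RTF markup produces and is consistent with an embedded encoded payload, which is what the two dropped PE files confirm; the 7.0 threshold in `triage` is a heuristic for prioritising samples, not evidence on its own.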
Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: f86ec79467abbcf6c040ef8cddbac660
SHA1: 8729edd552627df4be4dec19d2f9618fe70dbb47
SHA256: 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
Source: NCCIC, 2020-05-08T15:21:04+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 7c5d7ec22dafa11e5981fce7de75ae4d
SHA1: 35a1aa16695d1eb81ee7a96ebd85331a0fbec607
SHA256: c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
Source: NCCIC, 2020-05-08T15:21:04+00:00

Indicator: Malicious Domain (Domain Watchlist)
Domain: indogulf.hopto.org
Source: NCCIC, 2020-05-08T15:21:04+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 55d5959618d96e4e36e6580717f52da1
SHA1: 60d4aafb1e8940bbd3c0dab75216055f168e0a7a
SHA256: edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
Source: NCCIC, 2020-05-08T15:21:04+00:00
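Added example, not part of the MIFR: detection logic that applies the indicators above to log records. The hash indicators are matched against any 32-, 40- or 64-character hex token in a record (for instance a Sysmon Hashes field), the watchlisted domain is matched exactly and for any label beneath it, and the 104.255.68.92 address from the observable section is matched as a weaker, time-bound indicator because dynamic DNS names change address. The key=value record format and the field names query, answer, dest_ip, dest_host and host are assumptions made for the demo; the log lines are constructed.

```python
"""Match the MIFR-10077745 indicators against log records.

Added example, not part of the MIFR. Indicator values are copied from the
report's Indicators section; the log lines are constructed for the demo and
follow a key=value shape (assumption: your SIEM export can be normalised to
this). Field names query/answer/dest_ip/dest_host/host are assumed, not
taken from any particular product.
"""
import re
from dataclasses import dataclass
from typing import List

# Hash indicators as published (compared case-insensitively).
FILE_HASHES = {
    "f86ec79467abbcf6c040ef8cddbac660",
    "8729edd552627df4be4dec19d2f9618fe70dbb47",
    "1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f",
    "7c5d7ec22dafa11e5981fce7de75ae4d",
    "35a1aa16695d1eb81ee7a96ebd85331a0fbec607",
    "c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb",
    "55d5959618d96e4e36e6580717f52da1",
    "60d4aafb1e8940bbd3c0dab75216055f168e0a7a",
    "edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782",
}
DOMAIN_WATCHLIST = {"indogulf.hopto.org"}
# Address the domain resolved to at report time. Dynamic DNS names move, so
# this is weaker evidence than the name itself and should be time-bounded.
IP_WATCHLIST = {"104.255.68.92"}

HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Hit:
    line_no: int
    kind: str  # "hash", "domain" or "ip"
    value: str
    line: str


def domain_matches(name: str) -> bool:
    """True for the watchlisted host or any label under it.
    The parent hopto.org is a shared No-IP zone and is deliberately not
    matched: blocking it would hit every other No-IP customer."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAIN_WATCHLIST)


def scan_line(line_no: int, line: str) -> List[Hit]:
    hits: List[Hit] = []
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # Hash-bearing fields such as Hashes=MD5=...,SHA256=... carry several
    # values, so scan the raw line for hex tokens instead of one field.
    for token in HEX_RE.findall(line):
        if token.lower() in FILE_HASHES:
            hits.append(Hit(line_no, "hash", token.lower(), line))
    for key in ("query", "dest_host", "host"):
        if key in fields and domain_matches(fields[key]):
            hits.append(Hit(line_no, "domain", fields[key].lower(), line))
    for key in ("dest_ip", "answer"):
        if key in fields and fields[key] in IP_WATCHLIST:
            hits.append(Hit(line_no, "ip", fields[key], line))
    return hits


def scan(lines) -> List[Hit]:
    return [h for i, line in enumerate(lines, 1) for h in scan_line(i, line)]


# Constructed sample records (not from the report).
SAMPLE_LOG = [
    "ts=2020-05-08T14:02:11Z src=10.0.0.5 query=indogulf.hopto.org answer=104.255.68.92",
    "ts=2020-05-08T14:02:12Z src=10.0.0.5 dest_ip=104.255.68.92 dest_port=443",
    "ts=2020-05-08T14:02:13Z src=10.0.0.9 query=other.hopto.org answer=198.51.100.7",
    'ts=2020-05-08T14:01:50Z host=WS12 event=ProcessCreate image="C:\\Users\\a\\AppData\\Local\\Temp\\~WRD8811.tmp" '
    "Hashes=MD5=7C5D7EC22DAFA11E5981FCE7DE75AE4D,SHA256=C64657539A0E3A0FF8817705ABC1AFB081D4B86A42D4D358D7774207A8810BEB",
    "ts=2020-05-08T14:03:00Z src=10.0.0.7 dest_host=www.example.com dest_ip=93.184.216.34",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

On the constructed records this flags the DNS lookup of indogulf.hopto.org and its answer, the follow-up connection to 104.255.68.92, and the process-creation event carrying the ~WRD8811.tmp hashes; the query for a different hopto.org subdomain is ignored on purpose. Matching both MD5 and SHA-256 from one event, as the sample does, is stronger than either alone, and the hash match is the indicator least likely to go stale.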
MAEC Characterization of f86ec79467abbcf6c040ef8cddbac660
ClamAV: Rtf.Dropper.Agent-1699578
McAfee: Generic Dropper.ahb
NetGate: Exploit.Win32.Agent
Symantec: Bloodhound.RTF.3
Antiy: Trojan/Generic.ASExplot.7A
BitDefender: Trojan.GenericKD.3825160
Microsoft Security Essentials: Exploit:Win32/CVE-2015-1641
Sophos: Troj/RTFDrp-AE
TrendMicro House Call: TROJ_AR.2539E986
TrendMicro: TROJ_AR.2539E986
Emsisoft: Trojan.GenericKD.3825160 (B)
Ahnlab: RTF/Exploit
ESET: Win32/Exploit.Agent.NOW trojan
NANOAV: Exploit.Rtf.RTF.ekbjwo
TACHYON: Suspicious/RTF.GDO.Gen
Quick Heal: Exp.RTF.Heur.Gen.A
Ikarus: Trojan.Win32.Exploit
Labels: CVE-2015-1641, dropper, trojan
MAEC Characterization of 7c5d7ec22dafa11e5981fce7de75ae4d
McAfee: Fareit-FEW!7C5D7EC22DAF
K7: Trojan ( 004f26a41 )
Cyren: W32/Trojan.SW.gen!Eldorado
Symantec: Heur.AdvML.B
Antiy: Trojan/Win32.Inject
BitDefender: Gen:Variant.Zusy.220725
Sophos: Troj/MSIL-HIE
TrendMicro House Call: TROJ_FR.EF301573
TrendMicro: TROJ_FR.EF301573
Emsisoft: Gen:Variant.Zusy.220725 (B)
Avira: HEUR/AGEN.1101621
Ahnlab: Trojan/Win32.Limitail
ESET: a variant of MSIL/Kryptik.GLC trojan
NANOAV: Trojan.Win32.Kryptik.eldmai
Ikarus: Trojan.MSIL.Crypt
Labels: command-and-control
MAEC Characterization of 55d5959618d96e4e36e6580717f52da1
K7: Trojan ( 0055e3dd1 )
Antiy: Trojan/Win32.TSGeneric
Sophos: Troj/Inject-BZQ
TrendMicro House Call: TROJ_KRYPTIK.NPW
TrendMicro: TROJ_KRYPTIK.NPW
Avira: TR/Agent.tssn
VirusBlokAda: Trojan.Inject
ESET: Win32/Agent.YAI trojan
NANOAV: Virus.Win32.Gen.ccmw
TACHYON: Trojan/W32.Inject.6144.AH
Filseclab: Trojan.Inject.aaokk.nzvg
Quick Heal: Trojan.Dynamer
Ikarus: Trojan.Win32.Agent
Labels: virus
10077745.r1.v2
Malicious Code
Malicious Artifact Detected