2023-12-05-IOCs-from-loader-to-unidentified-malware.txt
2023-12-05 (TUESDAY): EMAIL --> LOADER --> UNIDENTIFIED MALWARE
REFERENCES:
- https://www.linkedin.com/posts/unit42_malwaretraffic-timelythreatintel-unit42threatintel-activity-7138177279964151809--S66
- https://twitter.com/Unit42_Intel/status/1732411660013273387
INFECTION CHAIN OF EVENTS:
- email --> disk image --> extracted loader EXE --> reverse byte order DLL --> infostealer C2
ASSOCIATED MALWARE:
- SHA256 hash: 3fb8cfe46d5222620d56a063e0be957d13a4932d97f28bc96a570abc4be1bb33
- File size: 135,168 bytes
- File name: RH2023-11.img
- File type: ISO 9660 CD-ROM filesystem data 'Order Requirement'
- File description: Disk image attached to email
- SHA256 hash: 94f8bd5887740e8276effb1254a36ff5593974ed546cd3a86912214869f2d76a
- File size: 82,944 bytes
- File name: Order Requirement.exe
- File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
- File description: Loader EXE extracted from the above image
- SHA256 hash: 202a27e88df431dd66214115a13d064c130629cb4b8016294dd33caa790c8099
- File size: 1,120,768 bytes
- File location: hxxps://brianetaveras.byethost13[.]com/Avxsdun.dat
- File type: data
- File description: Reversed byte-order file retrieved by above loader EXE
- SHA256 hash: 2a52c4966e5b8059d23995165ae11a7e6f4aee6909d8423b2ececf0ed0245ee0
- File size: 1,120,768 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Avxsdun.dat with byte-order reversed to reveal DLL file
- Run method: unknown
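The listing above says Avxsdun.dat is the DLL with its byte order reversed, which is why the .dat and the recovered DLL have the same size (1,120,768 bytes) but different hashes. The script below is an added example, not part of the original IOC listing or the Unit 42 post: it reverses a blob, checks that the result has a plausible DOS/PE header before trusting it, and reports the SHA256 of both forms so they can be compared against the hashes listed. The sample buffer it runs on is constructed for the demo (a minimal fake PE header), not the real payload; on a real file, read the .dat with open(path, "rb") and compare the reported hashes with the two SHA256 values above.

```python
"""Recover a byte-order-reversed PE payload and hash both forms.

Added example for the IOC listing above; not code from the original page
or from Unit 42.  SAMPLE_DAT below is a constructed stand-in for the real
Avxsdun.dat, built so that the recovery step can be demonstrated offline.
"""
import hashlib
import struct

MZ_MAGIC = b"MZ"          # DOS header magic at offset 0
PE_MAGIC = b"PE\x00\x00"  # NT header signature at the offset held in e_lfanew


def reverse_bytes(blob: bytes) -> bytes:
    """Return blob with its byte order reversed (last byte becomes first)."""
    return blob[::-1]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and e_lfanew (offset 0x3C)
    pointing at 'PE\\0\\0'.  If the reversed blob fails this, the file was
    probably transformed some other way (chunked reversal, XOR, etc.) and
    the simple reversal assumption is wrong."""
    if len(blob) < 0x40 or blob[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == PE_MAGIC


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def recover_payload(blob: bytes) -> dict:
    """Reverse the blob, validate it, and report hashes of both forms.

    The listing gives one SHA256 for the .dat as downloaded and one for the
    reversed DLL; a match on either confirms the sample.  Size is reported
    once because reversal changes order, not length.
    """
    reversed_blob = reverse_bytes(blob)
    return {
        "size": len(blob),
        "as_downloaded_sha256": sha256_hex(blob),
        "as_downloaded_is_pe": looks_like_pe(blob),
        "reversed_sha256": sha256_hex(reversed_blob),
        "reversed_is_pe": looks_like_pe(reversed_blob),
    }


def build_fake_pe() -> bytes:
    """Construct a minimal buffer that passes looks_like_pe (demo only;
    this is NOT a real executable and has no sections or code)."""
    header = bytearray(0x80)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = PE_MAGIC
    return bytes(header) + b"\x90" * 16


# Constructed sample: the fake PE stored the way the loader fetches it,
# i.e. with its bytes reversed.  Stand-in for Avxsdun.dat, not the real file.
SAMPLE_DAT = reverse_bytes(build_fake_pe())


if __name__ == "__main__":
    for key, value in recover_payload(SAMPLE_DAT).items():
        print(f"{key}: {value}")
```

The header check matters because a loader that reverses bytes is a trivial transform to confuse with others that look identical from the outside; if reversed_is_pe comes back False on a real sample, stop and look at the loader's own logic rather than assuming the listing's description applies to the file you have.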
INFECTION TRAFFIC:
- 185.27.133[.]7 port 443 - hxxps://brianetaveras.byethost13[.]com/Avxsdun.dat
- 91.92.120[.]119 port 62520 - encoded/encrypted TCP traffic