mirror of https://github.com/Gi7w0rm/MalwareConfigLists synced 2024-06-16 12:08:59 +00:00
Gi7w0rm-MalwareConfigLists/ArechClient2_SectopRat/TTPs.md
2023-01-18 04:23:31 +01:00

Network Indicators:

C2:
77.73.133.83:15647
34.107.35.186:15647

DNS:
FLZBJBRSKJRhSMQ.FLZBJBRSKJRhSMQ

Other associated URLs:
hxxps://pastebin[.]com/raw/NdY0fAXm
eth0[.]me // Probably only used to look up the victim's public IP.

Malicious File Hashes:

0f83091af8806a425ef68a3db6373d48800066e59abec2545fffe3d9f2fac988 - obs-installer-setupx64-29.685.zip
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd - NppShell64.dll
0132c185e69550ae7fa93410b2898ef4b2d43b793bd40ccc98dd4ee9111b4f5c - Unknown binary packed into NppShell64.dll
d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720 - Setup.txt
250b3c35923f0e1d9bdd79ac35f9f66666ab0646828187771ccfc26648ae8762 - 1.qsp
ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367 - 45 (binary data, obfuscated AutoIT3.exe)
a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2 - 4 (malicious shell command script)
8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3 - S(.a3x) (Malicious AutoIT Script)
a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910 - Final Payload SectopRat/ArechClient2

8a94861424eac30e36085d408100510a9af570f6dd61a4c633d7e918e4317548 - Second sample (Not analysed)
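The list above is plain text with defanged URLs and `<hash> - <description>` lines, which is awkward to feed into a blocklist or a hunt query directly. The parser below turns it into structured indicators. It is an added example, not code from this repository; the section-header and line formats it recognises are taken from this page, the embedded sample text is a copy of the page's own indicator lines, and the output key names are my own choice.

```python
"""Parser for the plain-text IoC layout used in this TTPs.md (added example,
not part of the original list)."""
import re
from typing import Dict

# The page's own indicator lines, embedded so the parser runs offline.
SAMPLE_IOC_TEXT = """\
Network Indicators:

C2:
77.73.133.83:15647
34.107.35.186:15647

DNS:
FLZBJBRSKJRhSMQ.FLZBJBRSKJRhSMQ

Other associated URLs:
hxxps://pastebin[.]com/raw/NdY0fAXm
eth0[.]me // Probably only used to look up the victim's public IP.

Malicious File Hashes:

0f83091af8806a425ef68a3db6373d48800066e59abec2545fffe3d9f2fac988 - obs-installer-setupx64-29.685.zip
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd - NppShell64.dll
a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910 - Final Payload SectopRat/ArechClient2
"""

HEADER_RE = re.compile(r"^[\w ]+?\s*:$")                      # e.g. "C2:", "DNS:"
IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
SHA256_RE = re.compile(r"^([0-9a-fA-F]{64})\s*-\s*(.+)$")      # "<sha256> - <name>"


def refang(s: str) -> str:
    """Undo the defanging used in the list: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text: str) -> Dict[str, list]:
    """Walk the list line by line, keyed on the most recent 'Name:' header."""
    iocs: Dict[str, list] = {"c2": [], "domains": [], "urls": [], "sha256": []}
    section = ""
    for raw in text.splitlines():
        # Drop a trailing '// comment' (the '://' inside a URL has no spaces around it).
        line = re.split(r"\s+//\s+", raw.strip())[0]
        if not line:
            continue
        if HEADER_RE.match(line):
            section = line.rstrip(":").strip().lower()
            continue
        m = SHA256_RE.match(line)
        if m:
            iocs["sha256"].append({"sha256": m.group(1).lower(), "name": m.group(2).strip()})
            continue
        m = IPPORT_RE.match(line)
        if m:
            iocs["c2"].append({"ip": m.group(1), "port": int(m.group(2))})
            continue
        if section == "dns":
            iocs["domains"].append(line)
        elif "url" in section:
            iocs["urls"].append(refang(line))
    return iocs


def blocklist(iocs: Dict[str, list]) -> Dict[str, set]:
    """Flatten to the string forms a proxy/EDR blocklist usually wants.
    URLs are kept as full URLs on purpose: blocking pastebin.com or eth0.me
    outright would be a false-positive-heavy choice."""
    return {
        "ip_port": {f"{c['ip']}:{c['port']}" for c in iocs["c2"]},
        "domains": set(iocs["domains"]),
        "urls": set(iocs["urls"]),
        "sha256": {h["sha256"] for h in iocs["sha256"]},
    }


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_IOC_TEXT)
    for key, values in blocklist(parsed).items():
        print(key, sorted(values))
```

The IP:port pairs are the indicators worth a hard block; eth0.me is a generic public-IP lookup service, so treat it as a hunting pivot (unexpected process making that request) rather than a block entry.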

FilePath:

C:\Users\<USER>\AppData\Local\Temp\5col3ccv.tda\

Command lines:

powershell get-process avastui
powershell get-process avgui
findstr /V /R "^ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac$" 45
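The two `get-process` lines probe for the Avast and AVG UI processes, and the `findstr /V /R "^<marker>$" 45` line prints every line of `45` that is not exactly the marker, which is how the junk lines are stripped to recover the obfuscated AutoIt binary (the layout of `45` is inferred from that command, not stated on the page). The script below is an added example, not code from this repository: it runs detection logic for both command-line shapes over constructed process-creation events and emulates the findstr filter on a constructed stand-in for `45`. The event field names, the 32-character marker threshold and the `PAYLOAD-LINE-*` placeholders are assumptions.

```python
"""Detection for the two command-line TTPs in this list, plus an emulation of
the findstr /V filter. Added example; all sample events are constructed."""
import re
from typing import Dict, List

# Marker string exactly as it appears in the findstr command line on this page.
MARKER = "ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac"

# AV GUI processes the dropper looks for (from the page): Avast and AVG.
AV_PROCESS_NAMES = {"avastui", "avgui"}

# 'findstr /V /R "^<marker>$" <file>': the long random alphanumeric marker with
# ^...$ anchors is the signature of junk-line stripping, whatever the marker
# value is in a given sample. 32 chars is an assumed minimum length.
FINDSTR_RE = re.compile(
    r'\bfindstr(?:\.exe)?\s+(?:/[VR]\s+){2}"\^([A-Za-z0-9]{32,})\$"\s+(\S+)',
    re.IGNORECASE,
)
# 'powershell get-process <name>' (optionally 'get-process -Name <name>').
GETPROC_RE = re.compile(
    r'\bpowershell(?:\.exe)?\b.*?\bget-process\s+(?:-name\s+)?([\w.]+)',
    re.IGNORECASE,
)


def classify(cmdline: str) -> List[str]:
    """TTP tags matched by one process command line (empty list if none)."""
    tags: List[str] = []
    m = FINDSTR_RE.search(cmdline)
    if m:
        tags.append(f"findstr_junkline_strip:{m.group(2)}")
    m = GETPROC_RE.search(cmdline)
    if m and m.group(1).lower() in AV_PROCESS_NAMES:
        tags.append(f"av_process_probe:{m.group(1).lower()}")
    return tags


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run classify over process-creation events (Sysmon EID 1 / 4688 style
    dicts with a 'cmdline' field) and keep only those that match."""
    alerts = []
    for ev in events:
        tags = classify(ev["cmdline"])
        if tags:
            alerts.append({"pid": ev["pid"], "tags": tags, "cmdline": ev["cmdline"]})
    return alerts


def emulate_findstr_v(text: str, marker: str) -> List[str]:
    """What 'findstr /V /R "^<marker>$" <file>' outputs: every line that does
    not match the anchored marker. findstr's regex dialect is not Python's, but
    for an all-alphanumeric marker the two agree."""
    pat = re.compile("^" + re.escape(marker) + "$")
    return [ln for ln in text.splitlines() if not pat.match(ln)]


def build_sample_45(marker: str = MARKER) -> str:
    """Constructed stand-in for file '45': payload lines interleaved with
    marker lines (layout inferred from the findstr command, not from the page)."""
    payload = ["PAYLOAD-LINE-1", "PAYLOAD-LINE-2", "PAYLOAD-LINE-3"]
    lines: List[str] = []
    for p in payload:
        lines += [marker, p, marker]
    return "\r\n".join(lines) + "\r\n"


# Constructed process-creation events: three from the TTPs above, two benign.
SAMPLE_EVENTS = [
    {"pid": 1204, "cmdline": "powershell get-process avastui"},
    {"pid": 1208, "cmdline": "powershell get-process avgui"},
    {"pid": 1212, "cmdline": f'findstr /V /R "^{MARKER}$" 45'},
    {"pid": 1216, "cmdline": 'findstr /S /I "TODO" *.cs'},
    {"pid": 1220, "cmdline": "powershell get-process explorer"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["pid"], alert["tags"])
    print(emulate_findstr_v(build_sample_45(), MARKER))
```

Matching on the shape of the findstr invocation rather than on this sample's marker value keeps the rule useful against the next build, which will use a different marker; the `get-process` check is noisier on admin hosts, so pair it with the parent process (here the dropper chain runs out of a `%TEMP%` directory) before alerting.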

String dumps:

https://pastebin.com/raw/pjBNEQDw <= Original (contains some obfuscated strings)
https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/strings_dump/Arechclient2.txt <= SectopRat (cleaned)

Additional IoCs as found by @1ZZR4H:

https://raw.githubusercontent.com/CronUp/Malware-IOCs/main/2023-01-17_Arechclient2_GoogleAds