

RTM - Indicators of Compromise

ESET detection names

  • Win32/Spy.RTM.A

  • Win32/Spy.RTM.B

  • Win32/Spy.RTM.C

  • Win32/Spy.RTM.D

  • Win32/Spy.RTM.E

  • Win32/Spy.RTM.F

  • Win32/Spy.RTM.G

  • Win32/Spy.RTM.H

  • Win32/Spy.RTM.I

  • Win32/Hvnc.AD

  • Win64/Spy.RTM.A

Host-based indicators

Files

%PROGRAMDATA%\Winlogon\winlogon.lnk
%PROGRAMDATA%\Winlogon\*.dtt

Registry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
	Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host
HKLU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
	Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

Network indicators

C&C server domains

f72bba81c921.livejournal.com/data/rss
webstatisticaonline.tech
vpntap.top
rtm.dev
cainmoon.net
micro4n.top
ssdcool.top
cash-money-analitica.bit
money-cash-analitica.bit
vpnomnet.bit
vpnkeep.bit
fde05d0573da.bit
d47ea26b7faa.bit
feb96eb2aa59.bit

C&C server IP addresses

5.154.190.167
5.154.190.168
5.154.190.189
5.154.191.57
5.154.191.154
5.154.191.174
5.154.191.225
37.1.206.78
88.208.28.147
91.207.7.69
91.215.153.31
93.170.168.218
93.190.139.66
95.183.52.182
109.236.82.150
109.248.32.152
131.72.138.169
138.201.104.161
154.70.153.125
158.255.6.150
158.255.208.197
185.61.149.70
185.61.149.78
185.82.201.45
185.82.216.14
185.128.42.237
185.141.27.249
185.169.229.42
188.138.71.117
200.74.240.80
200.74.240.134
212.48.90.155
213.184.127.137
217.23.6.29

Samples

All sample hashes listed below are SHA-1 (MD5 and SHA-256 values for the same samples are in samples.md5 and samples.sha256).

Droppers/Downloaders

0961119783365e8b4dff12df7c7ae9f7388a410c
662b4daea4b07e7c95f4a58cf0be0f0281c81c67
859f66a7057304e72eaff58ded1a2aeae29a41dc
42a4b04446a20993ddae98b2be6d5a797376d4b6
48bc113ec8ba20b8b80cd5d4da92051a19d1032b
025c718ba31e43db1b87dc13f94a61a9338c11ce
059a114c2ec56434251cec7db4828418335cf29a
4a084e70fa2e6425c68c692b560acae68f89e69f
77a7735d0f83610e4d581850dd89ea15b6c5f699
83db465d10e6f403cf28ed714fbdf5e218b8fb41
8b77419e6c006303f078e77e6c1ca21547b8bdd1
9ac461ef9848367f46bf64649d46de955c4afc66
a1c7b51747ad13c5a1df470098a4585e1f24a5c4
a6d3e97d832d17d589c1a0aa24baaeccd73a2b39
e9fe3259bceb852ec1b8e5a01ff19eb7e3b08fbc
f539f5f3847d60ef6b6bfe32be76fe190b9298b0
e36f88d67cd50a9bc2e5d30cbf26577ffadd4a90
d125a868c393c3490d2d24016edb159a2a5ad0a9
92a1c9fc9069744653d4d3733ebf8669a84351b9
9d2fd31c086f0e982f6b973ee5951173ab69d0b2
cca9ade798a61450adbbcac5e433dadde11867ba
fca3d02a53e66d8975997ff2b03c8008a254a508
312a487b2830c62845f6feaf11d4af7c25783f1a
c4844acd88eeb104a05a775e475bc48e05a238e7
c824ee17138d2002a712744c3012fc51355fb044
85a6d6938680b30bac2c755a502f6b4f104643a3
d0390f4bcd5c0a952c012fbd034e78dbe88ed184
43a4c65da2c112c42e910f4e6ea359c759064d52
5b38be812c5e21fb9efb01eea845704cf9978a6d
c6e3aa123a52762bf2690b97cc79148eedd0e1e0
136185555755c537522e5ccc8a0d7487dc9dcffa
7c48114467776541032206fd9ae22be8490c45ba
f89e56dd9ca78cec02d0a2b95803843c59234082
1e3061c49cf62821ca17b835b7ff8d9d8a3bb6c2
f667d946acbc69d70ea0978b9b6878d232665cad
49994863baffba440212bd24232df21fbf93d812
7c1b6b1713bd923fc243dfec80002fe9b93eb292
b74f71560e48488d2153ae2fb51207a0ac206e2b

Main DLL (winlogon.lnk)

30c8b60ccd66eafb4c861584f45fe80dab71ee22
471a8fd0aa32ce61cf5e4ebece95527d1b234de6
42b990344d77b22578b0a35adda62c0bc02a09a5
be06b838e8b4b2e6bf59ceaafa3fbbb4cebdc522
f9183b6e29fee2c3467fc591bae9bb5fe9975027
c8f0c4a88397c16695e1352a48c538fb02f1cb16
e942145c0f3549bf7be79cbf5a4031cf6614af19
0705bda19096b05130e5768ea8efdaa864ddaff0
c75273cd886c3ea18a5be7e99b11044f88abd3ef
e0f377551d5b6553eedf9a0c3ef23eabfc7a937e
e7777db52fc9d34d57253db242f9c195d24836d8
ef7de8d746c413a8925aa6a01f7130cfc7eac2df
00fe6cf9c85821a2a2479083acb538ee49c8c141
5d6a96466e60f15b296d9b0d4cb3e095957d0aa4
9172dd756893fe9e68b2dcc85613e7346d1a25ef
5f357fbb6ae832f7a0fcfa824fa4026db4000a0a
ebdd585edfe6ff9359a38cb7fb65871f418c6c33
c3ba475f4e160a153c3baada8042b6aca5d06618
f6755195445ce89f61df8ad6aaf2bf491804224a
4a670cc34e59ea94e88c19eef6a4106cf5411624
5153886fec6cfed815601e68678286633bc564ec
4d83f2f601036bc770857f96ab16017b0afb6927
be83dd98b269bb2faf9e28e35734d3bfcf635166
f4c746696b0f5bb565d445ec49dd912993de6361
d8f3c6a1bb43d014fa34eaaae41a8d9eefd7c3b6
31b7215c892a0064a6f59c16d68a1decf39012a9
5521cce3e5e68eb6b8f7fa129daf143151436b2d
da0c6236909ea861b2d24794e88ff44c051ade64
822e05f998f5d727d5a663d06273da507ef5f135
5b7355ea8152b95a7ab9bb91e5836bf7acc39993
1f100e41213be79deacc86a9246e1d0b8a76d64b
fd4b98893de80ef3fe83b58017df9718993d8bcb
6f036c802384826b630aec70d9833b5b0ed735eb
1e4b84be1e4287c9787cd56009e1e2adb3348db8
6cf45111b2d71862803cf91f2a79780149c46a27
af862050a01972db36589653dc8b155e2b3e2f8c
b31a565e7c29b861b182c9880b5d38cb4211ab8f
dde57ff3b630a1b4052c3ef290bb361de96eab06
bdf77429c785514bf308f7c1d1e9ddca63a33ac8
2f6fd3b5a7611d72f9f9eb60b04471f9bebc738f
0b40873f86c2e6c676dfc003c232aa3167654172
d6004423e7b80d47b6215c9d1875122e128899ed
c4834a4e548b82ffe5d90042c78311b537564fe6
5cc1ac4f0cc6df3f0dbe2b53864a0f47899939c8
4733cf689dcc588b94fd0fba7ad4d93973486752
7175b734aa1273710008a2af6398f8bfc55f7f6b
cab9247484a6c7a10672b7ca8849dd7b4577be02
daa0673cb1d3eb7dbe8aa435997ecd9e1da228fd
f04300e901870efa9c9e49c440baaac23b0ce96c
9a131fc27f5397e32596e81df22260885b53cdfd
094ac3c414a9e6028afa5cdc0d4b4f3aa98b92ca
9a3e89d62795a1cb0747d279a6fdf65bfc8d5c8d
df1a4c99791570a2d203075581a6aeef59ece02b
94e21bac5c0fc0d8d583a0b9b1daf5d18528cc9f
aa0fa4584768ce9e16d67d8c529233e99ff1bbf0

Modules

VNC

8966319882494077C21F66A8354E2CBCA0370464

Browser data collector

03DE8622BE6B2F75A364A275995C3411626C4D9F

1c_2_kl

b1ee562e1f69efc6fba58b88753be7d0b3e4cfab

Persistence

2f3a181450f06284b042941e59a257a96cd39365

PDB file name

getapula.pdb

Strings

ZKRT
winhttp.dll
WinHttpOpen
WinHttpCloseHandle
WinHttpConnect
WinHttpOpenRequest
WinHttpReadData
WinHttpCrackUrl
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpSetOption
Software\\
keylogger.last-data
keylogger.last-wnd-caption
keylogger.last-exe-path
FRTnBm6glKEZf60
kosmos
botnet-prefix
botnet-id
cc.connect-interval
GetSystemDefaultUILanguage
RTM_ModuleEP
scan-files
crypt32.dll
CryptUnprotectData
post-install-report
cc.url.1
cc.url.2
__
 x32
 x64
,
modules.
modules-data.
core
msg
del-module
unload
uninstall
uninstall-lock
find-files
shutdown
reboot
cfg-set-str-a
cfg-set-str-w
cfg-set-dw
cfg-get-str-a
cfg-get-str-w
cfg-get-dw
cfg-del-param
screenshot
dns
lpe-runas-flags
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
EditionID
Service Pack
SP
CSDVersion
CurrentVersion
CurrentBuildNumber
scards.monitoring-interval
 files found
image/png
.png
ROOT
csrss.exe
OldFile
Updated
dbo.detected
bsi.dll?
online.payment.ru
bankline.ru
/ic/login.zhtml
/servlets/ibc
faktura.ru
/iclient/
ibank2
bco.vtb24.ru
elbrus.raiffeisen
elba.raiffeisen
handybank.
wupos.westernunion
online.sberbank.
Unk
SberBank_PC
BSS
BSS_PC
iBank2_PC
Faktura
PCB
InterPro
RosBank
SberBank_BO
INIST
Inversion
Interbank
iBank2
BiCrypt
VTB24
1C
SGB
Raiffeisen
HandyBank
WU
SberBank_Fiz
CFT
WinPost
SBIS
ClBank
QiwiCashier
ISCC
WebMoney
XTC
iFOBS
TRANSAQ
OSMP
IExplore
Firefox
0xFFFFFFFF
WWW_GetWindowInfo
\",\"
gdiplus.dll
GdipGetImageEncodersSize
GdipGetImageEncoders
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipSaveImageToStream
ole32.dll
GetHGlobalFromStream
CreateStreamOnHGlobal
kernel32.dll
CloseHandle
user32.dll
ToUnicode
CloseClipboard
WinSCard.dll
SCardFreeMemory
SCardListReadersW
SCardEstablishContext
SCardReleaseContext
SCardGetStatusChangeW
SeShutdownPrivilege
auto-elevate
Elevating success
Elevating failed
reload
Reloaded
ntdll.dll
RtlAdjustPrivilege
ZwShutdownSystem
new-cc
hosts-add
hosts-clear
dbo-scan
scard-off
modules-off
dbo-detector-off
multiinstance-off
keylogger-off
dnsapi.dll
DnsQuery_A
DnsRecordListFree
dns.dot-bit.org
193.183.98.154
106.186.17.181
50.116.23.211
130.255.73.90
109.69.8.34
File already updated
post-install-report-url
527D67BF-0D37-46D8-895F-D662E8A12190
3998A1EC-1726-42CA-830C-D6E966D21411
5B42B658-6029-44FD-9561-1ED64E89A0AA
692B2F88-60F4-45A4-88E2-946F98E12773
A69D400E-70E8-45F4-9438-80734E1FEA72
SYSTEM\\CurrentControlSet\\services\\Disk\\Enum
sdtf
D2
GET
POST
HTTP/1.1
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nConnection: Close
Accept: t
http://vpnomnet.bit/r/z.php
http://vpnkeep.bit/r/z.php
non
?a=started&fid=
*.*
*.dtt
.dtt
rundll32.exe
open
regedit.exe
BUTTON
STATIC
msctls_progress32
DISPLAY
Windows Registry Error
Windows >\u00041\u0004=\u00040\u0004@\u0004C\u00046\u00048\u0004;\u00040\u0004 ?\u0004>\u00042\u0004@\u00045\u00046\u00044\u00045\u0004=\u0004=\u0004K\u00045\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004 @\u00045\u00045\u0004A\u0004B\u0004@\u00040\u0004
Windows has encountered a corrupted registry records
\u0018\u0004A\u0004?\u0004@\u00040\u00042\u00048\u0004B\u0004L\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004
Restore records
\u0018\u0004A\u0004?\u0004@\u00040\u00042\u00048\u0004B\u0004L\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004 8\u0004 ?\u0004@\u0004>\u00042\u00045\u0004@\u00048\u0004B\u0004L\u0004 =\u00040\u0004 >\u0004H\u00048\u00041\u0004:\u00048\u0004
Restore records and check for errors
\u001f\u0004>\u00044\u0004@\u0004>\u00041\u0004=\u00045\u00045\u0004 >\u00041\u0004 M\u0004B\u0004>\u00049\u0004 >\u0004H\u00048\u00041\u0004:\u00045\u0004
More details about this error
\u001e\u00041\u0004=\u00040\u0004@\u0004C\u00046\u00045\u0004=\u0004K\u0004 ?\u0004>\u00042\u0004@\u00045\u00046\u00044\u00045\u0004=\u0004=\u0004K\u00045\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004 2\u0004 @\u00045\u00045\u0004A\u0004B\u0004@\u00045\u0004 Windows.
Multiple corrupted records has been found in Windows registry.
\u0014\u0004;\u0004O\u0004 C\u0004A\u0004B\u0004@\u00040\u0004=\u00045\u0004=\u00048\u0004O\u0004 >\u0004H\u00048\u00041\u0004:\u00048\u0004, Windows 8\u0004A\u0004?\u0004@\u00040\u00042\u00048\u0004B\u0004 ?\u0004>\u00042\u0004@\u00045\u00046\u00044\u00045\u0004=\u0004=\u0004K\u00045\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004.
To resolve this problem, Windows restore these records.
\u0014\u00045\u0004B\u00040\u0004;\u00048\u0004 >\u0004H\u00048\u00041\u0004:\u00048\u0004: \u001d\u00045\u00042\u00045\u0004@\u0004=\u0004K\u00049\u0004 4\u00045\u0004A\u0004:\u0004@\u00048\u0004?\u0004B\u0004>\u0004@\u0004
Error details: Incorrect descriptor
\u001f\u0004>\u00042\u0004@\u00045\u00046\u00044\u00045\u0004=\u0004=\u0004K\u00045\u0004 7\u00040\u0004?\u00048\u0004A\u00048\u0004:
Corrupted records:
\u001a\u0004>\u0004;\u00048\u0004G\u00045\u0004A\u0004B\u00042\u0004>\u0004 7\u00040\u0004?\u00048\u0004A\u00045\u00049\u0004: 3
Corrupted records count: 3
\u001e\u0004B\u0004<\u00045\u0004=\u00040\u0004
Cancel
\u001e\u0004H\u00048\u00041\u0004:\u00040\u0004: \u001d\u00045\u00042\u00045\u0004@\u0004=\u0004K\u00049\u0004 4\u00045\u0004A\u0004:\u0004@\u00048\u0004?\u0004B\u0004>\u0004@\u0004\r\n\u001a\u0004>\u00044\u0004 >\u0004H\u00048\u00041\u0004:\u00048\u0004: 0xc0005071
Error: Incorrect descriptor\r\nError code: 0xc0005071
Microsoft Windows
\u001f\u0004@\u0004>\u00042\u00045\u0004@\u0004:\u00040\u0004 4\u00045\u0004A\u0004:\u0004@\u00048\u0004?\u0004B\u0004>\u0004@\u0004>\u00042\u0004 @\u00045\u00045\u0004A\u0004B\u0004@\u00040\u0004 Windows
Windows checking registry descriptors
\u001f\u0004>\u00046\u00040\u0004;\u0004C\u00049\u0004A\u0004B\u00040\u0004, ?\u0004>\u00044\u0004>\u00046\u00044\u00048\u0004B\u00045\u0004...
Please, whait...
runas
\",DllGetClassObject host
.1
#32770
SysCredential
ComboBoxEx32
ComboBox
Edit
CLIPBOARD
.exe
WbemScripting.SWbemLocator
localhost
root\\CIMV2
SELECT * FROM Win32_NetworkAdapterConfiguration Where IPEnabled = True
WQL
root\\SecurityCenter
SELECT * FROM AntiVirusProduct
\\VarFileInfo\\Translation
\\StringFileInfo\\
ProductVersion
wclnt.exe
cbmain.ex
ibank.odb
internetbanktools.exe
LegalCopyright
ProductName
bicrypt
faktura
client.jks
intpro.exe
npbssplugin.dll
bssax.ocx
cbsmain.dll
isclient.exe
1cv8.exe
1cv8c.exe
1cv8s.exe
1cv7.exe
1cv7l.exe
1cv7s.exe
sgbclient.exe
rclient.exe
cft - bank client
winpost.exe
sbis.exe
sbis.dll
clbank.exe
qiwicashier.exe
iscc.exe
webmoney.exe
_ftcgpk.exe
wallet.dat
ifobsclient.exe
transaq.exe
maratl.exe
1\u00040\u0004=\u0004:\u0004
bank
SunAwtFrame
SunAwtDialog
\u0012\u0004E\u0004>\u00044\u0004 2\u0004 A\u00048\u0004A\u0004B\u00045\u0004<\u0004C\u0004
MozillaWindowClass
IEFrame
\u001b\u0004>\u00043\u00048\u0004=\u0004
TLoginWindow
TfmISClient
TInitialForm
\u001a\u0004;\u0004N\u0004G\u0004 M\u0004;\u00045\u0004:\u0004B\u0004@\u0004>\u0004=\u0004=\u0004>\u00049\u0004 ?\u0004>\u00044\u0004?\u00048\u0004A\u00048\u0004
obj_button
obj_static
tpanel
tbsvkcontrolscroller
Tahoma
*.pif
pif
.job
Software\\Microsoft\\Windows\\CurrentVersion\\Run
Windows Update
Tasks\\
Microsoft Corporation
Updating Windows components.
Author
PT0S
schedule
Winlogon
\\winlogon.lnk
\",DllGetClassObject
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
Shell
\\\\.\\PhysicalDrive
bootmgr
ntldr
Global\\
drivers\\etc\\hosts
ipconfig /flushdns
iexplore.exe
firefox.exe
xb