Malware-Misc-RE/2019-03-24-imodulegetbetter-proxy-account-checker.vk.csv
| uuid | event_id | category | type | value | comment | to_ids | date | object_relation | attribute_tag | object_uuid | object_name | object_meta_category | event_info | event_member_org | event_source_org | event_distribution | event_threat_level_id | event_analysis | event_date | event_tag | event_timestamp | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0493adf5-a092-4186-b43b-d041c7cd1430 | 283 | Payload delivery | md5 | 4099ab19782d6eb801b3d08ab4011f62 |  | 1 | 1553477883 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983490-60cc-40e1-a102-435a68f8e8cf | 283 | Network activity | url | http://185.180.197.55 | Credit Card Shop Checker Loader | 1 | 1553478800 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c98355b-50fc-451b-b945-6ae868f8e8cf | 283 | Network activity | url | http://185.62.189.136/chase_bot.php | C2 checker | 1 | 1553479003 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983768-e4cc-4766-b429-3c0768f8e8cf | 283 | Network activity | url | http://185.62.189.136/start/stat.php | Account Checker Login | 1 | 1553479528 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9837cb-f960-4774-baa4-3c0868f8e8cf | 283 | Payload delivery | yara | rule IModuleGetter_bin { meta: description = "IModuleGetter loader" author = "James_inthe_box" reference = "https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e" date = "2019/03" maltype = "Loader" strings: $string1 = "System.Xml" $string2 = "IModuleGetter" $string3 = "XmlDictionaryReaderQuotas" $string4 = "%USERPROFILE%\\AppData\\Local\\Temp\\NetPlatform" wide $string5 = "_settings" wide $string6 = "net.tcp://{0}:23566/IModuleGetter" wide condition: uint16(0) == 0x5A4D and all of ($string*) and filesize < 100KB } | Loader Yara | 0 | 1553479627 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9837f8-032c-49dc-9009-6b1868f8e8cf | 283 | Network activity | snort | alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"IModuleGetter Loader Detected"; flow:established,to_server; content:"net\|2e\|tcp"; fast_pattern; content:"IModuleGetter"; reference:url,https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e; classtype:trojan-activity; sid:20166290; rev:1; metadata:created_at 2019_03_24;) | Snort Rule Loader | 1 | 1553479672 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983842-a858-4053-bf23-6b1868f8e8cf | 283 | Network activity | url | http://davidich.life/1/good.txt |  | 1 | 1553479746 |  |  |  |  |  | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-0510-4afb-8516-6a1368f8e8cf | 283 | Payload delivery | malware-sample | cf1658a2c86de08d2cd427e83a39db313f3ac0562e41ae66224f676a84234509\|4099ab19782d6eb801b3d08ab4011f62 |  | 1 | 1553478179 | malware-sample |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-bc6c-4c15-b43b-6a1368f8e8cf | 283 | Payload delivery | filename | cf1658a2c86de08d2cd427e83a39db313f3ac0562e41ae66224f676a84234509 |  | 0 | 1553478179 | filename |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-4998-4f6d-89a3-6a1368f8e8cf | 283 | Payload delivery | md5 | 4099ab19782d6eb801b3d08ab4011f62 |  | 1 | 1553478179 | md5 |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-4814-4b10-b035-6a1368f8e8cf | 283 | Payload delivery | sha1 | f034d4ac5071e694dadedf877ea1b8d247c13279 |  | 1 | 1553478179 | sha1 |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-526c-4cbb-b630-6a1368f8e8cf | 283 | Payload delivery | sha256 | cf1658a2c86de08d2cd427e83a39db313f3ac0562e41ae66224f676a84234509 |  | 1 | 1553478179 | sha256 |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983223-ea50-4287-99ca-6a1368f8e8cf | 283 | Other | size-in-bytes | 15872 |  | 0 | 1553478179 | size-in-bytes |  | 5c983223-c350-4787-92e6-6a1368f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-7a80-4925-9e60-3c0768f8e8cf | 283 | Payload delivery | malware-sample | 4939ab52130eec4ae762977c10262b5397cd31ea5888b71b3fd242d5b5b0e315\|559e4ae429bd1829854e6cb4eb6cc2a2 |  | 1 | 1553478367 | malware-sample |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-d2f0-4722-b693-3c0768f8e8cf | 283 | Payload delivery | filename | 4939ab52130eec4ae762977c10262b5397cd31ea5888b71b3fd242d5b5b0e315 |  | 0 | 1553478367 | filename |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-3e68-4835-a2c2-3c0768f8e8cf | 283 | Payload delivery | md5 | 559e4ae429bd1829854e6cb4eb6cc2a2 |  | 1 | 1553478367 | md5 |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-4b18-461b-b924-3c0768f8e8cf | 283 | Payload delivery | sha1 | b1e3672320dced73405e9646b2b7ec0c5dc234ea |  | 1 | 1553478367 | sha1 |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-2c08-494c-a953-3c0768f8e8cf | 283 | Payload delivery | sha256 | 4939ab52130eec4ae762977c10262b5397cd31ea5888b71b3fd242d5b5b0e315 |  | 1 | 1553478367 | sha256 |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c9832df-5fa4-4bd5-80a5-3c0768f8e8cf | 283 | Other | size-in-bytes | 130560 |  | 0 | 1553478367 | size-in-bytes |  | 5c9832df-d818-484c-9a20-3c0768f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-64ac-4a46-a58d-3ec268f8e8cf | 283 | Payload delivery | malware-sample | 124d730c6c69e989ec7d5faf8ec38d6c44751712396f5b83b6078889fa7bacd0\|0bce8173c3d0da17a09d00205ed44899 |  | 1 | 1553479505 | malware-sample |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-552c-4113-92ea-3ec268f8e8cf | 283 | Payload delivery | filename | 124d730c6c69e989ec7d5faf8ec38d6c44751712396f5b83b6078889fa7bacd0 |  | 0 | 1553479505 | filename |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-a318-452c-a462-3ec268f8e8cf | 283 | Payload delivery | md5 | 0bce8173c3d0da17a09d00205ed44899 |  | 1 | 1553479505 | md5 |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-f5d8-4297-9f73-3ec268f8e8cf | 283 | Payload delivery | sha1 | e0a54fd5ffade8d0f6af96bf7d1ddd670a218ff5 |  | 1 | 1553479505 | sha1 |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-3488-492a-a60c-3ec268f8e8cf | 283 | Payload delivery | sha256 | 124d730c6c69e989ec7d5faf8ec38d6c44751712396f5b83b6078889fa7bacd0 |  | 1 | 1553479505 | sha256 |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |
| 5c983751-7a00-47d5-a75d-3ec268f8e8cf | 283 | Other | size-in-bytes | 347566 |  | 0 | 1553479505 | size-in-bytes |  | 5c983751-79c0-43dc-9d8a-3ec268f8e8cf | file | file | 2019-03-24: IModuleGetBetter -> Account Checker Targeting US Financial | VK-Intel | VK-Intel | 3 | Medium | 0 | 2019-03-25 | IModuleGetter,Malware: Account Checker,CarderStore,C:\Users\ASUS\Desktop\Develop\Projects\ModuleManagerExternal\ModuleManager\obj\Release\DataLaunch.pdb,Proxy | 1553480260 | |