【インディケータ情報】
■ハッシュ情報(Sha256)
| SHA-256 | Filename |
|---|---|
| EE04B324F7E25B59D3412232A79D1878632D6817C3BB49500B214BF19AFA4E2C | Mozilla.exe |
| 0BA49FEB7784E6D33D821B36C5C669D09E58B6795ACA3EEBBF104B763B3B3C20 | Updateproxy.dll |
| 33B7407E534B46BF8EC06D9F45ECD2D3C7D954340669E94CD7CEDCBAE5BAD2DD | Telnet.dll |
| 6160AF383794212B6AD8AB9D6D104BBE7AEFB22410F3AB8EA238F98DABFC48B7 | Socks.dll |
| C63B01C40038CA076072A35913F56D82E32FCEE3567650F3392B5C5DA0004548 | Shell.dll |
| D51EC4ACEAFA971E7ABD0CF4D27539A4212A448268EF1DB285CD9CE9024D6EB3 | Session.dll |
| BD8086DE44E16EFDD380E23E49C4058D956538B01E1AE999B679B6B76B643C7D | Screen.dll |
| B44A9545B697B4D46D5B96862A6F19EA72F89FED279F56309B2F245AC8380BE0 | Port.dll |
| F4DF97108F18654089CFB863F2A45AA41D17A3CE8A44CCCC474F281A20123436 | File.dll |
| D31D38403E039F5938AE8A5297F35EB5343BB9362D08499B1E07FAD3936CE6F7 | ConEmu.exe |
| A591D4D5B8D23FF12E44A301CE5D4D9BF966EBA0FC0068085B4B4EC3CE352963 | Noodles.exe |
| EEBFF21DEF49AF4E85C26523AF2AD659125A07A09DB50AC06BD3746483C89F9D | Coal.exe (Malicious executable) |
| 97B9D7E16CD6B78A090E9FA7863BD9A57EA5BBE6AE443FA788603EEE5DA0BFC3 | Abg.exe (Malicious executable) |
| B6C21C26AEF75AD709F6C9CFA84BFA15B7EE709588382CE4BC3544A04BCEB661 | 23d.exe (Malicious executable) |
| DB9B9FA9EFA53662EC27F4B74B79E745F54B6C30C547A4E5BD2754E9F635F6DB | 89d.exe (Malicious executable) |
■IPアドレス(C&C)
- 23.227.207.137
- 89.249.65.194
■ファイル
- C:\ProgramData\HIDMgr
- C:\ProgramData\Rascon
- C:\ProgramData\TrkSvr
■サービス
- HIDMgr
- RasconMan
- TrkSvr
■レジストリ
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(以上は nccgroupの情報。 引用元は https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/)
【ブログ】
◆Decoding network data from a Gh0st RAT variant (nccgroup, 2018/04/17)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
⇒ https://malware-log.hatenablog.com/entry/2018/04/17/000000_5
