IoC (TT Malware Log)

Malware IoC (Indicator) information

◆Caution◆ Site for malware analysis specialists

     FQDNs, URLs, IP addresses, etc. are posted as they are



Remexi

【Indicator information】

■Hash information (MD5)


■IP address

108.61.189.174


■Mutex

Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}


■Scheduled task

CacheTask_


■Directory with malicious modules

Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf


■Events.exe persistence records in Windows system registry keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager


■Victims’ fingerprints stored in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData


■RC4 encrypted C2 commands stored in

HKCU\SOFTWARE\Microsoft\Fax


■HTTP requests template

http:///asp.asp?ui=nrg--
Also a bitsadmin.exe task to external network resources, addressed by IP address

【Blog】

◆Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities (SecureList(Kaspersky), 2019/01/30)
https://securelist.com/chafer-used-remexi-malware/89538/