EVILNUM UNLEASHES PYVIL RAT

 


EVILNUM UNLEASHES PYVIL RAT

 

The Evilnum group use different components written in JavaScript and C# as well as tools bought from the Malware-as-a-Service provider Golden Chickens. Among the tools used by the Evilnum group are More_eggs, TerraPreter, TerraStealer, and TerraTV too. The group is known to target FinTech companies and is abusing the usage of the Know Your Customer(KYC) procedure to start the infection. The Evilnum group release a new Python-scripted RAT which is known as a PyVil RAT that was compiled with py2exe, which can download new modules to expand functionality.PyVil RAT possesses different functionalities and enables the attackers to exfiltrate data, perform keylogging and the taking of screenshots, and the deployment of more tools such as LaZagne to steal credentials.

Indicators of Compromise

Domains

voipasst[.]com
voipreq12[.]com
telecomwl[.]com
crm-domain[.]net
leads-management[.]net
fxmt4x[.]com
xlmfx[.]com
telefx[.]net
voipssupport[.]com
trquotesys[.]com
extrasectr[.]com
veritechx[.]com
quotingtrx[.]com
vvxtech[.]net
corpxtech[.]com

IP addresses

193.56.28[.]201
185.236.230[.]25
5.206.227[.]81
176.107.188[.]175


File Hash

db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
4ce0954ca7173bd696afe8f44bf48027b3d4d630c0cce414b95d6715e662b5fb
0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
4e396586fd6dfcc24686aae73ba5c336939ee7a7aa9ffb76a1f78867926c6e4b
5aa1109d057e830d6f3faf4b6ff6f69075d158dadb5f46794b3e07685922d09d
25c119a7ee5b53212b5992992907a7772610b491ce2992c860dc206d0f3f844d
e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
6136309a207b89ccd423f8c087a9cdd633d8f5e78b8ebd576b7750b49274c532
0c920e7dfdd0028d9d15344c2e9c64ae57c2c9417dc7b22b865fdfe0cc0b8b1f
79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
c4b90fdec0848ad68abe18a42889ec0e5e45b7678afbf0353fedf53915b76275
79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
4574239efb728913fd379cc914039b1d7fa8c3ac8d6e3503d6f5bc73de504c96
79b032dbb8ade21b97be5dcaa63c974b6cdbb3c6f32b4abf2872288ae43ea4a6
1a3f39dc604dbca691aefeaf1d5a372fbca3650003d4145671525a2960e1239e
bdc20527d5afc4f13fa45c9182c8f58eb88cb4edc76aa38be83d95fd3365ce0a
048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9
11d9a87b144c0eaf71e8dea1b08117d464ed7f24a6e716e935e0c7f3a7e03edc
0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0

 

 

Comments

Post a Comment

Popular posts from this blog

Revil Ransomware Targeted Kaseya

Image
  Revil Ransomware Targeted Kaseya   REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.   Indicators of Compromise URLs/Domains: architekturbuero-wagner.net mindpackstudios.com vitavia.lt bouncingbonanza.com lukeshepley.wordpress.com igfap.com bockamp.com levihotelspa.fi exenberger.at tinyagency.com familypark40.com alfa-stroy72.com boompinoy.com mdacares.com architecturalfiberglass.org slupetzky.at sinal.org qualitus.com deepsouthclothingcompany.com groupe-frayssinet.fr synlab.lt kamienny-dywan24.pl ilcdover.com humancondition.co...
Read more

BANDOOK(RAT)

Image
    BANDOOK(RAT)-Malware   The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server sends basic information about the infected machine and waits for additional commands from the server. Indicators of Compromise File Hash MD5 27f8d8bbbeeda5fc439ee18d9d4da343 44584c8d010242fddb44afe5ce860872 a6501c62b3a6ffa8d028a88138fe509f 7c15ee5b9a12dacaace8fb62271f12f1 4e9e12c98cfbc5f3aa3c1345bd063fa0 7ef261c151519e66ec369c63e4b1aed4 6effed1b1bb5e9ed6aafacb075c1d4e2 0475771b8bc3efc28b1834f3add608f3 045ce6679ed4086e2ded58470e24c15a 28ad9ace11919b57bf54...
Read more

Buer Loader provides malware-as-a-service

Image
  Buer Loader provides malware-as-a-service       Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. “A new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). Indicators of Compromise File Hashes 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4   6c7f43434e5db8703c0a47dedeeab976159d8704bfb...
Read more