Pulse name: RATs, Hackers and Rihanna
WHITE | AlienVault | Created: 2015-08-25 | Modified: 2017-08-24
34 IOCs (medium volume)
(Fortinet) We start our correlation with the analysis of the exploit payload: a remote administration tool (RAT) with MD5 6bde5462f45a230edc7e7641dd711505 (detected as MSIL/Agent.QOO!tr). This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker (hacker).
Indicators of Compromise (8 / 34 total)