PULSE NAME
Evilnum Unleashes PyVil RAT
WHITE Evilnum AlienVault 2020-09-03 Modified: 2021-02-12
79 IOCs
HIGH VOLUME
In recent weeks, the Nocturnus team has observed new activity from the Evilnum Group, including several notable changes from tactics observed previously. These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT.
Indicators of Compromise (10 / 79 total)