CyberThreatIntel/China/APT/Chimera/CSV/Database.csv
2020-10-11 21:25:17 +02:00

ID,Threat,Hash,Vhash,Time,Signature,Commentary
0,APT19,ed4043b9a410016fb57c57cefb8bda4eeef1b222194fd68eb17650e353a4eea4,125066655d155555129z87fz39za00176z1,2017-05-22 21:21:47,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 1c 60 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Variant uses EICAR string as fake alert + ReflectiveLoader
0,APT19,88c7058e0190a72f01c3371b8b893d7b08d25fa6c35521c0440d959be4e0d574,125066655d155555129z87fz39za00176z1,2017-05-22 21:21:47,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 1c 60 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
1,APT19,399a07f32a3d29c3feac66fe71fc6694d456f8de4894f92743f4e9031500b9e9,125066655d155555129z76fz39za00176z1,2016-07-28 20:17:37,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 40 4a 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
2,APT19,f286f5e10d39dbbfec1aa1667912d63d31f88f787f9a1cb7a87b9e88fdb1209a,125056655d15551.z1,2016-11-11 04:08:32,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 3c 6e 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f0 00 00 00 5c 55 0c 75 63 ef 98 0b 7f c4 5c,"Variant pivot, ordinal way -> execute"
3,APT19,d6dc1b71a7358107087235a29eff5a195f52d1f482f017135024227fe7278bb1,125056655d15551258z88fz39za00176z1,2018-09-05 21:54:00,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 40 64 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
4,APT19,cfc7b6a8ad0959f4ea3f6b6f09492ea93961938008b61279567f1bddf1a7bc06,125056655d15551158z8drza00166z1,2020-06-23 19:21:26,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 d8 5f 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,"Different formatting and techniques, code reuse, uses the stack for the strings"
5,APT19,2f8e39e97dfd31bb434618acab9be13ca142f8ed5d84b6b1eec2ad51e0708d52,125056655d1555129z8frza00166z1,2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
5,APT19,f625ac3b2c790e92810a05823a5ea8ce4c9741278a377c3f7e69b65a33affa04,125056655d1555129z8frza00166z1,2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
5,APT19,d03f975148e13019971f60857322ce49b923ae0cabd477cd282b97fdf3f906a3,125056655d1555129z8frza00166z1,2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
5,APT19,5f133e7b1c41a09fe9c41f841b2a4bdbc9046c21c731391811cbfbc7508cc28a,125056655d1555129z8frza00166z1,2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
5,APT19,d352c4b9852fb132913f526cd9ae8d68291b288a30a3c5dfe810a1ea9ae851b1,125056655d1555129z8frza00166z1,2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader
5,APT19,275026846522fe61c312b0a739f4d1272eb99d8b66f55a5083e30f22aeb0217f,"135056655d15151""z",2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Evasive method on the API calls
5,APT19,23dceade2359f8b2575ebd8ed0039e31c80d6961b309eeb6fe5562b00beea8ce,"135056655d15151""z",2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Evasive method on the API calls
5,APT19,c0e7dacc3f1aef4b11c99cbdebd368abefb4dc901137fabcdfee238048cd5401,"135056655d15151""z",2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Evasive method on the API calls
5,APT19,8639245501bc7aa29bd32fb4640eb29234191be4d91ea679fb64cc00ebb13d2e,"135056655d15151""z",2019-12-05 12:01:49,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Evasive method on the API calls
6,Chimera,f7d8e3458210963963742f5c66527ed3a9e465e2410a3343fe5487a934e85d44,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Variant using localhost
6,Chimera,8a343368941ce2c500224256a96aec952b00786b2500746ac184553d99b9f912,125056651d15555143z32z717z1dz31z900157z,2020-09-04 19:37:33,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Pivoting on external IP
6,Chimera,fbe327350c11038f64cec12eb7343ac2dcfcc66ced70a8216f9f8053479edbb3,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
6,Chimera,57557d0f6a3989d9676e92607b6d6f700930c26f41f12d47bee79c5df0913334,125056651d15555143z32z717z1dz31z900157z,2020-09-04 19:37:33,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Pivot implant
6,Chimera,4644e922a0a46e560f1115b8078ee6978568d2d838645b84293cdb6f8c797fff,125056651d15555143z32z717z1dz31z900157z,2020-09-04 19:37:33,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
6,Chimera,da0d8dc8a3c034275d3a98471009dc65fc54afda5fc4f36a778c060e4113c429,125056651d15555143z32z717z1dz31z900157z,2020-09-04 19:37:33,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
6,Chimera,cc02448dbfe5290451ff2f7f13f96b96590d31774c3c72e6b2e236e7755dbd31,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
6,Chimera,801cac0879575ea2cf5dafd72d1676836c3ac8bc4264635c4461c3ee90a79297,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Pivoting on external Domain
6,Chimera,c50a67746b3b10a5961f1dfbd1acccd52f0a9ff049fb47edf6e973c8f90bc185,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule but different header
7,Chimera,b9e9a707e3449e55d78a2b8b90b5fd2f83b99119bef9d4bb2c3537b8d7ec178c,125056655d1515|z,2018-09-27 23:00:20,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Internal Pivot
7,Chimera,02a8ad2110256bbd1f08ba9e2de7a38c93a59a7dc131136e5aff1a35cb17eb71,125056655d1515|z,2018-09-27 23:00:20,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Internal Pivot
7,Chimera,6e09590db5e55a763fd74087e1e582770cd0616f098ca083a25d49c62e533ce5,125056655d1515|z,2018-09-27 23:00:20,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Internal Pivot
8,Chimera,3d842f42a7caa4e088a4c7a28ef866a9ac1e0f75be929beed99cc73838ad8507,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,b2ebbcd9700e0ac2e0b54e3599f95f389a6c206c2c1236287de48757c89b8f80,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,10b5ede60b9c5d7857a4462c4c3fd531b1793a37bd366f9cb6cb675289858aab,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,f9cebbde1d4c61fdce981c73d24274dbe3f2707f6f42f76fcabe689ebcb1965d,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,e8b94f00131ffad10638c7f3e323ae501e2164b101f9544eb91678ffcf8eb6b9,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,e00f032ddecf958b9ed4fbdd9ca52f44ed7b25a260ab08e842f8d4f174f8c344,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,76e6b9102e44d048fcdcb4e567cdd50754fd3e952f76a5c1b4cfcec8ccbe129b,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
8,Chimera,222a38b7a34bf52dea4bcd6b39d30a25b8b2485a684c42f702d237f2e09bfb29,125056651d15555143z42z78z1dz31z900156z1,2020-06-27 02:27:29,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Same PE + junk code at the end?
9,Chimera,f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab,125056655d15555153z42z737z1dz31z900185z51,2020-04-17 23:08:28,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 eb 18 00 00 ff d3 48 81 c3 00 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching with rule -> Internal IP
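The Signature column above holds the first 75 bytes of each sample, and rows of the same generation differ in only a handful of positions. The script below is an added example, not code from the StrangerealIntel repository: it reads rows in this file's column layout, intersects the signatures of one Threat value into a masked pattern (bytes that vary between builds become `??`), renders that as a YARA hex string, and matches a buffer's leading bytes against it. The three embedded rows are copied from the table; the function names (`load_rows`, `build_mask`, `to_yara_hex`, `matches`, `classify`) and the grouping by Threat are this example's own choices.

```python
"""Masked-signature matching over rows of Database.csv (added example)."""
import csv
import io
from typing import Dict, List, Optional

# Three rows copied from the table above (two APT19, one Chimera), kept in
# the file's own column order so the csv module parses them like the original.
SAMPLE_CSV = """ID,Threat,Hash,Vhash,Time,Signature,Commentary
0,APT19,ed4043b9a410016fb57c57cefb8bda4eeef1b222194fd68eb17650e353a4eea4,125066655d155555129z87fz39za00176z1,2017-05-22 21:21:47,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 1c 60 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Variant uses EICAR string as fake alert + ReflectiveLoader
1,APT19,399a07f32a3d29c3feac66fe71fc6694d456f8de4894f92743f4e9031500b9e9,125066655d155555129z76fz39za00176z1,2016-07-28 20:17:37,4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 40 4a 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,matching to rule -> Reflectiveloader
6,Chimera,f7d8e3458210963963742f5c66527ed3a9e465e2410a3343fe5487a934e85d44,125056651d15555143z32z717z1dz31z900157z,2020-08-01 03:10:57,4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01,Variant using localhost
"""

Mask = List[Optional[int]]  # one entry per byte; None means wildcard


def load_rows(text: str) -> List[dict]:
    """Parse the CSV and decode the space-separated hex Signature into bytes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["sig"] = bytes.fromhex(row["Signature"].replace(" ", ""))
    return rows


def build_mask(sigs: List[bytes]) -> Mask:
    """Byte-wise intersection of signatures from one generation: a position
    keeps its value when every signature agrees, otherwise it becomes None.
    Only the shortest common prefix is considered."""
    if not sigs:
        raise ValueError("need at least one signature")
    length = min(len(s) for s in sigs)
    mask: Mask = []
    for i in range(length):
        values = {s[i] for s in sigs}
        mask.append(values.pop() if len(values) == 1 else None)
    return mask


def wildcard_offsets(mask: Mask) -> List[int]:
    """Offsets that differ between the inputs, i.e. the per-build bytes."""
    return [i for i, b in enumerate(mask) if b is None]


def to_yara_hex(mask: Mask) -> str:
    """Render the mask as a YARA hex string with '??' for wildcards."""
    return "{ " + " ".join("??" if b is None else f"{b:02x}" for b in mask) + " }"


def matches(mask: Mask, data: bytes) -> bool:
    """True when data starts with the masked pattern (shorter data never matches)."""
    if len(data) < len(mask):
        return False
    return all(m is None or m == d for m, d in zip(mask, data))


def classify(rows: List[dict], data: bytes) -> Optional[str]:
    """Build one mask per Threat label from all its rows and return the first
    label whose mask matches data, or None if nothing matches."""
    by_threat: Dict[str, List[bytes]] = {}
    for row in rows:
        by_threat.setdefault(row["Threat"], []).append(row["sig"])
    for threat, sigs in by_threat.items():
        if matches(build_mask(sigs), data):
            return threat
    return None


if __name__ == "__main__":
    table = load_rows(SAMPLE_CSV)
    apt19 = [r["sig"] for r in table if r["Threat"] == "APT19"]
    print(to_yara_hex(build_mask(apt19)))
    print("wildcards at", wildcard_offsets(build_mask(apt19)))
```

Run on the two 2016/2017 APT19 rows, the wildcards land at offsets 25, 26, 60 and 61: the low bytes of the imm32 in `48 81 c3 ?? ?? 01 00` (`add rbx, imm32`, the build-specific distance the stub adds to its own address before `ff d3`) and the low bytes of e_lfanew at 0x3c. Every opcode survives, so the pattern is tight to that generation; the Chimera rows already diverge at offset 9 (`48 83 ec 20` against `48 81 ec 20 00 00 00`) and are rejected, and the 2018 to 2020 APT19 rows, which carry an extra `48 89 df` before `48 81 c3`, would need a mask of their own. Lookup by the Hash column is a plain dictionary on the full-file SHA-256 and is left out here, since only the first 75 bytes of each sample are on the page.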