Pack it Secretly: Earth Preta’s Updated Stealthy Strategies

Indicators of Compromise

SHA256

Trojan.Win32.TONEINS
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
libcef.dll                                          3fd8cd848e89e792d3915bfc0b485de80d7615a1422047c589ac0b34f4c9e7b0
libcef.dll                                          10d37878e595e76513156a538c34d23b1533b84f984609b405b84e74a26a7381
libcef.dll                                          0a43705f5c10aad9317c49c81d9f12db4aee5e2557a39020973d25019955d345
libcef.dll                                          7cc2a21bcb3d58c2c82cee3e6b97c34aff1892d52658ecb5d10659c266c53b16
libcef.dll                                          8b98e8669d1ba49b66c07199638ae6012adf7d5d93c1ca3bf31d6329506da58a
libcef.dll                                          87f6adcd16f8a65096f4c192d52107fff98f411b1e166ded69cf3800d8a2933d

Backdoor.Win32.TONESHELL
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
coreclr.dll                                         a8b31d491f4e7f41e7a7c3aeb35030ba3363dfb34ae74c84b02c25df125db23d
~$Australian embassy help letter.docx               1f7d961d9c15aa8f4b9b5a2e17de277aaded55f11aefed34b3ebd0af545f5448
coreclr.dll                                         e4189bd43996250dfb525f64844525343a80bf9dc2039d46cb8ccc430a24a0ce
coreclr.dll                                         2a61fc95c432328d2600615a5bbbe8f0ee75fad2035417879a742cc58306e071
~$List of terrorist personnel at the border.docx    e79aef1efd60d55274d42d2da0a8158f131dcd56234cfc1b77d1600ceed7977e
~$Notic(20221010).docx                              3d18ef92a3d5f97d9be130fdda90d49dbcd661f3d2b992c3c539789df5ff379c

Trojan.Win32.PUBLOAD
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
EVENT.dll                                           7e2e4943099652a5367ff2c3ee7fc664791cf17a405505514f3660c8dedd6fb0
-                                                   946b09e543ea9f1fe37dd9958a03ee061f00d711a04b5810e31e8bf9849e7f90
EVENT.dll                                           ef6a278bb6e09a67622de7b1c3403c4a5cb80ab2c0038654431b84feadb8fd79
EVENT.dll                                           5d5d5dbd752da8a96414d067b352501a67067abbb6b18b623c55a3ae68f969a6
EVENT.dll                                           ae9824355384c7ea34035ebc7e8832b6fb17e227a79efa72e4501cb9ddd2dd0a
EVENT.dll                                           e8357cacdccdb4670f6ae427a781f36a9c4b268907f83c1ce3502a0fd9ce2606

Backdoor.Win32.CLEXEC
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
SensorAware.dll                                     cfe1447e7515ad831fcfedb9a5c1a721885b0542b775e4028a277a27e724ec73

Trojan.Win32.HIUPAN
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
u2ec.dll                                            4bdc913cef96b0abd0c1a8231a7961ac901fc9c28f87bba3b8c59e6928c0cda4
usb.ini                                             12216b083ce2461c338bf571411ab53cd28fc0e3361add69a0b1c6d22b57e9c1

Backdoor.Win32.ACNSHELL
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
rzlog4cpp.dll                                       28a992ea7b9df22a7b7bcc04ecb3f3b89e5ea022f03b765bf1f12edd61df779f

Trojan.Win32.NUPAKAGE
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
package.exe                                         634977a24e8fb2e3e82a0cddfe8d007375d387415eb131cce74ca03e0e93565f
pak.exe                                             c835577f1ddf66a957dd0f92599f45cb67e7f3ea4e073a98df962fc3d9a3fbe0
meg.exe                                             2937580b16e70f82e27cfbc3524c2661340b8814794cc15cb0d534f5312db0e0
psvc.exe                                            c2f5a12ebaeb39d4861e4c3b35253e68e6d5dc78f8598d74bc85db21aeb504e8

Trojan.Win32.ZPAKAGE
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
fp.exe                                              711c0e83f4e626a7b54e3948b281a71915a056c5341c8f509ecba535bc199bee

Trojan.Win32.ABPASS
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
3.exe                                               869e2a35107f7469cc0a8eef44d2eaf311ce8c6fff7acd3e429b11167c6bcd57

Trojan.Win32.CCPASS
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
msedge.dll                                          9635bc2009415b05cfb3fa1c5f40042916891d7e289502572f5d20043dc0e2a8

Backdoor.Win32.COOLCLIENT
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
GoogleUpdate.zip                                    12a04989fdbcf7fa2f70a708521968e609b0d247acf842fe8c0e5f5bac3a09db
googleupdate.exe                                    6f924de3f160984740fbac66cf9546125330fc00f4f5d2dbf05601d9d930b7d9
goopdate.ja                                         6b703611c93f20513fee6080ff9fdd23f3c73db5b21a63324ef9e36e4d728b22
libvlc.dll                                          055fa35e8153242417d39c75e10e0de0758c05a9f31409926744c3f5ceeb4100
loader.ja                                           c07bc0b020f1250c69ee6ab804dd08095d42fe1fb80f591d2bb198a4409f2300
time.sig                                            a61ed84f72ac995156a18450864444edc20ae7859fb4fa667b14a61416841659

Backdoor.Win32.TROCLIENT
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
walk.rar                                            c3bbf0600f3833f3eaddb2e8c65d68e2a858644cf22b67851fff3e379cfbf08c
NetSky.exe                                          fb5edfcba99e2df2b7f6f40e8615f5cb247803180464e584161c7c91405aae4a
RzLog4CPP_Logger.dll                                c47590218e7a933350e09d3fe7e01cdf5e3cff1130557380ad96c2106ac15ab1
local.plg                                           9182bb02d99a62357918ad459ccdbb8edb21d1e61a225d350db94e22525f273f
free.plg                                            4c79bb9fbac4b189898095f81d4ee1ba7877cfbd16c6a10f933ca564ced737d2
main.plg                                            950bcbf83029f47e85f615494b4922cd0cdc04ca2c3d9699a0fb5d1fd2076dc5
alloc.plg                                           26f7ed0b66fd464caab9d648127ad17e8cd46d50fee94704627308a377dd821b

Backdoor.Win32.QMAGENT
File name                                           File Hash (SHA256)
-----------------------------------------------------------------------------------------------------------------------------
Documents.rar                                       19001883ec8d29ae6c8e54d4219631d1b0098e1fd246234a171a67509e87b621
IOTtest.exe                                         2139e3df912887b34b4d59fca098a8d511ea10530d7168b280acca844513ffad
qmqtt_example.exe                                   77e9dd17c26f4755bf0844991ea92363a9031fbf094f904c2c3953e97575fe99
qmqtt_example.exe                                   4936b873cfe066ec5efce01ef8fb1605f8bc29a98408a13bc8fe4462b2f09c5a
Test.exe                                            5231a0e725a70ee9b56cb461a3884755f2dbde58264040151b5224c2795f85f7
qmqtt_example.exe                                   1f9c3a12631b13f4fd128f93a8d14e63fb8e9e8529e55da1bfc0f2274b819671

C&C servers
-----------------------------------------------------------------------------------------------------------------------------
23.106.122.81
38.54.33.228
212.114.52.210
158.255.2.63
closed.theworkpc.com
188.127.237.27
appcloud.appmdb.com

Google Drive links
Distributed links                                                                   Owner’s gmail account
-----------------------------------------------------------------------------------------------------------------------------
https://drive.google.com/uc?id=1T9D_qOHQd9a-wiKeJL8oWs-8j-WAMGSQ&export=download  phonemyatthu98@gmail.com
https://drive.google.com/uc?id=1RQJF6T06p-jHJdN0yCbhrqMgT7U9AMOK&export=download  yannaingoo0072022@gmail.com
https://drive.google.com/uc?id=1YXMF6d9-TJLvg-EDn-1nPtm6qkIvPMEw&export=download
https://drive.google.com/uc?id=1tyBkJ8gkaQXShYZG53jXwygj5TiVMvNK&export=download
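The sweep script below is an added example and is not code from the original Trend Micro post. It takes a subset of the SHA256 values and the full C&C host list from the tables above, hashes every file under a directory tree and matches the result against the hash set, and scans proxy-style log lines for the listed IPs and domains. The directory layout, the log line format, the detection-name labels used as dictionary keys and the function names are assumptions; the `demo()` function writes a harmless constructed file and registers its own hash under a made-up label so the file-sweep path can be exercised without a real sample. Before using it, extend `FILE_IOCS` with the remaining hashes from the tables.

```python
"""IOC sweep over the Earth Preta hash and C&C indicators listed above.

Added example, not part of the original post. Hash and host values are copied
from the indicator tables; everything else (paths, log format, labels) is an
assumption made for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Subset of the SHA256 values from the tables above, keyed by detection name.
# Add the remaining rows from the tables before using this in a real sweep.
FILE_IOCS = {
    "Trojan.Win32.TONEINS": {
        "3fd8cd848e89e792d3915bfc0b485de80d7615a1422047c589ac0b34f4c9e7b0",
        "10d37878e595e76513156a538c34d23b1533b84f984609b405b84e74a26a7381",
    },
    "Backdoor.Win32.TONESHELL": {
        "a8b31d491f4e7f41e7a7c3aeb35030ba3363dfb34ae74c84b02c25df125db23d",
    },
    "Trojan.Win32.PUBLOAD": {
        "7e2e4943099652a5367ff2c3ee7fc664791cf17a405505514f3660c8dedd6fb0",
    },
    "Trojan.Win32.HIUPAN": {
        "4bdc913cef96b0abd0c1a8231a7961ac901fc9c28f87bba3b8c59e6928c0cda4",
        "12216b083ce2461c338bf571411ab53cd28fc0e3361add69a0b1c6d22b57e9c1",
    },
    "Backdoor.Win32.COOLCLIENT": {
        "6f924de3f160984740fbac66cf9546125330fc00f4f5d2dbf05601d9d930b7d9",
    },
}

# All C&C servers from the list above (IPs and domains), lower-cased for lookup.
NETWORK_IOCS = {
    "23.106.122.81", "38.54.33.228", "212.114.52.210", "158.255.2.63",
    "closed.theworkpc.com", "188.127.237.27", "appcloud.appmdb.com",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_lookup(iocs):
    """Invert {detection: {hashes}} into {hash: detection} for O(1) matching."""
    return {digest: name for name, digests in iocs.items() for digest in digests}


def sweep_files(root, iocs=FILE_IOCS):
    """Walk `root` and return (path, detection, sha256) for every hash match."""
    lookup = build_lookup(iocs)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                digest = sha256_file(p)
            except OSError:          # unreadable or vanished file: skip, keep sweeping
                continue
            if digest in lookup:
                hits.append((str(p), lookup[digest], digest))
    return hits


# Pull out dotted-quad IPs and dotted hostnames; everything else in a log line is ignored.
_HOST_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def sweep_log(lines, iocs=NETWORK_IOCS):
    """Return (line_number, indicator) for every C&C IP or domain seen in `lines`."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _HOST_RE.findall(line):
            if token.lower() in iocs:
                hits.append((n, token.lower()))
    return hits


def demo(tmp_root=None):
    """Constructed demonstration: the sample file and log lines are made up.

    The dummy file's hash is registered under a fake label so the file sweep has
    something to match; it is NOT one of the indicators from the tables.
    """
    root = Path(tmp_root or tempfile.mkdtemp(prefix="ioc_demo_"))
    sample = root / "coreclr.dll"   # file name borrowed from the table, content constructed
    sample.write_bytes(b"not malware: constructed sample for the hash sweep\n")
    iocs = {name: set(d) for name, d in FILE_IOCS.items()}
    iocs["CONSTRUCTED-DEMO"] = {sha256_file(sample)}
    log_lines = [  # constructed proxy-log lines; format is an assumption
        "2023-03-01T10:00:01Z src=10.0.0.12 dst=closed.theworkpc.com:443 action=allow",
        "2023-03-01T10:00:05Z src=10.0.0.12 dst=update.microsoft.com:443 action=allow",
        "2023-03-01T10:01:09Z src=10.0.0.31 dst=23.106.122.81:8080 action=allow",
    ]
    return sweep_files(root, iocs), sweep_log(log_lines)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    for path, name, digest in file_hits:
        print(f"FILE  {name:28} {digest}  {path}")
    for line_no, indicator in log_hits:
        print(f"NET   line {line_no}: {indicator}")
```

Two caveats apply to any sweep built on this list: a hash match only finds byte-identical samples, so a recompiled or repacked loader with a different digest passes silently, and the IPs and domains are point-in-time observations that may be reassigned, so a network hit should be read together with the report's timeframe rather than as proof on its own.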