Threat Intelligence

I have been working on a malware investigation for a few weeks. A compromised system was suspected of participating in an attack on another system on the internet. Having identified the suspect machine through firewall, wireless system, and other logs, I notified the end user and it was surrendered for a forensic examination.

Using the Live Response Collection tools found on BriMorLabs’ website, I was able to make short work of evidence collection, including disk and memory images. The collection of tools produces a file called netstat_anb_results.txt, the output of netstat -anb: it lists every active connection and listening port on the system along with the executable that owns it.
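As an added example (not the author's tooling and not part of the original post), here is a small Python parser for a netstat -anb capture that groups remote endpoints by owning executable and de-duplicates the IPs, which is the step that turns netstat_anb_results.txt into the two lists further down. The sample capture is constructed: its layout is modelled on real netstat -anb output, and the pairing of cloud.exe and AnonymizerLauncher.exe with particular addresses and ports is invented, not what was observed in this investigation.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample laid out the way `netstat -anb` prints on Windows: each
# connection line is followed by the owning executable in square brackets, with a
# service component name (e.g. RpcSs) on its own line in between for svchost-hosted
# services, and no bracket line for entries netstat cannot attribute (TIME_WAIT).
# The layout is an assumption modelled on real output; the pairing of executables
# with these remote addresses is invented for the example, not what the post observed.
SAMPLE_NETSTAT_ANB = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49712     104.17.65.4:443        ESTABLISHED
 [cloud.exe]
  TCP    192.168.1.20:49713     185.167.164.39:443     ESTABLISHED
 [cloud.exe]
  TCP    192.168.1.20:49720     104.17.65.4:443        TIME_WAIT
  TCP    192.168.1.20:49731     107.151.3.106:80       ESTABLISHED
 [AnonymizerLauncher.exe]
  TCP    192.168.1.20:49740     107.151.3.130:444      SYN_SENT
 [AnonymizerLauncher.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")
NO_OWNER_TEXT = "Can not obtain ownership information"


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::1]:443' -> ('::1', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat_anb(text):
    """Parse netstat -anb output into a list of connection records.

    Each record: proto, local, remote_ip, remote_port, state, owner (None when
    netstat printed no bracket line for the entry).
    """
    records = []
    last = None  # most recent connection record, waiting for its [owner] line
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            remote_ip, remote_port = split_endpoint(foreign)
            last = {"proto": proto, "local": local, "remote_ip": remote_ip,
                    "remote_port": remote_port, "state": state, "owner": None}
            records.append(last)
            continue
        m = OWNER_RE.match(line)
        if m and last is not None and last["owner"] is None:
            last["owner"] = m.group(1)
        elif NO_OWNER_TEXT in line and last is not None and last["owner"] is None:
            last["owner"] = "<unknown>"
        # header lines, blank lines and service component names (RpcSs) are skipped
    return records


def remote_endpoints_by_owner(records, skip_private=True):
    """Map each executable to the sorted routable (remote_ip, remote_port) pairs it talked to."""
    by_owner = defaultdict(set)
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["remote_ip"])
        except ValueError:
            continue  # '*' on UDP sockets
        if addr.is_unspecified or addr.is_loopback or (skip_private and addr.is_private):
            continue  # listeners (0.0.0.0:0) and local traffic
        by_owner[rec["owner"] or "<unattributed>"].add((rec["remote_ip"], rec["remote_port"]))
    return {owner: sorted(pairs) for owner, pairs in by_owner.items()}


def unique_remote_ips(records):
    """De-duplicated remote IPs across all executables, in numeric order."""
    ips = {ip for pairs in remote_endpoints_by_owner(records).values() for ip, _ in pairs}
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_netstat_anb(SAMPLE_NETSTAT_ANB)
    for owner, pairs in remote_endpoints_by_owner(recs).items():
        print(owner, pairs)
    print(unique_remote_ips(recs))
```

Entries in TIME_WAIT carry no bracket line, so they land under <unattributed> rather than being charged to whichever executable happens to print next; that is also where any connection that closed before netstat ran ends up, which is why the memory image and repeated captures are worth more than a single snapshot.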

I found two executables of interest that were making numerous connections to unknown IP addresses:

cloud.exe               SHA-256: 98407b1e2dc4a0899bcf939e0acbb0decf09fc40d39534b43acbf285e6cc02e1
AnonymizerLauncher.exe  SHA-256: 88422956f7cfd37c4cd75b8dd9c7332e9060206059916558855e3e2670e4e07f

I was able to find both of these executables on disk using Autopsy. The interesting thing is that they both evaded Windows 10's built-in antivirus as well as another AV scanner. I was able to identify the infection using two other scanners, which flagged a number of additional artifacts. Below is a hash list of the malicious files identified by the scanners.

b707dd3e001d0b871559467d06d6a26409d7d8789999ddc99ba9d9cd88bb2df8  AGLoader_212118.dll
b707dd3e001d0b871559467d06d6a26409d7d8789999ddc99ba9d9cd88bb2df8  AGLoader_327919.dll
f48f25e9897d49c375533f317304227ff8e417e8086665eb8b814f34ac2f3689  AGService_212120.exe
5318febd4bf291dde9eab892579318b77ab7eace482811138cae7aeda518f6fd  AGUtils_212122.dll
88422956f7cfd37c4cd75b8dd9c7332e9060206059916558855e3e2670e4e07f  AnonymizerLauncher_212124.exe
bdc394b5f85e6dfc9e8fc3c824f20f98be8cc85875002713aeb17f42fba5f7bc  AnonymizerLauncher_327925.exe_bak
ee84a1142a20459421b52f1facb3e0416ff5652389896b4c31af4e263c2d024f  AnonymizerVersion_327927.dll
98407b1e2dc4a0899bcf939e0acbb0decf09fc40d39534b43acbf285e6cc02e1  Cloud_229568.exe
6855333f619e77e0ef6797b040951a9b361687cec623e4e1f6b6bf954a3f6801  Dissp_731163.dll
8db0d6a0e7d0d663515574f48a7da5d65f32742e6263c53d5d8e01ff6af5f10c  DriverDownloader_764289.exe
9e7081de15de0fe336a185844aa61694dde1bd5050f1bb50837d75a7b834400c  DriverEasy_Setup_764291.exe
0cb5bdc4b7a98750e1bd53217e704a14f1f920d22ed6f02c0f16c69cb4c699f1  FreeScreencast_763340.exe
99a207e8683d8da8cf23158906e02b1c737da71954eae39af4ae04295f472ede  MainService_229576.exe
3bfd7fa592888ebdc32ba81847d02ff686dcc2c1f250f7b0cd6c52da9b19d32f  PGChk_229587.exe
c112ac6f594bf25000d5eb714edffb21d9ac04fae68f6dbc6eee6221b116d323  PGCommon_229589.dll
2021c50f11472dd81e95edbaf7397d586e56a8503efe300ad0b8c18bae1ec10c  PGHelp_229591.exe
118c066652ea4fc456554379f5ebbb5ff7dc4fd219f70c6cd233b63e2603bead  PGLog_229593.exe
cda5b73e41ca23bf08c6a142756cbf036d2c6dac8e68ecdb595fef8dd6f1821d  PGNet_229595.exe
b2128dd9831ba6dba165839513fd504c3185874cc8438931490216f832948932  PGUpd_229597.exe
7bc465d81803c8eead31e862d093ee2ebc850e45c9b85202995170e6f28c66ce  ProxyGate_229599.exe
28ebfeea4509b9ce596a14b6c54682617f519a7432ccbee4d8519dadebc69e64  Socket_229603.exe
1e60e9c870d89dbb6160bd9481ef0cd2b98b0d8c65cb029d455cc6337aa1442d  TrafficMonitor_229605.exe
32db72c4fa16fbf624e255bdaed1411d457938c6d74b9fae72de1a6cd9ba49cf  pmls64_229549.dll
21b8579a92a1bb2de3affcaf5c7fb466541bca67f8440e24fde952cc832c72f6  pmls_1174782.dll
21b8579a92a1bb2de3affcaf5c7fb466541bca67f8440e24fde952cc832c72f6  pmls_229547.dll
ec54f7473aafd205879072eaea15ce4939684536b54148b5d3820254dfaaad08  pmph_229553.dll
d06a42dab66a34d08f1d5202d22c97539bb5c97aef4633ea53f00628138bd211  pmropn32_229557.exe
20f7d41cda01b9778088fa2c36e7dd5f9cdecea866d58977984214b9bc68e39c  pmropn64_229559.exe
381b6135bd063c7db60dd9396b541e835f659bfe79ffb7836da5f495fad9f526  pmropn_229555.exe
c63062142c765cf9ae95e36063f85f000fd8f9c2a0e8509f584dae0c296a2c5b  pmservice_229561.exe
792a4199e9b511e2503693865aa5d270882f3788c1fa7ec46a1a6fd4e7449380  proxycheck_328169.exe
aaf972647af71aa3ce48fcddd58198cb7bb1195ef9ec5304020dea8197df6348  proxycheck_328171.exe_bak
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  proxycheck_433554.exe
b77ae66458c9b0735d7db9c367f977381e6fd8d1c0a4a81736643892eca59a25  proxycheck_433571.exe
ab0f5505961e3bdca91edea9baeb166119f43cdc1b9da4d8316f3f2024eba682  proxycheck_625367.exe
ce5091ab9b2e40dbadcf0374df1b34a88c6e5aee23578fc27a85778bd5b0e1da  uninstaller_212126.exe
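Before loading a list like this into a blocklist or a hash set, it is worth auditing it. The Python below is an added example, not part of the original post, run over a constructed subset of the list above (seven lines copied from it plus one deliberately malformed line). It shows two things a practitioner would want to check: the same digest appears under several file names (the two AGLoader_*.dll entries and the two pmls_*.dll entries), which is fine but means the number of files overstates the number of distinct binaries; and proxycheck_433554.exe has digest e3b0c442..., which is the SHA-256 of zero bytes, so that entry is an empty file and must not be blocked on or it will match every empty file on every host.

```python
import hashlib
import re
from collections import defaultdict

# SHA-256 of zero bytes; a list entry with this digest is an empty file, not malware.
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed sample: seven lines copied from the post's list plus one malformed
# line added to exercise the validation path.
SAMPLE_HASH_LIST = """\
b707dd3e001d0b871559467d06d6a26409d7d8789999ddc99ba9d9cd88bb2df8  AGLoader_212118.dll
b707dd3e001d0b871559467d06d6a26409d7d8789999ddc99ba9d9cd88bb2df8  AGLoader_327919.dll
98407b1e2dc4a0899bcf939e0acbb0decf09fc40d39534b43acbf285e6cc02e1  Cloud_229568.exe
21b8579a92a1bb2de3affcaf5c7fb466541bca67f8440e24fde952cc832c72f6  pmls_1174782.dll
21b8579a92a1bb2de3affcaf5c7fb466541bca67f8440e24fde952cc832c72f6  pmls_229547.dll
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  proxycheck_433554.exe
b77ae66458c9b0735d7db9c367f977381e6fd8d1c0a4a81736643892eca59a25  proxycheck_433571.exe
deadbeef  truncated_entry.bin
"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\S.*?)\s*$")


def parse_hash_list(text):
    """Return (entries, rejected): entries are (sha256, filename) pairs, rejected are
    lines whose digest is not exactly 64 hex characters (truncated, MD5, or garbled)."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) != 64:
            rejected.append(line.strip())
            continue
        entries.append((m.group(1).lower(), m.group(2)))
    return entries, rejected


def audit_hash_list(entries):
    """Group by digest, report digests shared by several filenames, flag the
    empty-file digest, and return the de-duplicated digests that are safe to block on."""
    names_by_hash = defaultdict(list)
    for digest, name in entries:
        names_by_hash[digest].append(name)
    duplicates = {d: n for d, n in names_by_hash.items() if len(n) > 1}
    empty = names_by_hash.get(EMPTY_FILE_SHA256, [])
    blocklist = sorted(d for d in names_by_hash if d != EMPTY_FILE_SHA256)
    return {"duplicates": duplicates, "empty_file_entries": empty, "blocklist": blocklist}


def digest_file(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file in one pass, for files carved out of the disk image
    (the attached Autopsy database matches on MD5, the indicators above are SHA-256)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


if __name__ == "__main__":
    entries, rejected = parse_hash_list(SAMPLE_HASH_LIST)
    report = audit_hash_list(entries)
    print("rejected lines:", rejected)
    print("same digest, several names:", report["duplicates"])
    print("empty-file entries (do not block):", report["empty_file_entries"])
    print("unique digests to block:", len(report["blocklist"]))
```

Run it over the full list above rather than the sample to get the real counts; digest_file is there so that a file pulled from the Autopsy image can be checked against both the SHA-256 list here and the MD5-keyed database attached at the end of the post.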

I believe these executables allow an attacker to leverage the victim machine to do whatever the attacker wants. In this case, I believe these machines were used for a credential stuffing attack based on other indicators that I cannot release.

These executables were connecting to over 100 IP addresses. I have de-duplicated the list of IPs and am including it here. It should be noted that it is unknown whether these IPs are malicious or not, but given what I have found on the compromised systems, I believe they are suspect and worth blocking in your environment. These IPs all received a TCP connection from the compromised system, usually on port 443, with a few connections on TCP 80; I also noticed some odd connections using other ports in the 400 range.

104.126.114.7
104.17.65.4
104.18.191.240
104.19.148.8
104.19.150.54
104.19.251.106
104.20.110.39
104.20.130.56
104.20.200.57
104.244.37.20
104.36.115.110
107.151.3.106
107.151.3.130
107.178.240.89
13.249.182.239
13.249.188.21
13.249.188.72
13.249.188.97
13.249.191.91
13.35.78.106
13.35.78.113
13.35.78.124
13.35.78.13
13.35.78.77
13.75.115.40
146.20.128.115
146.20.128.208
146.20.128.45
146.20.128.65
146.20.128.86
146.20.128.93
146.20.132.109
146.20.132.210
146.20.132.65
152.195.19.194
168.61.170.191
172.217.10.2
172.217.10.226
172.217.10.234
172.217.10.34
172.217.11.14
172.217.11.34
172.217.11.46
172.217.12.130
172.217.12.198
172.217.197.156
172.217.3.104
172.217.3.110
172.217.3.97
172.217.6.194
172.217.6.196
172.217.6.230
172.217.7.10
172.217.7.2
173.239.42.214
18.205.118.151
185.167.164.39
185.167.164.47
185.167.164.51
192.243.250.58
192.65.229.35
209.15.224.17
209.205.217.82
23.22.146.48
23.227.138.196
3.136.111.98
3.216.15.254
3.222.101.176
31.13.71.36
31.13.71.7
34.216.95.178
34.251.32.16
34.95.108.35
34.95.113.12
34.95.113.198
35.186.219.42
35.186.236.204
35.190.72.21
35.201.84.63
35.207.24.140
35.227.208.151
35.231.41.163
35.244.186.129
40.79.65.200
50.115.92.11
52.205.105.204
52.23.191.201
52.7.238.61
54.164.134.168
54.175.31.187
54.239.17.112
54.68.182.72
54.86.129.194
54.88.211.144
66.180.64.123
67.220.185.74
69.147.92.11
79.141.165.81
8.41.222.100
98.126.5.106
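Many of the addresses above sit in ranges announced by large CDN and cloud providers, where one IP fronts thousands of unrelated sites, and blocking those would do more damage than the malware. The Python below is an added example, not part of the original post: it sorts a list of observed IPs into block, shared-infrastructure, non-routable and invalid buckets. The prefix table is an assumption of the example, copied from Cloudflare's and Google's published IPv4 ranges at the time of writing and deliberately minimal; the input is a constructed subset of the list above plus one private and one malformed address added to exercise the other branches.

```python
import ipaddress

# Constructed input: seven addresses from the post's de-duplicated list, plus a
# private address and a malformed one added to exercise the other branches.
OBSERVED_IPS = """\
104.17.65.4
104.20.200.57
13.249.182.239
172.217.10.2
185.167.164.39
31.13.71.36
107.151.3.106
10.0.0.5
256.1.1.1
"""

# Prefixes of shared infrastructure where blocking one address takes out unrelated
# services. These entries are an assumption of this example, copied from the
# providers' published IPv4 ranges at the time of writing (Cloudflare and Google).
# Rebuild the table from the current publications, and extend it to the other
# hosting and CDN providers present in the list, before relying on it.
SHARED_PREFIXES = {
    "cloudflare": ["104.16.0.0/13", "104.24.0.0/14"],
    "google": ["172.217.0.0/16"],
}


def build_prefix_table(prefixes):
    """Flatten {provider: [cidr, ...]} into [(provider, ip_network), ...]."""
    return [(provider, ipaddress.ip_network(cidr))
            for provider, cidrs in prefixes.items() for cidr in cidrs]


def classify_ip(ip_text, table):
    """Return (kind, detail): kind is 'invalid', 'non_routable', 'shared' or 'block';
    detail is the provider name for 'shared' and the address text otherwise."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid", ip_text.strip()
    if not addr.is_global:  # RFC 1918, loopback, link-local, reserved
        return "non_routable", str(addr)
    for provider, net in table:
        if addr in net:
            return "shared", provider
    return "block", str(addr)


def triage(text, prefixes=SHARED_PREFIXES):
    """Bucket one address per line; 'block' comes back in numeric order."""
    table = build_prefix_table(prefixes)
    result = {"block": [], "shared": {}, "non_routable": [], "invalid": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kind, detail = classify_ip(raw, table)
        if kind == "shared":
            result["shared"][raw.strip()] = detail
        else:
            result[kind].append(detail)
    result["block"].sort(key=ipaddress.ip_address)
    return result


if __name__ == "__main__":
    for bucket, members in triage(OBSERVED_IPS).items():
        print(bucket, members)
```

Only the block bucket should go to the firewall; the shared bucket belongs on a review list and is better handled by hostname, proxy policy, or the process-level indicators above than by IP, and the invalid bucket catches the kind of transcription error that silently disables a rule.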

I am attaching an Autopsy known-file database that you can load into Autopsy to identify the files listed above. Please note that the database matches on MD5 hashes, whereas the hashes listed above are SHA-256.

suspected_malware.kdb (right-click, Save As; the file is in SQLite format)

MD5: 9536a2b9adc7dae8cf3216c916799cd5

SHA256: 8e497f33b85896f7a8bfc0bf465beb8ca80459ece9f53d30fe5712e97408a487