
Sunday, February 10, 2013

Trojan 'Nap' aka Kelihos/Hlux status update by DeepEnd Research and samples



FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them have been documented in earlier publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+, current, 2012 onward) associated with Kelihos distribution or Command & Control. The current and most active name servers point to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are themselves fast flux domains. This double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is only a temporary measure. Despite two large takedown attempts (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.
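The double fast flux pattern described above (both the domain's A records and its name servers' A records rotating across many networks with short TTLs) can be surfaced from passive-DNS data. The following is an added example, not code from the DeepEnd Research post: it scores constructed observations, where the ns*.boomsco.com names are the ones mentioned above but the IPs (RFC 5737 documentation ranges), the TTLs and the bad.example / static.example domains are placeholders.

```python
from ipaddress import ip_address

# Constructed passive-DNS observations for illustration only, as (owner, type, rdata, ttl).
# The NS names are the ones named in the post; the IPs are RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("bad.example", "NS", "ns1.boomsco.com", 300),
    ("bad.example", "NS", "ns2.boomsco.com", 300),
    ("bad.example", "A", "192.0.2.10", 120),
    ("bad.example", "A", "198.51.100.7", 120),
    ("bad.example", "A", "203.0.113.44", 120),
    ("bad.example", "A", "192.0.2.200", 120),
    ("ns1.boomsco.com", "A", "203.0.113.9", 180),
    ("ns1.boomsco.com", "A", "192.0.2.77", 180),
    ("ns1.boomsco.com", "A", "198.51.100.3", 180),
    ("ns1.boomsco.com", "A", "203.0.113.120", 180),
    ("ns2.boomsco.com", "A", "192.0.2.77", 180),   # same rotating pool as ns1
    ("ns2.boomsco.com", "A", "198.51.100.3", 180),
    ("ns2.boomsco.com", "A", "203.0.113.9", 180),
    ("ns2.boomsco.com", "A", "192.0.2.150", 180),
    ("static.example", "NS", "ns1.static-dns.example", 86400),
    ("static.example", "A", "192.0.2.5", 3600),
    ("ns1.static-dns.example", "A", "192.0.2.6", 86400),
]

def a_records(observations, name):
    """Return the set of IPs and the smallest TTL seen in A records for `name`."""
    ips, ttls = set(), []
    for owner, rtype, rdata, ttl in observations:
        if owner == name and rtype == "A":
            ips.add(ip_address(rdata))
            ttls.append(ttl)
    return ips, (min(ttls) if ttls else None)

def is_fluxing(observations, name, min_ips=4, min_prefixes=3, max_ttl=600):
    """Flux heuristic: many IPs, spread across several /24 prefixes, with a short TTL."""
    ips, ttl = a_records(observations, name)
    prefixes = {int(ip) >> 8 for ip in ips}  # /24 prefix of each IPv4 address
    return len(ips) >= min_ips and len(prefixes) >= min_prefixes and ttl is not None and ttl <= max_ttl

def classify(observations, domain):
    """'double-flux' when the domain and every NS host flux, 'single-flux', or 'none'."""
    ns_hosts = [r for owner, rtype, r, _ in observations if owner == domain and rtype == "NS"]
    if not is_fluxing(observations, domain):
        return "none"
    if ns_hosts and all(is_fluxing(observations, ns) for ns in ns_hosts):
        return "double-flux"
    return "single-flux"
```

The thresholds are starting points for triage, not a verdict: large CDNs also spread a name over many prefixes, so a hit should be confirmed against the domain's age, registrar and the content served.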

Please read the rest of our post here http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html

You can download the associated binaries (97 files) and pcap below.





Download



Download the file set (97 files, see the listing below). Email me if you need the password
Download the pcap (no password) - for 0C921935F0880B5C2161B3905F8A3069



Files Information


97 files; there are a few variants, and the files are recent and mostly active. The MD5 listing follows in the download.
