Forwarded from Exploiting Crew (Pr1vAt3)
Using the webshell, the attackers launched a PowerShell that was then used to download a payload from the following URL:
http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,<machine_name>
The payload is then saved as C:\windows\zsvc.exe and executed. This is the start of the Prometei botnet execution:
Forwarded from Exploiting Crew (Pr1vAt3)
The Prometei Botnet:
When the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:
- It copies itself into C:\Windows with the name “sqhost.exe”
- It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP
- It checks if there is a registry key named “UPlugPlay”, and if present it deletes it
- It sets a registry key for persistence as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay with the image path and command line c:\windows\sqhost.exe Dcomsvc
- It creates several registry keys under SOFTWARE\Microsoft\Fax\ and SOFTWARE\Intel\support\ with the names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different components for C2 communication.
Sqhost.exe:
Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe is able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the command to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd commands, WMI, etc.) or can be used to interact with the other modules of the malware located under C:\Windows\dell.
Forwarded from Exploiting Crew (Pr1vAt3)
Sqhost supports the following commands:
Call - Execute a program or a file
Start_mining - launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Start_mining1 - request C:\windows\dell\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Stop_mining - runs cmd.exe with command: “/c taskkill -f -im SearchIndexer.exe”
Wget - download a file
Xwget - download a file, save it, and use XOR to decrypt it
Quit - terminate the bot execution using TerminateProcess
Quit2 - terminate the bot execution without using TerminateProcess
Sysinfo - collect information about the machine (using native APIs and WMIC)
Exec - execute a command
Ver - return the bot version
Enc - get/set the RC4 encryption key
Extip - return the bot's external IP address
Chkport - check if a specific port is open
Search - search for files by name (potentially crypto currency wallets)
Set_timeout - set a period of time for connecting to C2 server
Touch - open a file
Touch_internal - edit a file with a single byte to change access times
Touch_stop - close a file
Update - update the bot version
Set_Autoexec2 - set an automatic execution
Set_Autoexec1 - set an automatic execution
Set_cc1 - set a C2 server
Set_cc0 - set a C2 server
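Two of the commands above, Xwget (download a file and XOR-decrypt it) and Enc (get/set the RC4 key), name the encodings an analyst has to undo when looking at captured payloads. The helper below is an added example, not code from the post and not Prometei's own code: it implements textbook repeating-key XOR and RC4, plus a single-byte XOR key recovery that works when the decoded file is a Windows executable (the first two plaintext bytes are then the "MZ" header). The key lengths, the sample inputs and the "decodes to a PE" assumption are constructed; the post does not describe how the bot derives or stores its keys.

```python
"""Added example, not from the post and not Prometei's code: undo the two
encodings the sqhost command set refers to, XOR (Xwget) and RC4 (Enc).
Keys and sample data below are constructed; the page does not describe
how the real bot derives or stores its keys."""
from itertools import cycle
from typing import Optional


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """If `blob` is a Windows executable XORed with a single byte, the first
    two plaintext bytes are the 'MZ' header, so the key is blob[0] ^ 'M'.
    Return it only if that key also yields 'Z' at offset 1, else None."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D  # 'M'
    return key if (blob[1] ^ key) == 0x5A else None  # 'Z'


def decode_xwget_blob(blob: bytes) -> Optional[bytes]:
    """Convenience for a captured Xwget download: recover a single-byte key
    and return the decoded bytes, or None if the heuristic does not fit."""
    key = recover_single_byte_xor_key(blob)
    return None if key is None else xor_decode(blob, bytes([key]))


if __name__ == "__main__":
    # Constructed sample: a fake PE header XORed with the constructed key 0x5A.
    sample = xor_decode(b"MZ\x90\x00\x03\x00", bytes([0x5A]))
    print("recovered key:", recover_single_byte_xor_key(sample))
    print("decoded:", decode_xwget_blob(sample))
    print("rc4 check:", rc4(b"Key", b"Plaintext").hex())
```

The RC4 routine is checked against the standard "Key"/"Plaintext" test vector; if a captured blob does not decode under the single-byte heuristic, the key is longer or the payload is not a PE, and a frequency or known-plaintext approach on the real sample is the next step.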
Forwarded from Exploiting Crew (Pr1vAt3)
The attackers attempted to execute C:\Windows\svchost.exe, which is the same file as sqhost.exe, and the attackers named it as svchost in earlier versions, but it wasn’t downloaded in the attack or in existence by this name. The reference for “svchost.exe” resides in different components of the malware, sometimes even in addition to “sqhost”. Our assumption is that it is used either for backwards-compatibility or it is the case that the attackers didn’t bother to change it in some places after renaming the main bot module to “sqhost.exe”.
Sqhost.exe: executed with “-watchdog” parameter, to make sure that it will keep running on the system.
Wmic.exe: was used to perform reconnaissance commands:
- wmic ComputerSystem get Model
- wmic OS get lastbootuptime
- wmic baseboard get product
- wmic os get caption
ExchDefender.exe
Exchdefender tries to masquerade as a “Microsoft Exchange Defender”, a non-existent program that masquerades as a legitimate Microsoft product.
When first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows) with the same command line as seen used with sqhost.exe - “Dcomsvc”:
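Pulling together the host artefacts from this post and the earlier zsvc.exe post (the sqhost.exe Dcomsvc and -watchdog command lines, the netsh rule for sqhost.exe, the UPlugPlay service key, the Fax and Intel\support registry values, the wmic queries, the SearchIndexer taskkill, the dwn.php download and the fake "Microsoft Exchange Defender" service), the following is an added example of detection logic, not code from the original posts. It runs a small rule set over simplified process, registry, service and proxy events and flags a host only when it trips more than one distinct rule, since a lone wmic query or firewall change is routine on its own. The event field names (host, type, cmdline, key, name, url), the netsh syntax in one sample event and all sample events are constructed assumptions.

```python
"""Added example, not from the original posts: flag the Prometei artefacts
quoted in the posts in simplified host telemetry. Event field names and all
sample events are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# (rule name, event type, field to inspect, regex). Patterns are the strings
# quoted in the posts; the post only says netsh adds a firewall rule for
# sqhost.exe, so that regex is deliberately loose about the exact syntax.
RULES = [
    ("sqhost_dcomsvc", "process", "cmdline", r"\\sqhost\.exe\s+dcomsvc\b"),
    ("sqhost_watchdog", "process", "cmdline", r"\\sqhost\.exe\s+-watchdog\b"),
    ("netsh_rule_for_sqhost", "process", "cmdline", r"(^|\\)netsh(\.exe)?\b.*\bfirewall\b.*sqhost\.exe"),
    ("stop_mining_taskkill", "process", "cmdline", r"taskkill\s+-f\s+-im\s+searchindexer\.exe"),
    ("miner_desktop_dat", "process", "cmdline", r"\\dell\\desktop\.dat"),
    ("wmic_recon", "process", "cmdline",
     r"(^|\\)wmic(\.exe)?\s+(computersystem\s+get\s+model|os\s+get\s+(lastbootuptime|caption)|baseboard\s+get\s+product)\b"),
    ("uplugplay_service_key", "registry", "key", r"\\currentcontrolset\\services\\uplugplay(\\|$)"),
    # The post calls these "keys"; telemetry may log them as values. Match the path suffix either way.
    ("c2_registry_values", "registry", "key",
     r"software\\(microsoft\\fax|intel\\support)\\(machinekeyid|encryptedmachinekeyid|commid)$"),
    ("exchdefender_service", "service", "name", r"^(microsoft exchange defender|msexchangedefenderpl)$"),
    ("dwn_php_download", "network", "url", r"/dwn\.php\?b64=1&d="),
]
COMPILED = [(name, etype, field, re.compile(rx, re.IGNORECASE)) for name, etype, field, rx in RULES]


def match_event(event: dict) -> List[str]:
    """Names of every rule the event trips."""
    return [name for name, etype, field, rx in COMPILED
            if event.get("type") == etype and rx.search(event.get(field, ""))]


def scan(events: List[dict]) -> Dict[str, Set[str]]:
    """Distinct rules tripped per host."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            per_host[ev["host"]].add(name)
    return dict(per_host)


def flagged_hosts(events: List[dict], min_distinct_rules: int = 2) -> List[str]:
    """Hosts that trip at least `min_distinct_rules` different rules, sorted.
    The threshold keeps one wmic query from an administrator from paging anyone."""
    return sorted(h for h, rules in scan(events).items() if len(rules) >= min_distinct_rules)


# Constructed sample telemetry: one infected Exchange server, one host with
# only the ExchDefender service and the miner kill, one benign workstation.
SAMPLE_EVENTS = [
    {"host": "ex01", "type": "process", "cmdline": r"C:\Windows\sqhost.exe Dcomsvc"},
    {"host": "ex01", "type": "process",
     "cmdline": r'netsh advfirewall firewall add rule name="x" dir=out action=allow program="C:\Windows\sqhost.exe"'},
    {"host": "ex01", "type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UPlugPlay\ImagePath"},
    {"host": "ex01", "type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Fax\MachineKeyId"},
    {"host": "ex01", "type": "process", "cmdline": "wmic baseboard get product"},
    {"host": "ex01", "type": "network", "url": "http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,EX01"},
    {"host": "ex02", "type": "service", "name": "Microsoft Exchange Defender"},
    {"host": "ex02", "type": "process", "cmdline": r"C:\Windows\System32\cmd.exe /c taskkill -f -im SearchIndexer.exe"},
    {"host": "ws07", "type": "process", "cmdline": "wmic os get caption"},
    {"host": "ws07", "type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

On the sample data ex01 trips six rules and ex02 two, while ws07's single wmic query stays below the threshold. In a real pipeline the string rules would be fed from Sysmon event IDs 1, 7, 12/13 and proxy logs, and the hostname-suffixed dwn.php URL is a useful pivot back to other infected machines.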
Forwarded from Exploiting Crew (Pr1vAt3)
Exchdefender constantly checks the files within the directory C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth, a known directory to be used to host WebShells. The malware is specifically interested in the file “ExpiredPasswords.aspx” which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka OilRig). If the file exists, the malware immediately deletes it.
Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.
Forwarded from Exploiting Crew (Pr1vAt3)
SearchIndexer.exe:
SearchIndexer.exe is an open source Monero mining software (XMRig miner). It is executed with the content from the “desktop.dat” file as a parameter, which contains the mining server and the username for the mining server:
[Image: Content of Desktop.dat]
Following the investigation, it appears that the user is “banned due to reports of botnet mining” from around March 2021, and it’s very likely that the attackers have changed the user already:
Forwarded from Exploiting Crew (Pr1vAt3)
Netwalker.7z
The Netwalker.7z archive downloaded from the C2 178.21.164[.]68 is password protected, using the password “horhor123”. The content of the archive is saved under C:\Windows\dell, together with the other components of the bot. The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a few DLLs, a copy of RdpcIip.exe and a few DLLs used by the bot components.
Forwarded from Exploiting Crew (Pr1vAt3)
RdpcIip.exe:
RdpcIip.exe (with a capital “I” instead of a lowercase “L”) is both downloaded directly by sqhost.exe and is also contained in the Netwalker.7z archive. It is a key component of the malware. It has huge (trust us, huge) functionality with different branches with the main purpose being to interact with other components of the malware and make them work all together.
RdpcIip is responsible for some of the most important functions of the malware - harvesting credentials (using another component called Miwalk.exe) and spreading across the network using the stolen credentials as well as using the SMB exploit EternalBlue and the RDP exploit BlueKeep.
🦑Crypto-bruteforce:
### Overview of Features:
1. Mnemonic Generation and Verification:
   - Generates random BIP39 mnemonic phrases.
   - Verifies mnemonics for Ethereum, BNB, and Dogecoin wallets.
2. Standalone Execution:
   - Comes with precompiled binaries for direct use without needing Python installed.
   - Binaries are available for download in its GitHub releases.
3. Automatic Setup:
   - Automatically installs Python and dependencies (Cryptofuzz, Colorthon, Requests) if missing.
   - Configures the environment for script execution.
4. Open Source:
   - Fully open-source and accessible via GitHub.
---
### Installation & Usage:
#### 1. Standalone Binary:
- Download the binary file: [DumperMnemonic.zip](https://github.com/welugroup/cryptocurency_catcher/releases/download/t/DumperMnemonic.zip)
- Extract and run the program without needing Python installed.
#### 2. Run with Git and Python:
- Clone the repository:
```
git clone https://github.com/welugroup/cryptocurency_catcher
cd cryptocurency_catcher
python DumperMnemonic.py
```
#### 3. Install Python Libraries:
If you prefer manual installation:
```
pip install cryptofuzz
pip install colorthon
pip install requests
pip install requests-random-user-agent
```
Or install from the requirements file:
```
pip install -r requirements.txt
```
#### 4. Running the Script:
- After dependencies are set:
```
python DumperMnemonic.py
```
---
### Potential Uses:
1. Crypto Wallet Testing:
   Generate and test mnemonic phrases for various blockchain networks.
2. Education and Learning:
   Useful for understanding mnemonic creation, address derivation, and seed phrase management.
3. Exploration of Mnemonic Systems:
   Analyze the security and randomness of generated mnemonics.
---
### GitHub Link:
Access the tool and documentation here: [Dumper Mnemonic Repository](https://github.com/welugroup/cryptocurency_catcher)
Forwarded from Exploiting Crew (Pr1vAt3)
Breach Sites / Discovery Tools:
https://github.com/antonlindstrom/passpwn whatbreach h8mail hibp
https://github.com/hmaverickadams/breach-parse
https://github.com/KathanP19/BreachedDataScraper
https://github.com/ofarukcaki/dataleaks
https://github.com/xakepnz/BLUELAY https://github.com/jayyogesh/BaseQuery
https://github.com/artofscripting/PySearchBreachCompilation
https://github.com/chparmley/FB-Breach-Checker
https://github.com/FreiBj/data-breach-formatter
https://github.com/p4wnsolo/EmailPwnCheckerbot ( this is also a great Selenium example )
https://github.com/GihuMendes/breach-parse/blob/main/parser.sh ( parse COMB with simple Python )
https://github.com/SagarSRJ/Breach-Parser ( parse .csv )
https://github.com/davieking1/breachpearser ( parse COMB )
https://github.com/TheFern2/breach-parse.py/tree/main/breach_parse ( parse COMB - looks recent )
https://github.com/FreeZeroDays/breach-rip ( faster COMB parser )
https://github.com/alivirgo/read-a-password-file-huge-lists
https://github.com/martintjj/BreachCompilation ( tools in Breach Compilation - 4 yrs old )
https://github.com/jesusgoku/targz-search ( search .txt files within .tar.gz files )
🦑ChatGPT Jailbreaking prompts, exploits and other fun stuff:
https://gist.github.com/jahtzee/5d02b310b1d39b047664bec20a9be17c