A forum for reverse engineering, OS internals and malware analysis 

 #31912  by r0ny
 Sat Jul 28, 2018 4:49 am
In DarkHydrus’s case, the preferred payloads retrieved in their previous attacks were exclusively open-source legitimate tools which they abuse for malicious purposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a custom PowerShell-based payload that we call RogueRobin.

ref:https://researchcenter.paloaltonetworks ... overnment/

IOCs:
.iqy file: cc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6

bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d

Thanks,