Necurs - another x64 rootkit - Page 8

Re: Necurs - another x64 rootkit

#28989 by tim
Mon Aug 08, 2016 3:14 pm

Extracted config from above sample

{
    "filepath": "syshost32",
    "url": "/locator.php",
    "version": 24,
    "convertIP": 1,
    "vmCheck": 1,
    "seed": 5,
    "event": "NitrGB"
    "filename": "syshost.exe",
    "domains": [
        "jfbbrj3bbbd.bit"
    ],
    "dnsServers": [
        "178.32.31.41",
        "94.231.81.244",
        "91.213.8.35",
        "151.236.6.6",
        "119.252.20.75",
        "198.100.146.51",
        "192.121.170.170",
        "78.47.34.12",
        "108.61.210.58",
        "109.69.8.34",
        "87.98.175.85",
        "106.186.17.181",
        "107.170.95.180"
    ],
    "p2pKey": {
        "blob": "BgIAAACkAABSU0ExAAgAAAEAAQDnSqoESRdKjV//ystqaWJtjhBExSvYW4XCvfcu6zNPqTD9+UBm+nQkB1xp1oXMeKTkCdqnqHYtz9HrS1JlxuyjjelunHqHRIA4I0QAyqd4g2j5sDTbCPIJgt0wtHs40PJ/j2Xak1rGGibUmnw70GnWSVjjqS6LmS/vcUytW8ECZ2X8Cz9N2sXnlC4qlONXuVKlj2QVl0H1dPgl47WA3+5Bx+xvMSeo5x5/6duthkxC5j+JRzB4M6ql",
        "md5": "6684357313ed921faf70ad77322935bc"
    },
    "httpKey": {
        "blob": "BgIAAACkAABSU0ExAAQAAAEAAQB5+qRbaNnUo+jteL59OVbEmq0ZrkhEwz0oTJrEJfbkb74A+fsARCYCl35yKhmXUefMzQ2DtwA1dAGBkfDkL1uYCtQPV3wbfkmn29MxejQmG+R37YXeb/aRAm3Fsw==",
        "md5": "baf7275215b48d23d49e3bb5b9758e0a"
    }
}

The C2 comes back with 404 Not Found

Username

tim

Posts

Joined

Sat Aug 31, 2013 8:38 am