Optimizing IOC Retention Time

Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs?

An IoT botnet study from 2022 found that 90% of C2 servers had a lifetime of less than 5 days and 93% had a lifetime shorter than 14 days. Additionally, a recent writeup from Censys concludes that the median lifespan of Cobalt Strike C2 servers is 5 days. Both these studies indicate that IP and domain name indicators are short lived, yet many organizations cling on to old IOCs for much longer than so. Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.

Pyramid of Pain

David J. Bianco's pyramid of pain illustrates how much pain is caused to an adversary if their malicious actions are hindered by defenders blocking various indicators.

Indicators at the bottom of the pyramid are trivial for an adversary to replace, which is why IOCs like hashes and IP addresses tend to be very short lived. The indicator types close to the pyramid’s base are also the ones that typically are shared in threat intel feeds.

It would be nice to detect adversaries with indicators higher up in David’s pyramid of pain, but it is often difficult to craft reliable detection mechanisms for such indicators. The simple indicators at the bottom, like domains, IPs and hashes, are on the other hand very exact and practical for us defenders to work with. So in this sense the pyramid of pain applies to defenders as well, where indicators at the bottom are trivial to use and the complexity increases as we go further up. In this sense the Pyramid of Pain can also be viewed as the “Pyramid of Detection Complexity”.

Chasing Ghosts

Many IOCs are “dead” even before you get them. This IOC delay is particularly noticeable when looking at writeups of malware and botnets published by security researchers, in which the IPs and domain names shared in their IOC lists often haven’t been used for several weeks by the time the report gets published. It’s understandable that it takes time to reverse engineer a new piece of malware, compose a blog post and to get the writeup approved for publishing. Nevertheless, those old IOCs often get picked up, redistributed, and used as if they were fresh indicators. Recorded Future observed a 33-day average lead time between when their scans found a C2 server and when it is reported in other sources. Thirty-three days! Only a very small fraction of those C2 servers can be expected to still be active by the time those IOCs are shared by various threat intel providers. All the other C2 servers are dead indicators, or “Ghost IOCs” as I like to call them. Attempting to detect such Ghost IOCs in live network traffic is a waste of resources.

IOC Costs

Most network intrusion detection systems (IDS) only support a certain number of active rules or signatures, which effectively limits the number of IOCs you can look for. Other products charge the user based on the number of monitored IOCs. As an example, Tostes et al.’s paper covering the shelf life of an IOC says that Azure Sentinel Threat Intelligence charges $2.46 per ingested GB. This type of direct cost can then be compared to the cost of not alerting on a known malicious IOC that has timed out. Simplified comparisons like this typically result in poor and misleading guidance to keep using IOCs for much longer than necessary, often hundreds of days or even perpetually.

One important factor that is missing in such simplified reasoning is the cost for false positive alerts, which increases significantly when monitoring for ghost IOCs. An IP address that is being used as a botnet C2 server one week might be running a totally legitimate service another week. The risk for false positives is smaller for domain names compared to IP addresses, but hacked websites is one example where domain names often cause false positive alerts as well. One common cause for such domain IOC false positives is the frequent misuse of hacked websites for malware distribution. Such illicit use is often detected and rectified within a couple of days, in particular when this happens to a website belonging to a medium to large sized company or organization. Alerting on DNS based IOCs for a long time after last confirmed sighting therefore also increases the risk for false positives.

The cost of false positives is difficult to estimate, as it involves the time analysts spend in vain trying to verify if a particular alert was a false positive or not. Too many false positives can also cause alert fatigue or alarm burnout, much in the same way as in Aesop’s ancient fable about the boy who cried wolf.

This implies that monitoring for too many old IOCs actually increases the risk of actual sightings of malicious indicators being missed or overlooked due to alert fatigue. This line of thinking might seem contradictory and is often overlooked in research related to the shelf life of indicators. I would personally prefer to use an IOC scoring model that aims to reduce the number of false positives rather than using one that attempts to minimize the direct cost of IOC monitoring.

Pruning old IOCs

RFC 9424 states that “IOCs should be removed from detection at the end of their life to reduce the likelihood of false positives”. But how do we know if an IOC has reached end of life?

I’ve previously mentioned that researchers have found that most C2 servers are used for 5 days or less. The optimal number of days to monitor for an IOC depends on several factors, but in general we’re talking about a couple of weeks since last sighting for an IP address and maybe a little longer for domain names. The obvious exception here is DGA and RDGA domains, which typically have a lifetime of just 24 hours.

The research paper Taxonomy driven indicator scoring in MISP threat intelligence platforms introduces an interesting concept, where a score is calculated for each IOC based on factors like confidence, age and decay rate. The IOC can be considered dead or expired when the score reaches zero or if it goes below a specified threshold. The following graph from the MISP paper shows an example of how the score for an IP address IOC could decay over time.

Image: Figure 8 from Taxonomy driven indicator scoring in MISP threat intelligence platforms

Recommendations

• When publishing IOCs, make sure to also include a date for when it was last confirmed to be active, aka “last seen”.
• Ask your threat intel vendor if they can provide a last seen date for each of their indicators, or if they have some other way to determine the freshness of their indicators.
• Ensure that the IOCs you monitor for are pruned based on age or freshness to reduce the risk (and cost) for false positives.
• Prioritize long lived IOCs over short lived ones, for example by striving to use indicators higher up in the pyramid of pain, but only when this can be done without increasing the false positive rate.

Posted by Erik Hjelmvik on Thursday, 06 November 2025 12:05:00 (UTC/GMT)

Tags: #IOC​ #IDS​ #ASCII-art​

Online Network Forensics Class

I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network traffic from hackers and malware.

The training is split into four interactive sessions running from 13:00 to 17:00 CET (7am to 11am EDT), so that you have the other half of the day free to either practice what you learned in class or catch up with your normal job routine. The number of attendees is limited in order to provide a good environment for taking questions. A maximum of 15 attendees will be accepted. The registration will be closed once we reach this attendee limit.

📅 Dates: February 23-26 (4 days)
⏲️ Time: 13:00 to 17:00 CET (7am to 11am EDT)
💸 Price: € 920 EUR per student (828 EUR if registering before January 31)

The target audience is blue teams, incident responders and SOC analysts. The training has also been greatly appreciated by law enforcement digital forensics investigators who have taken it in the past.

Training Content

We will analyze a 14 GB PCAP data set captured on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices. As you’ve probably guessed, the capture files contain traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack! In this training you'll get hands-on experience analyzing PCAP files containing C2 and backdoor protocols, such as Cobalt Strike, TrickBot, njRAT and Meterpreter.

See our training page for more info about the “Network Forensics for Incident Response” class.

To sign up for the class, simply send an email to sales@netresec.com with your name and invoice address. We will then send you a PayPal payment link that you can use to complete your training registration.

Hope to see you there!

Cheers,
Erik Hjelmvik
Creator of NetworkMiner and founder of Netresec

Posted by Erik Hjelmvik on Monday, 20 October 2025 05:30:00 (UTC/GMT)

Tags: #Training​ #network forensics​ #PCAP​

Gh0stKCP Protocol

Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0.

@Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to take a closer look at the protocol, so I downloaded the PCAP from any.run and opened it with CapLoader. To my surprise CapLoader claimed that the C2 traffic was using a known protocol called “KCP”.

The protocol detection feature in CapLoader compares traffic in TCP and UDP sessions to statistical models of known protocols. This means that no protocol specification or RFC is required to identify a protocol. All that is needed is some example traffic to build a protocol model from (see this XenoRAT detection video for a demonstration of this feature). In this case CapLoader’s KCP protocol model was built from UDP based C2 traffic from PseudoManuscrypt, which was reported to have been using KCP.

What is KCP?

KCP is a UDP based protocol designed as a low-latency alternative to TCP. The protocol was created by Lin Wei in the early 2010s, primarily to transport p2p voice chat audio in games. The protocol is, however, very generic and can be used to transport basically any type of data. The KCP protocol specification includes the following packet structure:

The first field “conv” is a 32 bit (4 byte) unique ID for a KCP session. This conversation ID is used to uniquely identify a connection and will remain constant throughout the connection. KCP doesn’t include any handshake mechanism for establishing new sessions, which means that KCP endpoints typically start transmitting payload data already in the first KCP packet.

The Gh0stKcp Protocol

The UDP based KCP C2 protocol used by PseudoManuscrypt as well as the ValleyRAT C2 traffic that CapLoader reported being “KCP” both deviated from the original KCP specification in several ways. For instance, KCP packets have a 24 byte header, which means that packets shorter than 24 bytes can’t be KCP. In fact, the KCP source code actually ignores UDP packets that carry less than 24 bytes of payload. Yet, both the PseudoManuscrypt and ValleyRAT UDP C2 traffic initially transmit several 12-byte packets.

Image:Flow transcript of Gh0stKCP traffic in CapLoader

These 12-byte Gh0stKCP handshake packets are generated by an open source library called HP-Socket, which includes a custom Automatic Repeat reQuest (ARQ) handshake mechanism.

The following behavior can be deduced by examining UDP traffic from Valley RAT or by analyzing the UDP handshake mechanism in HP-Socket's ArqHelper.h.

The client (bot) starts by sending an empty UDP packet to the C2 server, followed by a UDP packet carrying a 12 byte payload structured like this:

The first four bytes can be decoded as follows:

• 4f bb = Magic bytes
• 01 = Handshake command
• 00 = Handshake is not completed

The “xx” bytes represent a KCP conversation ID (conv) proposed by the bot. This initial handshake packet can easily be detected and alerted on with the following Suricata IDS signature:

The C2 server also transmits a UDP packet containing a 12 byte handshake using the exact same structure as the client. However, the C2 server proposes a 32 bit conversation ID of its own. In “normal” KCP implementations the client and server agree on a single shared conversation ID, but Gh0stKCP actually uses one separate ID for each direction. This allows the server to transmit its handshake packet without having seen the client’s handshake.

The “yy” bytes represent the C2 server’s 32-bit conversation ID (conv).

The communicating parties frequently re-transmit this initial handshake packet until they have received a handshake from the other end.

Upon receiving the other end’s handshake both the bot and C2 server acknowledge the other end’s conversation ID with a UDP packet carrying the following 12 byte payload:

Where “xx” is the sender’s conversation ID and “yy” is the other end’s conversation ID. After having received the other end’s acknowledgment packet both parties additionally transmit a final ack packet, indicating that the handshake is completed and they will start communicating using KCP. This final ack packet is identical to the previous one, except the fourth byte (handshake complete flag) has changed from 0x00 to 0x01.

From this point on Gh0stKCP communicates using the KCP protocol, with the exception that each end transmits packets using their own conversation ID rather than a common ID. The KCP traffic that follows can therefore be parsed and inspected in Wireshark with help of a KCP Lua parser, such as CandyMi’s kcp_dissector.lua.

Image: KCP traffic from ValleyRAT sample any.run in Wireshark

Finally, the Gh0stKCP session is terminated by sending a UDP packet containing the following hard coded 16 bytes:

This unique byte sequence is defined in HP-Socket as s_szUdpCloseNotify, which can be detected with the following Suricata IDS signature:

Hole Punching in NAT Firewalls

The elaborate handshake procedure used by Gh0stKCP introduces a significant delay before the C2 session is established. The handshake takes up to 500ms to complete, which is much slower than a normal TCP 3-way handshake. KCP is typically used because of its low-latency properties, but the handshake routine ruins any chance for quick establishment of Gh0stKCP sessions.

The intricate ARQ handshake routine does, however, allow for hole punching in firewalls, aka “NAT traversal”, which enables the protocol to be used for peer-to-peer communication. This p2p-enabling property could potentially be used to relay C2 communication through one or several bots, even if those bots are behind separate NAT firewalls.

Detecting Gh0stKCP with Snort and YARA

CapLoader can detect when the KCP protocol is used. However, only a few security analysts have a CapLoader license. We have therefore decided to release Surucata signatures and a YARA rule that can be used to detect Gh0stKCP.

The Suricata signatures included in this blog post can also be downloaded from here:
https://github.com/Netresec/Suricata/blob/main/netresec.rules

Our Gh0stKCP YARA rule is based on Steve Miller’s “RareEquities_KCP” rule, from Mandiant’s 2020 blog post APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Steve’s original YARA rule provides generic detection of software that uses the original KCP library. We’ve extended that rule to also look for HP-Socket’s characteristic 16-byte close command.

https://github.com/Netresec/YARA/blob/main/Gh0stKCP.yar

IOC List

Many of the IOCs in the list below are old, which is why you might not want to use them for alerting. They are included here primarily for researchers and analysts who wish to perform retrohunting to discover malware samples that use GhostKCP.

2021 (PseudoManuscrypt)

• UDP 34.64.183.91:53
• UDP 34.97.69.225:53
• UDP 160.16.200.77:53
• UDP 167.179.89.78:53
• UDP 185.116.193.219:53
• UDP 198.13.62.186:53
• UDP email.yg9[.]me:53
• UDP facebook.websmails[.]com:53
• UDP google.vrthcobj[.]com:53

2022 (PseudoManuscrypt)

• UDP 34.142.181.181:53

2025 (ValleyRAT / Winos4.0)

• UDP 27.124.3.234:8443
• UDP 43.133.39.217:80
• UDP al17[.]tk:80
• UDP xiaoxiao.fenghua678.eu[.]cc:8443

Attribution

Use of ValleyRAT is often attributed to the APT group Silver Fox (银狐), but ValleyRAT and Gh0stKCP could be used by other threat actors as well.

Posted by Erik Hjelmvik on Wednesday, 24 September 2025 09:40:00 (UTC/GMT)

Tags: #CapLoader​ #Suricata​

Define Protocol from Traffic (XenoRAT)

This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similar to what it was trained on. We call this Port Independent Protocol Identification (PIPI). You don’t need to define all protocols this way though since CapLoader can detect hundreds of different protocols out of the box using PIPI.

The protocol identified in the video is the XenoRAT command-and-control (C2) protocol. The identification was based on a sandbox execution of XenoRATClientScript.js on ANY.RUN. The protocol model was then tested on a PCAP file from a XenoRAT execution on Triage.

IOC List

• Url: hxxps://raw.githubusercontent[.]com/NTCHuy/hack/refs/heads/main/Client.exe
• MD5: e0b465d3bd1ec5e95aee016951d55640
• MD5: 5ab23ac79ede02166d6f5013d89738f9
• C2: Huy1612-24727.portmap[.]io:24727
• C2: 193.161.193.99:24727
• C2: 147.185.221.30:54661

Posted by Erik Hjelmvik on Thursday, 21 August 2025 12:50:00 (UTC/GMT)

Tags: #CapLoader​ #PIPI​ #ANY.RUN​

PureRAT = ResolverRAT = PureHVNC

PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else’s PC. PureRAT provides the following features to an attacker:

• See the victims user interface
• Interact with the victim PC using mouse and keyboard
• View the webcam
• Listen to the microphone
• Record keystrokes
• Upload and download files
• Proxy network traffic through victim

What the PureRAT user interface looks like to the attacker

PureRAT is the exact same malware as what Morphisec and others call ResolverRAT. PureHVNC, on the other hand, is the predecessor to PureRAT. These three malware names are all used by threat intel companies and researchers when referring to the same malware family. We will call this malware family “PureRAT” in this blog post.

Indicators of PureRAT

Malware analysts might recognize PureRAT through properties like these ones:

• Loader is a .NET executable obfuscated with Eazfuscator.NET
• Payload is AES-256 encrypted in CBC mode
• Payload is gzip compressed
• Extracted PureRAT payload is a DLL
• PureRAT DLL is packed with .NET Reactor
• A handler is registered for the ResourceResolve event to inject a malicious .NET assembly

See analysis by eSentire, Morphisec, Kaspersky, Fortinet and 0xlibris for more reverse engineering details on PureRAT and related software from the PureCoder developer(s).

Another way to identify the malware is to run it in a sandbox and inspect the network traffic. The following characteristics are typical indicators of PureRAT:

• C2 TCP port is often 56001, 56002 or 56003
• Client (bot) first sends 04 00 00 00 (in hex), followed by a TLS handshake
• Client and server run TLS 1.0
• X.509 cert is self signed
• X.509 cert expires 9999-12-31 23:59:59 UTC

As you can see in the flow transcript above, CapLoader currently identifies this traffic as “ResolverRAT”. This detection will most likely be changed to “PureRAT” in future versions of CapLoader.

IOC List

Here are some IP:port tuples for C2 servers used by recent samples of PureRAT:

• 193.26.115.125:8883
• purebase.ddns[.]net:8883
• 45.74.10.38:56001
• 139.99.83.25:56001

Posted by Erik Hjelmvik on Tuesday, 12 August 2025 15:43:00 (UTC/GMT)

Tags: #PureCoder​

PureLogs Forensics

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share.

PureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this file:

hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf

This file isn’t really a PDF though, but more on that later. Here’s a CapLoader screenshot with some interesting flows from the infection:

The PCAP in the screenshot above comes from a sandbox execution on any.run of a file called BSN100357-HHGBM100002525.exe.

Here’s a breakdown of what happens behind the scenes in this execution:

1. Dropper connects to www.vastkupan[.]com (DNS and TLS flows).
2. A fake PDF (Daupinslenj.pdf) is downloaded over HTTPS.
3. The fake PDF is decrypted to a DLL (PureLogs), which is stored in memory.
4. InstallUtil.exe is started.
5. The PureLogs DLL is injected into the running InstallUtil process.
6. PureLogs connects to C2 server at 91.92.120.101:65535

The same dropper has also been run on JoeSandbox, with almost identical behavior. The vastkupan.com website belongs to a legitimate company (Västkupan Fastigheter).

The PDF that Wasn’t

This is what the downloaded “PDF” looks like:

So, what’s up with all that “171171” data? Let’s XOR with “711” and see what we get.

The downloaded PDF turns out to be a .NET DLL file with MD5 38d29f5ac47583f39a2ff5dc1c366f7d. This is the file that was injected into the otherwise legitimate InstallUtil process. Some PureLogs droppers use RegAsm.exe instead of InstallUtil though (see JoeSandbox and any.run).

IOC List

Droppers (MD5):

• 711d9cbf1b1c77de45c4f1b1a82347e6
• 6ff95e302e8374e4e1023fbec625f44b
• e6d7bbc53b718217b2de1b43a9193786
• a9bc0fad0b1a1d6931321bb5286bf6b7
• 09bb5446ad9055b9a1cb449db99a7302

Dropper TLS handshake signatures:

• JA3: 3b5074b1b5d032e5620f69f9f700ff0e
• JA4: t12d210700_76e208dd3e22_2dae41c691ec

Payload URLs:

• hxxps://www.vastkupan[.]com/wp-admin/js/Cicdwkknms.pdf
• hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf
• hxxps://www.new.eventawardsrussia[.]com/wp-includes/Ypeyqku.pdf

Payloads (MD5):

• ab250bb831a9715a47610f89d0998f86 (Cicdwkknms.pdf)
• cec53e8df6c115eb7494c9ad7d2963d4 (Daupinslenj.pdf)
• eedc8bb54465bd6720f28b41f7a2acf6 (Ypeyqku.pdf)

Decrypted payloads:

• MD5: 38d29f5ac47583f39a2ff5dc1c366f7d
• SHA1: fc8b0ee149027c4c02f7d44cc06cade3222bb6b6
• SHA256: 8d7729ca0b25a677287076b4461304a21813e6f15053e190975512e58754988f

PureLogs C2:

• 91.92.120.101:62520 (old)
• 91.92.120.101:65535 (new)

Update 2025-07-16

Additional PureLogs payloads have been found on vastkupan.com.

Payload URLs:

• hxxps://www.vastkupan[.]com/wp-admin/js/Cxqyoub.dat
• hxxps://www.vastkupan[.]com/wp-admin/js/Qlwxqgsag.dat

Cxqyoub.dat is decrypted by XOR-ing with "414".

Qlwxqgsag.dat is a DLL with reversed content.

Payloads (MD5):

• 22a304ea9c006e2ccb2f6110c4d3f53f (Cxqyoub.dat)
• d5b6607ee4718506eb4970c02cf286cd (XOR decrypted DLL from Cxqyoub.dat)
• 062d2a5906fac4c2ef07c6b43141e19c (Qlwxqgsag.dat)
• 40624de03bc3c53331b6e903d9e3860f (DLL from reversed Qlwxqgsag.dat)

C2 server:

• 91.92.120.102:62050

See JoeSandbox and any.run for sandbox executions of the dropper aa06d06ddb6d3801c70cc1991f393112 (retrieves Cxqyoub.dat), and JoeSandbox and any.run for c45a95dc7ebc8c78217cd996a8f6dda7 (gets Qlwxqgsag.dat).

Update 2025-07-21

Yet another PureLogs payload found on vastkupan.com.

• Dropped by: 031a9c2f44881f4db1c6f6d88a540206
• URL of encrypted DLL: hxxp://www.vastkupan[.]com/wp-admin/js/Kplbc.pdf
• Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
• C2: 65.108.24.103:62050

Sandbox executions are available on JoeSandbox and any.run.

Update 2025-07-30

Additional encrypted PureLogs DLLs found on vastkupan.com

• Dropped by: 67861615d765d0c59d65e8d4454e5ffc
• URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Qytqk.pdf
• Encrypted DLL MD5: 668a42bdfd253e0d54716cd115479b9f
• C2: 91.92.120.102:62050 (same as Cxqyoub.dat and (Qlwxqgsag.dat)

• Dropped by: 031a9c2f44881f4db1c6f6d88a540206
• URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Kplbc.pdf
• Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
• C2: 65.108.24.103:62050

• Dropped by: 07ff4006101f117aa4f198c984a45137
• URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Pnnvrpjewlq.vdf
• Encrypted DLL MD5: 98cf831688941cc8bccfe1e8a33c9c16

• Dropped by: a1fd8053b49442028d66e3adea550d19
• URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Niose.wav
• Encrypted DLL MD5: 067086aff11080357b92931e96ecebae

• Dropped by: 3cf704e64cbba6560663ec45ce2dabc2
• URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Frfkft.vdf
• Encrypted DLL MD5: c9bac721c9b6f2900fd3d8ed922bc759
• C2: 91.92.120.101:7705

• Dropped by: 486d6c9cbdb638f9d574c58459676ed9
• URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Skrcygatz.dat
• Encrypted DLL MD5: a3cf5108315a06d564c97c8367994fd1
• C2: 216.250.252.231:2080

Update 2025-07-31

Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops PureLogs.

• Filename: New PO 102456688.exe
• MD5: b2647b263c14226c62fe743dbff5c70a
• C2: 147.124.219.201:65535

See executions on Tria.ge and any.run for details.

Posted by Erik Hjelmvik on Wednesday, 02 July 2025 11:52:00 (UTC/GMT)

Tags: #PureLogs​ #PureCoder​ #3b5074b1b5d032e5620f69f9f700ff0e​ #JoeSandbox​

CapLoader 2.0.1 Released

This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader.

IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, aren’t malicious, but malware often use such services to find out what the public IP address is of an infected machine. As Tony Robinson points out, in his recent External IP Lookup Rules post, malware does so to check for internet connectivity and determine the country of the infected PC. But I’ve also observed a third reason, which is when the threat actor resolves the victim’s public IP to then query a DNSBL service and check the IP’s reputation. I believe the DNSBL lookup is performed to evaluate the success rate of sending spam, such as emails with malicious attachments or links, from the victim PC.

If you want to learn more about how TrickBot used DNSBL then read GoSecure’s TrickBot […] and Spamhaus blog post or sign up for one of my network forensics training sessions.

Improved Protocol Detection

The precision of CapLoaders built-in port independent protocol identification has been improved and a few additional protocols can now be detected, including Interlock RAT.

Bug Fixes

The following bugs fixes and feature updates are included in this release:

• Better handling of corrupt PCAP files
• Fixed periodicity measurement inconsistency for services with more than 100 flows
• Fixed parsing bug for duplicate QUIC packets
• Improved speed and reliability of auto-extract PCAP from selection
• ThreatFox API updated to use abuse.ch Auth-Key

Posted by Erik Hjelmvik on Tuesday, 01 July 2025 13:48:00 (UTC/GMT)

Tags: #CapLoader​ #TrickBot​ #DNSBL​

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware.

The PureLogs protocol detection was added to CapLoader in the recent 2.0 release.

The PCAP file analyzed in the video is from Brad Duncan’s fantastic malware-traffic-analysis.net website.

Indicators of Compromize (IOC):

• mxcnss.dns04.com:7702
• 176.65.144.169:7702

Posted by Erik Hjelmvik on Monday, 09 June 2025 14:26:00 (UTC/GMT)

Tags: #CapLoader​ #PureLogs​ #malware-traffic-analysis.net​ #PIPI​