Suspicious Prometei Botnet Activity

Published: 2024-01-07
Last Updated: 2024-01-07 20:23:34 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

On the 31 Dec 2023, after trying multiple username/password combination, actor using IP successfully loging to the honeypot and uploaded eight files where 2 of them are protected with a 7zip password (updates1.7z & updates2.7z). Some of  these files have been identified to be related to the Prometei trojan by Virustotal. The file sqhost.exe [6] was last found by Talos [7] used with the Prometei botnet as a trojan coin miner. 

Some of the commands run by the actor after successful login.

The files uploaded to the honeypot are a combination of Windows and Linux executables. 

Indicators of Compromize

7z.exe:        ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
7z.dll:           a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
rdpcIip.exe:  f4ac4f735b9ff260a275734d86610dccb8558d1a54c6d6a78a94c33b6aaf6e39 
sqhost.exe:  7affd78df02298ce6e779833bb4f222193e65acf05488de5ba8c5388a3dd8e89
upnpsetup:   0ca3a4c2800f9454cdcbb8398a7ec97b00f90f4234c7c5e48e206a8352d86750 ->  ELF 64-bit LSB executable
updates1.7z: 608b2c8220a595a9766e2fdc5c91899dda635f97bc505e1a41e523aaddb11652
updates2.7z: 6f39d02f27e3241224bb16e4753091b9d4ae2b4d0108a3fde2e3ebad0e1627bf
zsvc:               d470e24adff149f1cb6710d2a005d8c07693ab0159de7cdc5e661c4879e2db58 -> ELF 64-bit LSB executable


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)


Diary Archives