ThreatActor on Custom Tools, Reverse Engineering, and Threat Research

ThreatActor on Custom Tools, Reverse Engineering, and Threat Researchhttps://blog.xorhex.com/categories/threatactor/Recent content in ThreatActor on Custom Tools, Reverse Engineering, and Threat ResearchHugo -- gohugo.ioenWed, 02 Jun 2021 00:00:00 +0000RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructurehttps://blog.xorhex.com/blog/reddeltaplugxchangeup/Wed, 02 Jun 2021 00:00:00 +0000https://blog.xorhex.com/blog/reddeltaplugxchangeup/<table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Family</td> <td>PlugX - RedDelta Variant</td> </tr> <tr> <td>Threat Actor</td> <td>Mustang Panda</td> </tr> <tr> <td>Encrypted</td> <td>1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600</td> </tr> <tr> <td>Decryption Key</td> <td>0x78, 0x61, 0x6c, 0x72, 0x45, 0x5a, 0x6f, 0x78, 0x43, 0x59, 0x73, 0x71, 0x6c, 0x52, 0x6e, 0x77, 0x78, 0x46, 0x63, 0x43, 0x46</td> </tr> <tr> <td>Key Length</td> <td>21</td> </tr> <tr> <td>Decrypted</td> <td>ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160</td> </tr> <tr> <td>Config C2</td> <td>101.36.125.203:965</td> </tr> <tr> <td>Config C2</td> <td>101.36.125.203:110</td> </tr> <tr> <td>Config C2</td> <td>vitedannews.com:965</td> </tr> <tr> <td>Config C2</td> <td>vitedannews.com:110</td> </tr> </tbody> </table>Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Confighttps://blog.xorhex.com/blog/mustangpandaplugx-2/Thu, 27 May 2021 00:00:00 +0000https://blog.xorhex.com/blog/mustangpandaplugx-2/<table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Family</td> <td>PlugX - Variant: <code>XXXXXXXX</code> Config Check</td> </tr> <tr> <td>Threat Actor</td> <td>Mustang Panda / Red Delta</td> </tr> <tr> <td>Encrypted</td> <td>de0f65a421ce8ee4a927f4f9228f29ff12be69ac71edecb18c35cb5101e4c3cf</td> </tr> <tr> <td>Decrypted</td> <td>2bfd100498f70938dedef42116af09af2db77ef1315edcea0ffd62c93015ddf5</td> </tr> <tr> <td>XOR Decyption Key</td> <td>0x4b, 0x73, 0x51, 0x4f, 0x74, 0x6d, 0x49, 0x68, 0x63, 0x43</td> </tr> <tr> <td>XOR Decryption Key Length</td> <td>10</td> </tr> </tbody> </table>Mustang Panda PlugX - 45.251.240.55 Pivothttps://blog.xorhex.com/blog/mustangpandaplugx-1/Mon, 17 May 2021 00:00:00 +0000https://blog.xorhex.com/blog/mustangpandaplugx-1/<table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Family</td> <td>PlugX</td> </tr> <tr> <td>Threat Actor</td> <td>Mustang Panda</td> </tr> <tr> <td>Encrypted</td> <td>589e87d4ac0a2c350e98642ac53f4940fcfec38226c16509da21bb551a8f8a36</td> </tr> <tr> <td>Decrypted</td> <td>dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4</td> </tr> </tbody> </table>