Investigating similarities between .NET RATs

Here are my notes on the latest malware sample using CVE-2019-0541 to target Poland and drop a .NET RAT. I’m going to focus on finding similarities between this case and a previous .NET RAT, connecting to the same IP address, that was dropped by a COVID-19 document.
Name: conhost.exe
MD5: 0acecad57c4015e14d9b3bb02b433d3e
Reference: https://app.any.run/tasks/7b677e50-4515-4958-b53d-5a871e2e97cd/

Firstly, we’ll start the investigation with the older sample, which was used together with a COVID-19 document lure, potentially targeting Ukraine. Unfortunately, at the time I noticed the sample, the C2 wasn’t responding, so we’ll have to stick with the already finished Any.

Article Link: https://w3ndige.com/blog/2020-04-10-investigating-dotnet-rat-similarities/