Event 808 (org: CIRCL, date: 2014-05-30, threat level id: 1): Destory RAT malware analysis
Event UUID: 53886ab4-1f14-43b0-a822-41a9950d2109
Event timestamp: 1401622773

Attributes (to_ids: 1 = flagged for IDS export, 0 = not flagged):

ID     Type               Category              to_ids  Value                                                              Comment                                      UUID                                  Timestamp
53457  pattern-in-memory  Artifacts dropped     0       win3dx.DLL                                                                                                      53886cdc-cf58-42af-8eda-40bb950d2109  1401449692
53458  hostname           Network activity      1       microsoft.operaa.net                                                                                            5388797f-f188-4f00-8e93-4210950d2109  1401452927
53460  hostname           Network activity      1       microsoftno.operaa.net                                             Related hostname (via passive acquisition)   538879bc-67c0-4c8a-b0fa-4035950d2109  1401452988
53459  ip-dst             Network activity      1       123.254.104.51                                                                                                  53887993-0318-4375-a010-4bc8950d2109  1401452947
53461  ip-dst             Network activity      1       111.68.10.83                                                       Older IP used for the C&C/proxy in 2013      538879e3-c5e0-4bcb-a9ed-471c950d2109  1401453027
53462  ip-dst             Network activity      1       111.68.10.85                                                       Older IP used for the C&C/proxy in 2013      538879f8-5f00-4fda-bc8a-4213950d2109  1401453048
53616  user-agent         Network activity      1       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;                                                          538b10f6-3c4c-48d5-8c02-488e950d2109  1401622773
53456  filename           Payload installation  0       win3dx.DLL                                                                                                      53886be8-51ac-44aa-b81e-886b950d2109  1401449448
53453  md5                Payload installation  0       801389d08baa4144018460fbe95da5ea                                   Sample A                                     53886b1e-06c0-4588-b163-a35d950d2109  1401449246
53454  sha1               Payload installation  0       c1f8738b3d7ef40177becc0ffde9321a03ef961a                           Sample A                                     53886b57-a3d8-43a7-8f4d-472a950d2109  1401449320
53455  sha256             Payload installation  0       217fe60d2ecea69055f93e86225e3596709f2e1baf458476d340726fdc8d5653   Sample A                                     53886bc8-14d4-4ef4-bf66-4795950d2109  1401449425

Related events:

Event 758 (org: CERT-BUND, date: 2014-05-09, threat level: Undefined): SOGU/PlugX sample from an ongoing compromise of a manufacturing company
  UUID: 536cb845-a184-400f-a11c-ac48950d2109, timestamps: 1399634277, 1399634420

Event 12 (orgs listed: CIRCL, MIL.be; date: 2012-03-27, threat level: Undefined): Command and control in the 5th domain
  UUID: 4f71b658-f864-4413-a865-05da0a000b01

Event 75 (org: CIRCL, date: 2012-02-13, threat level: High): Another on-going RAT campaign
  UUID: 4f75a819-b100-48b3-be8f-49b30a000b01, timestamp: 1374591275

Version: 2.2.0