In this brief analysis I’ll take a look at who’s behind GoatRAT in terms of social media activity, C&C servers and actual personally identifiable information.
Personally identifiable information:
hxxp://bit[.]ly/nubankmodulo
hxxp://goatrat[.]com/apks/apk20[.]apk
Sample hashes (SHA-256 and MD5):
6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7
9a8e85cf1bbd32c71f0efa42ffedf1a0
hxxp://api[.]goatrat[.]com:3008
Social Media:
hxxp://t[.]me/sickoDevz
hxxp://t[.]me/goatmalware
Web site:
hxxp://criminalmw[.]fun
hxxp://clientes[.]criminalmw[.]fun
WhatsApp – +5511987457894
ba5833b49e2c6501f5bbce90b7948a85
Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD
SSL: 94ba7810ece1a1b227e6a5b509c8bb228e7285a1a5cee5f0ee26542783d4b09a
Sample C&C servers:
Sample Photos:
This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2024/01/whos-behind-goatrat.html