crypter - X-Industry - Red Sky Alliance
2024-03-28T19:27:08Z
https://redskyalliance.org/xindustry/feed/tag/crypter
Possible Identity of a Kuwaiti Hacker NYANxCAT
https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat
2020-10-19T16:38:36.000Z
Yury Polozov
https://redskyalliance.org/members/YuryPolozov
<div>
<p><a href="{{#staticFileLink}}8051471253,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8051471253,RESIZE_400x{{/staticFileLink}}" width="250" alt="8051471253?profile=RESIZE_400x" /></a>NYANxCAT is a prolific hacker who programs new pieces and versions of malware, shares them widely, and records blackhat hacker educational YouTube videos that have over 150,000 views. He maintains a GitHub repository and sells his hacker tools and services for PayPal and Bitcoin. In this report, we discuss some samples of NYANxCAT malware, his business models, and his possible Kuwaiti identity.</p>
<p style="text-align:center;"><em>Figure 1. NYANxCAT GitHub logo</em></p>
<p><strong>NYANxCAT Hacker Profile</strong></p>
<p><strong>Name:</strong> Possible name: Hmoud [Humooud] Meshal Aljraid [Al-Jerid].</p>
<p>Possible name in Arabic: حمود الجريّد.</p>
<p><strong>Location:</strong> Likely location: Kuwait.</p>
<p>Possible address: ST 58 HOUSE# 8, Jahra, Kuwait.</p>
<p><strong>Aliases:</strong> NYANxCAT, NYAN-x-CAT, NYAN_x_CAT, NYAN CAT, nyancat, NC, humooud.m, HumoudMJ, hmj_7, bomish3l.</p>
<p><strong>Email: </strong> humooud.m@gmail.com, NYANxCAT@protonmail.com, NYANxCAT@pm.me</p>
<p><strong>Profiles: </strong> github[.]com/NYAN-x-CAT “NYAN CAT”.</p>
<p>twitter[.]com/NYAN_x_CAT “n”, joined June 2016, posts starting July 2019.</p>
<p>twitter[.]com/HumoudMJ, joined December 2009.</p>
<p>Google ID: 106720573170316530671.</p>
<p>youtube[.]com/c/NYANCATx/about, started Nov 20, 2018.</p>
<p>youtube[.]com/c/Bomish3l/, active 2013-2017.</p>
<p>pastebin[.]com/u/NYANxCAT PRO account started January 2018.</p>
<p>sellix[.]io/NYANxCAT.</p>
<p>Discord: NYANxCAT#0662 (Lime Server: 388 members).</p>
<p><strong>Bitcoin:</strong> 12DaUTCemhDEzNw7cAFg9FndzcWkYZt6C8, 1jVe7d8GQB8z2ZqK6U8SCYAgeCJuYxaFo.</p>
<p><strong>Hacker forums:</strong> hackforums[.]net, cracked[.]to.</p>
<p><strong>Programming languages:</strong> C#, Visual Basic .NET, JavaScript.</p>
<p><strong>Programmed: </strong> LimeCrypter, VBS-Shell, Bitcoin Address Grabber v0.3.5, Lime-Miner, Lime-Dropper-1, Dropless-Malware v0.1, Csharp-Loader, Anti Analysis v0.2, Disable Windows Defender v1.1.</p>
<p><strong>Edited/improved:</strong> Revenge-RAT v0.3, Neshta 1.0.</p>
<p><strong>Languages: </strong> English, Arabic.</p>
<p><strong>Details</strong></p>
<p><strong>NYANxCAT Possible Identity </strong></p>
<p>NYANxCAT stays under the radar of Google/YouTube, PayPal, GitHub and other services by claiming that his blackhat hacking videos, tools, and malware are only “for educational purposes.” At the same time, he hides his real-life identity behind aliases. During his recent hacker career he has also used privacy-oriented services such as ProtonMail for communication and Bitcoin for donations and payments. Despite these measures, Red Sky Alliance analysts were able to analyze NYANxCAT’s communications and identify a possible hint to his real identity:</p>
<p><a href="{{#staticFileLink}}8051519295,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051519295,RESIZE_710x{{/staticFileLink}}" width="400" alt="8051519295?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 2. NYANxCAT hacking video and a PayPal donation link</em></p>
<p>Some of NYANxCAT’s hacking videos carried a PayPal donation link given via a URL shortener: bit[.]ly/2B07Jaa (Figure 2).<a>[1]</a> This link is connected to the PayPal hosted button id UEAXKSXDFJ2X6 and exposes the email address humooud.m@gmail.com (Figure 3).</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}8051521082,RESIZE_584x{{/staticFileLink}}"><img src="{{#staticFileLink}}8051521082,RESIZE_584x{{/staticFileLink}}" width="258" alt="8051521082?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;"><em>Figure 3. NYANxCAT linked PayPal page exposes his personal Gmail address</em></p>
<p>Analysis of past uses of humooud.m@gmail.com shows that this email address was used in 2017 to register the domain odin-samsung[.]com. The WHOIS records expose a possible NYANxCAT identity, Hmoud Aljraid, and his possible address in Jahra, Kuwait (Table 1).</p>
<p>Table 1. WHOIS historic record includes NYANxCAT’s email address</p>
<table>
<tbody>
<tr>
<td width="247">
<p>Domain Name:</p>
</td>
<td width="199">
<p>odin-samsung[.]com</p>
</td>
</tr>
<tr>
<td width="247">
<p>Time Period:</p>
</td>
<td width="199">
<p>2017-02-09 – 2018-02-12</p>
</td>
</tr>
<tr>
<td width="247">
<p>Registrant Name:</p>
</td>
<td width="199">
<p><strong>Hmoud Aljraid</strong></p>
</td>
</tr>
<tr>
<td width="247">
<p>Registrant Address:</p>
</td>
<td width="199">
<p>ST 58 HOUSE# 8 Jahra KU 65852 KW</p>
</td>
</tr>
<tr>
<td width="247">
<p>Registrant Phone:</p>
</td>
<td width="199">
<p>965.9982545</p>
</td>
</tr>
<tr>
<td width="247">
<p>Registrant Email:</p>
</td>
<td width="199">
<p><strong>humooud.m@gmail.com</strong></p>
</td>
</tr>
</tbody>
</table>
<p>Note that “Humooud” and “Hmoud” are likely the same Arabic name, which can be transliterated into English in several ways.</p>
<p>Additional research on humooud.m@gmail.com reveals that it is connected to Google User ID 106720573170316530671. That ID is listed as Humoud Meshal and has been active leaving Google reviews in the vicinity of Kuwait City during the last 3 years, and in Sri Lanka 6 years ago (Figure 4).<a>[2]</a></p>
<p><em><a href="{{#staticFileLink}}8051590496,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051590496,RESIZE_400x{{/staticFileLink}}" width="400" alt="8051590496?profile=RESIZE_400x" /></a></em></p>
<p style="text-align:center;"><em>Figure 4. Humoud Meshal’s locations in Kuwait and Sri Lanka</em></p>
<p>The Kuwaiti location matches the cases where NYANxCAT actually listed Kuwait as his country on his accounts (e.g. GitHub).<a>[3]</a> The past Sri Lankan location matches the nature of his past domain registration activity (Table 1). Most of the NYANxCAT persona’s content is in English, but he is also able to hold a conversation in Arabic, as can be seen in some of his YouTube threads (Figure 5).</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}8051592266,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051592266,RESIZE_710x{{/staticFileLink}}" width="710" alt="8051592266?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 5. NYANxCAT is proficient in Arabic, Youtube comments</em></p>
<p>A search for Humoud Meshal’s user picture reveals a connection to the technical Arabic blog bomish3l[.]com. This blog references the additional YouTube account “Bomish3l” and the Twitter account @HumoudMJ (Figure 6).</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}8051592871,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051592871,RESIZE_584x{{/staticFileLink}}" width="500" alt="8051592871?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 6. Humoud’s photo on Twitter (left) and on his autotranslated blog (right)</em></p>
<p>Humoud’s Twitter account, @HumoudMJ, follows a number of exploit-related accounts. He lists his name in Arabic, which autotranslates as Hammoud Al-Jerid and matches the historic WHOIS record (Table 1).</p>
<p>Humoud’s YouTube account had videos on a couple of topics, including Android and hacking, e.g. the video “Hacking devices in wireless networks using your Android phone”.<a>[4]</a> It is notable that this YouTube account posted videos from 2013 until its last one in 2017, and that in 2018 another YouTube channel became active: NYANxCAT.<a>[5]</a></p>
<p>Humoud Meshal, aka Humoud Aljraid, uses aliases such as HumoudMJ or hmj_7, so it is logical that Meshal is his middle name (M), while Aljraid/Al-Jerid is his last name (J).<a>[6]</a></p>
<p>As the NYANxCAT and Humoud accounts are connected via the shared PayPal and Gmail accounts, the Kuwaiti location, the interest in hacking, and the language capabilities, we assess with medium confidence that Humoud is the real NYANxCAT identity (see the NYANxCAT Hacker Profile above).</p>
<p><strong>From Donations to Services</strong></p>
<p>NYANxCAT has tried to monetize his notoriety in various ways. He often included donation links in his source code and educational videos: usually his Bitcoin addresses, sometimes a PayPal donation link (Figures 2 and 3 above).</p>
<p><a href="{{#staticFileLink}}8051595687,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051595687,RESIZE_584x{{/staticFileLink}}" width="500" alt="8051595687?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;"><em>Figure 7. NYANxCAT hacker shop at Sellix as of July 2020</em></p>
<p>NYANxCAT created a personal shop page at Sellix. Earlier this year, he was selling three items: his C# hacking tools and malware coding services, his hacker tool Lime Crypter, and his malware Mass Logger (Figure 7). Later in October 2020, NYANxCAT removed the offer of the programming services, leaving the malware and the hacking tool for sale.</p>
<p><strong>NYANxCAT Samples</strong></p>
<p>We analyzed various malicious samples associated with NYANxCAT, mostly recent ones from September 2020. These samples cover different stages of malicious attacks: some are source code and crypters used for weaponization (preparation of the attack), some are delivery mechanisms for later-stage malware, and others are installation artifacts. See the brief descriptions below and the Indicators table attached. We also included some personal strings: emails, cryptocurrency addresses, and aliases. Those are useful for profile building, but they also help find new samples in the wild, as the samples often contain strings with NYANxCAT aliases or his GitHub page. When listing indicators, we do not include the “NYAN CAT” alias: it brings some true positives, but also many false positives, because it was originally a popular meme name that this hacker adopted.</p>
<p><strong>LimeCrypter</strong></p>
<p>NYANxCAT programmed, promotes and distributes a hacker tool called LimeCrypter (also Lime-Crypter). One of the latest LimeCrypter versions seen in the wild is 2.0.7552.41963, executable sample hash:</p>
<p>f55a23559bb981f9a054297b003293b890b8caa2b7abccef9464b817787352a6.<a>[7]</a></p>
<p>This hacker tool calls a hidden NYANxCAT paste on Pastebin for the list of recent upgrades and added features. The paste claims a first release date of 18 July 2020 and, as of this writing, a last update on 8 October 2020.<a>[8]</a> NYANxCAT’s GitHub shows that he has been working on LimeCrypter since at least August 2019, possibly since 2018.<a>[9]</a></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}8051605498,RESIZE_400x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051605498,RESIZE_400x{{/staticFileLink}}" width="394" alt="8051605498?profile=RESIZE_400x" /></a></em></p>
<p style="text-align:center;"><em>Figure 8. NYANxCAT’s Youtube video shows LimeCrypter made a malware undetectable</em></p>
<p>Since August 2020, NYANxCAT has posted four videos explaining and promoting this hacker tool, showcasing how it helps malware avoid antivirus detection (Figure 8).<a>[10]</a></p>
<p><strong>RATs</strong></p>
<p>AsyncRAT by NYANxCAT can often be seen among samples in the wild. Executable sample hash:</p>
<p>22096a0846ab1399647bb2cc5596c649fa6508d2bd09db05476b27acd9d4eea2.<a>[11]</a> AsyncRAT can be detected using the YARA rule win_asyncrat by Johannes Bader (@viql).<a>[12]</a></p>
<p>An archived sample containing another NYANxCAT-related RAT, Revenge-RAT v3, can be found under the following hash: 2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2.<a>[13]</a></p>
<p><strong>Downloaders</strong></p>
<p>A number of small NYANxCAT-related samples in the wild are various downloaders (droppers). Those include JS Downloader, VBS Shell, and a number of unidentified droppers (see the Indicators table attached below). A sample of JS Downloader code with a payload URL can be found under this hash:</p>
<p>5747ad762067a8a6617d2a4362304c24e11b21d6deed2da2adb31b8d55a4607c.<a>[14]</a></p>
<p><strong>Miners</strong></p>
<p>Some of the NYANxCAT-related malware has cryptomining capabilities. One example is the NYANxCAT-branded Lime Miner, executable sample hash:</p>
<p>74de28d70ee4bd414597561b696f865cb3c88fd3626161d36c423d35154e11a5.<a>[15]</a> Another example is a case of AsyncRAT.exe with Monero cryptocurrency mining capability (see Indicators below).</p>
<p><strong>Modifications</strong></p>
<p>It is also common for NYANxCAT to take an old piece of malicious code and adapt or modify it for greater malicious potential. Examples are Revenge-RAT v0.3 and Neshta 1.0, both modified and branded by NYANxCAT.<a>[16]</a></p>
<p><strong>Waiving Responsibility</strong></p>
<p>NYANxCAT often includes a waiver stating that his code is not for malicious use. But examining samples of code signed by NYANxCAT, we can see them dropping ransomware, backdoors, and other kinds of malware.<a>[17]</a> Moreover, studying NYANxCAT’s videos confirms that these are not just sandbox exercises but involve actual victims.</p>
<p><strong>Conclusion</strong></p>
<p>NYANxCAT started his blackhat hacker career no later than 2018. While he is not the most advanced, his opportunistic behavior and abuse of legitimate services such as YouTube and GitHub allow him to rapidly expand his criminal network and increase the number of his victims.</p>
<p><strong>Indicators</strong></p>
<table width="624">
<tbody>
<tr>
<td width="229">
<p>Indicator</p>
</td>
<td width="52">
<p>Type</p>
</td>
<td width="60">
<p>Kill_Chain_Phase</p>
</td>
<td width="66">
<p>First_Seen</p>
</td>
<td width="66">
<p>Last_Seen</p>
</td>
<td width="90">
<p>Comments</p>
</td>
<td width="62">
<p>Attribution</p>
</td>
</tr>
<tr>
<td width="229">
<p>9b62966982e91013c608f2542df01411704fe40c8d0cd63ced524f4ed33bab8d</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/28/20</p>
</td>
<td width="66">
<p>9/28/20</p>
</td>
<td width="90">
<p>LimeCrypter version 2.0.7529.980</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>90c2bb06bf684b2e6204418abeee6c81a552d997b163599e8da60c035223a230</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/27/20</p>
</td>
<td width="66">
<p>9/27/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>b7460d79341ad3ad3acd17703fbf9e1f3b1fdbd1cff7ab8e3607899ced8c61bc</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/22/20</p>
</td>
<td width="66">
<p>9/22/20</p>
</td>
<td width="90">
<p>AsyncRAT.exe</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>5747ad762067a8a6617d2a4362304c24e11b21d6deed2da2adb31b8d55a4607c</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/25/20</p>
</td>
<td width="66">
<p>9/25/20</p>
</td>
<td width="90">
<p>JS Downloader by NYANxCAT</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>github[.]com/NYAN-x-CAT</p>
</td>
<td width="52">
<p>URL</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>10/13/17</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>NyanxCat’s malware repositories</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>pastebin[.]com/raw/WJD0PWxV</p>
</td>
<td width="52">
<p>URL</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/28/20</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>LimeCrypter calls this URL for a change log</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>humooud.m@gmail.com</p>
</td>
<td width="52">
<p>Email</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>8/16/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>NyanxCat’s PayPal account email</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>NYANxCAT@protonmail.com</p>
</td>
<td width="52">
<p>Email</p>
</td>
<td width="60">
<p>NA</p>
</td>
<td width="66">
<p>10/15/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>Hacker email</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>NYANxCAT@pm.me</p>
</td>
<td width="52">
<p>Email</p>
</td>
<td width="60">
<p>NA</p>
</td>
<td width="66">
<p>1/9/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>Hacker email</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>NYANxCAT</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="60">
<p>NA</p>
</td>
<td width="66">
<p>1/9/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>Hacker alias</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>NYAN_x_CAT</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="60">
<p>NA</p>
</td>
<td width="66">
<p>1/9/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>Hacker alias</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>NYAN-x-CAT</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="60">
<p>NA</p>
</td>
<td width="66">
<p>1/9/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>Hacker alias</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>12DaUTCemhDEzNw7cAFg9FndzcWkYZt6C8</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>5/27/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>NyanxCat’s Bitcoin address</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>1jVe7d8GQB8z2ZqK6U8SCYAgeCJuYxaFo</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>1/9/19</p>
</td>
<td width="66">
<p>10/14/20</p>
</td>
<td width="90">
<p>NyanxCat’s Bitcoin address</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/14/20</p>
</td>
<td width="66">
<p>9/14/20</p>
</td>
<td width="90">
<p>Revenge-RAT v3 - NYANxCAT</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>e62cc243c2bb10a2613a64f8b59ad27ec6f7592868902b6793dceb230b8f72bf</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>nyanxcat.vbs</p>
</td>
<td width="52">
<p>File</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>914b759c186e0cdb0e82c4bbbbd5257fd1c7a60db0e77bbc24778362ee549bce</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>f8890477e760cdb8f4a4fdbf8e8b5b1a224bc87046875b9ee17a9fcb93d2f118</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Exploitation</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="66">
<p>9/13/20</p>
</td>
<td width="90">
<p>File type Win32 EXE</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>233587a133e3e112f42a5b456c94fca514d364f10b532291c1cc3c0aea92526e</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/11/20</p>
</td>
<td width="66">
<p>9/11/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>ec5d16ff69ca2221bd60f41049f9862fe4cba0dd238959d78620140a00331250</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/11/20</p>
</td>
<td width="66">
<p>9/11/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>54ea7614e8220bf4cad9ccd2c87d1470e341ef14b9d7c02ebe432a9c3139b8ab</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/10/20</p>
</td>
<td width="66">
<p>9/10/20</p>
</td>
<td width="90">
<p>VBS-Shell by NYANxCAT: ASCII Pascal program text</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>http://f0439583.xsph[.]ru/Cryptolocker.exe</p>
</td>
<td width="52">
<p>URL</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/14/20</p>
</td>
<td width="66">
<p>9/14/20</p>
</td>
<td width="90">
<p>Ransomware</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>4b7bf7d3fac0ae3fe45a3d126bd07b65d5c824a5a423823f7c8900d9da4a1a1e</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/10/20</p>
</td>
<td width="66">
<p>9/10/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>00714fae672b284458a4784ee651ed42bf51ec5fead0cf4c17082f75ac5f782b</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/9/20</p>
</td>
<td width="66">
<p>9/9/20</p>
</td>
<td width="90">
<p>Bitcoin Address Grabber v0.3.5</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>74de28d70ee4bd414597561b696f865cb3c88fd3626161d36c423d35154e11a5</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/9/20</p>
</td>
<td width="66">
<p>9/9/20</p>
</td>
<td width="90">
<p>Lime Miner 0.3.0.0: File type Win32 EXE</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>f1ad4dbe66d9570c067889cbb0876c3771c6750e6e5a96c3d784336fcc5c88a4</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="90">
<p>Lime-Crypter 1.0.0.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>5882452922bf3c291f64ce3cfe5ad557dc8911a101495aa923fb3c521c0446fd</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="90">
<p>Lime-Crypter 1.0.0.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>aca10c4a756f850bbb748715d2b5ba1e3466a6309d630a99f834dcc61abfc945</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="66">
<p>9/8/20</p>
</td>
<td width="90">
<p>Lime-Crypter 1.0.0.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>22096a0846ab1399647bb2cc5596c649fa6508d2bd09db05476b27acd9d4eea2</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/7/20</p>
</td>
<td width="66">
<p>9/7/20</p>
</td>
<td width="90">
<p>AsyncRAT.exe</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>a74af46f97845d0da1d2e761b85f42664c77ca1f2378a3c1e22fc1d0e2dd5188</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/7/20</p>
</td>
<td width="66">
<p>9/7/20</p>
</td>
<td width="90">
<p>VBS-Shell by NYANxCAT: ASCII Pascal program text</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>0430bad23899d3b9ec9e52f587e944075b793f55f3f2f32283910343668a6785</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/6/20</p>
</td>
<td width="66">
<p>9/6/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>96de85fba7d85672bf59601c518aba429a8415089851772f66ae2df59848139b</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/4/20</p>
</td>
<td width="66">
<p>9/4/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>2f7371a3095fceb9b99bcb2abc176a142c37ca95940c91c58d3321ed54310bd2</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>110716c7f7f1e2f7e4b6237015ee2855efac37b609977ad451c1b0c8b54d0b63</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>34f3f6477224c8e17c31fd434470ee098a621b2732b5e8d9ca59f2c6ef5acf57</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="90">
<p>VBS-Shell by NYANxCAT: ASCII Pascal program text</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>9f5bfe12e454f8b67649e52cc064032f0b149492428729fdf7e8c41d6bec6fcb</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="90">
<p>VBS-Shell by NYANxCAT: ASCII Pascal program text</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>https://pashupatipaints[.]com/test/minAZ34EXEitscr.exe</p>
</td>
<td width="52">
<p>URL</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/7/20</p>
</td>
<td width="90">
<p> </p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>f55a23559bb981f9a054297b003293b890b8caa2b7abccef9464b817787352a6</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/24/20</p>
</td>
<td width="66">
<p>9/24/20</p>
</td>
<td width="90">
<p>LimeCrypter Version 2.0.7552.41963</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>365ee8918af55945cfa1a4a8bf30b214814c23833261b3a67117a6237d961806</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/23/20</p>
</td>
<td width="66">
<p>9/23/20</p>
</td>
<td width="90">
<p> </p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>2e64a2918346eaa8b5441a6904d2741c37079456b00c91f2801a3d01c94f4dd5</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/22/20</p>
</td>
<td width="66">
<p>9/22/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>39f394baf297dcabc3bdcbc0f71b2f14a96d0e44df88a16d0f9e4f8bc2d3c3e6</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/19/20</p>
</td>
<td width="66">
<p>9/19/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>dced2da7db2861a40ac1a32cc5eb4d2205c0be6cf49f9f9bd2710fb98ee6cbc2</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/18/20</p>
</td>
<td width="66">
<p>9/18/20</p>
</td>
<td width="90">
<p>AsyncRAT.exe</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>e7eb31d13152158739d663eeabf2dfde8455deb4a4ffa0587e45676583e5f7e7</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>9/17/20</p>
</td>
<td width="66">
<p>9/17/20</p>
</td>
<td width="90">
<p>Neshta malware edited by NYANxCAT for powershell</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>8b226dc5916d9c78eb1e3790241128d2d4ce6cd0b9124230d7574e62f0a28f4c</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>9/15/20</p>
</td>
<td width="66">
<p>9/15/20</p>
</td>
<td width="90">
<p>Lime-Crypter.exe version 1.0.0.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>3e905ce85036d960c7f68c5fc7f848e1f9fb5c550d9e97998be111938b2ac0da</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/27/20</p>
</td>
<td width="66">
<p>9/27/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>033859addb85933297132cf3dc356c2b3780f9e10638149ae9ec8559aae00930</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="66">
<p>9/3/20</p>
</td>
<td width="90">
<p>Dropper</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>4d4e12de934064e401442a81e83563bfb2c98fb845b115eb60e5b6ce3e2639e2</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>9/1/20</p>
</td>
<td width="66">
<p>9/1/20</p>
</td>
<td width="90">
<p>JS Downloader</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>d64cb13bb5820b9618e5733537794b8de03a35387b626f26ce20921625dabf53</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>8/31/20</p>
</td>
<td width="66">
<p>9/26/20</p>
</td>
<td width="90">
<p>Neshta malware edited by NYANxCAT for powershell</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>dbc0a745c62c9aef393f732f718149fc5abaffe30ddb1d55d978a8bf17e9ae01</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Weaponization</p>
</td>
<td width="66">
<p>3/6/20</p>
</td>
<td width="66">
<p>9/2/20</p>
</td>
<td width="90">
<p>Revenge-RAT v3 - NYANxCAT.zip</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>97ca0ed6e618f457b56df8201689affb1a4c5410d29e222730966a36b6176047</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>8/30/20</p>
</td>
<td width="66">
<p>8/30/20</p>
</td>
<td width="90">
<p>LimeRAT.exe Version 0.1.9.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>6450208e47c71ac8bfb8dc35e3c37fbeb01c02c021b162352fc8eb44e03af3e6</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>8/28/20</p>
</td>
<td width="66">
<p>8/28/20</p>
</td>
<td width="90">
<p>Dropper/ VBS Shell by NYAN CAT</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>431dea8a2af305cd0b8d735efbadb1a46f1025b96838bb8b282bab502b001f49</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Delivery</p>
</td>
<td width="66">
<p>8/27/20</p>
</td>
<td width="66">
<p>8/27/20</p>
</td>
<td width="90">
<p>NJ RAT</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>165749a5f359e0316396cddd2e461f14f11756b62f786561019de99ded742af1</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>8/26/20</p>
</td>
<td width="66">
<p>8/26/20</p>
</td>
<td width="90">
<p>Angryzip.exe version 1.0.0.0</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
<tr>
<td width="229">
<p>eb8276581ad494331c5586593e9bd533e3545db82eeb00872e0685dc67546305</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="60">
<p>Installation</p>
</td>
<td width="66">
<p>8/25/20</p>
</td>
<td width="66">
<p>8/25/20</p>
</td>
<td width="90">
<p>AsyncRAT.exe with Monero cryptocurrency mining</p>
</td>
<td width="62">
<p>NYANxCAT</p>
</td>
</tr>
</tbody>
</table>
<p>Download indicators in CSV format: <a href="{{#staticFileLink}}8051612254,original{{/staticFileLink}}">IR-20-292-001_Hmoud Aljraid NYANxCAT.csv</a></p>
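<p>The indicator table above is only useful once it is matched against files on a host. The following Python script is an added example, not code from the report or from Red Sky Alliance: it loads the SHA256 rows (copied inline from the table; the column headers are an assumption, since the layout of the IR-20-292-001 CSV is not shown on the page), hashes every file under a directory in chunks, and reports each match with its kill-chain stage and description. Hashes are normalised to lowercase and malformed rows are skipped, so a CSV with mixed-case or truncated hashes cannot produce silent misses.</p>

```python
import csv
import hashlib
import io
import os

# Rows copied from the indicator table above. The header line is an
# assumption: the real IR-20-292-001 CSV layout is not shown on the page.
IOC_CSV = """\
indicator,type,stage,first_seen,last_seen,description,actor
d64cb13bb5820b9618e5733537794b8de03a35387b626f26ce20921625dabf53,SHA256,Installation,8/31/20,9/26/20,Neshta malware edited by NYANxCAT for PowerShell,NYANxCAT
dbc0a745c62c9aef393f732f718149fc5abaffe30ddb1d55d978a8bf17e9ae01,SHA256,Weaponization,3/6/20,9/2/20,Revenge-RAT v3 - NYANxCAT.zip,NYANxCAT
97ca0ed6e618f457b56df8201689affb1a4c5410d29e222730966a36b6176047,SHA256,Delivery,8/30/20,8/30/20,LimeRAT.exe Version 0.1.9.0,NYANxCAT
6450208e47c71ac8bfb8dc35e3c37fbeb01c02c021b162352fc8eb44e03af3e6,SHA256,Delivery,8/28/20,8/28/20,Dropper / VBS Shell by NYAN CAT,NYANxCAT
431dea8a2af305cd0b8d735efbadb1a46f1025b96838bb8b282bab502b001f49,SHA256,Delivery,8/27/20,8/27/20,NJ RAT,NYANxCAT
165749a5f359e0316396cddd2e461f14f11756b62f786561019de99ded742af1,SHA256,Installation,8/26/20,8/26/20,Angryzip.exe version 1.0.0.0,NYANxCAT
eb8276581ad494331c5586593e9bd533e3545db82eeb00872e0685dc67546305,SHA256,Installation,8/25/20,8/25/20,AsyncRAT.exe with Monero cryptocurrency mining,NYANxCAT
"""

HEX_DIGITS = set("0123456789abcdef")


def load_iocs(csv_text):
    """Return {sha256 (lowercase): row dict} for well-formed SHA256 rows.

    Rows of other indicator types, and rows whose hash is not exactly 64 hex
    characters, are dropped rather than stored in a form that could never match.
    """
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("type", "").strip().upper() != "SHA256":
            continue
        digest = row.get("indicator", "").strip().lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            continue
        iocs[digest] = row
    return iocs


def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a binary file object in 1 MiB chunks so large files fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_stream(f)


def scan_tree(root, iocs):
    """Walk root and return [(path, ioc_row)] for every file whose SHA256 is an indicator.

    Unreadable files (permission errors, vanished temp files) are skipped.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


IOCS = load_iocs(IOC_CSV)

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, row in scan_tree(root, IOCS):
        print(f"{path}: {row['description']} [{row['stage']}, last seen {row['last_seen']}]")
```

<p>Run it as <code>python scan.py C:\Users</code> (or any directory); swapping <code>IOC_CSV</code> for the contents of the downloaded file only requires that the header line match the columns the script reads. Hash matching catches exact copies of the listed samples only, so it is a confirmation check, not a substitute for detection of repacked or re-crypted builds of the same RATs.</p>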
<p><strong>Appendix A. Additional Imagery</strong></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}8051606854,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8051606854,RESIZE_584x{{/staticFileLink}}" width="500" alt="8051606854?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 9. Humoud’s Soundcloud Profile Picture</em></p>
<p> </p>
<p>Serial: IR-20-292-001</p>
<p>Country: KW, US</p>
<p>Report Date: 20201018</p>
<p>Industries: All</p>
<h2>--- </h2>
<p>Red Sky Alliance has been tracking hacker threats for the past 7 years. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com. </p>
<p>Red Sky Alliance can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p><a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a></p>
<p>Red Sky Alliance is in New Boston, NH USA.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a>[1]</a> www[.]youtube[.]com/watch?v=N16d_zvIgTg</p>
<p><a>[2]</a> google[.]com/maps/contrib/106720573170316530671/reviews/</p>
<p><a>[3]</a> github[.]com/NYAN-x-CAT</p>
<p><a>[4]</a> youtube[.]com/watch?v=30BV5U9OGv0, Jun 11, 2014.</p>
<p><a>[5]</a> youtube[.]com/c/Bomish3l/videos and youtube[.]com/c/NYANCATx/about</p>
<p><a>[6]</a> soundcloud[.]com/hmj_7/</p>
<p><a>[7]</a> virustotal[.]com/gui/file/f55a23559bb981f9a054297b003293b890b8caa2b7abccef9464b817787352a6/</p>
<p><a>[8]</a> pastebin[.]com/raw/WJD0PWxV</p>
<p><a>[9]</a> github[.]com/NYAN-x-CAT/Lime-Crypter</p>
<p><a>[10]</a> www[.]youtube[.]com/watch?v=_dYngLbXUno</p>
<p><a>[11]</a> virustotal[.]com/gui/file/22096a0846ab1399647bb2cc5596c649fa6508d2bd09db05476b27acd9d4eea2/details</p>
<p><a>[12]</a> virustotal[.]com/gui/file/504fc502fef2fceaae027edb0e037e4e39a0ee62ca9f15ab316c70e8d6e5b740/details</p>
<p><a>[13]</a> virustotal[.]com/gui/file/2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2/details</p>
<p><a>[14]</a> virustotal[.]com/gui/file/5747ad762067a8a6617d2a4362304c24e11b21d6deed2da2adb31b8d55a4607c/content/strings</p>
<p><a>[15]</a> virustotal[.]com/gui/file/74de28d70ee4bd414597561b696f865cb3c88fd3626161d36c423d35154e11a5/details</p>
<p><a>[16]</a> virustotal[.]com/gui/file/e7eb31d13152158739d663eeabf2dfde8455deb4a4ffa0587e45676583e5f7e7/details</p>
<p><a>[17]</a> 6450208e47c71ac8bfb8dc35e3c37fbeb01c02c021b162352fc8eb44e03af3e6, virustotal[.]com/gui/url/922efd801fc095b488126248f7c55d3d897fc14376d4d22a48966427ee8a421a/detection and 165749a5f359e0316396cddd2e461f14f11756b62f786561019de99ded742af1</p>
<p> </p></div>