
ET TROJAN Turkojan C&C nxt Command (nxt)

Alert endpoints:

               IP Address                       Port    Hostname
  Source       157.55.130.164 (United States)   40028
  Destination  (local)                          41041

Description:


False Positive:

  • PROBABLY
  • Possible code reuse, or someone picked up old malware.
  • Suspicious:
    • The remote endpoint belongs to Microsoft. It is not in the published Azure address space, but it is adjacent to that space.
    • No PTR record; neither reverse-DNS lookups nor ThreatCrowd return anything for the address.
    • Both ports are above 40000 (high ephemeral range).
    • The traffic is, or appears to be, entirely encrypted.
  • Not suspicious:
    • The matching text is small, so a coincidental match is plausible.
    • Turkojan is very old malware; the probability that new infections are happening is low.
    • No other events on this system.


Action:

  • Enough indicators here to scan the host if possible.
  • The local endpoint is an Android phone on the WiFi.
  • False positive, since Turkojan is a Windows RAT.
  • No further action.
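As an added example that is not part of the original triage note, the following Python script reruns the checklist above on a constructed copy of this alert, so the same reasoning can be applied to other ET C&C hits. The published-prefix list, the payload bytes and the alert field names are assumptions for illustration, not the real Azure feed or the captured traffic; the "adjacent to that space" test is modelled as sharing an enclosing /16 with a published prefix, and "appears encrypted" as Shannon entropy above 7.5 bits per byte.

```python
"""Added triage helper for an ET TROJAN C&C alert (example code, not from the
original note). Sample prefixes and payload below are constructed."""
import ipaddress
import math
from collections import Counter

# Constructed stand-in for a published cloud prefix list (assumption: in
# practice load the vendor's current published ranges; these two are invented).
PUBLISHED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "157.55.0.0/18",
    "157.56.0.0/16",
)]


def in_published_space(ip, prefixes=PUBLISHED_PREFIXES):
    """Is the address inside one of the published prefixes?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def adjacent_to_published_space(ip, prefixes=PUBLISHED_PREFIXES, slack=16):
    """Not inside any published prefix, but sharing an enclosing /slack with
    one of them: the note's "adjacent to that space" (slack=16 is an assumption)."""
    addr = ipaddress.ip_address(ip)
    if in_published_space(ip, prefixes):
        return False
    enclosing = ipaddress.ip_network(f"{addr}/{slack}", strict=False)
    return any(net.version == enclosing.version and net.subnet_of(enclosing)
               for net in prefixes)


def both_ports_high(sport, dport, floor=40000):
    """Both ends in the high ephemeral range (the note's "40k plus")."""
    return sport >= floor and dport >= floor


def shannon_entropy(data):
    """Bits per byte; values near 8.0 mean the payload looks encrypted or compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(alert, prefixes=PUBLISHED_PREFIXES):
    """Score one alert against the note's checklist and return the findings.

    alert keys (assumed layout): src, sport, dport, payload (bytes), match (bytes),
    host_os (what the local endpoint actually runs), malware_os (platform the
    signature's malware family targets).
    """
    entropy = shannon_entropy(alert["payload"])
    suspicious = {
        "src_adjacent_to_cloud": adjacent_to_published_space(alert["src"], prefixes),
        "high_ports": both_ports_high(alert["sport"], alert["dport"]),
        "looks_encrypted": entropy > 7.5,
    }
    not_suspicious = {
        # A match of only a few bytes is easy to hit by chance in opaque traffic.
        "short_match": len(alert["match"]) < 4,
        "platform_mismatch": alert["host_os"].lower() != alert["malware_os"].lower(),
    }
    # A Windows-only RAT cannot be running on a non-Windows endpoint, so a
    # platform mismatch settles the verdict regardless of the network indicators.
    if not_suspicious["platform_mismatch"]:
        verdict = "false positive"
    elif sum(suspicious.values()) >= 2:
        verdict = "scan host"
    else:
        verdict = "monitor"
    return {"entropy": round(entropy, 2), "suspicious": suspicious,
            "not_suspicious": not_suspicious, "verdict": verdict}


# Constructed sample reproducing the note's alert; the payload is a synthetic
# maximum-entropy byte string standing in for the captured encrypted traffic.
SAMPLE_ALERT = {
    "src": "157.55.130.164",
    "sport": 40028,
    "dport": 41041,
    "payload": bytes(range(256)),
    "match": b"nxt",
    "host_os": "Android",
    "malware_os": "Windows",
}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

Running it on the constructed sample flags all three network indicators as suspicious but still returns "false positive" because the endpoint OS does not match the RAT's platform; changing `host_os` to "Windows" flips the verdict to "scan host", which is the path the note would have taken had the endpoint been a Windows machine.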
