= Operation Spalax -- Indicators of Compromise

An analysis of Operation Spalax is available as a https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/[blog post on WeLiveSecurity].

== ESET detection names

- MSIL/Bladabindi.AS
- MSIL/Bladabindi.BA
- MSIL/Bladabindi.BC
- Win32/Rescoms.B
- MSIL/Agent.CFQ

== SHA-1 hashes

----
068841C9DCA03E6FEAC78DAA7950ADF6362DDBF4
0A4742BE00AF2B0E26987E5E3F37B9784BDEA826
12BF261E27956522B0990A7EA87CBFDF03CE9321
13A5C261C2B59FC416AC4B4AF004A858E272DF2F
157192200F356D0C972340AE98D5C4396D7BA51D
185664DF6E1547C8E695E6018A53124E522612A6
229BFED1D0F656125F883EC8D44D9EB85DDA1517
23292AA461768B3CF1D2A527BB9F760E5524CD5A
260E4B0352F452479D082453DD1E0D355C5C2797
28429B11C39A7FFA70A2839B9FF5C73210149F55
2E5E628F2CE5AEB2235B7FBB155B13BE2B432FFC
33C991AA0AFED58A4785E1F048C5D972EB4BB561
3751D00639C255EE53002CA1DCCABD185094BFB4
3A65745DEE2AFBFFE00569C83572723FD8C04E76
3C97CF4091233D2C2FC6A692208AE99EAF5EE9A6
3D4683F71759ED4C8C0E7D7199DC1718980DF883
3D4FA76A42B050BC188540C7F2759E7D10C9E14A
466D5DF1F085689D4DD305B4B4F7B88095C6F0DB
4682C947B330ECDC4724014E36414EE54968DCB4
4AAAC562CC6D32AE9A46AA05674EC7A9BD4D6912
55EEC354B5F1E58A8A59A7BE1CD287EC2C2CA02E
6358B2BF1DC6E8AFF646AD6AB919BE865FA19870
642EC136B72B76EBAC5D6312B6DFA6600220403B
6E81343018136B271D1F95DB536CA6B2FD1DFCD6
70EB055574E3AE5F1B17A3CF171FADB5A9D39E19
728FC6952F1D038BD1FDF01B44C4AF05E363A4BB
7E44A76B4690110E14FC939F88086F73293F9DD1
7EDB738018E0E91C257A6FC94BDBA50DAF899F90
80ABDBDC1E5BBA2D61D5D5C2C6F4DCEF91F217FB
812A407516F9712C80B70A14D6CDF282C88938C1
827EC99DF4E10E99E4095A8DDBB95398A90AE728
86A0376DE9B9EE12F86ED24091BC151EBAE7D147
86E28EB8CD37FD6602EAA55E594B2B6C930A66E7
89426C0A2AD155353FF8FEECEE1A4C463B2E7FAE
8D8DE9045ECCAE3A98EC2FA89DECA53B1E684C28
90C4FE7EB949C44607D29680B6B8A47BF294E02E
9333A67EF082C0005B82A9B1C9E002A167173197
9BDEB45C595EB98777BAF36AF66172AA716DE90F
9CFDB16851A0C9A5E698AC34CDC59D50DC8E8CF9
9F584F1AFDFF31C3EC994F7D1DB5847DEB6C0C80
A0083FCE727C42A3E5B359CE7677573175B7FEE1
A4FD08D1823E3192673D706FC7ED204C6D90862B
A69CB37AC5E7EF539422DD98132A57D8643B42BD
ABA11F423F8088617FF5D3A6AC3A08041EFE9131
AF0530B9F70E62AB47BB696AEF6F79AC28E6411D
AF2EBB666BDA08E1832C504C61942AA92DB10B03
B5385A01025431B88B4140538F6885904A496471
B5ED4D1CB148709E77D88B917FFDD858153C14CA
BC97F72E95E678D355ABD52A5D72C5CE17092F40
BF22C39210B216C2FCEA74C91672767488A8B0D0
C04F007881F757A7A2FFDC94F5763B61042173B7
C57F92CFF68BEFEEB9286EC6D85EF8FC9AE728C7
C96FF9E0DA18A66FF2907459B2200CF70A36A83E
D3A22FFBC3AB0384083CF158E2FCE9CC28605280
D993E3DA6DA34581BA6D3CA18D33356767CBECF7
DC0B25884C0379F1B3058B5DA1D6FF3DF735EF03
E40213B90338A5076559B0A4E505CB237A5BFFAB
E9290A9D4297AAF6BC05DD1CCD1A95B9C0819B82
EE5C737012942806DF0A834EBD3914BD8BB19702
F8740228FC561D4E0668DB75416DCD4BA16152EA
F9B1DB221BC531ABBF22124307F443460CE5EEC9
FD449438EB94B0DF64C7FF5580C239F11536390C
----

== IP addresses

----
179.14.171[.]7
179.14.173[.]93
181.131.216[.]115
181.131.228[.]204
181.131.231[.]245
181.131.237[.]247
181.137.112[.]215
181.137.113[.]205
181.137.118[.]201
181.137.119[.]97
181.137.123[.]124
181.137.124[.]132
181.140.198[.]107
181.140.212[.]168
181.140.213[.]212
181.140.213[.]213
181.142.172[.]125
181.142.179[.]66
181.142.184[.]22
181.49.90[.]193
181.52.100[.]157
181.52.102[.]87
181.52.103[.]140
181.52.104[.]2
181.52.107[.]55
181.52.108[.]50
181.52.110[.]207
181.52.113[.]142
181.52.113[.]157
181.52.113[.]230
181.52.113[.]57
181.52.113[.]83
181.52.252[.]110
181.58.132[.]31
181.58.133[.]54
181.58.152[.]42
181.58.154[.]33
181.58.155[.]117
181.59.9[.]81
181.61.169[.]163
181.61.170[.]142
186.145.214[.]167
186.145.214[.]199
186.145.214[.]25
186.146.240[.]244
186.147.55[.]135
186.147.55[.]19
186.81.119[.]4
186.82.241[.]203
186.82.242[.]6
186.85.86[.]143
186.85.86[.]196
186.85.86[.]226
186.85.86[.]26
186.85.87[.]246
186.85.87[.]48
190.159.206[.]164
191.88.217[.]14
200.116.77[.]118
128.90.108[.]132
128.90.108[.]177
128.90.112[.]34
128.90.112[.]142
128.90.115[.]100
128.90.115[.]244
----

== Domain names

----
amsdkjeduejfhdgerop.duckdns[.]org
asdeas.duckdns[.]org
aventura7538.duckdns[.]org
constructora823964823.duckdns[.]org
covied19.duckdns[.]org
cuarentarem.duckdns[.]org
desastre333.duckdns[.]org
doddyfire.linkpc[.]net
dominoduck2069.duckdns[.]org
dominoduck2070.duckdns[.]org
dominoduck2093.duckdns[.]org
dominoduck2094.duckdns[.]org
dominoduck2095.duckdns[.]org
dominoduck2096.duckdns[.]org
dominoduck2097.duckdns[.]org
dominoduck2098.duckdns[.]org
dominoduck2099.duckdns[.]org
dominoduck2100.duckdns[.]org
estacion373.duckdns[.]org
federa.duckdns[.]org
festivaldeamor.publicvm[.]com
hospisanjose.publicvm[.]com
inmosas.linkpc[.]net
julian.linkpc[.]net
login2020.duckdns[.]org
marianavilla3008m.duckdns[.]org
marianavilla3008n.duckdns[.]org
marzoorganigrama20202020.duckdns[.]org
mayo202020junio.duckdns[.]org
mayolomejor.duckdns[.]org
medicosta.linkpc[.]net
migracion.linkpc[.]net
nacionaliste61327.duckdns[.]org
nationalgeografics2020.duckdns[.]org
nicolas20190427.duckdns[.]org
npspwrap.duckdns[.]org
nuevoproxy.duckdns[.]org
nvidia.geforcegt[.]icu
patoquienfue.duckdns[.]org
pedrobedoya201904.duckdns[.]org
powerrangers.duckdns[.]org
proxyip.duckdns[.]org
proxyyyy.duckdns[.]org
pruebacientifica202020.duckdns[.]org
pruebanumerounoaa.duckdns[.]org
pruebaunorem.duckdns[.]org
rewt6.duckdns[.]org
ruthy.qdp6fj1uji[.]xyz
septiembresesientequevienediciembre.duckdns[.]org
shark.vfpi2hz38p[.]icu
shellbrdhwwindowsone.duckdns[.]org
subdomine2020octubrexxx.duckdns[.]org
tasagera.duckdns[.]org
tonystark2025.duckdns[.]org
trabajo2019.duckdns[.]org
treintarem.duckdns[.]org
treintaycincorem.duckdns[.]org
treintaycuatrorem.duckdns[.]org
treintaydosrem.duckdns[.]org
treintaynueverem.duckdns[.]org
treintayochorem.duckdns[.]org
treintaysieteremc.duckdns[.]org
treintayunorem.duckdns[.]org
tuluavalle3.duckdns[.]org
veinticuatroremc.duckdns[.]org
veintiochoremc.duckdns[.]org
veintiseisremcs.duckdns[.]org
veintisieteremc.duckdns[.]org
veintitressisisi.duckdns[.]org
veintiunoremco.duckdns[.]org
windonwcorpo.duckdns[.]org
windowspowershell.duckdns[.]org
administradorduck.duckdns[.]org
agosto20192019.duckdns[.]org
agrariobuenasuerte.duckdns[.]org
altamarjosexxx.publicvm[.]com
america9999000.duckdns[.]org
americadnsdu.duckdns[.]org
appleerveapple.duckdns[.]org
aquaserver.duckdns[.]org
asebly.duckdns[.]org
barcelonasevere.duckdns[.]org
barranquilla.duckdns[.]org
becerrilserver.duckdns[.]org
briserodeenero202020.duckdns[.]org
buenaventura.duckdns[.]org
callejas2013.publicvm[.]com
candyperreo.duckdns[.]org
carlosgamez.duckdns[.]org
carmelovalencia.duckdns[.]org
cartagena.duckdns[.]org
cartagenacity.duckdns[.]org
catorcednsremc.duckdns[.]org
caucasia.duckdns[.]org
cayenasserver.duckdns[.]org
contoda.duckdns[.]org
cristinahurtado.duckdns[.]org
cuartoservremc.duckdns[.]org
cucutadeportivo.duckdns[.]org
davidspain.duckdns[.]org
decimoremcdns.duckdns[.]org
dieciocohoroem.duckdns[.]org
diecisieteremc.duckdns[.]org
diesinueveremc.duckdns[.]org
dnsamericaquincejulio.duckdns[.]org
dominoduck2051.duckdns[.]org
dominoduck2052.duckdns[.]org
dominoduck2057.duckdns[.]org
dominoduck2059.duckdns[.]org
dominoduck2061.duckdns[.]org
dominoduck2063.duckdns[.]org
dominoduck2064.duckdns[.]org
dominoduck2066.duckdns[.]org
dominoduck2068.duckdns[.]org
dominoduck2071.duckdns[.]org
dominoduck2073.duckdns[.]org
dominoduck2074.duckdns[.]org
dominoduck2075.duckdns[.]org
dominoduck2076.duckdns[.]org
dominoduck2078.duckdns[.]org
dominoduck2080.duckdns[.]org
dominoduck2081.duckdns[.]org
dominoduck2082.duckdns[.]org
dominoduck2084.duckdns[.]org
dominoduck2085.duckdns[.]org
dominoduck2086.duckdns[.]org
dominoduck2087.duckdns[.]org
dominoduck2088.duckdns[.]org
dominoduck2089.duckdns[.]org
dominoduck2090.duckdns[.]org
dominoduck2091.duckdns[.]org
dominoduck2092.duckdns[.]org
domipxy8087.duckdns[.]org
duquepresi.linkpc[.]net
duquericopan.duckdns[.]org
econotas.duckdns[.]org
elagustin10.duckdns[.]org
elbrayan.duckdns[.]org
elchancle.duckdns[.]org
eljhonky.duckdns[.]org
ellider.duckdns[.]org
elpaisa.duckdns[.]org
elpatin.duckdns[.]org
elpropio.duckdns[.]org
elrompeculo.duckdns[.]org
elsalvaje.duckdns[.]org
exitoparatodo.duckdns[.]org
frankproxynue.duckdns[.]org
ibagueibague.duckdns[.]org
ivancalderon.duckdns[.]org
jblllegolahora.duckdns[.]org
juliowd.duckdns[.]org
junio2019ok.duckdns[.]org
jvlra.elagustin10.duckdns[.]org
kobebrayant202020.duckdns[.]org
lacuartaserver.duckdns[.]org
lacupula.duckdns[.]org
laesperanza.duckdns[.]org
laestoyhaciendoboja.duckdns[.]org
lapopaserver.duckdns[.]org
lastorresdnspato.duckdns[.]org
leorodriguez.duckdns[.]org
lorenzomorales.duckdns[.]org
loretico.duckdns[.]org
losfloresserver.duckdns[.]org
luissandoval.duckdns[.]org
malito.duckdns[.]org
maradonanjved.duckdns[.]org
medallo.duckdns[.]org
medellinmedell.duckdns[.]org
mgfe25r.duckdns[.]org
michaelot.duckdns[.]org
mundialseguro.duckdns[.]org
navidadserverazul.duckdns[.]org
neuvoprxych.duckdns[.]org
novalitoserdns.duckdns[.]org
noviembre201920192019.duckdns[.]org
nuevocarrera.duckdns[.]org
nuevoverde.duckdns[.]org
obrerosies.duckdns[.]org
octavoserrem.duckdns[.]org
octubre090988.duckdns[.]org
octubre20192019.duckdns[.]org
onceremcserv.duckdns[.]org
orgamarzo2020.duckdns[.]org
pachonjazul.duckdns[.]org
pedroleiba.duckdns[.]org
pelao4763.duckdns[.]org
polania.duckdns[.]org
poloniaverde.duckdns[.]org
ponymaltadns.duckdns[.]org
popayanserver.duckdns[.]org
proxypaul.duckdns[.]org
proyectoscincuenta.duckdns[.]org
prueba111.duckdns[.]org
prueba1672.duckdns[.]org
pruebadomainsvir.duckdns[.]org
pruebaremc.duckdns[.]org
quintoquinto.duckdns[.]org
quintoservrem.duckdns[.]org
raquel.duckdns[.]org
recuperacionvive.duckdns[.]org
remcquince.duckdns[.]org
riofrioservervjd.duckdns[.]org
rolandoochoa.duckdns[.]org
rosaguerrero.duckdns[.]org
rosariotijerasnj.duckdns[.]org
sandray.duckdns[.]org
secretariageneral.duckdns[.]org
septimoserv.duckdns[.]org
servdoceremco.duckdns[.]org
serverbambupato.duckdns[.]org
servipanxtr.duckdns[.]org
servtreceremc.duckdns[.]org
snajuandns.duckdns[.]org
soluciondeahora.duckdns[.]org
sportdns.duckdns[.]org
terceroremco.duckdns[.]org
tonystark2019.duckdns[.]org
tonystark2020.duckdns[.]org
tonystark2021.duckdns[.]org
trabajovalle2019.duckdns[.]org
tractor1.duckdns[.]org
treintallegamos.duckdns[.]org
treintaytresrem.duckdns[.]org
verdehithoy.duckdns[.]org
verdepruebauno.duckdns[.]org
vueloempresarial.duckdns[.]org
xtrtiy697.duckdns[.]org
yari73.duckdns[.]org
----
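The indicators above are published defanged (`[.]`) inside AsciiDoc `----` listing blocks. The following is an added example, written by the editor and not part of ESET's repository or the WeLiveSecurity analysis, that parses those blocks, refangs the values and sweeps a few log lines for hits. The excerpt of the list embedded in the script is a small subset copied from this page so the script runs stand-alone, the DNS, proxy and EDR log lines and their field names are constructed for the example, and the regular expressions used to pull candidate hashes, IPs and hostnames out of free-text logs are the editor's own choice.

```python
import re
from collections import defaultdict

# Constructed excerpt of the IOC list on this page, kept in the page's
# defanged "[.]" form. Only a few entries are copied so the example runs
# stand-alone; feed the full AsciiDoc file to parse_ioc_blocks() in practice.
IOC_TEXT = """\
== SHA-1 hashes

----
068841C9DCA03E6FEAC78DAA7950ADF6362DDBF4
0A4742BE00AF2B0E26987E5E3F37B9784BDEA826
----

== IP addresses

----
179.14.171[.]7
181.52.113[.]57
128.90.108[.]132
----

== Domain names

----
covied19.duckdns[.]org
elagustin10.duckdns[.]org
nvidia.geforcegt[.]icu
----
"""

# Candidate extractors for free-text logs (editor's choice, not from the page).
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn the page's defanged form back into a matchable indicator."""
    return value.replace("[.]", ".")


def parse_ioc_blocks(text: str) -> dict:
    """Collect the indicators inside each '== Section' / '----' listing block.

    Returns {section title: set of lower-cased, refanged values}.
    """
    blocks = defaultdict(set)
    section = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("== "):
            section = line[3:]
        elif line == "----":
            in_block = not in_block  # AsciiDoc listing-block delimiter
        elif in_block and section and line:
            blocks[section].add(refang(line).lower())
    return dict(blocks)


def host_matches(host: str, domains: set) -> bool:
    """True if host is a listed domain or any subdomain of one.

    Suffix matching catches a new label under a listed dynamic-DNS name,
    but never matches the provider apex itself (duckdns.org is not in the
    set), so unrelated DuckDNS users are not flagged.
    """
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan_lines(lines, iocs: dict) -> list:
    """Return (line number, indicator type, value) for every IOC hit."""
    hashes = iocs.get("SHA-1 hashes", set())
    ips = iocs.get("IP addresses", set())
    domains = iocs.get("Domain names", set())
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in SHA1_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, "sha1", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                hits.append((n, "domain", host.lower()))
    return hits


# Constructed log lines; the field names are made up for this example.
SAMPLE_LOGS = [
    "2021-01-05T10:12:33Z dns client=10.20.30.41 query=covied19.duckdns.org type=A",
    "2021-01-05T10:12:34Z proxy src=10.20.30.41 dst=181.52.113.57 dport=443 bytes=2210",
    "2021-01-05T10:13:01Z dns client=10.20.30.42 query=updates.duckdns.org type=A",
    "2021-01-05T10:15:47Z edr host=WS042 sha1=0a4742be00af2b0e26987e5e3f37b9784bdea826 image=svc.exe",
    "2021-01-05T10:16:02Z dns client=10.20.30.43 query=jvlra.elagustin10.duckdns.org type=A",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS, parse_ioc_blocks(IOC_TEXT)):
        print(hit)
```

Two points worth keeping in mind when using this list. First, the domain check is a suffix match, so `jvlra.elagustin10.duckdns.org` in the last sample line is caught even though only `elagustin10.duckdns[.]org` is in the embedded excerpt (the page lists both), while `updates.duckdns.org` is not flagged because the provider apex is never an indicator. Second, nearly all of the hostnames sit under dynamic-DNS providers (duckdns.org, linkpc.net, publicvm.com), so the addresses they resolved to when the list was compiled will drift; treat the IP addresses as time-bounded, lower-confidence indicators and prefer hostname hits from DNS and proxy logs.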