mirror of
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
synced 2024-06-16 03:50:04 +00:00
= TeleBots Indicators of Compromise

The blog post about TeleBots is available on WeLiveSecurity at http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/.

== ESET detection names

- VBA/TrojanDropper.Agent.SD trojan
- Win32/TrojanDownloader.Agent.CWY trojan
- Python/TeleBot.AA trojan
- Python/Agent.Q trojan
- Python/Agent.AE trojan
- Python/Agent.AD trojan
- VBS/Agent.AQ trojan
- VBS/Agent.AO trojan
- VBS/Agent.AP trojan
- Win32/HackTool.NetHacker.N trojan
- Win32/HackTool.NetHacker.O trojan
- Win64/Riskware.Mimikatz.H application
- Win32/RiskWare.Mimikatz.I application
- Win32/PSW.Delf.OQU trojan
- Win32/PSW.Agent.OCO trojan
- Win32/PSW.Agent.OCP trojan
- Win64/Spy.KeyLogger.G trojan
- Win32/KillDisk.NBH trojan
- Win32/KillDisk.NBI trojan

== Network indicators

=== C&C servers

- `93.190.137.212`
- `95.141.37.3`
- `80.233.134.147`

=== Legitimate servers abused by malware authors

These are shared, legitimate services; traffic to them is only suspicious in combination with the other indicators on this page.

- `srv70.putdrive.com` (IP: `188.165.14.185`)
- `api.telegram.org` (IP: `149.154.167.200`, `149.154.167.197`, `149.154.167.198`, `149.154.167.199`)
- `smtp-mail.outlook.com` (IP: `65.55.176.126`)

== Samples

All hashes are SHA-1.
=== XLS documents with malicious macro

----
7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F
C361A06E51D2E2CD560F43D4CC9DABE765536179
----

=== Win32/TrojanDownloader.Agent.CWY

----
F1BF54186C2C64CD104755F247867238C8472504
----

=== Python/TeleBot.AA backdoor

----
16C206D9CFD4C82D6652AFB1EEBB589A927B041B
1DC1660677A41B6622B795A1EB5AA5E5118D8F18
26DA35564D04BB308D57F645F353D1DE1FB76677
30D2DA7CAF740BAAA8A1300EE48220B3043A327D
385F26D29B46FF55C5F4D6BBFD3DA12EB5C33ED7
4D5023F9F9D0BA7A7328A8EE341DBBCA244F72C5
57DAD9CDA501BC8F1D0496EF010146D9A1D3734F
68377A993E5A85EB39ADED400755A22EB7273CA0
77D7EA627F645219CF6B8454459BAEF1E5192467
7B87AD4A25E80000FF1011B51F03E48E8EA6C23D
7C822F0FDB5EC14DD335CBE0238448C14015F495
86ABBF8A4CF9828381DDE9FD09E55446E7533E78
9512A8280214674E6B16B07BE281BB9F0255004B
B2E9D964C304FC91DCAF39FF44E3C38132C94655
FE4C1C6B3D8FDC9E562C57849E8094393075BC93
----

=== VBS backdoors

----
F00F632749418B2B75CA9ECE73A02C485621C3B4
06E1F816CBAF45BD6EE55F74F0261A674E805F86
35D71DE3E665CF9D6A685AE02C3876B7D56B1687
F22CEA7BC080E712E85549848D35E7D5908D9B49
C473CCB92581A803C1F1540BE2193BC8B9599BFE
----

=== BCS-server

----
4B692E2597683354E106DFB9B90677C9311972A1
BF3CB98DC668E455188EBB4C311BD19CD9F46667
----

=== Modified Mimikatz

----
B0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991
AD2D3D00C7573733B70D9780AE3B89EEB8C62C76
D8614BC1D428EBABCCBFAE76A81037FF908A8F79
----

=== LDAP query tool

----
81F73C76FBF4AB3487D5E6E8629E83C0568DE713
----

=== CredRaptor password stealer

----
FFFC20567DA4656059860ED06C53FD4E5AD664C2
58A45EF055B287BAD7B81033E17446EE6B682E2D
----

=== Win64/Spy.KeyLogger.G trojan

----
7582DE9E93E2F35F9A63B59317EBA48846EEA4C7
----

=== Intercepter-NG and silent WinPCAP installer

----
64CB897ACC37E12E4F49C4DA4DFAD606B3976225
A0B9A35675153F4933C3E55418B6566E1A5DBF8A
----

=== Win32/KillDisk

----
71A2B3F48828E4552637FA9753F0324B7146F3AF
8EB8527562DDA552FC6B8827C0EBF50968848F1A
----
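The following script is an added example of putting these indicators to work; it is not part of this repository or of ESET's write-up. It transcribes the C&C addresses, the abused legitimate hosts and a subset of the SHA-1 sample hashes from this page (extend `SHA1_IOCS` with the rest of the list), then scans proxy log lines for the IP indicators and checks file hashes against the sample list. The log lines in `SAMPLE_PROXY_LOG` are constructed for the demonstration. Two caveats are built in: a hit on `api.telegram.org`, `smtp-mail.outlook.com` or `putdrive.com` is reported as `abused-legit:<host>` rather than `c2`, because those are shared services and a match is context for an investigation, not grounds to block on its own; and the addresses are from December 2016, so a resolution of those hostnames today may differ from the IPs listed here.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# Indicators transcribed from this page (ESET TeleBots write-up, December 2016).
C2_IPS: Set[str] = {"93.190.137.212", "95.141.37.3", "80.233.134.147"}

# Shared, legitimate infrastructure the malware abused for C&C and exfiltration.
# A hit here is context for an investigation, not a block decision on its own.
ABUSED_LEGIT_HOSTS = {
    "srv70.putdrive.com": {"188.165.14.185"},
    "api.telegram.org": {"149.154.167.200", "149.154.167.197",
                         "149.154.167.198", "149.154.167.199"},
    "smtp-mail.outlook.com": {"65.55.176.126"},
}

# Subset of the SHA-1 sample hashes from the page; add the remaining ones as needed.
SHA1_IOCS: Set[str] = {
    "7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F",  # XLS with malicious macro
    "F1BF54186C2C64CD104755F247867238C8472504",  # Win32/TrojanDownloader.Agent.CWY
    "16C206D9CFD4C82D6652AFB1EEBB589A927B041B",  # Python/TeleBot.AA backdoor
    "B0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991",  # modified Mimikatz
    "FFFC20567DA4656059860ED06C53FD4E5AD664C2",  # CredRaptor password stealer
    "71A2B3F48828E4552637FA9753F0324B7146F3AF",  # Win32/KillDisk
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_ip(ip: str) -> Optional[str]:
    """Return 'c2', 'abused-legit:<host>' or None for one IPv4 address string."""
    if ip in C2_IPS:
        return "c2"
    for host, ips in ABUSED_LEGIT_HOSTS.items():
        if ip in ips:
            return "abused-legit:" + host
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Find every indicator IP in the given log lines.

    Returns (line_number, ip, classification) tuples; line numbers are 1-based.
    Internal addresses and unknown destinations are ignored.
    """
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            kind = classify_ip(ip)
            if kind is not None:
                hits.append((n, ip, kind))
    return hits


def sha1_of_bytes(data: bytes) -> str:
    """Upper-case hex SHA-1, matching the case used in the hash lists above."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large samples need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_hashes(hashes: Iterable[str]) -> Set[str]:
    """Return the subset of the given SHA-1 strings that are known TeleBots samples.

    Input is normalised to upper case, so output from tools that print lower-case
    hex (sha1sum, PowerShell Get-FileHash) matches as well.
    """
    return {h.strip().upper() for h in hashes} & SHA1_IOCS


def scan_directory(root: Path) -> List[Tuple[Path, str]]:
    """Hash every regular file under root and return those matching a known sample."""
    matches: List[Tuple[Path, str]] = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha1_of_file(p)
            if digest in SHA1_IOCS:
                matches.append((p, digest))
    return matches


# Constructed proxy log lines for the demonstration (not real traffic).
SAMPLE_PROXY_LOG = [
    "2016-12-01T10:22:31Z CONNECT 93.190.137.212:443 src=10.0.0.5 bytes=4120",
    "2016-12-01T10:23:02Z GET https://api.telegram.org/ dst=149.154.167.200 src=10.0.0.5",
    "2016-12-01T10:24:00Z GET http://example.org/ dst=203.0.113.7 src=10.0.0.9",
]

if __name__ == "__main__":
    for n, ip, kind in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {n}: {ip} -> {kind}")
    print(match_hashes(["7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f"]))
```

On the sample log the first line is reported as `c2` and the second as `abused-legit:api.telegram.org`; the third produces nothing. Point `scan_directory` at a quarantine folder (never at the extracted `samples.infected.zip` on a production host) to check dropped files against the hash list.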