mirror of
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
synced 2024-06-26 00:39:46 +00:00
| .. | ||
| misp-machete-event.json | ||
| README.adoc | ||
| samples.md5 | ||
| samples.sha1 | ||
| samples.sha256 | ||
= Machete -- Indicators of Compromise For a technical analysis of Machete, check the white paper available on https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf[WeLiveSecurity]. A high level summary is also available as a blog post https://www.welivesecurity.com/2019/08/01/sharpening-machete-cyberespionage/[here]. The https://www.misp-project.org[MISP] event is available in link:misp-machete-event.json[`misp-machete-event.json`]. == Sample hashes === GoogleUpdate.exe [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`048C40EB606DA3DEF08C9F6997C1948AFBBC959B`|Python/Machete.F |`2E8D8508096CAA38493414F6BA788D0041EA9E15`|Python/Machete.F |`85BDD7D871108C737701AC30C14A2D343CBDEF94`|Python/Machete.D |`8ED8CB784512F7DADD147347FC94E945FAF16338`|Python/Machete.F |`9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E`|Python/Machete.A |`AB8DD6B0CC950618589603012863B57F7ADB9D9B`|Python/Machete.A |======================================== === Chrome.exe [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`318496B58CF5052EFD49A95C721D9165278E9FCE`|Python/Machete.B |`3BB345032B6D0226D6771BA65FE4DA0FAF628631`|Python/Machete.B |`946A24DFBD0AE94209EF7C284D3F462548566A3C`|Python/Machete.B |`984B9202A6DBD7D3DD696CAE1220338A68092DC9`|Python/Machete.B |`EABD45D0A86113F5CCFF9FD292C1E482A5727815`|Python/Machete.B |`F05BC018C90B560DC4932758956ADFFBC10588CE`|Python/Machete.B |======================================== === GoogleCrash.exe [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`204A2850548E5994D4696E9002F90DFCCBE2093A`|Python/Machete.C |`3792588EDC809270E6666A4677EC85A3400BA4CF`|Python/Machete.E |`4899A2C2CECEB92D2CC4ED17D092D1D599379284`|Python/Machete.A |`A42756280AA352F4612BED85AABF7F3267E676C2`|Python/Machete.E |`A97CF05AD7F3102BDE45E4B4947ED435EFEA1968`|Python/Machete.E |======================================== === RAR/7z SFX: config + malicious components ESET detection names vary for these samples, depending on the malicious components they hold inside. [options="header"] |======================================== |SHA-1 hash|Filename |`00397DA69B8E748720AEDFD80D78166573C33EC8`|ders.exe |`03929A5530639C1D9DBD395A298C59FD7EFF1DEC`|chrome.sfx.exe |`0922DEFB82FF1140BBE3481BAB27564BB966D50B`|ChrOme_UpdAte.sfx.exe |`0AC64E08E63601AD9D6A4EF019E5B374784AF80A`|chrome.sfx.exe |`0BA5BCE133B50EF80FD9241C3EA5CB9135CA4EB1`|ders.exe |`161629F63422AB34108854662313F87A278DD7F5`|chrome.sfx.exe |`24752DAB28C3ADD4C31591F2EC480CE3CA83E0AA`|python27.exe |`341F2EFA0FD11B4480D8503BFB81C62AF667D72D`|chrome_Up.sfx.exe |`4C130AA110B290A0CF4FF1C099EA2A705081A9CB`|Chrome_Update.sfx.exe |`50C23690C23EE070AD3A20FCED7311BFDF098833`|ders.exe |`67ECBC1E9A66719C599E6DDED33A85F70DACA13E`|chrome.sfx.exe |`6A69A2A2D4A2F8690B71386F0F092B04EA5A647D`|ders.exe |`92C56AF6815597C0135C21EF5A35D41B0E2A460F`|Python_27.exe |`9E52E1C015B97D4FB2CAC888F8FC69D729AF78F5`|finaser.aes |`A48A71B9D1C00A683397F97C02E0DBB3F4606863`|ders.exe |`B6E436A0FFF117A1C3D3D70947F62D4CAC66C95E`|ders.exe |`C4ACCF6071F51ADE102190C6FA350435FC202654`|Python.27.exe |`D5238CDE036EEFCC6D8D686B3A00247F27DA894C`|Python.27.exe |`DDA105D8D894F73B16518D546270E4F783CB5178`|python27.exe |`E85C1EF38C39B6087EA9AC8171DDD1416B9A5306`|python27.exe |`FD52B10E9D4E5D343E589627444A6766357D5E47`|Security.exe |======================================== === 7z SFX: decoy + downloader [options="header"] |======================================== |SHA-1 hash|Filename |`52B680F472AE463436979DA325DB7AD64D5AF1EF`|Mapa_monitoreo_WRF_ind02052018.scr |`69109287D41C002FA70BB3D6238C4056B2B24B2F`|Mapa_monitoreo_WRF_ind02052018.scr |`89C0FDEED36A69099E935A590A103339B0CBE525`|Mapa_monitoreo_WRF_ind02052018.scr |`9EA7832D83C74C839A49580B4211E627A24571BE`|Programa Formacion en Contratacion Publica.scr |`BFD0CBEF5B9C329792B38274474F04BD8109DF66`|RGMA0_1_629.scr |`FB871AACA0DDCF2F009A2D11ECF672CFB61B7357`|CALENDARIO_ACTIVIDADES_COLCO_EC.scr |`FDE89FCEC30FCAABB3D42ED87180843F3E760CD8`|Mapa_monitoreo_WRF_ind02052018.scr |======================================== === RAR SFX: URL config + downloader [options="header"] |======================================== |SHA-1 hash|Filename |`9912BDBE08179122DC3797A2585D463573D1B5A5`|04Down.exe |`AB16808B5B4706B6265C5FF5FEF8B8460C8A51F8`|4Down.sfx.exe |`BDAAB0B356EC9FE61FEE1723E1DD52E39DDC6699`|04Down.exe |`DED6509458DF62D3CE60C68F3A2A87E59F1F96BE`|Down.sfx.exe |======================================== === Downloader [options="header"] |======================================== |SHA-1 hash|Filename|ESET Detection Name |`2B7404F6B0075BC1192D61D4AF135D521D5F08A3`|RdrCEF.exe|Python/Machete.A |`53102E57B40FEACB64566C26D101D9242DECE77C`|Down.exe|Python/Machete.A |`56E8743E0773286A4B9E055147D96D53A43BECA1`|Down.exe|Python/Machete.A |`71F69F04307C8F5675DCADEAA80B8C2B95691B01`|Down.exe|Python/Machete.A |`904137B61F1DED66C8CA76EBF198DEC1B638B5D4`|Down.exe|Python/Machete.A |`FBB485B40477F5A014E7096747B1B4A494CE50EF`|Down.exe|Python/Machete.A |======================================== === RAR/7z SFX: decoy + payload (no downloader) [options="header"] |======================================== |SHA-1 hash|Filename |`0468D3776435E527DBA52B9DA61D38C076DDA09A`|FORMATO UNICO DE RENDIMIENTO OPERATIVO GNB 11JUNIO2019 CZGNB-13 xlsx.scr |`10EB152039CB0A379DAAB272151BC1BAA8C6D4DB`|Radiograma 004026_pdf.scr |`173664DE0A9A08218098ABFB86D2C64F25B5EE37`|Diseño_pptx.scr |`212F3697117D17EC3F299D037845CF3DB20CE88A`| |`29EA8A983E56229AC69FFF9958319B66C006020B`|RDGMA 1101 001 jpg.scr |`3562CB8D37E68025787C31A0B4654A1CE209E62F`|20190611101428 pdf.scr |`35E4ECB61F1FA09BEC8A4528C592D982D33B6C6B`|INVITADOS_MEXICANOS.scr |`442E6CC28D118CFAF1A5482E2000C7DC00D9A7B9`| |`5C56AC14CA7159804A9D53FE037CFD0D99D45AB1`|JUNIO_19_PROPUESTA_CLARO_RENOVACION.scr |`61DE62436B3806A3A645C96677D7AD9D802E30A8`|FORMATO DE NOVEDADES PARA DC PERSONAL xls.scr |`62800D245A3726CA390D08B7BF17FE2C37F2B3CF`|20190611101331.scr |`64F1322BF2A898278AA1E73803FDD500B6E5E7C7`|RAD_N_0961_21MAY19.scr |`79AC512389EF9E27A3598CA2968573DB4F5FD58F`|RAD OFL0120_jpg.scr |`7A1AD75A1AA73EC72EE21B213FCCA55D57A0CD58`|S_E_ARLETTE_MARENCO_NOTA_INFORMANDO_TERMINO_DE_MISION_001.scr |`8E0AC29B8BD0C086B20C23B254CF047AA30A0529`|07_1379.scr |`91F2C7EED2EE92D11BC6B8FD8D3CBA0B02C8D074`|Blason.scr |`97EDCDFD6E674591C1E809381C7E68F11DFA81FC`|08_1159.scr |`9D65B55168526161A79F4743A37B1A7358C67037`|INSTRUCCIONES DEL JSO 08JUN19 docx.scr |`A19648A5576E0B9FC449D89ADDC569BA1350ECFF`| |`A94916F9696D861FE040891634B3F2DA09557F13`|REPORTE OPERACIONAL 10JUN19 pdf.scr |`B451F623FE9F315EB886B83F27139FC236A07EC9`|20190611101428.scr |`C39B9D966AED0372619B3989995AB9AD12F94D38`|NOTA_CICR_00079.scr |`CF10E0313177FF4C9C588232218078EB870C0079`|BOLETA DE PERMISO NELSON GUERERE docx.scr |`E8BBCB0F6538D1543BFA3F7A66F20155EBC2BCC8`|JUNIO_27_PROPUESTA_CLARO_RENOVACION.scr |`EA3D823DF9F0E41AD1DA2FD3492B418693BED8BD`|20190611101331 pdf.scr |`EB82401CE6B2497AEB1FC666697D7D9CE66E4D5B`|Asimilacion.scr |======================================== === \_hashlbi.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`1B3723651E1D321D4F34F2A243D7751D17288257`|Python/Machete.G |`7FFB9C7DA20C536B694E78538B65726EACB1B055`|Python/Machete.G |`B1ADF4B46350FB801CE54DA9C93A4EF79674F3F5`|Python/Machete.G |======================================== === \_bsdbd.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3`|Python/Machete.G |`314D9B4C25DD69453D86E4C7062DCE6DEDDA0533`|Python/Machete.G |`D4CF22F3DB78BDC1CEB55431857D88166CE677D4`|Python/Machete.G |======================================== === \_clypes.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`26FB301AF7393B5E564B8C802F5795EDEBD7CECF`|Python/Machete.G |`979859B5A177650EF0549C81FD66D36E9DEA8078`|Python/Machete.G |`A07E38DF9887EA7811369CD72C57FD6D44523CD6`|Python/Machete.G |======================================== === \_elementree.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`07E383E9FF04F587769845306DC4BFE75630BAAA`|Python/Machete.G |`3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3`|Python/Machete.G |`56765B7511372A8E9BE017F48A764D141F485474`|Python/Machete.G |`CF2DC40926D8747AEC572DFD711BBFD766AADB10`|Python/Machete.G |======================================== === \_mssi.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`6B42091CA2F89A59F4E27E30ACDACF32EB83F824`|Python/Machete.G |`708F159F2CFE22FF0C4464F2FEDAA0501868BDD8`|Python/Machete.G |`DE639618B550DBE9071E999AAA5B4FC81F63A5A6`|Python/Machete.G |======================================== === \_multiproccessing.pyw [options="header"] |======================================== |SHA-1 hash|ESET Detection Name |`0B6F61AF3E2C6551F15E0F888177EEC91F20BA99`|Python/Machete.G |`76AABC0AF5D487A80BCBA19555191B46766139FA`|Python/Machete.G |`7FF87649CA1D9178A02CD9942856D1B590652C6E`|Python/Machete.G |`8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D`|Python/Machete.G |`8AF19AA3F18CB35F12EE3966931E11799C3AC5A4`|Python/Machete.G |`E1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD`|Python/Machete.G |======================================== == Domain names * `tobabean.expert` * `koliast.com` * `u929489355.hostingerapp.com` * `u154611594.hostingerapp.com` * `6e24a5fb.ngrok.io` * `f9527d03.ngrok.io` * `adtiomtardecessd.zapto.org` * `mcsi.gotdns.ch` * `djcaps.gotdns.ch` * `tokeiss.ddns.net` * `artyomt.com` * `lawyersofficial.mipropia.com` * `ceofanb18.mipropia.com` == Server IPs * `185.224.137.63` * `156.67.222.88` * `158.69.9.209` * `142.44.236.215` * `199.79.63.188` * `109.61.164.33`