Indicators of Compromise (IOCs) — network indicators below are defanged with "[.]" (e.g. 188.131.233[.]27); refang before loading them into blocklists or detection content.
|
|
|
|
IOC
|
|
|
|
IOC Type
|
|
|
|
Description
|
|
|
|
faa80e0692ba120e38924ccd46f6be3c25b8edf7cddaa8960fe9ea632dc4a045
|
|
|
|
SHA256
|
|
|
|
PE Attachment - our infrastructure offer ann‮cod.exe (the filename embeds U+202E RIGHT-TO-LEFT OVERRIDE after "ann", so it is displayed as "...annexe.doc" while the real extension is .exe; match on the raw filename bytes, not the rendered name)
|
|
|
|
b7960d1f40b727bbea18a0e5c62bafcb54c9ec73be3e69e787b7ddafd2aae364
|
|
|
|
SHA256
|
|
|
|
PE Attachment - powersafe courses ann‮cod.exe (the filename embeds U+202E RIGHT-TO-LEFT OVERRIDE after "ann", so it is displayed as "...annexe.doc" while the real extension is .exe; match on the raw filename bytes, not the rendered name)
|
|
|
|
26eb8a1f0bdde626601d039ea0f2c92a7921152371bafe5e811c6a1831f071ce
|
|
|
|
SHA256
|
|
|
|
FlowCloud MS Word Macro Attachment - personal invitation.doc
|
|
|
|
cd8f877c9a1c31179b633fd74bd5050e4d48eda29244230348c6f84878d0c33c
|
|
|
|
SHA256
|
|
|
|
Dropped Files - Cert.pem (filename matches the payload fetched from the Dropbox delivery URL listed below; despite the .pem name this is not a certificate file)
|
|
|
|
e4ad5d3213425c58778d8a0244df4cd99c748f58852d8ac71b46326efd5b3220
|
|
|
|
SHA256
|
|
|
|
Dropped Files - pense1.txt
|
|
|
|
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4
|
|
|
|
SHA256
|
|
|
|
Dropped Files - Temptcm.tmp
|
|
|
|
1334c742f2aec7e8412d76ba228b99935a49dc96a1e8e1f3446d9f61247ae47e
|
|
|
|
SHA256
|
|
|
|
Dropped Files - EhStorAuthn.exe (note: this name collides with a legitimate Windows system binary name, so pivot on the SHA256 rather than the filename alone)
|
|
|
|
de30929ef958211f9315e27a7aa45ef061726a76990ddc6b9d9f189b9fbdd45a
|
|
|
|
SHA256
|
|
|
|
Dropped Files - dlcore.dll
|
|
|
|
0b013ccd9e10d7589994629aed18ffe2388cbd745b5b28ab39c07835295a1ca9
|
|
|
|
SHA256
|
|
|
|
Dropped Files - rebare.dat
|
|
|
|
479954b9e7d5c5f7086a2a1ff1dba99de2eab2e1b1bc75ad8f3b211088eb4ee9
|
|
|
|
SHA256
|
|
|
|
Dropped Files - rescure.dat
|
|
|
|
d5191327a984fab990bfb0e811688e65e9aaa751c3d93fa92487e8a95cb2eea8
|
|
|
|
SHA256
|
|
|
|
Dropped Files - responsor.dat
|
|
|
|
0701cc7eb1af616294e90cbb35c99fa2b29d2aada9fcbdcdaf578b3fcf9b56c7
|
|
|
|
SHA256
|
|
|
|
Dropped Files - EhStorAuthn_shadow.exe
|
|
|
|
27f5df1d35744cf283702fce384ce8cfb2f240bae5d725335ca1b90d6128bd40
|
|
|
|
SHA256
|
|
|
|
Dropped Files - rescure64.dat
|
|
|
|
13e761f459c87c921dfb985cbc6489060eb86b4200c4dd99692d6936de8df5ba
|
|
|
|
SHA256
|
|
|
|
Dropped Files - rescure86.dat
|
|
|
|
2481fd08abac0bfefe8d8b1fa3beb70f8f9424a1601aa08e195c0c14e1547c27
|
|
|
|
SHA256
|
|
|
|
Dropped Files - hha.dll
|
|
|
|
188.131.233[.]27
|
|
|
|
IP
|
|
|
|
C2 (command-and-control) IP
|
|
|
|
118.25.97[.]43
|
|
|
|
IP
|
|
|
|
Sender IP
|
|
|
|
34.80.27[.]200
|
|
|
|
IP
|
|
|
|
Sender IP
|
|
|
|
134.209.99[.]169
|
|
|
|
IP
|
|
|
|
Staging IP
|
|
|
|
101.99.74[.]234
|
|
|
|
IP
|
|
|
|
Staging IP
|
|
|
|
Asce[.]email
|
|
|
|
Domain
|
|
|
|
Phishing Domain
|
|
|
|
powersafetrainings[.]org
|
|
|
|
Domain
|
|
|
|
Phishing Domain
|
|
|
|
mails.daveengineer[.]com
|
|
|
|
Domain
|
|
|
|
Phishing Domain
|
|
|
|
powersafetraining[.]net
|
|
|
|
Domain
|
|
|
|
Related Infrastructure
|
|
|
|
mails.energysemi[.]com
|
|
|
|
Domain
|
|
|
|
Related Infrastructure
|
|
|
|
www.mails.energysemi[.]com
|
|
|
|
Domain
|
|
|
|
Related Infrastructure
|
|
|
|
www.powersafetraining[.]net
|
|
|
|
Domain
|
|
|
|
Related Infrastructure
|
|
|
|
www.powersafetrainings[.]org
|
|
|
|
Domain
|
|
|
|
Related Infrastructure
|
|
|
|
ffca.caibi379[.]com
|
|
|
|
Domain
|
|
|
|
Macro Domain
|
|
|
|
http://ffca.caibi379[.]com/rwjh/qtinfo.txt
|
|
|
|
URL
|
|
|
|
FlowCloud Macro Delivery URL (inactive at the time of reporting; still useful for retrospective proxy/DNS log hunting)
|
|
|
|
https://www.dropbox[.]com:443/s/ddgifm4ityqwx60/Cert.pem?dl=1
|
|
|
|
URL
|
|
|
|
FlowCloud Macro Delivery URL (hosted on a Dropbox share; block or alert on the specific share path, not the dropbox[.]com domain)
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\2
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\3
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\4
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
HKEY_LOCAL_MACHINE\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
HKEY_LOCAL_MACHINE\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
HKEY_LOCAL_MACHINE\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
|
|
|
|
Registry Key
|
|
|
|
FlowCloud Registry Key
|
|
|
|
G:\FlowCloud\trunk\Dev\src\fcClient\Release\QQSetupEx_func.pdb
|
|
|
|
File Path
|
|
|
|
FlowCloud PDB Path (debug-symbol path embedded in the compiled binary; use for string/YARA hunting on samples, not as a filesystem artifact on the victim host)
|
|
|
|
g:\FlowCloud\trunk\Dev\src\fcClient\Release\fcClientDll.pdb
|
|
|
|
File Path
|
|
|
|
FlowCloud PDB Path
|
|
|
|
F:\FlowCloud\trunk\Dev\src\fcClient\kmspy\Driver\Release\Driver.pdb
|
|
|
|
File Path
|
|
|
|
FlowCloud PDB Path
|
|
|
|
F:\FlowCloud\trunk\Dev\src\fcClient\kmspy\Driver\x64\Release\Driver.pdb
|
|
|
|
File Path
|
|
|
|
FlowCloud PDB Path
|
|
|
|
|