APT_CyberCriminal_Campagin_.../2017/2017.10.27.bahamut-revisited/IOCs.txt
cybermonitor 6ecca466ac 2022
2022-04-27 16:20:36 +08:00


Credential Harvesting and Recon
Android Agent
devotedtohumanity-fif[.]info
kashmir-weather-info[.]com
mxiplayer[.]com
6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0 Khuai Translator (1.3)
0550dad8d55446e5b5dbae61783cfb7c78ee10d2 MXI Player (1.2)
00d000679baab456953b4302d8b2a1e65241ed12 Devoted to Humanity (1.0)
ddaf5e43da0b00884ef957c32d7b16ed692a057a Kashmir Weather (1.2)
Windows Agent
9850ac30c3357d3a412d0f6cec2716b63db6c21d
mxiplayer[.]com
Other Malware References
“Analysis Report on Kashmir.exe” 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560
“E-Challan.zip” 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96
mint-news-portal.hymnfork[.]com
online-tracking-status.hymnfork[.]com
Similar Infrastructure