From 2ed2e9c02e2a9c2146c6b39371238756d1aeb972 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Rub=C3=ADn?=
Date: Wed, 1 Dec 2021 10:11:18 +0100
Subject: [PATCH] Added IoC files for CoinHelper
---
CoinHelper/README.md | 66 +++++++++++++++++++++++++++++++++++++++
CoinHelper/mutexes.txt | 4 +++
CoinHelper/network.txt | 31 ++++++++++++++++++
CoinHelper/samples.md5 | 9 ++++++
CoinHelper/samples.sha1 | 9 ++++++
CoinHelper/samples.sha256 | 9 ++++++
6 files changed, 128 insertions(+)
create mode 100644 CoinHelper/README.md
create mode 100644 CoinHelper/mutexes.txt
create mode 100644 CoinHelper/network.txt
create mode 100644 CoinHelper/samples.md5
create mode 100644 CoinHelper/samples.sha1
create mode 100644 CoinHelper/samples.sha256
diff --git a/CoinHelper/README.md b/CoinHelper/README.md
new file mode 100644
index 0000000..119c0d3
--- /dev/null
+++ b/CoinHelper/README.md
@@ -0,0 +1,66 @@
+# IOC for CoinHelper
+
+Malware analysis and more technical informations at
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [Mutexes](#mutexes)
+
+
+## Samples (SHA-256)
+#### CoinHelper binary and related files
+```
+83a64c598d9a10f3a19eabed41e58f0be407ecbd19bb4c560796a10ec5fccdbf - start.exe
+cc36bb34332e2bc505da46ca2f17206a8ae3e4f667d9bdfbc500a09e77bab09c - asacpiex.dll
+ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d - CL_Debug_Log.txt
+126d8e9e03d7b656290f5f1db42ee776113061dbd308db79c302bc79a5f439d3 - 32.exe
+7a3ad620b117b53faa19f395b9532d3db239a1d6b46432033cc0ef6a8d2377cd - 64.exe
+7387e57e5ecfdba01f0ad25eeb49abf52fa0b1c66db0b67e382d3b9c057f51a8 - 32.txt
+ff5aa6390ed05c887cd2db588a54e6da94351eca6f43a181f1db1f9872242868 - 64.txt
+6753d1a408e085e4b6243bfd5e8b44685e8930a81ec27795ccd61f8d54643c4e - amd.txt
+93dd8ef915ca39f2a016581d36c0361958d004760a32e9ee62ff5440d1eee494 - nvidia.txt
+```
+
+
+## Network indicators
+#### Public IP logging service URL
+```
+2no[.]co/1wbYc7
+```
+#### Tor C&Cs
+```
+bgpaio75egqvqigekt5bqfppzgth72r22f7vhm6xolzqd6ohroxs7pqd[.]onion
+jr2jjfxgklthlxh63cz3ajdvh7cj6boz3c3fbhriklk7yip4ce4vzsyd[.]onion
+uovyniuak3w4d3yzs4z4hfgx2qa6l2u6cx4wqsje4pmnmygc6vfddwqd[.]onion
+rcjndzwubq5zbay5xoqk4dnc23gr4ifseqqsmbw5soogye6yysc7nkyd[.]onion
+ist4tvsv5polou6uu5isu6dbn7jirdkcgo3ybjghclpcre5hzonybhad[.]onion
+nt4flrgftahnjzrazdstn2uwykuxuclosht46fnbwlcsjj4zaulomlad[.]onion
+shmauhvdvfcpkz7gl23kmkep5xtajau3ghxtswur6q5bznnpmfam3iqd[.]onion
+sqymp2cgjmp5pllesephn55wtocugudyrxvz2ptkdnctet53e5e4mfid[.]onion
+t6ka6jsevtotg4jstanojg3meo24ciyl3fwllzpml4bpibek6waxsgqd[.]onion
+7cmqghpupqiquxkfgmotxv6nfl366hyekx4mulez6rdgwdmq7hn72rad[.]onion
+bobsslp6f4w23r2g375l6ndbbz7i5uwg7i7j5idieeoqksuwm4wy57yd[.]onion
+diyacgq37d4mdev7jao4vjmpplejpx6srnvjspcg7yh4ffdjkiurekyd[.]onion
+2qepteituvpy42gggxxqaaeozppjagsu5xz2zdsbugt3425t2mbjvbad[.]onion
+r2yzxjp3hrsqjwbpvxsx4zn5ww4cbnt6gqkjkgqrry7634qi7aeqtvyd[.]onion
+t7f46q5mj2i7vatj6oij3s4pzr2glxozqzntnq7hab2unh5ph5iniaad[.]onion
+vmpzn64y2jg3dtvlg3sdqwngciiqbb53quiw52fjldjrkml5cux4kzad[.]onion
+3h7yxuyj6bfgpys63z7gleu6xc3gedgsvzqb2onayv4nvide3cja2vid[.]onion
+4sqi3axlh5bxk3jnh76ohvn3nnwekrubdpygznzeqsji7v66secvhgid[.]onion
+6yhfokwes7hcjnp7bgzlto5umqcoir7bqfxojd7rsrbnb4cad2uf3dad[.]onion
+acis2advyp7ougpe46o64vqwu7qheko3sphytcwsvoyrkysq2r2bt3yd[.]onion
+brnrnawg7yv5ot7qc76fqpju6e34dy4z6rbrw3phax6uoyes4vr7sgad[.]onion
+unbagbew3rjfng5xtyxtp4oyopcopqwmhargs4m5qz47joisgfyv7wqd[.]onion
+xyer2q73qwhc2csqbfzf7w4vv4r6555qhyn6ofm56iwzvkgidxv6coqd[.]onion
+jbadd74iobimuuuvsgm5xdshpzk4vxuh35egd7c3ivll3wj5lc6tjxqd[.]onion
+```
+
+## Mutexes
+```
+QPRZ1bWvXh
+QPRZ1bWvXh2
+QPRZ2bWvXh
+QPRZ3bWvXh
+```
diff --git a/CoinHelper/mutexes.txt b/CoinHelper/mutexes.txt
new file mode 100644
index 0000000..0c95307
--- /dev/null
+++ b/CoinHelper/mutexes.txt
@@ -0,0 +1,4 @@
+QPRZ1bWvXh
+QPRZ1bWvXh2
+QPRZ2bWvXh
+QPRZ3bWvXh
diff --git a/CoinHelper/network.txt b/CoinHelper/network.txt
new file mode 100644
index 0000000..37db7aa
--- /dev/null
+++ b/CoinHelper/network.txt
@@ -0,0 +1,31 @@
+Public IP logging service URL
+-----------------
+2no[.]co/1wbYc7
+
+
+Tor C&Cs
+-----------------
+bgpaio75egqvqigekt5bqfppzgth72r22f7vhm6xolzqd6ohroxs7pqd[.]onion
+jr2jjfxgklthlxh63cz3ajdvh7cj6boz3c3fbhriklk7yip4ce4vzsyd[.]onion
+uovyniuak3w4d3yzs4z4hfgx2qa6l2u6cx4wqsje4pmnmygc6vfddwqd[.]onion
+rcjndzwubq5zbay5xoqk4dnc23gr4ifseqqsmbw5soogye6yysc7nkyd[.]onion
+ist4tvsv5polou6uu5isu6dbn7jirdkcgo3ybjghclpcre5hzonybhad[.]onion
+nt4flrgftahnjzrazdstn2uwykuxuclosht46fnbwlcsjj4zaulomlad[.]onion
+shmauhvdvfcpkz7gl23kmkep5xtajau3ghxtswur6q5bznnpmfam3iqd[.]onion
+sqymp2cgjmp5pllesephn55wtocugudyrxvz2ptkdnctet53e5e4mfid[.]onion
+t6ka6jsevtotg4jstanojg3meo24ciyl3fwllzpml4bpibek6waxsgqd[.]onion
+7cmqghpupqiquxkfgmotxv6nfl366hyekx4mulez6rdgwdmq7hn72rad[.]onion
+bobsslp6f4w23r2g375l6ndbbz7i5uwg7i7j5idieeoqksuwm4wy57yd[.]onion
+diyacgq37d4mdev7jao4vjmpplejpx6srnvjspcg7yh4ffdjkiurekyd[.]onion
+2qepteituvpy42gggxxqaaeozppjagsu5xz2zdsbugt3425t2mbjvbad[.]onion
+r2yzxjp3hrsqjwbpvxsx4zn5ww4cbnt6gqkjkgqrry7634qi7aeqtvyd[.]onion
+t7f46q5mj2i7vatj6oij3s4pzr2glxozqzntnq7hab2unh5ph5iniaad[.]onion
+vmpzn64y2jg3dtvlg3sdqwngciiqbb53quiw52fjldjrkml5cux4kzad[.]onion
+3h7yxuyj6bfgpys63z7gleu6xc3gedgsvzqb2onayv4nvide3cja2vid[.]onion
+4sqi3axlh5bxk3jnh76ohvn3nnwekrubdpygznzeqsji7v66secvhgid[.]onion
+6yhfokwes7hcjnp7bgzlto5umqcoir7bqfxojd7rsrbnb4cad2uf3dad[.]onion
+acis2advyp7ougpe46o64vqwu7qheko3sphytcwsvoyrkysq2r2bt3yd[.]onion
+brnrnawg7yv5ot7qc76fqpju6e34dy4z6rbrw3phax6uoyes4vr7sgad[.]onion
+unbagbew3rjfng5xtyxtp4oyopcopqwmhargs4m5qz47joisgfyv7wqd[.]onion
+xyer2q73qwhc2csqbfzf7w4vv4r6555qhyn6ofm56iwzvkgidxv6coqd[.]onion
+jbadd74iobimuuuvsgm5xdshpzk4vxuh35egd7c3ivll3wj5lc6tjxqd[.]onion
diff --git a/CoinHelper/samples.md5 b/CoinHelper/samples.md5
new file mode 100644
index 0000000..f8fd4f8
--- /dev/null
+++ b/CoinHelper/samples.md5
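Review bot: network.txt interleaves human headings (`Public IP logging service URL`, `Tor C&Cs`, the `-----------------` rules and two blank lines) with the indicators, so unlike mutexes.txt and the samples.* files in this commit it is not one-indicator-per-line and a consumer has to strip those lines before matching on them. The README already carries the same headings, so the file could hold only the indicators; if the grouping matters in the file itself, a uniformly marked comment line such as `# Tor C&C` is easier to filter than a bare heading. The entries are defanged with `[.]`, which nothing in the commit states; a one-line note on that convention in the README would tell consumers to refang before use.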
@@ -0,0 +1,9 @@
+14ed4e48eb21324df282179510880d0a
+1d72633024a903e2c032c940de973549
+43141e85e7c36e31b52b22ab94d5e574
+b067e6a02fe417086c69e60e066fdfd7
+c1512c6c7b9fa52c7621d2559ca76086
+1707ec4b99f87d3ec9f4b405f70493f5
+e819e2f372cc1f87fe0273e8ccafdea1
+3cb1de93748a97855050af88dc34105f
+129caf6d5088e8d0137d7453107a631b
diff --git a/CoinHelper/samples.sha1 b/CoinHelper/samples.sha1
new file mode 100644
index 0000000..cb5c205
--- /dev/null
+++ b/CoinHelper/samples.sha1
@@ -0,0 +1,9 @@
+737f320a4f3336d2faf30e600bd7b192b40e6163
+9fa6d79c49ccc3d77346fe72539d7eb4bc4fbc03
+cfd7079a9b268d84b856dc668edbb9ab9ef35312
+3bc7d1ec32692f6b9cdeb0f427721119d92a48c6
+6e8e3ef755de950405d426982f71b4fc26289c19
+a396ccbfa2b3fdd563f70e83ca220dd792734cea
+809b07153a0f586fd137248697ca4bcb0b13da4d
+733c7e8f1f78b26abaed63de4318056f148423b7
+c6e59f733050910d66d6ed03bf78e4f3e25fb661
diff --git a/CoinHelper/samples.sha256 b/CoinHelper/samples.sha256
new file mode 100644
index 0000000..a0c0cac
--- /dev/null
+++ b/CoinHelper/samples.sha256
@@ -0,0 +1,9 @@
+83a64c598d9a10f3a19eabed41e58f0be407ecbd19bb4c560796a10ec5fccdbf
+cc36bb34332e2bc505da46ca2f17206a8ae3e4f667d9bdfbc500a09e77bab09c
+ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
+126d8e9e03d7b656290f5f1db42ee776113061dbd308db79c302bc79a5f439d3
+7a3ad620b117b53faa19f395b9532d3db239a1d6b46432033cc0ef6a8d2377cd
+7387e57e5ecfdba01f0ad25eeb49abf52fa0b1c66db0b67e382d3b9c057f51a8
+ff5aa6390ed05c887cd2db588a54e6da94351eca6f43a181f1db1f9872242868
+6753d1a408e085e4b6243bfd5e8b44685e8930a81ec27795ccd61f8d54643c4e
+93dd8ef915ca39f2a016581d36c0361958d004760a32e9ee62ff5440d1eee494
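Review bot: samples.md5 lists nine bare hashes with no sample name, and the samples.sha1 and samples.sha256 hunks on this line do the same, so the correspondence between the three files (and to the `hash - filename` table in the README) can only be assumed from line order, which nothing in the commit states. The samples.sha256 hunk happens to follow the README's order, but samples.md5 and samples.sha1 cannot be checked against anything here. Writing each file in checksum-tool form, `HASH  filename`, e.g. `83a64c598d9a10f3a19eabed41e58f0be407ecbd19bb4c560796a10ec5fccdbf  start.exe`, would make the mapping explicit in all three files and keep them usable with `sha256sum -c`-style verification.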