Clipsa: Added IoC files

Clipsa/README.md

@@ -0,0 +1,79 @@
+# IOC for Clipsa
+
+Malware analysis and more technical informations at <https://decoded.avast.io/janrubin/clipsa---multipurpose-password-stealer/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [File names](#file-names)
+* [Registy keys](#registry-keys)
+* [Semaphores](#semaphores)
+
+
+## Samples (SHA-256)
+#### Clipsa binary and related files
+```
+2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E - condlg.exe
+FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5 - 65923_VTS.vob
+A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1 - condlg.dll
+B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5 - XMRig miner (C&C)
+F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42 - 65923_VTS.asx
+```
+
+
+## Network indicators
+#### Downloader urls
+```
+poly.ufxtools[.]com/wp-content/plugins/WPSystem/dl.php?a=d
+poly.ufxtools[.]com/wp-content/plugins/WPSystem/ok.php
+```
+#### Uploader urls
+```
+poly.ufxtools[.]com/wp-content/plugins/WPSecurity/up.php
+```
+#### C&C servers
+```
+http[:]//besttipsfor[.]com
+http[:]//chila[.]store
+http[:]//globaleventscrc[.]com
+http[:]//ionix.co[.]id
+http[:]//mahmya[.]com
+http[:]//mohanchandran[.]com
+http[:]//mutolarahsap[.]com
+http[:]//northkabbadi[.]com
+http[:]//poly.ufxtools[.]com
+http[:]//raiz[.]ec
+http[:]//rhsgroup[.]ma
+http[:]//robinhurtnamibia[.]com
+http[:]//sloneczna10tka[.]pl
+http[:]//stepinwatchcenter[.]se
+http[:]//topfinsignals[.]com
+http[:]//tripindiabycar[.]com
+http[:]//videotroisquart[.]net
+http[:]//wbbministries[.]org
+```
+
+
+## File names
+```
+%APPDATA%\Roaming\AudioDG\condlg.exe
+%APPDATA%\Roaming\AudioDG\zcondlg.exe
+%APPDATA%\Roaming\AudioDG\log.dat
+%APPDATA%\Roaming\AudioDG\log.dat
+%APPDATA%\Roaming\AudioDG\obj\
+%APPDATA%\Roaming\AudioDG\udb\
+%APPDATA%\Roaming\AudioDG\rep.dat
+```
+
+## Registry keys
+```
+HCU\Software\Microsoft\Windows\CurrentVersion\Run\11f86284
+```
+
+## Semaphores
+```
+%APPDATA%\ROAMING\AUDIODG\CONDLG.EXE
+%APPDATA%\ROAMING\AUDIODG\ZCONDLG.EXE
+```
+

Clipsa/appendix_files/cnc_servers_all.txt

@@ -0,0 +1,20 @@
+List of C&C server addresses
+----------------------------------
+http[:]//besttipsfor[.]com
+http[:]//chila[.]store
+http[:]//globaleventscrc[.]com
+http[:]//ionix[.]co[.]id
+http[:]//mahmya[.]com
+http[:]//mohanchandran[.]com
+http[:]//mutolarahsap[.]com
+http[:]//northkabbadi[.]com
+http[:]//poly[.]ufxtools[.]com
+http[:]//raiz[.]ec
+http[:]//rhsgroup[.]ma
+http[:]//robinhurtnamibia[.]com
+http[:]//sloneczna10tka[.]pl
+http[:]//stepinwatchcenter[.]se
+http[:]//topfinsignals[.]com
+http[:]//tripindiabycar[.]com
+http[:]//videotroisquart[.]net
+http[:]//wbbministries[.]org

Clipsa/appendix_files/password_list.txt

@@ -0,0 +1,3 @@
+Decrypted password list
+----------------------------------
+!|%domain%|0000|000000|1|102030|111|1111|111111|11111111|112233|11223344|121212|123|123123|123123123|123321|1234|12341234|12345|123456|1234567|12345678|123456789|1234567890|123456a|1234abcd|1234qwer|123654|123qwe|123qweasdzxc|124578|147258|147258369|1478963|1q2w3e4r|1q2w3e4r5t|1qaz2wsx|2001|222222|55555|654321|987654321|a|aaa|a12345|a123456|a1b2c3d4|aaa111|aaaaaa|abc123|abc12345|abcd1234|admin|admin1|admin123|admin123456|admin2017|admin2018|adminadmin|administrador|administrator|adminpass|adrian|amazon|andrey|apple|apple123|asd123|asdf1234|asdfgh|azerty|changeme|chris123|coadmin|demo|formula|fuck|fuckyou|hello|letmein|master|michael1|nopass|pa55w0rd|pass|pass1|pass123|password|password1|password123|president|q1w2e3|q1w2e3r4|q1w2e3r4t5|qazwsx|qazxsw|qwe123|qwer1234|qwerty|qwerty123|qwertyuiop|raymond|root|secret|simon|success1|temppass|test|test1|test123|test1234|testing|testtest|tools|webmaster|welcome|welcome1|zaq123|zaq12wsx|zxcvbnm

Clipsa/network.txt

@@ -0,0 +1,20 @@
+poly.ufxtools[.]com/wp-content/plugins/WPSystem/dl.php?a=d
+poly.ufxtools[.]com/wp-content/plugins/WPSystem/ok.php
+http[:]//besttipsfor[.]com
+http[:]//chila[.]store
+http[:]//globaleventscrc[.]com
+http[:]//ionix.co[.]id
+http[:]//mahmya[.]com
+http[:]//mohanchandran[.]com
+http[:]//mutolarahsap[.]com
+http[:]//northkabbadi[.]com
+http[:]//poly.ufxtools[.]com
+http[:]//raiz[.]ec
+http[:]//rhsgroup[.]ma
+http[:]//robinhurtnamibia[.]com
+http[:]//sloneczna10tka[.]pl
+http[:]//stepinwatchcenter[.]se
+http[:]//topfinsignals[.]com
+http[:]//tripindiabycar[.]com
+http[:]//videotroisquart[.]net
+http[:]//wbbministries[.]org

Clipsa/samples.md5

@@ -0,0 +1,5 @@
+7E52633FFA2C3AEE03E8B26F03E07CC4
+501B80014C750EDEFFC0E966F7845A41
+FD07A9CD7C88C5D972E0EAB897B7EA78
+CCEEDD6FB18845F31BAFEB9968572CCB
+84CE3FB41E9E59851C3B176E1CFB1100

Clipsa/samples.sha1

@@ -0,0 +1,5 @@
+7D998BDE90222F7845E62ADB033F27AE162DF5E8
+647C5DE4E3686EBA8FDDB5AABC55B6A9CE25C627
+EBD5847FFF0C403A2536655353B1EB7338B5E603
+249F1F240B3FBF38E597A7B186CF6C3297E3A33B
+AD46B83CAD6DA6A05690AE220BCEEBDA312A4DFA

Clipsa/samples.sha256

@@ -0,0 +1,5 @@
+2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
+FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
+A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
+B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
+F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42