mirror of
https://github.com/avast/ioc
synced 2024-06-16 11:58:39 +00:00
Clipsa: Added IoC files
This commit is contained in:
parent
a7206e1e40
commit
54e6bf1a32
79
Clipsa/README.md
Normal file
@ -0,0 +1,79 @@
# IOC for Clipsa
Malware analysis and more technical informations at <https://decoded.avast.io/janrubin/clipsa---multipurpose-password-stealer/>
### Table of Contents
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)
* [File names](#file-names)
* [Registy keys](#registry-keys)
* [Semaphores](#semaphores)
## Samples (SHA-256)
#### Clipsa binary and related files
```
2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E - condlg.exe
FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5 - 65923_VTS.vob
A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1 - condlg.dll
B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5 - XMRig miner (C&C)
F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42 - 65923_VTS.asx
```
## Network indicators
#### Downloader urls
```
poly.ufxtools[.]com/wp-content/plugins/WPSystem/dl.php?a=d
poly.ufxtools[.]com/wp-content/plugins/WPSystem/ok.php
```
#### Uploader urls
```
poly.ufxtools[.]com/wp-content/plugins/WPSecurity/up.php
```
#### C&C servers
```
http[:]//besttipsfor[.]com
http[:]//chila[.]store
http[:]//globaleventscrc[.]com
http[:]//ionix.co[.]id
http[:]//mahmya[.]com
http[:]//mohanchandran[.]com
http[:]//mutolarahsap[.]com
http[:]//northkabbadi[.]com
http[:]//poly.ufxtools[.]com
http[:]//raiz[.]ec
http[:]//rhsgroup[.]ma
http[:]//robinhurtnamibia[.]com
http[:]//sloneczna10tka[.]pl
http[:]//stepinwatchcenter[.]se
http[:]//topfinsignals[.]com
http[:]//tripindiabycar[.]com
http[:]//videotroisquart[.]net
http[:]//wbbministries[.]org
```
## File names
```
%APPDATA%\Roaming\AudioDG\condlg.exe
%APPDATA%\Roaming\AudioDG\zcondlg.exe
%APPDATA%\Roaming\AudioDG\log.dat
%APPDATA%\Roaming\AudioDG\log.dat
%APPDATA%\Roaming\AudioDG\obj\
%APPDATA%\Roaming\AudioDG\udb\
%APPDATA%\Roaming\AudioDG\rep.dat
```
## Registry keys
```
HCU\Software\Microsoft\Windows\CurrentVersion\Run\11f86284
```
## Semaphores
```
%APPDATA%\ROAMING\AUDIODG\CONDLG.EXE
%APPDATA%\ROAMING\AUDIODG\ZCONDLG.EXE
```
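Review bot: the entry in the `## Registry keys` block is written `HCU\Software\Microsoft\Windows\CurrentVersion\Run\11f86284`; the standard hive abbreviation is `HKCU`, so anyone matching on the literal string or pasting it into a tool will miss it. In the `## File names` block, `%APPDATA%` already expands to `C:\Users\<user>\AppData\Roaming`, so `%APPDATA%\Roaming\AudioDG\...` would resolve to a doubled `Roaming\Roaming`; confirm whether the observed path is `%APPDATA%\AudioDG\...` or `%USERPROFILE%\AppData\Roaming\AudioDG\...`. Smaller fixes: `log.dat` is listed twice, the TOC entry reads `Registy keys`, and `ionix.co[.]id` / `poly.ufxtools[.]com` in the C&C list leave one dot undefanged while every other entry defangs all of them, which trips a mechanical refang.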
2002
Clipsa/appendix_files/btc_addresses_2000.txt
Normal file
File diff suppressed because it is too large
9414
Clipsa/appendix_files/btc_addresses_complete.txt
Normal file
File diff suppressed because it is too large
9415
Clipsa/appendix_files/btc_addresses_sorted.txt
Normal file
File diff suppressed because it is too large
20
Clipsa/appendix_files/cnc_servers_all.txt
Normal file
@ -0,0 +1,20 @@
List of C&C server addresses
----------------------------------
http[:]//besttipsfor[.]com
http[:]//chila[.]store
http[:]//globaleventscrc[.]com
http[:]//ionix[.]co[.]id
http[:]//mahmya[.]com
http[:]//mohanchandran[.]com
http[:]//mutolarahsap[.]com
http[:]//northkabbadi[.]com
http[:]//poly[.]ufxtools[.]com
http[:]//raiz[.]ec
http[:]//rhsgroup[.]ma
http[:]//robinhurtnamibia[.]com
http[:]//sloneczna10tka[.]pl
http[:]//stepinwatchcenter[.]se
http[:]//topfinsignals[.]com
http[:]//tripindiabycar[.]com
http[:]//videotroisquart[.]net
http[:]//wbbministries[.]org
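Review bot: this list defangs every dot (`ionix[.]co[.]id`, `poly[.]ufxtools[.]com`) while the same two hosts appear in `Clipsa/README.md` and `Clipsa/network.txt` as `ionix.co[.]id` and `poly.ufxtools[.]com`; pick one convention across the repository, since a consumer refanging with a single `[.]` to `.` substitution will get different strings from different files. The two header lines (`List of C&C server addresses` and the dashes) also mean the file cannot be fed straight into a blocklist without skipping them; a comment-prefixed header would keep it machine-readable.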
3
Clipsa/appendix_files/password_list.txt
Normal file
@ -0,0 +1,3 @@
Decrypted password list
----------------------------------
!|%domain%|0000|000000|1|102030|111|1111|111111|11111111|112233|11223344|121212|123|123123|123123123|123321|1234|12341234|12345|123456|1234567|12345678|123456789|1234567890|123456a|1234abcd|1234qwer|123654|123qwe|123qweasdzxc|124578|147258|147258369|1478963|1q2w3e4r|1q2w3e4r5t|1qaz2wsx|2001|222222|55555|654321|987654321|a|aaa|a12345|a123456|a1b2c3d4|aaa111|aaaaaa|abc123|abc12345|abcd1234|admin|admin1|admin123|admin123456|admin2017|admin2018|adminadmin|administrador|administrator|adminpass|adrian|amazon|andrey|apple|apple123|asd123|asdf1234|asdfgh|azerty|changeme|chris123|coadmin|demo|formula|fuck|fuckyou|hello|letmein|master|michael1|nopass|pa55w0rd|pass|pass1|pass123|password|password1|password123|president|q1w2e3|q1w2e3r4|q1w2e3r4t5|qazwsx|qazxsw|qwe123|qwer1234|qwerty|qwerty123|qwertyuiop|raymond|root|secret|simon|success1|temppass|test|test1|test123|test1234|testing|testtest|tools|webmaster|welcome|welcome1|zaq123|zaq12wsx|zxcvbnm
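Review bot: the header says `Decrypted password list` but not what it was decrypted from or which part of the malware uses it; a one-line pointer to the relevant README or blog section would let a reader judge how to use it for detection. The `%domain%` entry also looks like a placeholder token rather than a literal password and deserves a note on how it is expanded. As with `cnc_servers_all.txt`, the two header lines above the data make the file awkward to consume mechanically.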
3
Clipsa/appendix_files/word_list.txt
Normal file
File diff suppressed because one or more lines are too long
20
Clipsa/network.txt
Normal file
@ -0,0 +1,20 @@
poly.ufxtools[.]com/wp-content/plugins/WPSystem/dl.php?a=d
poly.ufxtools[.]com/wp-content/plugins/WPSystem/ok.php
http[:]//besttipsfor[.]com
http[:]//chila[.]store
http[:]//globaleventscrc[.]com
http[:]//ionix.co[.]id
http[:]//mahmya[.]com
http[:]//mohanchandran[.]com
http[:]//mutolarahsap[.]com
http[:]//northkabbadi[.]com
http[:]//poly.ufxtools[.]com
http[:]//raiz[.]ec
http[:]//rhsgroup[.]ma
http[:]//robinhurtnamibia[.]com
http[:]//sloneczna10tka[.]pl
http[:]//stepinwatchcenter[.]se
http[:]//topfinsignals[.]com
http[:]//tripindiabycar[.]com
http[:]//videotroisquart[.]net
http[:]//wbbministries[.]org
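Review bot: this file repeats the README's network indicators but drops the uploader URL `poly.ufxtools[.]com/wp-content/plugins/WPSecurity/up.php` that the README lists under `#### Uploader urls`; either add it or state that the file covers only the download and C&C endpoints. The file also mixes schemeless URL paths with `http[:]//` domains with no separator or label, and defangs `ionix.co[.]id` and `poly.ufxtools[.]com` differently from `Clipsa/appendix_files/cnc_servers_all.txt` (`ionix[.]co[.]id`, `poly[.]ufxtools[.]com`).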
5
Clipsa/samples.md5
Normal file
@ -0,0 +1,5 @@
7E52633FFA2C3AEE03E8B26F03E07CC4
501B80014C750EDEFFC0E966F7845A41
FD07A9CD7C88C5D972E0EAB897B7EA78
CCEEDD6FB18845F31BAFEB9968572CCB
84CE3FB41E9E59851C3B176E1CFB1100
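Review bot: the five hashes here, and the parallel lists in `samples.sha1` and `samples.sha256`, carry no filename column, so a reader can only assume the rows line up with the README's `Clipsa binary and related files` list (the SHA-256 file does follow that order). Either state that the three files are row-aligned with the README or add the `- condlg.exe` style suffix the README uses, so a hash can be tied to a sample without cross-referencing by position.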
5
Clipsa/samples.sha1
Normal file
@ -0,0 +1,5 @@
7D998BDE90222F7845E62ADB033F27AE162DF5E8
647C5DE4E3686EBA8FDDB5AABC55B6A9CE25C627
EBD5847FFF0C403A2536655353B1EB7338B5E603
249F1F240B3FBF38E597A7B186CF6C3297E3A33B
AD46B83CAD6DA6A05690AE220BCEEBDA312A4DFA
5
Clipsa/samples.sha256
Normal file
@ -0,0 +1,5 @@
2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42