# IoC for Meh part 2
Malware analysis and more technical information at
The technical analysis of the first part of the blogpost series can be found at
IoCs of the first part of the blogpost series can be found at
### Table of Contents
* [Samples (SHA-256)](#samples-sha-256)
* [File names](#file-names)
* [Network indicators](#network-indicators)
## Samples (SHA-256)
#### Meh binary and related files
```
94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d - Meh password stealer
3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b - cpux64.bin
57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195 - cpux86.bin
722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d - cpux64.bin unpacked
e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa - cpux86.bin unpacked
```
## File names
```
C:\ProgramData\Intel\Wireless\
C:\Users\\AppData\Local\Temp\test.txt
C:\Users\\AppData\Local\Temp\torrent.txt
```
## Network indicators
#### C&C servers
```
http[:]//193-22-92-35.intesre.com
http[:]//0.le4net00.net
http[:]//83.171.237.231
http[:]//deploy.static.blazingtechnologies.io
http[:]//0.weathdata.nu
http[:]//124.red-79-152-243.dynamicip.fina-tdl.io
```