Mirrors
/
ioc-collection
mirror of https://github.com/avast/ioc
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ioc-collection/Meh-part-2
History
Jan Rubín d6c6e7d420 Removed redundat content 2020-11-12 11:46:41 +01:00
..
extras Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00
README.md Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00
network.txt Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00
samples.md5 Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00
samples.sha1 Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00
samples.sha256 Meh: Added IoC files for the second part 2020-11-12 10:27:22 +01:00

README.md

IoC for Meh part 2

Malware analysis and more technical information at https://decoded.avast.io/janrubin/meh-2-2/

The technical analysis of the first part of the blogpost series can be found at https://decoded.avast.io/janrubin/complex-obfuscation-meh/ IoCs of the first part of the blogpost series can be found at https://github.com/avast/ioc/tree/master/Meh

Table of Contents

Samples (SHA-256)

Meh binary and related files

94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d - Meh password stealer
3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b - cpux64.bin
57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195 - cpux86.bin
722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d - cpux64.bin unpacked
e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa - cpux86.bin unpacked

File names

C:\ProgramData\Intel\Wireless\
C:\Users\<user>\AppData\Local\Temp\test.txt
C:\Users\<user>\AppData\Local\Temp\torrent.txt

Network indicators

C&C servers

http[:]//193-22-92-35.intesre.com
http[:]//0.le4net00.net
http[:]//83.171.237.231
http[:]//deploy.static.blazingtechnologies.io
http[:]//0.weathdata.nu
http[:]//124.red-79-152-243.dynamicip.fina-tdl.io