Repository tree:

----
├── README.adoc
├── Android.Banker.NGate.1
│   └── README.adoc
├── Trojan.DownLoader28.58809
│   └── README.adoc
├── Android.Spy.1292.origin
│   └── README.adoc
├── Openfire CVE-2023-32315 vulnerability
│   └── README.adoc
├── Trojan.BtcMine.3767
│   └── README.adoc
├── APT_rail_transportation_operator
│   └── README.adoc
├── Mac.BackDoor.Siggen.20
│   └── README.adoc
├── APT_Spyder
│   └── README.adoc
├── FakeChromeUpdate
│   └── README.adoc
├── VSDC
│   └── README.adoc
├── Android.Backdoor.Baohuo.1.origin
│   └── README.adoc
├── Linux.BackDoor.TgRat.2
│   └── README.adoc
├── Trojan.Clipper.231
│   └── README.adoc
├── Android.FakeApp.1036
│   └── README.adoc
├── Android.Spy.Lydia
│   └── README.adoc
├── BackDoor.RMS
│   └── README.adoc
├── Linux.BtcMine.174
│   └── README.adoc
├── APT_ShadowPad
│   └── README.adoc
├── Android.BackDoor.3104
│   └── README.adoc
├── APT_DNSep
│   └── README.adoc
├── Android.Click.414.origin
│   └── README.adoc
├── APT_news2020
│   └── README.adoc
├── Android.FakeApp.1669
│   └── README.adoc
├── Amnesia_campaign
│   └── Readme.adoc
├── Trojan.Scavenger
│   └── Readme.adoc
├── Trojan.Siggen28.58279
│   └── README.adoc
├── Android.PWS.Facebook
│   └── README.adoc
├── Fakesoft
│   └── README.adoc
├── Android.Circle
│   └── README.adoc
├── APT_JS.BackDoor.60
│   └── README.adoc
├── Android.BankBot.Coper
│   └── README.adoc
├── August 2023 review of virus activity on mobile devices
│   └── README.adoc
├── February 2024 review of virus activity on mobile devices
│   └── README.adoc
├── Trojan.Fruity.1
│   └── README.adoc
├── APT_Trojan.Updatar
│   └── README.adoc
├── July 2023 review of virus activity on mobile devices
│   └── README.adoc
├── Android.Pandora
│   └── README.adoc
├── Android.Vo1d
│   └── README.adoc
├── Linux.Backdoor.WordPressExploit.1
│   └── README.adoc
├── VSDC_CNET
│   └── README.adoc
├── Trojan.ChimeraWire
│   └── README.adoc
├── Trojan.Click3.27430
│   └── README.adoc
├── December 2023 review of virus activity on mobile devices
│   └── README.adoc
├── Trojan.Belonard
│   └── README.adoc
├── APT_telecom2021
│   └── README.adoc
├── CoinSteal
│   └── README.adoc
├── Cavalry Werewolf
│   └── README.adoc
├── Q2 2024 review of virus activity on mobile devices
│   └── README.adoc
├── January 2024 review of virus activity on mobile devices
│   └── README.adoc
├── May 2023 review of virus activity on mobile devices
│   └── README.adoc
├── November 2023 review of virus activity on mobile devices
│   └── README.adoc
├── APT_XPath
│   └── README.adoc
├── September 2023 review of virus activity on mobile devices
│   └── README.adoc
├── skidmap
│   └── README.adoc
├── Metack
│   └── README.adoc
├── June 2023 review of virus activity on mobile devices
│   └── README.adoc
├── Android.Joker
│   └── README.adoc
├── Q2 2025 review of virus activity on mobile devices
│   └── README.adoc
├── Q1 2025 review of virus activity on mobile devices
│   └── README.adoc
├── October 2023 review of virus activity on mobile devices
│   └── README.adoc
├── Q3 2025 review of virus activity on mobile devices
│   └── README.adoc
├── Trojan.MonsterInstall
│   └── README.adoc
├── Q3 2024 review of virus activity on mobile devices
│   └── README.adoc
├── Android.Backdoor.916.origin
│   └── README.adoc
├── Q4 2024 review of virus activity on mobile devices
│   └── README.adoc
├── get_cert campaign
│   └── README.adoc
├── April 2023 review of virus activity on mobile devices
│   └── README.adoc
├── March 2023 review of virus activity on mobile devices
│   └── README.adoc
├── investimer
│   └── README.adoc
└── Android.Spy.SpinOk
    └── README.adoc
----

/README.adoc:

= Malware Indicators of Compromise

This repository contains Indicators of Compromise (IOCs) related to our investigations.

== Copyright

Copyright (c) 2003-2025, Doctor Web, Ltd.
https://www.drweb.com

/Android.Banker.NGate.1/README.adoc:

= Contactless banking for thee (and for thief): NFC money theft scheme reaches Russian Android users

== Samples

All hashes are SHA1

=== Android.Banker.NGate.1
----
36db96fb3ea62f6c0208535e618bd55133e9270a - com.epzrbmcd.cvryhfvk
f90d1f9988da375924b2023d55fb52916bfbc2b9 - com.fbmiewug.sqemztuv
e44b91099a23e20f28328d76ef0d902980f5fd21 - com.hywtasez.lygsnyis
----

/Trojan.DownLoader28.58809/README.adoc:

= Trojan.DownLoader28.58809 -- Indicators of compromise

== Samples

All hashes are SHA1

=== Trojan.DownLoader28.58809
----
cf0fb4950130abddead04c21316912418562bf8a: flashplayerapp_install.exe
bbbca10a8545b0421fbfcbd0b3b7a42527fea641: secinit.exe
----

=== Trojan.Siggen8.50183
----
748e54e607987756fa2ed08ed013ab7271321827: OINFO11.OCX
----

== Network indicators

=== IPs
----
199.247.11.123
167.179.91.48
----

/Android.Spy.1292.origin/README.adoc:

= Android spyware trojan targets Russian military personnel who use Alpine Quest mapping software - Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Android.Spy.1292.origin | ce71efb93cf4d79bf431d8edfbae7b8b7b55fe44
|===

== Network indicators

=== Domains
----
hxxps[:]//detect-infohelp[.]com/parse/
hxxps[:]//api[.]telegram[.]org/bot7833953061:AAHDhij-pl-soJ_Z5yeqGbHijN4ySdMig/
----

=== IPs
----
77[.]73.69[.]118
----

/Openfire CVE-2023-32315 vulnerability/README.adoc:

= Vulnerability in Openfire messaging software allows unauthorized access to compromised servers ― Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| JSP.BackDoor.8 | 41d2247842151825aa8001a35ee339a0fef2813f
| JSP.BackDoor.8 | 0c6249feee3fef50fc0a5a06299c3e81681cc838
| JSP.BackDoor.8 | 62ea0fce2716006d16a1408cda159cf20f90004e
| JSP.BackDoor.8 | 33c11e7b2b3950a430cf3b40128429d9b723103c
| Linux.BtcMine.546 | e545ceffc8948e3ca9900212807cf3a862d33581
| Linux.BackDoor.Tsunami.1395 | 61586a0c47e3ae120bb53d73e47515da4deaefbb
|===

== Network indicators

=== IPs
----
185[.]17[.]0[.]226
129[.]159[.]207[.]181
----

/Trojan.BtcMine.3767/README.adoc:

= Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims ― Indicators of compromise

== Samples

All hashes are SHA1

=== Trojan.BtcMine.3767
----
4ffae4669eba9938639662667f5430a806e56980
7717e9c5d85e77653bf65e57ed20f89086c3e3ed
----

=== Trojan.BtcMine.2742
----
673b6be8163580ba70403321663f5edbb0565f12
feb0501ac141df63cc0d5bb341cb24a769f81bc9
bfab9c8da1f969b07e4e7f0bd1aa9865fd7a9d3c
5918bbf71641c2776f20bdd2fc08c82dc17178cc
----

== Network indicators

=== Domains
----
t[.]me/files_f
soft[.]sibnet[.]ru
promo3010[.]click
itmen[.]software/office/aktivator
mega[.]nz/file/M3VkwS6R#5s4clQ9aEE8kesscEF3vzAC5eVh9a-vCt4DMCTuJtZE
----

/APT_rail_transportation_operator/README.adoc:

= Failed spear phishing attack on a Russian rail freight operator — Indicators of compromise

== Samples

----
sha1:40b87f1aeac347a8eb47f8bf99fbb8e2f4baf39b — Job Application_202402523.rar (password: Инна)
sha1:3bb6e496047aa76adf2fa7a52607cfd208403feb — Job Application.pdf.lnk
sha1:34a4c5f28c7df23662962c3eaa0a15b7ae48b488 — YandexUpdater.exe (Trojan.Packed2.46324)
sha1:60eaa4fd53b78227760864e6cf27b08bc4bdde72 — Wldp.dll (Trojan.Siggen27.11306)
sha1:853d6a17f0a1a4035b52699a447eeb4ad1ca6cf7 — Trojan.Siggen28.53599
----

== Network indicators

=== IP addresses

----
109.248.147[.]132
----

=== Domains

----
infosecteam[.]info
----

== File artifacts

----
102fa066-cc9d-4a80-b3aa-12d5df196b42.pdf
----

/Mac.BackDoor.Siggen.20/README.adoc:

= Mac.BackDoor.Siggen.20 -- Indicators of compromise

== Samples

All hashes are SHA1

=== Mac.BackDoor.Siggen.20
----
66ecc5d96d7fbcb54cac534a16b12e918fa0f11c: WhatsAppService.app.zip, Portfolio.app.zip
eb369722f8c5fed739fe3ceb210115007c583280: WhatsAppService.app\Contents\Resources\script
95421226a71e9b1977a14ed03c3c0ab7ac8f6a20: a.plist
0640decb8b5511d4c36ce8a98a287e2d8d2fe375: c.sh
----

=== Python.BackDoor.72
----
16b7fe4d36672664d2a4816558f01e0ee171c284: embedded python script
----

=== BackDoor.Wirenet.517
----
10000d234dc4f9fe7ae7139df3d1cd64138c347d: Portfolio.exe, WhatsApp-Web.exe
----

== Network indicators

=== Domains
----
usb.mine.nu
message-whatsapp.com
zr.webhop.org
enz.webhop.org
----

=== IPs
----
185.101.94.99
185.162.88.213
95.140.125.108
----

/APT_Spyder/README.adoc:

= Study of the Spyder modular backdoor for targeted attacks -- Indicators of compromise

== Samples

All hashes are SHA1

=== BackDoor.Spyder
----
41777d592dd91e7fb2a1561aff018c452eb32c28
cf584bd93d76f6546004fedb1fcf56888ced54b6
e1fe3594da5466dd2e5a5713e885760d7e914b91
8af7f35ec09ec77b5a9005a1fff0e22464f2ab7f
699a7c59ab5b437badfaa90071d9fd9304fdcebc
ff5b2bd36ae07d994c194ed0f38ed9357a018128
d4bec278dda7c046739d5361eb51fd65f0fedfea
4c871eae022c8088f6e8d46e17002cd0c0006650
83e47dbe20882513dfd1453c4fcfd99d3bcecc3d
----

== Network indicators

=== Domains
----
sidc[.]everywebsite[.]us
snoc[.]hostingupdate[.]club
wntc[.]livehost[.]live
hccadkml89[.]dnslookup[.]services
koran[.]junlper[.]com
nted[.]tg9f6zwkx[.]icu
sidcfpprx14[.]in[.]ril[.]com
sidcfpprx01[.]in[.]ril[.]com
sidcfpprx25[.]in[.]ril[.]com
sidcfpprx10[.]in[.]ril[.]com
----

/FakeChromeUpdate/README.adoc:

= Fake Google Chrome Update -- Indicators of compromise

== Samples

All hashes are SHA1

=== Installers
----
e6cb3c408f8daee38f3a3b52d7412d4dc530d992: Critical_Update.exe
59d10a99e13c4a31f7bcc475a602441e97e2327c: Update.exe
----

=== Trojan.MulDrop
----
386f81a943eb2a966ba4670141f67c4e5f3bbad5: updatechrome.exe
853db4ad0ea9039c03cb9213f016bef5a30539b5: updatelink.exe
2638e6c0ce439d0e76aac2048bccc1129d353153: updatemsi.exe
----

=== Backdoor.TeamViewer
----
0a9500fb3da39f5fc9c2e9af8f70169dbd0bc208: msi.dll
----

=== PowerShell.AVKill
----
2fd1dd9b77fb8db5cba554f7a706b3a64516a249: link.bat
----

== Network indicators

=== Bitbucket repositories
----
https://bitbucket.org/wellsbe/
----

=== Domains
----
traficbouncer.xyz
traficbouncerbackup.xyz
google.chrome.get-update.online
----

=== IPs
----
192.161.167.144
----

/VSDC/README.adoc:

= VSDC Hack -- Indicators of compromise

== Samples

All hashes are SHA1

=== Win32.Bolik.2
----
fbe8f9be579dddd2bcb109ea5107005e7d914c6d: video_converter.exe
f2f2005062f6de7844b05b1d92f2a52cbec01e6a: video_editor_x32.exe
280b3d53ce23ef27f222a979b58bbaf6a25629e9: video_editor_x64.exe
30fa0e961c4c2b43a977eca4639edf058c52a6e6: codec_pack.exe
9c520a412bd3fe627848bc56c1cc7385be35edef: codec_pack.exe
6f681bb7190c6d808e43ab929c3891759b0fe5c9: codec_pack.exe
----

=== Trojan.PWS.Stealer.26030
----
8d1475501dad8a4e82c415c0be1a830ce169cc22: video_converter.exe
8c4f3862d50c3bbfcebd69cabf18086a835d69ca: video_editor_x32.exe
e5b8e3f61ae25fb8cbcefb34e73fe521cc57956b: video_editor_x64.exe
4cb3e80c3e75c76190608944a90e1108293c04ec: codec_pack.exe
----

== Network indicators

=== Domains
----
appnodejs.xyz
sync-time.info
----

=== IPs
----
104.223.76.230
213.252.245.146
213.252.245.229
----

/Android.Backdoor.Baohuo.1.origin/README.adoc:

= Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them — indicators of compromise

== Samples

=== Android.Backdoor.Baohuo.1.origin

|===
| Package name | SHA-1 | File name

| org.thunderdog.challegram | 4410f69099a037a25e5976df04a91cee7dbfac14 | tgx_11.9.0_03_NPC_QC_6612E026.apk
| org.thunderdog.challegram | 6699466094cc74e31fae4a959004d70fc5d10e94 | —
| com.uckj.tgx | 4673bd285e1f6c6e628fd5aa8d7d9a2293310bf5 | Telegram X_12.0.1_APKPure.apk
| org.thunderdog.challegram | fc4b545cce8933b32d82ab792f0f6c12099f1f1a | tgx_11.8.2_03_QC_357BAE9E.apk
|===

== Network indicators

=== Domains

----
hxxps[:]//bvqie[.]com
hxxps[:]//hpncallback[.]qianxun168[.]com
hxxps[:]//hpncallback[.]gold5play[.]com
hxxps[:]//sdk-nps[.]ips5[.]info
----

=== IPs

----
159[.]138.237[.]10:33619 (Redis server)
172[.]10.10[.]10:8090 (NPS server)
----

/Linux.BackDoor.TgRat.2/README.adoc:

= Do shoot the messenger: Telegram-controlled backdoor trojan targets Linux servers — Indicators of compromise

== Samples

|===
| SHA-1 | Detection name | Version

| b6686c28c84ae5d98909eaf165321138eb24402b6e9aa24fd36f116897e5da4a | Linux.MulDrop.135 | 3.0.078125
| c6839e261e0d018f20c70eb65dd7cf6d82efb7e842cba8d8580649826d665343 | Linux.BackDoor.TgRat.1 | 3.0.078125
| 2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378 | Linux.MulDrop.135 | 3.0.378125
| a9880d0a284c18b7d6b1ded302e4bef3d91e665af8b2ff0984ed6fbd1fd5091e | Linux.BackDoor.TgRat.2 | 3.0.378125
|===

== Network indicators

=== Telegram API token

|===
| Token | Version

| 6210985956:AAFgjOf-UH94uxfSvWbAyzlEzZdOZzWwV4g | 3.0.078125
| 6397562704:AAEt1UAWUcWcJb3Q5MQo8ZYF0NvJAUTk7S0 | 3.0.378125
|===

=== Telegram chat ID

|===
| ID | Version

| -1001616374018 | 3.0.078125
| -1001913285180 | 3.0.378125
|===

=== IP addresses
----
172[.]24.173[.]28:3128
----

/Trojan.Clipper.231/README.adoc:

= Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition -- Indicators of compromise

== Samples

All hashes are SHA1

=== Trojan.MulDrop22.7578
----
32c7b6629fabe6254431a558b57d30cd2f2d43d7: iscsicli.exe
ceac85ddbee2917d1a95a892a983a512d4bfabfa: iscsicli.exe
7559b01635160193755a6abb7cf36f4a5174f0e2: iscsicli.exe
0d297ceb76429ea996a1cbe199c277252afad300: iscsicli.exe
----

=== Trojan.Inject4.57873
----
cacaeb37ccbdb310ee0148257877f4908b95c53c: recovery.exe
5ea768e5c44a65035dbdac66d12ab68a94361962: recovery.exe
dadfc0247ecf32011667d707e37caf827cd522c8: recovery.exe
a3adba5c8d41b4c5f63e209317740daf6330dfc6: recovery.exe
f6f6f1151cd9e8f37b6b5be07da13dd19d05397e: recovery.exe
----

=== Trojan.Clipper.231
----
03075c91d9c57e7051af49d840a2ef2e935b634b: kd_08_5e78.dll
d31df5ea0f82784c010a16597675937fc4896cb0: kd_08_5e78.dll
a3e83d122c7f8206091d81fb584897cdc4677d88: kd_08_5e78.dll
b0115cb4807e9d84b6b73804bd7e88a9b0ee060e: kd_08_5e78.dll
----

/Android.FakeApp.1036/README.adoc:

= Fake recruiting apps targeting Android device users — Indicators of compromise

== Samples

|===
| Detection name | Package name | SHA-1

| Android.FakeApp.1036 | com.yourjobs.findjob1 | 1012283da05e10d2eab052a2164078e510cbd950
| Android.FakeApp.1039 | com.yesapp.notpon | 05072e0858325c6fce9c9dc62ad2544a43dd5c91
| Android.FakeApp.1041 | com.jobsfinder.google | 27d6acf315fa903f42287dabf4fba5797586b198
| Android.FakeApp.1045 | com.id.nanoss.google | 54a38513a8e852f2a0c09b8b2869009a5f657292
| Android.FakeApp.1046 | online.jobs.allz.app | 823274fffe6a1d561cbd872408bf7cd44f6155db
| Android.FakeApp.1047 | jobs.online.goodz.app | eee543c03d0aa287ce366246ad1c4c70ec82fee9
| Android.FakeApp.1055 | com.grabjobs.google | 23605c0d78f44b0497859dc22cab3afa4d4276d7
|===

== Network indicators

=== Domains

----
hxxps://d21icdv45rw4c3[.]cloudfront[.]net
hxxps://www[.]jobstodayfyj[.]com
hxxps://www[.]notpon666[.]com
hxxps://www[.]jobsfinder1[.]com
hxxps://www[.]nanoss1[.]com
hxxps://recruitjobrecommon[.]com
hxxps://jobrecommon[.]com
hxxp://www[.]grabjobs1[.]com
----

/Android.Spy.Lydia/README.adoc:

= Android.Spy.Lydia trojans masquerade as an Iranian online trading platform to steal personal information and funds — Indicators of compromise

== Samples

----
sha1:39e55c1d04c77e95583303131f45208e57c327b9 — Sahamed.apk (Android.Spy.Lydia.1)
sha1:a47a2602299c6608e5c2684ef8289e136da58e25 — sahamedalat.apk (Android.Spy.Lydia.2)
sha1:a20221501711ed01dd89507eca4b1396d5f0d471 — app.apk (Android.Spy.Lydia.3)
sha1:9178e58bc936d6ed2d1a7fbb1b813df5b19b7b3a — app.apk (Android.Spy.Lydia.3)
sha1:9c502478b1452c277607a7f394cd6a3ab0867e22 — (Android.Spy.Lydia.3)
----

== Network indicators

=== Domains
----
ws[:]//httpiamaloneqs[.]xyz:80
hxxp[:]//teuoi[.]com
hxxps[:]//my-edalatsaham[.]sbs/fa/app.php
hxxps[:]//sahamt.qpoe[.]com/app.php
hxxps[:]//my-edalat-sahamse[.]lol?lang=fa
hxxps[:]//viiirubre[.]store/Dargah
hxxps[:]//date-manager[.]com/sham/app.php
hxxps[:]//dolati[.]host/%F0%9D%90%9C%E2%80%8C%E2%80%8C/app.php
hxxps[:]//ydilat[.]host/%F0%9D%90%9C%E2%80%8C%E2%80%8C/app.php
hxxps[:]//biuy.are-eg[.]com
hxxps[:]//sahmanl.4dq[.]com
hxxps[:]//fusagov[.]xyz
hxxps[:]//biguxcse[.]xyz
----

/BackDoor.RMS/README.adoc:

= Phishing emails with RAT malware threaten corporate users -- Indicators of compromise

== Samples

All hashes are SHA1

=== BackDoor.RMS.180
----
c3e619d796349f2f1efada17c9717cf42d4b77e2: winspool.drv
----

=== BackDoor.RMS.181
----
8d1b7d738c4c0f0aba5c25b096b54b3fc20e5643: host6.3_mod.msi
----

=== Trojan.MulDrop15.60259
----
52c3841141d0fe291d8ae336012efe5766ec5616: Электронная накладна 1998333773-009033330.scr
----

=== BackDoor.RMS.187
----
12497d7c24011078cce12100f57a1cf368a3b17f: KB8438172.msi
----

=== Trojan.MulDrop15.61483
----
f87831d4a515d58171e35a326224c119b1bcd3f6: CV_Ekaterina_Alekseeva_Broshkina_resume.exe
----

== Network indicators

=== Domains
----
wsus[.]ga
360mediashare[.]com
office360share[.]com
wsusms[.]com
road258[.]website
road349[.]website
office360[.]work
kiat[.]by
ateliemilano[.]ru
mystorage-settings[.]ru
nordtexnika[.]az
savalan[.]az
gedebeywater[.]com
----

=== IPs
----
176.9.112[.]14
111.90.140[.]23
95.216.64[.]187
194.9.176[.]37
194.9.176[.]38
194.9.176[.]39
----

/Linux.BtcMine.174/README.adoc:

= Linux.BtcMine.174 -- Indicators of compromise

== Samples

All hashes are SHA1

=== Tool.Linux.BtcMine
----
4dc4ca9f10c0d084ae32556e0a4eedbc3842cfd8: 64
----

=== Linux.BtcMine.174
----
9ae9233c79390495e607059870671c9936c413c5: just4root
b59fc07afc9f159562f71b3a21c38b1d471acc2f: sdsahd2e3dll
----

=== Linux.Exploit.CVE-2013-2094
----
0e76f4c72295fe851b775dac8c49ec53108f1df6: fs_elf_64
----

=== Linux.Exploit.CVE-2016-5195
----
a3f88f22b046617d6728014bdb6dd64c5b4a76ea: dc_code
7071c46be40afe6a7bd0d50d67e76dca1b0c7c23: dc_elf_32
0a8a9f5ef7414eb37b3823326bed68c0d16af5cc: dc_elf_64
----

=== Linux.BackDoor.Gates
----
7562774673d012ca274a3ee52e7084585adda1ed: syn
5b3132a9c2ec2a210436b1a755e3a7bac2e6142b: udp
----

=== Linux.Rootkit
----
33d4cf9b1f2d3c42b2c4cfd507626057d20d7c52: bashbd.sh
c1439af08c337e2fd8571cf51dbde9b90f19603a: br.conf
b2bf2bfb2d005b485e934cf92a2aec58287b6bd2: brconfig.sh
6a3bee822684017e7bca9414f3ef11d8d3a774a4: brdaemon.sh
95aa3a369770abb8be1d774901fa4de8d05eb63a: brootkit.sh
e6459da0abbdd62311e5d6509b64414b8b459ed2: install.sh
----

== Network indicators

=== Domains
----
d4uk.7h4uk.com
cache.windowsdefenderhost.com
----

/APT_ShadowPad/README.adoc:

= Study of the ShadowPad APT backdoor and its relation to PlugX -- Indicators of compromise

== Samples

All hashes are SHA1

=== BackDoor.ShadowPad.1
----
4bba897ee81240b10f9cca41ec010a26586e8c09: TosBtKbd.dll
----

=== BackDoor.ShadowPad.3
----
693f0bd265e7a68b5b98f411ecf1cd3fed3c84af: hpqhvsei.dll
----

=== BackDoor.ShadowPad.4
----
6ad20dade4717656beed296ecd72e35c3c8e6721: WinRAR SFX
13dda1896509d5a27bce1e2b26fef51707c19503: TosBtKbd.dll
27e8474286382ff8e2de2c49398179f11936c3c5: TosBtKbdLayer.dll
----

=== BackDoor.Farfli.122
----
6a1d928709f46d344f75936519c81137258e287c: RasTls.dll
8638bcebe84be1982c430e05e6bcd72911f36e43: RasTls.dat
5c54429b219614627a925347fa5006935a70d9d7: RasTls.dat decrypted
----

=== BackDoor.Farfli.125
----
736d8e03e40e245d4c812b091b5743fce855a529
----

=== BackDoor.PlugX.47
----
1acc85504c94707ac9c56a0ec23b49c4ca671c8a: fslapi.dll
8f386b29d8d458df67f0a67c4e155827dcee68c9: fslapi.dll
----

=== BackDoor.PlugX.48
----
781831e8343d895aa4d9d95838eddda08a4673d8
----

== Network indicators

=== Domains
----
www[.]pneword[.]net
www[.]mongolv[.]com
www[.]arestc[.]net
www[.]icefirebest[.]com
----

=== IPs
----
103.43.16[.]183
103.233.98[.]123
107.183.203[.]235
125.65.40[.]163
144.48.6[.]235
----

/Android.BackDoor.3104/README.adoc:

= Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices ― Indicators of compromise

== Samples

|===
| Detection name | Path | SHA-1

| Android.BackDoor.3104 | /system/lib/libmtd.so | b4bf9edf011e35fd049c2862e898a492bc76dc7d
| Android.BackDoor.3105 | /system/lib/libcutils.so | e96da20cfad50842ab59781f051fda590d231cc9
| Android.FakeUpdates.1.origin | /system/priv-app/ThirdPartyFOTA.apk (package name: com.fota.wirelessupdate) | ac633643a7130c5ced5672841dbc91ff92737ae6
| Android.Backdoor.854.origin | /data/data/com.whatsapp/files/.art/PrivteProvide.jar
/data/data/com.whatsapp.w4b/files/.art/PrivteProvide.jar
/data/data/com.android.phone/files/.art/PrivteProvide.jar
/data/data/com.android.settings/files/.art/PrivteProvide.jar | c747a3a901f3076c504dc513bfcf64e8d29600ac
|===

== Network indicators

=== URLs

==== Android.Backdoor.854.origin
----
hxxp://api[.]genetence[.]com:8300/pl2
hxxp://api[.]matriature[.]com:8300/pl2
hxxp://api[.]miretic[.]com:8300/pl2
hxxp://api[.]sensfaction[.]com:8300/pl2
hxxp://45.33.61[.]62:8300/pl2
----

==== Android.FakeUpdates.1.origin
----
hxxp://statistics[.]flurrydata[.]com
hxxp://106[.]184.5.78
"http://boot.b" + md5("202207")[1:8] + ".net" 2022 – year, 07 - month
hxxp://app[.]fota.digitimetech[.]com
hxxp://s1[.]fotaservice[.]com
hxxp://112.124.58[.]101
----

/APT_DNSep/README.adoc:

= Study of the APT attacks on the Russian research institutes -- Indicators of compromise

== Samples

All hashes are SHA1

=== BackDoor.Skeye
----
a259db436aa8883cc99af1d59f05f4b1d97c178b: acess.exe
b0ff476e3a273af600840d0f3dcd099274035e76: skeye.exe
----

=== BackDoor.DNSep.1
----
14a652b5b9d71171224541ce2b950cf55da38190: ccL100U.dll
f76ae6ee508cf22f52b8533d704667a1893860d9: (payload)
----

=== BackDoor.RemShell.24
----
fffec74a6330e25f97b687f989bb287aeb5fbb76: ftps.dll
----

=== BackDoor.Siggen2.3268
----
bfa1e457afbb1f160094f65b456503b64832d249: ssdtvrs.dll
ce3fc5b40231b5a9dd4aeeb0f0c7ef6f7779c53e: ssdtvrs.dll
----

=== BackDoor.Farfli.130
----
b33e65fd1790260ad47a0dbdad2f12f555a0d6ca: Irmon32.dll
----

=== Trojan.Mirage.12
----
fc698eb0d7d6948605a7e5ba6708752b691a3fec: dnvdisp32.dll
----

=== BackDoor.PlugX.67
----
ad5fc8dfe8341d08c118abe72caa7cc8d40efa11: mcutil.dll.bbc
----

== Network indicators

=== Domains
----
www2[.]morgoclass[.]com
term[.]internnetionfax[.]com
atob[.]kommesantor[.]com
rps[.]news-click[.]net
www1[.]dotomater[.]club
ns02[.]ns02[.]us
snow[.]swingfished[.]com
skype[.]swingfished[.]com
dog[.]darknightcloud[.]com
eye[.]darknightcloud[.]com
home[.]sysclearprom[.]space
tick[.]sysclearprom[.]space
atlas[.]golianbooks[.]com
dm[.]golianbooks[.]com
----

=== IPs
----
103.97.124[.]193
103.91.67[.]251
144.34.145[.]168
185.70.185[.]231
45.76.34[.]147
----

/Android.Click.414.origin/README.adoc:

= Smart-sex-toy users targeted by clicker trojan — Indicators of compromise

== Samples

|===
| SHA-1 | Name | Detection name | Comment

| 66c09fe739d3477b9e7af996ed3e35115a47e4b1 | com.android.deskclock (/system/app/DeskClock/DeskClock.apk) | Android.Click.410.origin | Detected on X96Q TV box
| 44bc9a3bcae3d19ccc1fb0429e22df8b407443f9 | cn.com.goodsdk.hw.ad (/system/app/cn.com.goodsdk.hw.ad_MjAyMi0wOS0yMSAxNzo0Nzo0OQ==.apk) | Android.RemoteCode.348.origin | Detected on V88mini TV box, downloads Android.Click.410.origin
| 862ae5f2334fcf7bdc37caa4f16076e18a409b6e | com.wbkj.lovespouse | Android.Click.414.origin | App version 1.8.4
| 06c99cf6e53bfe9b730f57a531a4ef5202bafefa | com.wbkj.lovespouse | Android.Click.414.origin | App version 1.8.5
| 5ee7fee0f817cefe91211006472ffe774ab9ac5d | com.wbkj.lovespouse | Android.Click.414.origin | App version 1.8.6
| d65ca4d9608411da9bb2e992c1dc710774b145c9 | com.wbkj.lovespouse | Android.Click.414.origin | App version 1.8.7
| df8c11d4a1496f81e9ae89fe61e1e67f2926c328 | com.qix.running | Android.Click.414.origin | App version 1.1.10
| 159438fcbc60c9988110cb2e3abd6a8c9e94f3c4 | com.qix.running | Android.Click.414.origin | App version 1.1.11
|===

== Network indicators

=== Domains

==== Android.Click.414.origin & Android.Click.410.origin
----
trends[.]search-hub[.]cn
play[.]airmfly[.]com
geo[.]airmfly[.]com
stg[.]airmfly[.]com
capture[.]airmfly[.]com
keywords[.]airmfly[.]com
usae[.]dsp.dbincome[.]com
planwm[.]weatherokye[.]com
5[.]ahd187[.]com
----

=== IP addresses

==== Android.RemoteCode.348.origin
----
104[.]250.52[.]73
128[.]14.143[.]26
----

/APT_news2020/README.adoc:

= Study of the APT attacks on Russian fuel and energy companies -- Indicators of compromise

== Samples

All hashes are SHA1

=== BAT.Starter.318
----
07bdaa2ef4556d9c14753c53c7fc239e9e669637: configstest.bat
----

=== Trojan.DownLoader34.31724
----
091866cac1bef518dbb6d114b3636fbad144b49a: rdplib64.exe
8e2c253615e3e49e81e43a28d5b0d2a7fc54ac2b
bb373b8a81deaccc4f69cac3bde0d6174b261f37
bbb29d96809bcd4c0e75df8f08f3e9dbc817f584: rdplib.exe
----

=== BackDoor.Siggen2.3238
----
3884263dfe67a3da0079fe40d6186950b853145c
----

=== BackDoor.Siggen2.3244
----
c36aabe2828b84a1221a8855b984187b89c24b44: dlhost.exe
632f6737f5308b49cc198fea88338a3403732274: migwiz.exe
a2cab5d0c2a7eb93e24c32c407059464dc66ab97: migwiz.dll
7b9e9c67f42671d33c9e7d4d7a36231f1de49bb7: migwiz.dll
02676f335b800ff1c42a1f4fe2344ac381d914f1: migwiz.exe
ebb1c0ad2ad2bcdecf5182be7bd3ea5b18cc2126: migwiz.exe
----

=== BackDoor.Whitebird.23
----
2510e873e79cfb61533e9b5a124ddbec130c653c: migwiz3.DAT
d6e84ad926cc1d5a3d300a98f492380a31b2427b: migwiz6.DAT
----

== Network indicators

=== Domains
----
newsinfo[.]newss[.]nl
newsfor[.]newss[.]nl
news[.]newss[.]nl
webnews[.]newss[.]nl
nissen[.]newss[.]nl
john[.]newss[.]nl
news[.]microotf[.]com
news[.]zannews[.]com
download[.]inklingpaper[.]com
sports[.]manhajnews[.]com
gova[.]manhajnews[.]com
duck[.]manhajnews[.]com
----

=== IPs
----
185.158.249[.]120
109.230.199[.]173
109.230.199[.]138
109.230.199[.]124
109.230.199[.]48
176.10.118[.]154
176.10.125[.]59
31.214.157[.]14
31.214.157[.]126
122.10.82[.]65
----

/Android.FakeApp.1669/README.adoc:

= Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&C servers — indicators of compromise

== Samples

|===
| Package name | SHA-1

| com.llx | f413239a50a79ca5dd498d8ae97ece5f93bf0718
| com.youmus | 9b557feeb5a2e910b3261f31ebab1ac75d8651d4
| com.amazon.avod.thirdparty | ebd44fa43d68bcfc09b7c4ebcff243e5e79019e3
| com.kumobius.android.wal | 9138c39349b3d56f07e2fe0fb26749fb0ebabbc2
| com.amazon.avod.thirdpart | d721a04cf9f2f3b8e80a49ef4e76cd4899e13c7c
| com.durakm.durak | 5799a529d32038ecc27b0f4e9fec2b05ae075429
| com.word.count | 39d5d168a2ad92369565aaa1b0e6fc208164ffe9
| com.kumobius.android.walljum | e1b676d31530915f3c4066f16563242cfeeb4633
| com.dessertdreams.recipes | 181a46cb4ed8a106ae048c598ef2d3a98c0a188c
| com.dualtext.compare | 6367558432559eae0b8a138aaea3223fd500e758
| com.vivo.eas | 86b0897c62caa10c77181f86d5aa7d7c710feabc
| com.fruitypic.editor | b350627433bb199f2aab42439755836a007e4c46
| com.kumobius.android.wall | 165e99382e787511a198d7e7868ea1e1de44e7ed
| com.alibaba.aliexpre | 37aa606b3f4d438ac40dbde1d2309297e5b30353
| com.score.time | d962610bf1d622a3f641887a297688ca8f1866a2
|===

== Network indicators

=== Domains

----
hxxps[:]//travelmemo[.]pro
hxxps[:]//goalachievplan[.]pro
hxxps[:]//checksandtips[.]pro
hxxps[:]//beyummycook[.]online
hxxps[:]//memogen[.]pro
hxxps[:]//displaymoving[.]pro
hxxps[:]//wordcountapp[.]pro
hxxps[:]//flashpage[.]pro
hxxps[:]//dessertdreams[.]pro
hxxps[:]//dualtext[.]pro
hxxps[:]//youplant[.]pro
hxxps[:]//enchantedmermaidcastle[.]pro
hxxps[:]://scoretime[.]pro
----

=== IPs

----
113[.]30.190[.]193
113[.]30.188[.]48
----

/Amnesia_campaign/Readme.adoc:

= Who hacked the hackers? Or how to get off on the wrong foot in cybercrime?

== Samples

All hashes are SHA1

|===
| SHA-1 | File name | Detection name

| fd7eee537605618826ed7dd236948964faa2252f | hacn.conf | Python.Muldrop.39
| e481b36df3182178b8e09790f78067cbfae9d217 | CompPkgSrv.exe | Python.Stealer.2056
| 5cc1d1aeadb606495ae51ef2ea3d0504f8ddcd4c | crss.exe | Python.Spy.61
| 2dd31bf4813dc0e273fa5210c442d68876002f28 | setup.exe | Python.AVKill.1
| cb28ebc5e85d114dfe3063b74d3d44dbf25dfe96 | svchost.exe | Python.Siggen.119
| 53c870d62dcd6154052445dc03888cdc6cffd370 | setup0.exe | Trojan.BtcMine.3767
| 470d278d6ecae7282f474347717ea8783200e009 | setup1.exe | Trojan.BtcMine.3767
| 64a0058655ccc8b3e59dc61b1fa9ed082536acc5 | smss.exe | Python.Packed.120 (BlankOBF v2, Amnesia RAT)
| 64a0058655ccc8b3e59dc61b1fa9ed082536acc5 | AmnesiaRB.apk | Android.Spy.1305.origin + Android.Spy.1304.origin
| 80d4007dfb8f429a444bfd4160623735551bc016 | Build.apk | Android.Spy.1305.origin
| ef9bca86c788c1712b439a97edad1a5364c8ffad | AmnesiaBETA.apk | Android.Spy.1305.origin + Android.Siggen.Susp.27680 + Android.Spy.1304.origin
| b58fafa093f6bb42a0bbb28b71db5c8a72d55f6c | tronbrut.apk | Android.Spy.1307.origin
| 8d8049b2079592908b473249ef175de6e48306b1 | amnesia.zip | Password protected archive
| 1acbc6166175aeec0cad5bae59a97f3ad462fb70 | Amnesia-Tron-Brute-Force.zip | Python.Packed.120
| 129e3e66e07d8b46a943b04f073289ae8c087fa5 | WinRAR.exe | Trojan.MulDrop30.8373
| 8e1753c57ba919b9db4fabe3504d8664c8be71ab | builder.py | Python.Packed.120
| 97a606d5b2a96825b8ec1d6d55a1e55714d58129 | AmnesiaRAT.zip | Python.BackDoor.242
| dbb74908686443f4edabe171e0b088d535d74609 | python310.dll | Trojan.MulDrop30.8373
|===

== Distribution domains

----
amnesiarat[.]online
amnesia333[.]store
tronbruteforce[.]online
----
/Trojan.Scavenger/Readme.adoc: -------------------------------------------------------------------------------- 1 | = Gamers, get ready: scammers disguise cryptocurrency and password-stealing Scavenger trojans as cheats and mods 2 | 3 | == Samples 4 | === Trojan.Scavenger.1 5 | ---- 6 | ebc12716082f0841a7c889df16fe15e68a1a24b0: umpdc.dll 7 | 60fca6ad18c8574f5234fdd47963d6fb9a6e113e: umpdc.dll 8 | ---- 9 | === Trojan.Scavenger.2 10 | ---- 11 | 3a02aacce9653958e1b11523ec3f618e5e2f11e7: EnhancedNativeTrainer.asi 12 | 9f5d1dbb2cd31b2af97e14b8781ea035a4869194: tmp6FC15.tmp 13 | 56ba2e4371e125ded5a52a66c2f77295cff09a0b: TrainerV.asi 14 | 82462e8a02169b8a4af2dc367f1c7e613e12a52e: Menyoo.asi 15 | 96708c84e07d058b5f0012666e565617907add99: tmp6FC15.tmp 16 | c9525818b9703d8e1bad10384ec0a995181b7808: tmp6FC15.tmp 17 | ---- 18 | === Trojan.Scavenger.3 19 | ---- 20 | dcf9a4a81ec24b8d171fb2c6b5a6f374253748e5: version.dll 21 | fe612df1ae5fba63ca4eaeb880e9f14b1061636b: version.dll 22 | 739d4a37831d94b35b5140e7acdee6e75d3279f1: version.dll 23 | a77271854d70ac119552ab830eb266e94cc8b9cc: version.dll 24 | ---- 25 | 26 | === Trojan.Scavenger.4 27 | ---- 28 | daf7bf74dc54b8eb98be2f140c82c4ae1ea1f10e: profapi.dll 29 | ---- 30 | === Trojan.Scavenger.5 (fetch to C2 server) 31 | ---- 32 | 4ee0b3f20ebd269b57d46a93d8697f69f2d67781: background.js 33 | f98984cf0968a6bae42ca1ab00e811f5a414572d: background.js 34 | d155d3fb9e2fec39bd6e7da6adb43e70948592cc: background-redux-new.js 35 | 1a4891f841d32772f7efb90c5523bb8c5259456c: chunk-5CNB4EIU.js 36 | 22ec4510f48059a993eb94b63fe8d0f4c3120808: common-1.js 37 | ---- 38 | === Trojan.Scavenger.5 (cookie patch) 39 | ---- 40 | f182e735f256a4a99c88ea738d3fe5009b819c61: index-b3157d0334170ec5d4e22db77717a2b9.js 41 | 93e0dcc0d4dce8923a8e0a609b30263f2b9a3fb7: lockdown-install.js 42 | e3b685cd999075f1eb0ac800bcb2274e35d6e196: main.js 43 | 947d983cc91cf9b9b937d53e67c64ecdd7cba208: Popup.entrypoint.js 44 | e2f4652d3d900e40c4af23165d7064e765183a10: 
runtime-lavamoat.js 45 | ---- 46 | 47 | == Domains 48 | ---- 49 | datacrab-analytics[.]com 50 | datalytica[.]su 51 | datahog[.]su 52 | ---- 53 | -------------------------------------------------------------------------------- /Trojan.Siggen28.58279/README.adoc: -------------------------------------------------------------------------------- 1 | = Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools 2 | 3 | == Samples 4 | 5 | ---- 6 | sha256:64877cd00de6c8a4f48bb4659db71f3f803a164573ab63b5dde8af601608ee6d ("sqlserver.exe") 7 | sha256:4a589ad84d06912eee67402f29389940158f5c51d280d1ea43fb0bbf1e436aa4 ("SpSiteManage.exe") 8 | sha256:8d6a22c8ef6fb045232812e5290ef975f268df9793baecef70e48075bba93a2d ("dnnup-4.exe") 9 | sha256:962af35b862468779a83491e995a12d146dbc0486af27363a040ba9371deac7a ("win32api.exe") 10 | sha256:628142d63c2698a543d4c7c2824b99dd7998af9a886d213180c68b63e8cb5905 ("vmtoold.exe") 11 | 12 | sha256:73bab28d24bd046ffc2dbc169cd9ce2f9f320495b872972501976c6015569f98 ("8_Bitrue_linux_amd64__console") 13 | sha256:fc55d59f775a723dd6e3277ca065b5396b0cc54223c13e151235076ba0564a0c ("jca") 14 | sha256:cb6982234303fbf4504a8a1446c9635ffcb348be8806df6ce66ac866226fc46f ("rsyslog") 15 | sha256:6f9843967705443c5433365ac02757975f473379a71bd947fc14346669a45044 ("linux-t") 16 | sha256:506db2f623579d2ae540637c379150f614c2e2fb40fdd479ea5dd2a9cadc9910 ("yundun") 17 | sha256:10e0d26ce50ce10499efc76cc12a42a1bcffb53fff0e57791bb1c46e0a19f9c2 ("alydun") 18 | ---- 19 | 20 | == Network indicators 21 | 22 | === IP addresses 23 | 24 | ---- 25 | 84.32.131[.]53 26 | 103.230.15[.]187 27 | 103.230.15[.]214 28 | 13.115.248[.]96 29 | 43.201.23[.]238 30 | 54.168.223[.]109 31 | ---- 32 | 33 | === URLs 34 | 35 | ---- 36 | https://gitlab[.]com/-/snippets/2565191/raw/main/Version 37 | https://google-ehs.pages[.]dev/GetUpdate/Version 38 | 
https://gitlab[.]com/ALphaManx/kernel-motorola-msm8953/-/raw/xpe-13.0/firmware/kaweth/new_code_fix.bin.ihex 39 | https://dfeqdfds.pages[.]dev/Updata 40 | https://gitlab[.]com/-/snippets/2529934/raw/main/Updata 41 | https://x.threatbook[.]com/v5/article?threatInfoID=36613 42 | http://43.201.23[.]238:8080/jquery-1.9.1.min.js 43 | https://raw.githubusercontent[.]com/Jquery1-12/jquery/main/src/effects.js 44 | http://54.168.223[.]109:8080/http/sider.css 45 | https://54.168.223[.]109/https/sider.css 46 | ---- 47 | -------------------------------------------------------------------------------- /Android.PWS.Facebook/README.adoc: -------------------------------------------------------------------------------- 1 | = Android trojans steal Facebook users’ logins and passwords - Indicators of compromise 2 | 3 | == Samples 4 | 5 | [cols="2,5,3,3,3,6"] 6 | |=== 7 | | Detection name | SHA-1 | Application name | Package name | Package version | Developer 8 | 9 | | Android.PWS.Facebook.13 | d8f941f6a8dbda39a881ad2a1661e3227e3f8f18 | App Lock Keep | com.enab.lockkeep | 1.0.6 | Sheralaw Rence 10 | | Android.PWS.Facebook.13 | 8f30f3f176613dbc14aa29bfb3c952b6eb046da3 | Processing Photo | com.pcnts.splicingpp | 1.2 | chikumburahamilton 11 | | Android.PWS.Facebook.13 | de2ac7091b7c51d0b7e1e9c31d5e8d9aa863aa5c | Rubbish Cleaner | com.snt.rubbishcleaner | 1.5.1 | SNT.rbcl 12 | | Android.PWS.Facebook.13 | b2d07ac10bba9839fd8a0ccd7a7dcd08b508140b | Horoscope Daily | com.cgi.ygk.iozwrku.izgzw | 1.0 | HscopeDaily momo 13 | | Android.PWS.Facebook.13 | de93c1c7a0c03ecf79179d2296008f93f48fdcaa | Horoscope Pi | com.iigxuq.xueqe.horoscopepi | 2.4.56 | Talleyr Shauna 14 | | Android.PWS.Facebook.13 | d68717837c3b3ec7fd95a6b776ec96bef7344928 | App Lock Manager | com.oimjqcnw.mngyz.kqhcrpy.xdrzs | 007.xyz | Implummet col 15 | | Android.PWS.Facebook.13 | 5a3d2917fe987dea35d1aa4b089743d168a71415 | Lockit Master | com.svbo.oypvn.otpl | 1.3 | Enali mchicolo 16 | | Android.PWS.Facebook.14 | 
903fcfba98f32b00badcec5976a4b401b994be7e | Inwell Fitness | chv.jrd.axiyby.ojs.xevjo | 1.1 | Reuben Germaine 17 | | Android.PWS.Facebook.15 | f7d6462d16e8c0c81634e8812ae1b19a59bede26 | EditorPhotoPip | com.viewedites.showimg | 1.1 | Laurense 18 | | Android.PWS.Facebook.17 | 2b931978aaee9e2a9d35b1f8bf35a9b89b74d2fa | PIP Photo | com.piphoto.pipsapp | 1.1.0 | Lillians 19 | | Android.PWS.Facebook.18 | 8b0451ee56e8a5805b1c501d48066d2cb89e41a5 | PIP Photo | com.piphoto.pipsapp | 1.0.0 | Lillians 20 | |=== 21 | 22 | == Network indicators 23 | 24 | === Domains 25 | ---- 26 | data.applockkeep.xyz 27 | shop.vfgrl.com 28 | wap.inwellfitness.xyz 29 | cc.horoscopemagic.xyz 30 | mxi.applockmaster.xyz 31 | mm.superbrightflashlight.xyz 32 | wap.lockitmaster.xyz 33 | data.horoscopedaily.xyz 34 | ---- 35 | 36 | === IPs 37 | ---- 38 | 108.160.132.15 39 | 45.32.110.28 40 | ---- 41 | -------------------------------------------------------------------------------- /Fakesoft/README.adoc: -------------------------------------------------------------------------------- 1 | = Fakesoft -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Win32.Bolik.2 8 | ---- 9 | 7d6c24992eff0d64f19c78f05ea95ae44bc83af1: NordVPNSetup.exe 10 | d39c320c3a43873db2577b2c9c99d9bf2bdb285c: NordVPNSetup1s.exe 11 | d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea: NordVPNSetup2s.exe 12 | e89efde8ae72857b1542e3ae47f047c54b3d341a: nord-sig.exe 13 | 59f511ea1e34753f41a75e05de96456ca28f14a7: NordVPN.exe 14 | 453c428edda0fc01b306cc6f3252893fce9763a7: NordVPN.exe 15 | 69724850494cef5343008afbea0b88076d153bd1: clbplus_bot.exe 16 | aa91162d43f54b61d9dba5c76724942da61242df: invoice.exe 17 | 0abd6ed3c7fb41943b1c5b5329bb1bcbed01f586: Invoice360TemplateDesigner1.8.exe 18 | 9562a8f3f9d150eb7395d6de35caca8aa416dd74: Invoice360.exe 19 | 5bfa31e2d6930d492abba4b2c574d15a20b45823: Invoice360ReportsBarcode.exe 20 | 14759c414f3f0d05dca7bfdbb827a351ccc86651: gk.exe 21 | ---- 22 | 23 | === 
Trojan.PWS.Stealer.26645 (Predator The Thief) 24 | ---- 25 | 2508d33035597243aaa4d9b860cda964bf36aec3: clbplus.exe 26 | 4b732a8822cfa3c4a840cc1e3835519cb1aafa09: clipplus.exe 27 | a9e9468e7067236c92544653732801ae690bc941: Invoice360TemplateDesigner1.8.exe 28 | a32b45749a96b7fcf1d0e2c4b4aeab611e9ad80c: Invoice360ReportsBarcode.exe 29 | 1ab55553f2b3fdc545b3b4fd84ce69fc4372326b: Invoice360.exe 30 | 3bdafcbdbf3f1a91a3d4c19a5e570170aed9de13: invoice.exe 31 | ---- 32 | 33 | === Trojan.PWS.Stealer.24943 (AZORult) 34 | ---- 35 | bdd5124149df4926cfbb94389b5921051a6534b0: 36 | d5287fac1d35a59a6e3ad6968ef3ef81b348882d: 37 | 688a240ee32a8e249fa9dec8f9d378654112c93c: 38 | ---- 39 | 40 | === BackDoor.HRDP.32 41 | ---- 42 | e7d526995d5ffd0dcf098fdf9ccefc993845b97a: NordVPNSetupRDP.exe 43 | 036e3f1a241b96e8799a1584e19dab5a2f3a6c11: NordVPN.exe 44 | ---- 45 | 46 | == Network indicators 47 | 48 | === C&C Domains 49 | ---- 50 | sync-time.info 51 | munsys.icu 52 | android-power.space 53 | dns-master.club 54 | juster.icu 55 | normpost.club 56 | ---- 57 | 58 | === Distribution domains 59 | ---- 60 | nord-vpn.club 61 | clipoffice.xyz 62 | invoicesoftware360.xyz 63 | ---- 64 | 65 | === IPs 66 | ---- 67 | 213.252.245.229 68 | 185.225.17.154 69 | 2.56.212.212 70 | 2.56.213.96 71 | 2.56.214.102 72 | 2.56.215.159 73 | 2.56.215.234 74 | ---- -------------------------------------------------------------------------------- /Android.Circle/README.adoc: -------------------------------------------------------------------------------- 1 | = Android.Circle -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Android.Circle.1 8 | ---- 9 | 28612e3c18f179d125f97443ba194e13d6ac635c: com.app.bestwallblack 10 | 44cc27d73976feb4772436a5fe4f7226bbca4500: com.aboutlife.futureviewer 11 | d548550a437c83f56c0a41a165f08b424224efec: com.horoscopelife.zodiac2020 12 | 57eb0919e5b8eee24547f74cb2a1562780ecb00c: com.wallypi.pepers 13 | 388d45c93c71565fe30ea7cbb9555c0812ccc1bb: 
com.daily.astrologyhoro 14 | e860e71c653145aafffa3d005f00245a1280af0f: com.findyou.lifehistory 15 | 72c0ffdadbf45e20e91262d4f5883e84a5470c57: all.com.lovs.datter 16 | e410ad42ad609a42bbb0404d8f9b91abdfe13b11: com.hdwallpaper.beautywalls 17 | d0598e7dd6ce61d6e6b99208cab03165e75d938a: com.batterybooster.speedup 18 | acf5f99ba7bad353f93dad4aa808003e3d136da6: com.relationship.horolove 19 | a36d8138bd1da19d60814274d030e15fb5277f2c: com.wallypi.peperspro 20 | 52df1d7f5b76b40117c0c21b22a6374906b56cde: com.imagerepair.cartooneffectpro 21 | 2a95120d6b036a17426292297796a774d69ea290: com.hdwallpaper.beautywallspro 22 | 975daed6e5d9acf75f50b6ba97f35fb3fa5adc38: com.daily.astrologyhoropro 23 | 2b576f5bd7751190a8d346a5d71ac38643d3653c: com.imagerepair.cartooneffect 24 | 0a18cbdfe93b0fc5a408349cf7fb5d5abefc50b1: com.bubbleup.gamepop 25 | 2b1af363cbd65c9a6ade5c9f8f679af2d261c276: com.mydatter.loves 26 | 7487611db437b6b07f487512d6929d74bf1a989e: com.wallpapershop.livepaper 27 | ---- 28 | 29 | === Android.Circle.2 30 | ---- 31 | c213e4baaa616c886cfbc8293e22faad995cc12e: config.armeabi_v7a.apk 32 | ---- 33 | 34 | === Android.Circle.3 35 | ---- 36 | 2017bb38515e28be80f95bc749017cfda599c526: config.armeabi_v7a.apk 37 | ---- 38 | 39 | === Android.Circle.4 40 | ---- 41 | daba3aa97ae09ae143423f13fad98928984b539c: config.armeabi_v7a.apk 42 | ---- 43 | 44 | === Android.Circle.5 45 | ---- 46 | 5e93c86f5774bcd58f7b2dceb8cd7ac3cfb5558a: config.arm64_v8a.apk 47 | ---- 48 | 49 | == Network indicators 50 | === Domains 51 | ---- 52 | circle.cleandroid.ru 53 | circle.fallballdroid.ru 54 | circle.droidcandy.ru 55 | circle.wall3droid.ru 56 | circle.wall2droid.ru 57 | circle.callerdroid.ru 58 | circle.walldroid.ru 59 | circle.brickdroid.ru 60 | circle.hardwalldroid.ru 61 | circle.droidp.ru 62 | ---- 63 | 64 | === IPs 65 | ---- 66 | 95.215.205.228 67 | ---- -------------------------------------------------------------------------------- /APT_JS.BackDoor.60/README.adoc: 
-------------------------------------------------------------------------------- 1 | = Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Trojan.Siggen21.39882 8 | ---- 9 | 9b75ef8a67b412122e03a8209c5d46ea5a8cd957: Дополнительные материалы, перечень вопросов, накладные и первичные документы.exe 10 | ---- 11 | 12 | === JS.BackDoor.60 13 | ---- 14 | 847855b9240afb0b8e1e11de412cc779db51020e: the main backdoor body 15 | 5f51e7319c582a8ccdd4971d22515977213b8639: the “task_autorun_lnk” task 16 | d45d42225db3ce5cd1407dff55d88dc5ffa843e2: the “task_autorun_reg” task 17 | 940390c98276ceda423574c7357188728ea83074: the “task_autorun_scheduler” task 18 | b3d694a7832cd4f228df9cbeaee10e996b583d18: the “task_fdwd” task 19 | db86d55f3394d82f10f9b17b2250d11bb38149c5: the “task_punto2_diary” tas; 20 | 5a17ed042b3209d993cd81b56f420a36bd1f3b3a: the “task_punto_install” task 21 | 0d2226f7cf71c8685f52d490586ed63bb3393fc1: the “task_s” task 22 | ---- 23 | 24 | === BackDoor.SpyBotNET.79 25 | ---- 26 | c402d069a92bbc552c3ac6497547e10f45aca4f3 27 | ---- 28 | 29 | === Trojan.DownLoader46.24755 30 | ---- 31 | 3f34031b923dc68667859162260b22830cbce521: Проводник.exe 32 | ---- 33 | 34 | == Network indicators 35 | 36 | === Domains 37 | ---- 38 | rembo[.]solkvize[.]com 39 | ragulya[.]amoibius[.]com 40 | skalioz[.]zenoizen[.]com 41 | zalupakonya[.]clonckure[.]com 42 | kishka[.]vivostark[.]com 43 | pizda[.]eckliptic[.]com 44 | aran[.]quonovap[.]com 45 | barmaley[.]quoonity[.]com 46 | muflon[.]zorroiz[.]com 47 | ---- 48 | 49 | === IPs: 50 | ---- 51 | 213[.]232.255.61:8080 52 | 88[.]99.71.225:8080 53 | 51[.]178.53.191:8080 54 | 78[.]46.66.9:8080 55 | 135[.]181.206.12:8080 56 | 217[.]145.238.175:80 57 | 164[.]90.185.9:443 58 | 94[.]156.6.209:80 59 | 104[.]248.253.214:80 60 | 141[.]94.175.31:8098 61 | 34[.]207.71.126:80 62 | 192[.]99.44.107:8080 63 | 107[.]161.20.142:8080 64 | 
52[.]86.18.77:8080 65 | 192[.]99.196.191:443 66 | 216[.]250.190.139:80 67 | 205[.]185.123.66:8080 68 | 52[.]26.63.10:9999 69 | 24[.]199.110.250:8080 70 | 45[.]55.65.93:80 71 | 139[.]99.123.53:9191 72 | 44[.]228.161.50:443 73 | 162[.]33.178.113:80 74 | 167[.]71.106.175:80 75 | 45[.]76.190.214:1024 76 | 154[.]31.165.232:80 77 | 168[.]138.211.88:8099 78 | 52[.]193.176.117:443 79 | 52[.]196.241.27:443 80 | 54[.]249.142.23:443 81 | 121[.]63.250.132:88 82 | ---- 83 | -------------------------------------------------------------------------------- /Android.BankBot.Coper/README.adoc: -------------------------------------------------------------------------------- 1 | = Android.BankBot.Coper banking trojan targeting Colombian users ― Indicators of compromise 2 | 3 | == Samples 4 | 5 | === Main apk packages (droppers) 6 | 7 | |=== 8 | | Detection name | SHA-1 | Package name 9 | 10 | | Android.BankBot.Coper.3.origin | 0a1fcf7720a15927bee247448937b2d69d19db22 | com.boatfront0 11 | | Android.BankBot.Coper.4.origin | 003f9bcad39c565d76cf9be5aec1ac3df4cedeec | com.readmusic63 12 | | Android.BankBot.Coper.4.origin | 61100e17aae89c9763ac491b5fb7c550d746f062 | com.livetable88 13 | | Android.BankBot.Coper.4.origin | be08992e34f65a47a05ae3fddb55fb4040777431 | com.outway5 14 | | Android.BankBot.Coper.1 | 9ee6d59459a879d7a07e129b93e85b24e2515bd6 | com.getsimple26 15 | | Android.BankBot.Coper.3 | f428883573da2e1ded844ad6c79ee1356b0e6264 | com.lookfeetudnl 16 | |=== 17 | 18 | === Decrypted dex files (Android.BankBot.Coper.2.origin) 19 | 20 | ---- 21 | 0d9873338ea86d5904e521ad6e240c932cf5999e 22 | 0f72d7bafb1ddfd57ce1c9533c9244fc59d17fe6 23 | d736ccc9adebd31d5f34d641b6bf4fce88bdf7d4 24 | e1a7139878cd55875f570a755d2750fad2038c77 25 | d689039c533ad29dfe7dc16b94a8966d79181ea7 26 | 3374ce9735195e3646d4ef769bab2ef65dbe7176 27 | ---- 28 | 29 | === Decrypted apk packages (not packed) 30 | 31 | |=== 32 | | Detection name | SHA-1 | Package name 33 | 34 | | Android.BankBot.Coper.1.origin | 
d292ec3050df57f09a55c0fd3b3e7237e83eccf7 | com.usold9 35 | | Android.BankBot.Coper.1.origin | d07a7e80a7dfda036173237f89bd3a249da931ae | com.pointstorymyer 36 | | Android.BankBot.Coper.1.origin | c1964942459e99cd0bf52b1a724163874fa99dd2 | com.worktreegd 37 | | Android.BankBot.Coper.1.origin | a0c2d20e68afe6bffdb6c7b9afcbba657357ea44 | com.seeturn9 38 | |=== 39 | 40 | === Decrypted apk packages (packed) 41 | 42 | |=== 43 | | Detection name | SHA-1 | Package name 44 | 45 | | Android.BankBot.Coper.2 | 329c2e94e8c95a0d588fed72ea7e53fe21ea7837 | com.lineanysl 46 | | Android.BankBot.Coper.4 | fe6673b28888d22b1d3181e26b5e708d96d3f602 | com.frontbynpxa 47 | |=== 48 | 49 | === Decrypted Android.BankBot.Coper.1.origin 50 | ---- 51 | f2de6a855f04a0f5e0999c5b413347adaa1197e2 52 | 62d731ab9f40470e649a51b8d7e61af61f23cd8b 53 | ---- 54 | 55 | == Network indicators 56 | 57 | === Domains 58 | 59 | ---- 60 | sportsstyle.club 61 | fitnessstyle.xyz 62 | 4-u.wtf 63 | ---- 64 | 65 | === IPs 66 | 67 | ---- 68 | 18.217.36.170 69 | 45.76.35.31 70 | ---- -------------------------------------------------------------------------------- /August 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = August 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22 9 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 10 | | Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 11 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 12 | | Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d 13 | | Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5 14 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 15 | | Android.HiddenAds.3697 | 
08415e1771bfc5b229557deb01e63c0a5601f07e 16 | | Android.HiddenAds.3697 | 0a15c8229c290aceca8a2b543251c4907372d365 17 | | Android.HiddenAds.3766 | 2e33de933b62950222cbf5b5ab81ca45559f699e 18 | | Android.MobiDash.7802 | eedaeccd391115ab085cd0f47392cd991976c06d 19 | | Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e 20 | | Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249 21 | | Android.Pandora.2 | 14215a93ed5d0a86f31aab0b2d7be6db8a45a371 22 | | Android.Pandora.7 | 06e5f681fbae1d5a5d859e63c9d57a0f684a5db8 23 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 24 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 25 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 26 | | Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615 27 | | Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11 28 | | Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f 29 | | Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366 30 | | Program.SecretVideoRecorder.1.origin | a75f2a400ed6b200acc26a2e1aa285110addc08d 31 | | Program.wSpy.1.origin | 4da47e907e74ad939eacda9f01e49bfbb42e30c9 32 | | Program.wSpy.1.origin | f1b71e4faa9ad1c19f65596e52a1dce496ec7bf6 33 | | Tool.ApkProtector.16.origin | 18fa72deca1d7872fef7d81c0b73d1408d8e2484 34 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 35 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 36 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 37 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 38 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 39 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 40 | -------------------------------------------------------------------------------- /February 2024 review of virus activity on mobile devices/README.adoc: 
-------------------------------------------------------------------------------- 1 | = February 2024 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065 9 | | Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3 10 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 11 | | Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 12 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 13 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 14 | | Android.HiddenAds.3956 | 059fb8592c8edd8475d94a4ad8c0f12ab715f8de 15 | | Android.HiddenAds.3956 | 0674d656580780c1b9ebd1d916320f7b24abcd62 16 | | Android.HiddenAds.3851 | 88549742af8fa1e9d37298f704f1478c41930990 17 | | Android.HiddenAds.3851 | 8a99bef43844238dece38f5b693ca3ccded0196d 18 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 19 | | Android.HiddenAds.Aegis.1 | 10e743b712899baa6c2d71b2680bd4a1231ae115 20 | | Android.HiddenAds.Aegis.1 | 381537111a1e4fe028738690957d01ba5bde1393 21 | | Android.HiddenAds.Aegis.4.origin | 91ed9521d008164b94017e114f24c49636910d6e 22 | | Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc 23 | | Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e 24 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 25 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 26 | | Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263 27 | | Program.wSpy.3.origin | 6ca09dd7292d2ea97325c1aa4217dc3232e84ca7 28 | | Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7 29 | | Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366 30 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 31 | | Tool.CloudInject.1 | 
c66100aee1b7816fcca2dc7088d77e35fc2ab771 32 | | Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6 33 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 34 | | Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26 35 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 36 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 37 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 38 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 39 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 40 | -------------------------------------------------------------------------------- /Trojan.Fruity.1/README.adoc: -------------------------------------------------------------------------------- 1 | = Fruity trojan downloader performs multi-stage infection of Windows computers ― Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | File name | SHA-1 | Detection name 7 | 8 | | python39.dll | 8c54df8f11f9cca98fd91fc8bf35c8763274e59e | Trojan.Fruity.1 9 | | libvlccore.dll | d795cfd67aa5c4c3386e4358f0f5a3c59f8d7ea8 | Trojan.Fruity.7 10 | | SbieDll.dll | 3c1f8b35acd86be14ba3204900a6aa1b70d5efa4 | Trojan.Fruity.8 11 | | idea.mp3 | 3b116c5ad39439994245e1a0b64d1fe7ff156ab9 | - 12 | | tree.mp4 | b33a26608f2faf5ef4f8254ccdf62916976d1e12 | - 13 | | fruit.png | 753fc961cc3eff34ecf54e3b4ae5302f306ea152 | - 14 | | fruit.png | a4526885590b019e22ac10ea3242cdfc6a11cabb | - 15 | | fruit.png | 6132c36304063168816314295c21c4a92841bd65 | - 16 | | fruit.png | b2dd00375062a80648746e24efbc36c8a3893377 | - 17 | | .dll (Remcos RAT) | 17e29f7e82d6999fc5037fd9024a207e9297d3a2 | Trojan.Inject4.57973 18 | | tree.log | 7227e0a27841e795d043155a86b31798b6ea463a | - 19 | | tree.log | 8d6150c1131fe172624c94988ac8bd876e60f9bc | - 20 | | idea.cfg | 7227e0a27841e795d043155a86b31798b6ea463a | - 21 | | SRBPolaris v3.5.zip | 
0490955a9c61dc4b8d83bdef64b3e010d63bfb10 | - 22 | | nvidiaInspector 1.9 7.8.zip | 5f2ddcc1c128d78ef6f3f7492d9145f15dec0b72 | - 23 | | GPU-Z.2.49.0.zip | d934fafb506bb577d760b0750fd1ebf146a001a6 | - 24 | | Evga_Precision_XOC_setup.zip | d89ff77cb3c50fc6e21166def0ce79e42ede7381 | - 25 | | ClockGen.zip | 90d0fe275340d419f374d652983aee015cc12370 | - 26 | | BalenaEtcherWin (Portable).zip | 9dfb46f5b65e1e3150917feb660135965a172662 | - 27 | | atiflash_3.31.zip | e90db99fabb6e229861814a5ff7849b2712e6e6f | - 28 | | Set.Miners.Static.IP.v1.3.3.win.zip | ab64d5aa03bc35b0f8baacf46d7a99bc5bdb2a0f | - 29 | | RTSSSetup733.zip | e07eabf9d459e314e78da90f7dc146cc0b81585c | - 30 | | nvflash_5.792.0.zip | 2221625db525ae5ac51c5a72425a5b45118399ab | - 31 | | Atikmdag Patcher 1.4.14 .zip | 8becfa4c00d9d2ba2a4512a238ca091ff2d02bdb | - 32 | | OverdriveNTool_0.2.9.zip | c8eca6e621ff51d486e39a52ffc249c6e062f109 | - 33 | |=== 34 | 35 | == Network indicators 36 | 37 | === Domains 38 | 39 | ---- 40 | more-power-tool[.]com 41 | ryzen-master[.]com 42 | atiflash[.]ru 43 | polaris-bios-editor[.]ru 44 | btc-tools[.]ru 45 | techpowerup-gpu-z[.]com 46 | sapphiretrixx[.]com 47 | srbpolaris[.]ru 48 | clockgen64[.]com 49 | balena-etcher[.]com 50 | nvidiainspector[.]ru 51 | evga-precision[.]com 52 | riva-tuner[.]com 53 | nvflash[.]ru 54 | atikmdagpatcher[.]com 55 | overdriventool[.]ru 56 | ---- 57 | 58 | == IPs 59 | ---- 60 | 62[.]197.48[.]186 61 | 37[.]1.221[.]132 62 | 65[.]108.244[.]82 63 | 37[.]1.221[.]249 64 | ---- 65 | -------------------------------------------------------------------------------- /APT_Trojan.Updatar/README.adoc: -------------------------------------------------------------------------------- 1 | = Take 2: Scaly Wolf persistently targets Russian engineering company’s secrets -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Trojan.Updatar.1 8 | ---- 9 | b463f775a28e134615984d58f774c80575f002af 10 | 26df8e86faa6ee9c19a22b9ac35dd08983e794af 11 | 
d7bfa3b87e6458c8e3a901779ac76adaca0cc0ce 12 | 602751b9f1cd94813163fcfe3cab64c7d2a3a64c 13 | 2eeb94fd24b66284f5e2f19ec6b284255d1a4c0d 14 | a9d356b851ca2942925d937e02f6a7b09881b6c9 15 | bb9d5c2d31ca7711a5e1c87d429dc495f9fc45db 16 | ---- 17 | 18 | === Trojan.Updatar.2 19 | ---- 20 | e517577a8e2166335fa1b640578fd8a1cb353c6d 21 | ---- 22 | 23 | === Trojan.Updatar.3 24 | ---- 25 | 08e2edeea11515c5c83a9d14d723d29939549978 26 | 856225319df6fbb1ff3ea2b9e418a83fbec300d9 27 | 65ffe173a0f48711531c1cc8155d32c55569facb 28 | e324c7490dc287168c2de66021f02e7d999d8538 29 | ---- 30 | 31 | === Meterpreter 32 | ---- 33 | 98f90f98efa163f2d79877284d30947d7c079b43 34 | 27daaa589d76c8e6a7190d63cfc6daea4281ee4b 35 | ---- 36 | 37 | === Tool.Frp 38 | ---- 39 | f49fa6e6bef00cd00bc31fcf4f019fdf82c28fd3 40 | ---- 41 | 42 | === Trojan.FakeAV 43 | ---- 44 | 64ee90631ecf47d5d0f1916007f96069083292cc 45 | b385e11c70b81ddcd594ac0929fb7882a8354af3 46 | 9e1486417007f84cb76999ec95231362a7daf840 47 | 7e4add7c7135fc091a4ae2452e5683ad4f883e86 48 | e0800e803c00db69a06caa68d5889fccc8080772 49 | ---- 50 | 51 | === Trojan.FakeApp 52 | ---- 53 | 5e9934c1ed5da62dc7d05e5c2a9d364dbb06d3a6 54 | ---- 55 | 56 | === Tool.Ligolo.6 57 | ---- 58 | 1041f2df7770456e3759a86f7db3cd9b29fb6a39 59 | ---- 60 | 61 | === Program.RemoteAdmin.877 (RemCom) 62 | ---- 63 | 23873bf2670cf64c2440058130548d4e4da412dd 64 | ---- 65 | 66 | === Trojan.Uploader.36875 67 | ---- 68 | 903283f46df39c46d3be506fd99fdf61b6f0edeb 69 | ---- 70 | 71 | === BackDoor.Siggen2.5423 72 | ---- 73 | 535374b9391410798ee9490eade689996809bc12 74 | 26df8e86faa6ee9c19a22b9ac35dd08983e794af 75 | ---- 76 | 77 | === Program.Rdpwrap.7 78 | ---- 79 | dc6ba17b27e6611489c5c52f8956bc5a45001ecd 80 | d58d987989d1f44effb4bb29d06efb1c51f66718 81 | ---- 82 | 83 | === Tool.Chisel.1 84 | ---- 85 | 7902b08fb184cfb9580d0ad950baf048a795f7c1 86 | ---- 87 | 88 | === Tool.HandleKatz.1 89 | ---- 90 | 462653d8b96c6ee9cca5c09b2955588e5af40256 91 | ---- 92 | 93 | 94 | == Network indicators 95 
| 96 | === Domains 97 | ---- 98 | roscosmosmeet[.]online 99 | roscosmosmeet[.]ru 100 | adobe-updater[.]net 101 | doc-mil[.]ru 102 | updatingservices[.]net 103 | updating-services[.]com 104 | etti-deti[.]ru 105 | etti-deti[.]online 106 | e97861mi[.]beget[.]tech 107 | ---- 108 | 109 | === IPs 110 | ---- 111 | 77[.]105.161[.]30 112 | -------------------------------------------------------------------------------- /July 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = July 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 9 | | Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 10 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 11 | | Adware.Fictus.1.origin | 00aa3a61a6b70bfdb8ddceb9c74f72ed06a170d1 12 | | Adware.Fictus.1.origin | 0867d90ac1aa5680cc99d64a6b6ea6d491495f4c 13 | | Adware.MagicPush.3 | 5dc16a173eb747a1029e50ed5614a5aa1819cd36 14 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 15 | | Android.CoinSteal.105 | 6cf371e96c813a432713c8146e69d2f44607dfcc 16 | | Android.CoinSteal.105 | 888704ab0a8454e1b72b23965e282d3d89bb529a 17 | | Android.Harly.80 | 0f834fde5cc133da4980ad1ca6e3eeab658b128f 18 | | Android.HiddenAds.3697 | 0076a14a2bdf842e9252f6001838ace90ef752c4 19 | | Android.HiddenAds.3697 | 053567eb93555796cef87f8286b85e8cf5df78f4 20 | | Android.Joker.2170 | 36fa79fab68c58e5df63f49d1f5c4a225e597a73 21 | | Android.Joker.2171 | 597bab95d64b286d5d8efec8c31abf948dc1497e 22 | | Android.Joker.2176 | 0d00919a025f210cfda63aeba51abed3cdaad42c 23 | | Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e 24 | | Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249 25 | | Android.Pandora.2 | 
14215a93ed5d0a86f31aab0b2d7be6db8a45a371 26 | | Android.Pandora.5 | b97f19d0f05b222947805803b9c844ccd942b7a3 27 | | Android.Pandora.7 | 06e5f681fbae1d5a5d859e63c9d57a0f684a5db8 28 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 29 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 30 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 31 | | Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc 32 | | Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f 33 | | Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f 34 | | Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167 35 | | Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e 36 | | Program.SnoopPhone.1.origin | 49569cde1fdfa458f4cf84531e3a93663a9f38d6 37 | | Tool.ApkProtector.16.origin | 18fa72deca1d7872fef7d81c0b73d1408d8e2484 38 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 39 | | Tool.Packer.3.origin | f6b7b11c8920e33b5edf914206d3ae8bd9150454 40 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 41 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 42 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 43 | -------------------------------------------------------------------------------- /Android.Pandora/README.adoc: -------------------------------------------------------------------------------- 1 | = Doctor Web identifies an attack on Android-based TV sets and TV boxes ― Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | Path | SHA-1 7 | 8 | | Android.Pandora.4 | assets/gomediad.so | eb7e9c854508dbfbc3205c42d65efc65fe2aec94 9 | | Tool.AppProcessShell.1 | ./classes.dex | 87005061e5e4ebca28c9463be19f5da6a5ee275d 10 | | Android.Pandora.15 | .tmp.sh | f347afa9e35dbbfc27f5aa3f27ef2fd22e628909 11 | | Android.Pandora.2 | 
/system/bin/pandoraspearrk | 14215a93ed5d0a86f31aab0b2d7be6db8a45a371 12 | | Android.Pandora.1 | /system/bin/pandoraspear | a4af993540ff66d3989f1bed013a5b9e86c06f47 13 | | Android.Pandora.10 | /system/bin/pandoraspear | 315ce059dc226831b691e12cf954d9ed038075ca 14 | | Android.Pandora.3 | com.global.latinotvod (apk) | 59c9f06b3ff2abceb7116ffc9f4566d2466ae4c4 15 | | Android.Pandora.7, Android.Pandora.5 | com.world.youcinetv (apk) | 533770922093f567ba6f976308c847cc313786a6 16 | | Android.Pandora.7, Android.Pandora.5 | com.world.youcinetv (apk) | 79759135952f88403fe38f242fea42c191412484 17 | | Android.Pandora.7, Android.Pandora.5 | com.world.youcinetv (apk) | 9c3b326f38118dd6bcde52c78b39e7665bf56f22 18 | | Android.Pandora.17 | com.android.msandroid (apk) | 38505df840791e49797cb16e895fecc400e9e57f 19 | | Android.Pandora.17, 20 | Android.Pandora.19 | com.global.latinotvod (apk) | a4d2b8bf7f166e99aa0db4336939cbbb8938603a 21 | | Android.Pandora.17, 22 | Android.Pandora.18 | com.spanish.latinomobile (apk) | E4b4cc3bc9c7d8da00010dba040b7d500e4afce8 23 | | Android.Pandora.4 | com.android.msandroid (apk) | Adaa93cf60ba47bb48892d7067156a1d4d03ed52 24 | | Android.Pandora.4 | com.android.msandroid (apk) | 864b477f97ce8640c8fbf60d73fbc5552883b20f 25 | | Android.Pandora.4 | com.android.msandroid (apk) | 952d9d39bccd3c0de975aca2d2ec577f8dac9934 26 | | Android.Pandora.5 | com.world.youcinetv (apk) | c9a681d3406301ed24f3d27f480cc213862c2bc4 27 | | Android.Pandora.4 | com.global.latinotvod (apk) | bdeee172f31cd4500bc10de3673bd48c65fd7e89 28 | | Android.Pandora.20 | com.global.unitviptv (apk) | e7f67afe8ed036cb583c4a13319001e27179ce3b 29 | |=== 30 | 31 | == Network indicators 32 | 33 | === Domains 34 | 35 | ---- 36 | youcineapp[.]com 37 | magistv[.]video 38 | tele-latino[.]com 39 | telelatino[.]app 40 | youcineapk[.]org 41 | btvapp[.]net 42 | youcine[.]one 43 | youcinetv[.]app 44 | youcinetv[.]page[.]link 45 | latino9[.]com 46 | fadfatest[.]pneydn[.]com 47 | 
pandoramain-1794008345[.]us-west-2[.]elb[.]amazonaws[.]com 48 | romatotti520[.]oicp[.]io 49 | pandorabackup-1322908155[.]us-west-2[.]elb[.]amazonaws[.]com 50 | pcn[.]panddna[.]com 51 | ok3[.]mflve[.]com 52 | apz[.]bsaldo[.]com 53 | abcr[.]ftsym1[.]com 54 | fadfa.gdalieyw[.]com 55 | ---- 56 | 57 | === IPs 58 | 59 | ---- 60 | 195[.]154.168[.]94 61 | ---- 62 | -------------------------------------------------------------------------------- /Android.Vo1d/README.adoc: -------------------------------------------------------------------------------- 1 | = Void captures over a million Android TV boxes -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Known Android.Vo1d.1 variants (/system/xbin/vo1d) 8 | 9 | |=== 10 | | SHA-1 | Decrypted payload SHA-1 11 | 12 | | f3732871371819532416cf2ec03ea103a3d61802 | 675f9a34f6f8dc887e47aa85fffda41c178eb186 13 | | 637c491d29eb87a30d22a7db1ccb38ad447c8de8 | 9a8b7a85742330970e067f2b80ada9e295b0e035 14 | | 42def5b7eb8b1bcc727739cca98efe42c022a3f6 | 4b1135c6cade7e17548982338bfa9382e3c234f0 15 | 16 | |=== 17 | 18 | 19 | === Known Android.Vo1d.3 variants (/system/xbin/wd) 20 | 21 | |=== 22 | | SHA-1 | Decrypted payload SHA-1 23 | 24 | | 8399c41b0d24c30391d7fba6b634ba29c0440007 | ccf8c0cb83160a20fa4c89b028fb63884f7b6a86 25 | | e5b16486eebd6c6f7c45197f530e854a4f1373dd | cd3c8d0ca99400c86e7e4943e85669f291c52a74 26 | | 51bd967bd7d59a8a9db8083094603a9d10e61ded | 3e941c34af4e07496f515c35eddaff145e06c42a 27 | | 0b3c8113e996ac4e08552761731f9f97b8f0f6a2 | 2d2ceddafbce5afe79e3424ebc32dea4d5dff1fe 28 | | 0d51c034a6deda4d2db21c5852b8ceb8a1e1c68b | 51d17a5a1950db3236c9db3249ab0dcb03223d11 29 | | 9dcc109ac2c5f873ece422aed0687ba21d594e9b | e05c1338426a07a49eb3491e08abbc3f96b047b3 30 | | e5406ae7482c0062cedafbd118a493ab8b7fe530 | c53a76845a78ec9b613442a208b5b2ea8fbecc91 31 | 32 | |=== 33 | 34 | === Known Android.Vo1d.5 variants (/data/google/daemon) 35 | 36 | |=== 37 | | SHA-1 | Decrypted payload SHA-1 38 | 39 | | 
e34c6a13ccbecf7560d4cb8a32872b8aabd5f8db | 825df85d82a3de5e4bf6347dcba47e3ec48dbd52 40 | | 3e21821a1e6edb684f3931d685b908d4a8df3f19 | 6707cbb2b4e09911c4ada7e24c05e4fbd66a7851 41 | | b1cf85aaf1a355677534ea12c19b034c656804ec | 89788eabef15303c142fff33dfd560e619595ae5 42 | | ed975255eba30345de74936e24b9b3090f26ed7e | 182939085a9aa1d6f0e60da31b200cd644522748 43 | | 3ce81fbb1d968e01e970c4c673a7eeb61c247c85 | 436f200abfc0db4ae6138b0b2f1ab67af57ca506 44 | | 0c7f9f33a40a6028dbef416b2385876c87f1bd48 | df71b68c4172ef7f23949c643550c40d0f81fa83 45 | | 6e06d0decf5e211183a751b206dd533f91c13b22 | b6a00590a3b0b175fa2ec910744875dd5be995ac 46 | 47 | |=== 48 | 49 | === Known Android.Vo1d.1.origin variants (com.google.android.services) 50 | 51 | |=== 52 | | SHA-1 53 | 54 | | 7f87f9f059a58eb830d59af5bcb29c612b2a6ccf 55 | | 9fcdfb9cadabe12283a002755a27a4a68a101949 56 | | 25f93476cb8dc6a7f727a88ece0c5a0c19157c0b 57 | | 3a4d90b9911e7e582cf3279b15f2f822a5bb2823 58 | | b315be9d64e22960f6072aac60538b13d50da054 59 | | 618b98eb97f38ffa7b384b0932fd4b92c8877f60 60 | | b474c279da7b08fd64f92b0781e2663bf6cbb4b6 61 | 62 | |=== 63 | 64 | == Network indicators 65 | 66 | === Domains 67 | ---- 68 | hxxp[:]//meiboot[.]com/ 69 | hxxp[:]//bitemores[.]com/ 70 | hxxp[:]//6f33933ce4a5c0e1b32fea736a61351a[.]com/ 71 | hxxp[:]//catmos99[.]com:81/ 72 | ---- 73 | -------------------------------------------------------------------------------- /Linux.Backdoor.WordPressExploit.1/README.adoc: -------------------------------------------------------------------------------- 1 | = Linux backdoor malware infects WordPress-based websites 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Linux.BackDoor.WordPressExploit.1 8 | ---- 9 | 215a4470063080696630fb6015378938e8c16a15 10 | ---- 11 | 12 | === Linux.BackDoor.WordPressExploit.2 13 | ---- 14 | c1620c4a48a3dcb1d27e587f456b371fc43bcb3d 15 | 9e6178d90f58e9459377a17a7ec2f5bedecd7515 16 | 6bcbd2a5dbfc9a5763c47b7eb327e7df35b401d1 17 | 
c0053393f9dbe6113bef85dd88b02fa101df030c 18 | c9f7cbc5e634370c396b88c74f426e7a82e23455 19 | 2e995ec1ecfd9b747174e9a19f43d3307c345382 20 | 4ecd9ce89864da0bb758b8a9564976bbe6235aa0 21 | 297e08c30bb487b2820c891e4c9628a04a4fafdc 22 | 3efbd95631e49828a43e8dc5b0035003c96c29b0 23 | 16c737e9d223b9349538e5366963744b3c811a25 24 | f7ae703e2413600ecf2d0c3c20023a45958ab20b 25 | 3284c52eeb26abe796070645a1dabb4009fa61f7 26 | 616b98f0c7d28140c841ffb0acef4d0e7fd63abf 27 | 1e950dfa3f6e44a066b4228658e1de1152ba738e 28 | 215a4470063080696630fb6015378938e8c16a15 29 | 39dea5cb680488e2942641d85c53a80d3b6e03b7 30 | 077d581dbe356bd1ccb94d1833fa368e3f61b5ed 31 | dfb751fa4c393e0748fe29450b0c9953d6c2e005 32 | c4fcfe1599b2e145d7a4249bd9360968d0706ee2 33 | 565a1e98ef9ac549a8594b2e3777d378ef66251c 34 | df4b067cbe01b1ff02aa9ccd5ae37b04830f3cd7 35 | 155171bfca23d3c25fe8b1ac211141c0d1216d62 36 | e11628ab66e4616d22eb150d121ccf9710069474 37 | d5f59dba969401c546ffc9b293223b9c6ce229df 38 | c017a4b93e702120ec64befacfa085bd2d0f3a93 39 | f402fb0b305ea3b65cbd6d6eeeb0084a434ce258 40 | 57a23460fb58c2198ec4acc6a6de79284650aa2d 41 | d3c262d5a12e91921d5a09b746d51fc53e7fbc9f 42 | 076b8e6ef4f800aa458b627dc3caae63718ef6fb 43 | 4a54b885617dc613d28f071af58196f5197f0b5b 44 | 8bd3f72333f50962efaa01d927c6cbc3517d986e 45 | eeb05978ede31b163912300ee05d45be9f2a0ccd 46 | bc85aa5917c050311e8889dad3de9a77abdacf13 47 | 22a0c4debdb1f9f99d00b0f818da88f7429798a3 48 | b581d939def9328b0d985b2b1df38cd25fc475d9 49 | 6cedba22594c52d5dd9c5b66ffa175c26ff06025 50 | 09a0d142eb51d2a59ebb88627b3579cfb2083f7b 51 | c19bd1a1b2b18b48273cda326154a369fd07b96d 52 | 344ec12182ab2bf79a10dec7f7c27b3b0e0b2fa0 53 | a3f6f731a0ca6455e4817aa7c68d47a0464691eb 54 | e5bb95687d464ada71c9f06497140a57a8c03ec2 55 | 3e1204224b1492b06107a61ab7f11ad8b50ef456 56 | fdeeb68a92a7805ecb7bb7f728d9f28f322a536f 57 | acd4339fa505d9ff76d85633fcae4265ebebd135 58 | ---- 59 | 60 | === JS.DownLoader.6047 61 | ---- 62 | 6d61e0c0343c5de5881cbf7a149106947090e101: location.js 63 | 
---- 64 | 65 | == Network indicators 66 | 67 | === Domains 68 | ---- 69 | lobbydesires[.]com 70 | letsmakeparty3[.]ga 71 | deliverygoodstrategies[.]com 72 | gabriellalovecats[.]com 73 | css[.]digestcolect[.]com 74 | clon[.]collectfasttracks[.]com 75 | count[.]trackstatisticsss[.]com 76 | ---- 77 | 78 | === IPs: 79 | ---- 80 | 109[.]234.38[.]69 81 | 198[.]24.166[.]222 82 | 193[.]37.213[.]197 83 | 45[.]9.148[.]48 84 | ---- 85 | -------------------------------------------------------------------------------- /VSDC_CNET/README.adoc: -------------------------------------------------------------------------------- 1 | = VSDC hack -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Installers 8 | ---- 9 | 6e6d2e2a2bfe5cae7cad11db87792be286a48d4a: video_editor_x64.exe 10 | cdb22065e436f8be87c4b382b6d6eaac50bb3632: NordVPNSetup.exe 11 | ---- 12 | 13 | === Trojan.DownLoader 14 | ---- 15 | aa940989d959f41a48561eeb26d0f007c8416af5: update_check.exe 16 | 39985f475755d9cb865bdf359609b176f6c85a5f: update.exe 17 | 8277a1968397b60334449a99899e2ce412d3c595: updtae.exe 18 | 7e199b09816111b8083621598ed41d9ff62ed0ae: update_driver.exe 19 | 3dd0c98ddcf91250492d472eced7a672595b54db: part1.exe 20 | 8bcf6def0c0dc6e23b3d016112523310a07e60bf: tvbit.exe 21 | 87daed1db7a7d4b7d7d7ba9b1ca35c85d944f111: tvbit10.exe 22 | 7cea576c983971f5009c7190eda3a53cbc031469: UpdateRD.exe 23 | 69ef67ba5157508a895bccae49bea9f7a6753644: update.exe 24 | ---- 25 | 26 | === Backdoor.TeamViewer 27 | ---- 28 | 9120e9d256d4032219f40b76af911bdd874a20b8: msi.dll 29 | 6c0caf141bd6772d3642a893ab846fa7ff19b056: msi.dll 30 | 65602d436660b4477123a268f184289e4da1adf1: msi.dll 31 | 4ddc12ca7c7b034d2318a8717c51f90fc78e5a1c: msi.dll 32 | ---- 33 | 34 | === PowerShell.Dropper.10 (HRDP dropper) 35 | ---- 36 | 86a87cf7453378f57a23dc433a1870251e86bae6: my.db 37 | ---- 38 | 39 | === BackDoor.HRDP 40 | ---- 41 | 178b3c93609d05ea4257f30959120081789214dd: appcache.xml 42 | 
c029ebfa16c062fab32bac1546086a09bfdff0c4: default_list.xml 43 | ---- 44 | 45 | === BAT.KillAV.144 46 | ---- 47 | 1db07a21617b55426b9ab9825c227e3eef687ab2: update_check.exe, DFEx.exe 48 | ---- 49 | 50 | === Trojan.KeyLogger.41944 (X-Key) 51 | ---- 52 | 1d1a70d9a67117120d099d8069718cf04d52cf16: lkeytv.tiff (decrypted) 53 | 495aeca4def6fdb4a13cd38408ea4e2fec2508c1: errorlog.exe 54 | ---- 55 | 56 | === Trojan.PWS.Stealer.28012 (Predator The Thief) 57 | ---- 58 | bc24d39e740b8809183103e7f729f47cd1ff6bae: predtv.tiff (decrypted) 59 | ---- 60 | 61 | === BackDoor.Siggen2.3092 62 | ---- 63 | a92364656435488e2fa45ebcddb863ff3dff3328: nctv.tiff (decrypted) 64 | ---- 65 | 66 | === Trojan.Clipper.67 67 | ---- 68 | 50da321b85159693cc02b82fd5fedfa94cf57614: cliptv.tiff (decrypted) 69 | ---- 70 | 71 | === Trojan.Spynet.29 (SystemBC) 72 | ---- 73 | 17a4920fe9addd89e27946025531ad101ad7816e: soctv.tiff (decrypted) 74 | ---- 75 | 76 | === Trojan.Siggen9.9205 77 | ---- 78 | a16e1abdc186f58ab7fee84fef870bb0a0c81c0a: butv.tiff (decrypted) 79 | ---- 80 | 81 | == Network indicators 82 | 83 | === Bitbucket repositories 84 | ---- 85 | https://bitbucket.org/videosoftdev/ 86 | https://bitbucket.org/vscd/ 87 | https://bitbucket.org/softvpn/ 88 | https://bitbucket.org/soft-group/ 89 | ---- 90 | 91 | === Domains 92 | ---- 93 | centory20.xyz 94 | mginskjadivizija.club 95 | get-cert-ssl1.xyz 96 | my-helper.site 97 | my-super-puper-helper.xyz 98 | ---- 99 | 100 | === IPs 101 | ---- 102 | 23.249.167.164 103 | ---- -------------------------------------------------------------------------------- /Trojan.ChimeraWire/README.adoc: -------------------------------------------------------------------------------- 1 | = Bellerophon could never have imagined. 
The ChimeraWire trojan boosts website popularity by skillfully pretending to be human -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Trojan.ChimeraWire.1 8 | ---- 9 | fb889b6fb1a05854ddab3dc056a4be6a6129c8b0 10 | ---- 11 | 12 | === Trojan.ChimeraWire.2 13 | ---- 14 | f4ec358ae772d954b661dc9c7f5e4940a2c733e2 15 | ---- 16 | 17 | === Trojan.DownLoader48.54600 18 | ---- 19 | 231ebce457fb9c1ea23678e25b3b62b942febb7d 20 | 85d5f01e68924e49459b6cc1ccceb74daa03bfbd 21 | ---- 22 | 23 | === Python.Downloader.208 24 | ---- 25 | 71f9af933330a08e05fa99e21f1d3684299f159f: maintaindown.py 26 | 9468b3c9b59cb485df6f363b8077abf7a6bbae2a: update.py 27 | a5207352be07557960240014ebbc6401c31110c1: update.py 28 | 684fa80fc7173bb7704d861cd410e4a851305f0d: maintaindown.py 29 | 2728a59e8ededa1d9d2d24ea37e3d87e1be9dd85: maintaindown.py 30 | 370e410383244c9f1ff75acb4d0dfbef29b483f6: update.py 31 | 477902f5b2934086def7319fc40662d3e603616b: two.zip 32 | 7332fdb6e9b34e1d3dfb94a53272d1b3b6415333: two.zip 33 | d56f4ee28e2545b087972b86507843c6a7836b6d: python3.zip 34 | b49423f5eebfa3c969992c1e5181e40f14255283: python3.zip 35 | e70a41a6ac176e0173f3769de127c704fb0d3239: python3.zip 36 | 5011e937851f3c4ecbd540d89a5dffd52922dfff: python3.zip 37 | eb76a4c01f744cd357f6456526d379dc4653a20a: onedrivetwo.zip 38 | ---- 39 | 40 | === Trojan.Starter.8377 41 | ---- 42 | 993fc928f3f3a4bd6f356d2c567548dcedeef89b: ISCSIEXE.dll 43 | 8badce03b976fa1a4a3ab1b73ce6e158daf35b2a: ISCSIEXE.dll 44 | ---- 45 | 46 | === Trojan.DownLoader48.54318 47 | ---- 48 | 1e010f4637284da7c2c6ac9a8fb2b1bdec8f2abf: UpdateRingSettings.dll 49 | 0d9224ec897d4d20700a9de5443b31811c99b973: UpdateRingSettings.dll 50 | 054b9e9a9b76eccbce00e8f4d249a8e93f178f3c: UpdateRingSettings.dll 51 | ce591bd31bee720dd0ee631f7be63904255a664b: UpdateRingSettings.dll 52 | ---- 53 | 54 | === Trojan.DownLoader48.61444 55 | ---- 56 | 752cbf3b0a18831b1ee02c8850517c695ddda98e 57 | ---- 58 | 59 | == Network indicators 60 | 61 | 
=== URLs 62 | ---- 63 | hxxps[:]//pastebin[.]com/raw/r1V9at1z 64 | hxxps[:]//qu[.]ax/dcvwP[.]zip 65 | hxxps[:]//pastebin[.]com/raw/9tDWNnF6 66 | hxxps[:]//qu[.]ax/ZzSWR[.]txt 67 | hxxps[:]//qu[.]ax/cLxFW[.]txt 68 | hxxps[:]//down[.]temp-xy[.]com/update/python3[.]zip 69 | hxxps[:]//down[.]temp-xy[.]com/update/onedrive[.]zip 70 | hxxps[:]//down[.]temp-xy[.]com/update/onedrivetwo[.]zip 71 | hxxps[:]//down[.]temp-xy[.]com/zip/one[.]zip 72 | hxxps[:]//down[.]temp-xy[.]com/zip/two[.]zip 73 | hxxps[:]//down[.]temp-xy[.]com/code/k[.]txt 74 | hxxps[:]//down[.]temp-xy[.]com/code/s[.]txt 75 | ---- 76 | 77 | === Domains 78 | ---- 79 | temp-xy[.]com 80 | down[.]temp-xy[.]com 81 | git[.]temp-xy[.]com 82 | logs[.]temp-xy[.]com 83 | test[.]temp-xy[.]com 84 | time[.]temp-xy[.]com 85 | openthecahe[.]com 86 | 30[.]openthecahe[.]com 87 | www[.]openthecahe[.]com 88 | qu[.]ax 89 | ---- 90 | 91 | === IP addresses 92 | ---- 93 | 79[.]110.49[.]212 94 | 91[.]200.14[.]14 95 | -------------------------------------------------------------------------------- /Trojan.Click3.27430/README.adoc: -------------------------------------------------------------------------------- 1 | = Trojan.Click3.27430 -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | ---- 8 | 83d03624465bb25a4f1cc4d4e6bccfd346a90437 - Trojan.Starter.7802 9 | 2219a16d8a06ef60ae77e740b006983c4739bcaa - Trojan.Starter.7802 10 | eb257be0d328bf6e4d800a15d24b87086ec373b1 - Trojan.Starter.7803 11 | f189f436c3194df24e340e806ff21ecdcf5c9a55 - Trojan.DownLoader27.2476 12 | 6e774cb765455281979bbe359972d191afbe82d4 - Trojan.DownLoader27.15163 13 | 87caefda330a5fc4c132107d58f50cd191c3f5f2 - Trojan.Click3.27430 14 | a000e9b17863e40ee82626c42ebe28a298fcfd40 - Trojan.Click3.27430 15 | ca2d8fe62288c61479401e146ac9dd2d57080cae - Trojan.Click3.27430 16 | 0d1277b16abd9c6515d45fa7958dc1615b9a1414 - Trojan.Click3.27430 17 | ec853c64e84e787c9d6f521588c6c21375ca4bb0 - Trojan.Click3.27432 18 | 
7be3adf73bc32ed24d5c6e50a494caf5f2a394a6 - Trojan.Click3.27430 19 | d64092870b8126c5ffe98a91c4ccec80e4355c8c - Trojan.Click3.27430 20 | 667c476e03c411c5cbfb25b3b979693c1e8d5eec - Trojan.Click3.27430 21 | dbf58e4eecf56de742af26e25c7f469ed6ad4809 - Trojan.Click3.27430 22 | 942f8943e546be16b8d160b69e3335c8dff8dcee - Trojan.Click3.27430 23 | fca73f5f6dd84cd4f76905b08d16024506edd511 - Trojan.Click3.27430 24 | add2b6262469b7a347ace43543b1244f8b6d829f - Trojan.Click3.27430 25 | 33cb79383cde1f342c9b98ff993b01c10eb2571a - Trojan.Click3.27430 26 | 4256cef839adb2dfb2827c6d7089be103849284c - Trojan.Click3.27430 27 | a3aebd17eebfab90da8a375677c643a418f05092 - Trojan.Click3.27430 28 | e6d25484b4f98b8febeaef3af537b8157d036c49 - Trojan.Click3.27430 29 | 617d071aae535ba0944a2144a58bbf891c079f9f - Trojan.Click3.27430 30 | 7eef6c72779843f415db7236f48a33edbf52a424 - Trojan.Click3.27430 31 | c86d2df93e96ee881eac2596b1792d999ce5be03 - Trojan.Click3.27430 32 | 672622ce5181c8d122586a0910cddcff34bd69af - Trojan.Click3.27430 33 | 28cfe59f6f57ae548618dfc3647cd919fc242ac5 - Trojan.Click3.27430 34 | d2e0a1547c23c8a47318a56b3418d750b44625c3 - Trojan.Click3.27430 35 | 19b631b4d8924a21b32227ff2c6eece28b39ac68 - Trojan.Click3.27430 36 | c08cd653fc59410672a4c1ecac23b42779db7cb4 - Trojan.Click3.27430 37 | 5148d6d7e35e0e86ba0ac374440a775d5c8d5233 - Trojan.Click3.27430 38 | 00203ba8452a3cce6a1ef233609a6397d546a32b - Trojan.Click3.27430 39 | 9991ea7071294e72cdd0e94262882e0f154f0f86 - Trojan.Click3.27430 40 | 969a3b3472898df00c439dfdd937e41fb8bea51f - Trojan.Click3.27430 41 | 4ecf24785d60e0f0de2e76c9113e30df689da22b - Trojan.Click3.27430 42 | 7487a6210377f84773a32c81f99e0289cdc8e174 - Trojan.Click3.27430 43 | 40ae13c10257d06699c5dbdb2a8432d2483a6b85 - Trojan.Click3.27430 44 | ---- 45 | 46 | == Network indicators 47 | 48 | === Domains 49 | ---- 50 | barmash.ru 51 | dnsip.ru 52 | dns-free.com 53 | ---- 54 | 55 | == Project paths 56 | 57 | ---- 58 | C:\Boris\Программы\Auto Installer\Project1.vbp 59 | 
C:\Boris\Программы\Barmash_ru_Restarter3\Project1.vbp 60 | C:\Boris\Программы\Barmash.ru.new\Project1.vbp 61 | C:\Boris\Программы\Barmash.ru.new\DNSIP\Проект1.vbp 62 | C:\Boris\Программы\BDown\Project1.vbp 63 | ---- -------------------------------------------------------------------------------- /December 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = December 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Android.FakeApp.1563 | 9bc619eed34c0410f0a8415532020410a7fd91e1 9 | | Android.FakeApp.1564 | b176d98d97df68855ca8fba1b2f2ac2274b03397 10 | | Android.FakeApp.1566 | 297601335144c1ea00557a9fd4f59ed31ff0221b 11 | | Android.FakeApp.1567 | 30cbebcbea6fb26660f6517f82fc08a04c1c7f05 12 | | Android.FakeApp.1568 | 0a105f9b1e0600c44eac8fe302b39b132dba5159 13 | | Android.FakeApp.1569 | 34523ee4d9dd1740b4f4287683a26d5e53c748e1 14 | | Android.Packed.57122 | 0de65568491fd5b42274b226d5328f28d8156353 15 | | Android.Packed.57122 | e970e7c5213dc52fda77e7d0dfdfc49de32a9596 16 | | IPhoneOS.CoinSteal.58 | e5f93a61f9c4dc661337c7d75229f9a99ac5d784 17 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 18 | | Android.HiddenAds.3831 | 9b83f23b6c357fc1ee6a0bb429c1b7a7ef629e01 19 | | Android.HiddenAds.3831 | 9d85c49605a010ca1c8a523fc994c76b457edd75 20 | | Android.HiddenAds.3851 | e5b683a1bb634ae97216ddceb8c929b9f55fd316 21 | | Android.HiddenAds.3851 | e8e28e4eb826bb3b9baf4a5c1cefdd566f2d5522 22 | | Android.MobiDash.7805 | 6c2b880b43397c9e5238a866a938bd34aefc36c6 23 | | Android.Click.1751 | 59bc8cd2996f071ad29d8b8cfa9089bbf6a6b241 24 | | Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc 25 | | Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e 26 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 27 | | Program.FakeAntiVirus.1 | 
8b8889f69532ab25c57351666389715e3d2b8676 28 | | Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263 29 | | Program.wSpy.3.origin | 6ca09dd7292d2ea97325c1aa4217dc3232e84ca7 30 | | Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615 31 | | Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11 32 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 33 | | Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362 34 | | Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6 35 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 36 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 37 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 38 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 39 | | Tool.ApkProtector.16.origin | 18fa72deca1d7872fef7d81c0b73d1408d8e2484 40 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 41 | | Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3 42 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 43 | | Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 44 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 45 | | Adware.Fictus.1.origin | a0f870b496e957029e136ba299ba326f7ca709d1 46 | | Adware.Fictus.1.origin | e2baa09fcdef1f8e1b438c1a0e5aca83cf473feb 47 | -------------------------------------------------------------------------------- /Trojan.Belonard/README.adoc: -------------------------------------------------------------------------------- 1 | = Trojan.Belonard -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === client.dll 8 | ---- 9 | ce9f0450dafda6c48580970b7f4e8aea23a7512a - Trojan.Belonard.1 10 | ---- 11 | 12 | === Mp3enc.asi 13 | ---- 14 | 75ec1a47404193c1a6a0b1fb61a414b7a2269d08 - Trojan.Belonard.2 15 | 
4bdb31d4d410fbbc56bd8dd3308e20a05a5fce45 - Trojan.Belonard.2 16 | ---- 17 | 18 | === Mssv16.asi 19 | ---- 20 | 72a311bcca1611cf8f5d4d9b4650bc8fead263f1 - Trojan.Belonard.3 21 | 2bf76c89467cb7c1b8c0a655609c038ae99368e9 - Trojan.Belonard.3 22 | d37b21fe222237e57bc589542de420fbdaa45804 - Trojan.Belonard.3 23 | 6b03e0dd379965ba76b1c3d2c0a97465329364f2 - Trojan.Belonard.3 24 | ---- 25 | 26 | === Mssv24.asi 27 | ---- 28 | 15879cfa3e5e4463ef15df477ba1717015652497 - Trojan.Belonard.5 29 | 4b4da2c0a992d5f7884df6ea9cc0094976c1b4b3 - Trojan.Belonard.5 30 | 6813cca586ea1c26cd7e7310985b4b570b920803 - Trojan.Belonard.5 31 | ---- 32 | 33 | === Mssv36.asi 34 | ---- 35 | a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 - Trojan.Belonard.10 36 | ---- 37 | 38 | === FileSystem.asi 39 | ---- 40 | e6f2f408c8d90cd9ed9446b65f4b74f945ead41b - Trojan.Belonard.11 41 | ---- 42 | 43 | === spwinres.dll 44 | ---- 45 | a77d43993ba690fda5c35ebe4ea2770e749de373 - Trojan.Belonard.4 46 | ---- 47 | 48 | === davapi.dll 49 | ---- 50 | 73ba54f9272468fbec8b1d0920b3284a197b3915 - Trojan.Belonard.6 51 | a057bc2910dd38b01390aaa3c8b73b436d695539 - Trojan.Belonard.6 52 | d6f2a7f09d406b4f239efb2d9334551f16b4de16 - Trojan.Belonard.6 53 | 0261dd7fe117729a345ea048ec834d22950f7b23 - Trojan.Belonard.6 54 | db4d0e71590ac6da3f5a4af000c871db4f48c8fb - Trojan.Belonard.6 55 | 002320bcabd497da9872b0ee723acfede52840a7 - Trojan.Belonard.6 56 | ---- 57 | 58 | === WinDHCP.dll 59 | ---- 60 | 8165872f1dbbb04a2eedf7818e16d8e40c17ce5e - Trojan.Belonard.7 61 | 027340983694446b0312abcac72585470bf362da - Trojan.Belonard.7 62 | ---- 63 | 64 | === wmcodecs.dll 65 | ---- 66 | 89dfc713cdfd4a8cd958f5f744ca7c6af219e4a4 - Trojan.Belonard.8 67 | 93fe587a5a60a380d9a2d5f335d3e17a86c2c0d8 - Trojan.Belonard.8 68 | ---- 69 | 70 | === ssdp32.dll 71 | ---- 72 | 2420d5ad17b21bedd55309b6d7ff9e30be1a2de1 - Trojan.Belonard.9 73 | dc7dda9cd9ccd74f65dc517aa7a9e80d5190c786 - Trojan.Belonard.9 74 | 1a351e271bd74aa5d98dd544597740802fca4fda - Trojan.Belonard.9 75 | 
---- 76 | 77 | == Network indicators 78 | 79 | === Domains 80 | ---- 81 | csgoogle.ru 82 | etmpyuuo.csgoogle.ru 83 | jgutdnqn.csgoogle.ru 84 | hl.csgoogle.ru 85 | half-life.su 86 | play.half-life.su 87 | valve-ms.ru 88 | bmeadaut.valve-ms.ru 89 | fuztxhus.valve-ms.ru 90 | ixtzhunk.valve-ms.ru 91 | oihcyenw.valve-ms.ru 92 | suysfvtm.valve-ms.ru 93 | wcnclfbi.valve-ms.ru 94 | reborn.valve-ms.ru 95 | valve.ms 96 | csfsblue.ru 97 | okxxdigs.csfsblue.ru 98 | smuwccfn.ru 99 | etpfnniu.ru 100 | zpnkqkgv.ru 101 | mwprnvlu.ru 102 | xfxjuwru.xyz 103 | bekauyrk.xfxjuwru.xyz 104 | snsrsfay.xfxjuwru.xyz 105 | ---- 106 | 107 | === IPs 108 | ---- 109 | 37.143.12.3 110 | 46.254.17.165 111 | 160.20.147.81 112 | 162.246.23.169 113 | 88.198.131.212 114 | ---- -------------------------------------------------------------------------------- /APT_telecom2021/README.adoc: -------------------------------------------------------------------------------- 1 | = Study of an APT attack on a telecommunications company in Kazakhstan -- Indicators of compromise 2 | 3 | == Samples 4 | 5 | All hashes are SHA1 6 | 7 | === Trojan.Loader.889 8 | ---- 9 | f783fc5d3fc3f923c2b99ef3a15a38a015e2735a: McUiCfg.dll 10 | ---- 11 | 12 | === Trojan.Loader.890 13 | ---- 14 | 65f64cc7aaff29d4e62520afa83b621465a79823: SRVCON.OCX 15 | 8b9e60735344f91146627213bd13c967c975a783: CLNTCON.OCX 16 | 84d5f015d8b095d24738e45d2e541989e6221786: sti.dll 17 | 3d8a3fcfa2584c8b598836efb08e0c749d4c4aab: iviewers.dll 18 | ---- 19 | 20 | === Trojan.Loader.891 21 | ---- 22 | 595b5a7f25834df7a4af757a6f1c2838eea09f7b: McUiCfg.dll 23 | ---- 24 | 25 | === Trojan.Loader.893 26 | ---- 27 | 46e999d88b76cae484455e568c2d39ad7c99e79f: McUiCfg.dll 28 | ---- 29 | 30 | === Trojan.Loader.894 31 | ---- 32 | b1041acbe71d46891381f3834c387049cbbb0806: iviewers.dll 33 | ---- 34 | 35 | === Trojan.Loader.895 36 | ---- 37 | 635e3cf8fc165a3595bb9e25030875f94affe40f: McUiCfg.dll 38 | ---- 39 | 40 | === Trojan.Loader.896 41 | ---- 42 | 
ff82dcadb969307f93d73bbed1b1f46233da762f: TmDbgLog.dll 43 | ---- 44 | 45 | === Trojan.Loader.898 46 | ---- 47 | 429357f91dfa514380f06ca014d3801e3175894d: CLNTCON.OCX 48 | ---- 49 | 50 | === Trojan.Loader.899 51 | ---- 52 | cc5bce8c91331f198bb080d364aed1d3301bfb0c: LDVPTASK.OCX 53 | ---- 54 | 55 | === BackDoor.PlugX.93 56 | ---- 57 | a8bff99e1ea76d3de660ffdbd78ad04f81a8c659: CLNTCON.OCX 58 | ---- 59 | 60 | === BackDoor.PlugX.94 61 | ---- 62 | 5a171b55b644188d81218d3f469cf0500f966bac 63 | ---- 64 | 65 | === BackDoor.PlugX.95 66 | ---- 67 | b3ecb0ac5bebc87a3e31adc82fb6b8cc4fb66d63: netcfg.dll 68 | ---- 69 | 70 | === BackDoor.PlugX.96 71 | ---- 72 | a3347d3dc5e7c3502d3832ce3a7dd0fc72e6ea49 73 | ---- 74 | 75 | === BackDoor.PlugX.97 76 | ---- 77 | 36624dc9cd88540c67826d10b34bf09f46809da7 78 | ---- 79 | 80 | === BackDoor.PlugX.100 81 | ---- 82 | 16728655e5e91a46b16c3fe126d4d18054a570a1 83 | ---- 84 | 85 | === BackDoor.Whitebird.30 86 | ---- 87 | abfd737b14413a7c6a21c8757aeb6e151701626a 88 | a5829ed81f59bebf35ffde10928c4bc54cadc93b 89 | ---- 90 | 91 | === Trojan.Siggen12.35113 92 | ---- 93 | 4f0ea31a363cfe0d2bbb4a0b4c5d558a87d8683e: rapi.dll 94 | ---- 95 | 96 | === Trojan.Uacbypass.21 97 | ---- 98 | 20ad53e4bc4826dadb0da7d6fb86dd38f1d13255 99 | ---- 100 | 101 | === Program.RemoteAdmin.877 102 | ---- 103 | 23873bf2670cf64c2440058130548d4e4da412dd: AkavMiqo.exe 104 | ---- 105 | 106 | === Tool.Frp 107 | ---- 108 | a6e9f5d8295d67ff0a5608bb45b8ba45a671d84c: firefox.exe 109 | 39c5459c920e7c0a325e053116713bfd8bc5ddaf: firefox.exe 110 | ---- 111 | 112 | 113 | == Network indicators 114 | 115 | === Domains 116 | ---- 117 | webmail.surfanny.com 118 | www.sultris.com 119 | mail.sultris.com 120 | pop3.wordmoss.com 121 | zmail.wordmoss.com 122 | youtubemail.club 123 | clark.l8t.net 124 | blog.globnewsline.com 125 | mail.globnewsline.com 126 | ---- 127 | 128 | === IPs 129 | ---- 130 | 45.144.242.216 131 | 45.147.228.131 132 | 46.105.227.110 133 | 5.183.178.181 134 | 5.188.228.53 135 | 
103.30.17.44 136 | 103.93.252.150 137 | 103.230.15.41 138 | 103.251.94.93 139 | 104.233.163.136 140 | 159.65.157.100 141 | 180.149.241.88 142 | 185.105.1.226 143 | 192.236.177.250 144 | 209.250.241.35 145 | ---- 146 | -------------------------------------------------------------------------------- /CoinSteal/README.adoc: -------------------------------------------------------------------------------- 1 | = CoinSteal cryptocurrency-stealing malware targeting Android and iOS mobile devices — indicators of compromise 2 | 3 | == Android samples 4 | 5 | |=== 6 | | Detection name | SHA-1 | Trojanized application | Malware C2 host | Malware distribution host 7 | 8 | | Android.CoinSteal.3 | 47f802900bc4e89afd0c6e4c858a3d3b10f37536 | OneKey | hxxp://ok.tkdt.cc | 9 | | Android.CoinSteal.4 | 9d79392b1027c6e2aad3b86c2e60141b8df0879e | imToken | hxxps://imtoken.porn | hxxps://imtoken.porn 10 | | Android.CoinSteal.5 | 427eb59d6db909ccef3749b52968c269e3cb681b | imToken | hxxps://imtoken.porn | hxxps://imtoken.porn 11 | | Android.CoinSteal.6 | a98181d4b7f39f00c9533de7ae94ce469354ef5a | imToken | hxxps://api.btipie.com | 12 | | Android.CoinSteal.7 | 452e2e3a77e1d8263d853c69440187e052ee3f0a | MetaMask | hxxps://admin.metamaskio.vip | hxxps://metamaskio.vip 13 | | Android.CoinSteal.8 | 177c6d83200d0aaafafa04e8fb3295c5c061fd8f | Bitpie | hxxps://api.btipie.com | hxxps://www[.]btipie.com 14 | | Android.CoinSteal.10 | cb4ea311930e1a678efe84b5ccc88d95b36d1466 | imToken | hxxps://api4.dealinterface.com | hxxps://www[.]imtoken0004.com 15 | | Android.CoinSteal.11 | dd0b699dc01ae6c439cc2273ccd6ad0dae2c6d84 | MetaMask | hxxps://dht.tokenpocket.pm/ | hxxps://metamaskio.vip 16 | | Android.CoinSteal.13 | 0c54959bcb7794340382584b3653747a5302eead | TokenPocket | hxxps://dht.tokenpocket.pm | hxxps://tokenpocket.pm 17 | | Android.CoinSteal.14 | 09fefc52f528cd16d4ef49eab8f6929928aae8aa | imToken | hxxps://im-token-w.world | hxxps://im-token-w.club 18 | | Android.CoinSteal.16 | 
68b9becb426bcf44f5fcd1e14a8a4db7d78a2210 | Bitpie | hxxps://mobile.jointsky.com | 19 | | Android.CoinSteal.17 | 746545c063b0d4e9dc1ae5700d5ce6cbf7c74bb8 | imToken | hxxps://ok.sdgthr.co | hxxps://lrntoken.vip 20 | 21 | |=== 22 | 23 | == iOS samples 24 | 25 | |=== 26 | | Detection name | SHA-1 | Trojanized application | Malware C2 host | Malware distribution host 27 | 28 | | IPhoneOS.CoinSteal.1 | 2d0a77fd005ca9a383f9c75e1484c2cdbd6261c4 | imToken | hxxps://api4.dealinterface.com | hxxps://www[.]imtoken0004.com 29 | hxxps://hs65.top 30 | | IPhoneOS.CoinSteal.2 | 3c4b49440be91b4e7262b6d3732cc93972daab45 | MetaMask | hxxps://admin.metamaskio.vip | hxxps://metamaskio.vip 31 | hxxps://sign.habkp.shop 32 | | IPhoneOS.CoinSteal.2 | 17daccde5db672c1831df9fd74e05b831fe16db3 | MetaMask | hxxps://admin.metamaskio.vip | hxxps://metamaskio.vip 33 | hxxps://sign.habkp.shop 34 | | IPhoneOS.CoinSteal.3 | 62376c995740cf1117f76558d765018d64f553bd | imToken | hxxps://api4.dealinterface.com | hxxps://www[.]imtoken0004.com 35 | hxxps://huosu009.top 36 | | IPhoneOS.CoinSteal.4 | 46652aef96bf098ae799747fd6aa42f4d8c9339a | MetaMask | hxxps://admin.tokenpocket.pm | hxxps://metamaskio.vip 37 | | IPhoneOS.CoinSteal.4 | d93c8f2cb545e2244bc2244612e1f3b45cc6cc7a | MetaMask | hxxps://admin.tokenpocket.pm | hxxps://metamaskio.vip 38 | | IPhoneOS.CoinSteal.5 | 4d29645ceb322c0eaf06324222ba1f09bd93de7c | imToken | hxxps://api6.dealinterface.com | hxxps://www[.]imtoken0004.com 39 | | IPhoneOS.CoinSteal.6 | 8573f66774ba5bda6eb2e427c691c03d62737a80 | TokenPocket | hxxp://admin.tokenpocket.pm/ | hxxps://tokenpocket.pm 40 | hxxps://ios.meiguoxiazai9.com 41 | | IPhoneOS.CoinSteal.7 | fd393b4ccdbe14462afe56d83fba85014392791c | imToken | hxxps://ok.baofuhh.co | hxxps://lrntoken.vip 42 | hxxps://pgoss1218.oss-accelerate.aliyuncs.com 43 | 44 | |=== -------------------------------------------------------------------------------- /Cavalry Werewolf/README.adoc: 
= Cavalry Werewolf hacker group attacks Russian state institutions -- Indicators of compromise

== Samples

All hashes are SHA1

=== BackDoor.ShellNET.1
----
ec7269f3e208d72085a99109a9d31e06b4a52152
----

=== BackDoor.ShellNET.2
----
1957fb36537df5d1a29fb7383bc7cde00cd88c77
----

=== BackDoor.Tunnel.41
----
c3929c555f4b61458030b70bc889baca8d777abc
----

=== BackDoor.RShell.169
----
633885f16ef1e848a2e057169ab45d363f3f8c57
----

=== BackDoor.ReverseShell.10
----
dd98dcf6807a7281e102307d61c71b7954b93032
f546861adc7c8ca88e3b302d274e6fffb63de9b0
----

=== BackDoor.ReverseProxy.1
----
6ec8a10a71518563e012f4d24499b12586128c55
----

=== BAT.DownLoader.1138
----
d2106c8dfd0c681c27483a21cc72d746b2e5c18c
----

=== Trojan.FileSpyNET.5
----
f40ef5cd25c3f9d552be6a43218be91d07650660
----

=== Trojan.Packed2.49708
----
5684972ded765b0b08b290c85c8fac8ed3fea273
29ee3910d05e248cfb3ff62bd2e85e9c76db44a5
ce4912e5cd46fae58916c9ed49459c9232955302
653ffc8c3ec85c6210a416b92d828a28b2353c17
b52e1c9484ab694720dc62d501deca2aa922a078
----

=== Trojan.Siggen31.54011
----
baab225a50502a156222fcc234a87c09bc2b1647
93000d43d5c54b07b52efbdad3012e232bdb49cc
----

=== BackDoor.Siggen2.5463
----
c96beb026dc871256e86eca01e1f5ba2247a0df6
----

=== Trojan.Inject5.57968
----
e840c521ec436915da71eb9b0cfd56990f4e53e5
22641dea0dbe58e71f93615c208610f79d661228
----

=== Trojan.Packed2.49862
----
8279ad4a8ad20bf7bbca0fc54428d6cdc136b776
a2326011368d994e99509388cb3dc132d7c2053f
451cfa10538bc572d9fd3d09758eb945ac1b9437
a5e7e75ee5c0fb82e4dc2f7617c1fe3240f21db2
bbe3a5ef79e996d9411c8320b879c5e31369921e
e8ab26b3141fbb410522b2cbabdc7e00a9a55251
dcd374105a5542ef5100f6034c805878153b1205
e51a65f50b8bb3abf1b7f2f9217a24acfb3de618
d2a7bcbf908507af3d7d3b0ae9dbaadd141810a4
c89c1ed4b6dda8a00af54a0ab6dca0630eb45d81
b05c5fe8b206fb0d168f3a1fc91b0ed548eb46f5
b4d0d2bbcfc5a52ed8b05c756cfbfa96838af231
----

=== Trojan.Clipper.808
----
96bf2f07c785f6889799458f0609293ccb005634
939ca87baee86097ec901bd7c121f7c1b1976f24
360b759555286a48db9fce259853f2d62de02897
----

== Network indicators

=== Domains
----
sss[.]qwadx[.]com
----

=== IPs
----
188[.]127.251[.]146
193[.]149.129[.]113
195[.]2.79[.]245
172[.]86.75[.]237
185[.]231.155[.]111
185[.]231.154[.]84
188[.]127.227[.]226
188[.]127.231[.]136
77[.]232.42[.]107
78[.]128.112[.]209
96[.]9.125[.]168
109[.]172.85[.]63
94[.]198.52[.]210
109[.]172.85[.]95
89[.]110.98[.]234
62[.]113.114[.]209
89[.]22.161[.]133
188[.]127.225[.]191
94[.]198.52[.]200
91[.]219.148[.]93
185[.]244.180[.]169
185[.]173.37[.]67
168[.]100.10[.]73
45[.]9.120[.]11
195[.]133.1[.]120
192[.]165.32[.]78
185[.]130.251[.]139
194[.]180.11[.]75
----

/Q2 2024 review of virus activity on mobile devices/README.adoc:

= Q2 2024 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Android.FakeApp.1498 | 516aa0b92cb946230ca6c2eb778fde34850c9521
| Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78
| Android.FakeApp.1601 | 5b6cc4bb6fb2cceda7e9fcda68b57ec0ca85e289
| Android.FakeApp.1602 | 34da69a656ebf9368fe131d95747b42d7e6dd760
| Android.FakeApp.1602 | 4929f17eabfd3ad7431278ce6540751c46fa3b32
| Android.FakeApp.1603 | 32b153e6abf6c5f2f5c10d18feade74dc8d15973
| Android.FakeApp.1604 | 32f4fea0373dc38f07c9cf9c1251bec51e2ec588
| Android.FakeApp.1605 | b9d25a26a33c3c9e79374f5b655ecaf9dd5671c2
| Android.FakeApp.1606 | f7a7e59e6f04a44ce6d95ef92659e1eeb403489d
| Android.FakeApp.1607 | 4682b5cefa113bb7eb51959b5400ab6317d4aa3d
| Android.FakeApp.1608 | b6b371764a939c7c121a4512b12c997ac0bdbab1
| Android.FakeApp.1610 | f825d4ca05f138cfbc8dbe7f2731e5fbc940372f
| Android.FakeApp.1611 | a96a321763efddbc2bf03ec66be721fd8fecb138
| Android.FakeApp.1612 | 0d93d9836b5d4ae8f612d5f0049fc38471036e9d
| Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81
| Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b
| Android.Harly.82 | b3501646f30b0c3a59a6a601b7c5fe53e5ea162c
| Android.Harly.87 | ff7fe39ed3efd93e419497ff6d0d2c3992824fc2
| Android.HiddenAds.3956 | 1ccf2f5a5caed19d9d8672a9ccf25b9cafc08a4f
| Android.HiddenAds.3956 | 204ed9ed1a4fa2531f4baf8767e57adb7794ca1f
| Android.HiddenAds.3980 | 40546dd9554f6743abb8c9f90cba59da8cdeb831
| Android.HiddenAds.3980 | 729fc241e8700403f13af7a36ded8e09621f18cc
| Android.HiddenAds.3989 | 8a6ebc76590faec8907445e0dd26b645d5821276
| Android.HiddenAds.3989 | cbb8972189ef7c93f978cf62c4ca8d26ced9d569
| Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167
| Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e
| Tool.SilentInstaller.17.origin | e33aad2f232f469081586e3e6fa5b843cd54432e
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
| Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771
| Tool.CloudInject.2 | e0f72842a8ce55c5ba633512529fca128bf20dbe
| Tool.Packer.1.origin | 897b65ae5ab11a2ceeb238b4ce41fab0b413c466
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.NPMod.2 | 11a54fda40f8648af8132b81b1e501d91bb0e24c
| Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065
| Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450
| Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8
| Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3
| Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d
| Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f
|===

/January 2024 review of virus activity on mobile devices/README.adoc:

= January 2024 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Adware.StrawAd.1 | 52c865404708223d21e9064f1b8b9be2ddefc417
| Adware.StrawAd.1 | c35ec6566602fe4e4b06f232fb168108de234b24
| Adware.StrawAd.2 | 3cb89a80bd818b058aca3e533eb96b55a88dd6f3
| Adware.StrawAd.3 | 46b85e35bc4fed58453ae063629a4f66abc7de0b
| Adware.StrawAd.4 | 3f5cd15a0c01266618193e240cf8f5903069c83a
| Adware.StrawAd.5 | c80f64d67e1bcb1e14b23a312aaf1ccb94df020b
| Adware.StrawAd.6 | 24b0bb16f9767370ed6ac2ade693edea98a89419
| Adware.StrawAd.7 | bbe26fc9869633e79dcc92f80b59a076696532c0
| Adware.StrawAd.8 | f108568e0c2f99d38cf1e092bd1ae4bc82063fee
| Adware.StrawAd.9 | 189c9898d829fd606e5b81d54d587f1cc1384999
| Adware.StrawAd.1.origin | ef1f245549d07d4f547afe96dfd97c786b4a1309
| Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450
| Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8
| Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3
| Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f
| Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d
| Android.FakeApp.1564 | b176d98d97df68855ca8fba1b2f2ac2274b03397
| Android.FakeApp.1573 | 236ee997669951670bc12f74089da983b3a1e47f
| Android.FakeApp.1574 | f41270b8e22e6f213cd97bebdc0f87a058337275
| Android.FakeApp.1575 | 8b4baf25c120e462a0a515cf4287f7eb93daf39f
| Android.FakeApp.1576 | 364372aabd476004c63465357b037cdea3a521b8
| Android.FakeApp.1576 | 3919856d0b24d335012bc5ef23de101104ad8e62
| Android.FakeApp.1577 | b91810f01763946883e298406248ce0f335b0166
| Android.FakeApp.1578 | 200d33c37595f82c50753589262ebf672b442df3
| Android.FakeApp.1579 | 2afccc5d78408e2af8d94c9c8331537b16d39dec
| Android.FakeApp.1580 | 56cc7bc3fb17106d19f07b7fb05db762224c6c5e
| Android.FakeApp.32.origin | 91a6834d3e4a3aa22b27fa2c39bb9caafd9146d3
| Android.FakeApp.32.origin | c4a767a1cdc0e904f664b301ecfb279de2793c40
| Android.HiddenAds.3851 | 046e6c54dfbd27b64c34bbfc20d2bffaaa0a0018
| Android.HiddenAds.3851 | 1a6d93a590e1b29911fd0c7606fc0918b12be8da
| Android.HiddenAds.3831 | 016810c2aaf499d18be9e12da908b31d4c450d08
| Android.HiddenAds.3831 | 0358546ea5c4a736d43d1dcafd3142c1d5920153
| Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9
| Android.Spy.4498 | b61e6f67179972c82b7e625550c0e79981c45c3e
| Android.Spy.4498 | e4a1485cb847f36dd6176096304901d99f231529
| Android.MobiDash.7805 | 6c2b880b43397c9e5238a866a938bd34aefc36c6
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263
| Program.wSpy.3.origin | 6ca09dd7292d2ea97325c1aa4217dc3232e84ca7
| Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615
| Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
| Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178
| Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61
| Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0
| Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
|===

/May 2023 review of virus activity on mobile devices/README.adoc:

= May 2023 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Android.FakeApp.1320 | 8912a46355c597b761a4d88a39600d23774c2e0f
| Android.FakeApp.1348 | 8e30eed40915e69ca0aa0fd6d4b8c4ca4edbb507
| Android.FakeApp.1352 | 41279a2892b432a463245a7ba2a3990cfce2ee80
| Android.FakeApp.1354 | 777bcaec942c04ea9f46325e9987da947dc3574a
| Android.FakeApp.1357 | 7a742ec25ab60150bd1f1bf7aa59e6ed2ed761f6
| Android.FakeApp.1358 | 3bf981113ac41d2d34fe797c882ccabcf91260a5
| Android.FakeApp.1359 | cf256f3c01d66defd1ed9c214060a9e9d9df1a03
| Android.FakeApp.1360 | ba50b4797889a1e699b21564df9333d1b4e8a860
| Android.Harly.66 | 919a0a607eb94252d7bbc4048f9f94b690f916ef
| Android.Joker.2117 | a777bfdcdc364e56d8130b02e0f9ad604da20189
| Android.Joker.2118 | 71bf023750a1aea87dd024b4a1750b9bfcc1c127
| Android.Joker.2119 | 9ab9b43de5c1b3ec2bc8208ea9823256fa48790a
| Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9
| Android.HiddenAds.3697 | d124d86343e116ef4f6b78cbb5d428dde1abbc2f
| Android.HiddenAds.3697 | 1d7b4eb654ab7d20e549468007121d472b8b86fd
| Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e
| Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249
| Android.MobiDash.7783 | 1c80bc1b9ef67c88ee704f9a4f5483f9165291cb
| Android.MobiDash.7783 | 0a484b0fb24ba0125d70dc59b54f237af64b8724
| Android.Spy.SpinOk.1 | 09bc394526b8acdfad02cd4b62512de9fb1a6b15
| Android.Spy.SpinOk.1 | 62175fc9cd4a3ebe1dd11cbd0ce86710fdda9ddf
| Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc
| Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f
| Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615
| Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f
| Program.wSpy.1.origin | 4da47e907e74ad939eacda9f01e49bfbb42e30c9
| Program.wSpy.1.origin | f1b71e4faa9ad1c19f65596e52a1dce496ec7bf6
| Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167
| Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e
| Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366
| Program.SecretVideoRecorder.1.origin | a75f2a400ed6b200acc26a2e1aa285110addc08d
| Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073
| Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
| Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26
| Tool.SilentInstaller.7.origin | 4fbf1629b2ec49cb2839c3e31f9adbc32285b741
| Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178
| Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61
| Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0
| Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce
| Tool.SilentInstaller.17.origin | e33aad2f232f469081586e3e6fa5b843cd54432e
| Adware.MagicPush.3 | 5dc16a173eb747a1029e50ed5614a5aa1819cd36
| Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d
| Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5
| Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22
| Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f
| Adware.Inmobi.1 | e20817ffa2bacb1da0f6294573f95d83cf25fc1f
|===

/November 2023 review of virus activity on mobile devices/README.adoc:

= November 2023 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3
| Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22
| Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450
| Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8
| Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f
| Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d
| Android.FakeApp.1339 | b357d9ad7a97bcd504b4e630df035e485b9d3785
| Android.FakeApp.1494 | 455deeec52ea457c29f995fd67dfabb187e23469
| Android.FakeApp.1495 | 8fd6eb50afa75fa5da23b1af543212a1db442a60
| Android.FakeApp.1496 | fcd9d68a1538733e503dbba41ff247019b3003e3
| Android.FakeApp.1497 | b158ecba11dfd702736b9503659b459d1ad41cc7
| Android.FakeApp.1498 | 516aa0b92cb946230ca6c2eb778fde34850c9521
| Android.FakeApp.1499 | 32accfa7c9fe27bad66105c4e18fdf42675e83ec
| Android.FakeApp.1500 | d757604ad0dcdfe0773c72b836f8a53a149af156
| Android.FakeApp.1501 | 8e8b5bcb045bbfef5fb2b2c80b5d27c8d4069ce6
| Android.FakeApp.1502 | c2fafbeeaf6f2416816c59327ca96013edf8f7a3
| Android.FakeApp.1503 | 7fdfea475b76abe57da175a7f6edea92f8647b60
| Android.FakeApp.1504 | 3e587f6d8b2a4d79d3076f114772fec0faba5b45
| Android.FakeApp.1526 | 371945930caa385df643148425bc2a347b21ae2a
| Android.FakeApp.1527 | 00cd8dbd91194f9c4e583b012e5d61dd4651c0b7
| Android.FakeApp.1528 | 61071aa2df44fc520bcd57b52fdd80d371a2d835
| Android.FakeApp.1529 | d0aacde491958cb8dd50348c6b464ca2b4457cc0
| Android.FakeApp.1533 | 94abf3b71ad9ca30bd6d5705e8b38db5d053048d
| Android.FakeApp.1534 | 148dd15b0e5d40270e63b217befa940558442715
| Android.FakeApp.1535 | 307fb1ad47a4a65e2c4b2735b2a2d8257cd1d41e
| Android.FakeApp.1536 | 4ee769d3e0aceb3e4a96dd4c813056021c6a809b
| Android.FakeApp.1537 | 49cf5991bd39fd38b9c09bdbefb370bad5eb5602
| Android.FakeApp.1538 | 67bf3651e7ccf6fac86fdf4352c3a60f61db2021
| Android.HiddenAds.3697 | 3e1b61c93d61cd25c6d84b6718aa42d0152841ca
| Android.HiddenAds.3697 | 3e4ff575568e8c8537ff60a05d2307afb68b5539
| Android.HiddenAds.3831 | 8c71ac3a14d0f6b9b26c43d3a22c8416da02928c
| Android.HiddenAds.3831 | 9b83f23b6c357fc1ee6a0bb429c1b7a7ef629e01
| Android.MobiDash.7805 | 6c2b880b43397c9e5238a866a938bd34aefc36c6
| Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9
| Android.Spy.5864 | 806651d01c1058e495220cc5869bab8a0f79432f
| Android.Spy.5864 | 938d6c76678068a2b5e323904be8e20b6d8447c3
| Android.Subscription.21 | 4532da59097ad78b8c9ac3780b52ab84bb5780fc
| Android.Subscription.21 | ca27d5cdf2e60b119cbb73f910f52be99d6aa766
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676
| Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc
| Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Program.wSpy.3.origin | 0c16b94622eca1f481b33b895d724272ff64fd4b
| Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
| Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0
| Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce
| Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26
| Tool.SilentInstaller.7.origin | 4fbf1629b2ec49cb2839c3e31f9adbc32285b741
|===

/APT_XPath/README.adoc:
= Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan -- Indicators of compromise

== Samples

All hashes are SHA1

=== Exploit.RTF
----
a707de5a277573b8080e2147bd99ec1015cf56c5: doc.rtf
----

=== BackDoor.Apper
----
48944207135ffbf0a3edf158e5fe96888a52fada: dropper
23dbe50d3484ba906a2fd4b7944d62fb4da42f95: RasTls.dll
5b041bce8559334dc9e819c72da9ff888d7e39c9: shellcode
----

=== BackDoor.CmdUdp
----
314b259739f4660e89221fa2e8990139a84611a9: dnscache.dll
----

=== BackDoor.Logtu
----
7797107eb4a9a9e4359413c15999603fa27714b3: logsupport.dll
----

=== BackDoor.Mikroceen
----
2930efc03e958479568e7930f269efb1e2bcea5a: nwsapagent.dll
56000aa9a70ff3c546dab3c2a3b19021636b3b9c: nwsapagenttt.dll
e98f3b43ab262f4c4e148e659cc615a0612d755f: srv.dll
----

=== BackDoor.PlugX
----
b03c98a9539d4cbb17f2efc118c4b57882b96d93: CLNTCON.ocx
b7eac081c814451791f0cd169d0c6a525a05194d: CLNTCON.ocx
9a2d98321356ad58ea6c8a7796fd576e76237bd1: CLNTCON.ocx
ec548ba0ec9d2452c30e9ef839eb6582a4b685c8: CLNTCON.ocp
7bcb10f1ed9b41abbbe468d177cd46991c224315: ESETSrv
d52152661c836e76bebd46046ba3f877c5d381d8: http_dll.dll
1ba85de14f85389bf3194acea865f4c819d7b602: QuickHeal
8d5e7d389191a3de73350d444c3989857077f629: QuickHeal
aa0e7101b1663c23f980598ca3d821d7b6ea342d: scansts.dll
84c34167a696533cc7eddb5409739edd9af232ed: msvsct.exe
2c51147b271d691f0ab040f62c821246604d3d81: msvsct.ini
2e2919ce6f643d73ff588bccdc7da5d74c611b2c: msvsct.ini
6fc2e76a0d79cc2a78a8d73f63d2fc433ede8bd5: RasTls.dll
e6381d09cdf15973f952430e70547d0b88bb1248: decrypted
f6bf976a2fdef5a5a44c60cbfb0c8fcbdc0bae02: decrypted
----

=== BackDoor.Whitebird
----
e70a5ce00b3920d83810496eab6b0d028c5f746e: oci.dll
c47883f01e51a371815fc86f2adbfb16ffb3cb8a: RasTls.dll
6fc2e76a0d79cc2a78a8d73f63d2fc433ede8bd5: RasTls.dll
----

=== BackDoor.Zhengxianma
----
cce4ba074aa690fc0e188c34f3afff402602921a: RasTls.dll
----

=== Trojan.Mirage
----
34085c6d935c4df7ce7f80297b0c14a8d3b436d8: cmdl32.dat
f5fe30ee6e2de828c7a6eecbb7f874dc35d31f43: config.dat
c4ef5981bee97c78d29fb245d84146a5db710782: rapi.dll
d4558761c52027bf52aa9829bbb44fe12920381d: server.dll
----

=== Trojan.Misics
----
c90ade97ec1c6937aedeced45fd643424889d298: MISICS.dll
5b8f28a5986612a41a34cb627864db80b8c4b097: MISICS.dll.crt
----

=== Trojan.XPath
----
3e1d66ea09b7c4dbe3c6ffe58262713806564c17: svchost.exe
b6fba9877ad79ce864d75b91677156a33a59399e: yyyyyyyygoogle.sys
8cc16ad99b40ff76ae68d7b3284568521e6413d9: yyyyyyyygoogle.sys
5c21ce425ff906920955e13a438f64f578635c8f: yyyyyyyygoogle.sys
e4e365cc14eeeba5921d385b991e22dea48a1d75: PayloadDll.dll
b07568ef80462faac7da92f4556d5b50591ca28d: PayloadDll.dll
fc4844a6f9b5c76abc1ec50b93597c5cfde46075: xPath.dll
2bf5cfe30265a99c13f5adad7dd17ccb9db272e0: xPath64.dll
----

=== Tool.Proxy
----
a1c6958372cd229b8a75a09bdff8d72959bb6053: cryptsocket.exe
30debaf4ec160c00958470d9b295247c86595067: vmwared.exe
----

=== Tool.Scanner
----
05a2b543b5a3a941c7ad9e6bff2a101dc2222cb2: m17.exe
----

=== Tool.WmiExec
----
8675e4c54a35b64e6fee3d8d7ad500f618e1aac9: wmi.vbs
----

== Network indicators

=== Domains
----
tv.teldcomtv.com
dns03.cainformations.com
www.sultris.com
kkkfaster.jumpingcrab.com
www.pneword.net
v.nnncity.xyz
nicodonald.accesscam.org
----

=== IPs
----
45.32.184.101
45.63.114.127
45.77.234.118
45.251.241.26
46.105.227.110
46.166.129.241
103.93.76.27
104.194.215.199
114.116.8.198
116.206.94.68
137.175.79.212
142.252.249.25
202.74.232.2
----

/September 2023 review of virus activity on mobile devices/README.adoc:

= September 2023 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22
| Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450
| Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8
| Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f
| Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d
| Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5
| Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d
| Android.FakeApp.1429 | b4e282f6555bbfd528cf144935c48f25bd80b85c
| Android.FakeApp.1430 | 5607fa179bc87d88ba96effb67bfc99f9eff9573
| Android.FakeApp.1432 | 56beadf415b2481cfbf9085a98e6b5227e8a25cc
| Android.FakeApp.1433 | cf7d4845f3044ea63fc80c14a2d36dbbb84a1bde
| Android.FakeApp.1433 | f0852956c7485876c9dac7f75288a1d23c0919e5
| Android.FakeApp.1434 | 05ae3132992025e18b18b7285d415e8fa369fa0a
| Android.FakeApp.1435 | e725a0688623e34f795212834652936f8aa05dd6
| Android.FakeApp.1436 | 6f7055d3282a9e6fd9c4a4f1f6e3518552898060
| Android.FakeApp.1437 | 38e2795aaca5163cd39d70a2601a177ca2de9089
| Android.FakeApp.1438 | dcb0fbcf43d262e87b8346c34e1cf8db41e865a3
| Android.FakeApp.1439 | fa2a0999bda5f44145f1af2d77647901cc5884d0
| Android.FakeApp.1440 | 2a3328de4eb6b283d4c711527c9176f6d6c21118
| Android.FakeApp.1441 | 00376e6c11d0641253b69e9a58ff27d96312f8ce
| Android.FakeApp.1442 | 8fe9cffa6ccee429baf455ff1446bb30b3589f28
| Android.HiddenAds.3697 | 210297ab922bd87d94456f19722445734235970a
| Android.HiddenAds.3697 | 222fa2cf19136fffba4aa899484d5d963c50634f
| Android.HiddenAds.3781 | 36cf987f712ed70b03f7bcce20a95fbba7042d36
| Android.HiddenAds.3785 | 842c6b7210663e5fd1a3b69584dd410cef6c29e1
| Android.HiddenAds.3786 | eb219be855f4308bb34b7a7269f466f352cef3ab
| Android.HiddenAds.3787 | b3c1fbf3dd6d398c3105e7c83df60690707e0b6b
| Android.Joker.2216 | 5a4ad1171bd46b72bfc15ad8c6719d5e26d2d522
| Android.Joker.2217 | 2bf7abdf4c2d85e95a561afc3b6957a4c77d4be8
| Android.MobiDash.7804 | d9cf9f28d5f6edc5d2c754501ebc3451a503d17f
| Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e
| Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249
| Android.Pandora.17 | 38505df840791e49797cb16e895fecc400e9e57f
| Android.Pandora.2 | 14215a93ed5d0a86f31aab0b2d7be6db8a45a371
| Android.Spy.Lydia.1 | 39e55c1d04c77e95583303131f45208e57c327b9
| Android.Spy.Lydia.2 | a47a2602299c6608e5c2684ef8289e136da58e25
| Android.Spy.Lydia.2 | aa65173adff9f3c08dcbea8388e73f661deb8547
| Android.Spy.Lydia.3 | 41399919972017148e48e8c88649c0912c2a43d2
| Android.Spy.Lydia.3 | 9178e58bc936d6ed2d1a7fbb1b813df5b19b7b3a
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676
| Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615
| Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11
| Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073
| Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362
| Program.wSpy.3.origin | 0c16b94622eca1f481b33b895d724272ff64fd4b
| Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263
| Tool.ApkProtector.16.origin | 18fa72deca1d7872fef7d81c0b73d1408d8e2484
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
| Tool.Packer.3.origin | f6b7b11c8920e33b5edf914206d3ae8bd9150454
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
| Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178
| Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61
|===

/skidmap/README.adoc:

= Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process

== Hashes

Hashes are SHA-1 unless marked otherwise. The Linux.MulDrop.142, Linux.MulDrop.143 and Linux.MulDrop.144 values are 64 hex digits long, i.e. SHA-256, and will not match a SHA-1 lookup.

[cols="1,2"]
|===
| *Name* | *Hash* (SHA-1 unless marked SHA-256)
| Linux.DownLoader.2213 | 936616f99c2d4b9986a8d35514531bab7697faad
c53748e9f9803ff4eaa99e4c1ef73b5a9fac7a94
| Linux.MulDrop.142 | 0da1fa467f1db4cea0e591a2ab369f49ab2a41f074da85da37919951c28ae574 (SHA-256)
| Linux.MulDrop.143 | d75fd66a622fd5846642840f00194ed77ed7d2ba54ebdcd78ecb9700edc9ddab (SHA-256)
| Linux.MulDrop.151 | 030dbc854bb9bdce25e96881b15c812659d71fed
7d4c1910d8bf94c95b18c5131b3df969119d33a6
f4a8fa193a9abaa7575445fdae7c80393dcf38d4
| Linux.MulDrop.144 | ee78829b7057233643abc5fd685b46d3ef040a0347bb4569ac252984760eea2f (SHA-256)
94f4eee7f986699699cd38eba68bf8adda1037eafbd0590c0d9b77b3133d0bfa (SHA-256)
| Linux.BtcMine.815 | 084657ee9a939d00f4a0d82f45692008699329e1
14f483fd7eb792ec2ebe0c8459896db143985669
3de0a2f76f95375c1c078a465683415bda99f01b
| Linux.BackDoor.SSH.425 | 03ebfbf83a7f9c01fa496dec22fbfad1465587d3
1889c26c75aed993b0f2dfd78306c7095b69364d
e456a26028cffc3de502df0af75255fe3a558776
| Linux.BackDoor.SSH.426 | 24f5377a8b0f5dff1c7f0f058b7c76bccfc109c0
57e992c3562d0d7d5954f9b6eb7e464eb5aa732d
e622265120fd9b05a27f24b69a75d852186eaac2
| Linux.Stealer.8 | 205952f7d3bab21a77e583451b788bbda0227ce1
cfacfea656aac991d2df35af4df593c6abec9059
d375abefbc8bca16c5a901f6f4d831a152b886c2
| Linux.Siggen.7907 | 16aaca24bce66f4f19d80e729801d343047dee9c
| Linux.BackDoor.RCTL.2 | 2db920cfe65ddfb73bc08735671991248a56273e
|===

== File artifacts
----
/usr/bin/ssh
/usr/bin/scp
/usr/bin/biosdecoded
/usr/bin/devlinked
/usr/bin/matchpathcond
/usr/bin/postcated
/usr/bin/postmaped
/usr/bin/telinited
/lib/udev/collectd/kmeminfo.ko
/lib/udev/collectd/mcpuinfo.ko
/etc/reviews/cn
/etc/reviews/ig
/etc/reviews/ip
/etc/reviews/it
/etc/reviews/nt
/etc/reviews/rt
/etc/reviews/up
/etc/reviews/uu
/etc/reviews/ux
/etc/mountinfo
/etc/dhclientd
/etc/dhclientdx
/etc/dhclientdd
/usr/include/olog.h
/usr/include/ilog.h
etc/collectd/certs/rctl_ca.crt
----

== Domains
----
c80.softgoldinformation[.]com
c443.softgoldinformation[.]com
c80.softprojectcode[.]com
c443.softprojectcode[.]com
tls8990.softgoldinformation[.]com
tls8990.softprojectcode[.]com
m80.softprojectcode[.]com
m80.softgoldinformation[.]com
tls2.softprojectcode[.]com
tls2.softgoldinformation[.]com
m7.softprojectcode[.]com
m7.softgoldinformation[.]com
tls1.softprojectcode[.]com
tls1.softgoldinformation[.]com
----

== Misc

=== Certificate
----
-----BEGIN CERTIFICATE-----
MIID1DCCArwCCQDrvzm79oEkYTANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCVVMxFDASBgNVBAgMC0xvcyBBbmdlbGVzMRcwFQYDVQQHDA5WZW50dXJhIENvdW50eTEQMA4GA1UECgwHU29mdGFyZTENMAsGA1UECwwEVGVjaDEgMB4GA1UEAwwXc29mdGdvbGRpbmZvcm1hdGlvbi5jb20xKjAoBgkqhkiG9w0BCQEWG21haUBzb2Z0Z29sZGluZm9ybWF0aW9uLmNvbTAeFw0yMTAxMDkxMTUyNDZaFw0zMTAxMDcxMTUyNDZaMIGrMQswCQYDVQQGEwJVUzEUMBIGA1UECAwLTG9zIEFuZ2VsZXMxFzAVBgNVBAcMDlZlbnR1cmEgQ291bnR5MRAwDgYDVQQKDAdTb2Z0YXJlMQ0wCwYDVQQLDARUZWNoMSAwHgYDVQQDDBdzb2Z0Z29sZGluZm9ybWF0aW9uLmNvbTEqMCgGCSqGSIb3DQEJARYbbWFpQHNvZnRnb2xkaW5mb3JtYXRpb24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1up0wA6rUAABnSm7VijCRp+I+wrwWkQIJm0lOYgeXMdxYgOaBPyvT1PYdhMXAdd/Xf3j3uCz0td4jy1YJHzT7832KTDX+YHs7IGV1hkfpLVi6uguX9lATlBQmptqW7N6q+5/lL9XYNwlC6+AIIStLFdUgb9YSIjXF4fu8JjkyK7j7FEXFJ2KF4LAPoDtcUBZVo4GqG/rFdL9joPitVbkO0jhK6/UpVtASINeCRJKCQie5yK301PQqMeB3bACPlK7J7a4iwGaYrl7g8LJcCnX4ib6w5D4o41kVUWlo8mgfZRNgNArAcfREyFtvj+kEhWq8vooWs03SQyuo6USIaFDwQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBJzKFXc9IuYcTb4pTgP6s0bu5EIxJ/ZYSGbbJt+z48cZ15Q9T8vEPYZpa8xWmBIZBYiu3iG76jtDt4tXkTYc+sNgfdwtIV2beiZPnRZkF7Il/VaWIBwg6BffYuhJqTTYRelXa1ULbazIqSf0SKGO68RRtH5IhqAaICIyzgPtgvk6sf04Qt2yQmCBIyay0foUylUUJpABWHnx7uLPUP+5nxZUhDiCTEkExZxjA0kZnLLmAWyn92k2UPKsTK3EaVvch1RfX9Ivp2iHSOoyix+lNhNgGOzx/zoHqpLDlVBfTeLr16cUrnawl3pok1JuBX03HE08oH5uKqtYyyXSKN0gZA
-----END CERTIFICATE-----
----

=== Wallet address
----
47crZwpezjKEbsAqDiqjj1dwDo1vMBDxoPdB48cXCpBZ4RdYYwyiyb956aBEh3ZQv3i1vSNtZjw89g9zMEXTv9LAD13XHbN
----

/Metack/README.adoc:

= Hidden cryptocurrency mining and theft campaign affected over 28,000 users

== Hashes

[cols="1,2"]
|===
| *Name* | *sha-1*
| BAT.Starter.571 | 9bade99535106c1e9467b1ce71e4a254c8af4f64
15260895196748e5a476b5bf8d4595cfdff086c5
d6b39e73a013c923a2da5070bb7c73fa34baeb20
79ded24c4f125ea27df64e543a79fd955d871cbf
0df9b2617b18f6ca4cfb50bb0490bc2705b077a2
| Trojan.Starter.8288 | 60fdcc08d413988b027218705d477af054c84769
f9f27d09afc876750722d79e462ebffb480647ca
7ae374be3e30eb3b521f36d733fdf9de73f48aba
6729925abe113e9a7d8bc8ef52897c29304ed0e2
33e1dc544536eb4154a2f1ed218c33b6e3dece39
6fbba1d146d20fc9d8717a9be224057fd5db1a14
6835808021fb22d1a1549f1e80c26fb5ce76c53a
d0b7186434f859be1fa22b59a9992e7165c80be8
| ShellExt.dll | b1ff3d48a3946ca7786a84e4a832617cd66fa3b9
151b8dba3e67fb2a39cc905faed9e87b948acf45
| BAT.Starter.560 | 3faf1cdf9986a43a2c4cc980a9788bd3186f3787
70e24d932fd45fca7e3b2c83513575ca789475d3
70be5104fac7c5b02a9978598aa9c813f1f5c400
76d69bc3a9829e4ddfe350a4098632b9b64da99d
72459c0c5591b4230875bc729158d63c2b87c6da
| BAT.Starter.561 | ee23df32b53ab84c1683fff9c6dc55c82ab2311b
| Tool.Ncat.1 | db702e12e1eff49e553d8bdbb6a76c088e78af0e
| BAT.Starter.562 | bd526970dbddc9341a2dbce911099f59a3f8a3a5
| Trojan.Clipper.335 | 026b55e8934b8500c26adbb501ee3964e2788511
| Trojan.BtcMine.3767 | 98922170ce92067fbdf164511eea3c9f60afb5f2
|===

== File artifacts
----
Install.msi
%ALLUSERSPROFILE%\jedist\UnRar.exe
%ALLUSERSPROFILE%\jedist\WaR.rar
%ALLUSERSPROFILE%\jedist\Iun.bat
%ALLUSERSPROFILE%\jedist\Uun.bat
%ALLUSERSPROFILE%\jedist\UTShellExt.dll
C:\ProgramData\NUL..\libssl-1_1.dll
C:\ProgramData\NUL..\vcruntime140.dll
C:\ProgramData\NUL..\libcrypto-1_1.dll
C:\ProgramData\NUL..\StartMenuExperienceHost.exe
C:\ProgramData\AUX..\ShellExt.dll
C:\ProgramData\AUX..\DeviceId.dll
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun.bat
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellExt.dll
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DeviceId.dll
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun.bat
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellExt.dll
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\7zxa.dll
C:\ProgramData\inst.bat
----

== Domains

=== C2 servers
----
gamesjumpers[.]com
gamejump[.]site
sportjump[.]ru
----

=== Malware sources
----
https://utorrent-app[.]github.io/
https://excel-ms[.]github.io/
https://iplog[.]co/setup
https://discord-pc[.]github.io/
yip[.]su/FreeDemo.zip
pixeldrain[.]com/u/ptagkS7e
pixeldrain[.]com/u/3Akie3MP
https://yip[.]su/osth
https://pixeldrain[.]com/u/AufE6Hff
https://pixeldrain[.]com/u/5md5hn6e
https://pixeldrain[.]com/u/iq1Cib5M
https://yip[.]su/InSetup
https://taplink[.]cc/demosoft
----

== Misc

=== Wallet addresses
----
tz1MfeYbh8t3CL2Jgom2aZXBo4AGdoEDufw5
bnb1rvfraelekr9xns90hwn45wxdxuqzd3rujdpwzc
bc1qnwdcqd9fq5mzghzz2tfftwwar8vsy4ezt49ypg
1HwngaiHVLic8f86MVaatHnMRnXeUnJjsy
3ECXLjASVRpGmtD1s5CGD9eCaBL7rh7vWk
rNDzXXvuCvjNaJdazZxaFKqz5t2g23g5Ka
0x0591Db8CB9cAfe5529592131B334F431B3A480a2
grs1qrp44g5yslllprereqa53fxzwjh08886ah96y3f
ltc1q3mz97ldfuvjttf23allnmfm8lz88wzrqcdt9z7
LQ8bxHKMXfVpjXqobko1rKXXHgrraBkf7R
MRrzfjX13QBV5DxnebbVcGux5izTdUEgmA
qpqhfje9sa2vnem38eyu4m6t2ktkq2pdzgq40xevx0
XyMKEgYGgnJnCmksooZJVeNH59eGyV4FUw
DHYpKhr1hp7MReV6K7TvhpznXDEQyozB3d
addr1qxcz55s5kkacz7jp2euxez983afeh7xlctdkyak877745rds9ffpfddms9ayz4ncdjy20r6nn0udlskmvfmv0aaatgxsmgqw2e
TYTsY8NizEDdmcxkoMMX1dgL9oDvGCLkPz
42h6w41ACBuLVfnfrZoPNsgY9uiGa6evqhNRErrKWiSeCkXehxKzyJVii9yDX4eNZZRgruVPLzq1i9f7YLAy2UVMT8P6H
88sP54naX1TFSeNtPqRtRjhMkGhiSg9Fu9pWE6QwfYZMisaGyspWvpbiWhUSBAyySwH5ZBuuNemmPDPmLNbV
1XA9J4Bkm6YNEFZ6p9C2NzWH5kMvCxukgRBYSxyV4y8AxYv
----

=== File signature
----
Install.msi# ---> 448172A55C7A9F547613944C9E34D1C3299EA46F:GreenLine
----
Software Corp.!!! CN=GreenLine Software Corp., O=GreenLine Software Corp., L=Ottawa, S=Ontario, C=CA 95 | ---- 96 | -------------------------------------------------------------------------------- /June 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = June 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Android.FakeApp.1382 | 18f7d33342f53f8727c8e9b4d6895a2921e025b6 9 | | Android.FakeApp.1382 | 1c83bc176901c6358b9483b295f6173c47ebe650 10 | | Android.FakeApp.1383 | d64b2846aa136b5ac8348c1bd7e8202d22d8b735 11 | | Android.FakeApp.1384 | c1e897c6aedf7155200d48a0cde2336cc0fb80c0 12 | | Android.FakeApp.1384 | 54df7237d1c85b8adf18b0529de80a6723358f17 13 | | Android.FakeApp.1385 | f1b506358c0776387f6645a47551f1ba3a3545cc 14 | | Android.FakeApp.1386 | 04058077c0b8473981b8cd0404bb7a2761306a08 15 | | Android.FakeApp.1387 | db852eff26385ecc105fc33d52d88684eb064714 16 | | Android.FakeApp.1388 | 50447b27b95c457e40a33ba589b3db9b8bdbfd86 17 | | Android.FakeApp.1389 | 313a557938c9baca45ce9c10ee0800eec996e147 18 | | Android.FakeApp.1390 | caf56d87c84a358a65b81c6672f00a02b5d86333 19 | | Android.FakeApp.1391 | 340f128552a53b772893719bdb52d4d7d2b7e26b 20 | | Android.FakeApp.1392 | 989fbca743a20f947a992f49fd4ded678dd32d32 21 | | Android.FakeApp.1393 | 145e13e596ecf7313c57acb37ec8205260c8bc26 22 | | Android.FakeApp.1394 | 4adcd7820117221656fef0908baa52660b4e2c42 23 | | Android.FakeApp.1395 | a980cb423e7532ef47b065337704761b4407be90 24 | | Android.FakeApp.1396 | bce2479299eb9f92969268175068b324c9399b9e 25 | | Android.FakeApp.1397 | 1274e048503a42267b7e4768c10401a75cc3ba46 26 | | Android.FakeApp.1398 | 5d49423046d03474083d8bdd548d13ba92c94d8d 27 | | Android.FakeApp.1399 | a2f92d67ec5606318bc868f63dea5161396b7652 28 | | Android.FakeApp.1400 | c3985857d2af87354609e0f51bacd07d6bd03568 29 | | 
Android.FakeApp.1401 | ef342f82fdb71ef841322c543a7a2080fb535bef 30 | | Android.FakeApp.1402 | 0c37e514710bf9213240e340c25b984ba5e7807e 31 | | Android.Joker.2143 | 69cddf835dc7206801f8731e74b165e47b94ec80 32 | | Android.Joker.2152 | da2e078ab4471cf99e2360baf915ef6f774fed56 33 | | Android.Joker.2154 | 72f37ddb2b8e9f728c773f9a0e4923ec7aaf4baa 34 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 35 | | Android.HiddenAds.3697 | 0076a14a2bdf842e9252f6001838ace90ef752c4 36 | | Android.HiddenAds.3697 | 053567eb93555796cef87f8286b85e8cf5df78f4 37 | | Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e 38 | | Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249 39 | | Android.MobiDash.7795 | 74100612fdab32692c7a062f4b905e393c0efb64 40 | | Android.MobiDash.7795 | a83df3f861333847512293949261f5936298af9c 41 | | Android.Pandora.7 | 06e5f681fbae1d5a5d859e63c9d57a0f684a5db8 42 | | Android.Pandora.2 | 14215a93ed5d0a86f31aab0b2d7be6db8a45a371 43 | | Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc 44 | | Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f 45 | | Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f 46 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 47 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 48 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 49 | | Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167 50 | | Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e 51 | | Program.Reptilicus.8.origin | 5319ee8812065d002a3e576a7669ca3e4356c0f7 52 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 53 | | Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26 54 | | Tool.SilentInstaller.7.origin | 4fbf1629b2ec49cb2839c3e31f9adbc32285b741 55 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 56 | | 
Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 57 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 58 | | Tool.ApkProtector.16.origin | 18fa72deca1d7872fef7d81c0b73d1408d8e2484 59 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 60 | | Adware.MagicPush.3 | 5dc16a173eb747a1029e50ed5614a5aa1819cd36 61 | | Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d 62 | | Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5 63 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 64 | | Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 65 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 66 | -------------------------------------------------------------------------------- /Android.Joker/README.adoc: -------------------------------------------------------------------------------- 1 | = Android.Joker on the Huawei AppGallery - Indicators of compromise 2 | 3 | == Samples 4 | 5 | [cols="2,5,3,3,6"] 6 | |=== 7 | | Detection name | SHA-1 | Application name | Package name | Configuration 8 | 9 | | Android.Joker.531 | 2349b2c0238dcc52e072500ea402128de0a216cf | Super Keyboard | com.nova.superkeyboard | hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/ 10 | | Android.Joker.531 | 0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8 | Happy Colour | com.colour.syuhgbvcff | hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/ 11 | | Android.Joker.531 | 443c73e1ee2cc7c9301ac4dfe14411762689baf5 | Fun Color | com.funcolor.toucheffects | hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/ 12 | | Android.Joker.531 | ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d | New 2021 Keyboard | com.newyear.onekeyboard | hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/ 13 | | Android.Joker.594 | f1b49a444f554bb942fd8f5a9ff2a212d8db6247 | Camera MX - Photo Video Camera | com.sdkfj.uhbnji.dsfeff | 
hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/ 14 | | Android.Joker.594 | 9dcc00513144612fdfcdb57278b2a54654b996ec | BeautyPlus Camera | com.beautyplus.excetwa.camera | hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/ 15 | | Android.Joker.658 | 3950c89eb27c973dce8c1c0ea3ae30baa0f7544e | Color RollingIcon | com.hwcolor.jinbao.rollingicon | hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/ 16 | | Android.Joker.659 | 9d2337047ca59d1375c898cf7d0361fe56c3576c | Funney Meme Emoji | com.meme.rouijhhkl | hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/ 17 | | Android.Joker.660 | 57148c6e040fb15723e5ca040740ae8901fd2dae | Happy Tapping | com.tap.tap.duedd | hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/ 18 | | Android.Joker.662 | fb184efe017debc57eba118ab7aee17fd946e1ec | All-in-One Messenger | com.messenger.sjdoifo | hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/ 19 | |=== 20 | 21 | === Android.Joker.242.origin - decrypted payload 22 | ---- 23 | a1a6eea1397dbdc89618dad549ac81bf896747a1 - sdkplugin001.apk 24 | 4fff23f587ac5891a207844e34cb442e45abda15 - sdkplugin002.apk 25 | 91315f824341b8b27e9f32c36dbdb77c4808f1b4 - sdkplugin003.apk 26 | 7f12bf4edc5492c8d867753ca6f61f19a3007f53 - newSysSdkplugin001.apk 27 | e442a5b7fda81746ec6a6f4597d867859369076a - newSysSdkplugin003.apk 28 | 65624632270075109bc65ccee7101c121466b47f - newSysSdkplugin006.apk 29 | 75d4aee6b254afd0984fcfc5def2c41f2613c287 - newSysSdkplugin007.apk 30 | ---- 31 | 32 | === Domains 33 | ---- 34 | hxxp://novasdk.oss-cn-beijing.aliyuncs.com/ 35 | hxxps://ad.mobnv.com/ 36 | ---- 37 | 38 | 39 | === Samples from Google Play with the same payload. 
40 | 41 | [cols="2,5,3,3,6"] 42 | |=== 43 | | Detection name | SHA-1 | Application name | Package name | Configuration 44 | 45 | | Android.Joker.592 | 1ed1c87bbf34c377a978c6bea3591216eecc7add | Funny Color Test | com.dusw.funtes | hxxp://api.lemonmanga.com/ 46 | | Android.Joker.614 | c87cf64419c60d3fa538881d4f3b928bfa554550 | Voice Changer with Funny | com.changer.voice.funappjokes | hxxp://gp.fortunnecat.com/ 47 | | Android.Joker.617 | 01fd0eb92677e6a7afb889bf2d70537d35e1ed09 | Rolling Icon Plus Fun | com.rollingworld.iconplus.comfun | hxxp://gp.fortunnecat.com/ 48 | | Android.Joker.619 | 56bd7e1b702b2e80383071e2a8ab3367ba5a2fd7 | Deep Keyboard pro | com.keyborada.emoji.pokimon | hxxp://deepkeyboardpro.oss-cn-hongkong.aliyuncs.com/ 49 | | Android.Joker.620 | c8453fef3b7435ea1ebb0956908bc27547a7ecc1 | Story Teller with Cute Layout | xa.photocc.opd_collage | hxxp://router.cutebubblegame.com/ 50 | | Android.Joker.621 | c0db92460ef93edfe2e580dd90d6356300fa4515 | Smart Designed Keyboard with Emoji | com.des.keyboardros | hxxp://router.cutebubblegame.com/ 51 | | Android.Joker.622 | b23e935ab53f3b327dc65738533ee45ad597bb4c | Smart Background Eraser | com.times.backgiydnoty | hxxp://router.cutebubblegame.com/ 52 | | Android.Joker.623 | 6a3e9aef77df2365cd832ad67d89bf7eff88252f | Photo in Motion and Moving Picture | com.deotech.phots.poxtionas | hxxp://gp.fortunnecat.com/ 53 | | Android.Joker.624 | 25f975b826d1a44ccbf42f1502ca3a6c2dc0eec7 | PIX Photo Motion Maker | com.photoxmotio.animateions | hxxp://gp.fortunnecat.com/ 54 | | Android.Joker.630 | 84e2587ce7049519cb129d48f57d7157219c461b | Shape Your Body Magical Pro | com.camerasideas.collagemaker | hxxp://welcome.baltergames.com/ 55 | | Android.Joker.632 | 3c9825ac8e3d0045fbd216de8555f4d66f6f3cea | Assistive Touch Control Centre | com.kong.toouch.ass.iphoea | hxxp://welcome.baltergames.com/ 56 | | Android.Joker.633 | 1ed179ccd62aeab9d095041c42dd3d274dda291a | Smart Computer Style Launcher | com.windowspl.launcherwith | 
hxxp://welcome.baltergames.com/ 57 | |=== 58 | -------------------------------------------------------------------------------- /Q2 2025 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = Q2 2025 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.Adpush.21912 | b3c54d43246cf21354130a05d1957b1c1d0bedd3 9 | | Adware.AdPush.3.origin | 501f36db0aae9f950fe5559fc12820f20cd1f620 10 | | Adware.Basement.1 | 910091acd64150480c41ec265e41da4c4a168e69 11 | | Adware.Fictus.1.origin | a0f870b496e957029e136ba299ba326f7ca709d1 12 | | Adware.Fictus.1.origin | e2baa09fcdef1f8e1b438c1a0e5aca83cf473feb 13 | | Adware.Jiubang.1 | c0d4e2e7fdea7cfed327792bb67c8de24bedb9ab 14 | | Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065 15 | | Android.Clipper.31 | 90013a24d03b72a6d9f8df38899fc2200e69682d 16 | | Android.Clipper.31 | 9521dbc9fd8f3bcefea1056f08619a4c54c9edd5 17 | | Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78 18 | | Android.FakeApp.1777 | 4ae944f17a6cecaba788271cfb3945b417b8e1a2 19 | | Android.FakeApp.1787 | ca8b9379c8b32efba832f565e7d788ba9b82206c 20 | | Android.FakeApp.1829 | 198d3f71918625bb9d624ca2851af58bacebb6a6 21 | | Android.FakeApp.1835 | 7c617ba259a94d88de41a0bd3aad7126daccfed5 22 | | Android.FakeApp.1836 | a43ac08111828e61ae7e0af6162efd93b82fa7a0 23 | | Android.FakeApp.1836 | a43ac08111828e61ae7e0af6162efd93b82fa7a0 24 | | Android.FakeApp.1837 | dd9f6e9ba759e8005065c4c153628e233c7b44fd 25 | | Android.FakeApp.1840 | 9e717e32c7847ff586cb426d72b97a5b2e5f1af1 26 | | Android.FakeApp.1841 | b1fb4815bdb0a34f3ae2cfd7a0fa15dd69680bdc 27 | | Android.FakeApp.1842 | 1c76b23e9a9830073212dbdefbe0fed16c70b43c 28 | | Android.FakeApp.1843 | 2b81b788ad3d8c17799b857873ddeca557b10567 29 | | Android.FakeApp.1847 | c2ef076a2dd41e6897b00abb4d6a8427a1f212c0 30 | | Android.FakeApp.1848 
| a6bc66f321281c369228d8c6d6106ea2e5a9edae 31 | | Android.FakeApp.1849 | 97d0b8d71b2ccfc9ee64f7fc76bbb080c3cbce95 32 | | Android.FakeApp.1852 | eced340638a97d234a03f3c13d7a75525550c3b7 33 | | Android.FakeApp.1853 | 68b8082045c938c35e8d0c87ce37323836b16f5b 34 | | Android.FakeApp.1853 | 68b8082045c938c35e8d0c87ce37323836b16f5b 35 | | Android.FakeApp.1854 | 90c9c19c9247f86016d9a1fc7fb14bc4d2796a4e 36 | | Android.FakeApp.1855 | a5425a39a382e9f697f29595f5d5507a7667e465 37 | | Android.FakeApp.1857 | e8dbfe4ec423cefacc793d52d6dfa9ac145dd4b6 38 | | Android.FakeApp.1858 | 1eae146be70f1115092db0205ecfc4e2333e295a 39 | | Android.FakeApp.1859 | 49f96e7d64ea458e31726c25d1860459ef602151 40 | | Android.FakeApp.1860 | 79aff0c3b270c032b9cd74cb88bb7075535c7c30 41 | | Android.FakeApp.1861 | 4a25dbf2a821973de7325ecd975c196f97c7bff2 42 | | Android.FakeApp.1863 | d9dbf1897d14a7252dfbda83d5010c418bc7bcc0 43 | | Android.FakeApp.1864 | 50e00a8948560c20f406a25b5e4eb0f43bc2b765 44 | | Android.FakeApp.1865 | 75f84ba3a89f179039e0d7846c81e30ff74356e3 45 | | Android.FakeApp.1866 | d36630642b26de86b97142fffdd69db961f2a078 46 | | Android.FakeApp.47.origin | ab878053c24f3e4f3a011700dbe62a2ef8aaf0b9 47 | | Android.FakeApp.47.origin | 64d3cd0a2bba51cca40f7b3e3c3c148928a21e2f 48 | | Android.HiddenAds.4213 | 93dc963167a7c3b7b826914aee948207c8c41305 49 | | Android.HiddenAds.4213 | a8b1cb411cb1735e4ae59e9f25659b2bb1118d46 50 | | Android.HiddenAds.4214 | e68214a005a273194dc9a01088e4c11c4b565d3a 51 | | Android.HiddenAds.4214 | ff5fd1496253fddab885f67bcc04a512b9e83028 52 | | Android.HiddenAds.657.origin | 00832c46bb70bf4f0ddd3b5364f1cf32a610aa71 53 | | Android.MobiDash.7859 | 15858bab4022440fbd7e9e3a76791613f060cff0 54 | | Android.MobiDash.7859 | 23043aa05d04a1750d937b01a0c1a6896de5ec5c 55 | | Android.Spy.1292.origin | 8625d002e768f1ce451b4f7a0fadc6804ade834b 56 | | Android.Spy.1292.origin | ce71efb93cf4d79bf431d8edfbae7b8b7b55fe44 57 | | Program.CloudInject.1 | 9ee08b1c245a5c8dbc268788374cb89e79beb26b 58 | 
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e 59 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 60 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 61 | | Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81 62 | | Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b 63 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 64 | | Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362 65 | | Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7 66 | | Tool.Androlua.1.origin | 2fc769c357159a116d13d51172952150096734e7 67 | | Tool.Androlua.1.origin | d7a2606d1c014a070b7d76dceebd5e06a75553ff 68 | | Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771 69 | | Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6 70 | | Tool.NPMod.3 | 571d981e2f63081376cc84d680fb6b51a11573a0 71 | | Tool.Packer.1.origin | 897b65ae5ab11a2ceeb238b4ce41fab0b413c466 72 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 73 | -------------------------------------------------------------------------------- /Q1 2025 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = Q1 2025 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3 9 | | Adware.AdPush.3.origin | 501f36db0aae9f950fe5559fc12820f20cd1f620 10 | | Adware.Basement.1 | 910091acd64150480c41ec265e41da4c4a168e69 11 | | Adware.Fictus.1.origin | 0867d90ac1aa5680cc99d64a6b6ea6d491495f4c 12 | | Adware.Fictus.1.origin | e2baa09fcdef1f8e1b438c1a0e5aca83cf473feb 13 | | Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065 14 | | Android.CoinSteal.202 | b27c3eba03bedc4bef1156ff9455f393fb5d90ee 15 | | 
Android.CoinSteal.203 | d35fd8d16731823a347cab05dd15910e8580566a 16 | | Android.CoinSteal.206 | 34c16030fd7f3ccecb3ca7668eaf3d89c6c93fa7 17 | | Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78 18 | | Android.FakeApp.1650 | 170ffc0c1ad0813ef131c65deef457a5ed865862 19 | | Android.FakeApp.1650 | 170ffc0c1ad0813ef131c65deef457a5ed865862 20 | | Android.FakeApp.1669 | f413239a50a79ca5dd498d8ae97ece5f93bf0718 21 | | Android.FakeApp.1669 | f413239a50a79ca5dd498d8ae97ece5f93bf0718 22 | | Android.FakeApp.1753 | bf184dba13e57cd96d0395cd6edef959c154e394 23 | | Android.FakeApp.1754 | 0d056708c6bf9466c3419132509e1ac7caa1f158 24 | | Android.FakeApp.1757 | 3079891b1d35560a4219442b1b07e41321063504 25 | | Android.FakeApp.1759 | a50415ffc1a38eecdb8ee449cc342954a519f89d 26 | | Android.FakeApp.1760 | 3698e36fac55b5e1adb3dd9c999b551dfde33ced 27 | | Android.FakeApp.1763 | 5caa950199e4b2c4c76bf5986d453afd970448bd 28 | | Android.FakeApp.1765 | 09eb60e7a4af984cb56c745dae0cc03cab6f2b73 29 | | Android.FakeApp.1766 | 3c29ff857d4a2fc5cbffea8d068cbda25abec177 30 | | Android.FakeApp.1767 | 832780c30661bb534c79516625acc3d02a314b85 31 | | Android.FakeApp.1768 | be908680a7a0438344a12a4ec0c8268949bb6586 32 | | Android.FakeApp.1769 | 3d1cd251d07977ee113fb7b0a140208a9f3a3b85 33 | | Android.FakeApp.1769 | 3d1cd251d07977ee113fb7b0a140208a9f3a3b85 34 | | Android.FakeApp.1770 | d6a6d532e52445f30378e9616524f30471f62c00 35 | | Android.FakeApp.1772 | a0637845646996679d276bbafe159add6e914fcf 36 | | Android.FakeApp.1773 | fd26c905259046dd3780709cab72fdefce786498 37 | | Android.FakeApp.1774 | c660825a29af5565ab181bf06f9376e7a1320b94 38 | | Android.FakeApp.1775 | 157a45f097b0d749d7f2084155703fc378334be4 39 | | Android.FakeApp.1776 | 97bf1910628c2d72f3be70eb14c17ecd4cdc2088 40 | | Android.FakeApp.1777 | 4ae944f17a6cecaba788271cfb3945b417b8e1a2 41 | | Android.FakeApp.1777 | 4ae944f17a6cecaba788271cfb3945b417b8e1a2 42 | | Android.FakeApp.1780 | fc536c0442f084909315af8a246c6e157bd6ee2e 43 | | 
Android.FakeApp.1781 | ec215cae6b1702d8e13f4ba6cb62790bc1d597c1 44 | | Android.FakeApp.1782 | 47c7bbc75e703c912b46acbd36256fc3e416728b 45 | | Android.FakeApp.1783 | 35ce46058779c0add6090f774047b8d9d14d22ad 46 | | Android.FakeApp.1784 | b0933d4715f39ad49c875fa958f893871f972a6e 47 | | Android.FakeApp.1785 | 9b8833c66444e27b2dcc412060263f153f551dab 48 | | Android.FakeApp.1786 | 3a2f854b5688db88a66c7b642e3a3998e5dcf78a 49 | | Android.FakeApp.1788 | 06de595076b09e34c2b106d2ffd75b920420e1f7 50 | | Android.FakeApp.1792 | 8bb091cd9e5e13cb9f24092f14c8224c225b688d 51 | | Android.FakeApp.1798 | 1e742e0714a94432a8e4e5996305cb9dc3324879 52 | | Android.FakeApp.1802 | 841895ad6975892d676c58c2d641f582801427ab 53 | | Android.FakeApp.1803 | 65cda6c4aae2980e450681b9ff08211ac92b96ed 54 | | Android.FakeApp.1803 | 65cda6c4aae2980e450681b9ff08211ac92b96ed 55 | | Android.FakeApp.1804 | e267804a181badd33e8f14aa12241292976f66c7 56 | | Android.FakeApp.1805 | a6781281364469b73f649c20a12d4a3b21ae26e6 57 | | Android.FakeApp.1806 | 755f56e4c1222b93c3d2f05ac435b5a4e8e48d4f 58 | | Android.FakeApp.1807 | 23a9b63dae25c5ef73fbfa0f541a2fff060dfa0b 59 | | Android.FakeApp.1808 | 455357f5560f1d49f11145797cecc3eb9421a19f 60 | | Android.FakeApp.1809 | 5755946fe14453ebcad3512db4b3d5e40dcbc71d 61 | | Android.FakeApp.1810 | a6e3c488433ac30778bbfc52349521ce568dbd3a 62 | | Android.FakeApp.1811 | 03f282e476f02f28343c78082cebf04f65271353 63 | | Android.FakeApp.1812 | 19622878633a0051fe2db7ace73fdff828fbd15e 64 | | Android.FakeApp.1813 | 1b8fe1af594f93e2aad2c31e4a6fd65a8e8b6e48 65 | | Android.FakeApp.1814 | e2e9e781a96086592ef6d75d481f69de4903a4e9 66 | | Android.FakeApp.1815 | ff94fd66eb1ab94313d81ba6d38b81d9d6a07cfe 67 | | Android.HiddenAds.4213 | 93dc963167a7c3b7b826914aee948207c8c41305 68 | | Android.HiddenAds.4213 | a8b1cb411cb1735e4ae59e9f25659b2bb1118d46 69 | | Android.HiddenAds.4214 | e68214a005a273194dc9a01088e4c11c4b565d3a 70 | | Android.HiddenAds.4214 | ff5fd1496253fddab885f67bcc04a512b9e83028 71 | | 
Android.HiddenAds.4215 | e841d57a25561a4221fdb862662b2f9a091a7973 72 | | Android.HiddenAds.655.origin | ded1493bc26421eb5a3e48e699c7a30758a4632a 73 | | ndroid.HiddenAds.657.origin | 00832c46bb70bf4f0ddd3b5364f1cf32a610aa71 74 | | Android.MobiDash.7859 | 23043aa05d04a1750d937b01a0c1a6896de5ec5c 75 | | Android.MobiDash.7859 | e7ba7761fb2d890acc4374a19b1e6e8b41cd7013 76 | | Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc 77 | | Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e 78 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 79 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 80 | | Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81 81 | | Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b 82 | | Program.FakeMoney.14 | b24ab6409d590fa758ae1672bf9d854e348e50fe 83 | | Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7 84 | | Tool.Androlua.1.origin | 2fc769c357159a116d13d51172952150096734e7 85 | | Tool.Androlua.1.origin | d7a2606d1c014a070b7d76dceebd5e06a75553ff 86 | | Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771 87 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 88 | | Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6 89 | | Tool.Packer.1.origin | 897b65ae5ab11a2ceeb238b4ce41fab0b413c466 90 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 91 | -------------------------------------------------------------------------------- /October 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = October 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22 9 | | Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450 10 | | 
Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8 11 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 12 | | Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d 13 | | Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5 14 | | Adware.ShareInstall.1.origin | 0f244a35f16ef045bb389a07c520d222e683561d 15 | | Android.FakeApp.1433 | 681da5f4b937b31c23a5797ae13d0cf5357e0970 16 | | Android.FakeApp.1433 | cf7d4845f3044ea63fc80c14a2d36dbbb84a1bde 17 | | Android.FakeApp.1444 | a8ba0e23121da35c6f7705b72fd7cd3fecb77381 18 | | Android.FakeApp.1445 | 5c2851352342f24349cc121092ebd10b9c616947 19 | | Android.FakeApp.1446 | 64c63c98fc6d27ddc69e2ff940207c7a4ad45a5c 20 | | Android.FakeApp.1447 | 131569edf82b53165112c350a19befc42be9c39a 21 | | Android.FakeApp.1448 | 024bbb91dc5e6879cda0328394b184bd2396acd7 22 | | Android.FakeApp.1449 | 9e6c71332cb11bfcf4d9c40fa0a6914ee1fddd38 23 | | Android.FakeApp.1450 | 40fd023d1abe5e5888fbc5d90b18e045de9e9679 24 | | Android.FakeApp.1451 | 1f7ba340f1a00c8d92d0e0489d45b6fb00350893 25 | | Android.FakeApp.1452 | efc89ee9932976c9048accc98d5621d750625610 26 | | Android.FakeApp.1453 | 8ee30915398b46529383be9880d42494ce6c41c2 27 | | Android.FakeApp.1454 | 01078c3ee397934e785833f716944a340e63b1ec 28 | | Android.FakeApp.1455 | 4b4433e9be042fd70ecc962c20bd072aa9e8395c 29 | | Android.FakeApp.1456 | a16d0f3cae0148cac179146abb7b5e88d5df35b3 30 | | Android.FakeApp.1457 | 64ea654138de4ce1f26272515f7307d68118a415 31 | | Android.FakeApp.1458 | e8fd03e811466728e56e9516947dffe08f9bc0c1 32 | | Android.FakeApp.1459 | bcd6fad788b5980afd869e326329de56073c57e3 33 | | Android.FakeApp.1460 | 6dd79f29aacb57ed6936ee6606b5f76de96e66ae 34 | | Android.FakeApp.1461 | fce9a7d0b7040dcde063a7118d78ba10b487238b 35 | | Android.FakeApp.1462 | 627ef0eac3f3d3137ac49534a00c14bbbefd6941 36 | | Android.FakeApp.1463 | 020d0006a876e086221c03c0f856cd8d949fe27f 37 | | Android.FakeApp.1464 | d56871d43353a4733969aeb035fd0a747cea292a 38 | | 
Android.FakeApp.1465 | 4805e253c25d752ea85e2974199bbbb3e9e573a6 39 | | Android.FakeApp.1466 | c61a0fdb31c4f336b5db7681b7e7a6fe9b5166e6 40 | | Android.FakeApp.1467 | 5c2dc84e6b1f593fc5b30d0054b386b1844db8c9 41 | | Android.FakeApp.1468 | 87a1a566ff0f9f5a8c0f924ed403049639694a10 42 | | Android.FakeApp.1469 | 18696ee9a742afa9559a70d538822f2ee015f601 43 | | Android.FakeApp.1470 | 552021e9146a913fb958e7a55c3c17e36b6cdfc4 44 | | Android.FakeApp.1471 | a1ba75f9cea52c27d84cc72a04e1a5401706cf15 45 | | Android.FakeApp.1472 | d37acf1e4f46a069396138ba8982b7da3ceb7b95 46 | | Android.FakeApp.1473 | 4982b05efa97ad13a536487abd67f193bcc222e2 47 | | Android.FakeApp.1474 | 5e60f9ba792d154ea7eacebbac01732c51faec7e 48 | | Android.FakeApp.1475 | 81f22618a467f8a4e90e1b59a4f7b7601499ac73 49 | | Android.FakeApp.1476 | 6923a00e52e1caf1c041ee570294e26d05b965b8 50 | | Android.FakeApp.1477 | 10896bb3313e27fa6764068d16f46af54b501be2 51 | | Android.FakeApp.1478 | fb3c899cb5e9154b49043b369fcf06527ea012db 52 | | Android.FakeApp.1479 | e9a2ab497c672288a2c767f8a429d876f37f294c 53 | | Android.FakeApp.1480 | d1770caa733ff1fd793fbf0d99c55478f6ceeb49 54 | | Android.FakeApp.1481 | 9e44f6a792e5c4f42aa35164599ca4c09c302b6c 55 | | Android.FakeApp.1482 | fb0d416bc696f7e65449ca772bad7aae31c7077f 56 | | Android.FakeApp.1483 | ca6fef614732593c9fcc6065772ec2abe7bfdc4e 57 | | Android.FakeApp.1484 | 54a2d66e5cb2b8f4af1b0a97d1e1da07906f2f42 58 | | Android.FakeApp.1485 | 3ece2904a7d7bde16a39a4369e43971a8dfabc71 59 | | Android.HiddenAds.3697 | 3e7ad99c00ceaac0652e0c83a39eb99b37bbeb41 60 | | Android.HiddenAds.3697 | 40c1fef8f409902d0bcf6a83ebab236363c8e5b0 61 | | Android.HiddenAds.3831 | 2676c83f7126df8c1ad9c474d1e2f51bef3d9936 62 | | Android.HiddenAds.3831 | 296fe2c83a97b7f9bb8286c4993de23a5ef39bd4 63 | | Android.MobiDash.7804 | d9cf9f28d5f6edc5d2c754501ebc3451a503d17f 64 | | Android.Proxy.4gproxy.1 | a4bb2d7c4271fd9c733cc04ddaf2bc49d3038fe9 65 | | Android.Proxy.4gproxy.1 | b922b0b06b5d0c7310844d2fc48986d00cceeb14 66 
| | Android.Proxy.4gproxy.2 | 5a6217e4175eb5ea0a44bfbc926d18a8e303b301 67 | | Android.Proxy.4gproxy.3 | be0df625c0d43562d3d9d9db2b97b85a85521e48 68 | | Android.Proxy.4gproxy.4 | ac1e9cc1aadd8c696cfad43ea1d91a6b134ecd1f 69 | | Android.Spy.4498 | 52f091fa1a98c3ab9f322e94ccfb390bd39ffc83 70 | | Android.Spy.4498 | 5f8fcd7375ecf7ee027b78e68e8fdd7c996a5bc8 71 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 72 | | Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc 73 | | Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e 74 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 75 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 76 | | Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc 77 | | Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f 78 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 79 | | Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362 80 | | Program.wSpy.3.origin | 25f6988e1a46566ac85463fd3f66d314b4441263 81 | | Program.wSpy.3.origin | 6ca09dd7292d2ea97325c1aa4217dc3232e84ca7 82 | | Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771 83 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 84 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 85 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 86 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 87 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 88 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 89 | | Tool.WAppBomber.1.origin | 0ee45a56d9223551183b66d5b41ac02945fac885 90 | -------------------------------------------------------------------------------- /Q3 2025 review of virus activity on mobile devices/README.adoc: 
-------------------------------------------------------------------------------- 1 | = Q3 2025 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3 9 | | Adware.AdPush.3.origin | 501f36db0aae9f950fe5559fc12820f20cd1f620 10 | | Adware.Basement.1 | 910091acd64150480c41ec265e41da4c4a168e69 11 | | Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065 12 | | Adware.Youmi.4 | 09681eeb301f6c81043bcad56366176beafd9d78 13 | | Adware.Youmi.4 | b470652fd537d6c0449b4a2adca7815a8181c2e6 14 | | Android.Backdoor.916.origin | 4000d55e218b54eea9090b01d4a96d1410c6c4b1 15 | | Android.Backdoor.916.origin | 94d25cebb6ba408c7c45bd12fd8aca5293d5df21 16 | | Android.Click.1812 | 2157969ab0856b72ff4a2a089797fdb463a23753 17 | | Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78 18 | | Android.FakeApp.1880 | 01c25fce90d602644a090ab023481be1a72d27af 19 | | Android.FakeApp.1880 | 361a5329b663e6290fc77c1d98789660e8ff9670 20 | | Android.FakeApp.1881 | 3d04f7539f5a978c30ae83b76a538302391f5490 21 | | Android.FakeApp.1882 | b3d34bea2da416442e9a7d73c76e81319ed51c58 22 | | Android.FakeApp.1883 | 03b353708d3084576683baed8d221c65bc8d97f8 23 | | Android.FakeApp.1884 | 29aaecb7d580aee86bad0326af6479c038b548e9 24 | | Android.FakeApp.1885 | 3e6e037066bfb0f9c84facd02593562eaceb3fce 25 | | Android.FakeApp.1886 | 267b5084208bc10bd2a9ad78d8addd8a46f8b34d 26 | | Android.FakeApp.1887 | 3ad42570454c9737d2c1fe1c9e22b5391f082bb1 27 | | Android.FakeApp.1888 | bca7a6c7f5afafc155dd5d72eec299587f1a9edb 28 | | Android.FakeApp.1888 | c982e06911d7dd5b8210f30a3e905c4f9992681f 29 | | Android.FakeApp.1889 | 44437f73e1b1fce16796ea5389a5d0ea0b503d2c 30 | | Android.FakeApp.1890 | df640a948ac5afaf91d529c14222a6129ce91b58 31 | | Android.FakeApp.1891 | 3accc8fd979548e0a10dcc82c09c255a7bd69505 32 | | Android.FakeApp.1892 | 35a787a3b46a6b2261c875e8c710933e96d47203 33 | 
| Android.FakeApp.1893 | d70c2e171053796b81d5cb24ce4666045893eb4e
| Android.FakeApp.1894 | 81c9f469e0f360632cb26088418db34d471129d8
| Android.HiddenAds.673.origin | 552cb2d3197b6bc18509283064344bd92457d6d4
| Android.Joker.2406 | 0bc944905a91687b6c51b0c41f4a7733407f8633
| Android.Joker.2406 | a0fb70b088a4cffdcf2c0fa49459a920d578eed7
| Android.Joker.2408 | d83990fbc2660566700f6e8eb20d853d4f394f13
| Android.Joker.2409 | 9c16bcea6ae85dfc85a04f85a63e563a26f8bb1d
| Android.Joker.2409 | 9c87a7566e4556309680ece73a20f55e72da97e4
| Android.Joker.2411 | 1debacf6fe7e56beaef7588abc6d3fd794b53e92
| Android.Joker.2411 | a35e227b66933a6e3493d13fc7cb8e4dad5e3767
| Android.Joker.2412 | 4829e09ed7d94f1ec866caa5eee0966e1797a4d0
| Android.Joker.2413 | 01c17098e83b63977c02c9e771211f255dec4c25
| Android.Joker.2413 | 136e4fff6af22d65b42818738122b78e406968f4
| Android.Joker.2415 | 64e0f1cf5dc7c2fe5ebfd65c9b395e34c71eb564
| Android.Joker.2415 | c8d9013522de509c82ccb95fc747ede24339170b
| Android.Joker.2418 | 5897c6de468b2dd5743f9e148aac0446b06d26fd
| Android.Joker.2419 | ba77487471396d386b968dcbedf0e6db5a1cc8f0
| Android.Joker.2420 | 3a280a6c699119da8ee52cb4a6684fb4ad028d00
| Android.Joker.2421 | 89ca6d40b45b241851a1187ffb026faf7a0166bc
| Android.Joker.2422 | 067b90b8d97cd372f8c84ae95f4af22c0365c4ec
| Android.Joker.2424 | 8479b79d761bddf47f06926d2d7c17646e63f3a8
| Android.Joker.2425 | 1566d671c585622f64cfe41e2574f0eec046b3ff
| Android.Joker.2427 | 10adbc63a85f486069d63580b885f154d55d5268
| Android.Joker.2427 | 25a380f2acf1952baa2efe6bbbb3aff77edebac2
| Android.Joker.2429 | 26dedd40dc1df425ee44c6a4aee5593ebdd095ee
| Android.Joker.2430 | d58cfa62b0192a923a2f0a68448fe5011018e452
| Android.Joker.2431 | 359b7af6e135b6cabf039237fa823e97736346ef
| Android.Joker.2432 | a14ff2dd340b12d81ea2575ec7784c67efe030db
| Android.Joker.2433 | 1be3abe49ad42844eff4ab14f4f1c3215ca7d818
| Android.Joker.2434 | 821f5415f52c153b65a5f3422f64579794f70939
| Android.Joker.2435 | 29026fbe525a48958c0c902c2aba86a580638ac2
| Android.Joker.2435 | 3ee3aa5b36429d37d1abad031ce23945b4a7ade0
| Android.Joker.2436 | cdbaac708d723122096184900fcaa08a01f2213c
| Android.Joker.2437 | 6622a2ffda578398fc71bec35b8a56ff8db5b43f
| Android.Joker.2437 | b4612c2e2db62a5aab59994c647e13cd0f7bef80
| Android.Joker.2438 | 38b6212120647c4d6a1f7148c6709564b6c8d179
| Android.Joker.2439 | 703043b83ab58a49f26a30f2de336651497d8b5f
| Android.Joker.2440 | 0d92be5de8227fe279069050fe59f93e0fdbdbe5
| Android.Joker.2440 | 20c97925d6ec980cb2a0750d3eeb6364fdbe956c
| Android.MobiDash.7859 | 06cc4ba166a8b8695fbe2e1fc827bb1fc156f974
| Android.MobiDash.7859 | 15858bab4022440fbd7e9e3a76791613f060cff0
| Android.Triada.5847 | 3e2bcf5bcb24ebef7f9b0e6d0dbffb508887eea2
| Android.Triada.5847 | 62188aedf16bddf8de9425b31d39d7a6000f906a
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | 9ee08b1c245a5c8dbc268788374cb89e79beb26b
| Program.CloudInject.5 | 4002aab34096cdb9a71263bced1c29111b681733
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81
| Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b
| Program.FakeMoney.16 | 38531fde9e6d880fa9c833053f6fccdf72aea084
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Program.TrackView.1.origin | 402d40a8824a8edea39eb22cd9dcb4f29ca76e9d
| Tool.Androlua.1.origin | d7a2606d1c014a070b7d76dceebd5e06a75553ff
| Tool.Androlua.1.origin | fe120b047ae3db313fbe4649c5f26fc2f2f32763
| Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771
| Tool.LuckyPatcher.2.origin | 4f80c2fc41872957672cd903366eb08bb7d4ce65
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.NPMod.3 | 571d981e2f63081376cc84d680fb6b51a11573a0
| Tool.NPMod.4 | 281e131a17aec62635c0af4e7cefac42bd70d9c6
|===
--------------------------------------------------------------------------------
/Trojan.MonsterInstall/README.adoc:
--------------------------------------------------------------------------------
== Samples

All hashes are SHA-1

=== Trojan.MonsterInstall.1
----
4f053ad18150f07f15039bd845d3e2db8bd50c72 - main.js
b24e8dfd44a42a74e8c47d759d36fc178d988a93 - start.js
2cfa09b812f90c9f1e0a1e620c4ef9d8f8f6b5e7 - crypto.dll
d0a6fab0e4c98413f56f96d68c11ebd64db090cf - network.dll
444d4a915ba55a46b9c551ba4a6c1398a1cd5e16 - windows.dll
----

=== Trojan.MonsterInstall.2
----
21d6f7980e6b1383c0cc813bfc003f2adf51eb74 - start.js
980f067ce3976a3f40e1a39e1bc8b74c3849f91e - startDll.dll
52e021f47f487e58d9a8edfb887925e2e75be256 - update.js
d337eeefdf45055a1e3fbf26abe7ca8eb5c2295a - updateDll.dll
b6a9db83a915494fa0b22cd116ec26cbe4d166ce - ESP чит для КС ГО.exe
----

=== Trojan.MonsterInstall.3
----
cf20c882dcc427bff822fa2c54fab39397a8d6e7 - codeX
0f5d2fe52f15adb6813bd398dcc1e10de52e2953 - main.js
----

=== Trojan.MonsterInstall.4
----
46b8955c8fa07994f8cb3c11dff0a277c7353730 - xmr-1.7z
0909fe2c42c4b3480313671dde00d4e0fd756f1b - xmrig.exe, x86
0785a05695428436a95e875b058268cfb1347207 - xmrig.dll, x86
f5c766423bf6a1eca4b2063da8464e2f09778920 - start.js
1c5e358185f15ae619dceb353adce18a2221ff19 - xmr-1-64.7z
c9e4dd2f67a4aa2aaa152e92df4fe137d1d73b78 - xmrig.exe, x64
2710c02c6e069b94fc2708eae42f309b1313bf5d - xmrig.dll, x64
d91fc46d9af39fb1bbb45f1c4970437b49497edf - start.js
----

=== Trojan.MonsterInstall.5
----
0950ba59af3ffa8ac32882aa280d1fbe604d5c68 - VvaldiSetup.exe
2857eca1bb4dd401958107a9b7d0d2faaeea4e61 - MonsterInstall.exe
b934131ab7fbf66caf58a9deb6c689bf6d979fee - MonsterInstall.exe
----

=== Trojan.MonsterInstall.6
----
befdec16c459bd71bd7e735276ad1a10adc8fd76 - updater.dll
25186470ae0982fff93c2569fb9de5e489fc011b - updater.dll
----

=== Trojan.MonsterInstall.7
----
d7d7fe73e3288e4b1e7be5a460e55c0925465428 - ЧИТ ДЛЯ CSGO БЕСПЛАТНЫЙ HVH.exe
d8dabb84e4ab75fd1dc0ec806933d60b5c693bd2 - DayZ (2018).exe
322c660e644af0930476e6540dce7da6d4b06e39 - work.js
8db6aa47181d8cf2f5f1f60db33b380d8b24ced4 - install.js
873ba485d40199ab7f7ebe1258aa56e09625f3af - codeX
----

=== Trojan.MonsterInstall.8
----
ecc02c3cccf8496d12ce48e98e5219128ed72e05 - install.zip
271bbad1ba905d5a5971f712f8084710cbfa76fa - install.js
c0d39a50799fa11ea402a7634b972479d5a6e16c - MonsterInstall.dll
----

=== Trojan.MonsterInstall.9
----
b7c0b0f7c8765a3021b4f907e0835f8bee53730b - FC.exe
8d06ee83054c790f2401352af29ad0c56b0db52f - updater.dll
----

=== Trojan.MonsterInstall.10
----
eb7c08ef01c4eba0a1cb2edb06dde6b7f5e9383d - Чит wallhackwh для CS GO {steam no steam}.rar
f4cf382939aaf7f76a5cbf81c525dab2a26a4d5e - Чит wallhackwh для CS GO {steam no steam}.exe
08fd5700e6d54a7bd2b1b2589d4f363d9335cb36 - Dawn of Man Трейнер 7 v1.0.5 {CheatHappens.com}.exe
b5ccc67d9aa7e6faeec6091bc2169e185169c88c - GLOW WH.exe
bbc9c42f5450b4afe7d92b697b094b82fe8d27dc - Чит wallhackwh для CS GO {steam no steam}.exe
7e8c549da28c08642e8e7d5a780521666715d7d6 - starter.exe
a7c6cba1f02624af4eca7ce2afca17add72fe15f - Чит аим и вх на Блокаду .exe
785e2807132889d886d2794eb576c5ff2571e852 - new-node.bin
f4a0d14e862c6d7de28096a2662ae08fcb89679d - work.js
----

=== Trojan.MonsterInstall.11
----
d6d3f9f067e8bb2244e4a4529fa032d92d9f0425 - Чит для Warface валхак (вх).exe
a4f81547d5e594b039241c36d443471857d3c10c - Чит для Warface валхак (вх).exe
----

== Network indicators

=== C&C Domains
----
cortel8x.beget.tech
reserve-system.ru
s44571fu.bget.ru
xyi-sosi-guboi-trisi.xyz
cherry-pot.top
corteli.com
----

=== Distribution sites
----
fastscreen.ru
torrent-igri.com
румайнкрафт.рф
clearcheats.ru
worldcodes.ru
mmotalks.com
cheatfiles.ru
minecraft-chiter.ru
fasrworm.ru
corteli.com
----

=== IPs
----
176.57.70.81
----

== Artefacts

=== PDB

----
B:\Develop\VisualStudioProject\module\crypto\Release\crypto.pdb
B:\Develop\VisualStudioProject\module\network\Release\network.pdb
B:\Develop\VisualStudioProject\module\windows\Release\windows.pdb
D:\Develop\VisualStudio15Project\botnet\starterDll\Release\starterDll.pdb
D:\Develop\VisualStudio15Project\botnet\updaterDll\Release\updaterDll.pdb
B:\Develop\VisualStudioProject\botnet\installerDll\Release\installerDll.pdb
D:\VisualStudioProject\libpeconv\Release\libpeconv.pdb
D:\VisualStudioProject\libpeconv\x64\Release\libpeconv.pdb
D:\VisualStudioProject\test\starter\Release\starter.pdb
D:\1isua1St1dio1ro1ec1\test\s1ar1e1\R1le1se\1111111.pdb
B:\Develop\VisualStudioProject\botnet\MonsterInstall\Release\MonsterInstall.pdb
D:\Develop\VisualStudio15Project\botnet\MonsterInstall\Release\MonsterInstall.pdb
B:\Develop\VisualStudioProject\LEGACY\FCInstall\FC\Release\FC.pdb
D:\VisualStudioProject\inst\WindowsFormsApp1\WindowsFormsApp1\obj\Release\WindowsFormsApp1.pdb
----

=== Source paths
----
B:\Develop\VisualStudio\VC\Tools\MSVC\14.12.25827\include\corteli\json.hpp
b:\develop\visualstudioproject\botnet\monsterinstall\monsterinstall\source.cpp
b:\develop\visualstudioproject\legacy\fcinstall\fc\source.cpp
----

== Installation

=== Registry
----
HKLM\\SOFTWARE\\Microsoft\\MoonTitle\\
HKLM\\SOFTWARE\\Microsoft\\Windows Node\\
HKLM\\SOFTWARE\\Microsoft\\Reserve System\\
HKLM\\Software\\Corteli\\File Checker\\
----

=== Filesystem
----
%WINDIR%\\NodeService\\
%WINDIR%\\Reserve Service\\
%WINDIR%\\WinKit\\
----

=== Task scheduler
----
MoonTitle
----
--------------------------------------------------------------------------------
/Q3 2024 review of virus activity on mobile devices/README.adoc:
--------------------------------------------------------------------------------
= Q3 2024 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3
| Adware.AdPush.39.origin | 7a168d81399a0872f7b86deeb773f8d995e7a450
| Adware.AdPush.39.origin | feafc0517dd9d40d7c621b7296bc072c3806f4f8
| Adware.Basement.1 | 910091acd64150480c41ec265e41da4c4a168e69
| Adware.Fictus.1.origin | 00aa3a61a6b70bfdb8ddceb9c74f72ed06a170d1
| Adware.Fictus.1.origin | 0867d90ac1aa5680cc99d64a6b6ea6d491495f4c
| Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065
| Android.Click.1751 | 59bc8cd2996f071ad29d8b8cfa9089bbf6a6b241
| Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78
| Android.FakeApp.1602 | 34da69a656ebf9368fe131d95747b42d7e6dd760
| Android.FakeApp.1602 | 4929f17eabfd3ad7431278ce6540751c46fa3b32
| Android.FakeApp.1619 | 3b4858c655af139a7c0295833bd8a8bb1dac203f
| Android.FakeApp.1620 | 1418e419f6dc921e01be238fa6883b83608bc387
| Android.FakeApp.1621 | 0a2c154471eaed8d9605fc3a5791d268c12817f2
| Android.FakeApp.1622 | c208c1c6d925a1ba53281047f288cf70209fced3
| Android.FakeApp.1623 | 6f07d49c16e8fb73c932d5f9c39b46425c948b97
| Android.FakeApp.1624 | eea35474a442d43eeef9471a9aa18fbeb71b10ba
| Android.FakeApp.1625 | 33b74699a0e7bf5422adbac852760accf833cf2d
| Android.FakeApp.1626 | e2cb37cc0b978912bd15cf79b0a338435504d724
| Android.FakeApp.1627 | e01c762052ffba2705490d511b327e1882d4ea78
| Android.FakeApp.1628 | fd43c0bd92925ccef9e4bfdb9a20489150fa2bdb
| Android.FakeApp.1629 | e2d91843a821ea8172d5cba3be92300aca0eaa04
| Android.FakeApp.1630 | 159a37cf57fea825ecacd5f6ae9304cf18338589
| Android.FakeApp.1635 | 1e438967edafecf134fc93818227f6c9411d7fc0
| Android.FakeApp.1636 | 86ac57650910de7ed049dc0cc375714848ca53c3
| Android.FakeApp.1637 | 8c3b576e6424e0bfa51550cca1236377af9d020e
| Android.FakeApp.1638 | 7bf6c73a9c0db0ed7eba79e9ea1a5dd4e514656a
| Android.FakeApp.1639 | bddcd82332d4e3fb2d31429dd95bc00659c82a6d
| Android.FakeApp.1639 | c208c1c6d925a1ba53281047f288cf70209fced3
| Android.FakeApp.1640 | ca01b84af2d204a16d4764bee14890795209bcd9
| Android.FakeApp.1641 | 07eb8070b230ecfd7c6057a75a29648969248a6d
| Android.FakeApp.1642 | e723de98b8551d243be46ceb744353dca420fe7d
| Android.FakeApp.1643 | 7ba6e6495417356efd8c5df80659f48c137b62ca
| Android.FakeApp.1644 | 79d97113dac67cb406e41d06bdbe6a6ea0168c3d
| Android.FakeApp.1645 | 4296d4f04f5e3c590c3b22ceebaefcd5c767564c
| Android.FakeApp.1645 | 999598de7cc1e7e96c16af72d2f47ee8fa37e04d
| Android.FakeApp.1646 | df665089ef47186ff3f2543bdae6c788212af424
| Android.FakeApp.1647 | bbfbc50f1638235c0a3861c0d62ca69d800a50f0
| Android.FakeApp.1649 | bd5180e873886c46ac605ff6068d91a0f28c602a
| Android.FakeApp.1650 | 170ffc0c1ad0813ef131c65deef457a5ed865862
| Android.FakeApp.1651 | 9d2f8378cb52e6955fa44ba05da1d9f5599f271d
| Android.FakeApp.1652 | d57004515d641af4393a0822d50bab9f67cbb0e1
| Android.FakeApp.1653 | 2490ca0df836e03e1ea236f081d58fec6a6d7f5c
| Android.FakeApp.1654 | a026d2ebf7dff10076dc55ccf8e35a6da5fe5d7d
| Android.FakeApp.1655 | 16f18343b6c52396be2876068a9f2bae0580f852
| Android.FakeApp.1658 | 7b46d72f7c5b0c57f5088d7e6d1a2fbce2d1d35b
| Android.FakeApp.1659 | 486ed656e19f3f0da2e9791277624069616faff3
| Android.FakeApp.1660 | e84ef208ebb6ef298c13ea2de94eba7666cbac09
| Android.FakeApp.1661 | 63419287252e2e34da745069103d71b299f76f3d
| Android.FakeApp.1662 | beeb84e445b1162cdda83de7d1129f1e02644c2d
| Android.FakeApp.1663 | 131b043927845dfa27347c089705c24398ff673f
| Android.FakeApp.1664 | c4235d0abe2320ed3c2577f2be77d318d8ec8309
| Android.FakeApp.1665 | 92e93dfee3188b0ca04deba6bc04376faf9c02db
| Android.FakeApp.1665 | 9b27f0d324b2fee1a3ae7bbe5004a91090796637
| Android.FakeApp.1666 | cb4a8556558a66c8f0332d012f90e92674ec8ff8
| Android.FakeApp.1667 | 2bed3737345b2c0d4db18f0d8c3fc9f62ca523fe
| Android.FakeApp.1667 | dc636a460f8f395983f47ae3fbb8cdb1f5619b1f
| Android.FakeApp.1669 | f413239a50a79ca5dd498d8ae97ece5f93bf0718
| Android.FakeApp.1670 | 50bb75a80f0a6c03bd6cf5388bdf7f02e8617d6f
| Android.FakeApp.1671 | d366f4ffadec79595a37ce9439e60edd8e18b22c
| Android.FakeApp.1672 | 05988525cd6a63569d7c7b2a5c6bc48aae01e1a1
| Android.FakeApp.1673 | be24a37a32dcd83cbee66275825ec7e6b822bd66
| Android.FakeApp.1674 | e713dcd0d335bdae7ef6007e061caec1ec62472e
| Android.FakeApp.1675 | 0d4783661c0562e8ca616eca3c5771dada482fa6
| Android.FakeApp.1677 | 0ec168db4a1b0871c50a2a7a23d564f88515cbb0
| Android.HiddenAds.3994 | 22da255c6f10cb6d2996edadd6a6dbc6318c3435
| Android.HiddenAds.3994 | 2b7ea144426461e099dc5d0e0dee12c9d3dd59c1
| Android.HiddenAds.4013 | 681bc9df83b548d320dccd9eb31f743555289201
| Android.HiddenAds.4015 | 0c053d917fb3b85ffe4b50242fab0aea2cb0c0e1
| Android.HiddenAds.4025 | 5583eb42d0113d3e12215cef3884ddeb47603cbc
| Android.HiddenAds.4027 | 5390fea0fae2761197a6c3fd6d2dd26c1079ab21
| Android.HiddenAds.4034 | f69a94f7b5d7cec09f1f8cbdd0fa033982d24972
| Android.HiddenAds.4100 | 003461418a7ca25960ce1d1e12460e9df532895f
| Android.HiddenAds.4102 | a4c34dc11805073dcb513782ee888c78c720c17b
| Android.MobiDash.7813 | 2071c55c85a2b65165cfe2fd8ced0ef20821aa03
| Android.MobiDash.7815 | 16269525616410c59b77dca51e6860d2a1f1db4f
| Android.Vo1d.1 | f3732871371819532416cf2ec03ea103a3d61802
| Android.Vo1d.1.origin | 618b98eb97f38ffa7b384b0932fd4b92c8877f60
| Android.Vo1d.3 | 8399c41b0d24c30391d7fba6b634ba29c0440007
| Android.Vo1d.5 | ed975255eba30345de74936e24b9b3090f26ed7e
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81
| Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b
| Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366
| Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.NPMod.2 | 11a54fda40f8648af8132b81b1e501d91bb0e24c
| Tool.Packer.1.origin | 897b65ae5ab11a2ceeb238b4ce41fab0b413c466
| Tool.SilentInstaller.17.origin | e33aad2f232f469081586e3e6fa5b843cd54432e
|===
--------------------------------------------------------------------------------
/Android.Backdoor.916.origin/README.adoc:
--------------------------------------------------------------------------------
= Android backdoor spies on employees of Russian businesses ― Indicators of compromise

== Samples

|===
| SHA-1 | Package name | Version | Thumbprint

| 38717aeeb365bcfe74760cb59ffcb4a92ab32604 | com.google.android | - | 81fba3e7821cdb38d8bb6767fef00dc7fab63ca6
| 8b4b205d7efef0f5f887f627c89629082927e4a9 | ru.safezone.safeguard | - | e018304ee662319225bc32755eee149d8d7d9f2e
| f88410271b51ba751242e31384d50abf2d6165a8 | ru.next.secure | 1.15 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 94d25cebb6ba408c7c45bd12fd8aca5293d5df21 | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| d43f35feec33b473bbb78f2a467021f3484531eb | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 3c734b9c24087898cfbfb58b3a53c44592356389 | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| eea0dbbced23ffe5d5086e520abf61d12395596a | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 5f97d7aeb20d56df918b313520958eaa88ea6e52 | ru.safezone.safeguard | 1.12 | e018304ee662319225bc32755eee149d8d7d9f2e
| 5059c6dc5a657722e3c13f720cbf77e9b58ef515 | ru.safezone.safeguard | 2.07 | e018304ee662319225bc32755eee149d8d7d9f2e
| e30e1e8218dc39be09df45192080357155eb5a29 | ru.safezone.safeguard | 2.11 | e018304ee662319225bc32755eee149d8d7d9f2e
| d8554d2fdbae21927f1f10f199b73dbc6b351ad3 | ru.safezone.safeguard | 2.11 | e018304ee662319225bc32755eee149d8d7d9f2e
| 4000d55e218b54eea9090b01d4a96d1410c6c4b1 | ru.next.secure | 2.12 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 35c775748501bf3f57cddee44e3dfed1d6a41b87 | ru.next.secure | 2.12 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 28ff8d630e4acbd809c4a2672f8fdc349173d6ff | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 28e5c478144088a1ce31a831354f042435e52ea6 | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| ced461fd540c6e558a75afaf1c0aeef25e001fc5 | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
|===

== Network indicators

==== AlekseevIPs:
----
alegriki[.]ru
pikiviki777[.]sbs
24biliberdiki[.]ru
83[.]147.255[.]228
80[.]85.154[.]134
193[.]124.33[.]196
192[.]145.28[.]67
45[.]67.231[.]139
94[.]130.255[.]132
213[.]218.212[.]25
----

==== BerdikIPs:
----
hugamuga[.]monster
cadabrabro[.]ru
twofish[.]pro
45[.]12.109[.]104
45[.]12.136[.]170
85[.]192.56[.]19
77[.]239.124[.]232
194[.]33.35[.]94
95[.]217.146[.]248
144[.]76.48[.]43
----

==== DneprIPs:
----
senechkau-creep[.]store
lunadev3[.]photography
tuzvladki[.]cfd
103[.]71.22[.]52
194[.]226.121[.]169
80[.]85.155[.]182
45[.]140.167[.]112
194[.]87.62[.]162
95[.]216.239[.]65
45[.]129.242[.]236
94[.]131.118[.]221
37[.]221.126[.]216
----

==== DpBoxIPs:
----
dpbots[.]online
dpblast[.]fun
dpbxtroj[.]xyz
79[.]137.192[.]33
80[.]85.154[.]249
194[.]226.121[.]112
192[.]145.28[.]179
45[.]140.147[.]41
144[.]76.48[.]45
213[.]218.212[.]200
----

==== GeneveIPs:
----
gevena-best[.]com
gevena-bh[.]com
geneva-it-otdel[.]com
103[.]71.22[.]68
80[.]85.155[.]41
80[.]85.154[.]250
45[.]159.248[.]6
212[.]87.223[.]192
136[.]243.209[.]196
62[.]192.174[.]151
----

==== KabanovIPs:
----
kabanosiki[.]ru
kaban1488[.]ru
silakabana[.]cfd
45[.]134.12[.]13
80[.]85.154[.]70
194[.]87.252[.]163
194[.]147.35[.]45
85[.]209.153[.]229
157[.]90.14[.]184
213[.]218.212[.]19
----

==== KievIPs:
----
bountyhunter[.]pro
138[.]124.182[.]198
83[.]217.210[.]91
193[.]32.179[.]113
83[.]217.210[.]163
83[.]217.210[.]129
185[.]255.178[.]199
----

==== NikoIPs:
----
nikolas[.]sbs
nikolas[.]quest
nikolas[.]monster
nikolas[.]icu
nikolas[.]cfd
nikolas[.]lol
nikolas[.]pics
83[.]147.255[.]202
80[.]85.155[.]141
80[.]85.154[.]246
45[.]159.248[.]236
195[.]58.50[.]187
136[.]243.209[.]194
62[.]192.174[.]87
----

==== OdessaIPs:
----
asasdffgasd[.]online
nasdaad[.]ru
advasd[.]ru
103[.]71.22[.]206
80[.]85.155[.]185
80[.]85.156[.]13
45[.]140.167[.]148
212[.]87.223[.]248
148[.]251.240[.]92
62[.]192.174[.]132
----

==== OsnovaIPs:
----
osnovium[.]it[.]com
profitala[.]it[.]com
nluxor[.]pro
80[.]85.155[.]179
77[.]239.124[.]215
194[.]226.121[.]245
138[.]124.15[.]61
138[.]124.31[.]191
31[.]172.75[.]46
89[.]42.142[.]29
----

==== PoltavaIPs:
----
pilitavki[.]ru
pikiviki777[.]cyou
biliberdiki[.]ru
103[.]71.22[.]100
80[.]85.154[.]90
194[.]190.152[.]200
194[.]147.35[.]129
88[.]218.93[.]20
157[.]90.14[.]191
213[.]218.212[.]23
----

==== SixFlorIPs:
----
spydroid[.]dad
speroid6six[.]ru
speroidsix6[.]ru
83[.]147.255[.]86
80[.]85.157[.]114
194[.]87.252[.]51
194[.]147.35[.]86
45[.]67.231[.]215
94[.]130.255[.]149
62[.]192.174[.]219
----

==== SkovorodkaIPs:
----
lunadev1[.]rehab
zifirwera[.]ru
pikabueim[.]cfd
194[.]190.152[.]39
89[.]169.15[.]54
31[.]192.237[.]132
80[.]85.155[.]132
45[.]85.93[.]206
2[.]59.183[.]215
45[.]67.230[.]151
----

==== TeslaIPs:
----
retrojins[.]ru
example2[.]cyou
lunadev2[.]legal
176[.]124.192[.]155
194[.]226.121[.]95
5[.]39.249[.]107
45[.]12.129[.]171
45[.]82.253[.]185
45[.]129.242[.]58
85[.]192.56[.]90
----

==== TeslaTwoIPs:
----
repkasv[.]ru
vetervgolov[.]icu
77[.]239.124[.]95
80[.]85.155[.]32
80[.]85.154[.]113
77[.]91.101[.]27
194[.]87.35[.]52
5[.]9.133[.]189
62[.]192.174[.]142
----

==== TwoFlorIPs:
----
panopti[.]ru
pancum[.]ru
optipan[.]ru
opticun[.]ru
212[.]193.31[.]126
193[.]124.33[.]230
91[.]207.183[.]142
95[.]164.38[.]35
94[.]131.122[.]189
138[.]124.31[.]177
84[.]21.172[.]65
----

==== UvelirIPs:
----
24lasofyu[.]ru
dertels[.]ru
kingwqeq[.]ru
77[.]110.104[.]235
80[.]85.154[.]222
194[.]87.252[.]7
192[.]145.28[.]144
95[.]164.86[.]41
188[.]40.171[.]100
213[.]218.212[.]55
----

--------------------------------------------------------------------------------
/Q4 2024 review of virus activity on mobile devices/README.adoc:
--------------------------------------------------------------------------------
= Q4 2024 review of virus activity on mobile devices — Indicators of compromise

== Samples

|===
| Detection name | SHA-1

| Adware.Adpush.21846 | 4e164cd0a8ad4e00102717957ee85320234bc7d3
| Adware.AdPush.3.origin | 501f36db0aae9f950fe5559fc12820f20cd1f620
| Adware.Basement.1 | 910091acd64150480c41ec265e41da4c4a168e69
| Adware.Basement.2 | a7f93ba3bd5403fda276807f192077df2b1b89ec
| Adware.Fictus.1.origin | a0f870b496e957029e136ba299ba326f7ca709d1
| Adware.Fictus.1.origin | e2baa09fcdef1f8e1b438c1a0e5aca83cf473feb
| Adware.ModAd.1 | f313360472d294b9f6205585bd5742a59ad07065
| Android.Click.1751 | 59bc8cd2996f071ad29d8b8cfa9089bbf6a6b241
| Android.FakeApp.1600 | 645ae4d7bc879645b6f2e0ebe84d57e89cb03f78
| Android.FakeApp.1645 | 999598de7cc1e7e96c16af72d2f47ee8fa37e04d
| Android.FakeApp.1645 | e2cb37cc0b978912bd15cf79b0a338435504d724
| Android.FakeApp.1669 | f413239a50a79ca5dd498d8ae97ece5f93bf0718
| Android.FakeApp.1679 | 0d652ce9e01180dc43016a7c4ce67ec1e750b576
| Android.FakeApp.1680 | 31148c9751dbcd3128a094088dda7d4f5c4127b2
| Android.FakeApp.1681 | cab34741309f24f52811852a6f08081c27eca6d0
| Android.FakeApp.1682 | a8fe099acb862c216cedee2e2be72c29f03344aa
| Android.FakeApp.1683 | 6627e13291eca41afa16e379b3706c0d05996033
| Android.FakeApp.1684 | 71bf1f1993d3658c49c7ac2ffc236cd80767e4f5
| Android.FakeApp.1686 | e8259e91ca097b357158bb2f0590843deb1b5294
| Android.FakeApp.1687 | b9fa579c61d616bbf29ef9e8de0779831a48d5e7
| Android.FakeApp.1688 | 30f56dff838ae1f120463f934ca24fb37f451d27
| Android.FakeApp.1689 | 2c9f8fc3d013db694a335b6360546bee6109294b
| Android.FakeApp.1690 | 3e9432fc700319612b78319088aced8c2b650868
| Android.FakeApp.1691 | ea986ca59797adcf6554bad81321a1a613724e9e
| Android.FakeApp.1692 | f776d270d5debdeef3769ff268528d5f0f6791f7
| Android.FakeApp.1693 | 51f179991e43ea743408a9f8719d67584c735074
| Android.FakeApp.1694 | d7a9ce1477d1c56e136e5370ec97c770a48e6508
| Android.FakeApp.1695 | 133486ab2cec62f92ce478c0d5577b085e7d4be9
| Android.FakeApp.1696 | 3ebe10511b734027ee15b71a66cff1e0a10ffd1f
| Android.FakeApp.1697 | d9c3d9883a920fc452535dccacdd5ff7b2d69800
| Android.FakeApp.1698 | 6bc84390c86aab5658012a98f432c3c75577a836
| Android.FakeApp.1699 | 1c3941466a410f3b12b73c78d5f5b1bccd56f248
| Android.FakeApp.1700 | f377515fab14565c75a560f8d9e8345fd35cb193
| Android.FakeApp.1703 | b80b3d661d448c79a387207e13762feb8b8b6520
| Android.FakeApp.1704 | d7b29e65f5346aec916c981610d9ae5e5cab0c51
| Android.FakeApp.1705 | 1ea5885324f2f294eaea4518da5866e5169b33e8
| Android.FakeApp.1706 | 7114b21994cd7513945171a30912718f231c5ce7
| Android.FakeApp.1707 | edef4d788c9654baaeedd7be745aec3350aa216e
| Android.FakeApp.1708 | 334c479b804913d15fc1c143670d8be11a2cd286
| Android.FakeApp.1710 | 808e1a201490ea75fb34819d6c476a68790817a5
| Android.FakeApp.1711 | 98259cf545425153705d256a0bfb076db05d3ee9
| Android.FakeApp.1713 | 076a11ae028d3b1b0590aaa7250e7197260c3266
| Android.FakeApp.1714 | 14721f7dbfdd6a6a01d85d2e4e8a4beae4d19d56
| Android.FakeApp.1715 | 97c3dc76fe1ceb5cc31684f6d99f4e2a3801b483
| Android.FakeApp.1716 | 146397f12edf86c3f0a0c3268c76c121c4675b67
| Android.FakeApp.1717 | 3241c92635993a3d9725afa0ef34eb7d1a4ad819
| Android.FakeApp.1718 | 5f52cf930cec6be746fe831571f07d2b58c602bf
| Android.FakeApp.1719 | 69f850cfd89ca8194ca6a85570e400ec2ec7dea9
| Android.FakeApp.1720 | 9ed9f5b9f097a3aee93e2e3581cdf1dd08030aba
| Android.FakeApp.1721 | 125cb16fd9ae2e8ce5e2022eb8f60575873b8f11
| Android.FakeApp.1722 | 7036241994e808f73b5a0ac35a31a4fd36da1bc4
| Android.FakeApp.1723 | c868916942e2277b709bea4b05474e787d4281f8
| Android.FakeApp.1724 | 867b360b95230c32a9d57966941da0ab61f274d4
| Android.FakeApp.1725 | dd8179b728f8e553e20ee6acad2850c2eb8fe219
| Android.FakeApp.1727 | 3eb200ab14eb5113a3328d38f566927d09365fca
| Android.FakeApp.1728 | a6727c3d7c985bf6f9ccd8d556a5ae826e75a441
| Android.FakeApp.1729 | c3117836247caf34cd1c9549c11c1d39c7eb0e37
| Android.FakeApp.1730 | 078129367c393f2043d1f73d33260fc572fe96a2
| Android.FakeApp.1731 | d9c9aba7bef3af5ab97f8c64bc81c290ebe1c84c
| Android.FakeApp.1733 | c3616640d561c29ad55c054db49f0482ef7d8a1b
| Android.FakeApp.1734 | a8a0e5bad3768fd57e6634429cf19c2403133f5e
| Android.FakeApp.1735 | 29501df72d031e29e95aba2d21a411b150b36e01
| Android.FakeApp.1736 | 7d5b6166dfe9b8ba03bb69bd0cec4e85e30e454a
| Android.FakeApp.1737 | 81ed09dc27eaa634029006abdb3d0de10a8b2f25
| Android.FakeApp.1738 | b2db961bb92e257a4365ed6b56a7fbf19bf1edbe
| Android.FakeApp.1739 | 1934bb56b75e4d99ab38040b534fb614278f68b0
| Android.FakeApp.1740 | 3899ede429b59b0342fcc27048c9cc0e195d860d
| Android.FakeApp.1741 | caa5df142af151dc7e0339b2a081ca9379c12291
| Android.FakeApp.1742 | 784b1e5b65d850ea214d16b1b3736864d066024c
| Android.HiddenAds.4013 | 681bc9df83b548d320dccd9eb31f743555289201
| Android.HiddenAds.4015 | 0c053d917fb3b85ffe4b50242fab0aea2cb0c0e1
| Android.HiddenAds.4208 | b3fa4609a57fad3b8468866a05ec913372dc75b9
| Android.HiddenAds.4210 | a3e1edaf4a8ac30f048368e9c662043a32f90bc1
| Android.HiddenAds.4212 | bd321587ecd116af4ab33be55aee2d12f48e0d05
| Android.HiddenAds.655.origin | ded1493bc26421eb5a3e48e699c7a30758a4632a
| Android.HiddenAds.656.origin | 6b842b0ece8b3bf25a485161cb278ae35d12068f
| Android.HiddenAds.657.origin | 00832c46bb70bf4f0ddd3b5364f1cf32a610aa71
| Android.Joker.2280 | b61b17e7a1d044bf61e2b138bac978997ff95a9c
| Android.Joker.2280 | f7bb5f40281b9a823879672c4fbdf438cabb14d0
| Android.Joker.2281 | 774e3125976e2829f8517d8d8617fb03bc12accb
| Android.Joker.2282 | 1611e03a045952e5d25d664454cb552b90cd25e3
| Android.Joker.2282 | 594bd0e84df3b3f8681e91691315d4bcbd4d9df0
| Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e
| Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249
| Android.Packed.57156 | 778f332b9563dc6307a74840013a3fdb5f28699d
| Android.Packed.57157 | 56166bb786df97544712187260f7ddb806ce6154
| Android.Packed.57159 | 2c9f66ab3321c75ef7b05d84a4e1a2d9c362e18e
| Android.Subscription.22 | 298c372d564f0daa9598ef59847fba7b51e2ce53
| Program.CloudInject.1 | 9c97f4010f2b10bf00951216141b8aa5e67c86bc
| Program.CloudInject.1 | decd232709a4878f0b6b1cb5cfb28d3b8b471d3e
| Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9
| Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5
| Program.FakeMoney.11 | 23d35f8774fa7020b804fa1253b13c59bf338e81
| Program.FakeMoney.11 | 7fdb2adc34504b63f1f123d61ea36b6afbb6c00b
| Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073
| Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362
| Program.TrackView.1.origin | 232bfdf129d4e8f075138b7ba70e70de8b5bbea7
| Tool.Androlua.1.origin | 2fc769c357159a116d13d51172952150096734e7
| Tool.Androlua.1.origin | d7a2606d1c014a070b7d76dceebd5e06a75553ff
| Tool.CloudInject.1 | c66100aee1b7816fcca2dc7088d77e35fc2ab771
| Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0
| Tool.NPMod.1 | 696588e66632cfd79f0ad9390c8df7e5ed5671a6
| Tool.Packer.1.origin | 897b65ae5ab11a2ceeb238b4ce41fab0b413c466
| Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d
|===
--------------------------------------------------------------------------------
/get_cert campaign/README.adoc:
--------------------------------------------------------------------------------
= getcert.net — Indicators of compromise

== Samples

[cols="1,1"]
|===
| SHA-1 | Name/Detection name

| 33ccea79ddcf7d22fbc1ddd9945f353eb4981ca9
| Trojan.MulDrop20.28843

| c0895d0123a92f56db2940df44042e102b77e47d
| VBS.DownLoader.2822

| 6d8716cddc3ca6c8558eb4f842d81638f00f01f8
| PowerShell.DownLoader.1640 (ubr.txt)

| 9cd084897729ef3ade0c0b02da1414f89b24c9aa
| Trojan.Inject4.47390 (ZX-uninstaller2.exe)

| 8e8dac022a03310da15d4c2ecd57a19c7f077ed3
| Trojan.Hosts.50579 (ZX-uninstaller.exe)

| 7fae2f61eb513411a536544d87ce9559a351af90
| Trojan.Hosts.50366 (ZE-uninstaller.exe)

| 5dc6c820290bfdb094f0c6e46ae33a9b46f41583
| Trojan.Hosts.50962 (ZoomX.exe)

| 6d371a964488b7b505514a1f266b56982b38442e
| Trojan.Inject4.17628 (ZoomE.exe)

| 4ff6a0b7ec138e855f13d0f52bb77014bd406d70
| Trojan.Inject4.47388 (S32-uninstaller.exe)

| c16fdeef67fd747eb82db6cc9a4a68fda2cd4dec
| Trojan.Siggen19.13452 (S64-uninstaller.exe)

| 5dc6c820290bfdb094f0c6e46ae33a9b46f41583
| Trojan.Hosts.50962 (Services32.exe)

| d387755c90b43047ff649949e52fe7204b721009
| Trojan.Inject4.17628 (Services64.exe)

| d355dff37ed85f6d0d84eb9f42dd1fe7c02537bb
| Trojan.Inject4.47388 (mc-uninstaller.exe)

| 2e8dd0a66cc86f307a3782d6b7f98e48d1eb36b9
| Trojan.Siggen19.13452 (ec-uninstaller.exe)

| 5dc6c820290bfdb094f0c6e46ae33a9b46f41583
| Trojan.Hosts.50962 (mclient.exe)

| a9e15b26115ff8e999d9e313ec4b7e0b6d37939e
| Trojan.Inject4.17628 (eclient.exe)

| 74487ebea9aa3d83dd68204bafd2027264c1b15b
| Trojan.Siggen19.13452 (updater-uninstaller.exe)

| 2f7d0fb9c9b622953746ac0ceaac0e8331230483
| Trojan.Siggen19.13458 (updatere-uninstaller.exe)

| b8b0c2732ed6366c3ce8f0efa891f229d29244b0
| Trojan.Hosts.51154 (updaterx-uninstaller.exe)

| e40d372c7f9637ed83a3961035e8910c3731fc7d
| Trojan.Inject4.47390 (updaterx-uninstaller2.exe)

| 5dc6c820290bfdb094f0c6e46ae33a9b46f41583
| Trojan.Hosts.50962 (updaterx.exe)

| 5dc6c820290bfdb094f0c6e46ae33a9b46f41583
| Trojan.Hosts.50962 (updaterx.exe)

| 99111907b50911f9b2853cd73b373d231ab92f79
| Trojan.Hosts.51840 (un.exe)

| 385a72bede84c9c44b84b2f044ca77e440be0802
| Trojan.Hosts.51839 (u.exe)

| 0f05fbb257fc71ba649175b92fcd963ff23a2540
| Trojan.Siggen23.24088 (m.exe)

| 636c8a9736ef2c6ee894a5d32e76fc4d74600794
| Trojan.Starter.8323 (Web.exe)

| b72aad9ae8022bc932a6989544edc76936afe498
| Trojan.Starter.8324 (Ps.exe)

| 283b170573316d0e693a9e66006b1634a3f6d021
| Trojan.PackedNET.3150 (Myapps.exe)

| 146ba5563eff1627f9fcc45e26b95d89b0f64c8c
| PowerShell.DownLoader.2151 (cgtalent.txt) 95 | 96 | | 1d46a948eabbaa85fede43fd50a49ad820e96833 97 | | PowerShell.Starter.98 (Metamorph.txt) 98 | 99 | | 8d791539be6a22eec6ab612e427a3c9bbe7e1daa 100 | | assignmentbmp.zip 101 | 102 | | 4b583d399d16bf174938daaefbcce7b8a15e0413 103 | | PowerShell.DownLoader.2153 104 | 105 | | 90e473b93ce0ff3ee2e9fb13a138843a8dda40a3 106 | | images.zip 107 | 108 | | a7b09c73aa9ddd6a6a535eed2a2598697ad8a5be 109 | | PowerShell.Siggen.2099 (Cleaner.txt) 110 | 111 | | 87a2b37aa36ff0ce60e0f5d13e4b27b61e596353 112 | | PowerShell.Siggen.2099 (Cleaner.txt) 113 | 114 | | 60c5cc8e93ddf35d006a36b0be8e3b68c1ee809b 115 | | PowerShell.DownLoader.2154 (m.txt) 116 | 117 | | 3208c2d40e9feeebf2669985d63d79005cf8fce7 118 | | Trojan.InjectNET.14 119 | 120 | | 0f05fbb257fc71ba649175b92fcd963ff23a2540 121 | | Trojan.Siggen23.24088 122 | 123 | | 7764945007b03d746b0b0108144a15eb9112a2f8 124 | | Trojan.Inject4.30867 125 | 126 | | a92da5e57a8e50ec1b4e8d3b029f5b2150bc3f27 127 | | Trojan.PackedNET.3149 128 | 129 | | aaef9da0c976797717a93c6b48b9cc672d6f06bb 130 | | Trojan.PackedNET.2191 131 | 132 | | f5329857be92d3b70e85481026963991bd9c1feb 133 | | Trojan.InjectNET.14 134 | 135 | | 8de8e5474c5d0f638ce56e0db758b8bec675f762 136 | | PowerShell.Starter.107 (Async.ps1) 137 | 138 | | f7d890de0931d733d6d0a37c36bb00f0f1cc0b91 139 | | Trojan.PackedNET.2429 (Aevnocvfiq.exe) 140 | 141 | | df660ed3a9ebae8a727529984562d98872452167 142 | | Trojan.Starter.8322 (AdminSetup.exe) 143 | 144 | | c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1 145 | | Trojan.PWS.Amadey.18 146 | 147 | 148 | 149 | |=== 150 | 151 | == Network indicators 152 | 153 | === URLs 154 | 155 | ---- 156 | hxxps://asobimo[.]link/ubr.txt 157 | hxxps://asobimo[.]link/ZX-uninstaller2.rdp 158 | hxxps://asobimo[.]link/ZX-uninstaller.rdp 159 | hxxps://asobimo[.]link/ZE-uninstaller.rdp 160 | hxxps://asobimo[.]link/ZX.rdp 161 | hxxps://asobimo[.]link/ZE.rdp 162 | hxxps://asobimo[.]link/S32-uninstaller.rdp 163 | 
hxxps://asobimo[.]link/S64-uninstaller.rdp 164 | hxxps://asobimo[.]link/S32.rdp 165 | hxxps://asobimo[.]link/S64.rdp 166 | hxxps://asobimo[.]link/mc-uninstaller.rdp 167 | hxxps://asobimo[.]link/ec-uninstaller.rdp 168 | hxxps://asobimo[.]link/mc.rdp 169 | hxxps://asobimo[.]link/ec.rdp 170 | hxxps://asobimo[.]link/updater-uninstaller.rdp 171 | hxxps://asobimo[.]link/updatere-uninstaller.rdp 172 | hxxps://asobimo[.]link/updaterx-uninstaller.rdp 173 | hxxps://asobimo[.]link/updaterx-uninstaller2.rdp 174 | hxxps://asobimo[.]link/updater.rdp 175 | hxxps://asobimo[.]link/updaterx.rdp 176 | hxxps://asobimo[.]link/updater.rdp 177 | hxxps://asobimo[.]link/updaterx.rdp 178 | hxxps://asobimo[.]link/checkubr.txt 179 | hxxps://asobimo[.]link/asom-uninstaller.rdp 180 | hxxps://asobimo[.]link/xz-uninstaller.rdp 181 | hxxps://asobimo[.]link/xz.rdp 182 | hxxp://myownservice.duckdns[.]org:8000/mclient.txt 183 | hxxps://asobimo[.]link/marosa.txt 184 | hxxps://pastebin[.]com/raw/9UHQkGec 185 | hxxps://ipv4object[.]net/MetaWeb.txt 186 | hxxps://ipv4object[.]net/MetaNev.txt 187 | hxxps://ipv4object[.]net/Metamorph.txt 188 | hxxps://txtcatch[.]com/archive/link.txt 189 | hxxps://ipv4object[.]net/licence 190 | hxxps://getcert[.]net/assignmentbmp.zip 191 | hxxps://drive.usercontent.google[.]com/download?id=1zGHGEpbLq7I1p90YFn70ZaZU3v1YyLNz&export=download 192 | hxxps://ia601208.us.archive[.]org/31/items/images_20231226_0815/Images.zip 193 | hxxps://getcert[.]net/Images.zip 194 | hxxps://ipv4object[.]net/Cleaner.txt 195 | hxxps://ipv4object[.]net/m.txt 196 | hxxps://ipv4object[.]net/Net.txt 197 | hxxps://getcert[.]net/m.txt 198 | hxxps://txtc[.]cloud/m.txt 199 | hxxp://validssl[.]online/m.txt 200 | hxxps://github.com/torpedo0x/ 201 | hxxps://i.imghippo[.]com/files/NkKm6518aVQ.Bmp 202 | hxxps://i.imghippo[.]com/files/iBrq9443HWk.Bmp 203 | hxxps://i.imghippo[.]com/files/RRqb3512Vb.Bmp 204 | hxxps://i.imghippo[.]com/files/iBrq9443HWk.Bmp 205 | hxxps://i.imghippo[.]com/files/GGV9604Lg.Bmp 206 | 
hxxps://i.imghippo[.]com/files/vitY7320btA.Bmp 207 | hxxps://i.imghippo[.]com/files/set5912PyY.Bmp 208 | hxxs://i.imghippo[.]com/files/jlj5300oyU.Bmp 209 | 210 | ---- 211 | 212 | === Domains 213 | 214 | ---- 215 | asobimo[.]link 216 | myownservice.duckdns[.]org 217 | txtc[.]cloud 218 | validssl[.]net 219 | validip[.]net 220 | validssl[.]online 221 | validip[.]online 222 | txtkey[.]online 223 | txtcatch[.]com 224 | getcert[.]net 225 | ipv4object[.]net 226 | filenav[.]net 227 | windowscdn[.]site 228 | buyclients[.]xyz 229 | ---- 230 | 231 | === IP addresses 232 | 233 | ---- 234 | 95.216.99[.]206 235 | ---- 236 | 237 | == Wallets 238 | 239 | ---- 240 | 49dERm4bKtG1Pz64KDE73r6oCKnowVieph41y996zq6Q6Mdhbks6EMQh1qyn2dsvyHW9CoBTqAU7BZQKxz5AfGov3c7PgS4 241 | 46nUxRJRF1s7EXgxHB8fUghtpuZ8amdE42XqNyUkPi4bN96nL1BsZq1JmLMeL8a4x4AUVXcxXxVbD7qP9ZvHqzwi5zw7gxi 242 | 44SC1Wk3tmZeVr6LvcaVcsZbnYCT5hUVWe4ptAPE445NWhcYUvkShPuJiYkxi5yofgdTWqPUCCNdcBar18Kecbgs15gRzhk 243 | ---- 244 | -------------------------------------------------------------------------------- /April 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = April 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Android.FakeApp.1320 | 8912a46355c597b761a4d88a39600d23774c2e0f 9 | | Android.FakeApp.1321 | 18a8df4e4eec9c2c84257c6100fe5fac4d985f3b 10 | | Android.FakeApp.1322 | 93eb6abc66ad707e1f0e75f296f7da3e2723d2dc 11 | | Android.FakeApp.26.origin | 5db96c3394c664cac54247b2eda261a2362a8f13 12 | | Android.FakeApp.1323 | a8a5e0531dc64b6eff09e44ea44bb5e11d6f1297 13 | | Android.FakeApp.1260 | 9c975cff7cd924a0b619402259b805a059159e8d 14 | | Android.FakeApp.1260 | a629d692985f827c780caa8063e4dcf93350f486 15 | | Android.FakeApp.1260 | bb41a7a0901daa711c8f7a5e6df99a869195dc37 16 | | Android.FakeApp.1260 | f0af8b736016f80e95afb7b59bd3a3baf9b286d2 
17 | | Android.FakeApp.1324 | d0122952fdb55773b54a6bb97bdd715a21984b77 18 | | Android.FakeApp.1307 | 3b466c27597148056bb88ec298d383e06c7f0211 19 | | Android.FakeApp.1307 | 5a2839fc292379a585e426d40f1c861ea17198d4 20 | | Android.FakeApp.1326 | e7dc6af0c59e6df0b0e2adf31e424d7c1fe30977 21 | | Android.FakeApp.1328 | 516060e54ae203ae4b328bffd6ee67915fbccc5e 22 | | Android.FakeApp.1330 | ea46daa13b6c90cff9a642c52dc441a156bebaa3 23 | | Android.FakeApp.1331 | 765e9f8a97f7b379e6d1d3533be332ed5bbf255a 24 | | Android.FakeApp.1332 | 18b89d64d3465260450213cd478269b40023134d 25 | | Android.FakeApp.1334 | 169af701b0c95e76e2a368d6a9a40490cd04f3e1 26 | | Android.FakeApp.1335 | f66949a873ad715b4085b9e44d54205dc90f2f83 27 | | Android.FakeApp.1351 | bb005c3fbee09afdbb5832f02329379f39e9d3c3 28 | | Android.FakeApp.1336 | 6691ad3fff3c184d2dee84cf90402fb13dd7e949 29 | | Android.FakeApp.1337 | 389ae42836c73d7df1b565e30b72302ce3bcd25e 30 | | Android.FakeApp.1353 | af20621d4e7ce0a3cfdf22ca9820cba357a585e1 31 | | Android.FakeApp.1338 | 59b7ee1429d41c3a6b9f9e478eb47267f65cc5b0 32 | | Android.FakeApp.1339 | b357d9ad7a97bcd504b4e630df035e485b9d3785 33 | | Android.FakeApp.1340 | 7b253c7e05ba9ffb46332bd6a3a610789afdc11f 34 | | Android.FakeApp.1148 | 8dea17dccc07ff8bb5eb1a15686313d6dcace5ad 35 | | Android.FakeApp.1148 | f26b1d1b73d430d511584eb29f98794a02168c84 36 | | Android.FakeApp.1341 | c95f0b4f19f3e37a151f633eb327e3a931cd9bad 37 | | Android.FakeApp.1343 | 1f167131ed5d89c78e917851132fe7f81b90b866 38 | | Android.FakeApp.1344 | eb8b2992a17cec6f721c7a61f00ae6adfd86a75e 39 | | Android.FakeApp.1345 | 303da5d5e9a343782588d8e398c6c457f2e3d546 40 | | Android.FakeApp.1295 | 1a4e2fa26ca1590b6b006123a8e57c8dbca5cee4 41 | | Android.FakeApp.1295 | f34b23c61c9c2c01e97ec179ba4e1c3aca3db33f 42 | | Android.FakeApp.1346 | 644d29492bb175a8f0978e71bb5fcfe6c73aac94 43 | | Android.FakeApp.1347 | 8feeab4a76858e19b5f0fc3924fcd1f02afa2c18 44 | | Android.FakeApp.1348 | 8e30eed40915e69ca0aa0fd6d4b8c4ca4edbb507 45 | | 
Android.FakeApp.1329 | 0c041b64fe14ce5e3ad7dcb8b0605dc71965f1f2 46 | | Android.Joker.2106 | 8ecd444c7d69d2496a5efe6771d54e34fb03da42 47 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 48 | | Android.Spy.4498 | 03c09072fadc6daf271ca649f57f0efdd7f284c2 49 | | Android.Spy.4498 | 24ba77e554adedbff18b4749a114da27c00846ca 50 | | Android.Spy.4498 | 36baa8eaf30eee18834ea350aaa6029391a7a2c5 51 | | Android.Spy.4498 | 42adf2a97b8749105f23253409b215df4a5ef2a9 52 | | Android.Spy.4498 | 504ae03cb9232bd53aa1b778c20c8e1ef66f9969 53 | | Android.Spy.4498 | 52f091fa1a98c3ab9f322e94ccfb390bd39ffc83 54 | | Android.Spy.4498 | 5f8fcd7375ecf7ee027b78e68e8fdd7c996a5bc8 55 | | Android.Spy.4498 | a8659e6e66ca171efabbe3662c576849a9f8e3b4 56 | | Android.Spy.4498 | af53706a5193a0376277c41f28741874b4dd6933 57 | | Android.Spy.4498 | b61e6f67179972c82b7e625550c0e79981c45c3e 58 | | Android.Spy.4498 | e4a1485cb847f36dd6176096304901d99f231529 59 | | Android.MobiDash.7783 | 0a484b0fb24ba0125d70dc59b54f237af64b8724 60 | | Android.MobiDash.7783 | 1c80bc1b9ef67c88ee704f9a4f5483f9165291cb 61 | | Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e 62 | | Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249 63 | | Android.HiddenAds.3597 | ca3558b11a24db3abfcffc2312f9f02da653c1ab 64 | | Android.HiddenAds.3558 | 1878b00eb5643292b96396dc91956190e6db7d5d 65 | | Android.HiddenAds.3558 | 1d09dea8b738bb78ae707b1609daa186ee6e74ea 66 | | Android.HiddenAds.3558 | 311babfb5173554a0f938b74f0f95f6113059bd7 67 | | Android.HiddenAds.3558 | 3c9266fdd4bb26f1e0af8d944e20d2f092139e6d 68 | | Android.HiddenAds.3558 | 44d1c3649e5825720020d476119ea8e5b2bdaf17 69 | | Android.HiddenAds.3558 | 47269c07b50bb8d66bd1c3cf35f92e1276f9335d 70 | | Android.HiddenAds.3558 | 489d34781867ac6144f74042564e682468e950df 71 | | Android.HiddenAds.3558 | 4decdeaac7d5e7a3b7f3a1137a9c676be1753fc1 72 | | Android.HiddenAds.3558 | 4fcef80047f40704ab91b51ba54aecf4ae67caaa 73 | | Android.HiddenAds.3558 | 
56f56cfdea96633f5561999f8c7fa79e745b1db6 74 | | Android.HiddenAds.3558 | 5900e3caf14e59a31699ac8ec9eb1c2ce50a8c3b 75 | | Android.HiddenAds.3558 | 5a6d7642a3ae0beb1cbfcfeaf0967b6eefb19bdb 76 | | Android.HiddenAds.3558 | 6c1b333f8420e1363cc9bb37d0fe9147ddafcda4 77 | | Android.HiddenAds.3558 | 8873a944b967961d132e6ad16b725f5ce821212b 78 | | Android.HiddenAds.3558 | 8f10a7decc6f2405021436a199ed9699af5f7a6f 79 | | Android.HiddenAds.3558 | 90c09309dd8a30bf915efd55480d86fd8aff7784 80 | | Android.HiddenAds.3558 | 93543baf2d6526ef434c7849f93cb602307503df 81 | | Android.HiddenAds.3558 | 9e6c3794303f3910d4eb00ba396e0db830d22164 82 | | Android.HiddenAds.3558 | a32e5a05a917278e7c01f7dc5a6912c09dfa035a 83 | | Android.HiddenAds.3558 | d608c5dbcb7b9929ec5117c797c88445aef79229 84 | | Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc 85 | | Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f 86 | | Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615 87 | | Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11 88 | | Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f 89 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 90 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 91 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 92 | | Program.wSpy.1.origin | 4da47e907e74ad939eacda9f01e49bfbb42e30c9 93 | | Program.wSpy.1.origin | f1b71e4faa9ad1c19f65596e52a1dce496ec7bf6 94 | | Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167 95 | | Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e 96 | | Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366 97 | | Program.SecretVideoRecorder.1.origin | a75f2a400ed6b200acc26a2e1aa285110addc08d 98 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 99 | | Program.SecretVideoRecorder.1.origin | 
ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362 100 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 101 | | Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26 102 | | Tool.SilentInstaller.7.origin | 4fbf1629b2ec49cb2839c3e31f9adbc32285b741 103 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 104 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 105 | | Tool.SilentInstaller.17.origin | e33aad2f232f469081586e3e6fa5b843cd54432e 106 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 107 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 108 | | Tool.LuckyPatcher.1.origin | 6e71c117dd597946de43a99df467a71a5728f7e0 109 | | Adware.MagicPush.1 | 1624b2ae1c232ebf843aa29b9d362434e6f10f9d 110 | | Adware.MagicPush.1 | 64f1aa22f484f250b9956adef780c3ccb45832f5 111 | | Adware.MagicPush.3 | 5dc16a173eb747a1029e50ed5614a5aa1819cd36 112 | | Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22 113 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 114 | | Adware.Youmi.4 | 09681eeb301f6c81043bcad56366176beafd9d78 115 | | Adware.Youmi.4 | b470652fd537d6c0449b4a2adca7815a8181c2e6 116 | -------------------------------------------------------------------------------- /March 2023 review of virus activity on mobile devices/README.adoc: -------------------------------------------------------------------------------- 1 | = March 2023 review of virus activity on mobile devices — Indicators of compromise 2 | 3 | == Samples 4 | 5 | |=== 6 | | Detection name | SHA-1 7 | 8 | | Adware.Adpush.19599 | cc34cde1f6933416c340046b6add081e36ced3d5 9 | | Adware.AdPush.36.origin | 92d7798feaef1bcc6e28c2e60a690d7da7d27f22 10 | | Adware.Airpush.7.origin | 48dd9d4b9c69c5c5f0fa387864d8ce1f68dea50f 11 | | Adware.SspSdk.1.origin | 4dd319c0ca0839d400b2e66e6b34c5e27788fd2a 12 | | Adware.SspSdk.1.origin | 
7f54e9db2f249dcb89cbe94450d54a798876ab25 13 | | Adware.SspSdk.1.origin | bcb440b8cb5d979a9ed90e9d68b6f6e95042badb 14 | | Android.Clipper.7 | 0e65ec9c665c8e07351a09f0274c1e768fcd51e3 15 | | Android.FakeApp.1133 | 21815bed732b4354e905daf2c2ea03e5741fba81 16 | | Android.FakeApp.1148 | 8dea17dccc07ff8bb5eb1a15686313d6dcace5ad 17 | | Android.FakeApp.1169 | 1dfd7d9318871960fd75a5ebcc5c615ee8e842cd 18 | | Android.FakeApp.1230 | 709f2f2164940fda0319c11f0639ea9ae77a867f 19 | | Android.FakeApp.1230 | dc28688e9330b8225852f54ce80c9d6a3187c9b8 20 | | Android.FakeApp.1242 | 6f7c76a706a605fcb72753c1553a1f76cc350bfc 21 | | Android.FakeApp.1242 | b69d9256d793a2aac8af2a9673cdfa9d6646e3b0 22 | | Android.FakeApp.1249 | d863fb152a7d3c112ce583bc375b07ce94d66d10 23 | | Android.FakeApp.1250 | 6db5a3ef6110e260dac2ed4ba8618581da781f62 24 | | Android.FakeApp.1251 | 0b1f6ac698f14f9d7d838514181a4222927b095f 25 | | Android.FakeApp.1252 | 38614c5004323d559d69e8dbb9f775b0b8286026 26 | | Android.FakeApp.1253 | d491ce0dd7c6d703703b2d1f628ea4528c0b0791 27 | | Android.FakeApp.1254 | 2e346fe49a90f60f7796102699b0e93aa64dea3d 28 | | Android.FakeApp.1255 | de83b0a5d3880165d1b5f0cad1fb5fcc30377f58 29 | | ndroid.FakeApp.1256 | 8c2b0ddd15f8b087929aab32704fb9bf1d8df660 30 | | Android.FakeApp.1257 | 3d0af62f4beeb18a3dd63373ade245a63a434800 31 | | Android.FakeApp.1258 | 9c975cff7cd924a0b619402259b805a059159e8d 32 | | Android.FakeApp.1259 | f128cd7bd8fe7d17485731200be6192df693dc00 33 | | Android.FakeApp.1260 | a629d692985f827c780caa8063e4dcf93350f486 34 | | Android.FakeApp.1260 | bb41a7a0901daa711c8f7a5e6df99a869195dc37 35 | | Android.FakeApp.1260 | f0af8b736016f80e95afb7b59bd3a3baf9b286d2 36 | | Android.FakeApp.1261 | ea2db8878ee47c5e0aa7d98d301eab2495107fb9 37 | | Android.FakeApp.1262 | bd47e8f2c01b63bab9447b1acd3bc2755c6d8ecb 38 | | Android.FakeApp.1263 | d5c5f0e1d92535f8a2d92444ff3c24b8cab1c78c 39 | | Android.FakeApp.1264 | 2c0ddc3871e43b0462328a4a495d63152747b675 40 | | Android.FakeApp.1265 | 
68d9efed0fc0247343638f498db8f61885f33935 41 | | Android.FakeApp.1266 | 149ee59737146abfd8158c5886e72d49286550bf 42 | | Android.FakeApp.1267 | 6141e0cf5b81ac8824b53e262b5b1b477b1ee77a 43 | | Android.FakeApp.1268 | 82c18ce3a1dc496f7416a13c63c0a14fd5f9cd0c 44 | | Android.FakeApp.1269 | 9016d50bb53c1a03a1ae472d7c94bec3329487b6 45 | | Android.FakeApp.1270 | bdf13b349374d399fbe7becc107e0faa0351cf68 46 | | Android.FakeApp.1271 | 8d745fb372970f6fb6e60a4506013f2e7659f118 47 | | Android.FakeApp.1272 | 2d8a05e106a38b371b41f9fd9432b79bd7e1cfbe 48 | | Android.FakeApp.1273 | 5f5e10a4f285e24478791ed1a6a5249fa9fb52fe 49 | | Android.FakeApp.1274 | e5669e6cf490b9bcdc2502b8771a32627762d6ee 50 | | Android.FakeApp.1275 | fdb20562a27fa0eacebdc2481f2b2f39028cb4eb 51 | | Android.FakeApp.1276 | 8f27a849572a6e42aa584094908718b23b479902 52 | | Android.FakeApp.1277 | c2cc900f322c22b6a6adfb8077d4365299797d9a 53 | | Android.FakeApp.1278 | dc6ad633ce1d96f8ae18e51f41541bf4d3dd70a3 54 | | Android.FakeApp.1279 | b7b4d635917a18a56d072c0839112c13ee0cd399 55 | | Android.FakeApp.1280 | 5f4b32bda02b535684dd28caeb62360af7a5d5a7 56 | | Android.FakeApp.1282 | c6b67dd722cb034eefb068fa9c4b3d9afea8a1d5 57 | | Android.FakeApp.1283 | 44b5889f6bd39b9e8328887b3e2bb6e8c6a40f32 58 | | Android.FakeApp.1284 | 0560afce8a47c7d71b4d182fcaa2e496cb185447 59 | | Android.FakeApp.1285 | 2ff526d90bc2aec69933797359b07aa188b3603d 60 | | Android.FakeApp.1286 | b4877c2b7401887aeb73375707b8688da9de74c4 61 | | Android.FakeApp.1287 | dafc152b505e4a47b3a30c150e022175264458a7 62 | | Android.FakeApp.1288 | 6c1823728b7f25744392656234ff8077cba1676d 63 | | Android.FakeApp.1289 | 2947836a7c0d75a22e356c8ec54edc113079ccb1 64 | | Android.FakeApp.1290 | 42048cd8963415ae362ca71ad92a0ff7931de735 65 | | Android.FakeApp.1291 | 5296c18082308540a5825a07010d011823dd62c6 66 | | Android.FakeApp.1292 | b7098008cce4fc41bc2efb8bd21ebd387a8d735b 67 | | Android.FakeApp.1293 | f56a214fc2b019a48c1674345d18a77131581132 68 | | Android.FakeApp.1294 | 
45646b5b40f97998408f45720b77bc6a580cd847 69 | | Android.FakeApp.1295 | f34b23c61c9c2c01e97ec179ba4e1c3aca3db33f 70 | | Android.FakeApp.1296 | f865a74a10ef8aa6bf3086a3010564d64d8a2396 71 | | Android.FakeApp.1297 | 60ac332bddfa5fcaceca5edd0a9c6fa312121d29 72 | | Android.FakeApp.1305 | 3819bbb7932c20207acf4f3c4f9cfaa15d2de16b 73 | | Android.FakeApp.1306 | 2b65cdf8b0be6398493c0ac1cf8549b3cdf4120d 74 | | Android.FakeApp.1308 | 4693d697b056be1ca5cd1469b61726591584e386 75 | | Android.FakeApp.1309 | 70eef69c84c4216d1108501d1d6a8b46c9da35fe 76 | | Android.FakeApp.1310 | 4371f0d0e9d823bfce5d3234876222715088dbdf 77 | | Android.FakeApp.1311 | 3c317bad1038464e0914c6df83f93c9a8785bfda 78 | | Android.FakeApp.1314 | 78d11b64fb1f82cb69cefa9dd1915ada449818e4 79 | | Android.FakeApp.1315 | c27b4cb943e9b31b5d0cce797643c5fa0e35810c 80 | | Android.FakeApp.1316 | c6691b732448748d4cdb5dcbc2b16b1540aee0fc 81 | | Android.FakeApp.23.origin | 0748e4d759a5d04a39073d9183c63e378ed56d6e 82 | | Android.HiddenAds.3558 | 1878b00eb5643292b96396dc91956190e6db7d5d 83 | | Android.HiddenAds.3558 | 1d09dea8b738bb78ae707b1609daa186ee6e74ea 84 | | Android.HiddenAds.3558 | 311babfb5173554a0f938b74f0f95f6113059bd7 85 | | Android.HiddenAds.3558 | 3c9266fdd4bb26f1e0af8d944e20d2f092139e6d 86 | | Android.HiddenAds.3558 | 44d1c3649e5825720020d476119ea8e5b2bdaf17 87 | | Android.HiddenAds.3558 | 47269c07b50bb8d66bd1c3cf35f92e1276f9335d 88 | | Android.HiddenAds.3558 | 489d34781867ac6144f74042564e682468e950df 89 | | Android.HiddenAds.3558 | 4decdeaac7d5e7a3b7f3a1137a9c676be1753fc1 90 | | Android.HiddenAds.3558 | 4fcef80047f40704ab91b51ba54aecf4ae67caaa 91 | | Android.HiddenAds.3558 | 56f56cfdea96633f5561999f8c7fa79e745b1db6 92 | | Android.HiddenAds.3558 | 5900e3caf14e59a31699ac8ec9eb1c2ce50a8c3b 93 | | Android.HiddenAds.3558 | 5a6d7642a3ae0beb1cbfcfeaf0967b6eefb19bdb 94 | | Android.HiddenAds.3558 | 6c1b333f8420e1363cc9bb37d0fe9147ddafcda4 95 | | Android.HiddenAds.3558 | 8873a944b967961d132e6ad16b725f5ce821212b 96 | | 
Android.HiddenAds.3558 | 8f10a7decc6f2405021436a199ed9699af5f7a6f 97 | | Android.HiddenAds.3558 | 90c09309dd8a30bf915efd55480d86fd8aff7784 98 | | Android.HiddenAds.3558 | 93543baf2d6526ef434c7849f93cb602307503df 99 | | Android.HiddenAds.3558 | 9e6c3794303f3910d4eb00ba396e0db830d22164 100 | | Android.HiddenAds.3558 | a32e5a05a917278e7c01f7dc5a6912c09dfa035a 101 | | Android.HiddenAds.3558 | d608c5dbcb7b9929ec5117c797c88445aef79229 102 | | Android.HiddenAds.3597 | ca3558b11a24db3abfcffc2312f9f02da653c1ab 103 | | Android.Packed.57083 | 0c51e87cc94c30e560eda7bca477dffafa42a79e 104 | | Android.Packed.57083 | ffd3d6952f1ea4f83a4f3f93418aecc4b1f44249 105 | | Android.Spy.5106 | 9496d9a804596dcb27290d508e46fc5a27a714a9 106 | | Program.FakeAntiVirus.1 | 017719d3fee02a0dc4fa22017b882a5c0a983ec9 107 | | Program.FakeAntiVirus.1 | 8b8889f69532ab25c57351666389715e3d2b8676 108 | | Program.FakeAntiVirus.1 | e1b517dfacaa735014331dca8dfe8099ea74c8e5 109 | | Program.FakeMoney.7 | 18fa02fd251195b3ef4a20e6e7db26867fb938cc 110 | | Program.FakeMoney.7 | 71251919ea0d45c77f51a0f2e5cdcc29f02b962f 111 | | Program.FakeMoney.7 | 726cdb1077e8ccf5e0c619ac42cd6850dfefd615 112 | | Program.FakeMoney.7 | f99d997701ca41f14d40eda1c1f1a79cbff3bc11 113 | | Program.FakeMoney.8 | f9ae4ea8ef205c8fcb01cbe3ddb2f69b7ba3322f 114 | | Program.SecretVideoRecorder.1.origin | 24b76e7354c9d5772e9f3fa90b8fe63f263e8167 115 | | Program.SecretVideoRecorder.1.origin | 5404ff6c4baa94478a61455d2541734862dbbb9e 116 | | Program.SecretVideoRecorder.1.origin | 7607c6bc3fda8098621ac97b21c9cf013fc2a366 117 | | Program.SecretVideoRecorder.1.origin | a75f2a400ed6b200acc26a2e1aa285110addc08d 118 | | Program.SecretVideoRecorder.1.origin | b549db6a95d084542b9a2e10c8d392af597c2073 119 | | Program.SecretVideoRecorder.1.origin | ee51ffefeba4f50d8aa6ebaf6d7f3497ac9f0362 120 | | Program.wSpy.1.origin | 4da47e907e74ad939eacda9f01e49bfbb42e30c9 121 | | Program.wSpy.1.origin | f1b71e4faa9ad1c19f65596e52a1dce496ec7bf6 122 | | 
Tool.Androlua.1.origin | 1468dfcdb58225db9340c57392763289965c3763 123 | | Tool.Androlua.1.origin | 2fc769c357159a116d13d51172952150096734e7 124 | | Tool.Androlua.1.origin | d7a2606d1c014a070b7d76dceebd5e06a75553ff 125 | | Tool.SilentInstaller.14.origin | e9213c8e5327622d7cebc0232d1a6b751c53a54d 126 | | Tool.SilentInstaller.17.origin | e33aad2f232f469081586e3e6fa5b843cd54432e 127 | | Tool.SilentInstaller.6.origin | 52717eaa83bd7f25941c622bae3bd791146fdbd0 128 | | Tool.SilentInstaller.6.origin | a2e5122c1660ffcf759b3ac3a74263924cf722ce 129 | | Tool.SilentInstaller.7.origin | 11bbd3eae7bc34e2ac86cdc1cc5b9075dc2f1b26 130 | | Tool.SilentInstaller.7.origin | 4fbf1629b2ec49cb2839c3e31f9adbc32285b741 131 | | Tool.SilentInstaller.7.origin | e07fa9e81fe7718521ff1200ccf53f18e4f0d178 132 | | Tool.SilentInstaller.7.origin | fd33e88c786b5a1e62f41dda6b46138b931afd61 133 | -------------------------------------------------------------------------------- /investimer/README.adoc: -------------------------------------------------------------------------------- 1 | = Investimer -- Indicators of compromise 2 | 3 | Details of the Investimer's activity are described at https://news.drweb.com/show/?lng=en&i=12886 4 | 5 | == Samples 6 | 7 | All hashes are SHA1 8 | 9 | === ACRUX 10 | ---- 11 | 1cc4f2c62293be47c46e1e77cb8903498893b679 - Trojan.BtcMine.3035 12 | 588637a1d4a3c204372159e65bad0be84b41f9aa - Trojan.BtcMine.3040 13 | 66b5833195bfde7c50c80617c083f6ee685b30c8 - Trojan.BtcMine.3041 14 | 7e5d94746386af8cbe6c550b6ffcf6f4bc06f42c - Trojan.BtcMine.3034 15 | d91d3bda7d0ad320f26e8cbe34fe5d57464caf34 - Trojan.Packed.193 16 | df1ecdae40cfb7b040e41f6b2529be2a942e48df - Trojan.BtcMine.3037 17 | e4596f292b96f97d9de2eb2aed7ef7ab3ec10f99 - Trojan.Packed.193 18 | e72fe063ce180b8f07240aed53b22a1bc47a29a6 - Trojan.BtcMine.3031 19 | ---- 20 | 21 | === Arkei 22 | ---- 23 | 04c58a62a858bd8ffe578d84fdd1bc57d7a62cab - Trojan.Inject3.10256 24 | 0f30fdb27377c614b7835a3b710a7d6133510541 - 
Trojan.PWS.Stealer.24676 25 | 12c24fdff1159004895c3c5d08222df4bc541a2d - Trojan.Siggen7.42576 26 | 1e1cb44c157753a7fa293e3d5f840fa6ce9b9d35 - Trojan.Packed2.41319 27 | 1e9d25d0bb1cf8ab9a47cd0d51e57f9ce28dee57 - Trojan.PWS.Stealer.24572 28 | 25edc63b6d7ae026a25ebd6c2122896d8c148d09 - Trojan.Siggen7.42576 29 | 36d2475a9891d0b31f924523ff5df4d374f8ec87 - Trojan.Siggen7.42576 30 | 3cbd578f2bc8a86c0f1d21dc5b38f6310b1a140e - Trojan.Siggen7.42576 31 | 4351ff797d237cdf8e37ad5fd842171991df1efd - Trojan.Siggen7.42576 32 | 4f3d6e15d501b9a4ea0f57475328e8d09671b6d5 - Trojan.PWS.Stealer.24676 33 | 5283991b787439835e4579fd00cb243611ff3045 - Trojan.Inject3.9331 34 | 53b665a73bd2664a4aeee08806f92bd259633f7b - Trojan.PWS.Stealer.24442 35 | 6a0c93fef3e0aceb5c41ca719ee83023f971a711 - Trojan.PWS.Stealer.24442 36 | 7ef62997767fd718b761d32f1ec4040f6d54fab7 - Trojan.Inject3.10256 37 | 81ff86e9d5af7fddeb55857cda50f0c9f2ad23d4 - Trojan.Siggen7.42576 38 | 8235f89c3eeb25746ada70da92585bd52de786a9 - Trojan.PWS.Stealer.24603 39 | 8e62074b1f77b66fc8559eda72f993279f0224c3 - Trojan.Packed2.41278 40 | b7fd0411ec91d13d7270d4dfb0db28440e7260a0 - Trojan.Siggen7.42576 41 | dd4f13b04ccf460b1b535cb8c255b5d47efe1985 - Trojan.Siggen7.42576 42 | ---- 43 | 44 | === AZORult 45 | ---- 46 | 289ca2f2cfd0e131773bf6d56e69978f5a8350a0 - Trojan.PWS.Stealer.23950 47 | 9929f2a71138960153c190c06bc2e7982d8c141d - Trojan.Inject3.9331 48 | c3c758a65499b508597df621040fff3c0b00a047 - Trojan.Packed2.41281 49 | ---- 50 | 51 | === Eredel 52 | ---- 53 | 038250f585b4062b1d3feb4f6d609fe18355222d - Trojan.Packed2.41182 54 | 049759dc910d719328ccdb181f6cd69b24a01110 - Trojan.Packed2.41182 55 | 0eba752daa92ee359d19e0435ee51a690666f4c2 - Trojan.Packed2.41182 56 | 558d67308c78e6f71784fb1a8f16e088fb247de0 - Trojan.Packed2.41182 57 | 5bc04c8e245b4b9cdbbe91939e6b32e821cfdda0 - Trojan.Packed2.41182 58 | 5caf3e859d65630e2b69fb3f0d686adf74f094db - Trojan.Packed2.41182 59 | 63ece1388932e9be2ef74e8504675ed75dede914 - Trojan.Packed2.41182 60 | 
7bf6ab15e667e3671157eb1b80e227a572b50000 - Trojan.Packed2.41182 61 | b044fd5874c4281327b1f72b0db52c0b2cfd4931 - Trojan.Inject3.10256 62 | dad095dd7127a219c1dbdebe8f33a2361eeacbf5 - Trojan.Packed2.41182 63 | f152a97842e0dd87a403aad118ae78648a7721ef - Trojan.Packed2.41182 64 | f7e0d406d03e05d5e4fc25c5ac2fb3fd66c39c17 - Trojan.PWS.Stealer.24604 65 | ---- 66 | 67 | === Kpot 68 | ---- 69 | 1270b4091691e03e495f9ae9cca94b3bb1f9ad78 - Trojan.PWS.Stealer.24575 70 | 720f10909bac57097b6380a43186236c82d99f56 - Trojan.PWS.Stealer.24652 71 | 781a269dd64c0b061e110b71948651dbcf5a5d5c - Trojan.PWS.Stealer.24325 72 | e637367a315faefb506e97368887a0c18a50f5d5 - Trojan.PWS.Stealer.24653 73 | ---- 74 | 75 | === Kratos 76 | ---- 77 | 36ee19ae11c5a6fc34a38e170de09ff06295acb8 - Trojan.Packed2.41161 78 | 741f9714294c12d69eb898a0db10cef8765fd5aa - Trojan.PWS.Stealer.23849 79 | ---- 80 | 81 | === N0F1L3 82 | ---- 83 | 002e913acfbfc055690dff24aca6fef42a2f64dd - Trojan.PWS.Stealer.23208 84 | 32b512a46dadc0fb6636b14f57c6b805e17d8cdc - Trojan.PWS.Stealer.23202 85 | 5fe2b7be66cb32ee47b34f82e2fcee1accf68966 - Trojan.PWS.Stealer.21284 86 | 73fd2ac1459c9a2c9c16c5ef59952460895ad34a - Trojan.PWS.Stealer.22928 87 | adba86091fd095eb334caf1f5f083629e19fec66 - Trojan.PWS.Stealer.22928 88 | be744730327a1fb4f0a775c35efe2ee6f098d61a - Trojan.Packed2.40914 89 | d8c031ad44c9b416b1772203d8644c5642f0e049 - Trojan.PWS.Stealer.24895 90 | ---- 91 | 92 | === Pony 93 | ---- 94 | c7f693244230180ab751e8477e16c57e362e88c7 - Trojan.PWS.Stealer.13052 95 | ---- 96 | 97 | === Predator The Thief 98 | ---- 99 | 00b0d5fd1c720b59c3e467ab7ae8d10b19cd1b35 - Trojan.DownLoader27.701 100 | 01813e3c4afd53eee31b91ab04623d1c698ba1e9 - Trojan.Encoder.26235 101 | 02715b3e0cbfd0d4d6b293a62125176107546099 - Trojan.PWS.Stealer.24834 102 | 086dc6190e224e5e6915b798646d41a25a66d00b - Trojan.Packed.193 103 | 196261a55e55b3908c9433e3cb0059725f1e97a6 - Trojan.Packed.193 104 | 22ebda166949698cf77079471c4572037d71693c - Trojan.DownLoader27.419 105 | 
535d6b75d925629b59ef010fbcdb38fb1557e5d2 - Trojan.PWS.Stealer.24574 106 | 5556212f338e4843d6a4bf052ab6d27c69c5d3cb - Trojan.PWS.Stealer.24571 107 | 5713a5ddfc82e8b48c068606fac8a377ea6fadf8 - Trojan.PWS.Stealer.24659 108 | 5777efe7a9b01bf945bad9bfb74dea783d5895ea - Trojan.PWS.Stealer.24657 109 | 6797e5461a40af047df7d302c74e740df686b00a - Trojan.PWS.Stealer.24561 110 | 6f80e76aee323efdf9f8931d6a0225b49a45a205 - Trojan.PWS.Stealer.24573 111 | 72e1f9b42572f19f422cc4e8e062194d45ea7934 - Trojan.PWS.Stealer.24391 112 | 7e69d8cf58771d400ba2451e2eb8514d2c74dcd6 - Trojan.PWS.Stealer.24560 113 | 8593a30e372044163ea1a0d4b785b2e9d0003b27 - Trojan.PWS.Stealer.24605 114 | 8e93efc7aeed07539f5f8041c8e9b2f39cb2ca40 - Trojan.PWS.Stealer.24442 115 | 9a15c10c2688f32dc11b5621dbdbf67f1e348dc7 - Trojan.PWS.Stealer.24625 116 | 9c2cfc4cf4619cb525d020a665532ecc8dc3f33f - Trojan.PWS.Steam.16207 117 | 9f3e36888d0d410e5e0bee5e3be46fec3835c1e1 - Trojan.PWS.Stealer.24854 118 | a170ce1b72bd59fdfda8d0c985d271733ff8d1c6 - Trojan.PWS.Stealer.24563 119 | afffd90c30cd4473d2a919ac63044b522d05d36d - Trojan.DownLoader27.419 120 | cb3ce9f6bb8ef30c178f67aaab73cd885dfe6f69 - Trojan.PWS.Stealer.24571 121 | ---- 122 | 123 | === Spy-Agent 124 | ---- 125 | 044afa02bba97f4816b67b967ba5806b5c8929e4 - Trojan.DownLoader27.7465 126 | 0cd3ddf91284fc005d6f7acfb76d3a35fdbe0aeb - Trojan.DownLoader26.49460 127 | 220f8b021fc12481c7c28230222f77b62d5334cf - BackDoor.TeamViewer.180 128 | 2540c274c90c9d0de3806e36a9cd09e248dfc86c - Trojan.MulDrop8.43229 129 | 36ec3355da616056d8079832d10f55d70695b7f1 - Trojan.DownLoader26.58874 130 | 3c881b12f1b272c9c14c24468cb05d94f1837221 - Trojan.DownLoader26.59704 131 | 3fb4795c00b6b52ef203039c3f8e7eab14ab5219 - BackDoor.TeamViewer.179 132 | 62101fb69306364513101674ceb904b8d3a8fc32 - BackDoor.TeamViewer.181 133 | 71b4f50dfba25ec3565e627c541b57d764a853b3 - Trojan.MulDrop8.48384 134 | 95f0b80eb8c20287252e20499baa571af029d573 - Trojan.MulDrop8.25846 135 | 
9613a0b65c61aa0406d5330112a4b11e5c7a1865 - Trojan.MulDrop8.37275
9ffd17ed6d463fbc93e60f161f8678305001dfbf - Trojan.DownLoader26.50704
a65d0fbce9d8f3d71eac13baf6c8c5802ebf85f6 - Trojan.MulDrop8.37022
adcb9e0e06ec2c9c55a123083cd9edb6ba5d02de - Trojan.DownLoader26.46028
be6156ab0cec2436440282869a08b00466e5a0d6 - BackDoor.TeamViewer.182
cb68045e54d1cd218995c82e36a2bf29f0b97cb9 - Trojan.MulDrop8.37563
e4e653160ad4fa7fda99905ac5ef5d8ef561a493 - Trojan.DownLoader26.48383
e73935a706e15caffaeb465e1057a9c587da6f88 - BackDoor.TeamViewer.168
e91996401455667fd9ff1991ce6f720ed0788307 - Trojan.DownLoader27.6092
fb6e00ca371ac24e4e8e4519cbde5ec2de01ce72 - Trojan.DownLoader26.52700
----

=== DarkVNC
----
3b75f4a128a80ef574fff7f5e1da9e67faeb55f1 - BackDoor.DarkVNC.3
ea5afa25b386b68ff9f143343a011cdae341b747 - BackDoor.DarkVNC.3
ed1583d7c901309880e9b7c548b10c558a664798 - BackDoor.DarkVNC.2
ef07b905634ca5013bd0c70e92a2570f70da0651 - BackDoor.DarkVNC.7
----

=== Loader by Danij
----
3840709e2a77e277d6127a135d60ac58ab729c57 - Trojan.AutoIt.261
7e71988e106f598583a98d8479b24b93019b32ad - Trojan.DownLoader27.11011
----

=== Smoke Loader
----
dae8285bf70b3e4716ba9f6ba59edaecdec527e5 - Trojan.DownLoader26.9526
----

== Network indicators

=== Server with malicious sites & panels
----
185.231.70.51
----

=== DarkVNC C&C
----
37.46.133.31
----

=== HVNC C&C
----
94.250.255.57
----

=== Domains
----
adogegold.live
adsdoge.com
ark.surfeth.com
best.surfeth.com
beta.gopetrom.com
big.surfeth.com
bill.gopetrom.com
bitcodoubler.com
bithelp.top
bot.surfeth.com
botik.surfeth.com
btcmaster.top
btctrades.info
crmine.com
cryptonas.top
cryptonia.top
cryptoniaz.top
cryptono.top
cryptons.top
doge.gopetrom.com
dogeboost.com
dogegold.live
dogehour.com
dogeloto.com
dogem.top
dogemaster.top
dogetaxi.com
ethinvite.top
ethsurfer.top
ethtab.top
get-doges.top
get.surfeth.com
getdoggs.top
getdogs.top
getdooge.top
getmydoge.top
go.adsdoge.com
gopetrom.com
home.gopetrom.com
investime-pro.myjino.ru
log.surfeth.com
megabit.top
megabit.win
minestab.top
mmpower.ru
my.surfeth.com
new.gopetrom.com
new.surfeth.com
panel.bithelp.top
panel.gopetrom.com
panel.zastrahui.xyz
quoetex.top
sbtctrades.info
shop.gopetrom.com
shop.surfeth.com
smoke.surfeth.com
surfeth.com
top.gopetrom.com
tv.zastrahui.xyz
vksecured.ru
work.gopetrom.com
worldofswords.net
zastrahui.xyz
----

/Android.Spy.SpinOk/README.adoc:

= Android apps containing SpinOk module with spyware features installed over 421,000,000 times — indicators of compromise

== Samples

|===
| Detection name | Package name | App name | SHA-1 |

| Android.Spy.SpinOk.1 | com.bingo.dd.slotrain.bankrain | Bank Bingo Slot | 09bc394526b8acdfad02cd4b62512de9fb1a6b15 |
| Android.Spy.SpinOk.1 | com.bingo.win.wt.fun.game | Bingo-J | 8b52ad1744999a019151013c95d869f51b8f6946 |
| Android.Spy.SpinOk.1 | com.blast.game.candy.candyblast | Jelly Connect | d9399887327b96cf6af4e547f8bac3e2d9a8ce2b |
| Android.Spy.SpinOk.1 | com.carnival.slot.treasure.slotparty | Mega Win Slots | 8ef21b1edebbb20e012b5da411f911c2f4778938 |
| Android.Spy.SpinOk.1 | com.clover.bingo.cloverbingo | Lucky Clover Bingo | 81b3dbf5b9fdd683a08eff792d83659a8f0239f1 |
| Android.Spy.SpinOk.1 | com.coinpusher.jackpot.king | Jackpot King - Coin Pusher | ff13e35da45e57b689b738eca684e96c710143c8 |
| Android.Spy.SpinOk.1 | com.crew.assessment.frame.complex | Owl Pop Mania | 5424005f9a6bfe2abe6ee9f4fbc94d03f46f4e32 |
| Android.Spy.SpinOk.1 | com.dailystep.asd | Daily Step | 2f78a33e6ae66132b917c4073ac9b33ebcde854a |
| Android.Spy.SpinOk.1 | com.funny.game.grscanner | Get Rich Scanner | c8dcd59d655f5141f05dd59a912ea0f08aca76b4 |
| Android.Spy.SpinOk.1 | com.play.starquiz.quiz | Star Quiz | e6b14343e8d1fffee1521216b6293dcc56b4ca35 |
| Android.Spy.SpinOk.1 | com.pusher.jackpot.lucky | Lucky Jackpot Pusher | 390efe953d0dc2f28005684680a4d341938d8dd4 |
| Android.Spy.SpinOk.1 | com.ql.recovery.picpro | Pic Pro - AI Photo Enhancer | be25a9f6bd0799a5732558a060141ca8ec06f6fb |
| Android.Spy.SpinOk.1 | com.integralwall.playbox.box | PlayBox: Rewarded Play | 1ff20130833bcd7450fe637c2cb4c7a2c04895dd |
| Android.Spy.SpinOk.1 | com.kelly.laws.ready.username | Mission Guru: Brain Boost | 2aa7d576e8e5f762a79d962b301200ed24632323 |
| Android.Spy.SpinOk.1 | com.bubble.connect.vvbubbleconnect | Bubble Connect - puzzle match | 1523288cab6ab5d53dfe9dbde27fefcd97664f3e |
| Android.Spy.SpinOk.2 | com.novel.novelah | Novelah - Read fiction & novel | f242a0f4d1c5f9aad6feae529d6f938bb5399c31 |
| Android.Spy.SpinOk.2 | com.cash.em.app | CashEM:Get Rewards | 9bd4a7105421f1b4c37d3cfceaa41124f8efd04d |
| Android.Spy.SpinOk.3 | com.ai.bfly | VFly: video editor&video maker | 599a700e7c9e4a6c25c6ecc77f6db89b2d6541ee |
| Android.Spy.SpinOk.2 | com.yy.biugo.lite | Biugo-video maker&video editor | f937b24eb19290fc8e171e3e6f09afd758dcd7c0 |
| Android.Spy.SpinOk.2 | com.yy.biu | Noizz: video editor with music | d3ec7069d7d5b03e285b48b67752d335c813159f |
| Android.Spy.SpinOk.2 | com.insta.cash.app | InstaCash:Earn rewards | fbe85ddd2cf07517cd1c00c91e476ab152a3b0d3 |
| Android.Spy.SpinOk.1 | com.drawing.visual.twice | VibeTik | bf8bed5228cc411c50fecf8ec20e44bf6271b36c |
| Android.Spy.SpinOk.1 | com.written.slide.bingotour | Bingo Tour | c7ba436777d664c71731c9e3fa40488f37b80ffd |
| Android.Spy.SpinOk.1 | com.june.survey.recorded | Coin Big Bang | 59ed80b8e704a0ce7a7b53b18fecb554ee375ae7 |
| Android.Spy.SpinOk.1 | com.blonde.magnetic.place | Gold Miner Coin Dozer | 2617a0c2ede56c1bd6998c3f1adbdb7c1dfc1596 |
| Android.Spy.SpinOk.1 | com.food.match3d.puzzle | Match Fun 3D | 91ba1495ccc5e064b8584b5ddad31afa4a28594b |
| Android.Spy.SpinOk.1 | com.surveyking.earn.money.from.surveys | SurveyKing - Earn from surveys | a209a85831ec87e8fa6ef2ed59d0991a761612ed |
| Android.Spy.SpinOk.1 | run.sully1942.upload.employee | Holiday Solitaire Party | c832b9f1c62a034499133be28abf364eeb675fe1 |
| Android.Spy.SpinOk.1 | com.filter91.statement.lifestyle | Step Counter:Keep Fit | 4ab18faf16c759575ccc26b6fb925eb10062f39c |
| Android.Spy.SpinOk.1 | com.surveycash.earn.cash.money.from.paid.surveys | Survey Cash - Earn Easy Cash | 7006c9a428d3709d700b94163ba7a4ff0dd020fa |
| Android.Spy.SpinOk.1 | com.bubble.connect.bitconnect | BitCoin Connect | c39485600122061a6010ed6df66dba73a26f1e22 |
| Android.Spy.SpinOk.1 | cc.coastsamoa.slide.green | Mega Blast Tree | 00a83c6dec5e8e7b4ad97ba8d0f5b94dcd0bd71f |
| Android.Spy.SpinOk.1 | com.bigtrea.scan.go | Treasure Scanner | 17ecede709ca847498ccbd650915f5b618a7de57 |
| Android.Spy.SpinOk.1 | com.currency.dozer.currencydozer | Mega Coin Dozer | 972840e86a6939a954432f7debc16933933ea55d |
| Android.Spy.SpinOk.1 | com.video.tubecbox | TT Tube:Short Video | fe964160d2cd07fbaed1f577996a52282282305b |
| Android.Spy.SpinOk.1 | space.lattice1935.thoughts.times | Space Pop: Bubble Shooter | 7190279caac9cd541e67525fe1c6962b38f09942 |
| Android.Spy.SpinOk.2 | com.crazy.plinko.winner.game | Crazy Drop | f640fbf76b6705b734331efff0c10b5bf8f46e5d |
| Android.Spy.SpinOk.1 | com.registered.author.chair | WOW Domino | 1985d74f8b4e8650babbc9dcb113b5a36655e74e |
| Android.Spy.SpinOk.1 | com.fevercentury.cake.swap | Cake Factory:Pop Match3 | d72d4bd34e4fbf7a15309da9bbcf61cc46720f8b |
| Android.Spy.SpinOk.1 | com.realgame.solitaire.arena | Solitaire Arena | 2792493b34559cf9c7da0b701f4cc202f9240466 |
| Android.Spy.SpinOk.1 | fun.comedylivesz.trial.packages | Domino Master | ffafadd81ae2e59a7b631ae232d568a2d5b4c259 |
| Android.Spy.SpinOk.1 | com.game.fish.reworld | Royal Fishing Party | 658cc023643e0ed6f47165d91767f3433081008b |
| Android.Spy.SpinOk.1 | club.issued193911.currently.associated | Piggy Rush Slot | f19ac2bbdc14c7970eb17d65b557f912803904f4 |
| Android.Spy.SpinOk.1 | com.minota.fruit.fruitbigbang | Fruit BigBang | 25a4285ac6a85b78df75f275f4aa7187395dc4b5 |
| Android.Spy.SpinOk.1 | com.effective.start.solitaire | Solitaire Go: TriPeaks | 78648d3eb8e5b9019e5c2e1b2b653830b9d4771d |
| Android.Spy.SpinOk.1 | com.anime.checking.procedures | Casino Royale: Wild Slots | a55fa38f2ef9e6678964c12cf51b7150a6a095cd |
| Android.Spy.SpinOk.1 | com.wallplay.coinvibe.android | Coin Vibe | 0777a9faad1bc315512868e2b77cdb8ae7ba1e01 |
| Android.Spy.SpinOk.1 | com.words.money.win.cash.free.game | Lucky Word Club | 2d152243446ce717606ea93542db5971f7247a53 |
| Android.Spy.SpinOk.1 | com.money_gun.earn.money.from.your.phone | Money Gun - Earn money easily | c7022a688b0e5f2b6260e2a45ca6380b0984d3cc |
| Android.Spy.SpinOk.2 | com.sky.sea.cashzine | Cashzine - Earn money reward | fe8975d0af2f33af04b809eb63e02dabf31af1e3 |
| Android.Spy.SpinOk.1 | com.weather.rewards.forecast.money | Weather & Rewards - Real Money | 1ff27b237922b078ea153604bbc18c113a37ada4 |
| Android.Spy.SpinOk.1 | com.slots.win.money.bigcash2 | Witch Slots 2 | 715be256189c12c71fe189db89670f8d8a1e77ac |
| Android.Spy.SpinOk.1 | com.minota.fruitdropb | Fruit Drop | a1f76fcdf25ca76cac131775fe08977a90ab3f56 |
| Android.Spy.SpinOk.1 | com.kuaiyin.tick | Tick:watch to earn | 7626e54e6746bc62cd97b4b173798a4bc313b30d |
| Android.Spy.SpinOk.1 | com.bingo.joy.win.game | Bingo Joy | f25c13d74a9c5866dbe9427fec130a31cfc003ea |
| Android.Spy.SpinOk.1 | com.sandwishtube.asd | Video Tube:Cash Back | 9ab325313b45740c701d121a43ac5ac4cdf865d3 |
| Android.Spy.SpinOk.1 | com.game.slot.masterdigger | Digger Master - Casino slots | 9bad72231f25788065816930c9a5b59f881e44d3 |
| Android.Spy.SpinOk.2 | net.trendgames.play | Trend Games | 46837f94a937f943e791abe968fadbc6bcf4c10a |
| Android.Spy.SpinOk.2 | com.roaster.earn.easy | Make Money & Earn Cash Rewards | 395e139ade2f0fa2cde798e84b8f5a1ff32f110b |
| Android.Spy.SpinOk.2 | com.oufa.reward | bucksfir | 2637d1850bb3b1b7906f1fa2025df87c1e4a8475 |
| Android.Spy.SpinOk.2 | com.gx.app.novelfun | NovelFun | bb6abb4e425494dc08a8ce00bbc7f447f0b27e24 |
| Android.Spy.SpinOk.2 | br.com.pitapps.pixmaniabrasil | PixMania: Ganhe prêmios no pix | 42663ad291caaf35cb07331263746a326c34242a |
| Android.Spy.SpinOk.2 | com.memguru.pro | MemGuru | 5e90196c06166eca9db2bbb2a231590e93ea4094 |
| Android.Spy.SpinOk.2 | co.candygas.theapp | Candy Gas | 2c42ea402f3d9b2fcce3ce7c7791eddc787615d5 |
| Android.Spy.SpinOk.2 | com.prizes.cash_money_rewards | Cash Prizes - Earn Rewards App | 2da9d6ce970089b2c7cb690665d97b30eabb767a |
| Android.Spy.SpinOk.2 | com.eclipse.gamonyapp | Gamony : Make Money Everyday | 22a56f447b500c9a84cb6711d53dd1ccaeccfbd6 |
| Android.Spy.SpinOk.2 | com.ohcashapp.android | OhCash | 52188af5863c1de799e753552b123fd4a7bd899b |
| Android.Spy.SpinOk.2 | com.youth.youthrewards | Youth Rewards - Cash App | 61eba7479ad8cf26e329c807b6f7d1494a42ad17 |
| Android.Spy.SpinOk.2 | com.fantasy.crazy.pusher.coin | Fantasy Pusher | a3d14e0d9061659c54d6c26f1151d225e46136d2 |
| Android.Spy.SpinOk.2 | com.scanner.qr.myscanner | Money Game-Win Real Cash | ebc87b1b19196fbe1e12582c4fe04107cc775a56 |
| Android.Spy.SpinOk.2 | step.counter.smart.walk.android | Smart Walk | 8b562d0e7853d22627a501c2c28c3614d6da1e4b |
| Android.Spy.SpinOk.2 | e.books.reading.apps | Fizzo Novel - Reading Offline | be975d6a856b69a945540acc8d9f598745c8d144 |
| Android.Spy.SpinOk.2 | com.mania.slots.vegas.casino | Mania Vegas Slots | b9f48f360336d7e4b1c34076a4f84b493479b04a |
| Android.Spy.SpinOk.2 | com.game.tap.away.puzzle | Tap Away 3D | 12d15531228d8010d1b7078e6cfbf1e0e6b52469 |
| Android.Spy.SpinOk.2 | com.stepwin.earn.walkmoney | StepWin-Pedometer&Step Tracker | 4a2548421b7e3ef1ab8f432537cafc718c8ec01d |
| Android.Spy.SpinOk.2 | com.game.queenmatch | Queen Match-Triple Tile Master | 266c1fb538347e08a08a71e4f38aac967b8fb7c6 |
| Android.Spy.SpinOk.2 | com.erancash.times | Fast Wallet-Earn Money&games | 5bbeb5095759bdf1fefbc30ae6c60d30efaf6170 |
| Android.Spy.SpinOk.2 | com.QwekuDev.vdbrowser | Lion Coin: The King of Rewards | ce2c4d34757c715e08096f68bf2adbecfe9d537e |
| Android.Spy.SpinOk.2 | com.reweize.android | Reweize: Earn Rewards | 2f7c58f8e3e06f5eecfd31066a1ffe1a73f70d8b |
| Android.Spy.SpinOk.2 | com.swedswap.rewards | SWE Rewards "Swedswap" | 47450323a9ceb9e2ebce35541c3c157852ea3333 |
| Android.Spy.SpinOk.4 | com.freediamonds.quickhitslots.vegas | Blitz Slots | 8d448cc95d0da8073a2e5af2d55d0381eaeb9305 |
| Android.Spy.SpinOk.4 | com.water.sort.puzzle.master.captain | Water Puzzle Captain | 3838e47ccab9f8cabfdd65a7ff9be1df8e9d015d |
| Android.MulDrop.1218 (drops Android.Spy.SpinOk.2) | com.celengan.moneytube | Money Tube: Video Player | 17196b056010d4eb762bd7370c493960cf0a09bd |
| Android.Spy.SpinOk.5 | com.digiwards.app | DigiWards | 73440962c945f922c249be8476c97abef03bdbf9 |
| Android.Spy.SpinOk.2 | crypto.aliens.bch | Bitcoin Cash Giveaway | a47cdc00e60e47eb500e38ba9c7007252916ec1b |
| Android.Spy.SpinOk.2 | com.make.moneywell.game | Money Well:Play game&earn cash | 7d1475ab8b98f140f8db35832a46eb681c582805 |
| Android.Spy.SpinOk.2 | com.starcoin.moremoney | Stars Coin | 0dc9a949ffee29283000162d080b44fd5087dc95 |
| Android.Spy.SpinOk.2 | com.ctrange.colochess | Colo Chess | 3d065340af285839ab6700292b625c2965ff97bf |
| Android.Spy.SpinOk.4 | com.sermase.longertimer | Alaa win play | 8b4335db0c66985a509aa8d8d08e2d98770158b6 |
| Android.Spy.SpinOk.2 | com.videowin.app | Lucky Money - Real Money Games | f2d3ec5c1efa6d9463080b6bc6ac1cf9bfa5f668 |
| Android.Spy.SpinOk.2 | com.gopuzzlecash.android | Puzzle Cash | 3a0c16923e7382f0e381176aa8ee4d739fd6fcb3 |
| Android.Spy.SpinOk.4 | com.keyboard.governor.deliver.printing | Jackpot bingo Slots | ef46b9090cf1df63dae788ef5254b3038f6a0a6b |
| Android.Spy.SpinOk.2 | com.poprewards.app | Pop Rewards | 498086c20f5cf6e75258c1029e7482f084a46315 |
| Android.Spy.SpinOk.5 | com.cloudmob.game.playtube | Play Tube | 22d106ebc79357e7ac9346279dea7f8471d870fa |
| Android.Spy.SpinOk.4 | com.messages.offered.platform | Loto Scratch and Win | 5b6ea9667debbbde7f1d360ce1751ae7075d4ad9 |
| Android.Spy.SpinOk.2 | com.in.mvbit | MVBit - MV video status maker | 0f97969f403af7db58b39763db572370fb47449c |
| Android.Spy.SpinOk.2 | com.gamereward.real.money.games | Game Reward- Real Money Games | f5e75a012910a15534dd7d84e9972181712bd824 |
| Android.Spy.SpinOk.4 | com.park.inc3d2022 | Parking Inc. 3D | 89714a6aade48a1e0bd2c89b42d20d91695f42c1 |
| Android.Spy.SpinOk.1 | com.myepic.mayamerge | Maya Merge | b3a3e2709e7365c9e49170fc24fc8cc310a9486d |
| Android.Spy.SpinOk.5 | com.vodofun.royaldice | Royal Dice Party | b7bb205aef76d3ce5e9761927ae96dbd8902b82d |
| Android.Spy.SpinOk.4 | com.blackgold.cwto21 | ChipWin To 21:Merge game | 07cd4b892abadbc3091f584f4f37f80bdb1b06fa |

|===

== Network indicators

=== Domains

----
https[:]//d3hdbjtb1686tn[.]cloudfront[.]net/gpsdk.html
https[:]//s[.]hisp[.]in

----