├── andromeda ├── buhtrap ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── danabot ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── nukesped_lazarus └── Makefile ├── gamarue ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── powerpool ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── glupteba ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── rakos ├── samples.md5 ├── samples.sha1 ├── samples.sha256 ├── README.adoc ├── rakos.yar └── vars.yaml ├── casbaneiro ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── gamaredon ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── grandoreiro ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── interception ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── quarterly_reports ├── README.adoc └── 2020_Q2 │ ├── samples.md5 │ ├── samples.sha1 │ └── samples.sha256 ├── Makefile ├── gmera ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── keydnap ├── samples.md5 ├── samples.sha1 ├── samples.sha256 ├── README.adoc └── keydnap.yar ├── industroyer ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── guildma ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── amavaldo ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── dnsbirthday ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── mispadu ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── ramsay ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── sednit ├── 2019-05-23_Zebrocy.adoc ├── 2017-05-09_Trump_Attack_on_Syria_IoCs.adoc ├── 2018-11-20_Zebrocy.adoc ├── part3.adoc ├── lojax.adoc └── README.adoc ├── dukes ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── kasidet ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── deprimon ├── samples.md5 ├── samples.sha1 ├── 
samples.sha256 └── README.adoc ├── README.adoc ├── moose ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── attor ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── telebots ├── samples.md5 ├── samples.sha1 ├── samples.sha256 └── README.adoc ├── LICENSE ├── oceanlotus ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── okrum_ke3chang ├── samples.md5 ├── samples.sha1 └── samples.sha256 ├── mikroceen ├── samples.md5 ├── samples.sha1 ├── README.adoc └── samples.sha256 ├── windigo ├── windigo-cdorked.rules ├── windigo-onimiki.rules ├── windigo-ebury.rules ├── windigo-onimiki.yar ├── samples.md5 └── samples.sha1 ├── mumblehard └── mumblehard_packer.yar ├── sshdoor ├── crait_report.ksy ├── samples.md5 ├── kessel_config.ksy └── misp-events │ ├── bespin.json │ └── borleias.json ├── potao ├── potao-et.rules └── samples.md5 ├── turla ├── carbon_tool.py ├── carbon.yar └── gazer.yar ├── evilnum ├── samples.md5 └── samples.sha1 ├── greyenergy ├── samples.md5 └── samples.sha1 ├── invisimole └── samples.md5 ├── rtm └── samples.md5 └── machete └── samples.md5 /andromeda: -------------------------------------------------------------------------------- 1 | gamarue -------------------------------------------------------------------------------- /buhtrap/samples.md5: -------------------------------------------------------------------------------- 1 | 12f65a68e13cd0d2592df43acc6bfbea 2 | f36fe1716c9e38fa39186b63339ebee6 3 | -------------------------------------------------------------------------------- /danabot/samples.md5: -------------------------------------------------------------------------------- 1 | 632d1a50e4f75b12521c14e390596125 2 | 0a33222032e7e78de45acb076adb951d 3 | -------------------------------------------------------------------------------- /nukesped_lazarus/Makefile: -------------------------------------------------------------------------------- 1 | all_hashes.txt: README.adoc 2 | grep ^- $< | cut -c 4-67 > $@ 3 | 
-------------------------------------------------------------------------------- /buhtrap/samples.sha1: -------------------------------------------------------------------------------- 1 | 2f2640720cce2f83ca2f0633330f13651384dd6a 2 | c17c335b7ddb5c8979444ec36ab668ae8e4e0a72 3 | -------------------------------------------------------------------------------- /danabot/samples.sha1: -------------------------------------------------------------------------------- 1 | 0c2389b3e0a489c8e101ffd0e3e2f00e0c461b31 2 | a05a71f11d84b75e8d33b06e9e1ebfe84fae0c76 3 | -------------------------------------------------------------------------------- /buhtrap/samples.sha256: -------------------------------------------------------------------------------- 1 | 91d67d2d9387ee5c4ded96311980a066ae7548eb4d5499acc05c11c6789258c0 2 | 7c1971f434d6ec8b8bd837dfca03115b55d0b12e95394af4dd17142099805d8f 3 | -------------------------------------------------------------------------------- /danabot/samples.sha256: -------------------------------------------------------------------------------- 1 | 66c3a85ab2f34092fd15cf15e5c289cc70dd65bb86edf8308ca7b5ae1363abb5 2 | e7c4fbe5eb0a2e166d84bfb799f1b34773e5792c794505a526656efd2eba2214 3 | -------------------------------------------------------------------------------- /gamarue/samples.md5: -------------------------------------------------------------------------------- 1 | c9d6af1ebd361e8015d379b3bd1c1943 2 | 8c3ee0dfa4af14120d06df91371b6fcb 3 | b5e0f74c50ffc5c22946c41e712ae76a 4 | 5fa684a8119889e401f746ead7a20def 5 | -------------------------------------------------------------------------------- /gamarue/samples.sha1: -------------------------------------------------------------------------------- 1 | bcd45398983eb58b33294dfe852b57b1add5117e 2 | cc9ac16847427cc15909a60b130cb7e67d2d3804 3 | 6d5051580da73570944bbe79a9ea7f2e4d006699 4 | 6fa5e48ad60b53761a42725a4b9ec12b85963f90 5 | 
-------------------------------------------------------------------------------- /powerpool/samples.md5: -------------------------------------------------------------------------------- 1 | 80e7a7789286d3fb69f083f1a2dddbe6 2 | 32b8d08e67cf509236ae8142fbeb30b3 3 | efe3518ee7d62299d01b7882f72ffd0a 4 | 99670267cbece5f5cc3ce92efd5bb04b 5 | e2bd4044fab4214c4aa7dd65d65fca21 6 | -------------------------------------------------------------------------------- /glupteba/samples.md5: -------------------------------------------------------------------------------- 1 | 6303a523649181bb0c60b29de1a70304 2 | e51ada8b144ff8271ba31429d2f5e480 3 | 584d919500b9edce244692436e405b2b 4 | 6d5616c83492e5c0a199ad4337c1b4fd 5 | b49335fa74781ec00a91cefa88084222 6 | 623ee6b7d5def6c311a9f434d071fcb4 7 | -------------------------------------------------------------------------------- /powerpool/samples.sha1: -------------------------------------------------------------------------------- 1 | b4ec4837d07ff64e34947296e73732171d1c1586 2 | 038f75dcf1e5277565c68d57fa1f4f7b3005f3f3 3 | 247b542af23ad9c63697428c7b77348681aadc9a 4 | 9dc173d4d4f74765b5fc1e1c9a2d188d5387beea 5 | 0423672fe9201c325e33f296595fb70dcd81bcd9 6 | -------------------------------------------------------------------------------- /glupteba/samples.sha1: -------------------------------------------------------------------------------- 1 | b623f4a6cd5947ca0016d3e33a07eb72e8c176ba 2 | 70f2763772fd1a1a54ed9ea88a2bcfdb184bcb91 3 | f7230b2cab4e4910bca473b39ee8fd4df394ce0d 4 | 1645ad8468a2fb54763c0ebeb766dfd8c643f3db 5 | ed310e5b9f582b4c6389f7ab9eed17d89497f277 6 | 87ad7e248dadc2fbe00d8441e58e64591d9e3cbe 7 | -------------------------------------------------------------------------------- /gamarue/samples.sha256: -------------------------------------------------------------------------------- 1 | 91dbd86deb59740c8f358574a798303615f52e95518b83ae3818cbb0016a49f7 2 | 112fe3250238acc98fe8a1d985f8ac9e2533118f4f3455a339735b5f8a940016 3 | 
84bef212de8a6b8b76db055cafeaabf55f962f24063dfe9f7da520e481320a9e 4 | aa9d40f383df6149c9168a405e395f4e860b7812ec1baa99f492b5733a9f277b 5 | -------------------------------------------------------------------------------- /rakos/samples.md5: -------------------------------------------------------------------------------- 1 | 19705141888917dddda4cac32ec8b6fc 2 | 4416e7bfbfa7318f10c8c08cff3fce5d 3 | ce12f465f353bb1b64f790a5e4cd45af 4 | 1c672ba32e481faeccade0ad43ea5a08 5 | 841eac692e4c5fb09f18c229c59a3fcb 6 | eedab74ca1303647ade4fb0b0b588a36 7 | 96c5ec03c20491389a240ead5cbd72fe 8 | 9a0ea27a15899e47bfe6fcc7c9df36c6 9 | -------------------------------------------------------------------------------- /casbaneiro/samples.md5: -------------------------------------------------------------------------------- 1 | 60c34d025cec313b443ab4600746579d 2 | fa270e87548b889dcbbd0c9a7a489fee 3 | 82e2d1a00e98f755657777e981d1eee1 4 | 59e2dbbc34cc7641cace3e1e847b78e5 5 | 74dd5d1b06d94411f2f0eb4b493d5e7c 6 | 65b12cb6b5ea3827c5542c66f1c62ca2 7 | 47265b8d72cf13ab265b36d7a879a5f6 8 | bd6357cf07248cf228dc9c9318b967fc 9 | -------------------------------------------------------------------------------- /gamaredon/samples.md5: -------------------------------------------------------------------------------- 1 | c09794ddb7f5ce5f88304843687fd55c 2 | 1df3fd2b6c4e4640be91d62a8bb74150 3 | 73bd624bbb770c82e720a930ad9d6b66 4 | e83615afa0781a822d79d3e05b912938 5 | fc1f9207e5d8c1f5b40c19a91435d213 6 | 3603286b1fb1707988e1c1e0c60835a6 7 | 55f603e253df38092f8073700c6163c8 8 | d088047cc6a011b99ebc987702a2c0c9 9 | -------------------------------------------------------------------------------- /grandoreiro/samples.md5: -------------------------------------------------------------------------------- 1 | a04b0a65443828be16d2c61b40093898 2 | c94ec48e18fbfbda9f299ab46672c997 3 | 26108b36a9348bb7813c314d97a90fb7 4 | 4230d993c2113a7ffa7fcdcd4f554490 5 | e336bb69bf7df42b6b94a6d9d00442a1 6 | 
7406cc3727e91a0a3762b9ae9c6cd1d6 7 | f973be3b3e5b0953f50b6e2454852046 8 | d69a2b5b8112f3bbd34fbb6319171a04 9 | -------------------------------------------------------------------------------- /interception/samples.md5: -------------------------------------------------------------------------------- 1 | 922acc98cff5377fb58c7babdcb9b1af 2 | 74a8f57a9b8df4cbf1dc79f6ae1fbe05 3 | 5ea378474295858c6b01ee342fc99228 4 | 5619f2a5b06c945f7a31cfe741517e1e 5 | f9f60d2758a061f2897813723a6b892e 6 | 21c6e9478beca6f413213f080ab7c091 7 | f5a295c37ddf9664239f0e30003d31c0 8 | 851a4f13928a5edb3859a21a8041908e 9 | -------------------------------------------------------------------------------- /quarterly_reports/README.adoc: -------------------------------------------------------------------------------- 1 | = Quarterly reports IoCs 2 | 3 | The directory contains indicators of compromise related to 4 | https://www.welivesecurity.com/papers/threat-reports/[ESET's quarterly Threat 5 | Reports] published on https://www.welivesecurity.com[WeLiveSecurity]. 6 | 7 | Each publication has a subdirectory with its IoCs. 
8 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Makefile to generate a zip file with IOCs 2 | # Olivier Bilodeau 3 | # Copyright (c) ESET 2014 4 | 5 | HEAD=$(shell git show -s --format=%h) 6 | 7 | default: distrib 8 | 9 | clean: 10 | rm -f *.zip 11 | 12 | distrib: clean zip 13 | 14 | zip: 15 | git archive -v -o malware-ioc-$(HEAD).zip HEAD 16 | -------------------------------------------------------------------------------- /gmera/samples.md5: -------------------------------------------------------------------------------- 1 | 4623f860c600fa6535b911cff64ab3c4 2 | a13e3e24b81e127da91a85fe32768acd 3 | e1b49de17d8bc4f9420df8ab6b684159 4 | 8f67b858fac3f3b9acbadefbacd5aa0b 5 | 9308c2c452960b1b5efb0d5029ffdfd3 6 | f241140158f4e7cf0e3d35f8688c89e8 7 | 1c1be7afecf51f38dfb0f10c8129c373 8 | 041f5728c5bea426a7453ec58ddb622e 9 | dc577d5830fcea6e61cc4fef16ed87d3 10 | -------------------------------------------------------------------------------- /keydnap/samples.md5: -------------------------------------------------------------------------------- 1 | 033408bb276e2cca4a1f6d64781f943b 2 | 25d239791cc6186489d36cdd22686f65 3 | c2c9faded8a79eab092ed72d18a47849 4 | e9eb9b4adbaf9e2853b42fc6cfbfdaac 5 | 04c7badfb6a330cb31cc9ad59098977b 6 | 065c33361684b2602873f195c59bbc6e 7 | ae09674fa0e132ab6f61b09785aff275 8 | b77c410127076083dc3319714efb8aef 9 | 8c414488b1fd6c8c8f1d0c1a34fddcc8 10 | -------------------------------------------------------------------------------- /industroyer/samples.md5: -------------------------------------------------------------------------------- 1 | f67b65b9346ee75a26f491b70bf6091b 2 | ab17f2b17c57b731cb930243589ab0cf 3 | 497de9d388d23bf8ae7230d80652af69 4 | f9005f8e9d9b854491eb2fbbd06a16e0 5 | 11a67ff9ad6006bd44f08bcc125fb61e 6 | 7a7ace486dbb046f588331a08e869d58 7 | a193184e61e34e2bc36289deaafdec37 8 | 
ff69615e3a8d7ddcdc4b7bf94d6c7ffb 9 | fc4fe1b933183c4c613d34ffdb5fe758 10 | -------------------------------------------------------------------------------- /powerpool/samples.sha256: -------------------------------------------------------------------------------- 1 | 58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd 2 | 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4 3 | 035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5 4 | 97b5b4478d234632df4c65ec251051a6b032ce21e9e68495e31f077bf4074831 5 | af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1 6 | -------------------------------------------------------------------------------- /rakos/samples.sha1: -------------------------------------------------------------------------------- 1 | e53c73fe6a552eab720e7ee685ea4e159ebd4fdd 2 | def04ec688ac6b41580dd3a6e78445b56536ba34 3 | c54d50025d9f66ce2ace3361a8626aee468d94ba 4 | 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0 5 | f80836349d6e97251030190ecd30dda0047f1ee6 6 | c93bddd9cdb4f2e185b54a4931257954e25e7c37 7 | 36b2fffe98f517355425797fc242f2cb82271c0c 8 | 14af6254d9ca310b4d52778d050cb8dd7a5de1d8 9 | -------------------------------------------------------------------------------- /casbaneiro/samples.sha1: -------------------------------------------------------------------------------- 1 | bcdf0ddf98e3aa7d5c67063b9926c5d1c0ca6f3a 2 | 9dffeb147d89ed58c98252b54c07fae7d5f9fea7 3 | c873ed94e582d24faae6403a17bf2df497be04eb 4 | dd2799c10954293c8e7d75cd4be2686add9ac2d4 5 | b3630a866802d6f3c1fa2ec487a6795a21833418 6 | bc909b76858402b3cbb5efd6858fd5954a5e3fd8 7 | 8745197972071ede08aa9f7fbec029bed56151c2 8 | f07932d8a36f3e36f2552dadedad3e22efa7aae1 9 | -------------------------------------------------------------------------------- /gamaredon/samples.sha1: -------------------------------------------------------------------------------- 1 | 6f75f2490186225c922fe605953038bdeb537fee 2 | 9afc9d6d72f78b2eb72c5f2b87bdc7d59c1a14ed 3 | 
336c1244674bb378f041e9064ea127e9e077d59d 4 | dc8bd2f65fd2199ce402c76a632a9743672efe2d 5 | dfc941f365e065187b5c4a4bf42e770035920856 6 | 941f341770b67f9e8ee811b4b8383101f35b27cd 7 | 5fc1b6a55a9f5a52422872a8e34a284cdbdd0526 8 | 3dd83d7123aefbe5579c9dc9cf3e68bcafc9e65e 9 | -------------------------------------------------------------------------------- /grandoreiro/samples.sha1: -------------------------------------------------------------------------------- 1 | bced5d138aceada1ef11bfd22c2d6359cda183db 2 | 42892df64f00f4c091e1c02f74c2bb8bad131fc5 3 | 7905db9bbe2cb29519a5371b175551c6612255ef 4 | 28d58402393b6bca73ff0eac319226233181edc9 5 | 7c2ed8b4aa65befcc229a36ce50539e9d6a70ee3 6 | 40fbc932bd45feb3d2409b3a4c7029ddde881389 7 | 27a434d2ef4d1d021f283bcb93c6c7e50acb8ea6 8 | bd88a809b05168d6efdba4dc149653b0e1e1e448 9 | -------------------------------------------------------------------------------- /interception/samples.sha1: -------------------------------------------------------------------------------- 1 | ae130a678d76c44171799c0750fefd5db43a9de4 2 | 286c01eab255da32b7f36ce9814da3999e17f40d 3 | fb38c71dd02c3926f9a1c146a13a66579d3f88d2 4 | b1199ee7afb1f348d42bef1caed7e405a7631b1b 5 | 0c63f318edeaedc7d7af28304a61a0df71699f89 6 | d07b19373293369c55cc6e7e0d4cf6cfe32542df 7 | 8690930299d83fe65a9c3c5cd1d7f509a79d8e71 8 | 373ec71b31f803298f06b7eded059bc1e7c6d70b 9 | -------------------------------------------------------------------------------- /guildma/samples.md5: -------------------------------------------------------------------------------- 1 | 9cf275040d1972d00d46707e95ee7903 2 | 9ac074f895f9cb402f2c6ac5cffb5180 3 | 41f7d85a459d7eb8c3f6c251263d2b06 4 | fff9c4dfdda8f7f6c58cb0c005129eea 5 | f622d5ee36405414c4b80226b6c42d79 6 | 4742aeb621d786ea514ca984cbee7dfc 7 | aeee16993df41049a5f58f4654d1e8a9 8 | 26e40755772c6be66505de2f3a612877 9 | 9a8abf96a6490b4d6b558a2f0cc6f3c5 10 | e7129bbe7b83b72558de0fca0e13a3d5 11 | 
-------------------------------------------------------------------------------- /gmera/samples.sha1: -------------------------------------------------------------------------------- 1 | 4c688493958cc7cccfcb246e706184dd7e2049ce 2 | da1fda04d4149ebf93756bcef758eb860d0791b0 3 | 560071ef47fe5417fff62cb5c0e33b0757d197fa 4 | 2ac42d9a11b67e8af7b610aa59aadcf1bd5ede3b 5 | 9c0d839d1f3da0577a123531e5b4503587d62229 6 | f6cd98a16e8cc2dd3ca1592d9911489bb20d1380 7 | 575a43504f79297cbfa900b55c12dc83c2819b46 8 | b8f19b02f9218a8dd803da1f8650195833057e2c 9 | af65b1a945b517c4d8baaa706aa19237f036f023 10 | -------------------------------------------------------------------------------- /glupteba/samples.sha256: -------------------------------------------------------------------------------- 1 | e22b21736d60f9a8535ea70f6c1242cd17f0fdc86d55c3146cfe1da71bc948db 2 | ddcb91743753c4912fe290182f54c7537c78810987422f54619e91b3dfc97dae 3 | 969b77e52b571cddffe60aaf2e5ff8de6dfb612841a28bfbc9f3af3288fe9980 4 | 622ecb0b874225b3f20bb70a2ce6378472c42b538b1a0bee0eac9ccd309f50ea 5 | ca3f04a495c2fe626d441ab54a27f4a972b44d5d7b3a323f9dbeb4df9b72f912 6 | ed309c1a22dfb7a370c9e55c8a2bcf2d16f78e513c302ce5b3010283e8174d6b 7 | -------------------------------------------------------------------------------- /keydnap/samples.sha1: -------------------------------------------------------------------------------- 1 | 773a82343367b3d09965f6f09cc9887e7f8f01bf 2 | 7472102922f91a78268430510eced1059eef1770 3 | abf99129e0682d2fa40c30a1a1ad9e0c701e14a4 4 | dfdb38f1e3ca88cfc8e9a2828599a8ce94eb958c 5 | a4bc56f5ddbe006c9a68422a7132ad782c1aeb7b 6 | 2739170ed195ff1b9f00c44502a21b5613d08a58 7 | e9d4523d9116b3190f2068b1be10229e96f21729 8 | 78ba1152ef3883e63f10c3a85cbf00f2bb305a6a 9 | 07cd177f5baf8c1bdbbae22f1e8f03f22dfdb148 10 | -------------------------------------------------------------------------------- /industroyer/samples.sha1: -------------------------------------------------------------------------------- 1 | 
f6c21f8189ced6ae150f9ef2e82a3a57843b587d 2 | 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04 3 | b335163e6eb854df5e08e85026b2c3518891eda8 4 | 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a 5 | 8e39eca1e48240c01ee570631ae8f0c9a9637187 6 | b92149f046f00bb69de329b8457d32c24726ee00 7 | 94488f214b165512d2fc0438a581f5c9e3bd4d4c 8 | 2cb8230281b86fa944d3043ae906016c8b5984d9 9 | cccce62996d578b984984426a024d9b250237533 10 | -------------------------------------------------------------------------------- /guildma/samples.sha1: -------------------------------------------------------------------------------- 1 | 4f65736a9d6b94b376c58b3cdcb49bbd295cd8cc 2 | 37fd19b1ab1dcc25e07bc96d4c02d81cf4edb8a1 3 | 6c9304c5862d4e0de1c86d7ae3764f5e8358daff 4 | 89fbffe456de850f7abf4f97d3b9da4bad6afb57 5 | af0d495ecc3622b14a40ddcd8005873c5ddc3a2d 6 | 92bcf54079cbba04f584eac4486473c3abdd88cd 7 | a7b10b8de2b0ef898cff31fa2d9d5cbaae2e9d0d 8 | 45c58bc40768dce6a6c611e08fd34c62441aa776 9 | a2048f435f076988bf094274192a196216d75a5f 10 | 861f20b0dcc55f94b4c43e4a7e77f042c21506cf 11 | -------------------------------------------------------------------------------- /amavaldo/samples.md5: -------------------------------------------------------------------------------- 1 | 1091a566e2f44bada1f814998034bd04 2 | 3797869c58148fdc45ccf5c8aaf0dab3 3 | 6f2bf181f8b9ca1d28465ed6bab6f3e2 4 | 7cb500021ff667f6082fca1bb4811409 5 | 88eca26e7f720a3faa94864359681590 6 | 90ab08fbe569184b8386059ab41b2153 7 | a6c853789e71dca7fd732c4798617f71 8 | e880c09454a68b4714c6f184f7968070 9 | 9f1e5d66c2889018daef4aef604eebc4 10 | 4a3cdcef8ed41b221f3dbef5792fb52d 11 | 45c01734ed56c52797156620a5f8b414 12 | df3e0e32d1e1fb50cc292aebc5e5b322 13 | 55ffee241709ae96cf64cb0b9a96f0d7 14 | -------------------------------------------------------------------------------- /dnsbirthday/samples.md5: -------------------------------------------------------------------------------- 1 | b611e3475cf099f2dfbf0a8324392100 2 | ce388866bbf70b553ab22f2813c61410 3 | 
a94b52c842465f5ed821ac6f779f6e32 4 | 707db964e74b17460c91c0d8aa10eeac 5 | 34b256378caff57f5658a6e9aaea9da5 6 | 239fc4c16fe0c7894f4661f8f4c5c896 7 | 542774f19d67fbbd90014dc592838cce 8 | 8c56a3682ac5c6918062a096f60747f5 9 | 99b29debda826d857f62568fc7daf8af 10 | 93fe2510e5da13b64d4bb9ea1d3b6b50 11 | 575c9c5d855bf6aa49cf8435ff0aab3c 12 | 6b28ddd8c552b74d140ba7a02f9e3df5 13 | 96e59cf912c16d8663b624ba8832793f 14 | -------------------------------------------------------------------------------- /rakos/samples.sha256: -------------------------------------------------------------------------------- 1 | 3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470 2 | 83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25 3 | efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2 4 | d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e 5 | ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb 6 | d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05 7 | 2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9 8 | a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d 9 | -------------------------------------------------------------------------------- /casbaneiro/samples.sha256: -------------------------------------------------------------------------------- 1 | bbdfd1b176b1d42ab4306c924af4374c00c5abe5427224e0c29411485e1984ec 2 | 53e16a8d0c6a9f9d3c55da277633e74ac8609c9228a41b7a9e78e0a47d81d773 3 | d4b72b7881fb44d10529014f1e6e2bc06b1b041aa2cacba320256eda072744d2 4 | 81b163d06bfa19638014bdf3932b1dfc60eee091bace0efad581081bfc94af7b 5 | 40ef0a2a7dbcbf122e26777d044295a4118fe7c77d5e7fbaae5a8f672a38cc55 6 | a5b7c29324f616d03f4b811e5f5ad3a0f19425cefbdcd866df381bab02707678 7 | 4d509f2d24ba0f938fd9e30dd537c0c0552718ca4ddd4c7cebd50b57bf2ca9ed 8 | 085600ed239c4f2f1619ba62868749c2d38a1c837065f87ed07214cf745b0c8b 9 | -------------------------------------------------------------------------------- 
/gamaredon/samples.sha256: -------------------------------------------------------------------------------- 1 | ee29eb3980dff9034b1c539a799cedc1428224855e6d515d81da226448b81521 2 | af25a7b21b7f513ec37e7230f96aaebb21e38c4f74e011fc5613fae10a7465d9 3 | de48172aa4a204d8eaa00e8b6e774fcbf1575066eaf41d259fd291a22d4eadce 4 | 0a808f836bd3ab7e774e2ba6a71e7e9f3f35b9a88982bc6cc2b7aee5aa5ed3fe 5 | ea68d8da67ebf9dbe1c3af590768704135f5230a15b9e1114bde51d7e8e9e39f 6 | a81a3c6c1a89310d78a7913a6184aee5f093a99eeada09afbca5175c1e30099d 7 | adc9077d9807e83e6cdb1976ec9701330e1791f33bcaf9ee2b113b59923627e4 8 | 5727af66a2ff9bd5e6884feeaeef249d978ad47a55b0a240ea0f23270f42b895 9 | -------------------------------------------------------------------------------- /grandoreiro/samples.sha256: -------------------------------------------------------------------------------- 1 | a8ce4d4e61236b1e7596193163214e803abe223e5616b826661642b166e25486 2 | b1e4ae121886039ea865549d0cb81f1f954056545a5aec487a538ae5f616bb52 3 | 5e03f24eb44630e351d99a3dcb2f749520f3b01a41da8915e61333b8a827935a 4 | 79181209f9d352136e6f3c496fcd99356f2b92a9e07271cd5cea433629771f24 5 | 973872421b24e0f7bb98a89a78b8fc16630f9afb35dba15852f8b3acf8a739c9 6 | 424cab9401adc2bf7ad478eb33dabeb2df00838959ee7f089b74175530bbcccc 7 | 8e134226dd9fa93ab9ff34bf7459b56b0e9de1db23e6d69efe941adf91bbb66a 8 | 85dc3e2940d21966d4c596428de7f32b14ef7ebb7a0475748e8920714fec84f4 9 | -------------------------------------------------------------------------------- /interception/samples.sha256: -------------------------------------------------------------------------------- 1 | 149066503652dc0f01a9418e39c187a3bd42b92db0baaee45fc00d5780e522e8 2 | d0cbdc854a29058b9004dd94d8f797fe789787b6c485c0901bfda2a1ef8e7960 3 | 5c7bb5dec82060a71e3a032e5841ee04d0629516ce423752e97a1ccfa684d8a5 4 | c418472505deb7f754af1c8b835b9febbdfb3794459bf8fd03851cb8b6d96e21 5 | a0c470007222480de7c462e5894f45ecb298f2dc17b8ac5f04c09e3831e38911 6 | 
65c739d78ce0ac2a2de0065d62e5a9a07183c47c7f0dab9bc07a255cd4711f4d 7 | d307d51d62674856c216f4de99e5d6d5efc0e31a10dbbf111e8310f6dae1dc43 8 | 33d2b141b17e6e04da11b2a75ca2dab74de19c1fb7be5065e839f540d267bdca 9 | -------------------------------------------------------------------------------- /mispadu/samples.md5: -------------------------------------------------------------------------------- 1 | ac92fd8a98251517d6fc388c6430827f 2 | 053d613849ee008f5a1967bf0219d406 3 | 0ea4196141215c3148054f029fc9c96a 4 | e0aac7e3c25c0c9d83955b9745068093 5 | 5a844a95d850eff71adf9657c1407030 6 | f14cb7f36795c5b96594841ab72ac017 7 | 024ff6c7fff97103fe81120aea96da94 8 | e31999a9b5f3226fc2f931165908d88b 9 | eda3dd0fad912aba298e47cbc5c2ebd2 10 | 525e86186b017bfbbdef82802dba6950 11 | adf70ffac3fd504332227d2308a1d12f 12 | 54e8ded7b148a13d3363ac7b33f6eb06 13 | e60bad975bbec25fe5d26298a3eafbe4 14 | 32245c1462784999cc4c09e9734f9bf7 15 | b48641db701df1c0f9f22519b0eb5ab4 16 | -------------------------------------------------------------------------------- /amavaldo/samples.sha1: -------------------------------------------------------------------------------- 1 | 1d56bab28793e3ab96e390f09f02425e52e28ffc 2 | 4dba5fe842b01b641a7228a4c8f805e4627c0012 3 | 6d80a959e7f52150fda2241a4073a29085c9386b 4 | 9a968341c65ab47bf5c7290f3b36fcf70e9c574b 5 | ad1fce0c62b532d097dacfce149c452154d51eb0 6 | b761d9216c00f5e2871de16ae157de13c6283b5d 7 | b855d8b1bad07d578013bdb472122e405d49acc1 8 | e0c8e11f8b271c1e40f5c184afa427ffe99444f8 9 | b80294261c8a1635e16e14f55a3d76889ff2c857 10 | 6c04499f7406e270b590374ef813c4012530273e 11 | fc37ac7523cf3b4020ec46d6a47bc26957e3c054 12 | 12c93bb262696314123562f8a4b158074c9f6b95 13 | b191810094dd2ee6b13c0d33458fafcd459681ae 14 | -------------------------------------------------------------------------------- /dnsbirthday/samples.sha1: -------------------------------------------------------------------------------- 1 | cc291be6cbc7b0dc3aa09973d0ed98e363f9083f 2 | 
19041323a4ecd92eb888664e1d2c0b2893419f78 3 | 0f4aeee1a0878eb510229b871e02eb1e1939107e 4 | 59eb5b5d3171069761a13389a1a7cce12a95e0bd 5 | d1085fb7f2c4d1add9244cb8af6d0e25b50d7b14 6 | 94c6f2bbad0ce47957d18b53ef1938d846d7576f 7 | f02e0012aedf02f898f1558c827491d7099c1d62 8 | e6b6fe919cf6c3af0d40594e86da4cf776dbcf9a 9 | 8cfbd1f7e4d8c4357766f0f4b84bb08cf2e78c17 10 | ce84d96a974e95499fadd3320f851c0b728cd438 11 | 6a07de60da0962ee952e63ac89ce86d2581f3926 12 | 5a5174739bbb7881c46112704cbf039f39d98fec 13 | 892785875fcdfe4cc672ba1c3fc59bfbf37c7efe 14 | -------------------------------------------------------------------------------- /gmera/samples.sha256: -------------------------------------------------------------------------------- 1 | 49feb795e6d9bce63ee445e581c4cf4a8297fbf7848b6026538298d708bed172 2 | eacf7e3865e9995fd5fe74e61b2073441cba4029610cae739b2006de8e5787dc 3 | ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06 4 | 9becf766448205a3bdab89f191b1f77942843021b200462f47988d06d705e0ec 5 | 3d0e3c351e79ec72b2412428219f0700838175799e82d8c28c3ff09c7a4234fa 6 | 138a54a0a1fe717cf0ffd63ef2a27d296456b5338aed8ef301ad0e90b0fe25ae 7 | 85e5429c06cf3dd370755ce418c471f44a947c427c5ef44cd9c3d5037ccc3495 8 | 1429a3bf995ba8a5563d4988ea4d824f192d01d0f85427abbd8a2d0f863a64f6 9 | 0aa69c3ecdc8f63f9de9bc2b8440cfb01d06b68a7452f4a59f422662ff476eb9 10 | -------------------------------------------------------------------------------- /keydnap/samples.sha256: -------------------------------------------------------------------------------- 1 | 5d68d761026f6c5354a70c20b304b4c7972d7a1a55ae0ddebc7bab10f355437a 2 | f7331310cf59049d42cc1e51b95f54aa8160b50769147ff0c9ef7a9ca04c6dba 3 | 23296f664e9d40be3a20f6bb4e5bb328556e0aa0408fb006725f9db72ae4682c 4 | 52415bc62c68fee6f26c303aeecb132939951d7fd4651338b27a5c69e8771bfa 5 | 8d2bd504125d815339af52558a38f804048a56a213424378af83fd3c0d4c131c 6 | ebaba752e9e6f0a0233467a7162f0342ce7dd702bf3d2a30981a9bf28b22f766 7 | 
64cc212853359ec2164ceb142961db25452e576a94bc1e092417eb4cd2bf9186 8 | 924035cf6990fcda744737bde60036a3938fd42ac5d06a5cddd8f66d0e9eac2a 9 | 296e962560f69f12f93e457549a8612ab66b9df1d93c27b074bb8609764db480 10 | -------------------------------------------------------------------------------- /industroyer/samples.sha256: -------------------------------------------------------------------------------- 1 | 37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4 2 | 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81 3 | 893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f 4 | 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561 5 | 3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571 6 | ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910 7 | 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad 8 | ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77 9 | 6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47 10 | -------------------------------------------------------------------------------- /ramsay/samples.md5: -------------------------------------------------------------------------------- 1 | 03bd34a9ba4890f37ac8fed78feac199 2 | 07858d5562766d8239a7c961feea087c 3 | 186b2e42de0d2e58d070313bd6730243 4 | 1f1121c282fefb076fa77939c35f2a33 5 | 27cd5b330a93d891bdcbd08050a5a6e1 6 | 3654c3fa86f19d253e4c70bdf5f3d158 7 | 615a0f818dc0ded2f138d6b3b2dfd6e5 8 | 789a56aed7a6d50d3fcd3015080a4f56 9 | 7a32803bf0de13d2c5ea966976c64faa 10 | 8413ab4d5a950f81b40ceebc3f1e7273 11 | 8aa069860d591119af2859856ad5f063 12 | 8d41d7fae90cd8363ba3ccbd94a52f7e 13 | b2b51a85bdad70ff19534cd013c07f24 14 | b796298d6f3f5939895e00ac5d35ca68 15 | bb72720bc4583c6c4c3caa883a7dec95 16 | cb0e3a54934fc3f1750a3faed79b4d9a 17 | e61ba12c33db1696715401d8fd0baae9 18 | -------------------------------------------------------------------------------- /sednit/2019-05-23_Zebrocy.adoc: 
-------------------------------------------------------------------------------- 1 | == Blog: A journey to Zebrocy land 2 | 3 | .IoCs 4 | [cols="2*",options="header",frame=none] 5 | |=== 6 | |SHA-1 7 | |ESET detection names 8 | |`bfa26857575c49abb129aac87207f03f2b062e07` 9 | |`Win32/PSW.Agent.OGE` 10 | 11 | |`48f8b152b86bed027b9152725505fbf4a24a39fd` 12 | |`Win32/TrojanDownloader.Sednit.CMT` 13 | 14 | |`1e9f40ef81176190e1ed9a0659473b2226c53f57` 15 | |`Win32/HackTool.PSWDump.D` 16 | |=== 17 | 18 | === Distribution URL 19 | 20 | `http://45.124.132[.]127/DOVIDNIK - (2018).zip` 21 | 22 | === C&C server 23 | 24 | `http://45.124.132[.]127/action-center/centerforserviceandaction/service-and-action.php` 25 | -------------------------------------------------------------------------------- /dukes/samples.md5: -------------------------------------------------------------------------------- 1 | d96491796c402a1aebb30b00b20ac8c2 2 | 8173ccb6b3936f72bb8701025d92ff7e 3 | 378ae22bbb1ef4b1ac031dccb3094931 4 | 98b2087f9b842320c39ab041c08fefce 5 | 1e599b7cae957c2ce87f95822b9f560a 6 | e4d31bd6bb58cbeafa57f1d2a78cd249 7 | e2935caf2dd982c918366549fad168ca 8 | 16981cc83348c6f4e6786726eea12054 9 | 805f4fb534f8665abc74ff00741dd721 10 | a66a3948fe8fbce7ce8ba88eb9daa0ba 11 | a6b1ae7b778a9f8994617d4babd7ee85 12 | ffdadc7a09832c7ddf310a07ca65f816 13 | c8e6cab481e023001ef10dd278ff83c2 14 | 1559be5e8b96312f3fbe383c8d810053 15 | 92d2204691f8ac9274b2943f88958552 16 | 5e08b729bb708530d36b5d3bd1aa08fd 17 | cc216e41ad4291d0cc4c77d88c234f6d 18 | 79b3bc9f67444f6dee1d8127a0e300ab 19 | -------------------------------------------------------------------------------- /mispadu/samples.sha1: -------------------------------------------------------------------------------- 1 | 3486f6f21034a33c5425a398839de80ac88feca8 2 | a4eda0dd2c33a644feef170f5c24cf7595c19017 3 | cfe21dbfb97c2e93f099d351de54099a3fc0c98b 4 | 337892e76f3b2df0ca851ccf4479e56eaf2db8fd 5 | 710a20230b9774b3d725539385d714b2f80a5599 6 | 
1d19191fb2e9ded396b6352cbf5a6746193d05e8 7 | 8b950bf660aa7b5fb619e1f6e665d348bf56c86a 8 | 251ac7386d1b376fb1cb0e02bdfc45472387c7bc 9 | 22e6ebdfab7c2b07ff8748afe264737c8260e81e 10 | f6021380ad6e26038b5629189a7ada5e0022c313 11 | a8cd12cc0bbd06f14aa136ea5a9a2e299e450b18 12 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 13 | 76f70276eb95ffec876010211b7198bcbc460646 14 | a9badcbf3bd5c22eeb6faf7db8fc0a24cf18d121 15 | a4fc4162162a02ce6feadfe07b22465686a0ec39 16 | -------------------------------------------------------------------------------- /guildma/samples.sha256: -------------------------------------------------------------------------------- 1 | 62c141cdb63865390f3bfea9b0e34c8f25864a91a05089cb282ebd821f30a7f4 2 | 62a328bbb7cec18015599f0680f5715c5fbd62ba73007f326dde21883bae6ca4 3 | ea4df6c8b3b06e5308d969d65a09f324a74492359c665290741c74a897de2b1c 4 | c6138ca79ac09deee3f0022fdcc02db86f773ac3d01f83f4228b061470f2c856 5 | cb55744f0ea9b02f928b356b5227d69136c9df38b1e28fb047bd18714dfa3b70 6 | f4f711b8890c3981743b77a4293f7b305e5cca043efcee81b76cf14ae105cf49 7 | ae8249cfd3b70667a614e7e13679786ca94f0c8f6f95b89c262a566ac1a92c75 8 | 31a35f5a8c0a83ba75ffc5c252e8723c360ea1b06764c99a0fe360b4b2ec755d 9 | 264b1a6434ebecda2dd5f228d15026c29a547fb89f3029bc8590912a5c31ddc4 10 | c8aa64c9300db6f1e61e3e209ddf95b95afd72fdd66c238ebf72538cf7109590 11 | -------------------------------------------------------------------------------- /ramsay/samples.sha1: -------------------------------------------------------------------------------- 1 | 19bf019fc0bf44828378f008332430a080871274 2 | 3849e01bff610d155a3153c897bb662f5527c04c 3 | 3bb205698e89955b4bd07a8a7de3fc75f1cb5cde 4 | 50eb291fc37fe05f9e55140b98b68d77bd61149e 5 | 5a5738e2ec8af9f5400952be923e55a5780a8c55 6 | 5c482bb8623329d4764492ff78b4fbc673b2ef23 7 | 62d2cc1f6eedba2f35a55beb96cd59a0a6c66880 8 | 7d85b163d19942bb8d047793ff78ea728da19870 9 | 87ef7bf00fe6aa928c111c472e2472d2cb047eae 10 | ae722a90098d1c95829480e056ef8fd4a98eedd7 11 | 
baa20ce99089fc35179802a0cc1149f929bdf0fa 12 | bd8d0143ec75ef4c369f341c2786facbd9f73256 13 | bd97b31998e9d673661ea5697fe436efe026cba1 14 | e7987627200d542bb30d6f2386997f668b8a928c 15 | eb69b45faf3be0135f44293bc95f06dad73bc562 16 | f74d86b6e9bd105ab65f2af10d60c4074b8044c9 17 | f79da0d8bb1267f9906fad1111bd929a41b18c03 18 | -------------------------------------------------------------------------------- /kasidet/samples.md5: -------------------------------------------------------------------------------- 1 | e3fd3feeb165ddbf2e27ac07045e7ec2 2 | 6d4277b0ee5e1fdf039714e4b4eeae52 3 | ce312eab853e0cc08f3264f63c4fce30 4 | 8043a7777cfb472851297a2422f705bb 5 | d0f9c24dd768b9303bc3cf5769f6d375 6 | 20699545abd50cbe53fb28d4d08c7cf2 7 | 02ff95c2ef78ebbd39ca35c5590eea9f 8 | b031414a81a25d42c7f702ef5f352830 9 | e001ddafc18e3290df858a4d1e3572d6 10 | c865f8eb5026614182ed020b2846fc64 11 | b249528da344aff91427aa38b4632324 12 | 01360c4c4819a567ad43d33c024d65cf 13 | 7300a458a429a213e5ee51af8953e12e 14 | 6308813ed77c7b780f43da0a6ac0559f 15 | c2398bbc91be27fa7311aca8d7e07804 16 | f6e891055764bf5b6e6389752a1167e6 17 | 8c34e9b893292af95ef923c5268cfb25 18 | 97f37f225b150c3cd3e39f563ee6a581 19 | ab5cf14e40f8b7a8a01f499bee9a8392 20 | 59a8bb4c55bce023439ae1dfef525031 21 | 9c75d09b1a2ebc34627294111097d8ff 22 | -------------------------------------------------------------------------------- /dukes/samples.sha1: -------------------------------------------------------------------------------- 1 | 6acc0b1230303f8cf46152697d3036d69ea5a849 2 | 170be45669026f3c1fc5ba2d48817dbf950da3f6 3 | af2b46d4371ce632e2669fea1959ee8af4ec39ce 4 | d625c7ce9dc7e56a29ec9a81650280edc6189616 5 | 539d021cd17d901539a5e1132ecaab7164ed5db5 6 | f7fd63c0534d2f717fd5325d4397597c9ee4065f 7 | 0a5a7dd4ad0f2e50f3577f8d43a4c55ddc1d80cf 8 | 4ba559c403ff3f5cc2571ae0961eaff6cf0a50f6 9 | 5905c55189c683bc37258aec28e916c41948cd1c 10 | b05caba461000c6ebd8b237f318577e9bccd6047 11 | 9e96b00e9f7eb94a944269108b9e02d97142eedc 12 | 
a88da2dd033775f7abc8d6fb3ad5dd48efbeade1 13 | 718c2ce6170d6ca505297b41de072d8d3b873456 14 | db19171b239ef6de8e83b2926eadc652e74a5afa 15 | cf14ac569a63df214128f375c12d90e535770395 16 | 194d8e2ae4c723ce5fe11c4d9cfefbba32dcf766 17 | 0e25ee58b119dd48b7c9931879294ac3fc433f50 18 | 64d6c11fff2c2aadaacee01b294afcc751316176 19 | -------------------------------------------------------------------------------- /deprimon/samples.md5: -------------------------------------------------------------------------------- 1 | 3ccb06facfec4e39211f123a374dec1b 2 | 5b3498c5d6987232a89ca85b71ed0f7b 3 | 5554919d82808db157ad12a65ee53964 4 | 7e83d681eca4aed3c4bc0e7f5c89372f 5 | c9b808d02d738e626c5977a2a02a3e34 6 | 45b117973b386de1dc4428655816cc41 7 | 80213572dca7e340cc1b41617b765442 8 | 3f9ec30390cf992cedf3a083c8768b15 9 | b9317bd833531f51024624611940461d 10 | d56c441e74003380a2db4461e8c540f3 11 | 6eba47f4446775d30d45855d5e78093d 12 | b0e0cb8d545c21fe9bae43de8b809ef4 13 | da8ec89c8cd2d7a41aca804ba4ac4eef 14 | b350d5516dd89d18451e8b9941426e52 15 | ce2a9cb596fe55637ee3da14ed146fb4 16 | ac94d0bf18ba30137eccc97422938d71 17 | facc1e4b4bb887547c4ef58ddeb630fc 18 | bce0e61b4e428eb42241cd27bb271eb6 19 | 467fdf5516cf4425707c5e34c9922285 20 | 7c68b36520e0cc165ed5a9e5fad94a76 21 | 8776b5c5ba2f5f9b659610885587f952 22 | d2c094c579a172c8d57a0f1e411e5178 23 | -------------------------------------------------------------------------------- /quarterly_reports/2020_Q2/samples.md5: -------------------------------------------------------------------------------- 1 | f2a0e9034d67f8200993c4fa8e4f5d15 2 | ccb38b5c11c8b4bb3dfc8117f93bb720 3 | 4a4a223893c67b9d34392670002d58d7 4 | d88b46189d8e094d3620f5e85125dea1 5 | 623edb0c7cb9b811544c38027b7e3e58 6 | 6e6a47fdff433ebf6ba327a68e6808a2 7 | d190d547f2df70b06fff6f98e34e6f70 8 | 756dd0fa0b699f04eda8c4e865903390 9 | 9776f04d9c254a0b67f4dc000369a17c 10 | c33d3d6970dbb19062ae09505a6eb376 11 | e5aaa283bb46b6e194d2e6d173af09c9 12 | 84e7244d99e4fa8841151573ea858ed3 13 | 
f26179d65b42720b2a4984d717c309de 14 | 997ab0b59d865c4bd63cc55b5e9c8b48 15 | b2218d286a7e92b15e93168e0e497516 16 | bb71da8682e42100e0f82f6914f425bb 17 | a29408dbedf1e5071993dca4a9266f5c 18 | 5a3c30274ac1ba6f253e318cf63bfc08 19 | 7255e77b5e905bf92a1b96601ca09e17 20 | 89f9dea18dbde8a39f4f4449b5ce656b 21 | 082b7b38061bf30cd9752c443bd6d734 22 | b2f85bc880a2f79fe64d50db79672709 23 | 1cb924170eb1964ad7414c01631cc10e 24 | -------------------------------------------------------------------------------- /amavaldo/samples.sha256: -------------------------------------------------------------------------------- 1 | 1c17cf7af862cdb0af2f5540391ac3d0b427bd6369cf1a5fbb8d82fb80964d1c 2 | 563d462c492525b6332e9919e3b7f8174d932fc6bf15e65f719ebaee564074ee 3 | 6952d2057c5567664db770c38661ac2b9ab8c1d966018fad0ed29fde0f6f7c24 4 | 8171cbd7bc06d905a7d77d2d0dd147b0b9305d76f76a176fbda4b78768656a47 5 | 9f9bcd12870dba79e59f17ac663dc63d2083a7f86597bcd69c4ebaf59cedefa2 6 | b7e72ad59f05b67e7f44f071e7c3e46a490261c653cac66063ceed52c176fae0 7 | c5a6e0b21aebbee0ce90086c30d7f20ebed73cf00dea9af99081e71538b53591 8 | c9cf8e159809cfa97971a0b84801c6aead32e03a423a2fd0ca1c402032b16a82 9 | 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222 10 | 6bb5f3a7147660db416b838893c7d0734872ada9f7db68b1d019043a1cb89397 11 | 20ae23a6793e58761a28949dec7e910ce6479ab9c2b7bcbd7a1bb4df1171c503 12 | 6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412 13 | 64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf 14 | -------------------------------------------------------------------------------- /dnsbirthday/samples.sha256: -------------------------------------------------------------------------------- 1 | 7bf62ac2ae8ca3b2f546d3b04f64a95fa48169695cac242b3905eb6500930a90 2 | 8094ea47a004d5797eec8bb9d54693c1790830bd316a797738da39fe56361d5a 3 | 66fb65fef889e2d2236e45bc72fb222c515f8cbfcc73962c9d8aef24136d238a 4 | d8979b9f8a56280a4047c35fd50189f5c932a15300d3b341db5b98370191e34c 5 | 
f0fcae3159687185ab58fe2b6c80c54e2a32903a2eb5eb68dfa42b8ae3c7327f 6 | ed5b120b6805c637db751bfcb14fb835b44c3394877867c549f9018744f7f74f 7 | cedb3c62c7ef5633e6804cf1ad900c0a5d321d1eb0d832d139521692477f1241 8 | ec7cd382964c76a3be1d37b47c1127985e454a3996fde7edc10fa53c7910ee47 9 | c58a85955d5173d74a8c201468396ba3037542174b985ec592f127b65e3bdc8f 10 | eeb43f001429cce2fc5084120838fc3311dd4606cbde6ca11b79cc6704475295 11 | 38168caaac7d9d9a8efffb6d2dbf8171274eb7009ce531c03cb398ad6e022802 12 | c6d0c241070aab5bd861a45a40a772d56fe9a5037b67cc03abaaf42e242df957 13 | f20094c1696b5c45fb5fbd04111e4ee5495eddb9f93816ae764c8c1d4fd20a8a 14 | -------------------------------------------------------------------------------- /kasidet/samples.sha1: -------------------------------------------------------------------------------- 1 | 5f94e9d9f43da93574d62b117bdfe03fb846fba6 2 | 76c0e3deeb781231498991cb9729faa02fb1a19c 3 | b51e76e65c5fa095730c8c5153a7038a6d4f09b0 4 | 4462ef92d630751d442e5d850436c4cabf9ad2da 5 | ac0b9d5cd038422d0b4045446cf76e5a48ff40bf 6 | 83154250728b33d191a394000c2e53d03d2934a2 7 | 78a421237da7f61b91117e6176cc4742c9b54076 8 | c78042ca77e5cfe1b9cd51d188f20f0ed2699b49 9 | b7f796d6e1c45f1fe087bd2bac0192ea7839f790 10 | 94767262b02f90ac198d137fb2dc3b344aaeb4b9 11 | f205c4acb22e6c2f25aa523e5ce772c5256fad89 12 | b5e5b6393a444ed21b65554304288402e617011a 13 | 2d160f8804fbe7f068b5dee61f316a59b2cea746 14 | 7b0b58e1fc4cec0eac15254bc6a115cc0dd9df35 15 | dc2f1d7b2618727b30d0b950627a7e03d4542aa5 16 | b6c92083cdc03f5cba842f52a5cdfa27073c6cd8 17 | 4c0699fb326e27e26e4acee6f2592744085b7a42 18 | 6e0849ad14a695e2c65c592cde500334266114d3 19 | 19411620c34e6e13b323923f2ff7ce6e3e22ad97 20 | d1a4eae72c13a06f1b70b265682246648b755f8e 21 | 63e706baa8620c993e46469e8bae542ec67f74ca 22 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | Malware Indicators of Compromise 2 | 
================================ 3 | 4 | Copyright (C) ESET 2014-2018 5 | 6 | Here are indicators of compromise (IOCs) from our various investigations. We are 7 | doing this to help the broader security community fight malware wherever it 8 | might be. 9 | 10 | * `.yar` files are http://plusvic.github.io/yara/[Yara] rules 11 | * `.rules` files are http://snort.org/[Snort] rules 12 | * `samples.md5`, `samples.sha1` and `samples.sha256` files are 13 | newline-separated lists of hexadecimal digests of malware samples 14 | 15 | If you would like to contribute improved versions, please send us a pull 16 | request. 17 | 18 | If you've found false positives, give us the details in an issue report and 19 | we'll try to improve our IOCs. 20 | 21 | These are licensed under the permissive BSD two-clause license. You are 22 | allowed to modify these and keep the changes to yourself, even though it would 23 | be rude to do so. 24 | -------------------------------------------------------------------------------- /deprimon/samples.sha1: -------------------------------------------------------------------------------- 1 | 2b30be3f39def1f404264d8858b89769e6c032d9 2 | c2388c2b2ed6063eacba8a4021ce32eb0929fad2 3 | aa59cb6715cfff545579861e5e77308f6caeac36 4 | 1911f6e8b05e38a3c994048c759c5ea2b95ce5f7 5 | 7e8a7273c5a0d49dfe6da04fef963e30d5258814 6 | 03e047dd4cecb16f513c44599bf9b8ba82d0b7cb 7 | 02b38f6e8b54885fa967851a5580f61c14a0aab6 8 | e272fda0e9ba1a1b8ef444ff5f2e8ee419746384 9 | 6fab7aa0479d41700981983a39f962f28ccfbe29 10 | 7d0b08654b47329ad6ae44b8ff158105ea736bc3 11 | ca34050771678c65040065822729f44b35c87b0c 12 | f413eee3cfd85a60d7afc4d4ecc4445bb1f0b8bc 13 | 8b4f3a06ba41f859e4cc394985bb788d5f76c85c 14 | 0996c280ab704e95c9043c5a250cce077df9c8b2 15 | 9c4bade47865e8111dd3eee6c5c4bc83f2489f5b 16 | 94c0be25077d9a76f14a63cbf7a774a96e8006b8 17 | 15ebe328a501b1d603e66762fbb4583d73e109f7 18 | e2d39e290201010f49652ee6116fd9b35c9ad882 19 | 968b52550062848a717027c512afeded19254f58 20 | 
d38045b42c7e87c199993ab929ad92ade4f82398 21 | 2d80b235cdf41e09d055dd1b01fd690e13be0ac7 22 | 6db79671a3f31f7a9bb870151792a56276619dc1 23 | -------------------------------------------------------------------------------- /mispadu/samples.sha256: -------------------------------------------------------------------------------- 1 | 5b1e244ec5d88f0747c72ba10f59bfdffdb16c491e0d98841254226b5d761dc3 2 | f3e6a1dbb374e4926f55d3905c70bf30ee59281de6fa96aa34ba6d9e624a8b0e 3 | 8b9e03bea2dfc1ce375cbff63927b7f0f51cbd0d8e74557e9a54c9a361e709b0 4 | 335b5f887fe759ab0782a88f88a7c93ad6cc941e4d8e75cbba1edfcc119e5efd 5 | 6b3bed56bc43b96660926970c2480df5c975ca341fb6cdb52054d5b77ed12bdb 6 | 7297806c071bf4ecf5887751054009c38da840b6c15cfc86167daf0d3f3e955e 7 | 81baf904ac489e8f71f852f5ad654169c5115b96d4bec8c5c53cfe7479dc29b3 8 | 731e5538357e450e8252dfd6e3c99efd011a0d0eb1ebd616e7d663bdc44b8141 9 | 065ed7fbe65f2905d50d53c8a58ff4c08256f2ecd632375cbe3ad6f990dde524 10 | 0e3c89fa4d61b5430e3a0949b86058b0873f4c807cba87d687c81d3ad4412ed4 11 | 57528cfcf5645190e94f96a3fe4e1208bb0226edede36fa29b4134e92bba9473 12 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 13 | 6ed32f46a595a4097d85e7f70c74be5a57b542595088e81074ad8197901ba7aa 14 | 717186c986b7035883a72c1af53b898c4549f2552078fb17b6b7ab5b0d68469a 15 | c1be78e5c30a591b8573b744ee0033bf9cfaf827487c707a34430a8f6b84fd4d 16 | -------------------------------------------------------------------------------- /moose/samples.md5: -------------------------------------------------------------------------------- 1 | 520cd88b4cc5e14531b42af7a06dd307 2 | b8d94c26bc94d11f57a6223d1ab8752d 3 | 8d3453c67271d460c183537f231fc278 4 | 2de3bb7960c85d0e0634a31756628466 5 | 18630e1425ce34e1c3662e6ed654bd25 6 | f9942bd4251e43e1153bb14d8702382e 7 | f1222ccfa674f29ac3dac55e2cef92f4 8 | 7d51bc74c49c8f3f8b42bc1b07db38ed 9 | fb3618e28ffc3833179049d56343ad76 10 | 4bcb90d88a8620af8f55ea1b392ff8dc 11 | cac59332bf0467e58df0664bff9475ea 12 | 078684cbb3081945988ce90fa51b16a4 
13 | 76a4c11638f9415ba120634b0d93f47f 14 | 3f75f4abf8991621858411f6f7e2abb5 15 | dea72b9a7fcb9707023792115d6f7c16 16 | fa3312815fe699af1dee9336f43bed4f 17 | fe0d01f98bcf76bb04cc2a6aa700742d 18 | 8878b3a0688ed198b63091024dba7e57 19 | 9e6f2ea5a290ff3ad5a3e4920a1ddfd2 20 | 8bd777329b79193727f04a12d19e7d93 21 | 40056590b12783ad5f7a70ee531279ef 22 | 65ff4d2d67e198d09fa0c0a79b251e81 23 | 2145ca5683d623be51c209635b761ff0 24 | f5f9f355395f6c0f0196b945f5de0f02 25 | 685a3397fcbdefac15784e56a7dbf35f 26 | 4e9a15c787599832057e1c1eacf941ef 27 | 66a76165dba8e2568553ecfffc9bc698 28 | 40d5d537d9cba0e199bfa20876436c35 29 | -------------------------------------------------------------------------------- /quarterly_reports/2020_Q2/samples.sha1: -------------------------------------------------------------------------------- 1 | 617c42943dcd973235e2227d3ae88f330a2944d0 2 | 9757d92dcb5fc253783e8a1d2702bf0f1196d4ab 3 | 281c1b196cd992906d8583e64011dc28d9c52e3c 4 | 1b1a867a950c0cd4aaca930e4978f8c47287ec63 5 | 6224f4e73d49ad40d67e41ab22086239b153b6c8 6 | ae9e6ec5489492210ecad274475710f1456631ef 7 | 724b2e24872be445ed2f914b252f8ccf580e9c71 8 | 42811d5a48200361e72add7d50d7511ee22b3bb1 9 | dba010496a7be2e5de1f923ffdfc19bf345b650b 10 | db4a2f4ba2aada8bf12e5d840a0d5921012dbd07 11 | d69ba2099a9483fc2691d500fcfff2e1fc382c2d 12 | b8cff709950cfa86665363d9553532db9922265c 13 | 3319a0af253d487ff8f137dd0f7f0cb3dc94f729 14 | 0f1f2431ecccb980f7d93b9af52139d0d508510f 15 | b48beb5e49976294287b1d6910d7445db83e5cf2 16 | 8b8d2eb8de66890f4c0950ccb3fff95b0f42b9e1 17 | ed0d4baa22dfadf41484955a823aaa095470e6d7 18 | 4a5e5ed953ee8bc0ff438192e6235f205304bbce 19 | 9ac922e2a445e039ee3ddd6de102a20824476326 20 | a6fc4834b9dba46ace3055c7214d65ae39bbf920 21 | 9e0f7a78cdbc83b9086df1b4aef6e06df2b98a27 22 | eb2fb8f0e14cb68b45b4db7acc05ad22a151d19d 23 | 9d1940ed48190277c9d98ddbd7e4ea63ade5ceae 24 | -------------------------------------------------------------------------------- /industroyer/README.adoc: 
-------------------------------------------------------------------------------- 1 | = Win32/Industroyer -- Indicators of Compromise 2 | 3 | For a description of Industroyer, please see the article about 4 | https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/[Industroyer] 5 | on https://www.welivesecurity.com[WeLiveSecurity]. 6 | 7 | == SHA-1 hashes 8 | ---- 9 | F6C21F8189CED6AE150F9EF2E82A3A57843B587D 10 | CCCCE62996D578B984984426A024D9B250237533 11 | 8E39ECA1E48240C01EE570631AE8F0C9A9637187 12 | 2CB8230281B86FA944D3043AE906016C8B5984D9 13 | 79CA89711CDAEDB16B0CCCCFDCFBD6AA7E57120A 14 | 94488F214B165512D2FC0438A581F5C9E3BD4D4C 15 | 5A5FAFBC3FEC8D36FD57B075EBF34119BA3BFF04 16 | B92149F046F00BB69DE329B8457D32C24726EE00 17 | B335163E6EB854DF5E08E85026B2C3518891EDA8 18 | ---- 19 | 20 | == IP addresses of C&C servers 21 | 22 | WARNING: Most of the servers with these IP addresses were part of the Tor network, 23 | which means that using these IP addresses as indicators could result in false 24 | positives. 
25 | 26 | - 195.16.88.6 27 | - 46.28.200.132 28 | - 188.42.253.43 29 | - 5.39.218.152 30 | - 93.115.27.57 31 | -------------------------------------------------------------------------------- /ramsay/samples.sha256: -------------------------------------------------------------------------------- 1 | 0c341c6bcbadc4663f87b4d75102976c2a3a1a74109240794eb6416d122c86fc 2 | 10278770a9c331d0903dde91e714d395a1242101f40ae6030436ce07ff5fcaf6 3 | 1b3457656b70dd72162c0975b8359516420f46854e55cec55e55ee73687ad52d 4 | 22b2de8ec5162b23726e63ef9170d34f4f04190a16899d1e52f8782b27e62f24 5 | 610f62dd352f88a77a9af56df7105e62e7f712fc315542fcac3678eb9bbcfcc6 6 | 6f9cae7f18f0ee84e7b21995a597b834a7133277637b696ba5b8eea1d4ad7af1 7 | 823e21ffecc10c57a31f63d55d0b93d4b6db150a087a92b8d0e1cb5a38fb3a5f 8 | 885540b5a42fe845ffada109b4ef7eb1e07c158255ac315910dfb333ec85d513 9 | 8e8084a295709b0ff7b083d1f5fd001ea79507490d15e8479a8ced616bb54ee1 10 | aceb4704e5ab471130e08f7a9493ae63d3963074e7586792e6125deb51e40976 11 | cc7ac31689a392a2396f4f67d3621e65378604b16a2420ffc0af1e4b969c6689 12 | d00818338eaabe253978cd212ebd181b6c1e8b798a726b76f1e23a35b9d08927 13 | d57657d547b956500c292f1fbde5a3441052f1a2ef0f217799a3668367a5cd68 14 | dcf74979a2c0ecef28fe3997d79ae23f82cfbcaeb883b7c39c569c089d7fb7a2 15 | dede24bf27fc34403c03661938f21d2a14bc50f11297d415f6e86f297c3c3504 16 | e60c79a783d44f065df7fd238949c7ee86bdb11c82ed929e72fc470e4c7dae97 17 | ff6f07121142d5e82742e132622a5f5930efba22a3820b4862c8a4b70dbf551d 18 | -------------------------------------------------------------------------------- /sednit/2017-05-09_Trump_Attack_on_Syria_IoCs.adoc: -------------------------------------------------------------------------------- 1 | == Sednit's _Trump's_Attack_on_Syria_ Indicators of Compromise 2 | 3 | Related blog post: 4 | 5 | - http://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/[Sednit 6 | adds two zero-day exploits using ‘Trump’s attack on Syria’ as a decoy] 7 | 8 | 
Also available in link:2017-05-09_Trump_Attack_on_Syria_IoCs.json[MISP JSON format]. 9 | 10 | === CVE Numbers 11 | 12 | - CVE-2017-0261 13 | - CVE-2017-0262 14 | - CVE-2017-0263 15 | 16 | === SHA-1 Hashes 17 | 18 | - `d072d9f81390c14ffc5f3b7ae066ba3999f80fee` - LPE 19 | - `6a90e0b5ec9970a9f443a7d52eee4c16f17fcc70` - SedUploader Dropper 20 | - `18b7dd3917231d7bae93c11f915e9702aa5d1bbb` - Office RCE 21 | - `d5235d136cfcadbef431eea7253d80bde414db9d` - Docx 22 | 23 | 24 | === File names 25 | 26 | - `Trump's_Attack_on_Syria_English.docx` 27 | - `image1.eps` 28 | - `joiner.dll` 29 | - `apisecconnect.dll` 30 | 31 | === ESET Detection Names 32 | 33 | - Win32/Exploit.Agent.NWV 34 | - Win32/Exploit.Agent.NWZ 35 | - Win32/Sednit.B 36 | 37 | === Registry Keys 38 | 39 | - `HKCU\Software\Microsoft\Office test\Special\Perf|%TEMP%\apisecconnect.dll` 40 | -------------------------------------------------------------------------------- /attor/samples.md5: -------------------------------------------------------------------------------- 1 | 5c4986fe26bf67ac5a81749169bc6676 2 | 67905749f359b2fe743176c870b22d12 3 | a5094634178144564604af90eefe9265 4 | 3d3ca6da4b6a0782ddf65ffac3e41a3b 5 | 185761cc7aad3efa119aa469394d7fdc 6 | 7eb0f8989bcd34da451cac05d0733dbb 7 | c7fee716d7610ee8cf936b9f09c36c39 8 | f1ba1d4ef6dc62fd03596693faa8fdab 9 | 1562c96a9dc1eec9628b843f0e46be3e 10 | d1a4b6739362637e57e25220fad485ce 11 | d9ab2cf7a6de5dc4dbf456c6fd439cca 12 | d29d2b18576aac76da5da8706e0500c4 13 | ec37835bec64bc215c7d5254ac100a1a 14 | c50560b30924bce66350021b51068a76 15 | 9ad6b1f81e1b9b4cd5c3a2f9dc2bf835 16 | 04a0f5293d533c9e31b7105dd2da238f 17 | bd6c531004cdb8bc0afa2cb09d56b7af 18 | 78d71ffaa0f59c0ecc989c2ff0d9c04a 19 | 9ad32bb70f1266abef8dfeff3466ba3d 20 | 024427ecd9dcfc6caef2a718ccfef535 21 | 553a680322f40392fbbe4d45333ac5bb 22 | 5af05232a6173b8f46b34dc3cb574570 23 | 5ce9568ae27d686811890aa8e8e738da 24 | 436bd45652b44078d6775ee9851f2129 25 | 7775eec0a261f36cdb7061478638c25d 26 | 
e4270dac7d04d68643f3b8786fa8a3c1 27 | 4c17d3230213d795dc61a392937e8672 28 | d40f54a5fd1fb1ab2eeed9ddfedb0958 29 | 12f2bee2d3ca48c75515e0f046dc519c 30 | 6a4070c09a1055e9ca4563b1f24fb3e9 31 | 82883dfa0f122933452804cc2d87643c 32 | 8f97960386610e7d86049e0f186bd939 33 | -------------------------------------------------------------------------------- /dukes/samples.sha256: -------------------------------------------------------------------------------- 1 | 57ce5b1dd5666a075f0491f864087dc00f5cde45e7d23db1fcc4ba8fd0e91ac0 2 | f9d338ed8fc57b36275efaff4387d2450c4eac57f4d2d8367111ed7d9f2b168d 3 | b53a3d03e86bb17b58a5b2be337b4da821816524659befa966df67b3b9017943 4 | a8c966b211b7f674af5a1541b65b45e52b15f772927c71160741e656519dde36 5 | 40632efe4d505cad53746150ee3f7e356f67f6e79079ed73a0d31311912037f1 6 | 9fed53548c8b517134797f760729ff23dfc0c645bc46833ff414b7bc68aca8f0 7 | 9da31189cd6b4ca840ba84cc5c9d01a89c69e04cdaeb55b77d4588f993f76bfc 8 | 153d19bf9fd09973df56a32a534122a3f7735dbeaecff7b294a93c01707b3bfa 9 | a8f8e93a3426f76260d10e168dc587ed82a90e773cd750dad58a6be29031fd8b 10 | f5a66707f51c21f0acf18243245a4902d4df62a9506bcf69938433bb1e0d4517 11 | 5b8467a9a89d83d721d28fb45fbe0ce53a9ee284b7aad93bff178ed6ea26247a 12 | 0be57d1244fefc679feb7aa9996e539481be7b8f4c9246817f81caa8c2f61a57 13 | 6057b19975818ff4487ee62d5341834c53ab80a507949a52422ab37c7c46b7a1 14 | a95449f7c7c1ea5359bd76f25f57b89802d94f649ba059b910d8e46d9a914fcf 15 | ba48e087c070c711b25d1d86b354b559081cb4059c4e992dd1835861b5dbed1a 16 | 4f2e0453bc7505affb517b78c7c3804a79affe74d5fa947c1762d8631cc6a155 17 | 9b33ec7f5e615a6556f147b611425d3ca4a8879ce746d4a8cb62adf4c7f76029 18 | ba08468d8847c9c62325dd266491e8da917caa8e710cf5b662debfc6fa8ca1c2 19 | -------------------------------------------------------------------------------- /moose/samples.sha1: -------------------------------------------------------------------------------- 1 | dd7e8211336aa02851f6c67690e2301b9c84bb26 2 | c9ca4820bb7be18f36b7bad8e3044b2d768a5db8 3 | 
f7574b3eb708bd018932511a8a3600d26f5e3be9 4 | 54041ce90b04698465b866ed169ddf4a269e1e76 5 | e8dc272954d5889044e92793f0f637fe4d53bb91 6 | 34802456d10efdf211a7d486f7108319e052cd17 7 | 2876cad26d6dabdc0a9679bb8575f88d40ebd960 8 | 5b444f1ac312b4c24b6bde304f00a5772a6a19a4 9 | c3f0044ffa9d0bc950e9fd0f442c955b71a706b6 10 | 10e2f7dd4b2bb4ac9ab2b0d136f48e5dc9acc451 11 | 1d1d46c312045e17f8f4386adc740c1e7423a24a 12 | c6edfa2bf916d374e60f1b5444be6dbbee099692 13 | 216014dba6f1a636c44530fbce06c598d3cf7fa1 14 | 4bffc0ebfe8c373f387eb01a7c5e2835ec8e8757 15 | d8b45a1114c5e0dbfa13be176723b2288ab12907 16 | bfc2a99450977dc7ba2ec0879fb17c612e248ece 17 | d648c405507ad62ddb3faa1dd37f659f3676cacf 18 | 5dea6c0c4300e432896038661db2f046c523ce35 19 | 0685cb1d72107de63fa1da52930322df04a72dbc 20 | c35d6812913ef31c20404d9bbe96db813a764886 21 | 1caac933ae6ca326372f7e5dd9fff82652e22e34 22 | f3daea1d06b1313ec061d93c9af12d0fe746839a 23 | 095ee85aa648de4e557fc243de17d4f00ab2091f 24 | 274ef5884cb256fd4edd7000392b0e326ddd2398 25 | 85c3439b6773241d11cda78f0ecfea4c07e55fd2 26 | f94b6cc5aea170cee55a238eaa9339279fba962f 27 | 0843239b3d0f62ae6c5784ba4589ef85329350fa 28 | 7767c8317fb0bbf91924bddffe6a5e45069b0182 29 | -------------------------------------------------------------------------------- /powerpool/README.adoc: -------------------------------------------------------------------------------- 1 | = PowerPool - Indicators of Compromise 2 | 3 | The blog post about PowerPool is available on WeLiveSecurity at https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/. 
4 | 5 | == Sample hashes 6 | 7 | [options="header"] 8 | |======================================== 9 | |SHA-1 hash|Component|Compilation Time (GMT)|ESET Detection Name 10 | |`038f75dcf1e5277565c68d57fa1f4f7b3005f3f3`|First stage backdoor|2018-01-10 14:07:16|Win32/Agent.SZS 11 | |`247b542af23ad9c63697428c7b77348681aadc9a`|First stage backdoor|2018-05-12 12:13:13|Win32/Agent.TCH 12 | |`0423672fe9201c325e33f296595fb70dcd81bcd9`|Second stage backdoor|2019-06-17 08:07:18|Win32/Agent.TIA 13 | |`b4ec4837d07ff64e34947296e73732171d1c1586`|Second stage backdoor|2019-05-21 12:38:53|Win32/Agent.TIA 14 | |`9dc173d4d4f74765b5fc1e1c9a2d188d5387beea`|ALPC LPE exploit|2018-08-29 23:28:35|Win64/Exploit.Agent.H 15 | |======================================== 16 | 17 | == ESET detection names 18 | * Win32/Agent.SZS 19 | * Win32/Agent.TCH 20 | * Win32/Agent.TEL 21 | * Win32/Agent.THT 22 | * Win32/Agent.TDK 23 | * Win32/Agent.TIA 24 | * Win32/Agent.TID 25 | 26 | == C&C servers 27 | * newsrental[.]net 28 | * rosbusiness[.]eu 29 | * afishaonline[.]eu 30 | * sports-collectors[.]com 31 | * 27.102.106[.]149 32 | 33 | -------------------------------------------------------------------------------- /telebots/samples.md5: -------------------------------------------------------------------------------- 1 | 0fce93cd9beeea30a7f0e2a819d2b968 2 | 389ae3a4589e355e173e9b077d6f1a0a 3 | a143591e63d110040560720990121740 4 | 455f3f68a812b80bef541ef1e14ace23 5 | 75ee947e31a40ab4b5cde9f4a767310b 6 | d22000739ff9f207ad25ee9a9ecc70ad 7 | 873c7701e16bc68ad7a90886b5d0a3f0 8 | f56981721597f2c1041d4370141562cb 9 | bde6c0dac3e594a4a859b490aaaf1217 10 | 2d7866989d659c1f8ae795e5cab40bf3 11 | a2d874bc7d6d6b759a41a421d6afdc1f 12 | 1019c101fc1ae71e5c1687e34f0628e6 13 | 4a9398118b7b1e926348c2021e0cf58d 14 | 604d2d4a3fc7d0eea86a47071f2845d4 15 | 5bd6b79a4443afd27f7ed1fbf66060ea 16 | 7d4fc63f2096a485d2da3db1150e6d34 17 | 99f92158e66e532249b643244a0a7b95 18 | 98d28e589cfe6dcae7e832777b0579d1 19 | 
4919569cd19164c1f123f97c5b44b03b 20 | 24313581bbbffa9a784b48075b525810 21 | 7d90d3097af6393c78c25de0fa65a2bf 22 | a5215bd9d098311212e550e247d04815 23 | fd0fd58b20b1476e8f67d6a05307e9bc 24 | ffb1e8babaecc4a8cb3d763412294469 25 | cb13d9aa8259d32b0006ea04205d63d5 26 | 8f8a550f9e0c960baf6d8f3a9fd4945a 27 | 5a760c2f523651330622ea43393ae5ee 28 | 73222500da14f518d26c25b1bb7781c9 29 | 2285d680389e08a252b5200f4d3c2a9d 30 | b75c869561e014f4d384773427c879a6 31 | 80fc43ca3427d474f4bb65f331fe3b2a 32 | c404b959b51ad0425f1789f03e2c6ecf 33 | 797f9e47cabee5b85c1a544683e0178c 34 | d425bc20d603ee47bd718a41f501dd7f 35 | 76691c58103431624d26f2b8384a57b0 36 | 782abd373af163bb58fcc0a4239d4fb2 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2014-2018 ESET spol. s r.o. 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 | -------------------------------------------------------------------------------- /buhtrap/README.adoc: -------------------------------------------------------------------------------- 1 | 2 | :toc: 3 | :toclevels: 2 4 | 5 | = Buhtrap Indicators of Compromise 6 | 7 | == 0-day campaign 8 | 9 | The blog post about this campaign is available on WeLiveSecurity at 10 | https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/ 11 | 12 | === ESET detection names 13 | 14 | - VBA/TrojanDropper.Agent.ABM 15 | - VBA/TrojanDropper.Agent.AGK 16 | - Win32/Spy.Buhtrap.W 17 | - Win32/Spy.Buhtrap.AK 18 | - Win32/RiskWare.Meterpreter.G 19 | 20 | === Network indicators 21 | 22 | ==== C&C servers 23 | 24 | * `++https://hdfilm-seyret.com/help/index.php++` 25 | * `++https://redmond.corp-microsoft.com/help/index.php++` 26 | * `++dns://win10.ipv6-microsoft.org++` 27 | * `++https://services-glbdns2.com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc++` 28 | * `++https://secure-telemetry.net/wp-login.php++` 29 | 30 | === Samples 31 | 32 | All hashes are SHA-1 33 | 34 | ==== Main packages 35 | 36 | ---- 37 | 2f2640720cce2f83ca2f0633330f13651384dd6a 38 | e0f3557ea9f2ba4f7074caa0d0cf3b187c4472ff 39 | c17c335b7ddb5c8979444ec36ab668ae8e4e0a72 40 | ---- 41 | 42 | === Certificates 43 | 44 | [options="header"] 45 | |======================================== 46 | |Company name|Fingerprint 47 | |YUVA-TRAVEL|`5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5` 
48 | |SET&CO LIMITED|`b25def9ac34f31b84062a8e8626b2f0ef589921f` 49 | |======================================== 50 | -------------------------------------------------------------------------------- /attor/samples.sha1: -------------------------------------------------------------------------------- 1 | 37a1138f9ef575d3b7fc11d59473aea261be4aef 2 | d1ca68eee49a4d25072855ebecc79d31f92efb2e 3 | 47dc997d08d53e55b8450940d9de94e2b5db631e 4 | 6dec7c66cb5e6f86cddbe313b604603731c78e20 5 | b7f1f151c3206e823fcaefcd0dab963be4efeb2f 6 | c3d7391863838fbbd88660392d114ab7536ca373 7 | 6f640e5acd1592424962df781707556f2c02cb17 8 | 8a6829b8615c5f6661a84ea3af0e15ab28c5840c 9 | e7371badae22c0ed0d93de2f1393c3e47dcee2d0 10 | c2371eb7a01149e87220bc7e62263266ee48be46 11 | f9e9c4e45697880d8f601096e9dfc90e46557dcc 12 | 09d220b7da92a177d03eb6ca6711c500fe34667b 13 | 16b4c4da770991cc94e763ffec2a3fc418f9dc46 14 | 921e237b7e7c9945fb7cf5dd8960548a99896555 15 | 1f69ba8063853dd80953b7881f4df9759a025780 16 | 02631dedb28c8d704ba689fc9efae057d2e8c8de 17 | 7b1e48154b93b6b374dd35bf821b2670ad1d0f69 18 | d0528b8777d556809ac64935fa6247164aaabb4f 19 | f7e30a3fa186361794699d7a4fac6a9b85ccbf40 20 | b194b2cdae26f5c65d62fe8f0204d1e80cd7a41f 21 | 52213cab4954c850a1ac51974a24b878ca88eb59 22 | 472eef198c8da7ea233d3f21393f5823968a8a0e 23 | a8112bd5e7dd78161c8b77638826c7cfc730f95f 24 | 5316abf8c4c148ce4d18419bb4e5057cf7535dcf 25 | e64af8db5b6ccd076327a7c58c59e73eeb90be9b 26 | bd2845b2e7178da92c9014d0e8921b7efba5a924 27 | 3c417b299532e62844869c4e0f33f3d719682f46 28 | 87ded0f812ced722e86ff4a4f36bf8217c480388 29 | 9d8126148089646717c84f313fd52c1a9fec2aca 30 | 53c7232e00445fde63e7f7d75f6eecdb8a8a830e 31 | a922558735227abe61754b02a6917a1aed18358a 32 | 461f245da24c693a5b3ef3ff6367b2b18514eff5 33 | -------------------------------------------------------------------------------- /kasidet/samples.sha256: -------------------------------------------------------------------------------- 1 | 
6d812c1572f89da2c8deeea0cd29181ceadb6b7b81344f6585c26cfc49a4f1b4 2 | c02a47796e452a1bb4bb15919a45c31a26ab38c09a9707892edb196fd232cad1 3 | f6497a6c5309204b5f968fbb3c5c69e524ad8bee83a4c493950b80a064a664e9 4 | 344e0d7c07ec36a72b16daaa2408d5a90451e82d9669decb3a063db72d76df07 5 | c9f0bb83f8572a99444ff919fe424e04bc17236c43658a51e818697e522577d4 6 | 84fbf7fd4a0c5572c87b49f051031dafddc40fa7437b4261a264593f07ed3e80 7 | 00bd8e0eb42033fcf201dbe7f8e0bc174e781986a818e93b4bd8d3946bd87e18 8 | fede31ee4e3b8027d4f7982fea4f4ce78e92cfe09a82d8b38ca6254ba0683ece 9 | 32e888b1ee437938a96387d4facb6d07038a620fd0c9e90affda40bdf7c13287 10 | 80e5a6537af36a648610152d418d691637b004342bb7c13f8e636cf5a5495e4f 11 | bbfaa8b91a530fceae50bc0cbcbd2d62f2ff009f16d0569c8d2dbe3dade74697 12 | 1bfe26444d0579ac71f6fd1cddbd717ed0d25e193e097bd420fbc32f4984f496 13 | 6b7d0d361aabe3e3f38397916066894909953ff2adfd7cbe7941ce1d3fd191c7 14 | bc9934b061309da7e3c9019fa80090aed1defed6dbdc9b143a6b9c944cb82ea5 15 | 2d0cae2605e09bf70de4cbeb793306ee23d640d141a5fbecb0c18eb01b191934 16 | 39dc2f635b21a5a0645068095690ba0de31f822c09ef633a8c3f70e7080e954c 17 | 4118ddf60da21658a9e43450b87e09e6d5a66215d1d5cb21a76a3cd2bd0a3c04 18 | d27483cdef2b6e405283680ebe6555cc01a42b51a36447c56612b4599397aca8 19 | 9befd8327187b4a282e69c0d2d928f9a3e7a6d3e1c9f3761df7134392caa91e4 20 | 501eea447e5271f85086a03945e04295e95b270e80a0023f27dd314285f90ad2 21 | 8ed370d01aebe5735684934f12d65821824b607c1aadf959916049aaf889027f 22 | -------------------------------------------------------------------------------- /oceanlotus/samples.md5: -------------------------------------------------------------------------------- 1 | b65b82eddcecd719c55d6d222926e648 2 | b123f9151c5e7057f061f3e03c1e8416 3 | 87a421dcf17d40d8157a0d8f1dca6585 4 | 8bf63f758356c2b40f1249c108c37257 5 | 88608abaad53b5d80d3b705fba6fd5fd 6 | c212074b43b6ef811f2a8fb72e670e0c 7 | 88152846c45924d5706a11523942c82b 8 | 56142bbd9a218b2f6ce56350c0a88d43 9 | bf7c5bc086694a6e909013d63fccf6d6 10 | 
d592b06f9d112c8650091166c19ea05a 11 | 0dee2063ee3a77063b084da860b8e76d 12 | 4282c6633122dce395de35c05159282d 13 | 9453f31cdb02533d509948cc4fd0c44f 14 | 6e0ce271ea2872eeaab5f126058df3ca 15 | e3e99f6d1333ca76a80ba2899a4e2587 16 | 4f6b14b1291e654a8df931362d657bb3 17 | fb2b48d856b9c3db882fb4026d5b056b 18 | 9ffdfea1979f792b22e356e0e3b7ddd7 19 | eb2b52ed27346962c4b7b26df51ebafa 20 | 1459ddff4db04887e348271df706ddbb 21 | d2d332fd3e0aa7b7745d32756e704e12 22 | 3dfc49add45ad35a7c6e21054a53a351 23 | 02ae075da4fb2a6d38ce06f8f40e397e 24 | 759a8dc7aa5a6afab580178e93ce2fd0 25 | 686b61c2d1274c81db691866c8646e2d 26 | d95bbf9645994e891f3a8156eee9cbee 27 | 262e13557163a0bd16d6d0f601e2a308 28 | 96b971c9ac868c8d9ae98618b9a9bddc 29 | e33fce35e3fd7bb2241190f2cafc5acf 30 | 6b1908bc8cdae9646febbd8574dce523 31 | 3f2d25400daa9f1ea166b7122669fc51 32 | 3679911b0566259a1e5255eec7511c0e 33 | e58f436a95f967a324c6df506c76b5a7 34 | ebf6a950b26261cd353015ed567c6ac6 35 | 3d9490fa589d912bdce649fe1825ceb8 36 | 2aa2d2cc63122b498c82f76244646199 37 | 06334cb14c1512bf2794af8dae5ab357 38 | 2a8efbfadd798f6111340f7c1c956bee 39 | c9b65b764985dfd7a11d3faf599c56b8 40 | -------------------------------------------------------------------------------- /sednit/2018-11-20_Zebrocy.adoc: -------------------------------------------------------------------------------- 1 | == Blog: What’s going on with Zebrocy? 
2 | 3 | .IoCs 4 | [cols="3*",options="header",frame=none] 5 | |=== 6 | |filename 7 | |SHA-1 8 | |ESET detection names 9 | 10 | |`SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe` 11 | |`7768fd2812ceff05db8f969a7bed1de5615bfc5a` 12 | |`Win32/Sednit.ORQ` 13 | 14 | |`C:\Users\public\Pictures\scanPassport.jpg` 15 | |`da70c54a8b9fd236793bb2ab3f8a50e6cd37e2df` 16 | |`-` 17 | 18 | |`C:\Users\Public\Documents\AcrobatReader.{exe,txt}` 19 | |`a225d457c3396e647ffc710cd1edd4c74dc57152` 20 | |`MSIL/Sednit.D` 21 | 22 | |`C:\Users\Public\Videos\audev.txt` 23 | |`a659a765536d2099ecbde988d6763028ff92752e` 24 | |`Win32/Sednit.CH` 25 | 26 | |`%TMP%\Indy0037C632.tmp` 27 | |`20954fe36388ae8b1174424c8e4996ea2689f747` 28 | |`Win32/TrojanDownloader.Sednit.CMR` 29 | 30 | |`%TMP%\Indy01863A21.tmp` 31 | |`e0d8829d2e76e9bb02e3b375981181ae02462c43` 32 | |`Win32/TrojanDownloader.Sednit.CMQ` 33 | |=== 34 | 35 | === Email addresses 36 | 37 | `carl.dolzhek17@post.cz` 38 | 39 | `shinina.lezh@post.cz` 40 | 41 | `P0tr4h4s7a@post.cz` 42 | 43 | `sym777.g@post.cz` 44 | 45 | `kae.mezhnosh@post.cz` 46 | 47 | `tomasso25@ambcomission.com` 48 | 49 | `kevin30@ambcomission.com` 50 | 51 | `salah444@ambcomission.com` 52 | 53 | `karakos3232@seznam.cz` 54 | 55 | `rishit333@ambcomission.com` 56 | 57 | `antony.miloshevich128@seznam.cz` 58 | 59 | === C&C server 60 | 61 | `http://45.124.132.127/company-device-support/values/correlate-sec.php` 62 | -------------------------------------------------------------------------------- /deprimon/samples.sha256: -------------------------------------------------------------------------------- 1 | 7730c46be1dbb25c251ac0a3375ce9f212f4adb072cbb83d408333de0a5ff347 2 | faa1b95c5e22f8ca3df6fd3e3d02abbbeeb6246b76daf461dab539abe464a665 3 | 632e79dac5a86190c7ed3adaae8d217ff0dc91d69d4de8b5d0f07d674eaa5751 4 | 896dd21625ce08bda66bee94565d2c1729f82a81af196b377d643c37972c25ff 5 | 272e8e57f1a3cfff9aafabf984f81943a18639a4a77f75ace45f4e8b05334580 6 | 
7615ebfbae515e580687765ecb9d8fa09a5602ceef31701ee9a42a733233e7f1 7 | 38ecb7b6e77e4181a2e498449a3b91873328eb9b08e7bd78644f6a14c58bbae6 8 | b1a16906b6a09168e586f99917ca5905716b7ba4cf84da33b24a78d99906934e 9 | e6aefbfe8b268334ee052cf8f5ce6916e0827ffd86d4e86c5e1d72bad3a9010d 10 | 56b51b8dd47f878583e335fb62c92cea1d6ae83d74a1b7676bff15f6fac3eed7 11 | 267c1aacacb8eb6c86b277d622e9b4b739abe1f20b94f43119f77490057450ab 12 | eb31bf6a48366819faf7f08760f2de635cd8615e56c128553f9bc110731aa9b9 13 | c1d11664d77bc6a6eba15df4041723e5afc6fe81d1e36a3f1c1ec0e8f8976ac6 14 | 915bc2f471fbf8296eba44dc5403a3c523a671c36e57bcb58d6fd549e2d7df9c 15 | eeadfcbc60c5e0f6d9b600ab386cd901ddad14d8465f932c1c3f4e3a65220e78 16 | cd4a4cb04dc2f82bb2f47437f4498e9a46ae1d8e561212f514b45b76a4b5e2bd 17 | f8ed9d26bc55e85d7abb9d2116c41a6325cba5c52e884b717adbe0e4483478f4 18 | bc04d96757f65f92d25a93d666c5ba2ec88af1feb571af495456a46b62958ba4 19 | 635912c7a685aa75a4067ba15ac896b8fdbaa8593a67f4b04701d0b1c8e0496d 20 | e7e868e5a797402a2b6619d4562f73c81013ae4054fba952f11cd6eb4d3d43fc 21 | c297ad028ed8eecab6bed1413102f34fa2d50de4c9af025f6b1c6ea33cc3ef21 22 | 63372cebe1d8c0ea26502551a6222f449a0e26be5260ed70c409a0ffc71015cd 23 | -------------------------------------------------------------------------------- /kasidet/README.adoc: -------------------------------------------------------------------------------- 1 | = Win/Kasidet IoCs 2 | 3 | == Samples 4 | 5 | [options="header"] 6 | |==== 7 | | SHA-1 | Version | Type 8 | | `B5E5B6393A444ED21B65554304288402E617011A` | 3.2.1 | 9 | | `B6C92083CDC03F5CBA842F52A5CDFA27073C6CD8` | 3.5 | 10 | | `4462EF92D630751D442E5D850436C4CABF9AD2DA` | 3.6 | 11 | | `B51E76E65C5FA095730C8C5153A7038A6D4F09B0` | 3.9 | 12 | | `94767262B02F90AC198D137FB2DC3B344AAEB4B9` | 3.9.2 | 13 | | `7B0B58E1FC4CEC0EAC15254BC6A115CC0DD9DF35` | 3.9.4 | 14 | | `B7F796D6E1C45F1FE087BD2BAC0192EA7839F790` | 4.4 | 15 | | `4C0699FB326E27E26E4ACEE6F2592744085B7A42` | 4.5.1 | 16 | | `83154250728B33D191A394000C2E53D03D2934A2` 
| 4.5.4 | 17 | | `DC2F1D7B2618727B30D0B950627A7E03D4542AA5` | 5.0 | dropper 18 | | `76C0E3DEEB781231498991CB9729FAA02FB1A19C` | 5.0 | module 19 | | `5F94E9D9F43DA93574D62B117BDFE03FB846FBA6` | 5.1 | dropper 20 | | `6E0849AD14A695E2C65C592CDE500334266114D3` | 5.1 | module 21 | | `C78042CA77E5CFE1B9CD51D188F20F0ED2699B49` | 5.2 | dropper 22 | | `63E706BAA8620C993E46469E8BAE542EC67F74CA` | 5.2 | module 23 | | `D1A4EAE72C13A06F1B70B265682246648B755F8E` | 5.3 | dropper 24 | | `AC0B9D5CD038422D0B4045446CF76E5A48FF40BF` | 5.3 | module x32 25 | | `F205C4ACB22E6C2F25AA523E5CE772C5256FAD89` | 5.3 | module x64 26 | | `19411620C34E6E13B323923F2FF7CE6E3E22AD97` | 5.4 | dropper 27 | | `78A421237DA7F61B91117E6176CC4742C9B54076` | 5.4 | module x32 28 | | `2D160F8804FBE7F068B5DEE61F316A59B2CEA746` | 5.4 | module x64 29 | |==== 30 | -------------------------------------------------------------------------------- /rakos/README.adoc: -------------------------------------------------------------------------------- 1 | = Linux/Rakos IoCs 2 | 3 | For a description of Linux/Rakos, please see the 4 | http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/[5 | article about Linux/Rakos] on http://www.welivesecurity.com[WeLiveSecurity]. 6 | 7 | == Samples 8 | 9 | === Executables 10 | 11 | [options="header"] 12 | |====== 13 | | SHA-1 | First seen on VirusTotal | Architecture | Version 14 | | `f80836349d6e97251030190ecd30dda0047f1ee6` | 2016-08-17 | EM_X86_64 | 688 15 | | `def04ec688ac6b41580dd3a6e78445b56536ba34` | 2016-09-27 | EM_X86_64 | 694 16 | | `3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0` | 2016-09-27 | EM_X86_64 | 695 17 | | `e53c73fe6a552eab720e7ee685ea4e159ebd4fdd` | 2016-09-27 | EM_X86_64 | 697 18 | | `c93bddd9cdb4f2e185b54a4931257954e25e7c37` | 2016-09-28 | EM_X86_64 | 698 19 | | `14af6254d9ca310b4d52778d050cb8dd7a5de1d8` | 2016-10-21 | EM_MIPS | ??? 
20 | | `c54d50025d9f66ce2ace3361a8626aee468d94ba` | 2016-11-09 | EM_386 | 700 21 | | `36b2fffe98f517355425797fc242f2cb82271c0c` | 2016-11-21 | EM_386 | 706 22 | |====== 23 | 24 | A plugin for Volatility Framework that detects IoCs and collects the ping request and the configuration: 25 | vt_ioc_linux_rakos.py 26 | 27 | 28 | == C&C servers 29 | 30 | - `hxxps://217.12.208.28/` 31 | - `hxxps://217.12.203.31/` 32 | - `hxxps://193.169.245.68/` 33 | - `hxxps://46.8.44.55/` 34 | - `hxxps://195.123.210.100/` 35 | - `hxxps://5.34.183.231/` 36 | - `hxxps://5.34.180.64/` 37 | - `hxxps://185.82.216.125/` 38 | - `hxxps://185.14.30.78/` 39 | - `hxxps://185.14.29.65/` 40 | - `hxxps://185.20.184.117/` 41 | -------------------------------------------------------------------------------- /quarterly_reports/2020_Q2/samples.sha256: -------------------------------------------------------------------------------- 1 | cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610 2 | 86879bf918164a4bf292714a53522f13bf102bab3caadf813b69150e571471ed 3 | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 4 | 5fbe3800d8e574b991bfe1da3243a87b6c6984621a0c7a67d4556861ce9dadbc 5 | b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d 6 | 5af14848d33786a504dffa83fd143a5cff7e77471574c13c4bae63f7d0ab5482 7 | 145169916b84462e8e7878110b2358e447656679ecfc879e4b826e6f322e2da7 8 | ccb65657ee5448d531b03bf70f9810f8f52abbaf520205e04bf76e0dc471a0b5 9 | 4733d1204b06dc95178e83834af61934a423534e1d4edd402b37e226f0f2727f 10 | 5bf291fd726770a7c3e60192be74b960fe34c4733c4e0e770202e8e8f85cbd02 11 | e2c3913d7e1dee8eae919b8852baf20cf8572852a033fc33eeed2c075a84edd0 12 | 4382c33af939d5e3974e42a7be5b2d9ab1ac244be9ca853bf968ade842b3161a 13 | a8767be010e1cd90d77034f3c4f69821f764ae976d32dc34d29d19659afa5950 14 | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b 15 | 06edaf3c56c89837d900460a126f364e0034afd429853904e86aee0c4b1f7c8c 16 | 
7d6d72b064804dca4aa0b1c75506363ae7c95081fa068561b6f39faea35e6d3b 17 | a251069b3fccd528cf2ce8ed36d814e974068fb4a1d9a5e67a4eb8fffa09e938 18 | 74146127685cd115fc67af3dca9601eaac74c82b767fd49616a439246ad3856e 19 | cf3d64ab1d314da422cc937d57d13331115c7a27721672c8eee65f90dee74122 20 | 7c0d78f4e258a9d513d9f3b10c722283187b85dfbf3a80f0937741f9b77f068d 21 | c9e0556c0e468ac1c46e3f76b05deda6a6a75e459dd282ac95b9833bef955bb4 22 | 2bdbcc2b8f069dd93673ae8b5d092e470e9706ec77412bc7aed696a12afb2e8d 23 | 1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded 24 | -------------------------------------------------------------------------------- /telebots/samples.sha1: -------------------------------------------------------------------------------- 1 | 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7 2 | 58a45ef055b287bad7b81033e17446ee6b682e2d 3 | a0b9a35675153f4933c3e55418b6566e1a5dbf8a 4 | 86abbf8a4cf9828381dde9fd09e55446e7533e78 5 | 16c206d9cfd4c82d6652afb1eebb589a927b041b 6 | 7b87ad4a25e80000ff1011b51f03e48e8ea6c23d 7 | 68377a993e5a85eb39aded400755a22eb7273ca0 8 | 7c822f0fdb5ec14dd335cbe0238448c14015f495 9 | d8614bc1d428ebabccbfae76a81037ff908a8f79 10 | 35d71de3e665cf9d6a685ae02c3876b7d56b1687 11 | f00f632749418b2b75ca9ece73a02c485621c3b4 12 | f1bf54186c2c64cd104755f247867238c8472504 13 | bf3cb98dc668e455188ebb4c311bd19cd9f46667 14 | 06e1f816cbaf45bd6ee55f74f0261a674e805f86 15 | 64cb897acc37e12e4f49c4da4dfad606b3976225 16 | c361a06e51d2e2cd560f43d4cc9dabe765536179 17 | b2e9d964c304fc91dcaf39ff44e3c38132c94655 18 | c473ccb92581a803c1f1540be2193bc8b9599bfe 19 | 7582de9e93e2f35f9a63b59317eba48846eea4c7 20 | 57dad9cda501bc8f1d0496ef010146d9a1d3734f 21 | fffc20567da4656059860ed06c53fd4e5ad664c2 22 | 4b692e2597683354e106dfb9b90677c9311972a1 23 | 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f 24 | 71a2b3f48828e4552637fa9753f0324b7146f3af 25 | 26da35564d04bb308d57f645f353d1de1fb76677 26 | 4d5023f9f9d0ba7a7328a8ee341dbbca244f72c5 27 | fe4c1c6b3d8fdc9e562c57849e8094393075bc93 28 | 
ad2d3d00c7573733b70d9780ae3b89eeb8c62c76 29 | 9512a8280214674e6b16b07be281bb9f0255004b 30 | 8eb8527562dda552fc6b8827c0ebf50968848f1a 31 | 77d7ea627f645219cf6b8454459baef1e5192467 32 | f22cea7bc080e712e85549848d35e7d5908d9b49 33 | 30d2da7caf740baaa8a1300ee48220b3043a327d 34 | b0ba3405bb2b0fa5ba34b57c2cc7e5c184d86991 35 | 81f73c76fbf4ab3487d5e6e8629e83c0568de713 36 | 1dc1660677a41b6622b795a1eb5aa5e5118d8f18 37 | -------------------------------------------------------------------------------- /sednit/part3.adoc: -------------------------------------------------------------------------------- 1 | == Indicators of Compromise 2 | 3 | === DOWNDELPH 4 | 5 | ==== ESET Detection Names 6 | 7 | ---- 8 | Win32/Rootkit.Agent.OAW 9 | Win32/Rootkit.Agent.OAY 10 | Win32/Sednit.AZ 11 | Win32/Sednit.BA 12 | Win32/Sednit.BB 13 | Win32/Sednit.K 14 | Win64/Sednit.J 15 | ---- 16 | 17 | ==== Hashes 18 | 19 | ---- 20 | 1cc2b6b208b7687763659aeb5dcb76c5c2fbbf26 21 | 49acba812894444c634b034962d46f986e0257cf 22 | 4c9c7c4fd83edaf7ec80687a7a957826de038dd7 23 | 4f92d364ce871c1aebbf3c5d2445c296ef535632 24 | 516ec3584073a1c05c0d909b8b6c15ecb10933f1 25 | 593d0eb95227e41d299659842395e76b55aa048d 26 | 5c132ae63e3b41f7b2385740b9109b473856a6a5 27 | 5fc4d555ca7e0536d18043977602d421a6fd65f9 28 | 669a02e330f5afc55a3775c4c6959b3f9e9965cf 29 | 6caa48cd9532da4cabd6994f62b8211ab9672d9e 30 | 7394ea20c3d510c938ef83a2d0195b767cd99ed7 31 | 9f3ab8779f2b81cae83f62245afb124266765939 32 | e8aca4b0cfe509783a34ff908287f98cab968d9e 33 | ee788901cd804965f1cd00a0afc713c8623430c4 34 | ---- 35 | 36 | ==== File Names 37 | 38 | ---- 39 | apivscd.dll 40 | install_com_x32_LL_full.dll 41 | shcore.dll 42 | userinit.exe 43 | ---- 44 | 45 | ==== Registry Keys 46 | 47 | ---- 48 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LastEnum 49 | SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shell 50 | ---- 51 | 52 | ==== C&C Server Domain Names 53 | 54 | ---- 55 | intelmeserver.com 56 | ---- 57 | 58 | ==== C&C Server IP 
addresses 59 | 60 | ---- 61 | 104.171.117.216 62 | 141.255.160.52 63 | ---- 64 | 65 | ==== PDB Paths 66 | 67 | ---- 68 | d:\\!work\\etc\\hideinstaller_kis2013\\Bin\\Debug\\win7\\x64\\fsflt.pdb 69 | d:\\new\\hideinstaller\\Bin\\Debug\\wxp\\x86\\fsflt.pdb 70 | d:\\!work\\etc\\hi\\Bin\\Debug\\win7\\x86\\fsflt.pdb 71 | ---- 72 | -------------------------------------------------------------------------------- /okrum_ke3chang/samples.md5: -------------------------------------------------------------------------------- 1 | dcacb246805f4a63dcb4a669b3ff0dbd 2 | d8a252962a5dd15cc55c1a2baf8fc8a5 3 | 03a2f5ea0cea83e77770a4018c4469ab 4 | f53ecd1f1075d0e46ea3f7d287d316a4 5 | a5e958f13d2b26a0ab9c51cddfb3407c 6 | e46d8f510c09f09e2e6b958b84190d8b 7 | ecf5c533c904cfc8eb1426289ef215c2 8 | 745526970384e6bfadb88dc774d772ae 9 | 100336c98e0cfe9edd134438cb1ab901 10 | 55946f2919f93ac1874b2fc20c235777 11 | 5da1f81a8ca70622b113a82446979dd5 12 | f21c3de3e3be191c5e746ef9fe98dcc8 13 | 177ad093991d46581b89fd104cc2581f 14 | 1b87a7822d91a3ff5b9de46d9557dd18 15 | c1d289ee401c03a9900810640218c499 16 | 1f0beb1d18134c8fdb3544bd0d593de3 17 | e5f450ca7fcbad57a8349c7b5378c562 18 | a0784263d97b4a96768df8d64090d16f 19 | d31cec27ac0094ed45612e4989f6616d 20 | c79b60e5e923f5fde2a02991238ae688 21 | 0938c867b9bb7efc789734cfa872f8cd 22 | d5ff9cd2471215fc2d26f95fa6dfa535 23 | d0dc69f10525931ee275cb515d7f430f 24 | f996e7e43aa8485c0aa198e1c2273d8e 25 | 20894952332cb0d98087eb23a38667db 26 | f677a575b2cd8afd4eb970a7a23a1a39 27 | adee545b32a8375d6fb3b2e47a96a827 28 | 7536b375e05135eb1e9123c28e2326cf 29 | 6aa3f55a77bded9a280fe0418e40e110 30 | 179cd45fb625c38d2526a460af984f03 31 | 6936b56f3469b6eef002bf78f5db505d 32 | c93c0673179339c8b5df4b821b8ce188 33 | 720f625c427aa16972d9dd517e69d73e 34 | 2bd31bc1fa8383d15b99e3485d82ac2c 35 | 7d584187e33f58f57d08becf3cc75b72 36 | dad64227619bb24e67f0b72de7c215da 37 | ff49b26664070b080d30d824bd2f3064 38 | e0f185b6fe8f28149ae7ab2ff535087c 39 | 0924ed929b1a6b30b70d61a8dad1fb25 40 | 
d807c2858bb95aefcab3ebdc3fc94dce 41 | fd67767a577f9440b2bbd27aa857ab3d 42 | c14165226bd3e51b1b6c070da7707fb9 43 | d1b876a420dfbb5b92c4fd733191d809 44 | f8fad0098bfa19c8ce48663d4069ddbf 45 | ed8a3e5c4f21614c5a5b91231fd61e3e 46 | 164c702460314fb7c091b615be6e3a18 47 | 5036448ed1a00bde4b38ab99a86aa6dc 48 | -------------------------------------------------------------------------------- /oceanlotus/samples.sha1: -------------------------------------------------------------------------------- 1 | 82e579bd49d69845133c9aa8585f8bd26736437b 2 | 49dff13500116b6c085c5ce3de3c233c28669678 3 | 50a755b30e8f3646f9476080f2c3ae1347f8f556 4 | cd13210a142da4bc02da47455eb2cfe13f35804a 5 | 2194271c7991d60ae82436129d7f25c0a689050a 6 | 202fb56edb2fb542e05c845d62ffbdcfbebed9ec 7 | c2eb1033bc01ab0fd732a7ba4967be02c0690bf0 8 | efac23b0e6395b1178bcf7086f72344b24c04dcc 9 | 7642f2181cb189965c596964d2edf8fe50da742b 10 | fe0161fb8a26a0bf4afad746c7ebf89499dcd3a7 11 | f96bcd875836da89800912de1e557891697c7cf4 12 | 8b991d4f2c108fd572c9c2059685fc574591e0be 13 | d1357b284c951470066aaa7a8228190b88a5c7c3 14 | b998f1b92ed6246ded13b79d069aa91c35637dec 15 | bb060e5e7f7e946613a3497d58fbf026ae7c369a 16 | 2a387d7d47a63d6e47d9cc92d3dc69a53816c2c0 17 | 83d520e8c3fdaefb5c8b180187b45c65590db21a 18 | d35695f2366a43628231e73ffa83ca106306a8fa 19 | a40ee8ff313e59aa92d48592c494a4c3d81449af 20 | 1bd6f7e4c74a339d04d2fbf0e672363531145f49 21 | 377fdc842d4a721a103c32ce8cb4daf50b49f303 22 | 3dfc3d81572e16ceaae3d07922255eb88068b91d 23 | e2d949cf06842b5f7ae6b2dffaa49771a93a00d9 24 | 981640ae7c12e94aafca3cb4356e37a362f66f53 25 | bd39591a02b4e403a25aae502648264308085ded 26 | a24ca18ff3caf505cb7ab6ebb88ad840ffc78877 27 | 996d0ac930d2cdb16ef96edc27d9d1afc2d89ca8 28 | fdcb35cd9cb8dc1474cbcdf1c9bb03200dcf3f18 29 | cc918f0da51794f0174437d336e6f3edfdd3cbe4 30 | b4e6ddcd78884f64825fdf4710b35cdbeaabe8e2 31 | 032ef58b7978d079287874044dc516af624ae5f5 32 | b744878e150a2c254c867bad610778852c66d50a 33 | 
9df3f0d8525edf2b88c4a150134c7699a85a1508 34 | 77c42f66dadf5b579f6bcd0771030adc7aefa97c 35 | 7105caa6d4fd8a2c67523d385277528e556ae4f6 36 | ac10f5b1d5ecab22b7b418d6e98fa18e32bbdeab 37 | e615632c9998e4d3e5acd8851864ed09b02c77d2 38 | 233c86a79924fe172d3d128fb692fd3883339de2 39 | 677c7cc6865a0466f96843090a2eb239f3ec375a 40 | -------------------------------------------------------------------------------- /mikroceen/samples.md5: -------------------------------------------------------------------------------- 1 | c82ddaa769fff873389f88adf2d5b428 2 | d61dc546d14f7a53e8727d335841f705 3 | 761d08c90d864cc457b0a21f81ff8f9a 4 | 5d41d0fd328d582020d261501819e2e6 5 | ce080d717de7323e9e1a13c547c9eec6 6 | 01c94693b40bca523ef6700db9ac2bd6 7 | f9dfcba99a3bd151d0a9d585fe7eb980 8 | 670e4bf5961d6279484586120f81572d 9 | e388a2c1d109d9873ad4bc75f7403bc2 10 | 60e9d8ec8a8a73082719e6e923c5c186 11 | 3210ee588331b7df6a52c507611f7ff1 12 | 385eab250b3164ef84bb71efca8e305d 13 | f9cf2648ae9520cb99539c2c2104b8c7 14 | dff76bbeb81104d626d2a00382a398a1 15 | 3ca5b7645bb909ddd699f51fc8030d68 16 | 6d6f22be5d40d055f278e3d62eecedd1 17 | 1b58415f7f9c40f9c8b5034e1b17b83a 18 | 57d9222e2461b06335a49ae776b3ed9f 19 | 9ccb15494bf00be32e8c5723c2e4bcb0 20 | 5d41d0fd328d582020d261501819e2e6 21 | ef3429f86879744070a1a85ce8b46438 22 | 5f9de7eae4908845f78f1a37e339fe22 23 | 339b6218c7209f497a3d9f3a6cf9347d 24 | eff029fecbff07850c2eac2305ea9c02 25 | a8ce53a9dac6f1e276c026bc31489858 26 | f9dfcba99a3bd151d0a9d585fe7eb980 27 | b82aa46045d2ea7876a9cc7c235bea09 28 | 46bcdc917aedd42e47ba220a1e14f116 29 | aeaf3d3d1a413fba098ca6078a317bbb 30 | 8c4aba836c5036b397c287f93a3ce763 31 | cd792384c1d70b9210a573b56a5ec035 32 | 1286017712287f12c5ee741ed53842fa 33 | 441cfe81cf61ea777f94f0057ca7bc52 34 | 2e8e069cdfd0982f36d6ea335fe460ee 35 | a7282866ade4ac7358ddeed79723dd18 36 | ad3b1951b00fa50f110ec53e8fdc7c01 37 | cf55aae26cc00da9ca8a3b4e603701c7 38 | 22b2c40d6e8160695d5d9dc630285a8f 39 | 235fd6e7779e374bd451172ae9dc033e 40 | 
93080368f0cd2cedd2d3ec2b73ee33b3 41 | 35c46045a09e9cd7362fad4b7e968854 42 | 216bebaca8e49bbcee05bba8cea581fa 43 | dc0021bfe7375db4a79a0c4623ec16ff 44 | f7196850200b1dc540c7e8757924a0bd 45 | 11a56211b067e19189b7bc50df2739d6 46 | d8c9a9a8e8d7e8007c71aa72811b60f3 47 | fb9b3c72f993de60e01d656834ce61e0 48 | d4790fd64cafbd1995b8d889a51b009a 49 | b2234a1dade78a315554b8ac342a11b9 50 | -------------------------------------------------------------------------------- /moose/samples.sha256: -------------------------------------------------------------------------------- 1 | e1f58f5be2973b2f68236ba37d496fa7d6e89e383417c39f6208cde465bc74c0 2 | dadd01cc9791024d9db7290399afa13f237903fe70ac99453475bce6dd7fe472 3 | 1a430acca205dc6e8c02edc33b44f4ef47f4540401be5094a5481101f0427634 4 | 7153a1a67577880a120be99ae3994704379e3d819f60a3ce63282e5b6a97edea 5 | 0cca2d2a20b32e2ee9696136d37a81e275c95d0b85950c599c6b97b3b119e790 6 | 79165e59ee71735a2dbeed6aa3ce7de6e108686455ee6922e9c35c8870ab9f1d 7 | 317b6db8d0f2c2b743d02de833910bf04da363e4548fede36b8a425dd718f56c 8 | 425c9101134c07a19c11e5adab2203a1ae66ee2384346f5c698a24e0f5a95c81 9 | a723638ae6a3fb762e74743cf3f27cd1ecffe1b9ab30df05aeba769ef28ac8f1 10 | bb1af92ec47a2419ded9b205bcb23b9db3272f3e72d82f954fc84e426e42dc87 11 | 527007b7a8064668132053a7155d1676254b12a9f0a7df2bcfac7520af50a1a0 12 | 2a3ea4d1c9bc23a45784967f0302de3f9010096ba7f508d227be45c4ab19bf79 13 | a1fa2b7a6ed168e7806e26ba265a94a6a1fe4227cea5f0e4509cd526d82e92c0 14 | 08b9e2768073af1929ea767e3ca88f4f65ef9bdf85e088abcf7102f6294ba90c 15 | fbdfb51d7b527c828456f0476fae3f473575e8372fa1a4ca944c0101f8b993d3 16 | 6dfdf171472f79566b5b94a3cd2ee539195b9359b6a997ae874157134aae4e41 17 | 459dcaa49ec4620e1c3d4fbeb76aefda2158226bf69c9769868f627c2f064280 18 | 5645024cf62d2ed036b774f63639695c09a48499823f0beaf6b8c1d4f6bcad9d 19 | 7fe66e3fc7dd47941b9bf6261498bf541f80d8ac86b6fdb05fc63030cf0bbfa3 20 | 5cf52a05c3e8fb5a53b81adaf961386ef0776e79ccfa918372bd3d9cade2bfb1 21 | 
4eaf24a11e66bea9ff74af7e6c07e229514142c6e1c935ccfe3f21a01f537be4 22 | b678638c3a73d1d9d98b80c4e62c65bf2f81f6c316e1c8f347a58b531def7cb1 23 | 8771f66d0e79816bab02485d18d3f2566c54a656b33d731508995c3761681001 24 | 9ad4a042755a6f18fc7bfec0bc4017b263a2dcb391e584d88da53f57a117ee67 25 | 4775d546f480021a602920e9d59f55a40761d0086c7287b7ed95b3d3b6afbe8e 26 | 61ab162ffd5177d787d481d8e648e1b6980e82a24483023eee10e1543497c2f5 27 | bb1930fd85793507a3ea8dba43d6031bdb3a2ad0088bb23759fe1e2acdee02da 28 | 35840d48992460b727fa5e9c61ad30eded4b4191e33c644d4ff10fd572bd3d81 29 | -------------------------------------------------------------------------------- /ramsay/README.adoc: -------------------------------------------------------------------------------- 1 | = Ramsay 2 | 3 | For a description of Ramsay, please see the article on 4 | https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/[WeLiveSecurity]. 5 | 6 | == MISP event 7 | 8 | link:misp-ramsay.json[MISP event] 9 | 10 | == ESET detection names 11 | 12 | - Win32/Exploit.CVE-2017-11882.H 13 | - Win32/HackTool.UACMe.T 14 | - Win32/HideProc.M 15 | - Win32/Ramsay.A 16 | - Win32/Ramsay.B 17 | - Win32/Ramsay.C 18 | - Win32/TrojanDropper.Agent.SHM 19 | - Win32/TrojanDropper.Agent.SHN 20 | - Win64/HackTool.Inject.A 21 | - Win64/Ramsay.C 22 | 23 | == Host based indicators 24 | === SHA-1 hashes 25 | 26 | ---- 27 | 19bf019fc0bf44828378f008332430a080871274 28 | 3849e01bff610d155a3153c897bb662f5527c04c 29 | 3bb205698e89955b4bd07a8a7de3fc75f1cb5cde 30 | 50eb291fc37fe05f9e55140b98b68d77bd61149e 31 | 5a5738e2ec8af9f5400952be923e55a5780a8c55 32 | 5c482bb8623329d4764492ff78b4fbc673b2ef23 33 | 62d2cc1f6eedba2f35a55beb96cd59a0a6c66880 34 | 7d85b163d19942bb8d047793ff78ea728da19870 35 | 87ef7bf00fe6aa928c111c472e2472d2cb047eae 36 | ae722a90098d1c95829480e056ef8fd4a98eedd7 37 | baa20ce99089fc35179802a0cc1149f929bdf0fa 38 | bd8d0143ec75ef4c369f341c2786facbd9f73256 39 | bd97b31998e9d673661ea5697fe436efe026cba1 40 | 
e7987627200d542bb30d6f2386997f668b8a928c 41 | eb69b45faf3be0135f44293bc95f06dad73bc562 42 | f74d86b6e9bd105ab65f2af10d60c4074b8044c9 43 | f79da0d8bb1267f9906fad1111bd929a41b18c03 44 | ---- 45 | 46 | === Ramsay filenames 47 | 48 | ---- 49 | %APPDATA%\Microsoft\UserSetting 50 | %APPDATA%\Microsoft\UserSetting\MediaCache 51 | %ALLUSERSPROFILE%\NetCache\ 52 | %ALLUSERSPROFILE%\MediaCache 53 | %WINDIR%\System32\wimsvc.exe 54 | %WINDIR%\System32\drivers\hfile.sys 55 | %WINDIR%\System32\Identities\bindsvc.exe 56 | %WINDIR%\System32\Identities\wideshut.exe 57 | %WINDIR%\System32\msfte.dll 58 | %WINDIR%\System32\oci.dll 59 | 7z920.exe 60 | dpnom.dll 61 | netwiz.exe 62 | racfg.exe 63 | lmsch.exe 64 | slmgr.vbs 65 | sharp.exe 66 | byinfo.exe 67 | ---- 68 | -------------------------------------------------------------------------------- /windigo/windigo-cdorked.rules: -------------------------------------------------------------------------------- 1 | # Operation Windigo snort rules 2 | # For feedback or questions contact us at: windigo@eset.sk 3 | # https://github.com/eset/malware-ioc/ 4 | # 5 | # These snort rules are provided to the community under the two-clause BSD 6 | # license as follows: 7 | # 8 | # Copyright (c) 2014, ESET 9 | # All rights reserved. 10 | # 11 | # Redistribution and use in source and binary forms, with or without 12 | # modification, are permitted provided that the following conditions are met: 13 | # 14 | # 1. Redistributions of source code must retain the above copyright notice, this 15 | # list of conditions and the following disclaimer. 16 | # 17 | # 2. Redistributions in binary form must reproduce the above copyright notice, 18 | # this list of conditions and the following disclaimer in the documentation 19 | # and/or other materials provided with the distribution. 
20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | # 32 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Linux/Cdorked is being configured by C&C"; flow:established,to_server; content:"POST"; content:"SECID="; http_cookie; pcre:"/\?[0-9a-f]{6} HTTP/"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2016794; rev:2;) 33 | -------------------------------------------------------------------------------- /okrum_ke3chang/samples.sha1: -------------------------------------------------------------------------------- 1 | d7dfb547033b82765f8b0a6b70a22a4ec204d7a8 2 | d3a96c0fa84bfee826e175d4664116a169d15d4e 3 | 9d41b44af5baaf581c0d9d7bef466213bd8be01a 4 | 233ff39dde5a13cbf78ec1e9c020cf3cf18084e7 5 | 809c53f71549d83ed8ab5bab312249212f6f4149 6 | fe2bf0a613482a40ccf84157361054ee77c07960 7 | 86513fe43f2f2d2c486d6265c9098315e774f791 8 | 7581337db29e092101e4fd692d01aa26d65fa40a 9 | c1c89a1a1779515ec1dfd0efff293615d523279e 10 | 371b14f8bfd9b5db098139e7fe2ebd4381cb259c 11 | d8aa9e4918e464d00ba95a3e28b8707a148ec4d7 12 | 09b7999160c5d0dc9a7443f0fc248b6c23bc0724 13 | 
48f8bafb334c6980fb578c09d7297a4b7f5e09e2 14 | 1730d90ffb888877ea2f18198bcc592087218e9a 15 | 054eb61f2ce6deb4fe011335cd88eba530b8d09a 16 | 23796442f7ce7288837536ebf4e8620db55a0bc1 17 | 2c8b145ef5ac177c99dfcb8c0221e30b3a363a96 18 | 1cdc632e0a26f39e527acf7b1cdecd829a6a2b3d 19 | a23ee1f17b746c1907293c7f8155e3e7de135648 20 | f42a9d85abe04e721461fe2b52ddc9e0ea411d9e 21 | 4c1198f726acad7af78b36f250a128d5e3c52d8c 22 | 43a4cc528134e218b9cec2ff0c24b5912bf5c032 23 | 8d7e503d972c03c0f87f2d6f6ef65f1381d21bc6 24 | d98d258c234f5cead43fd897613b2ea2669aa7c0 25 | ad740fd11688b2b39072c7024679cc22878e2619 26 | 6bf0923577fe5939dea66f466b74683ae2ebbc3e 27 | d3d0ded17d0029dfd90da2ae74ada885779e8926 28 | 10bd61f3fb03632e270fef3ab6515677405a472f 29 | 77369d3735b3b2c24ccaa93ecaa903d816ea9cd9 30 | dd753fcbad4be31066f278585d14c411db3d7795 31 | 1d271f22798313650c91c6fc34551cc8492a2019 32 | a426bcc6317f0d49f0f0b68091e8161c512e22c3 33 | ce94ec2cfb23d8c662f558c69b64104c78b9d098 34 | f2bfda51bda3ee57878475817af6e5f24ffbbb28 35 | b49edc05658907c888074905ce234bf3cf58d8a0 36 | 65e3947144f6a3c31bc88e445514a83fcb331afd 37 | 844e710d85dd63aa5bf245cee94c1cc872429bd3 38 | ab7f63649bbc53e45deeb7269bebd54815ae9e27 39 | d3bfb10db08c6828c3001c1f825ed6a6bf6f6e01 40 | 1c7559c57606b359eeb57f0416fe0b2784c01395 41 | 94e6cb95585dbb59a61ec4029bc7ebb30bba57e5 42 | 58dea3a56de1d95353230be9bbba582599afe624 43 | 5fbafb71cfdf0c93e19882630d05f37c1f756cbf 44 | 4636e5fb97afa68f60be9247f5eb9684ca9cdba6 45 | f0e2c3af0297c80c0a14e95e151fc7dc319acfc3 46 | 38299bcf0ba25e331939683597f161a3d7121a26 47 | 2748a2928b6a4a528709aba20aef93d1ec9010f9 48 | -------------------------------------------------------------------------------- /keydnap/README.adoc: -------------------------------------------------------------------------------- 1 | = OSX/Keydnap IoCs 2 | 3 | For a description of Keydnap, please see the 4 | http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials[article about Keydnap] 5 | on 
http://www.welivesecurity.com[WeLiveSecurity]. 6 | 7 | == Samples 8 | 9 | === Downloader 10 | 11 | [options="header"] 12 | |====== 13 | | SHA-1 | Filename | First seen on VirusTotal | Backdoor download URL | Decoy description or URL 14 | | `07cd177f5baf8c1bdbbae22f1e8f03f22dfdb148` | info_list.txt | 2016-05-09 | hxxp://dev.aneros.com/media/icloudsyncd | "Most Common Interview Questions" 15 | | `78ba1152ef3883e63f10c3a85cbf00f2bb305a6a` | screenshot_2016-06-28-01.jpg | 2016-06-28 | hxxp://freesafesoft.com/icloudsyncd | BlackHat-TDS Panel screenshot 16 | | `773a82343367b3d09965f6f09cc9887e7f8f01bf` | screenshot.jpg | 2016-05-07 | hxxp://dev.aneros.com/media/icloudsyncd | Firefox 20 about screenshot 17 | | `dfdb38f1e3ca88cfc8e9a2828599a8ce94eb958c` | CVdetails.doc | 2016-05-03 | hxxp://lovefromscratch.ca/wp-admin/css/icloudsyncd | hxxp://lovefromscratch.ca/wp-admin/CVdetails.doc 18 | | `2739170ed195ff1b9f00c44502a21b5613d08a58` | CVdetails.doc | 2016-05-03 | hxxp://lovefromscratch.ca/wp-admin/css/icloudsyncd | hxxp://lovefromscratch.ca/wp-admin/CVdetails.doc 19 | | `e9d4523d9116b3190f2068b1be10229e96f21729` | logo.jpg | 2016-06-02 | hxxp://dev.aneros.com/media/icloudsyncd | sanelite logo 20 | | `7472102922f91a78268430510eced1059eef1770` | screenshot_9324 2.jpg | 2016-06-28 | hxxp://freesafesoft.com/icloudsyncd | Some C&C panel 21 | |====== 22 | 23 | === Backdoor 24 | 25 | [options="header"] 26 | |====== 27 | | SHA-1 | C&C | Version 28 | | `a4bc56f5ddbe006c9a68422a7132ad782c1aeb7b` | hxxps://g5wcesdfjzne7255.onion.to | 1.3.1 29 | | `abf99129e0682d2fa40c30a1a1ad9e0c701e14a4` | hxxps://r2elajikcosf7zee.onion.to | 1.3.5 30 | |====== 31 | 32 | A patch for UPX to unpack the samples is provided here: 33 | https://github.com/eset/malware-research/blob/master/keydnap/keydnap_upx.patch 34 | 35 | == Backdoor C&C servers 36 | 37 | - `hxxps://g5wcesdfjzne7255.onion.to/` 38 | - `hxxps://r2elajikcosf7zee.onion.to/` 39 | 
-------------------------------------------------------------------------------- /attor/samples.sha256: -------------------------------------------------------------------------------- 1 | 99271bebcac0da7f3aad7c4e3966b4f63d5477afa0fa8308a9ed7d53a6009ec4 2 | e4edb7e7050e7a7eeecaed68888a35b16353bee7fe8f3279106f78fdf70f09a1 3 | 71b5bd713e00ce3e238b0a20b875015266f0b3837cf6296b946449a64d8f086e 4 | b32a9e98a929e73895255c84a87f289a663f12877e7430e41f49ee8b35417398 5 | 3e03e35ddab8ea0aa5dc5645a557e1f921c24deb57b195a956ddb103eae2e31e 6 | 76fc595a15db21d6a15b6a0cbb3eef0ac679802a014d18eb1ec3d2c78932f2af 7 | 9ec90d5c4dad1c04a43cfc3a513da5a035af905421f7c7a74a526f3235af9a3c 8 | 4896cf75789fb197c423abf0772e184744103fe6869a667905364434a70ad086 9 | cbf6fac49ecee92e5fb54e72cff5c0c6183c73b3c42616865d311da4f7ec1811 10 | 77a279f29108a7e5a7cb171833d29d751c155b0ed3c4f09e17755d5794376238 11 | e6e1c73ac2566e03cc9e3e73cacb5e93a93177436f73c1d0438a034dd6097967 12 | cfb96900ad1b91259ae75fdf9ff5eba32246c97b772f9f2a1dcb672a5d640421 13 | e770d534957e4a928386b015fbcfc745f94bd1cdc8530a770458af8f899478df 14 | 711d7083853ce2eab599ca41c6072500c4a316a0d71ade16bd191ffb779a65d9 15 | 2e9414010dcfb05eb465a2f416c2a46ba94db1744d51efe34ea4b82eba6ba358 16 | 04bf7df17bbfafaa82f3d59bdc2773410f937b1e086bda7e34768c2bf0af9378 17 | b902bdd8075462b45e3ce48be9828c4778bfc3bccb1977760e2aea22c5dca0ae 18 | 35c37ed14d74a846325af0f003c85bb12e103333290c5bd80012f2bb146c2407 19 | a68dfb7479c712f31f6ba4e000cc1e61904961d1fe87c71248eacdc0d80c979f 20 | 00cf5f8c11489b6f99c357271739d91b6bc52700b84afcb011973dac1edfd9a3 21 | e91931c0d1fa9ae529f3ab42b90dfe6617c0b7b06d96d6070ab6bcbc33b85cb4 22 | 586b666be1e6dd5b8e8d41cad64249690dfc764b515a6f633fd3493c8e672ea1 23 | 66bb7ca7502a42524976b34e3b35a798660299cb71ae22100f1cf9e57d330d27 24 | 4b5b52f551ba8ea42c3162e92dd06bebd5c66a5dc43ec2af51b5b5211a1f075f 25 | 36cb1d87008117e45ad6eb13bc78e7bff381772d4fc93b1b2c0be80860da7bf6 26 | b2e485341300c3f001b406a1d8f003a51fb7e98ee1bd77094c076b5f8187a186 27 
| 1005abdf40fe3a7a65ad22fd6ab53093a7406e436917eb4e7a145d4389af9dc4 28 | 41fa605bcf86a30c42ac11decf36fee4a32d7d9dc6532878c391d6c419f70acf 29 | 8fac6de6ac016355839664a11af409c99bc1c9aa039ed1da420035303af52525 30 | 026e3208eed18d8e916d39a97725a320606cda307d466a4e813388e055dac21a 31 | 51efae710ea4a6882f1c776b242b6bb5fa0af3eff27304f45deff22270e16c60 32 | 62b350d567c7cea19b4646e197747f7baeeb3c5111b47a0f9377846d520795c1 33 | -------------------------------------------------------------------------------- /mikroceen/samples.sha1: -------------------------------------------------------------------------------- 1 | e422e8628c34346a31a9ca2cca29233e86ff2d4d 2 | 9fb094bfdb1c05a356e3d8ee846111d5cc3bb064 3 | faf3414a6c884b50ad8ad048dd93814b231e08fc 4 | 13779006d0dafbe4b27bd282230df299eef2b8dc 5 | 8015c5558bab7eddf939a4d10cab2e2da17c6c40 6 | 7fcbe8828325f4f0a133c1b3a03ca22a7f1a5069 7 | 0f70251abc8c64cbc7b24995c3d32927514d0a4b 8 | e7f5a33b33e023a82ac9eee6ed40e4a38ce95277 9 | 2f0f465cdfa5fc2278e9cf5d602e1f48a2906881 10 | 260d434b6d00756c4b1ac39fe51c22ffb0c6dabf 11 | f2856d7d138430e164f83662e251ee311950d83c 12 | 81bb895a833594013bc74b429fb1f24f9ec9df26 13 | f53c77695a162c78c68f693f57f65752d17f6030 14 | 5d5e9ff6526d3d3cf84247bcb3ddc3b915b980fe 15 | 302cf1a90507efbded6b8f53e380591a3eaf6dcb 16 | 240b7aee7487c61528e69efd266b634203434e6b 17 | 4ca33a4e825aad15a544a42da5714868d8e698b6 18 | 8ebf78c84cd7f66ca8708467a28d83658bcf6710 19 | 8fbec09e646311a285aee06b3dd45ccf58928703 20 | 13779006d0dafbe4b27bd282230df299eef2b8dc 21 | d963d63fbbdda1c586cf809a4b3d091811ddcb0f 22 | b1be4b2f874c8309f553acce90287c8c6bb2b6b1 23 | b4790eec7daa9f931bed43a53f66168b477599a7 24 | 371ae8c7ed4f757db7a64620a5779b0708e2bd60 25 | 58d9d349a931a2cafe507b7bcea617869b3a5442 26 | 0f70251abc8c64cbc7b24995c3d32927514d0a4b 27 | 113764653a9799e2a7c1a736f42c544a2095e711 28 | 1402a3cac892eb65161e95002bb20506f1882c2f 29 | ab660a3ac46d563c756463bd1b64cc45f347a1f7 30 | 2100e95c562dc1222ab457ad22c48061962eb696 31 | 
21ffd24b8074d7cffdf4cc339d1fa8fe892eba27 32 | a99a21a228b952a0012e502996f5c1b0630e58bf 33 | 11fd54a815a97efeb61bec9a2ab3fedea98eb69b 34 | ff0645cea81bb271abf419327443af9130b83f8d 35 | ec75552b384076e588bd045b274224d7d7d6d1c3 36 | 0df7767ef828ceaf0efa11fbab0a903b0f0fef0b 37 | f274d6c8b47c259096a0b55e16e4310291dcabfb 38 | c7f1c2ff40af2355632bf215043fcef6b081789d 39 | 4de4b662055d3083a1bccf2bc49976cdd819bc01 40 | a54b37d3821ff114b3db0fcd722473d3826b625e 41 | 0983a873ad8deb1f6e29a38c40c1f3ab9eaedaf1 42 | d3305bbac11655d78889894f9cc3c5e2e140e808 43 | f73b053211ca0c0ad6cf0025fbe3b7494fca8067 44 | 19bdf9043517ad883cb719fb9152587dfd08730e 45 | 5192023133dce042da8b6220e4e7e2e0dcb000b3 46 | c18602552352fee592972603262fe15c2cdb215a 47 | 49ed91e7b482a0a0e325ec7f4997e17dc6a7a33b 48 | 5a44cdbd362e8d8c67192d91c8d3f87f2f920531 49 | 649834cb177802b5c73b39f3cc38f002ae436394 50 | -------------------------------------------------------------------------------- /rakos/rakos.yar: -------------------------------------------------------------------------------- 1 | // Linux/Rakos yara rule 2 | // https://github.com/eset/malware-ioc/ 3 | // 4 | // These yara rules are provided to the community under the two-clause BSD 5 | // license as follows: 6 | // 7 | // Copyright (c) 2016, ESET 8 | // All rights reserved. 9 | // 10 | // Redistribution and use in source and binary forms, with or without 11 | // modification, are permitted provided that the following conditions are met: 12 | // 13 | // 1. Redistributions of source code must retain the above copyright notice, this 14 | // list of conditions and the following disclaimer. 15 | // 16 | // 2. Redistributions in binary form must reproduce the above copyright notice, 17 | // this list of conditions and the following disclaimer in the documentation 18 | // and/or other materials provided with the distribution. 
19 | // 20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | // 31 | 32 | 33 | rule linux_rakos 34 | { 35 | meta: 36 | description = "Linux/Rakos.A executable" 37 | author = "Peter Kálnai" 38 | date = "2016-12-13" 39 | reference = "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" 40 | version = "1" 41 | contact = "threatintel@eset.com" 42 | license = "BSD 2-Clause" 43 | 44 | 45 | strings: 46 | $ = "upgrade/vars.yaml" 47 | $ = "MUTTER" 48 | $ = "/tmp/.javaxxx" 49 | $ = "uckmydi" 50 | 51 | condition: 52 | 3 of them 53 | } 54 | -------------------------------------------------------------------------------- /mumblehard/mumblehard_packer.yar: -------------------------------------------------------------------------------- 1 | // Mumblehard packer yara rule 2 | // https://github.com/eset/malware-ioc/ 3 | // 4 | // These yara rules are provided to the community under the two-clause BSD 5 | // license as follows: 6 | // 7 | // Copyright (c) 2015, ESET 8 | // All rights reserved. 
9 | // 10 | // Redistribution and use in source and binary forms, with or without 11 | // modification, are permitted provided that the following conditions are met: 12 | // 13 | // 1. Redistributions of source code must retain the above copyright notice, this 14 | // list of conditions and the following disclaimer. 15 | // 16 | // 2. Redistributions in binary form must reproduce the above copyright notice, 17 | // this list of conditions and the following disclaimer in the documentation 18 | // and/or other materials provided with the distribution. 19 | // 20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | // 31 | 32 | rule mumblehard_packer 33 | { 34 | meta: 35 | description = "Mumblehard i386 assembly code responsible for decrypting Perl code" 36 | author = "Marc-Etienne M.Léveillé" 37 | date = "2015-04-07" 38 | reference = "http://www.welivesecurity.com" 39 | version = "1" 40 | 41 | strings: 42 | $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7) 43 | 39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 
00 00 44 | 00 31 db 43 ac 30 d8 aa 43 e2 e2 } 45 | condition: 46 | $decrypt 47 | } -------------------------------------------------------------------------------- /sshdoor/crait_report.ksy: -------------------------------------------------------------------------------- 1 | # This Kaitai Struct is provided to the community under the two-clause BSD 2 | # license as follows: 3 | # 4 | # Copyright (c) 2018, ESET 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # 1. Redistributions of source code must retain the above copyright notice, this 11 | # list of conditions and the following disclaimer. 12 | # 13 | # 2. Redistributions in binary form must reproduce the above copyright notice, 14 | # this list of conditions and the following disclaimer in the documentation 15 | # and/or other materials provided with the distribution. 16 | # 17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 21 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
27 | # 28 | 29 | meta: 30 | id: crait_report 31 | title: Crait OpenSSH backdoor username and password report format 32 | license: BSD 2-Clause 33 | endian: le 34 | doc-ref: 'https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf' 35 | seq: 36 | - id: return_of_rand 37 | type: u4 38 | - id: log_type 39 | type: u1 40 | - id: successful_authentication 41 | type: u1 42 | - id: authentication_method 43 | type: u1 44 | - id: password 45 | type: data_t 46 | - id: username 47 | type: data_t 48 | - id: ip_address 49 | type: data_t 50 | - id: port 51 | type: u2 52 | - id: return_of_time 53 | type: u4 54 | 55 | types: 56 | data_t: 57 | seq: 58 | - id: data_len 59 | type: u2 60 | - id: data 61 | type: str 62 | size: data_len 63 | encoding: ASCII -------------------------------------------------------------------------------- /grandoreiro/README.adoc: -------------------------------------------------------------------------------- 1 | = Grandoreiro Indicators of Compromise 2 | 3 | The blog post about Grandoreiro "Grandoreiro: How engorged can an EXE get?" is available on WeLiveSecurity at 4 | https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/. 
5 | 6 | == Hashes 7 | 8 | === Grandoreiro banking trojan 9 | 10 | [options="header"] 11 | |==== 12 | | SHA-1 | Description | ESET detection name 13 | | `40FBC932BD45FEB3D2409B3A4C7029DDDE881389` | Old version of Grandoreiro (2017) | Win32/Spy.Grandoreiro.A 14 | | `7905DB9BBE2CB29519A5371B175551C6612255EF` | Grandoreiro | Win32/Spy.Grandoreiro.AE 15 | | `BD88A809B05168D6EFDBA4DC149653B0E1E1E448` | Grandoreiro | Win32/Spy.Grandoreiro.AJ 16 | |==== 17 | 18 | === Grandoreiro Win32 downloaders 19 | 20 | [options="header"] 21 | |==== 22 | | SHA-1 | Description | ESET detection name 23 | | `7C2ED8B4AA65BEFCC229A36CE50539E9D6A70EE3` | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJR 24 | | `27A434D2EF4D1D021F283BCB93C6C7E50ACB8EA6` | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YLZ 25 | | `28D58402393B6BCA73FF0EAC319226233181EDC9` | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJB 26 | | `42892DF64F00F4C091E1C02F74C2BB8BAD131FC5` | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YMI 27 | |==== 28 | 29 | === Grandoreiro spam tool 30 | 31 | [options="header"] 32 | |==== 33 | | SHA-1 | Description | ESET detection name 34 | | `BCED5D138ACEADA1EF11BFD22C2D6359CDA183DB` | Grandoreiro spam tool | Win32/Spy.Grandoreiro.AD 35 | |==== 36 | 37 | == Windows Registry 38 | 39 | - `HKCU\Software\%USER_NAME%` 40 | - `HKCU\Software\ToolTech-RM` 41 | 42 | == User-Agent 43 | 44 | - `h55u4u4u5uii5` 45 | 46 | == Filenames 47 | 48 | - `%INSTALL_DIR%\` * 49 | ** `MDL_YEL_01.dll` 50 | ** `MDL_BLU_BR_02.dll` 51 | ** `MDL_SIC_BR_03.dll` 52 | ** `MDL_SANT_BR_04.dll` 53 | ** `MDL_ITA_BR_05.dll` 54 | ** `MDL_BRADA_BR_06.dll` 55 | ** `MDL_SICCB_BR_07.dll` 56 | ** `MDL_SAFRA_BR_08.dll` 57 | ** `MDL_ORIGI_BR_09.dll` 58 | ** `MDL_NORDES_BR_10.dll` 59 | ** `MDL_BANEST_BR_11.dll` 60 | ** `MDL_BANEZE_BR_12.dll` 61 | ** `MDL_AMAZON_BR_13.dll` 62 | ** `MDL_UNICRE_BR_14.dll` 63 | ** `MDL_BRB_BR_15.dll` 64 | ** `MDL_WUPDATE_BR_001.dll` 65 | ** `%INSTALL_DIR%` is the path 
where Grandoreiro is installed 66 | -------------------------------------------------------------------------------- /glupteba/README.adoc: -------------------------------------------------------------------------------- 1 | = Glupteba.AY Indicators of Compromise (IoCs) 2 | 3 | These IoCs are related to this https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/[Glupteba blogpost]. 4 | 5 | These IoCs are also available in MISP event format: 6 | link:glupteba.misp-event.json[`glupteba.misp-event.json`] 7 | 8 | == File hashes 9 | 10 | .File hashes 11 | [options="header"] 12 | |================================================================================== 13 | |SHA-1 |Filename |Detection name 14 | |`B623F4A6CD5947CA0016D3E33A07EB72E8C176BA`|cloudnet.exe|Win32/Glupteba.AY 15 | |`ED310E5B9F582B4C6389F7AB9EED17D89497F277`|cloudnet.exe|Win32/Glupteba.AY 16 | |`F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D`|setup.exe |MSIL/Adware.CsdiMonetize.AG 17 | |`70F2763772FD1A1A54ED9EA88A2BCFDB184BCB91`|cloudnet.exe|Win32/Glupteba.AY 18 | |`87AD7E248DADC2FBE00D8441E58E64591D9E3CBE`|cloudnet.exe|Win32/Glupteba.AY 19 | |`1645AD8468A2FB54763C0EBEB766DFD8C643F3DB`|csrss.exe |Win32/Agent.SVE 20 | |================================================================================== 21 | 22 | == Glupteba's C&C servers domains 23 | 24 | ---- 25 | server-{1,30}[.]ostdownload.xyz 26 | server-{1,30}[.]travelsreview.world 27 | server-{1,30}[.]bigdesign.website 28 | server-{1,30}[.]sportpics.xyz 29 | server-{1,30}[.]kinosport.top 30 | server-{1,30}[.]0ev.ru 31 | server-{1,30}[.]0df.ru 32 | server-{1,30}[.]0d2.ru 33 | server-{1,30}[.]0d9.ru 34 | ---- 35 | 36 | == Glupteba's C&C servers IP addresses 37 | 38 | ---- 39 | 5[.]101.6.132 40 | 5[.]79.87.139 41 | 5[.]79.87.153 42 | 5[.]8.10.194 43 | 37[.]48.81.151 44 | 46[.]165.244.129 45 | 46[.]165.249.167 46 | 46[.]165.249.195 47 | 46[.]165.249.201 48 | 46[.]165.249.203 49 | 46[.]165.250.25 50 | 78[.]31.67.205 51 | 78[.]31.67.206 52 | 
80[.]93.90.27 53 | 80[.]93.90.32 54 | 80[.]93.90.69 55 | 80[.]93.90.72 56 | 80[.]93.90.78 57 | 80[.]93.90.84 58 | 81[.]30.152.25 59 | 85[.]114.135.113 60 | 85[.]114.141.81 61 | 89[.]163.206.137 62 | 89[.]163.206.174 63 | 89[.]163.212.9 64 | 91[.]121.65.98 65 | 91[.]216.93.126 66 | 91[.]216.93.20 67 | 109[.]238.10.78 68 | 178[.]162.193.193 69 | 178[.]162.193.195 70 | 178[.]162.193.66 71 | 178[.]162.193.86 72 | 193[.]111.140.238 73 | 193[.]111.141.213 74 | 212[.]92.100.114 75 | 212[.]92.100.115 76 | 213[.]202.254.161 77 | 213[.]5.70.9 78 | 217[.]79.189.227 79 | ---- 80 | 81 | == Agent.SVE C&C servers 82 | 83 | ---- 84 | financialtimesguru[.]com 85 | burnandfire5[.]com 86 | ---- 87 | -------------------------------------------------------------------------------- /telebots/samples.sha256: -------------------------------------------------------------------------------- 1 | dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c 2 | 50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26 3 | 601aa77c83dc68d22ce2f888f36ebfb5de6ef3c2ef3a6b7a245076c1d06f0f2e 4 | 168b1b535d6cb7f0accbdbb9f68e5cf405169b5303e95ae63151c810d02b262d 5 | 904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c 6 | 34bf49015137cbf58aa7f9643bf0476d28e1e0ffdec265103beacec30b54c57f 7 | 629cd368514fa4fbe76449568a740d58d205bfabc3d2bf45644d62d2268278d5 8 | 83527cb8d228fcab3314f9631979c6752239ca45c6ea858cc8d974615a71c5cb 9 | b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec 10 | eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2 11 | e168518786fe712f67078450a15cea3a1acb8d1dc2170d8238b2e967cbbdd445 12 | 2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2 13 | 3f300a8ca12a8f53fb184d2f60fe7accbb0b9b4449c45d47920030f3557a2362 14 | 4a56ae77eee172a5290dd228b701cb7ce7c7aa5d5af3cd608e44223f01a4ae5b 15 | 5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118 16 | 97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e 17 | 
f128b2df388c273e22e859a2308a546728aaded67b4999f780df03724b94f01a 18 | c7014820eb40013140c272c33c4adfec6118d110045d88b9cba2e33693cf0c76 19 | e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e 20 | ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da 21 | 52eeeeabe6c09330a74f0a1a45f29d52204f57d136de7e750640d69e7e797fb1 22 | 1fb8c4ceb17cfc5337f385eb7018c589cafda804743d7bc442b97bef47371e90 23 | a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8 24 | 26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e 25 | 74bd1b4ea2f872ccf28eff2e549072130b9762ba3d0dfc8d0885f194b56cdf07 26 | 32c8aa794564dfef1adebaf8ac08c7ffb03c6536c4cae342b24e8afcb0094d1e 27 | eac4807d6269dc527a582896b42d0c6041b47259318603e46c329c22aef0a98f 28 | a2deaa862f82591f530358bb73d61bf862d27029de483004b6d74b0bdd5d4c30 29 | f2bb1431c1e2acfc8564c4abea6dd5ce1a44ad8c4dea97c5fdda0e9e54b3eb0e 30 | 8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d 31 | 365aa5fdd72b5a6a4d9302b2b30c2140794772a43d9028790bccddba13612426 32 | 1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb 33 | 05177f4ea9add2bd78bf3a2011eb7232f1c2ece4570a53ef00c0795cde2a63dc 34 | 829a4ddfaf65ee59481dccbd007766d498e6949014d93bbee12ae9fe035c55ca 35 | a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857 36 | fbd3a946af02622ee0199e6dd11b7e9a0b8485d32ca2d7ec22e4472c153101a4 37 | -------------------------------------------------------------------------------- /sednit/lojax.adoc: -------------------------------------------------------------------------------- 1 | == LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group 2 | 3 | === ReWriter_read.exe 4 | 5 | *ESET detection name* 6 | 7 | - Win32/SPIFlash.A 8 | 9 | *SHA-1* 10 | 11 | - `ea728abe26bac161e110970051e1561fd51db93b` 12 | 13 | === ReWriter_binary.exe 14 | 15 | *ESET detection name* 16 | 17 | - Win32/SPIFlash.A 18 | 19 | *SHA-1* 20 | 21 | - `cc217342373967d1916cb20eca5ccb29caaf7c1b` 22 | 23 | 
=== SecDxe 24 | 25 | *ESET detection name* 26 | 27 | - EFI/LoJax.A 28 | 29 | *SHA-1* 30 | 31 | - `f2be778971ad9df2082a266bd04ab657bd287413` 32 | 33 | === info_efi.exe 34 | 35 | *ESET detection name* 36 | 37 | - Win32/Agent.ZXZ 38 | 39 | *SHA-1* 40 | 41 | - `4b9e71615b37aea1eaeb5b1cfa0eee048118ff72` 42 | 43 | === autoche.exe 44 | 45 | *ESET detection name* 46 | 47 | - Win32/LoJax.A 48 | 49 | *SHA-1* 50 | 51 | - `700d7e763f59e706b4f05c69911319690f85432e` 52 | 53 | === Small agent EXE 54 | 55 | *ESET detection names* 56 | 57 | - Win32/Agent.ZQE 58 | - Win32/Agent.ZTU 59 | 60 | *SHA-1* 61 | 62 | - `1771e435ba25f9cdfa77168899490d87681f2029` 63 | - `ddaa06a4021baf980a08caea899f2904609410b9` 64 | - `10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0` 65 | - `2529f6eda28d54490119d2123d22da56783c704f` 66 | - `e923ac79046ffa06f67d3f4c567e84a82dd7ff1b` 67 | - `8e138eecea8e9937a83bffe100d842d6381b6bb1` 68 | - `ef860dca7d7c928b68c4218007fb9069c6e654e9` 69 | - `e8f07caafb23eff83020406c21645d8ed0005ca6` 70 | - `09d2e2c26247a4a908952fee36b56b360561984f` 71 | - `f90ccf57e75923812c2c1da9f56166b36d1482be` 72 | 73 | *C&C server domain names* 74 | 75 | - `secao.org` 76 | - `ikmtrust.com` 77 | - `sysanalyticweb.com` 78 | - `lxwo.org` 79 | - `jflynci.com` 80 | - `remotepx.net` 81 | - `rdsnets.com` 82 | - `rpcnetconnect.com` 83 | - `webstp.com` 84 | - `elaxo.org` 85 | 86 | *C&C server IP addresses* 87 | 88 | - `185.77.129.106` 89 | - `185.144.82.239` 90 | - `93.113.131.103` 91 | - `185.86.149.54` 92 | - `185.86.151.104` 93 | - `103.41.177.43` 94 | - `185.86.148.184` 95 | - `185.94.191.65` 96 | - `86.106.131.54` 97 | 98 | === Small agent DLL 99 | 100 | In this section, we list only the DLL for which we never obtained the corresponding EXE 101 | 102 | *ESET detection name* 103 | 104 | - Win32/Agent.ZQE 105 | 106 | *SHA-1* 107 | 108 | - `397d97e278110a48bd2cb11bb5632b99a9100dbd` 109 | 110 | *C&C server domain names* 111 | 112 | - `elaxo.org` 113 | 114 | *C&C server IP addresses* 115 | 116 | - 
`86.106.131.54` 117 | -------------------------------------------------------------------------------- /guildma/README.adoc: -------------------------------------------------------------------------------- 1 | = Guildma Indicators of Compromise 2 | 3 | The blog post about Guildma "Guildma: The Devil drives electric" is available on WeLiveSecurity at 4 | https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/. 5 | 6 | == Hashes 7 | 8 | [options="header"] 9 | |=== 10 | | SHA-1 | Description | ESET detection name 11 | | `45c58bc40768dce6a6c611e08fd34c62441aa776` | Main module loader 1 | Win32/Spy.Guildma.BM 12 | | `861f20b0dcc55f94b4c43e4a7e77f042c21506cf` | Main module injector | Win32/Spy.Guildma.BJ 13 | | `37fd19b1ab1dcc25e07bc96d4c02d81cf4edb8a1` | Main module loader 2 | Win32/Spy.Guildma.Q 14 | | `a7b10b8de2b0ef898cff31fa2d9d5cbaae2e9d0d` | Main module | Win32/Spy.Guildma.BS 15 | | `4f65736a9d6b94b376c58b3cdcb49bbd295cd8cc` | Contacts stealer and form grabber | Win32/Spy.Guildma.D 16 | | `6c9304c5862d4e0de1c86d7ae3764f5e8358daff` | RAT module (DLL) | Win32/Spy.Guildma.BR 17 | | `89fbffe456de850f7abf4f97d3b9da4bad6afb57` | RAT module (EXE) | Win32/Spy.Guildma.BR 18 | | `af0d495ecc3622b14a40ddcd8005873c5ddc3a2d` | MailPassView | Win32/PSWTool.MailPassView.E 19 | | `92bcf54079cbba04f584eac4486473c3abdd88cd` | WebBrowserPassView | Win32/PSWTool.WebBrowserPassView.E 20 | | `a2048f435f076988bf094274192a196216d75a5f` | JScript dropper module | Win32/Spy.Guildma.BP 21 | |=== 22 | 23 | == Filenames 24 | 25 | - `C:\Users\Public\Libraries\qlanl\*` 26 | 27 | == Startup link 28 | 29 | - Location 30 | ** `%APPDATA%\Microsoft\Programs\StartUp\reiast%USERNAME%%COMPUTERNAME%.lnk` 31 | - Targets 32 | ** `C:\Program Files (x86)\Internet Explorer\ExtExport.exe` 33 | ** `C:\Program Files\Internet Explorer\ExtExport.exe` 34 | - Args 35 | ** ` ` 36 | ** (where `` is a random 5 to 9 character long string generated from the alphabet `qwertyuiop1lgfdsas2dfghj3zcvbnmm`) 37 
| 38 | == C&C servers 39 | 40 | - `++https://www.zvatrswtsrw[.]ml++` 41 | - `++https://xskcjzamlkxwo[.]gq++` 42 | - `++https://www.vhguyeu[.]ml++` 43 | - `++https://www.carnataldez[.]ml++` 44 | - `++https://www.movbmog[.]ga++` 45 | - `++https://iuiuytrytrewrqw[.]gq++` 46 | - `++https://www.gucinowertr[.]tk++` 47 | - `++https://equilibrios[.]ga++` 48 | - `++https://www.clooinfor[.]cf++` 49 | - `++https://ambirsr[.]tk++` 50 | - `++https://dbuhcbudyu[.]tk++` 51 | - `++https://nvfjvtntt[.]cf++` 52 | - `++http://whia7g.acquafufheirybveru[.]online++` 53 | -------------------------------------------------------------------------------- /windigo/windigo-onimiki.rules: -------------------------------------------------------------------------------- 1 | # Operation Windigo snort rules 2 | # For feedback or questions contact us at: windigo@eset.sk 3 | # https://github.com/eset/malware-ioc/ 4 | # 5 | # These snort rules are provided to the community under the two-clause BSD 6 | # license as follows: 7 | # 8 | # Copyright (c) 2014, ESET 9 | # All rights reserved. 10 | # 11 | # Redistribution and use in source and binary forms, with or without 12 | # modification, are permitted provided that the following conditions are met: 13 | # 14 | # 1. Redistributions of source code must retain the above copyright notice, this 15 | # list of conditions and the following disclaimer. 16 | # 17 | # 2. Redistributions in binary form must reproduce the above copyright notice, 18 | # this list of conditions and the following disclaimer in the documentation 19 | # and/or other materials provided with the distribution. 20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | # 32 | alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:2;) 33 | alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:1;) 34 | -------------------------------------------------------------------------------- /potao/potao-et.rules: -------------------------------------------------------------------------------- 1 | #************************************************************* 2 | # Copyright (c) 2003-2015, Emerging Threats 3 | # All rights reserved. 
4 | # 5 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 6 | # following conditions are met: 7 | # 8 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 9 | # disclaimer. 10 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 11 | # following disclaimer in the documentation and/or other materials provided with the distribution. 12 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 13 | # from this software without specific prior written permission. 14 | # 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 16 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 19 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 20 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 21 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
22 | # 23 | #************************************************************* 24 | # 25 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potao CnC"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|application/xml"; content:""; depth:21; http_client_body; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; http_client_body; fast_pattern; classtype:trojan-activity; sid:2021554; rev:1;) 26 | 27 | # 28 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potao CnC POST Response"; flow:to_client,established; content:"Server|3a 20|nginx"; http_header; file_data; content:""; depth:21; content:""; distance:1; content:"|0a|"; distance:1; content:""; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:trojan-activity; sid:2021555; rev:1;) 29 | 30 | -------------------------------------------------------------------------------- /oceanlotus/samples.sha256: -------------------------------------------------------------------------------- 1 | 06dec0082eac094dc0b4b3de8854f190f1d3112dada0d414d9a085a0ee309199 2 | e7f997778ca54b87eb4109d6d4bd5a905e8261ad410a088daec7f3f695bb8189 3 | c2728fd832f0f7bc3a2747814e3c4eee313235dc2abb93e2f85436017ee41a88 4 | 310bac13316b93f571fa4f8b7230a0fc4324a61f8c49bafc036f778a2b6e5b5a 5 | 1eda0de280713470878c399d3fb6c331ba0fadd0bd9802ed98ae06218a17f3f7 6 | 4ce7c9e9ca6f785921921de4d0b75c5436cd0d760ac71ddb30b8c5a610ae34dd 7 | 8f00c2dab8cc32e0052b7779de0bdc8faa385e890415555e86efdfc3b01cc504 8 | 3019f9c7763644bc0159ce433199b2b12f04843c3c8e231557c4f732317f4223 9 | 5e3367ce792c88147cdcff2c121b7ba33dbe2627c8368d0471a253e14844ab18 10 | a17d4568ad5f745d36fc17846d3e0edf63d4e3c9fccb9861579e957f7a560217 11 | 717ecef2b4a3994f61070c714360ecb2b4c1d41de63e25d8fb761d7ee37049a5 12 | 58e294513641374ff0b42b7c652d3b4a471e8bde8664a79311e4244be0546df4 13 | 
0abe0a3b1fd81272417471e7e5cc489b234a9f84909b019d5f63af702b4058c5 14 | eac9e4dd6839353a0c43ae29b6c93e3bf45a06cb3d6d4c0e4f5934023c4b91e5 15 | cb8c176a29003a0474837a6c6dbb871b9f20a520a9232c4705fbd5a87ead1380 16 | 701c27cff93c926d82cba2de130e7af629887c057fe2fcbb9b7210297b5a0979 17 | 1f9766a086cf4a3a692b2a15c0cfe204b7021a2b352306f565de48da166d65a1 18 | 12077994b2fbd04b689385a04e63b9763394213ea7ad3ee847c9c3dcf7877875 19 | bdb83301a470d202480274df161638f83f8f26e7dda131a11b89a5a3d8259c73 20 | 788f3b24c30e4502d9401e343c2ab3f4a04046aeeaaaca523df51113ee0bf565 21 | 0636ec8d69e14391321ed45ca1d5f868febd13c5cf5d71e7accbd098c6fe13b0 22 | 78a1f6d9b91334e5435a45b4362f508ae27d7ad784b96621d825c2e966d04064 23 | e5c766ad580b5bc5f74acc8d2f5dd028c11495d2ce503de7c7a294f94583849d 24 | 4f81c90ab2f63784ec7d205ada8c1eb200cf741cd7815a2b1b65a3e6bbaa26da 25 | 073bdff73d61350b64d10c46cdf678f097aaa236d2a0182f2dc2c3d073d60259 26 | d7549b1ddd668c5706b680654b2c39b6e401c55ecf25d0c4b1bff6468426e7ed 27 | 8b824be52de7a8723124bad5a45664c574d6e905f300c35719f1e6988887bd62 28 | 4ab2df974e5e563f611d7267916a00c18f819f5b8770ffcfadc5e1959047fb8e 29 | e9ae768262d227e89b36f2a5cef74bb832d7de3d28ccffc000e7bbd5137fe5f4 30 | 8b3fac153610cedbbc22221618c9a58997e5293458739b4854136ac56c7bffc2 31 | b97f534c9c66b0141548cb541775462f27bb4be65b860af40e47e05bdfbe6b46 32 | aaf3d294e9103cdbf33fe5ab1e28a7bffa181b5d9faa690c98816535e50dc8c3 33 | 0d1577802d4560b9ba184a2d13570ba28ed0318eee520f2f7a6c5ef238671dd9 34 | f22dfd57bca864a84dfd0c76dfb46ab0fcaafe1cc411d9b5ee28b254061e53de 35 | d2b2f9c22b3d46b5d3653c1e774c81090b240537d779301a411dc048012ad250 36 | 4fec545d27684756f2ae21b2a9bca62df72c9ad7c37c4645aa50c6a262793678 37 | e94781e3da02c7f1426fd23cbd0a375cceac8766fe79c8bc4d4458d6fe64697c 38 | 22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6 39 | ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d 40 | -------------------------------------------------------------------------------- /turla/carbon_tool.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | # Copyright (c) 2017, ESET 4 | # All rights reserved. 5 | # 6 | # Redistribution and use in source and binary forms, with or without 7 | # modification, are permitted provided that the following conditions are met: 8 | # 9 | # 1. Redistributions of source code must retain the above copyright notice, this 10 | # list of conditions and the following disclaimer. 11 | # 12 | # 2. Redistributions in binary form must reproduce the above copyright notice, 13 | # this list of conditions and the following disclaimer in the documentation 14 | # and/or other materials provided with the distribution. 15 | # 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
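from Crypto.Cipher import CAST
import sys
import argparse


def _zero_pad(data, block_size=8):
    """Return ``data`` right-padded with NUL bytes to a multiple of ``block_size``.

    The cipher below is driven in 8-byte blocks, so both plaintext and
    ciphertext are padded the way the original tool did it: a whole number of
    blocks, no padding marker (the padding is therefore not stripped on
    decryption).  Already-aligned data is returned unchanged.

    :param data: bytes to pad (may be empty).
    :param block_size: alignment in bytes; 8 for CAST.
    :return: padded bytes.
    """
    remainder = len(data) % block_size
    if remainder == 0:
        return data
    return data + b"\x00" * (block_size - remainder)


def _transform_file(src_path, dst_path, transform):
    """Read ``src_path``, apply ``transform`` to its zero-padded content and
    write the result to ``dst_path``.

    Files are opened with ``with`` so the handles are released even when the
    cipher or the write raises (the original left them to the garbage
    collector).  ``dst_path`` is overwritten if it already exists.

    :param src_path: input file, read as bytes.
    :param dst_path: output file, written as bytes.
    :param transform: callable bytes -> bytes (``cipher.encrypt`` / ``cipher.decrypt``).
    :raises IOError/OSError: when either file cannot be opened.
    """
    with open(src_path, "rb") as src:
        content = src.read()
    result = transform(_zero_pad(content))
    with open(dst_path, "wb") as dst:
        dst.write(result)


def main():
    """Encrypt or decrypt one Carbon file with the static CAST key/IV.

    Exactly one of ``-e/--encrypt FILE`` or ``-d/--decrypt FILE`` must be
    given; the output is written next to the input with an ``_encrypted`` or
    ``_decrypted`` suffix.  Prints the usage text and returns 0 when the
    arguments do not select exactly one operation; returns 0 on success.
    """
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-e", "--encrypt", help="encrypt carbon file", required=False)
    parser.add_argument("-d", "--decrypt", help="decrypt carbon file", required=False)
    args = parser.parse_args()

    # Exactly one operation must be selected.  This replaces the original
    # ``len(sys.argv) != 3`` check, which rejected the valid ``--encrypt=FILE``
    # spelling and only accidentally rejected ``-e A -d B``.
    if bool(args.encrypt) == bool(args.decrypt):
        parser.print_help()
        return 0

    # Static 128-bit key and 64-bit IV applied to every file; these are the
    # values the original tool embedded, nothing is derived per file.
    # Bytes literals keep the script working on both Python 2 and 3.
    key = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
    iv = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0"

    # OFB mode: the same keystream is produced for encrypt and decrypt, so a
    # fresh cipher object is needed per file (it keeps internal state).
    cipher = CAST.new(key, CAST.MODE_OFB, iv)

    if args.encrypt:
        _transform_file(args.encrypt, args.encrypt + "_encrypted", cipher.encrypt)
    else:
        _transform_file(args.decrypt, args.decrypt + "_decrypted", cipher.decrypt)
    return 0


if __name__ == "__main__":
    sys.exit(main())
-------------------------------------------------------------------------------- /windigo/windigo-ebury.rules: -------------------------------------------------------------------------------- 1 | # Operation Windigo snort rules 2 | # For feedback or questions contact us at: windigo@eset.sk 3 | # https://github.com/eset/malware-ioc/ 4 | # 5 | # These snort rules are provided to the community under the two-clause BSD 6 | # license as follows: 7 | # 8 | # Copyright (c) 2014, ESET 9 | # All rights reserved. 10 | # 11 | # Redistribution and use in source and binary forms, with or without 12 | # modification, are permitted provided that the following conditions are met: 13 | # 14 | # 1.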
Redistributions of source code must retain the above copyright notice, this 15 | # list of conditions and the following disclaimer. 16 | # 17 | # 2. Redistributions in binary form must reproduce the above copyright notice, 18 | # this list of conditions and the following disclaimer in the documentation 19 | # and/or other materials provided with the distribution. 20 | # 21 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
# Linux/Ebury: SSH client banner check.
# Fires on established client->server traffic to $SSH_PORTS whose payload
# starts with the version string "SSH-2.0-" (first 8 bytes) immediately
# followed by at least 22 bytes that match 22-46 lowercase hex characters.
# $SSH_PORTS is a variable and must be defined in the Snort configuration.
# A benign client whose software string happens to take that shape would
# match as well, so confirm hits against the referenced report before acting.
alert tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Linux/Ebury SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:3;)
# The following Snort rule for detecting Linux/Ebury infected machines
# sending harvested credentials to a dropzone server has been provided by
# CERT-Bund
# Matches an outbound UDP/53 datagram whose first six bytes are the fixed
# DNS header values 12 0b (transaction ID -- resolvers normally randomise
# this, so the constant is a strong signal), 01 00 (flags) and 00 01 (one
# question).  The pcre, applied to the raw payload ("B", dotall "s"), then
# requires six zero bytes (no answer/authority/additional counts), a label
# of at least six hex characters, then either four labels of 1-3 decimal
# digits or the label "::1", followed by the name terminator and QTYPE 1 (A).
# NOTE(review): inside a character class "|" is a literal, so
# [\x01|\x02|\x03] also accepts byte 0x7c as a label length; this does not
# weaken detection, but [\x01-\x03] was presumably the intent.
# sid:1000002 is in the local-rule range (>= 1000000); renumber it if it
# collides with other locally managed rules.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Linux/Ebury SSH backdoor data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc; reference:url,https://www.cert-bund.de/ebury-faq; classtype:trojan-activity; sid:1000002; rev:1;)
-------------------------------------------------------------------------------- /deprimon/README.adoc: -------------------------------------------------------------------------------- 1 | = DePriMon -- Indicators of Compromise 2 | 3 | For a description of DePriMon, please see the article on 4 | https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/[WeLiveSecurity].
5 | 6 | == ESET detection names 7 | - Win32/DePriMon 8 | - Win64/DePriMon 9 | 10 | == Host based indicators 11 | === SHA-1 hashes 12 | ---- 13 | 02B38F6E8B54885FA967851A5580F61C14A0AAB6 14 | 03E047DD4CECB16F513C44599BF9B8BA82D0B7CB 15 | 0996C280AB704E95C9043C5A250CCE077DF9C8B2 16 | 15EBE328A501B1D603E66762FBB4583D73E109F7 17 | 1911F6E8B05E38A3C994048C759C5EA2B95CE5F7 18 | 2B30BE3F39DEF1F404264D8858B89769E6C032D9 19 | 2D80B235CDF41E09D055DD1B01FD690E13BE0AC7 20 | 6DB79671A3F31F7A9BB870151792A56276619DC1 21 | 6FAB7AA0479D41700981983A39F962F28CCFBE29 22 | 7D0B08654B47329AD6AE44B8FF158105EA736BC3 23 | 7E8A7273C5A0D49DFE6DA04FEF963E30D5258814 24 | 8B4F3A06BA41F859E4CC394985BB788D5F76C85C 25 | 94C0BE25077D9A76F14A63CBF7A774A96E8006B8 26 | 968B52550062848A717027C512AFEDED19254F58 27 | 9C4BADE47865E8111DD3EEE6C5C4BC83F2489F5B 28 | AA59CB6715CFFF545579861E5E77308F6CAEAC36 29 | C2388C2B2ED6063EACBA8A4021CE32EB0929FAD2 30 | CA34050771678C65040065822729F44B35C87B0C 31 | D38045B42C7E87C199993AB929AD92ADE4F82398 32 | E272FDA0E9BA1A1B8EF444FF5F2E8EE419746384 33 | E2D39E290201010F49652EE6116FD9B35C9AD882 34 | F413EEE3CFD85A60D7AFC4D4ECC4445BB1F0B8BC 35 | ---- 36 | 37 | === DePriMon filenames 38 | ---- 39 | dpnvmrs.dll 40 | hp3mlnv.dll 41 | hp4mlnv.dll 42 | hp5nhd.dll 43 | hp6nhd.dll 44 | hpjdnb64.dll 45 | hpmdnel3b.dll 46 | ifssvc.dll 47 | ifssvcmgr.dll 48 | msprtmon64.dll 49 | msptromn.dll 50 | plamgr.dll 51 | ppcrlchk.dll 52 | ppcrlupd.dll 53 | prntapt.dll 54 | prntqdl64.dll 55 | pscript6f.dll 56 | pscript6s.dll 57 | shprn64.dll 58 | stprn32.dll 59 | winmnprt.dll 60 | ---- 61 | 62 | === Registry keys and values 63 | ---- 64 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor] 65 | "Driver" 66 | ---- 67 | 68 | == Cryptographic keys 69 | === AES keys 70 | 71 | .Key 1 72 | ---- 73 | C097CF17DC3303BC8155534350464E50176ACA63842B0973831D8C6C8F136817 74 | ---- 75 | 76 | .Key 2 77 | ---- 78 | 
8D35913F80A23E820C23B3125ABF57901BC9A7B83283FB2B240193ABDEDE52B9 79 | ---- 80 | 81 | == Network indicators 82 | === DePriMon's C&C servers 83 | 84 | [options="header"] 85 | |===== 86 | | Domain | IP address 87 | | `img.dealscienters.net` | `138.59.32.72` 88 | | `teknikgorus.com` | `88.119.179.17` 89 | | `wnupdnew.com` | `190.0.226.147` 90 | | `babmaftuh.com` | `185.56.89.196` 91 | | `alwatantrade.com` | `188.241.60.109` 92 | | `shayalyawm.com` | `5.226.168.124` 93 | | `elehenishing.com` | `185.225.17.77` 94 | | `almawaddrial.com` | `46.151.212.202` 95 | | `mdeastserv.com` | `46.151.212.201` 96 | |===== 97 | -------------------------------------------------------------------------------- /gamarue/README.adoc: -------------------------------------------------------------------------------- 1 | = Gamarue (Andromeda) Indicators of Compromise 2 | 3 | == ESET Detection names 4 | 5 | Gamarue is detected as 6 | 7 | * Win32/TrojanDownloader.Wauchos 8 | 9 | USB spreader plugin is detected as 10 | 11 | * Win32/Bundpil.CS 12 | 13 | == DGA algorithm 14 | 15 | === First version 16 | 17 | Both the downloader and the USB spreader use the exact same DGA. The only 18 | difference are the seeds that they use. 
Here is pseudo-code of the DGA used: 19 | 20 | [source, c] 21 | ---- 22 | generate domain: 23 | seed = dgaSeed(systemTime); 24 | for(i = 0; i < random(&seed) % 4 + 8; ++i){ 25 | int c = random(&seed) % 75 + '0'; 26 | if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z')) 27 | domain += c; 28 | else 29 | --i; 30 | } 31 | return domain + ".ru"; 32 | ---- 33 | 34 | The following shows first how the USB spreader gets its seed while the second 35 | shows the downloader seed generation: 36 | 37 | [source, c] 38 | ---- 39 | dgaSeed: 40 | a = (14 - systemTime->wMonth) / 12; 41 | y = systemTime->wYear + 4800 - a; 42 | m = systemTime->wMonth + 12 * a - 3; 43 | JD = systemTime->wDay + (153 * m + 2) / 5 + y * 365 + y / 4 - y / 100 + y / 400 - 32045; 44 | d = (JD + 31741 - (JD % 7)) % 146097 % 36524 % 1461; 45 | seed = (((d - d / 1460) % 365) + d / 1460) / 7 + 1; 46 | ---- 47 | 48 | [source, c] 49 | ---- 50 | dgaSeed: 51 | a = (14 - systemTime->wMonth) / 12; 52 | y = systemTime->wYear + 4800 - a; 53 | m = systemTime->wMonth + 12 * a - 3; 54 | JD = systemTime->wDay + (153 * m + 2) / 5 + y * 365 + y / 4 - y / 100 + y / 400 - 32045; 55 | d = (JD + 31741 - (JD % 7)) % 146097 % 36524 % 1461; 56 | seed = systemTime->wYear + (((d - d / 1460) % 365) + d / 1460) / 7 + 1; 57 | ---- 58 | 59 | === Second version 60 | 61 | The newest version we know of the downloader changed the seed generation of its 62 | DGA slightly by adding the square of the year instead of just the year: 63 | 64 | [source, c] 65 | ---- 66 | dgaSeed: 67 | a = (14 - systemTime->wMonth) / 12; 68 | y = systemTime->wYear + 4800 - a; 69 | m = systemTime->wMonth + 12 * a - 3; 70 | JD = systemTime->wDay + (153 * m + 2) / 5 + y * 365 + y / 4 - y / 100 + y / 400 - 32045; 71 | d = (JD + 31741 - (JD % 7)) % 146097 % 36524 % 1461; 72 | seed = (systemTime->wYear * systemTime->wYear) + (((d - d / 1460) % 365) + d / 1460) / 7 + 1; 73 | ---- 74 | 75 | == Hashes 76 | 77 | [options="header"] 78 | |=== 79 | |SHA-1|ESET Detection Name 80 | 
|`CC9AC16847427CC15909A60B130CB7E67D2D3804`|Win32/TrojanDownloader.Wauchos.B 81 | |`BCD45398983EB58B33294DFE852B57B1ADD5117E`|Win32/TrojanDownloader.Wauchos.AK 82 | |`6FA5E48AD60B53761A42725A4B9EC12B85963F90`|Win32/TrojanDownloader.Small.AHI 83 | |`6D5051580DA73570944BBE79A9EA7F2E4D006699`|Win32/TrojanDownloader.Wauchos.O 84 | |=== 85 | 86 | -------------------------------------------------------------------------------- /casbaneiro/README.adoc: -------------------------------------------------------------------------------- 1 | = Casbaneiro Indicators of Compromise 2 | 3 | The blog post about Casbaneiro "Casbaneiro: Dangerous cooking with a secret ingredient" is available on WeLiveSecurity at 4 | https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/. 5 | 6 | == Hashes 7 | 8 | === Campaign 1: Fishy financial manager update 9 | 10 | [options="header"] 11 | |==== 12 | | SHA-1 | Description | ESET detection name 13 | | `F07932D8A36F3E36F2552DADEDAD3E22EFA7AAE1` | MSI installer | Win32/TrojanDownloader.Banload.YJD trojan 14 | | `BCDF0DDF98E3AA7D5C67063B9926C5D1C0CA6F3A` | Downloaded payload | Win32/Spy.Casbaneiro.AJ trojan 15 | |==== 16 | 17 | === Campaign 2: What’s cooking? 
A fowl Windows activator 18 | 19 | [options="header"] 20 | |==== 21 | | SHA-1 | Description | ESET detection name 22 | | `8745197972071EDE08AA9F7FBEC029BED56151C2` | MSI installer | JS/TrojanDownloader.Agent.TNX trojan 23 | | `BC909B76858402B3CBB5EFD6858FD5954A5E3FD8` | Re-Loader | MSIL/HackTool.WinActivator.J potentially unsafe application 24 | |==== 25 | 26 | === Campaign 3: The most recent one 27 | 28 | [options="header"] 29 | |==== 30 | | SHA-1 | Description | ESET detection name 31 | | `DD2799C10954293C8E7D75CD4BE2686ADD9AC2D4` | MSI installer | JS/TrojanDownloader.Agent.TNX trojan 32 | | `9DFFEB147D89ED58C98252B54C07FAE7D5F9FEA7` | Downloaded payload | Win32/Spy.Casbaneiro.AJ trojan 33 | |==== 34 | 35 | === Files distributed by Download & Execute 36 | 37 | [options="header"] 38 | |==== 39 | | SHA-1 | Description | ESET detection name 40 | | `C873ED94E582D24FAAE6403A17BF2DF497BE04EB` | Email tool | MSIL/SpamTool.Agent.O trojan 41 | | `B3630A866802D6F3C1FA2EC487A6795A21833418` | Password stealer | Win32/PSW.Agent.OGH trojan 42 | |==== 43 | 44 | == Filenames 45 | 46 | - `%APPDATA%\Spotify\Spotify.exe` 47 | - `%APPDATA%\OneDrive\OneDrive.exe` 48 | - `%APPDATA%\WhatsApp\WhatsApp.exe` 49 | - `%APPDATA%\Sun\Javar\%RANDOM%\%RANDOM%.exe` 50 | - `%APPDATA%\DMCache\%RANDOM%\%RANDOM%.exe` 51 | 52 | == Run key & values 53 | 54 | - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` 55 | ** `Spotify = %APPDATA%\Spotify\Spotify.exe` 56 | ** `OneDrive = %APPDATA%\OneDrive\OneDrive.exe` 57 | ** `WhatsApp = %APPDATA%\WhatsApp\WhatsApp.exe` 58 | ** `%RANDOM% = %APPDATA%\Sun\Javar\%RANDOM%\%RANDOM%.exe` 59 | ** `%RANDOM% = %APPDATA%\DMCache\%RANDOM%\%RANDOM%.exe` 60 | 61 | == C&C servers 62 | 63 | - hostsize.sytes[.]net:7880 64 | - agosto2019.servepics[.]com:2456 65 | - noturnis.zapto[.]org 66 | - 4d9p5678.myvnc[.]com 67 | - seradessavez.ddns[.]net:14875 68 | 69 | == Bitcoin wallet 70 | - `18sn7w8ktbBNgsX8LeeeLMqKS84xMG54si` 71 | 
-------------------------------------------------------------------------------- /mikroceen/README.adoc: -------------------------------------------------------------------------------- 1 | :toc: 2 | :toclevels: 2 3 | 4 | = Mikroceen -- Indicators of Compromise 5 | 6 | These are the IoCs from 7 | https://www.welivesecurity.com//2020/05/mikroceen-spying-backdoor-high-profile-networks-central-asia[ 8 | "Mikroceen: Spying backdoors in high-profile networks in Central Asia"] 9 | blogpost on 10 | http://www.welivesecurity.com[WeLiveSecurity]. 11 | 12 | == Mikroceen RAT 13 | 14 | === ESET detection names 15 | 16 | - Win32/Mikroceen 17 | - Win64/Mikroceen 18 | 19 | === Samples 20 | 21 | ---- 22 | e422e8628c34346a31a9ca2cca29233e86ff2d4d 23 | 9fb094bfdb1c05a356e3d8ee846111d5cc3bb064 24 | faf3414a6c884b50ad8ad048dd93814b231e08fc 25 | 13779006d0dafbe4b27bd282230df299eef2b8dc 26 | 8015c5558bab7eddf939a4d10cab2e2da17c6c40 27 | 7fcbe8828325f4f0a133c1b3a03ca22a7f1a5069 28 | 0f70251abc8c64cbc7b24995c3d32927514d0a4b 29 | e7f5a33b33e023a82ac9eee6ed40e4a38ce95277 30 | 2f0f465cdfa5fc2278e9cf5d602e1f48a2906881 31 | 260d434b6d00756c4b1ac39fe51c22ffb0c6dabf 32 | f2856d7d138430e164f83662e251ee311950d83c 33 | 81bb895a833594013bc74b429fb1f24f9ec9df26 34 | f53c77695a162c78c68f693f57f65752d17f6030 35 | 5d5e9ff6526d3d3cf84247bcb3ddc3b915b980fe 36 | 302cf1a90507efbded6b8f53e380591a3eaf6dcb 37 | 240b7aee7487c61528e69efd266b634203434e6b 38 | 4ca33a4e825aad15a544a42da5714868d8e698b6 39 | 8ebf78c84cd7f66ca8708467a28d83658bcf6710 40 | 8fbec09e646311a285aee06b3dd45ccf58928703 41 | 13779006d0dafbe4b27bd282230df299eef2b8dc 42 | d963d63fbbdda1c586cf809a4b3d091811ddcb0f 43 | b1be4b2f874c8309f553acce90287c8c6bb2b6b1 44 | b4790eec7daa9f931bed43a53f66168b477599a7 45 | 371ae8c7ed4f757db7a64620a5779b0708e2bd60 46 | 58d9d349a931a2cafe507b7bcea617869b3a5442 47 | 0f70251abc8c64cbc7b24995c3d32927514d0a4b 48 | 113764653a9799e2a7c1a736f42c544a2095e711 49 | 1402a3cac892eb65161e95002bb20506f1882c2f 50 | 
ab660a3ac46d563c756463bd1b64cc45f347a1f7 51 | 2100e95c562dc1222ab457ad22c48061962eb696 52 | 21ffd24b8074d7cffdf4cc339d1fa8fe892eba27 53 | a99a21a228b952a0012e502996f5c1b0630e58bf 54 | 11fd54a815a97efeb61bec9a2ab3fedea98eb69b 55 | ff0645cea81bb271abf419327443af9130b83f8d 56 | ec75552b384076e588bd045b274224d7d7d6d1c3 57 | 0df7767ef828ceaf0efa11fbab0a903b0f0fef0b 58 | ---- 59 | 60 | == Simultaneously occuring malware 61 | 62 | ---- 63 | f274d6c8b47c259096a0b55e16e4310291dcabfb 64 | c7f1c2ff40af2355632bf215043fcef6b081789d 65 | 4de4b662055d3083a1bccf2bc49976cdd819bc01 66 | a54b37d3821ff114b3db0fcd722473d3826b625e 67 | 0983a873ad8deb1f6e29a38c40c1f3ab9eaedaf1 68 | d3305bbac11655d78889894f9cc3c5e2e140e808 69 | f73b053211ca0c0ad6cf0025fbe3b7494fca8067 70 | 19bdf9043517ad883cb719fb9152587dfd08730e 71 | 5192023133dce042da8b6220e4e7e2e0dcb000b3 72 | c18602552352fee592972603262fe15c2cdb215a 73 | 49ed91e7b482a0a0e325ec7f4997e17dc6a7a33b 74 | 5a44cdbd362e8d8c67192d91c8d3f87f2f920531 75 | 649834cb177802b5c73b39f3cc38f002ae436394 76 | ---- 77 | -------------------------------------------------------------------------------- /windigo/windigo-onimiki.yar: -------------------------------------------------------------------------------- 1 | // Operation Windigo yara rules 2 | // For feedback or questions contact us at: windigo@eset.sk 3 | // https://github.com/eset/malware-ioc/ 4 | // 5 | // These yara rules are provided to the community under the two-clause BSD 6 | // license as follows: 7 | // 8 | // Copyright (c) 2014, ESET 9 | // All rights reserved. 10 | // 11 | // Redistribution and use in source and binary forms, with or without 12 | // modification, are permitted provided that the following conditions are met: 13 | // 14 | // 1. Redistributions of source code must retain the above copyright notice, this 15 | // list of conditions and the following disclaimer. 16 | // 17 | // 2. 
Redistributions in binary form must reproduce the above copyright notice, 18 | // this list of conditions and the following disclaimer in the documentation 19 | // and/or other materials provided with the distribution. 20 | // 21 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
//
// Linux/Onimiki (Operation Windigo) -- malicious DNS server component.
// Detection is purely code-based: nine exact byte sequences taken from one
// function of the sample (offset noted below), with no wildcards and no
// file-type or size guard.  Because the condition requires every sequence,
// a rebuilt or differently optimised binary would likely not match; on the
// other hand a hit is very unlikely to be a false positive.
rule onimiki
{
    meta:
        description = "Linux/Onimiki malicious DNS server"
        malware = "Linux/Onimiki"
        operation = "Windigo"
        author = "Olivier Bilodeau "
        created = "2014-02-06"
        reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
        contact = "windigo@eset.sk"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

    strings:
        // code from offset: 0x46CBCD
        // NOTE(review): these look like consecutive 16-byte slices of x86-64
        // code (REX prefixes 41/43 followed by movzx/lea/mul/shift) -- inferred
        // from the bytes and the offset comment, confirm against the sample.
        $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
        $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
        $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
        $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
        $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
        $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
        $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
        $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
        $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}

    condition:
        // all nine sequences must be present anywhere in the file
        all of them
}
-------------------------------------------------------------------------------- /evilnum/samples.md5: -------------------------------------------------------------------------------- 1 | 73F31EFE693F8B60DD86EB7E91129EC1 2 | 2DBD582B909880EB446ED36E0129AD4B 3 | B034972A9540B3B00161310F5BF03FC9 4 | DE18E901FE8E39940168CF1BCFFDE813 5 | 9AE7EC46C48AE1AABF58191C16D7E042 6 | 5B733B77E3BD909EFD9F7ACFA58E4770 7 | 61E2B04C0D33740D407D735F00062AB8 8 | 5F289D2A86131EF500041A74C115A857 9 | 4139E248C3133A6ADB70A754DA252718 10 | 7BFEB00217BE93881385BF734DA5871B 11 | 21A1F73942EFDA784B0DABC09459FD97 12 | 1CABC179ABC885A53DF65220540344DD 13 | C28E8ADC6E2570E85839D5203C5336FD 14 | 8C4675A080B642BBF9F096D0E60711FF 15 | 1CE7330385E35AF9B754B1D13B1FCF28 16 | A38769F2E0A002B01471FB96E59EE95F 17 | 0250EC7447F90F3ABC3D3D573F007977 18 | 6A381F91CAF7457C693A456290BB332A 19 | 781F6DD5BFF76B38AE52DA352C976850 20 |
F2522F0FB2B59297D14F5515B4D40D39 21 | 8509E80899C80D30BF0F7A933721FC3E 22 | 1E5BC1D8F6D2CD52E622DC1D60AE35A7 23 | 7DEBADE0783C956073FD8A3106C88FF6 24 | BFBB965093B17B51DE0484CEE360CCE4 25 | 02BF629BD6A36B96E8215D41F58415EA 26 | 41A80CC28047B7AEAFE846AAA23C2CFE 27 | 50F8D960829DA37381E09BF4F38E8B1E 28 | 9E5E6E980F5FA81D6E503B7D62E8B5A8 29 | 219DEDB53DA6B1DCE0D6C071AF59B45C 30 | 0823457BCB82AFFF15C900F949E325F4 31 | 6D467502EB34B53728D392E0E162C6D2 32 | CB57951E1B18CC31680A6E50B259B7D8 33 | D027FD0BA08EF26B12436B20C63A6B16 34 | 7CFEB19C792C78C791367C89F74BC8AB 35 | B5EE5FB0F592A606797AFE275725AE9C 36 | 3D0836DDC60AC65F9C43CC6732E5317C 37 | 048107A01809F2D205F3D356A92526FD 38 | FCCE335AD11F4E568E6FE23AE766B187 39 | 25D6EEBA718AF78275F2C9A4A58CD8B2 40 | FB55AA995BC35A48D49F3BA708172BE1 41 | C32820D1EB296D44C56F8430584D9D69 42 | E07C8E2F268018C7A751998DEC8502C7 43 | CC3785E1DC36C0E976E1F799B8C9171C 44 | 37D4011965747658D3A4DCE01D375677 45 | D76F443222551EDFE07B357C3BB157DA 46 | C2AF1AB092F8990D12A0B92FD6C6273A 47 | 3DF04716DB7E3EC08648EBDF090CA36E 48 | 2B4DEBDDB0F4C28B9A8555DE6474978A 49 | 34E97CE85E7AA219272430EAD7AE3B00 50 | 8F18C95021BE569164CEE0B2CEB25736 51 | 768EF933F1A00F2996FC957A35C56C95 52 | 7783211ED125BBE31CF50B47E9E96FBB 53 | 70A03CEFC2345047AD3D42175E15536C 54 | 6E87B2A47A488D9D75ED86CE6BABEC96 55 | 9E81A4350AB3225A4D5A9A17B1C34BCB 56 | F287B9AFB6215E95CEAA780C1311C6E7 57 | 704C745090326539556F7B8BF0DB001B 58 | FBC89C3435B45244F32254C433E311C0 59 | 42A0E13C97E0AA0867F769B71E378D24 60 | 9888ACCBCE9C3BE970D4EB3C7A253B86 61 | 8DCF8C6EB6F83C9A340920844D83E8D1 62 | 85B2D96080C853C686F0B7B7284896A8 63 | 5E8B0E81763A2195855D51F3F2A55A4E 64 | 2EB0C0DDCDFCB18412AFA1D79E16C206 65 | CB4ADB94D1E29C56731828C6BB57AC51 66 | AF24727B0E2DF8B6ED3A58637A8C05ED 67 | 9DA3F4D29B263BED3BF75E87BC7C9C15 68 | 12FD4E486B418914DBEEDC4EFFC73426 69 | 2D831121A689A2045884CFF1AE68BDDC 70 | 48E90CA0F344E1A0445936F2D28AE01F 71 | 80B0BA4EF46A22BFD43F967905C25A75 72 | 
D0E85B29050228CE0F1DD82F31DD17DE 73 | 40D64F88071B43ABAF29687A1F1ED882 74 | 0A003E8CC4FA2606701A5AD478562C6A 75 | 8EF5FAD49B544D4AE14ADD39D325A3C6 76 | 6166EC0D53AB862657D2A4D777646BA5 77 | F8B83901ACF1E744441B5C2B3D954354 78 | A234DEB636D76B7EB0CF88A305B4ACF3 79 | -------------------------------------------------------------------------------- /danabot/README.adoc: -------------------------------------------------------------------------------- 1 | = DanaBot Indicators of Compromise (IoCs) 2 | 3 | For more information about DanaBot, please refer to the following articles on 4 | https://www.welivesecurity.com/[WeLiveSecurity]. 5 | 6 | * 2018-12-06 7 | https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/[ 8 | DanaBot evolves beyond banking Trojan with new spam-sending capability] 9 | * 2018-08-21 10 | https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/[ 11 | DanaBot shifts its targeting to Europe, adds new features] 12 | 13 | == ESET Detection Names 14 | 15 | .DanaBot 16 | * VBS/TrojanDownloader.Agent.PYC 17 | * JS/TrojanDropper.Agent.NPQ 18 | * Win32/TrojanDropper.Danabot.I 19 | * Win32/TrojanDownloader.Danabot.I 20 | * Win32/Spy.Danabot 21 | 22 | .GootKit 23 | * https://www.virusradar.com/en/Win32_Kryptik.GNNS/detail[Win32/Kryptik.GNNS] 24 | 25 | == Network indicators 26 | 27 | === Webmail services targeted by email-address-harvesting feature 28 | 29 | * *any service based on Roundcube* 30 | * *any service based on Horde* 31 | * *any service based on Open-Xchange* 32 | * `aruba.it` 33 | * `bluewin.ch` 34 | * `email.it` 35 | * `gmx.net` 36 | * `libero.it` 37 | * `mail.yahoo.com` 38 | * `mail.google.com` 39 | * `mail.one.com` 40 | * `outlook.live.com` 41 | * `tecnocasa.it` 42 | * `tim.it` 43 | * `tiscali.it` 44 | * `vianova.it` 45 | 46 | === Webmail services targeted by spam-sending feature 47 | 48 | * *any service based on Open-Xchange* 49 | 50 | === Domains used by the VBS file to download 
malware (GootKit at the time of writing) 51 | 52 | * `amd.cibariefoodconsulting.it` 53 | * `dcc.fllimorettinilegnaegiardini.it` 54 | * `icon.fllimorettinilegnaegiardini.it` 55 | * `job.hitjob.it` 56 | * `vps.hitjob.it` 57 | * `latest.hitweb.it` 58 | * `team.hitweb.it` 59 | * `pph.picchio-intl.com` 60 | 61 | === Example domains used by the GootKit downloader module 62 | 63 | * `ricci.bikescout24.fr` 64 | * `vps.cibariefoodconsulting.it` 65 | * `drk.fm604.com` 66 | * `gtdspr.space` 67 | * `it.sunballast.de` 68 | 69 | === Active DanaBot C&C servers (as of December 6, 2018) 70 | 71 | * `5.8.55.205` 72 | * `31.214.157.12` 73 | * `47.74.130.165` 74 | * `149.154.157.106` 75 | * `176.119.1.99` 76 | * `176.119.1.100` 77 | * `176.119.1.120` 78 | * `176.119.1.176` 79 | * `176.223.133.15` 80 | * `185.254.121.44` 81 | * `188.68.208.77` 82 | * `192.71.249.50` 83 | 84 | == File indicators 85 | 86 | .Example of .VBS file from a spam email sent by DanaBot downloading GootKit 87 | [options="header"] 88 | |==== 89 | |SHA-1 |ESET detection name 90 | |`A05A71F11D84B75E8D33B06E9E1EBFE84FAE0C76` | https://www.virusradar.com/en/VBS_Kryptik.KY/detail[VBS/Kryptik.KY] 91 | |==== 92 | 93 | .Example of GootKit downloaded by DanaBot .VBS file 94 | [options="header"] 95 | |==== 96 | |SHA-1 |ESET detection name 97 | |`0C2389B3E0A489C8E101FFD0E3E2F00E0C461B31` | https://www.virusradar.com/en/Win32_Kryptik.GNNS/detail[Win32/Kryptik.GNNS] 98 | |==== 99 | -------------------------------------------------------------------------------- /turla/carbon.yar: -------------------------------------------------------------------------------- 1 | // For feedback or questions contact us at: github@eset.com 2 | // https://github.com/eset/malware-ioc/ 3 | // 4 | // These yara rules are provided to the community under the two-clause BSD 5 | // license as follows: 6 | // 7 | // Copyright (c) 2017, ESET 8 | // All rights reserved.
9 | // 10 | // Redistribution and use in source and binary forms, with or without 11 | // modification, are permitted provided that the following conditions are met: 12 | // 13 | // 1. Redistributions of source code must retain the above copyright notice, this 14 | // list of conditions and the following disclaimer. 15 | // 16 | // 2. Redistributions in binary form must reproduce the above copyright notice, 17 | // this list of conditions and the following disclaimer in the documentation 18 | // and/or other materials provided with the distribution. 19 | // 20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
//
// "pe" is needed only by carbon_metadata below.
import "pe"

// Turla Carbon: content-based triage rule.
// Requires an MZ header (uint16(0) == 0x5a4d), the ASCII marker "ModStart"
// and one of the two "STOP|..." command strings.  Strings are plain ASCII,
// case-sensitive, with no "wide" modifier, so UTF-16 copies of the same text
// would not match.  The markers are short and generic (hence the rule
// name); treat a hit as a candidate for manual confirmation rather than a
// definitive verdict.
rule generic_carbon
{
    meta:
        author = "ESET Research"
        date = "2017-03-30"
        description = "Turla Carbon malware"
        reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    strings:
        $s1 = "ModStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // "1 of ($s*)" is currently just $s1; the wildcard form leaves room
        // for further $s markers without touching the condition.
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}

// Turla Carbon: PE version-info rule (needs the "pe" module).
// Matches when the VERSIONINFO InternalName contains one of three file
// names and CompanyName contains "Microsoft Corporation".  "contains" is a
// case-sensitive substring test and the rule inspects metadata only, so any
// file that merely declares these strings also matches; confirm hits with
// generic_carbon or sample analysis before acting.
rule carbon_metadata
{
    meta:
        author = "ESET Research"
        date = "2017-03-30"
        description = "Turla Carbon malware"
        reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"

    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
        pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
        pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}
-------------------------------------------------------------------------------- /windigo/samples.md5: -------------------------------------------------------------------------------- 1 | 66a89e7f45fb44213b35e436106dfd71 2 | e77a33419876dcd678a425fe50652eed 3 | 970e23b028bc6fb1322ded0b8b5b01d0 4 | d72751d864d283eb085083e70be59294 5 | 728fc6e23a1644d43c8aa564037ee89e 6 | 44ef105d55622f52a9f7f6278ebae891 7 | c321614a1144004feb76abdceb049373 8 | ece07f84edbde75d6883324c91b1ccdd 9 | e8715c88846802fb05b7904833ee18d7 10 | 27a0b1c7424a382a8e23f2ed8cf55754 11 | 2118f2d0efbcdf0eed0af9c881229153 12 | 7544034b10cfe7eff16061e337b3183b 13 | a0170202d50841ea0dcc49fb06c59672 14 | a44c4cfbc1270515a98f7dcc30373772 15 | 98fd5feb0a14646d9700ad5b094a3a47 16 |
6b8b8cdce7c2c734b82ad3d03365ade0 17 | b2637ca7941a048a490b96004b835297 18 | 1551e1ef7983b68edd83e94ef1bdd57f 19 | ecea5cc15532ffac4b8159bf860c63c1 20 | 2a6f1160401485b1dbf665b792f7b197 21 | 9b408497dd5ec88757062dce5ccfb479 22 | 414caaee14f943c6e6559df8b1cacef4 23 | 59794dbf332046b5599fd21e88953877 24 | da0bdbde8860c94b9fe7320a9e784ae5 25 | 6ac6a33dc08e508e58ae6060999d6211 26 | 22bfc05ab0fa217ba95577a3929c459e 27 | 1954547f20f9096a5b03df2f9a67d287 28 | ab3c3366abb8202dfcb15be34c17f68d 29 | 874930210b25f4bc150f3f41e25a8530 30 | e765bb2954b386bd1a4e8e510d38b80d 31 | 4fa6b65d9ebd5aea9b3704216e39fdf6 32 | 1595fc797ca6c949725b863f159e4005 33 | 7a4c666db0a8f3667ccb679039e1331c 34 | 106600018de9fff486a298fc2a30e65f 35 | 3268342d6b5e41621115d8ee9ac2082a 36 | 9b422cf2918ffbd0461fff577da84f36 37 | 2d04c66588b798c1ec1dd61b48285a77 38 | 672d86bdd1fd59d01d6aefca6f7de038 39 | 240a89bdf5495a047366ff0086eb4cd7 40 | 0760a8e598be0afdf15042e6c9dc5495 41 | e8f97a7b7846297850b5ed372f5d1c03 42 | 57dc029c964ff92ceffa1e494f14cccc 43 | bbec45f7d69f3dcd0ff2028a4e2e7520 44 | 09168b56c06554feec0da573e51dd726 45 | 4d822c8bded445a3abbd505bf5ebe20d 46 | 67ffc442b94bb3faabceacbbaa742327 47 | f5810fc515225dd4b607298b5f448f30 48 | b831f74d80c60b6b25edcf6e5343f1c9 49 | 95e4c551fc9f4d2f693970c8314e37eb 50 | 9b3b341a21253397daf80b1d54906a2f 51 | c74e1d007a26e3488987456ecadcaea5 52 | dca4a20bcee3ac33f050592bee2a8054 53 | 97ee396569742b37d1f2b4c1a53169e5 54 | 9b4924dfeee4ddcb89e3773c5da5063d 55 | 1785109e71a8f6eb6fb1ba7cce7c51e6 56 | 37a603a4cb5cad123851059228007735 57 | 15b9b930f3f18484b16173d576ec519e 58 | 0037f06b555a17a4b28a9570e7103ba2 59 | e019a2e17432f80a161faa4ec5b09200 60 | fb4dd618ddcf8792ef4f0f9b77446304 61 | 1a4feb94c6944e56efc591566707fae4 62 | cf859b3b662dd55d35a56af8bf030d99 63 | 39da046a5704631618aaca63976be52d 64 | 8816255883edb589f275ae240db6ce87 65 | 6c7205de33f2b625f0b238c8affe8ce4 66 | 9403538430da045ecef82ff07595425a 67 | 3dbb8c0b659f0003e38eda7086f1c07f 68 | 
1f1c100ea006bc5667da22e9273825ca 69 | f0ea6708046cc2f2bce4efb7fbeb769e 70 | cb5b1283a5509f745686fdf0d5fcbd95 71 | a0488c9e9995860dd51f219170928a1e 72 | 3c5bd51b484ba2d8cfd385bd2dcb19dd 73 | 6852e9b0c1fa792e0bd6ba1b3c8e8b39 74 | a5c1c55cb491030a8956d22b76005fca 75 | 5122650280b67f1753f61446b97a5e37 76 | 4d485629fdad9ee8de9003b58078fd0c 77 | b196a26780b6348f815bdbbb09cd811c 78 | 4c2c2a490c3b945167524ea32c2fec44 79 | c155591d5ad3765d770e5dbcba8bb0eb 80 | 01e56e46518100bd61206703019fb7ff 81 | 86c147d99caa493ab638d527d21cc9ec 82 | 9ccb159e60edfe7c3519ac77feacc6d0 83 | -------------------------------------------------------------------------------- /greyenergy/samples.md5: -------------------------------------------------------------------------------- 1 | 02adca186a7236b65bb1b197af8d294c 2 | 494046dc3bf6a824858a45c3d72a7d20 3 | 0cad6adc5874a748edc8423c3a48ef0f 4 | e567d202d72923a8654e77c187ee916b 5 | de12bafefa1c0448e2142787a59f07d6 6 | 5865fa4ed2a15381eb21160049793df5 7 | 7d30036156f14e9c5103d6baee6a0e0a 8 | ca2a53ad706fe27bdb37f23a6cbd0d73 9 | 96a14c481efbecec481740e6673e47e6 10 | 5f58059d894e8aaf58b2da6be6f97aa8 11 | 3cf6ebe5310690eb2f635ab3c0144c21 12 | dee7b0ebeaee1789e99fbe07cdf55a72 13 | 16bb9def4fabfa2ccb3efc1ca5bfc2fa 14 | 960055d984b0a1f97be2226f8d874e71 15 | d7bf1e624d4b7c340b960f07ae8e1048 16 | d4aa2e198072814e1d5a94d4e8713430 17 | e3a2c3a025d1aee589026d09e2a0ca50 18 | 92130bd969c24b181f64c377e45daa76 19 | 9f5309b5960b00f9dc75c6d544b454d2 20 | b0e3bceb86564ad62956feec7b2b7818 21 | 32ac5536ff52d0d7127336474bce307d 22 | b590277f0e9ad91dd743d5be29de541b 23 | 6d0687d55e11d509d3f132ebe12139d6 24 | 048d324343c82cfc6cc736cb86671fb2 25 | 47b759a635a13bf2c7024051f326d80d 26 | 6826a2cb61b501a086c8997a5f786c25 27 | 7a7103a5fc1cf7c4b6eef1a6935554b7 28 | 5148bc008e62ed9b2edb355506d87d29 29 | 462ed68d9de5db6785307be9640c6229 30 | 37ad2cccbce89d87f9fc9086b4728a29 31 | 6cd387815c1fbc7068e2b74630171d4a 32 | cc2c79933a0b80df29a8a0cc6058da50 33 | 
65a868e21789cea1310d9da36535bbc9 34 | 4d64b80452db692755ba08d42774cdc4 35 | 92f63b1227a6b37335495f9bcb939ea2 36 | 34b853e45421f5eee6a127db3e836bf0 37 | 361b125ce4d180c9cb803d4d0aec6d3d 38 | 0ee32e77be711eca116c9910228773a9 39 | 467c618ebef0bbb394d776b1db73cbb4 40 | 05ce48972bf2df45ba923c556725f9db 41 | 364600565559fe11933446fc86f2856c 42 | 33b41c3f31638dc381de7b88b462e745 43 | 634e5ecabb014b8a78faf780a6f1465d 44 | 84a1bcb0c475b83a267bbaba88be4be8 45 | 6d48f91ea88fa909c98a5f3400377bd3 46 | 73676711f838906a9a64e6528e0481f6 47 | 81e698891a895e35161b11981ba83da0 48 | 6915b8f5572b8c3554a2fae53d19b6b2 49 | 2bff6b87ee4b4d1d4f9468939797e8a9 50 | 0b9b29f3fc45503990d5d26a574686b6 51 | 3e4947ffb43a299c9a9558732bc0da84 52 | 79694a4fce3518ace2cc938b02f769b9 53 | 7552b4c677048caeb0112d9b8225459b 54 | 483bbfff900ae0c2045865cec28cae9d 55 | 1fd435100735298e0439fd2b120edb05 56 | de4f268948be797688a5f26f748e3114 57 | 1cb35f4340a37e75aff1f901629b59f3 58 | c9d46876d5ab346e8921973b719aff58 59 | 224c2d888bce0c3d19fbef41cb20b45a 60 | 5525af1a03e3ae4fc75e4f5c1d66e07a 61 | cd5eadaeba08af4b61de06c080790b40 62 | 85b1f9d711f3228b8c4a95c4f2d7bbc7 63 | bb67537d0f6103c009f1450f19951042 64 | ed1da62cace4f5a8090d334d8337b062 65 | 0193807528af3ae3e6be4ce266e30882 66 | 9f4499915079ba276b65519862e2da20 67 | 271203635072fcd686c554b0d3d6d425 68 | 01b3eb18011e20141f5cd52d882c62ea 69 | bb85ab5095fd7fd95f19556f7af62760 70 | 549ace2711a324a977be83887f10ed9c 71 | dfe7664237b78aa5eb498ec6d9155419 72 | 0b67e662d2fd348b5360ecac6943d69c 73 | e420d6e25bc6a01216de80237460f565 74 | 538c0573da00d70e40ab38d9dea1940b 75 | 6298d50f0e870b06837c5d6cb4977ace 76 | 275f821b328c06a2ef7b5ebb22af9cb6 77 | d8f6ea7cbaee75a9c46966782f745ddd 78 | 6029a30c073a6150669b89c880728712 79 | e2e4b4211c0021dd9a639d4a435ffa1b 80 | 6ede63d6f216affbb57a26200fd31608 81 | e309dbc94ffdd5476b91690cde71a3df 82 | b24d5f195200367f7fc20e1cc24c6a9a 83 | -------------------------------------------------------------------------------- 
/gmera/README.adoc: -------------------------------------------------------------------------------- 1 | = GMERA (OSX/Agent.BE) -- Indicators of Compromise 2 | 3 | For more information about the GMERA Mac malware, please read 4 | https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/["Mac 5 | cryptocurrency trading application rebranded, bundled with malware"] 6 | on https://www.welivesecurity.com[WeLiveSecurity]. 7 | 8 | == Samples 9 | 10 | [options="header"] 11 | |==== 12 | | SHA-1 | Filename | ESET detection name 13 | | `2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B` | `Licatrade.zip` | multiple threats 14 | | `560071EF47FE5417FFF62CB5C0E33B0757D197FA` | `Licatrade.app/Contents/Resources/run.sh` | OSX/Agent.BA 15 | | `4C688493958CC7CCCFCB246E706184DD7E2049CE` | `Licatrade.app/Contents/MacOS/Licatrade` | OSX/Agent.BA 16 | | `9C0D839D1F3DA0577A123531E5B4503587D62229` | `Cointrazer.zip` | multiple threats 17 | | `DA1FDA04D4149EBF93756BCEF758EB860D0791B0` | `Cointrazer.app/Contents/Resources/nytyntrun.sh` | OSX/Agent.AZ 18 | | `F6CD98A16E8CC2DD3CA1592D9911489BB20D1380` | `Cointrazer.app/Contents/MacOS/Cointrazer` | OSX/Agent.BA 19 | | `575A43504F79297CBFA900B55C12DC83C2819B46` | `Stockfolio.zip` | multiple threats 20 | | `B8F19B02F9218A8DD803DA1F8650195833057E2C` | `Stockfolio.app/Contents/MacOS/Stockfoli` | OSX/Agent.AZ 21 | | `AF65B1A945B517C4D8BAAA706AA19237F036F023` | `Stockfolio.app/Contents/Resources/run.sh` | OSX/Agent.AZ 22 | |==== 23 | 24 | == Code signing certificates 25 | 26 | [options="header"] 27 | |==== 28 | | App name | Fingerprint (SHA-1) | Developer identity | Valid from | App signed on | Revoked on 29 | | Stockfolio | `e5d2c7fb4a64eaf444728e5c61f576ff178c5ebf` | Levis Toretto (`9T4J9V8NV5`) | 2018-11-25 | 2019-04-18 | 2019-07-26 30 | | Cointrazer | `1bc8ea284f9ce5f5f68c68531a410bcc1ce54a55` | Andrei Sobolev (`A265HSB92F`) | 2019-10-17 | 2019-10-17 | 2020-04-16 31 | | Licatrade |
`bdbd92bff8e349452b07e5f1d2883678658404a3` | Andrey Novoselov (`M8WVDT659T`) | 2020-04-06 | 2020-04-15 | 2020-05-28 32 | |==== 33 | 34 | == Network 35 | 36 | === Domain names 37 | 38 | - `repbaerray.pw` 39 | - `macstockfolio.com` 40 | - `latinumtrade.com` 41 | - `trezarus.com` 42 | - `trezarus.net` 43 | - `cointrazer.com` 44 | - `apperdenta.com` 45 | - `narudina.com` 46 | - `nagsrsdfsudinasa.com` 47 | - `cupatrade.com` 48 | - `stepbystepby.com` 49 | - `licatrade.com` 50 | - `creditfinelor.com` 51 | - `maccatreck.com` 52 | 53 | === IP Addresses 54 | 55 | - `85.209.88.123` 56 | - `85.217.171.87` 57 | - `193.37.214.7` 58 | - `193.37.212.97` 59 | 60 | == Host-based indicators 61 | 62 | === File paths 63 | 64 | - `$HOME/Library/LaunchAgents/.com.apple.upd.plist` 65 | - `$HOME/Library/LaunchAgents/.com.apple.system.plist` 66 | - `/tmp/.fil.sh` 67 | - `/tmp/loglog` 68 | 69 | === Launch Agent labels 70 | 71 | - `com.apple.apps.upd` 72 | - `com.apples.apps.upd` 73 | -------------------------------------------------------------------------------- /sednit/README.adoc: -------------------------------------------------------------------------------- 1 | 2 | :toc: 3 | :toclevels: 2 4 | 5 | = Sednit Indicators of Compromise 6 | 7 | Find the whole Sednit whitepaper http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-full.pdf[here]. 8 | 9 | == Part 1: Approaching the Target 10 | 11 | For a description of Sednit, please see the 12 | http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/[article about Sednit part1] 13 | on http://www.welivesecurity.com[WeLiveSecurity]. 14 | 15 | === IoCs 16 | 17 | link:part1.adoc[Part 1: Approaching the Target] 18 | 19 | == Part 2: Observing the Comings and Goings 20 | 21 | For a description of Sednit, please see the 22 | http://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-software-uses/[article about Sednit part2] 23 | on http://www.welivesecurity.com[WeLiveSecurity]. 
24 | 25 | === IoCs 26 | 27 | link:part2.adoc[Part 2: Observing the Comings and Goings] 28 | 29 | == Part 3: A Mysterious Downloader 30 | 31 | For a description of Sednit, please see the 32 | http://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-software-uses/[article about Sednit part3] 33 | on http://www.welivesecurity.com[WeLiveSecurity]. 34 | 35 | === IoCs 36 | 37 | link:part3.adoc[Part 3: A Mysterious Downloader] 38 | 39 | == Blog: Sednit adds two zero-day exploits using ‘Trump’s attack on Syria’ as a decoy 40 | 41 | For a description of this attack, please see the http://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/[Sednit adds two zero-day exploits using ‘Trump’s attack on Syria’ as a decoy] on http://www.welivesecurity.com[WeLiveSecurity] 42 | 43 | === IoCs 44 | 45 | link:2017-05-09_Trump_Attack_on_Syria_IoCs.adoc[Sednit adds two zero-day exploits using ‘Trump’s attack on Syria’ as a decoy] 46 | link:2017-05-09_Trump_Attack_on_Syria_IoCs.json[MISP event] 47 | 48 | == LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group 49 | 50 | The white paper about LoJax UEFI rootkit is available link:https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf[here] 51 | 52 | A high level summary is also available as a blog post on link:https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/[WeLiveSecurity] 53 | 54 | === IoCs 55 | 56 | link:lojax.adoc[LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group] 57 | 58 | == Blog: What’s going on with Zebrocy? 59 | 60 | For a description of this attack, please see the 61 | https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/[What’s going on with Zebrocy?] 62 | on http://www.welivesecurity.com[WeLiveSecurity] 63 | 64 | === IoCs 65 | 66 | link:2018-11-20_Zebrocy.adoc[What’s going on with Zebrocy?] 
67 | link:2018-11-20_Zebrocy.json[MISP event] 68 | 69 | == Blog: A journey to Zebrocy land 70 | 71 | For a description of this attack, please see the 72 | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/[A journey to Zebrocy land] 73 | on http://www.welivesecurity.com[WeLiveSecurity] 74 | 75 | === IoCs 76 | 77 | link:2019-05-23_Zebrocy.adoc[A journey to Zebrocy land] 78 | link:2019-05-23_Zebrocy.json[MISP event] 79 | -------------------------------------------------------------------------------- /okrum_ke3chang/samples.sha256: -------------------------------------------------------------------------------- 1 | ead297674cb87c7f3a9874b41170f9294fdc6a307d51402cd4bef610d52b86c9 2 | 2242ce4ed5a36e0c1e839e36d09dd6231ac5254ddc92633fbd20ecaa70595e42 3 | 02ea0bc17875ab403c05b50205389065283c59e01de55e68cee4cf340ecea046 4 | 16e784a00683df76c1bfbdceb767ffe7e6b14083d763295e508bb7dde1e2a87f 5 | 6bcf242371315a895298dbe1cdec73805b463c13f9ce8556138fa4fa0a3ad242 6 | 10bfc8208fb853961e9f9c4886380926d76f25cd2563638f580199f1394c3698 7 | 24b177fd14fd49b3c2e863c9ad74a13723101c3fe67fbd6e142fbad84929ec16 8 | a1bf3c1de2d70f1fb884191d9fe4cdba9ef0171e3c4fc24cac9162e8f3a951bd 9 | f3efa600b2fa1c3c85f904a300fec56104d2caaabbb39a50a28f60e0fdb1df39 10 | fe4f2f211262d94284b4519596fddc839e7b77bf72a550b62354da93327dc3c6 11 | a8e554496e71dde565252f09efc051cb3eac911382f2b3c2dcbc49f457dde9ce 12 | 9c79044ebd0486c0987aed83371e5d47c05bcb34095aaa0a735efca9c659e7d7 13 | 8ae62de6d3d7b687565769a26fee9ec91946b324ec2010553c09a677e1658587 14 | 2bd41b5fbdc4e04152c0187345f881c08098fd71d0b5c25ce2de781e81178442 15 | 875d3aaf53317ab9c7e6c6ef729e6a9a4fe864a9975c859632ddd97a410ec764 16 | 2f0dbd2a4d29f8bfcd659c08b86fac9e61300b75a418bacb1ff5dfd895e6e1ad 17 | 7679d6f514313ea5d8951e099ce0e222e0a27a4dac64bba562d0cf562b3b3d0e 18 | c224180cbfcaeb88afc8f01f0b803d2945206e52e490ba872e8850a0270a0a4d 19 | 4466063c5e3e38a74b1b10fcc96b8f97209c19df10bc06ea42668ecdab3515fd 20 | 
203a10d3d88e53255c84102d004fdd5f736434f9f115a13ed09490f37704818f 21 | f1f14627254980ff0bc78ad2964e6bdc4f98716aa005e277e2307ac198a71fcc 22 | b0f6948e263523502630b70f9d26164d95354d5b663cae9a8fbfd940e9ddd175 23 | fe2812d8102aac65b9e82ffe57f1f4e164bc4a83d160fd73ea000ce0794ba611 24 | af9f63b2267c16056a5ca969407a74ef04a48e6320287a32a6916544c1bed9dc 25 | e0529e14c95cee485eb8f550a3be31be8ce7fc15232a9481e3b8579de9651640 26 | f73ba20d9895a746448df6dd0fd8fe78b7e8d568ecb33b4a419c684fb18884af 27 | 2b386a617293642a54f09fe1efcfaa3ab6f5bc445e5f2c1eaa6b8ae183f1cfc5 28 | 60766332eb16a5c203dc07be1906606bb7d80ad72332104a091ba2a460a7d685 29 | f6f49ff295c32262926faa5f1e36bcc7f5920277e46879e2111b23b9853e1293 30 | da7b64fca33ac3007750829966d13b56ae77c71329df2499bb56aec2c5a6839b 31 | 511bde4ac24503e69fd41d06f3cda8747baba1220e141d4175d31aa6fc3cbd75 32 | 62aed2056f578598b17558bd822d1cd876da4e64f05e4cea475b3731075f0f1b 33 | 26b93ba6c48d08e09fc45c6e521577537e41ae734a6133d5bc697df85395cf15 34 | 720d4980b0753303a8c77c9eb8e5ffca1a1534da8cac43ce4d99d2842da41c8c 35 | 7b75a05effe913b7a7a17bedb472e28609dbbc71e4996883f2e0dc0b3020b4c8 36 | 14c4f4f2103c93a1063c65af6b3c1b8064620304041e2245507c0fb2b2f3b504 37 | e48a9c922dbb774f4bc7766f5257b42dbfb068a47c9456e7f60c9d7e0d5ae168 38 | 5b91958e32629445cc30bb0e4488d42a169a0a3575710be55855e6e6cd49f71e 39 | 1a9a624fa2fb966ad0152a7097cd2375cc5bc8536e2c2ad574fd4d13d66a61e7 40 | 2cc5c7276bada334acb17e4ad12a5bf1cebb7ecec180b0d351bca82dbcdd37e8 41 | b770709103f9ca94d63c67c834eb4f9d17c6c27cea6c1afd6797d67dbba71b99 42 | 486bcda0c6b1fafb39d294a6371dfa623ab7ba503102595abc784e8ed60aa600 43 | 236771d92c44ebfb32a88783566ac25919bad3190f26e01562becf61e47d6052 44 | ffcc3de18de2b87db82859b1dc122af819357d9928b94dd7db373378be3b17bf 45 | 03b93d54dc4a63ba4a8dbd9177b685f7abeb1b121ecb4f8e8b5484f8957a2b49 46 | b9cb9b6547dd95b1e78ab335ff4768223b58478d261b3e8adc57541fa488955b 47 | 7c17ccdd8eba3791773de8bc05ab4854421bc3f2554c7ded00065c10698300fe 48 | 
-------------------------------------------------------------------------------- /dnsbirthday/README.adoc: -------------------------------------------------------------------------------- 1 | = DNSBirthday -- Indicators of Compromise 2 | 3 | For a description of DNSBirthday, please see the article about 4 | https://www.welivesecurity.com/2017/06/22/got-birthday-reminder/[DNSBirthday] 5 | on https://www.welivesecurity.com[WeLiveSecurity]. 6 | 7 | == IoCs 8 | 9 | === Registry 10 | 11 | * `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BirthdayReminder` 12 | 13 | === Mutex 14 | 15 | * `Global\Global\RqzSingleInst` 16 | * `Global\downloadExec` 17 | 18 | === Hashes 19 | 20 | [options="header"] 21 | |===== 22 | | Component | SHA-1 | ESET Detection name 23 | | BirthdayReminderSetup.exe | `6a07de60da0962ee952e63ac89ce86d2581f3926` | Win32/Adware.DNSBirthday.A 24 | | rqz-loader 1.1.0 x32 | `19041323a4ecd92eb888664e1d2c0b2893419f78` | Win32/Adware.DNSBirthday.A 25 | | rqz-loader 1.1.0 x64 | `94c6f2bbad0ce47957d18b53ef1938d846d7576f` | Win64/Adware.DNSBirthday.B 26 | | rqz-stg1 1.1.0 x32 | `59eb5b5d3171069761a13389a1a7cce12a95e0bd` | Win32/Adware.DNSBirthday.A 27 | | rqz-stg1 1.1.0 x64 | `f02e0012aedf02f898f1558c827491d7099c1d62` | Win64/Adware.DNSBirthday.A 28 | | rqz-info-gatherer 1.0.4 x32 | `8cfbd1f7e4d8c4357766f0f4b84bb08cf2e78c17` | Win32/Adware.DNSBirthday.B 29 | | rqz-info-gatherer 1.0.4 x64 | `0f4aeee1a0878eb510229b871e02eb1e1939107e` | Win64/Adware.DNSBirthday.B 30 | | rqz-dnsduvel-ldr 1.0.4 x32 | `892785875fcdfe4cc672ba1c3fc59bfbf37c7efe` | Win32/Adware.DNSBirthday.A 31 | | rqz-dnsduvel-ldr 1.0.4 x64 | `5a5174739bbb7881c46112704cbf039f39d98fec` | Win64/Adware.DNSBirthday.B 32 | | rqz-dnsduvel-ldr-exe 1.0.4 x32 | `cc291be6cbc7b0dc3aa09973d0ed98e363f9083f` | Win32/Adware.DNSBirthday.A 33 | | rqz-dnsduvel-ldr-exe 1.0.4 x64 | `ce84d96a974e95499fadd3320f851c0b728cd438` | Win64/Adware.DNSBirthday.B 34 | | rqz-dnsduvel 1.0.3-68c0c5 x32 | 
`e6b6fe919cf6c3af0d40594e86da4cf776dbcf9a` | Win32/Adware.DNSBirthday.B 35 | | rqz-dnsduvel 1.0.3-68c0c5 x64 | `d1085fb7f2c4d1add9244cb8af6d0e25b50d7b14` | Win64/Adware.DNSBirthday.B 36 | |===== 37 | 38 | Because `BirthdayReminderSetup.exe` and `BRController.exe` contains a unique 39 | bot id, here are ssdeep fuzzy hashes: 40 | 41 | [options="header"] 42 | |===== 43 | | Component | ssdeep 44 | | BirthdayReminderSetup.exe | `393216:ZD4b8Ev/xl3OB4fcUx6uj55/Q7COLc1cm+DkC1GWF2jazuIYRCxEfFCqgY9iHtKZ:ZD5EhFOmcUs85/OCOLecm+14OzzY9Fdl` 45 | | BRController.exe (x86) | `24576:0+KpP0PYnsKdFCH6BMKHiBMikwMbSyM52it6YTekcys4e6faNe0M4RzRPxM4TuZR:cfs4F6KHiy7kM4CjlpRPx1TuZ+tgP8K` 46 | | BRController.exe (x64) | `49152:l4+VwASOwGtlqKPb8KHh+3ulMrqkvTiV3ML3OsQXIU6inTe2mEPEB:jCTiVGV+q2mHB` 47 | |===== 48 | 49 | === Network 50 | 51 | * Rogue DNS server: `176.31.106.50` (inactive) 52 | * C&C server: `updates.rqztech.com` (was `188.165.205.99`) 53 | * Ad server IP addresses: `188.214.30.97` and `188.214.30.98` 54 | * DNS query to domain matching `[0-9a-f]{60}.smoke` 55 | 56 | === SSL certificates 57 | 58 | * link:358bb04f6a0bf8ce88d23b2e620ac01b28d307ab80286f6ee2dcc484a6b1a5d0.pem[`358bb04f6a0bf8ce88d23b2e620ac01b28d307ab80286f6ee2dcc484a6b1a5d0.pem`] 59 | * link:45cbc80fe0cac8004f862b9eb90b53b57b06299f98e20923185eb08c363d1ec4.pem[`45cbc80fe0cac8004f862b9eb90b53b57b06299f98e20923185eb08c363d1ec4.pem`] 60 | -------------------------------------------------------------------------------- /mispadu/README.adoc: -------------------------------------------------------------------------------- 1 | 2 | = Mispadu Indicators of Compromise 3 | 4 | The blog post about Mispadu "Mispadu: advertisement for a discounted Unhappy Meal" is available on WeLiveSecurity at 5 | https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/. 
6 | 7 | == Hashes 8 | 9 | === Brazilian campaign 10 | 11 | [options="header"] 12 | |==== 13 | | SHA-1 | Description | ESET detection name 14 | | `A4EDA0DD2C33A644FEEF170F5C24CF7595C19017` | MSI installer | VBS/TrojanDownloader.Agent.RVY 15 | | `A9BADCBF3BD5C22EEB6FAF7DB8FC0A24CF18D121` | Mispadu injector | Win32/Injector.EHXF 16 | | `337892E76F3B2DF0CA851CCF4479E56EAF2DB8FD` | Mispadu banking trojan | Win32/Spy.Mispadu.C 17 | | `A8CD12CC0BBD06F14AA136EA5A9A2E299E450B18` | Mispadu banking trojan | Win32/Spy.Mispadu.C 18 | |==== 19 | 20 | === Mexican campaign 21 | 22 | [options="header"] 23 | |==== 24 | | SHA-1 | Description | ESET detection name 25 | | `CFE21DBFB97C2E93F099D351DE54099A3FC0C98B` | MSI installer | VBS/TrojanDownloader.Agent.RVY 26 | | `251AC7386D1B376FB1CB0E02BDFC45472387C7BC` | Mispadu injector | Win32/Injector.EHXF 27 | | `A4FC4162162A02CE6FEADFE07B22465686A0EC39` | Mispadu banking trojan | Win32/Spy.Mispadu.J 28 | | `710A20230B9774B3D725539385D714B2F80A5599` | Mispadu banking trojan | Win32/Spy.Mispadu.J 29 | |==== 30 | 31 | === Google Chrome extension 32 | 33 | [options="header"] 34 | |==== 35 | | SHA-1 | Description | ESET detection name 36 | | `3486F6F21034A33C5425A398839DE80AC88FECA8` | Component 1 (manipulating windows) | JS/Spy.Banker.DQ 37 | | `1D19191FB2E9DED396B6352CBF5A6746193D05E8` | Component 2 (credit cards) | JS/Spy.Banker.DQ 38 | | `22E6EBDFAB7C2B07FF8748AFE264737C8260E81E` | Component 3 (banking and Boleto data) | JS/Spy.Banker.DQ 39 | |==== 40 | 41 | === Potentially unwanted applications for credential theft 42 | 43 | [options="header"] 44 | |==== 45 | | SHA-1 | Description | ESET detection name 46 | | `63DCBE2DB9CC14564EB84D5E953F2F9F5C54ACD9` | Email client credential stealer | Win32/PSWTool.MailPassView.E 47 | | `8B950BF660AA7B5FB619E1F6E665D348BF56C86A` | Google Chrome credential stealer | Win32/PSWTool.ChromePass.A 48 | | `F6021380AD6E26038B5629189A7ADA5E0022C313` | Mozilla Firefox credential stealer | Win32/PSWTool.PassFox.F 
49 | | `76F70276EB95FFEC876010211B7198BCBC460646` | Internet Explorer credential stealer | Win32/PSWTool.IEPassView.NAH 50 | |==== 51 | 52 | == Filenames 53 | - `C:\Users\Public\%COMPUTERNAME%[1]` 54 | - `C:\Users\Public\%COMPUTERNAME%[1]_` 55 | - `C:\Users\Public\{winx86,libeay32,ssleay32}.dll` (legitimate DLLs downloaded by the loader script; partial indicator) 56 | 57 | == Servers used 58 | - `\http://18.219.25.133/br/mp1a{1,sq,sl,ss}.aj5` 59 | - `\http://3.19.223.147/br/mp1a{1,sq,sl,ss}.aj5` 60 | - `\http://51.75.95.179/la8a{1,sq,sl,ss}.ay2` 61 | 62 | == Discount coupon URLs 63 | - Brazil 64 | ** `\http://promoscupom.cf/` 65 | ** `\http://mcdonalds.promoscupom.cf/index3.html` 66 | - Mexico 67 | ** `\http://mcdonalds.promoscupom.cf/index2.html` 68 | 69 | == Bitcoin wallet 70 | - `3QWffRcMw6mmwv4dCyYZsXYFq7Le9jpuWc` -------------------------------------------------------------------------------- /keydnap/keydnap.yar: -------------------------------------------------------------------------------- 1 | // Keydnap packer yara rule 2 | // https://github.com/eset/malware-ioc/ 3 | // 4 | // These yara rules are provided to the community under the two-clause BSD 5 | // license as follows: 6 | // 7 | // Copyright (c) 2016, ESET 8 | // All rights reserved. 9 | // 10 | // Redistribution and use in source and binary forms, with or without 11 | // modification, are permitted provided that the following conditions are met: 12 | // 13 | // 1. Redistributions of source code must retain the above copyright notice, this 14 | // list of conditions and the following disclaimer. 15 | // 16 | // 2. Redistributions in binary form must reproduce the above copyright notice, 17 | // this list of conditions and the following disclaimer in the documentation 18 | // and/or other materials provided with the distribution. 
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//

// NOTE(review): none of the three rules below checks a Mach-O/FAT magic
// (e.g. uint32(0)), so they match any file or memory region that carries the
// strings (scripts, logs, dumps), not only executables. That is fine for
// hunting; add a magic check before using them for blocking.

// OSX/Keydnap downloader: any two of three ASCII, case-sensitive strings
// (the anonymous `$` strings are what `2 of them` counts).
//
// "killall Terminal" and "open %s" are shell-style strings that could also
// appear in benign macOS tooling; "icloudsyncd" is presumably the name the
// downloader gives its payload or process -- TODO confirm in the reference.
// Treat a hit made of the two shell strings alone as weak and triage it.
rule keydnap_downloader
{
    meta:
        description = "OSX/Keydnap Downloader"
        author = "Marc-Etienne M.Léveillé"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $ = "icloudsyncd"
        $ = "killall Terminal"
        $ = "open %s"

    condition:
        2 of them
}

// Packed OSX/Keydnap backdoor.
//
// The condition encodes a modified UPX: the stock UPX banner string must be
// present, the custom magic "ASS7" must be present, and the original "UPX!"
// block magic must be absent (apparently replaced by "ASS7"). Consequences:
// the rule only catches this exact tweak -- a sample that keeps "UPX!" or
// that strips the banner drops out -- and it describes the packed container,
// not the payload. Run keydnap_backdoor on the unpacked binary or on process
// memory to confirm what is inside.
rule keydnap_backdoor_packer
{
    meta:
        description = "OSX/Keydnap packed backdoor"
        author = "Marc-Etienne M.Léveillé"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $upx_string = "This file is packed with the UPX"
        $packer_magic = "ASS7"
        $upx_magic = "UPX!"

    condition:
        // Banner present, custom magic present, stock UPX magic absent.
        $upx_string and $packer_magic and not $upx_magic
}

// Unpacked OSX/Keydnap backdoor: any two of five ASCII, case-sensitive
// strings.
//
// The two "api/osx/..." paths look like C&C URI fragments; "Loader-" is a
// bare prefix (presumably part of a user-agent or identifier -- TODO confirm);
// "u2RLhh+!LGd9p8!ZtuKcN" is an opaque constant (looks like a key or token,
// do not assume its role); "com.apple.iCloud.sync.daemon" is an Apple-looking
// identifier, presumably the launchd label used for persistence -- TODO
// confirm. Apply this rule to unpacked samples or memory; the packed form is
// covered by keydnap_backdoor_packer.
rule keydnap_backdoor
{
    meta:
        description = "Unpacked OSX/Keydnap backdoor"
        author = "Marc-Etienne M.Léveillé"
        date = "2016-07-06"
        reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
        version = "1"

    strings:
        $ = "api/osx/get_task"
        $ = "api/osx/cmd_executed"
        $ = "Loader-"
        $ = "u2RLhh+!LGd9p8!ZtuKcN"
        $ = "com.apple.iCloud.sync.daemon"
    condition:
        2 of them
}
--------------------------------------------------------------------------------
/amavaldo/README.adoc:
--------------------------------------------------------------------------------

= Amavaldo Indicators of Compromise

The blog post about Amavaldo "From Carnaval to Cinco de Mayo -- The journey of
Amavaldo" is available on WeLiveSecurity at
https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/.
7 | 8 | == Hashes 9 | 10 | === Distribution chain 1 (targeting Brazil) 11 | 12 | [options="header"] 13 | |==== 14 | | SHA-1 | Filename | Description | ESET detection name | 15 | | `E0C8E11F8B271C1E40F5C184AFA427FFE99444F8` | | MSI downloader | VBS/TrojanDownloader.Agent.QSL trojan | 16 | | `12C93BB262696314123562F8A4B158074C9F6B95` | NvSmartMaxApp.exe | Abused legitimate application | Clean file | 17 | | `6D80A959E7F52150FDA2241A4073A29085C9386B` | NvSmartMax.dll | Amavaldo injector | Win32/Spy.Amavaldo.P trojan | 18 | | `B855D8B1BAD07D578013BDB472122E405D49ACC1` | NvSmartMax | Amavaldo banking trojan | Win32/Spy.Amavaldo.N trojan | 19 | | `FC37AC7523CF3B4020EC46D6A47BC26957E3C054` | gup.exe | Abused legitimate application | Clean file | 20 | | `4DBA5FE842B01B641A7228A4C8F805E4627C0012` | libcurl.dll | Injector for email creation tool | Win32/Spy.Amavaldo.P trojan | 21 | | `9A968341C65AB47BF5C7290F3B36FCF70E9C574B` | libcurl | Email creation tool | Win32/Spy.Banker.AEGH trojan | 22 | |==== 23 | 24 | === Distribution chain 2 (targeting Mexico) 25 | 26 | [options="header"] 27 | |==== 28 | | SHA-1 | Filename | Description | ESET detection name | 29 | | `AD1FCE0C62B532D097DACFCE149C452154D51EB0` | | MSI downloader | Win32/TrojanDownloader.Delf.CSG trojan | 30 | | `6C04499F7406E270B590374EF813C4012530273E` | ctfmon.exe | Abused legitimate application | Clean file | 31 | | `1D56BAB28793E3AB96E390F09F02425E52E28FFC` | MsCtfMonitor.dll | Amavaldo injector | Win32/Spy.Amavaldo.U trojan | 32 | | `B761D9216C00F5E2871DE16AE157DE13C6283B5D` | MsCtfMonitor | Amavaldo banking trojan | Win32/Spy.Amavaldo.N trojan | 33 | |==== 34 | 35 | === Legitimate third-party tools used by Amavaldo downloaders 36 | 37 | [options="header"] 38 | |==== 39 | | SHA-1 | Filename | Description | ESET detection name | 40 | | `B191810094DD2EE6B13C0D33458FAFCD459681AE` | VmDetect.exe | A tool for detecting virtual environment | Clean file | 41 | | `B80294261C8A1635E16E14F55A3D76889FF2C857` | 
AICustAct.dll | A tool for checking internet connectivity | Clean file | 42 | |==== 43 | 44 | == Mutex 45 | - `{D7F8FEDF-D9A0-4335-A619-D3BB3EEAEDDB}` 46 | 47 | == Filenames 48 | - `%LocalAppData%\%RAND%\NvSmartMax[.dll]` 49 | - `%LocalAppData%\%RAND%\MsCtfMonitor[.dll]` 50 | - `%LocalAppData%\%RAND%\libcurl[.dll]` 51 | 52 | == Scheduled task names 53 | - `GoogleBol` 54 | - `Adobe Acrobat TaskB` 55 | 56 | == C&C servers 57 | - clausdomain.homeunix[.]com:3928 58 | - balacimed.mine[.]nu:3579 59 | - fbclinica.game-server[.]cc:3351 60 | - newcharlesxl.scrapping[.]cc:3844 61 | -------------------------------------------------------------------------------- /sshdoor/samples.md5: -------------------------------------------------------------------------------- 1 | aa81c15e5c95d9f6dcdf31e4f7382d15 2 | 98171ed83bd22d1e2ae4e00b61096a07 3 | 05f7a7cfe34c578b9c86ce950060e52d 4 | c1d1711715908aced777c299c253fb32 5 | 369d5d0a5c800724a6d77f100fef0e2c 6 | d5f6794c3b41f1d7f12715ba3315fd7b 7 | eb5f89cbff4479c1821cf59a4fa5dc94 8 | 3976cdec69fb46eb0b0b33db08b5205d 9 | 5f20e21ed08347befdd3de1302eec366 10 | 01e1052a6c496695a3b51b913bd6bee6 11 | fda0fb5eec7eb956183099c78792ca59 12 | 117e3e4910b6d4e09adffd31b13acebb 13 | 973eee9fae6e3a353286206da7a89904 14 | b88c4958ae28dffac71d85e484eb8d2f 15 | 322ab8c3777eed33675b4668d53cb81f 16 | 9692e329e7a507e2f076c96e2a7fa12f 17 | cd654db712e5d07af53b4522e01dfb38 18 | d2327955581a23b8996ff7f590baea5d 19 | 118cddea6de8f84146872203efc5de3d 20 | e45b4f899671df2fea0992ee25eb4d7e 21 | 3f8234f8180446e821d30fcf8b288a2f 22 | e342f004fbfe3223478247b403b607a1 23 | cf039280b6be8f5b5d115e41e4c79c10 24 | cbfb356ff7ba5720a2f47c46d855e8d5 25 | b1308d2486f12a86a817041277cba3be 26 | 85e6efeeab1aa904b5320268cc8632dd 27 | 4acbbfdb0f1d2be7d39389c10454f949 28 | 5d92c70fc7395af707c692ec7aa62d38 29 | 693e84aa0899f419c36c3169b1e72597 30 | d8c8d1def195fcf129a3b917641d366a 31 | 2468b6631ae316f008e51398fded88b8 32 | 3d36ae70e17854b6bc8de710293f63b0 33 | 
75b76a4dab41641d6726bd02f2acb06c 34 | 8b7c583117ad1dbe8af09616da296e3e 35 | c10625bc51d518188aa9c4a57abe313d 36 | 1f884ca0d262028aa3bb357848e1bf71 37 | 81f3db59c0bcb416f1f9ce21f51985d9 38 | 8dcade3553e5927fc9632172f1b5a10b 39 | 0aba7300e3e6096d569c156b3f866805 40 | 3af333e4901edc3ce81968d7fab336fc 41 | 8c2f372be391f495b2dd5753bb49443e 42 | 142e4198e11d405899619d49cc6dc79c 43 | e179ae829fc296f1317ffdaddcffac84 44 | 19633ce4cb43b7f1fa9f657d7d098a8f 45 | 25c5717c7efbb401ee4d2bfd45e6fe85 46 | b01cdf16546dd4846b2c798d137e85d1 47 | 3cc1de6dc7c2650f8260d3a8a7b7c2e0 48 | 69ab02817355e9e9f27259c3f63de4ed 49 | 7731bca7a293366073a96bbeff46ef1e 50 | cff279702ffadfc301ec97f3d949f3cc 51 | ad3431c3472b632eeacbfb14902e635b 52 | 6fecdbe560ed6e53f75be103203465c3 53 | f383861de460467b02959f29013f2b02 54 | fb68f6fd6115a45b60ab0d5b2bfa6867 55 | 3bec26b292ad448be6443b2e24e6161a 56 | 307c83c43e4485a3a40cd777eaeb5c82 57 | 45919261da2cae10a274689f22804198 58 | 15e8eacf3a028310a7060f523478ff8e 59 | 24169f2f3c0eaf494716185c5d060ba2 60 | 39429732f83cfec5935514ffe7b68f96 61 | b389cad96003149f55c5599ce7016177 62 | 90dc9de5f93b8cc2d70a1be37acea23a 63 | 14f50980870851adad4225a0162055f3 64 | 8765d8cf21734cd65561d0ea603c4ba8 65 | 814d71caf37b6b1a29ab4eae39f53ad8 66 | 869d198218281f3c7ce720f13954a30a 67 | 74d7e4849615dd1ccbb37ad60fa405f9 68 | e994df2dec28cc74fa9471f02e23b6af 69 | 4b27fc4db7d4258234bbefce3809c9f3 70 | 3f766b4d7fba2c5ecab98d9679e0c6f9 71 | b85810ab7fd0488a67a043ad414b8f0d 72 | 5ce2b36ecce9b5d84b6110bd4320f2b6 73 | bd5a6e9dbc31fa52854171e0aff6ca22 74 | 3ade1fdfc34fb1be227f90417e18c9b9 75 | fa71437e822c09dbb1ab9f7c63f8bb8a 76 | 6a2d2719d528b8f36f8c1734a5531f39 77 | d84c47a022517d442ac2de0416698272 78 | 8fe8c5fda0ac0bd000efde865186818d 79 | 6940999e18fe9f030ad8ed2055ca4e36 80 | f0c4e150969135f6c8cea839b9d3aaee 81 | 9f08509f2f6a989a2cf19ce1d38f61ec 82 | ae3054b3d932f7605cfd13ed31668efb 83 | 5b3193530738e8e658c5ab8f63b5ee0d 84 | 376923c1ffac0da8197d7472b8da6a4b 85 | 
e08d087832581e7a595edece537595fe 86 | 752aa5dc9b88f3a701a2d46a29a45778 87 | 53da97955d18e4d59bca1698e1d0f3b7 88 | c4e4e32c0579146159b3bf3f7414c59f 89 | debb293bbe6995be2f6ee5bbf457006d 90 | 9d19a60863ff14bc8fe9298ce672af7d 91 | -------------------------------------------------------------------------------- /mikroceen/samples.sha256: -------------------------------------------------------------------------------- 1 | 69cbbb0b0ed3187ef27498e8d07dab9a7b4f31d350aac4cc9021ef77f81c22a7 2 | 47bac9731bbbfb2376f2c4192e025144d613f21844eb3dbecc9e658f28b9bd1c 3 | d282e20f90c0509ae03f83443334d974112c8eb2035e5846b6fe280470baef28 4 | 4281f7139dd68ff6e91ac7336c373bc241780ce832fa1a66ed2fe1d6498beb6a 5 | c2b25c60cbdb937de9a4d94c02c4240ab1f18ef2d92a01a7b18fc6aebb6e4e29 6 | e03aaef950282fdb6a4250d7cd7e43ccff8af9ccfde2d0c446f586461e68652e 7 | 40c4f8e00e04997a3d531930163501f53154b4c0caa220f835dab0f1ea51c5d1 8 | 82cd37d76a491427f3da34394fca46049013c9212f6a78b15c622d9ef37bb469 9 | 11325fb971519977abe73069f52531eace4c008e8a0d7da3b9193ac858aad2a8 10 | d0e2ff9f347a4cc3bdd560e249e9b47903e044ef0520bd6891e6c400c6c41a68 11 | 313687a206b1c55d5d9f410ac567076ae66579dd804e2615223e2e0e3b29b56b 12 | 1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd 13 | e8781cae3ad703a21fce77685fa5999976abe88b5ce9b46382a3ebc3ef1f3f2f 14 | 96238b0b0b236dcdfd50b1f4925ad1f07f3d2c144a5c14b4daf5e7828ea22540 15 | 92315cdcdd3ecdafbac1d46ef872aaa333e1ea159d662cb61c4fa029d3896df7 16 | dfbd1afa2488dd3218dd5a6c2657075af3f2fe7468fdb7d3a537935741d55e54 17 | b60b06586f89b0864c1f14f6f4a5720a766c57af696c775c09c25a78be95fac4 18 | 068998cd3bd4e6edc5a419ac77a974fadf4320967dafbd0de0dbbfa81e6e8953 19 | 028acf392ec5dc799b9f3e7a72541d99cf3fba94f7f6d4cbcaf284dbe98b3006 20 | 4281f7139dd68ff6e91ac7336c373bc241780ce832fa1a66ed2fe1d6498beb6a 21 | 725d7fa17d9196ecace417407b8545f68a373891b85f1a373c3280c503f120ec 22 | 6ba5decaef8ea3f62104b854ddac46d2534c3b8db9a9a871eb3c184a26c17a09 23 | 
092a9b294d8c550b5f9c85d96afe941160e0080044848669c02ccb905fbd71ec 24 | 07ee0d664ca29a84dce5097dab990bf9ee6bdf9c8e95fa428c80ad13b227b14d 25 | 71d186fbb0fb0ee98b4376708af8e5603525d8191cab97ff573d658b4860f073 26 | 40c4f8e00e04997a3d531930163501f53154b4c0caa220f835dab0f1ea51c5d1 27 | d839e382b6c9384897ea6fc0f140149324a2392dc312664d13a5981da23c7e3f 28 | c56b1f5995b19bb1fe039a9d9c9c72f6d690b8630fd78ab3fdf9beba0b4f419c 29 | 214ea738c87c6b6b9353d81b47bbbf20955dace611263f2588ce268ff8901079 30 | edc466f4c6ebf1b571b90c18e075d9a8ab731b3f9c71949c93bae9e2f936d7a8 31 | 19abf8d8bc1d32516279ad836fd8ca8334a270f3804a129f09c642c8d88da2a8 32 | a45fa366a6fcdf1e86f6e763e719d5ce31287530a990dedd8c605d0f5712d020 33 | c00b97260e2ebe1d5bf1ee2dd30d47593122a36bc1cef68cfdc1ef827d70df89 34 | 180d33c420bdd47a06ea3f2681a5431529a93f18d51d5c0d8f38948a1bd28869 35 | 568f4960c6694c73d8e4a15b1e8dec66e91be4527bbc16ff5b9afe1c4c667433 36 | c7d667fdd40ec2eace1cb14d2aefd8eea78faed068d3e0d33be5e378aaa15620 37 | dc130fe76c59dc13de4b694b7b66d1aab6d4febe18a91723b36c2f5ca18bc803 38 | e72fa7a7fbdbc043af06f26549b7a66fa9abd0862c4ac040444bc5b356dfac75 39 | 3a3b05a08180013a37fbdbe65e3fe017440c1cb34289647ef1f60316964ef6a9 40 | 516183dfaf3611e48827a44bc092aabec2ec08eca33c1f8109c93a72cf6215af 41 | fc66353fb26fd82227700beb47c4fa90118cea151eb1689fd8bf48e93fda71d0 42 | a9dfb364956de4fa17584f53ded0e8fc8ed3ca6fe43af4fe388214e0a3c39adb 43 | 0ac97cb6e980376b387c45dac951c8f1bcbacded544dcd71bbc920a89eb875db 44 | a9fb5062424e326a14505acc198312b2cef9393d3d892156006f771b6a3d8c76 45 | e39a396b7635ff06eacaad087dc905c114de00aad98ad9ea8689fa3658dc4666 46 | 2615e5585a5db77b973c74e0a87551978a9322c820362a148a995e571923b59c 47 | 397e6ed790f87d4db0758c5e57a9de8ff67bf80cf64927649cefcb7cb5a4667a 48 | fca47ad3f06a870a0b39fdd56488abe113b5003b0ec4c5c46faced714598e3d8 49 | d15fd2422d2fe22f321aba76d2cb5e7d9d1eccafc54432ead1f1ebd3d2e4dbf2 50 | -------------------------------------------------------------------------------- /sshdoor/kessel_config.ksy: 
-------------------------------------------------------------------------------- 1 | # This Kaitai Struct is provided to the community under the two-clause BSD 2 | # license as follows: 3 | # 4 | # Copyright (c) 2018, ESET 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without 8 | # modification, are permitted provided that the following conditions are met: 9 | # 10 | # 1. Redistributions of source code must retain the above copyright notice, this 11 | # list of conditions and the following disclaimer. 12 | # 13 | # 2. Redistributions in binary form must reproduce the above copyright notice, 14 | # this list of conditions and the following disclaimer in the documentation 15 | # and/or other materials provided with the distribution. 16 | # 17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 21 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
27 | # 28 | 29 | meta: 30 | id: kessel_config 31 | title: Kessel OpenSSH backdoor configuration blob 32 | license: BSD 2-Clause 33 | endian: le 34 | doc-ref: 'https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf' 35 | seq: 36 | - id: host 37 | type: str 38 | size: 100 39 | encoding: UTF-8 40 | - id: port 41 | type: u4 42 | - id: timeout 43 | type: u4 44 | - id: dns_enable 45 | type: u4 46 | - id: dns_report_enable 47 | type: u4 48 | - id: dns_ip 49 | type: str 50 | size: 100 51 | encoding: UTF-8 52 | - id: dns_port 53 | type: u4 54 | - id: dns_sub_host 55 | type: str 56 | size: 100 57 | encoding: UTF-8 58 | - id: socks_proxy_enable 59 | type: u4 60 | - id: socks_proxy_host 61 | type: str 62 | size: 100 63 | encoding: UTF-8 64 | - id: socks_proxy_port 65 | type: u4 66 | - id: http_proxy_enable 67 | type: u4 68 | - id: http_proxy_host 69 | type: str 70 | size: 100 71 | encoding: UTF-8 72 | - id: http_proxy_port 73 | type: u4 74 | - id: custom_protocol_enable 75 | type: u4 76 | - id: bc_local_host 77 | type: str 78 | size: 100 79 | encoding: UTF-8 80 | - id: bc_local_port 81 | type: u4 82 | - id: http_enable 83 | type: u4 84 | - id: http_port 85 | type: u4 86 | - id: http_fake_host 87 | type: str 88 | size: 100 89 | encoding: UTF-8 90 | - id: log_enable 91 | type: u4 92 | - id: log_file 93 | type: str 94 | size: 256 95 | encoding: UTF-8 96 | - id: masterpass 97 | type: str 98 | size: 100 99 | encoding: UTF-8 100 | - id: masterkey 101 | type: str 102 | size: 512 103 | encoding: UTF-8 104 | -------------------------------------------------------------------------------- /sshdoor/misp-events/bespin.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "id": "276", 4 | "orgc_id": "2", 5 | "org_id": "2", 6 | "date": "2018-10-10", 7 | "threat_level_id": "4", 8 | "info": "SSHDoor : Bespin", 9 | "published": false, 10 | "uuid": "5bbe52cb-40b0-4bda-8140-79220a016219", 11 | 
"attribute_count": "3", 12 | "analysis": "0", 13 | "timestamp": "1539269748", 14 | "distribution": "3", 15 | "proposal_email_lock": false, 16 | "locked": false, 17 | "publish_timestamp": "0", 18 | "sharing_group_id": "0", 19 | "disable_correlation": false, 20 | "extends_uuid": "", 21 | "event_creator_email": "romain.dumont@eset.com", 22 | "Org": { 23 | "id": "2", 24 | "name": "ESET", 25 | "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" 26 | }, 27 | "Orgc": { 28 | "id": "2", 29 | "name": "ESET", 30 | "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" 31 | }, 32 | "Attribute": [ 33 | { 34 | "id": "71293", 35 | "type": "sha1", 36 | "category": "Artifacts dropped", 37 | "to_ids": false, 38 | "uuid": "5bbe52f6-53d8-483c-a53e-7ec40a016219", 39 | "event_id": "276", 40 | "distribution": "5", 41 | "timestamp": "1539199734", 42 | "comment": "", 43 | "sharing_group_id": "0", 44 | "deleted": false, 45 | "disable_correlation": false, 46 | "object_id": "0", 47 | "object_relation": null, 48 | "value": "48bd2075313b1731938ee82282dc2562fbaa6cb1", 49 | "Galaxy": [], 50 | "ShadowAttribute": [] 51 | }, 52 | { 53 | "id": "71294", 54 | "type": "text", 55 | "category": "Antivirus detection", 56 | "to_ids": false, 57 | "uuid": "5bbe5314-f940-445a-b23d-79250a016219", 58 | "event_id": "276", 59 | "distribution": "5", 60 | "timestamp": "1539199764", 61 | "comment": "", 62 | "sharing_group_id": "0", 63 | "deleted": false, 64 | "disable_correlation": false, 65 | "object_id": "0", 66 | "object_relation": null, 67 | "value": "Linux/SSHDoor.BE", 68 | "Galaxy": [], 69 | "ShadowAttribute": [] 70 | }, 71 | { 72 | "id": "71295", 73 | "type": "filename", 74 | "category": "Artifacts dropped", 75 | "to_ids": false, 76 | "uuid": "5bbe5346-7d6c-4906-b6ad-7ad60a016219", 77 | "event_id": "276", 78 | "distribution": "5", 79 | "timestamp": "1539199814", 80 | "comment": "", 81 | "sharing_group_id": "0", 82 | "deleted": false, 83 | "disable_correlation": false, 84 | "object_id": "0", 85 | "object_relation": null, 86 
| "value": "/var/tmp/.pipe.sock", 87 | "Galaxy": [], 88 | "ShadowAttribute": [] 89 | } 90 | ], 91 | "ShadowAttribute": [], 92 | "RelatedEvent": [], 93 | "Galaxy": [], 94 | "Object": [], 95 | "Tag": [ 96 | { 97 | "id": "44", 98 | "name": "SSHDoor", 99 | "colour": "#000000", 100 | "exportable": true, 101 | "hide_tag": false, 102 | "user_id": "0", 103 | "numerical_value": null 104 | } 105 | ] 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /potao/samples.md5: -------------------------------------------------------------------------------- 1 | e64eb8b571f655b744c9154d8032caef 2 | ce0879958467c35d044c46f86b0ec2b3 3 | 11b4e7ea6bae19a29343ae3ff3fb00ca 4 | fc4b285088413127b6d827656b9d0481 5 | 73e7ee83133a175b815059f1af79ab1b 6 | 9179f4683ece450c1ac7a819b32bdb6d 7 | 38e708fea8016520cb25d3cb933f2244 8 | 360df4c2f2b99052c07e08edbe15ab2c 9 | 2d04127ab930903e9b0c324192754575 10 | b3f0165fb7d8420cd65c00300d349785 11 | f64704ed25f4c728af996eee3ee85411 12 | ca1a3618088f91b8fb2a30c9a9aa4aca 13 | 038ade8542930047a17959266ae44a09 14 | 14634d446471b9e2f55158d9ac09d0b2 15 | 36aee2600929ba7cc5e6815515fffe5b 16 | cfc8901fe6a9a8299087bfc73ae8909e 17 | acedbc810fb12d7d8ac67e25597b32a9 18 | 7ca6101c2ae4838fbbd7ceb0b2354e43 19 | b64dbe5817b24d17a0404e9b2606ad96 20 | 8f7591dd39ef2d1cee3a1bce1285ecb8 21 | 7263a328f0d47c76b4e103546b648484 22 | 9f00b61d859f050ae271123ab917b509 23 | fb4636e2d979a93bf04256b355b42f0f 24 | 720f46e789d564a6f592c8cd5f8e413d 25 | 057028e46ea797834da401e4db7c860a 26 | 3813b848162261cc5982dd64c741b450 27 | 79814dde13cc4cd763cf8633f86a7344 28 | e99450963342955c26fe3b05b76ccecb 29 | defe91cf65b2acbd8a284da1f686fb8f 30 | e685ea8b37f707f3706d7281b8f6816a 31 | 6bb15850d52b1de3fadec87b1f03a70f 32 | 1ab8d45656e245aca4e59aa0519f6ba0 33 | 27d74523b182ae630c4e5236897e11f3 34 | 2646f7159e1723f089d63e08c8bfaffb 35 | 609abb2a86c324bbb9ba1e253595e573 36 | bdc9255df5385f534fea83b497c371c8 37 | 35724e234f6258e601257fb219db9079 38 | 
d939a05e1e3c9d7b6127d503c025dbc4 39 | 6ba88e8e74b12c914483c026ae92eb42 40 | a35e48909a49334a7ebb5448a78dcff9 41 | 1234bf4f0f5debc800d85c1bd2255671 42 | 85b0e3264820008a30f17ca19332fa19 43 | 02d438df779affddaf02ca995c60cecb 44 | a427ff7abb17af6cf5fb70c49e9bf4e1 45 | 3b7d88a069631111d5585b1b10cccc86 46 | ea1cb57af6f13d6ad09bd004e82a5617 47 | a2bb01b764491dd61fa3a7ba5afc709c 48 | 0c7183d761f15772b7e9c788be601d29 49 | eebbcb1ed5f5606aec296168dee39166 50 | a446ced5db1de877cf78f77741e2a804 51 | 89b12e66f451b9df343a4037665b5d4a 52 | 299b6511ccf5e3db48256f00fda81cb7 53 | 514423670de210f13092d6cb8916748e 54 | 904424cb787f8968225ff78357f187f8 55 | 99278d6718320a2f57242e2127565393 56 | 65f494580c95e10541d1f377c0a7bd49 57 | 9c4626dcec35e3c56f37f1508eb97714 58 | c2350fd7a59dc296b1f8a5cb7790a06f 59 | 89a3ea3967745e04199ebf222494452e 60 | 502f35002b1a95f1ae135baff6cff836 61 | 2424e7e8d2f68a20ae1dfbf899c4be98 62 | 83f3ec97a95595ebe40a75e94c98a7bd 63 | 043f99a875424ca0023a21739dba51ef 64 | a4b0615cb639607e6905437dd900c059 65 | 50b08afbb91e609e806ce913bc4c4343 66 | 39b67cc6dae5214328022c44f28ced8b 67 | c719dca0e2a2c3abaa54323671d29c91 68 | 3d90cbe2ce091c9a752bff218459864b 69 | ae552fc43f1ba8684655d8bf8c6af869 70 | 169b85d388513b0fb3755e7fb14f25a2 71 | ac854a3c91d52bfc09605506e76975ae 72 | 579ad4a596602a10b7cf4659b6b6909d 73 | c1f715ff0afc78af81d215d485cc235c 74 | 542b00f903f945ad3a9291cb0af73446 75 | 5a24a7370f35dbdbb81adf52e769a442 76 | 76dda7ca15323fd658054e0550149b7b 77 | 2bd0d2b5ee4e93717ea71445b102e38e 78 | 5199fcd031987834ed3121fb316f4970 79 | babd17701cbe876149dc07e68ec7ca4f 80 | 0759abdbaa547cca1bcc8e70880c724e 81 | 6f6b96f0f6310e49ee1dc8eb7e79873d 82 | d755e52ba5658a639c778c22d1a906a3 83 | b4d909077aa25f31386722e716a5305c 84 | d1658b792dd1569abc27966083f59d44 85 | cdc60eb93b594fb5e7e5895e2b441240 86 | 1927a80cd45f0d27b1ae034c11ddedb0 87 | a166b1221611580ffd4602a119d920ca 88 | abb9f4fab64dd7a03574abdd1076b5ea 89 | 07e99b2f572b84af5c4504c23f1653bb 90 | 
f34b77f7b2233ee6f727d59fb28f438a 91 | a59053cc3f66e72540634eb7895824ac 92 | -------------------------------------------------------------------------------- /sshdoor/misp-events/borleias.json: -------------------------------------------------------------------------------- 1 | { 2 | "Event": { 3 | "id": "277", 4 | "orgc_id": "2", 5 | "org_id": "2", 6 | "date": "2018-10-10", 7 | "threat_level_id": "4", 8 | "info": "SSHDoor : Borleias", 9 | "published": false, 10 | "uuid": "5bbe5659-4794-490a-bb44-7ec50a016219", 11 | "attribute_count": "3", 12 | "analysis": "0", 13 | "timestamp": "1539269995", 14 | "distribution": "3", 15 | "proposal_email_lock": false, 16 | "locked": false, 17 | "publish_timestamp": "0", 18 | "sharing_group_id": "0", 19 | "disable_correlation": false, 20 | "extends_uuid": "", 21 | "event_creator_email": "romain.dumont@eset.com", 22 | "Org": { 23 | "id": "2", 24 | "name": "ESET", 25 | "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" 26 | }, 27 | "Orgc": { 28 | "id": "2", 29 | "name": "ESET", 30 | "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" 31 | }, 32 | "Attribute": [ 33 | { 34 | "id": "71299", 35 | "type": "ip-dst|port", 36 | "category": "Network activity", 37 | "to_ids": false, 38 | "uuid": "5bbe567e-a8d4-4a8c-ae53-01550a016219", 39 | "event_id": "277", 40 | "distribution": "5", 41 | "timestamp": "1539200881", 42 | "comment": "", 43 | "sharing_group_id": "0", 44 | "deleted": false, 45 | "disable_correlation": false, 46 | "object_id": "0", 47 | "object_relation": null, 48 | "value": "94.75.207.3|35247", 49 | "Galaxy": [], 50 | "ShadowAttribute": [] 51 | }, 52 | { 53 | "id": "71300", 54 | "type": "text", 55 | "category": "Antivirus detection", 56 | "to_ids": false, 57 | "uuid": "5bbe568b-b558-41fa-9540-7ec50a016219", 58 | "event_id": "277", 59 | "distribution": "5", 60 | "timestamp": "1539200651", 61 | "comment": "", 62 | "sharing_group_id": "0", 63 | "deleted": false, 64 | "disable_correlation": false, 65 | "object_id": "0", 66 | "object_relation": 
null, 67 | "value": "Linux/SSHDoor.BZ", 68 | "Galaxy": [], 69 | "ShadowAttribute": [] 70 | }, 71 | { 72 | "id": "71301", 73 | "type": "sha1", 74 | "category": "Artifacts dropped", 75 | "to_ids": false, 76 | "uuid": "5bbe56f6-7008-47f1-986b-7ec60a016219", 77 | "event_id": "277", 78 | "distribution": "5", 79 | "timestamp": "1539200758", 80 | "comment": "", 81 | "sharing_group_id": "0", 82 | "deleted": false, 83 | "disable_correlation": false, 84 | "object_id": "0", 85 | "object_relation": null, 86 | "value": "846cdb8cd32cac0bd6d739746f9368850ff5228d", 87 | "Galaxy": [], 88 | "ShadowAttribute": [] 89 | } 90 | ], 91 | "ShadowAttribute": [], 92 | "RelatedEvent": [], 93 | "Galaxy": [], 94 | "Object": [], 95 | "Tag": [ 96 | { 97 | "id": "44", 98 | "name": "SSHDoor", 99 | "colour": "#000000", 100 | "exportable": true, 101 | "hide_tag": false, 102 | "user_id": "0", 103 | "numerical_value": null 104 | } 105 | ] 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /invisimole/samples.md5: -------------------------------------------------------------------------------- 1 | 4bfeed3bf743db4010c3e063c2bbe32f 2 | 3363b6a5e082ebae70df774534d96acd 3 | abab0fe8d247c02929f781bcfe4a2eca 4 | 8541b315e5628110d686f512c726830d 5 | f887b16ec686445b00f937bdee2919c8 6 | 25f7967aa6f32ecfe27bdf05bd9b629f 7 | 273ca6b013b3d92116a095501f955741 8 | 36836d89b775658111f900a8619649f0 9 | 644f869e87a76a4087dfe9fea94ced8e 10 | 5688a32c2d24b37b1ca428a2953bc703 11 | 0a663f781913a8ca81359ba77b00086f 12 | 0042fc4db5b699775680d218cbbb633c 13 | f03f4617b3be8dd99ed959f2119c24d9 14 | 0120d6ed78e31cc75ee5a5b16b73fce7 15 | 313942d28b4bdba1c612eba1f5105f19 16 | a326ffa2f5d346cec303acf04a07df30 17 | 071ba874cdd1022acd039787d97cfc52 18 | 6b87a7cc5fef4d5c72f6fd1a6781dc94 19 | 0d1ed749af64a30e0397b5a184ec98df 20 | c32a95756bdf306a015523bfedd90af2 21 | e7f2084ca24b06de1d43d493ad484b4c 22 | 9216dabdf3e69ef675564fe5dd763667 23 | 06de7153103c400fb9fa466cb6646a04 24 | 
f2d20db2d1bbc649bdd9bfb478196f6e 25 | 3d3aeff215ab6fd0a69562a0fcc1ae59 26 | 76fd21b29cbc10d81c219dd2799e6c79 27 | 5a65a25d68004b58cc79f3a6ea457e6e 28 | 0aeae404db290d51ac7af7abadab15f3 29 | aa7d810b9d6d45cacb476b8e76155825 30 | 9ab9a66c6157875f12aa282b290336c2 31 | d33e9f2febe5355fad6b2172654be556 32 | a39a8990bb08b339fdb1696628b43a2f 33 | 0fb620f2feda5a4b0bf4db60c809ff24 34 | e9ee95d65ed7241b97bcc8bb41485799 35 | dccb8e1a91c66ddc07f9992ba28576e9 36 | 6f750ea20da05a31003b2032ff066d6f 37 | 268401cade50f283a36df8745da91aa9 38 | 81f90b1249f90eeeb09d216b64a383e3 39 | 56e8455aaa7b926091c2e5b8d55b9661 40 | 1f254f4f542774583f52d1087dab1e12 41 | 5418bafa0917c9cb84639b5b923042ae 42 | 6315872b574897c5b3d4f6a350ba46da 43 | 2383659249c0b13719363b3b98246e34 44 | f7be57f37d20e8a21a77b32833212110 45 | 292180b80737f2507a5949a4f7e7a6c8 46 | 0d9da59ebd8f9ec3b51452781dd8e348 47 | 516a13245e3a31db2cb719c95aa2da04 48 | 7faa9971f6c91b534ff108126e932359 49 | 771cc1270e5f36e79898618c02f5fec7 50 | 3078ff27a2612d5530be1e4e2eb30a54 51 | df18a8029c61432cdce12aaac71971bb 52 | 739da32ab8f86bc4166d7b1d6df37d5f 53 | 766a2bce08eabace83ea994ff8189250 54 | 309b1f0f5e305e698e45a5e63e0f4f1e 55 | 63bcd93726485fab3ba719aab1aa67b5 56 | d8b72ccef3372ccc1082195705bd5ec5 57 | 22591bf07dbc025fc9fd83e005641ce4 58 | 8f278c9b843c6d030b64f80aba2cfc03 59 | 812f93d56dc23c288572920117ae8105 60 | efd2c32a80b8497ac6b8003530754bdc 61 | 0b4297f57d9f1b99faa703dfa0ee487c 62 | 0cb3cc13374e270d912c1b662183257e 63 | fa2edd8a24266f9ecccea44b4b47100f 64 | 58c01a80e8a5b9de93dd822feec1d662 65 | a75d1153ec8800fc8fea3a65a562fd96 66 | 6187531afd53592a3752b4a3271096c0 67 | 995660a5fcd31050a0492d0e4fdcc399 68 | a4f67ff7548284ec5c1f8aedcdee8a5d 69 | 2200654df0013e7a8a1cfee491a28cb0 70 | 39d234bd237a1ef46865d9e99c98f1a5 71 | 19103858513cbcd268fb812f979cf8a6 72 | c4fb28195e4fb38e46b03cbaa5089431 73 | 50b60c86ebd84715df2b489c5b986c8d 74 | 331681e1211394f91c52294e85cecf8e 75 | ce1af2476b4cfb64141d4f35db52383b 76 | 
08360a69ee9a3653f4b7ddf954d4a892 77 | fe0e3feabf298a0674ad323d39c8b609 78 | b282ba4213221e3abe49a1d68fb9fc37 79 | 852384ccfba891ba95606d44d86742bb 80 | 33fe8bb68c4a0bcfb7ad0a814404076a 81 | 8277fb48d720e489296c8fe3357c54b6 82 | 90364d768530a325a2a9df0fe8c3258a 83 | 67521ab9b1855b4a6f58ae99c61cfad6 84 | 84d1c9147ba235d8f9691282c96cf100 85 | e716d65846f047c8ef693c595b1f537c 86 | 5ed33400a692ca9816b6276894e1b7db 87 | 8fdb215410bdda385c40b694ef151203 88 | 42b7859aac1841ec772c5f3784aaaf6a 89 | 13f8744ad961d44e4892edf2084a1800 90 | 21ae205c6fe259a147c63ddddee5c113 91 | 840d391db7b393670d8516c81d855722 92 | 65e55d189d8db4228ad9a11c1898ff78 93 | c53e34bbda91f3059ea4dcff66a36d0c 94 | eb6a1ccdffb3247d54da328d5ec2cc00 95 | -------------------------------------------------------------------------------- /evilnum/samples.sha1: -------------------------------------------------------------------------------- 1 | 04F7FEDF8FDDF8EB5B592A57F67F72B1075C7CC1 2 | 1303EB76FE1F978C6BFB6EA28329E7CDA61126AF 3 | 1C1D8D0AF6AA728589C5D0D0F46C01B129C75BA0 4 | 1F287AA922911F72F68B4B0C8645B4C909EB07B9 5 | 212FA26C100BF56120C7F2F2D569819E3DABE556 6 | 228FE78F80565BC7C02DA137505196E9EDBA767C 7 | 23DA05A5FAD175F2C035A8C4601E09E30C98B202 8 | 27054C073C10F61452101646DA5AC9AA21DC90DB 9 | 27A75DE6BC73106BF192A38A45740DEE47A1D9D3 10 | 29EF1FE11A063FBE218DE9BF91A4C2F871592F26 11 | 2B8522ED748178037BD13FC4D3F564CE8B7BA6D6 12 | 3200E9832CD61828DDF4E82155D66B63D2E6A54E 13 | 34A72738DC025353EBDC3D5C99B19DAE4D9DE2E6 14 | 36345044D5E88CC8C002863E3F1F48FDEC8FF4D9 15 | 3AAED43B2B8E36DA80046AF51C33A3ADFB49BD1F 16 | 3F71525D531690A6B75CABE113B7221504108B44 17 | 401BC3740385A73EF0D3AD93DFCE03C82770072A 18 | 4187F714076853B1FFA38A84835DB2623460F537 19 | 438B0C180A7CFF5AEDBFC9FF83668A0DEC0174A4 20 | 45BB89DF5A612F53B119A6111E6AC6DE60E071D5 21 | 46AA42970418010DBD5EFD571BC7056BECBCB2DC 22 | 476BB78BCF194523C385E2CEE364D6D097464ECA 23 | 47A7CD789C90735325EBD2C495A983A9C7E56E6F 24 | 
480C6F0C3998009C017051A8D6FFE199BC2A18DF 25 | 4CDD87F5B9AB8C2AFCD76E4B8127B0CB6E880CF1 26 | 513B161299D99F4BE1DFFBB171B7C4040FF83DE7 27 | 55D1AEA9BBB49A96A383AA5B604870DF06E7DE09 28 | 5A2227A37676564969F4392790FE9E3B995D7782 29 | 650DEB9BAFF4B7564146222DEB555E77D5CBBE36 30 | 6E7493BD1EF727FBC6EECD3AE5EC31BB8C1E897D 31 | 7379FD28E0816555D081196F0CA3EB44C8E62911 32 | 73C5792AA05C122903C1AEA1E1F965D223C073D8 33 | 7C98E37CBA9B9C757E77892F02E1783A80AC450F 34 | 7D9037377DC2A2E3FC1985983942D1E9F986AA42 35 | 854A17550FF473FB4C5AB03FD39ABFD1B3953E9C 36 | 910382E02738661583813D212904742390C5008A 37 | 9677FCBF6F59BE2A5AB61BE5E6DF91599FB67602 38 | 976DA2E8BDD698D974D38D01593897CA64946D92 39 | 97820A79FD43F664F553C46DCA682BCE135B2CC3 40 | A21522A20DB85C24CDC0CF46818E576F19CB0927 41 | A2DBD75DD079594D36509F5EF84A22F869DF68CF 42 | A5C91E06881E19079B7E8496C6F229A790E8C1EE 43 | A5F300C880842328B4D0D9C83F8314180520BD5A 44 | A6ECD3A818D463155C31977000E6FDE3EB8A2352 45 | A7F1C2BE87B5EE4392757948FB7C895CAD95520B 46 | AA7585DF29E8F1D058FF267B94E8E7084DE4C7C1 47 | AB0C6268C61D9F36996BA7653B3A3E1EDE2AEE51 48 | AF0A98F04697F836878D76DC402668C42FF1E2CA 49 | AF68B3E310BF8446E4CD10EFCF4776196131E785 50 | B3C8C1C80824278661FBB26B17040B87180D1D34 51 | B6767E63CC8483444540D701F00705B65055C69B 52 | B6B9C5EFFDD14E2920183B313C56E5068C57A709 53 | BD8D4C93234B01A155128E3FABB61AE1CC81B5F1 54 | C17CF1E8B4806A931F5FA0D73AD4BB521C43849A 55 | C23F0551C2F7937EA4AD4B970B01CBD4D104EFFE 56 | C2739DDC99027AB515C75C352FB532524A082066 57 | C341D18A79057B032DC0A03F4524606205057F62 58 | C4817D8C8E0B147ED5220229987FC84A43DA16A5 59 | C7575DCCC6D1A228393E9AC0840A4C10BB4C1FB2 60 | D6341CD464847C9C2716030111261D5B84A43B2A 61 | D675D3AC1C05DC7AC73674C47FA141D75F537DD3 62 | DB50FC4EA4F6C13FDBCD28EBE2F1CC44A74A83BF 63 | DBB54C9B29AEA16EFA8E3AE663428E6F2BDE4919 64 | DE0FF4B04F05482ADE4CF3BA765A453818F6858E 65 | E0957B2421A6EF3237A33A37DA8B52A9F29863D6 66 | E29011596AFE794BA673906F8F8F35AB71F397ED 67 | 
E8A95EC590E5786B780D3D6986282273895B4C8A 68 | EB046DEB4BDF36461BB828967CE15D5123637CEE 69 | EDD1CA115D600E982623A3A2342810855B0DE543 70 | EE050A767EAA5227ED40D7A77B7746AEA0554AE5 71 | EE59BC476BB3A7DB1190BEB791A5AA8550FC9541 72 | EF2B07B2C6B5B1F25C18FA7546EDC1EEDB3CC055 73 | F0DB18E0FD8C376A7EF7316C413240857F37CCAA 74 | F113CA2DA0F1E4ECC92000E419DAD2B259A9F839 75 | F15C8F755B32A70471639B050B93FDBFB5A4D403 76 | F35961EB47EC4FF1B79300B8115FECD2313C6DFC 77 | FBCB367EC7DD64B253482B4475CCDE6FF6B10AB0 78 | 90C22DB300F44EC79BEAB4662BB77ED1E81843BC 79 | -------------------------------------------------------------------------------- /turla/gazer.yar: -------------------------------------------------------------------------------- 1 | // For feedback or questions contact us at: github@eset.com 2 | // https://github.com/eset/malware-ioc/ 3 | // 4 | // These yara rules are provided to the community under the two-clause BSD 5 | // license as follows: 6 | // 7 | // Copyright (c) 2017, ESET 8 | // All rights reserved. 9 | // 10 | // Redistribution and use in source and binary forms, with or without 11 | // modification, are permitted provided that the following conditions are met: 12 | // 13 | // 1. Redistributions of source code must retain the above copyright notice, this 14 | // list of conditions and the following disclaimer. 15 | // 16 | // 2. Redistributions in binary form must reproduce the above copyright notice, 17 | // this list of conditions and the following disclaimer in the documentation 18 | // and/or other materials provided with the distribution. 19 | // 20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | // DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | // 31 | import "pe" 32 | 33 | rule Gazer_certificate_subject { 34 | meta: 35 | author = "ESET Research" 36 | date = "2017-08-30" 37 | description = "Turla Gazer malware" 38 | reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" 39 | source = "https://github.com/eset/malware-ioc/" 40 | contact = "github@eset.com" 41 | license = "BSD 2-Clause" 42 | 43 | condition: 44 | for any i in (0..pe.number_of_signatures - 1): 45 | (pe.signatures[i].subject contains "Solid Loop" or pe.signatures[i].subject contains "Ultimate Computer Support") 46 | } 47 | 48 | rule Gazer_certificate 49 | { 50 | meta: 51 | author = "ESET Research" 52 | date = "2017-08-30" 53 | description = "Turla Gazer malware" 54 | reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" 55 | source = "https://github.com/eset/malware-ioc/" 56 | contact = "github@eset.com" 57 | license = "BSD 2-Clause" 58 | 59 | strings: 60 | $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02} 61 | $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c} 62 | 63 | condition: 64 | (uint16(0) == 0x5a4d) and 1 of them and filesize < 2MB 65 | } 66 | 67 | rule Gazer_logfile_name 68 | { 69 | meta: 70 | author = "ESET Research" 71 | date = "2017-08-30" 72 | description = "Turla Gazer malware" 73 | reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" 74 | 
source = "https://github.com/eset/malware-ioc/" 75 | contact = "github@eset.com" 76 | license = "BSD 2-Clause" 77 | 78 | strings: 79 | $s1 = "CVRG72B5.tmp.cvr" 80 | $s2 = "CVRG1A6B.tmp.cvr" 81 | $s3 = "CVRG38D9.tmp.cvr" 82 | 83 | condition: 84 | (uint16(0) == 0x5a4d) and 1 of them 85 | } 86 | -------------------------------------------------------------------------------- /rakos/vars.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | version: 30 4 | logging: no 5 | generation: 0 6 | 7 | 8 | skaro: 9 | ips: 10 | - "193.0.178.151" 11 | - "46.8.44.55" 12 | - "5.34.183.231" 13 | - "185.82.216.125" 14 | - "195.123.210.100" 15 | ping: 60 16 | 17 | checkers: 18 | - "http://193.0.178.151" 19 | - "http://46.8.44.55" 20 | - "http://5.34.183.231" 21 | - "http://185.82.216.125" 22 | - "http://195.123.210.100" 23 | - "http://httpbin.org/ip" 24 | 25 | userpass: [ 26 | "root:qwerty", 27 | "user:admin", 28 | "ubnt:ubnt", 29 | "root:12345", 30 | "root:klv1234", 31 | "guest:1234", 32 | "user:user", 33 | "root:1111", 34 | "test:test", 35 | "admin:123456", 36 | "support:password", 37 | "root:root", 38 | "admin:1", 39 | "test:test123", 40 | "manager:manager", 41 | "fax:fax", 42 | "service:service", 43 | "root:Zte521", 44 | "root:letmein", 45 | "sales:sales", 46 | "guest:guest", 47 | "shell:sh", 48 | "enable:system", 49 | "user:password", 50 | "backup:backup", 51 | "ftpuser:ftpuser", 52 | "user:1234", 53 | "admin:password123", 54 | "root:pfsense", 55 | "root:abc123", 56 | "root:admin", 57 | "support:support", 58 | "root:anko", 59 | "monitor:monitor", 60 | "root:vizxv", 61 | "bin:bin", 62 | "root:ikwb", 63 | "admin:manager", 64 | "oracle:oracle", 65 | "test:12345", 66 | "bob:bob", 67 | "user1:1234", 68 | "user1:123456", 69 | "root:", 70 | "1:1", 71 | "root:1", 72 | "admin:default", 73 | "support:123456", 74 | "nagios:nagios", 75 | "default:default", 76 | "demo:demo", 77 | "admin:1111", 78 | "admin:password", 79 | "PlcmSpIp:PlcmSpIp", 80 
| "pos:pos", 81 | "support:12345", 82 | "admin:smcadmin", 83 | "root:baseball", 84 | "root:0000", 85 | "guest:12345", 86 | "admin:1234", 87 | "apache:apache", 88 | "admin:", 89 | "root:123456", 90 | "administrator:password", 91 | "admin:ubnt", 92 | "admin:123321", 93 | "adam:adam", 94 | "root:alpine", 95 | "root:54321", 96 | "admin:support", 97 | "anonymous:anonymous", 98 | "root:juantech", 99 | "tester:retset", 100 | "admin:administrator", 101 | "root:888888", 102 | "root:pass", 103 | "root:raspberry", 104 | "nobody:nobody", 105 | "pi:raspberry", 106 | "admin:admin", 107 | "debian:debian", 108 | "root:root123", 109 | "root:xc3511", 110 | "administrator:1234", 111 | "admin:root", 112 | "admin:abc123", 113 | "root:password", 114 | "ftp:ftp", 115 | "root:xmhdipc", 116 | "test1:test1", 117 | "admin:qwerty", 118 | "root:openelec", 119 | "admin:admin1234", 120 | "shipping:shipping", 121 | "supervisor:supervisor", 122 | "root:1234", 123 | "root:system", 124 | "admin:12345", 125 | "ftpuser:asteriskftp", 126 | "root:default", 127 | "root:666666", 128 | "aPlcmSpIp:PlcmSpIp", 129 | "admin:111", 130 | "operator:operator", 131 | "root:ubnt" 132 | ] 133 | 134 | smtp: 135 | usernames: 136 | - jobs 137 | - job 138 | - hr 139 | - info 140 | - support 141 | - root 142 | - postmaster 143 | - sales 144 | - admin 145 | - contact 146 | passwords: 147 | - info 148 | - support 149 | - password 150 | - password1 151 | - password2 152 | - password3 153 | - password0 154 | - 0000 155 | - 1111 156 | - 1234 157 | - 12345 158 | - 123456 159 | - 1234567 160 | - 12345678 161 | - 123456789 162 | - qwerty 163 | - 1qaz2wsx 164 | -------------------------------------------------------------------------------- /rtm/samples.md5: -------------------------------------------------------------------------------- 1 | 52e3cd6913c503eb427bd5a43f4090b6 2 | 0ae0a33272228c1c67cecd65667e33f4 3 | 2ca67be644862033a967caea7dfe744e 4 | 20ed3e65af4e59e8e5a50fa5a32651c4 5 | dfcaa45a0bafbfa54f56d3bf8cbc925b 6 | 
d5642eee675b66402be93b377c053ddb 7 | cc04cdce2e6940515dc022de658ffcec 8 | 5d4c9c7e19e1e85aa4d4441f1fdd79d9 9 | 23975b38e11ad89b8e561a675c501278 10 | b26125e36a918b3c9748834ed24c8a58 11 | a23e36fecf403e88c49c71c498ac413b 12 | 5a4e135a7a61ee5f1b9b3deaf9ee1f4f 13 | 5586f79b53cabbcfabb4c755982dcc56 14 | 839677108552d0f651877c69d2855cce 15 | ce5711311bcc91d46d249521faea9d6a 16 | caac8f0067de80e1e81965e9d99eb29d 17 | 648f89708c6582de1dddc17bb979e4f7 18 | 70f79ed6a5a468b1a7454d7f9d59dca2 19 | 13dc85e7013353de66139806442efb58 20 | 25cbdb7583edd1e3bf769e5102507d40 21 | d80e20605c1bedfdff09ceadca57cc21 22 | 4107e1105698a27cdd84dca15085a66a 23 | a0405d199b57eea300cc6379089cc6d0 24 | 2d29462c594a8662c463bdf08ac1ea66 25 | a1cabce244bf2857692a673005bfcc71 26 | e7eb47a5f94f41d5a63a60eebb421a1c 27 | 7fa324dadd54551a4642bb609f56dc50 28 | 9bff35c08fe973f8090c9b0f2e583fc2 29 | 543fc6a14275fdb78d4fad0d62ffb81f 30 | bff4569850123a9838961e4ab88ee378 31 | 82ca5911a23ca8e92476931408959bed 32 | 7a381defde1b9e0f9eae7cbca0ed5f17 33 | 1ef3776be26798ccd5f1fb2737744240 34 | 4ebf129d1e43075b2d45437593f74a32 35 | a276009295a8ae02d973f678435d6a4a 36 | 3deea57d2ed263945c810c63114d4ade 37 | 95336b00329122dcb506c61eb8978e7a 38 | 5ae5970c76eabb1609079af1027e8e5c 39 | 98af39124469ec04179f98d96203ee9c 40 | fbbdad3acfe3e5aa219a8001725b5d13 41 | 21a02832fa55e26c34bfd286208f6841 42 | eb49ea17c7cb82018fc7cd024ffdcb6b 43 | 3f1ac2afbe1720ed794e0cf857998b38 44 | 2d04213ca76ae9b58ec6946d997cf050 45 | 7f7a984b8a779f13e070bf4f638a7b82 46 | 03cc4b1c85a01c636befb936ad689081 47 | c040f3938505a75c5064463940ac11da 48 | a290e068f1425933576a8d966c41f418 49 | 93dfc3e29f6baab8a4db480bce9c7b80 50 | 76272d965f80550272f538f588dfe50b 51 | 23f000bd072f61e39aa8098341baf9c7 52 | 686c31591e4ba4d3acfeeda30e4ab4a6 53 | 73b42ac32496e5ae58a77fee9c7e074d 54 | 7e4f128e89269cca203a212e7d015ccd 55 | 13b4e61c66426a2326a9ec6b52561c61 56 | 9a0fbc99fb007b3dfe4fbc8038fc89ef 57 | 2a6cf28c8ed0b414088e710af3808e00 58 | 
c4451ef03bc157cc29048936cf74c44d 59 | 0c7ba51253b0c5733d28e4521e24eb00 60 | b09340eb5b3d484d88cb11b6bb1e51c6 61 | c9ef5cc74f0810002ab72cb5806bd692 62 | 76609dad320bd4a675fafd067da8e1de 63 | dd91fa13d31dea2c87cf4d39940b104f 64 | 36080727a18e8cac844c6ebca265abf3 65 | 2f827102915af5379d94456ae3d6c68f 66 | c673979c56bcf3e240e2dc3a657de264 67 | b0d26da61d34db6560329471d7f81165 68 | 49b5c9fe99d6603678b952265ef84c8c 69 | a1b126d83f16c90d38d9cb56ee7cdc80 70 | c51f253696ab41c92b6043d736ec0491 71 | 857d8693cc4ca75396a89ad643954e78 72 | 222fa6bcca0d81db85c788651fde2374 73 | 6080ba9d4a762b6c8937b8d297c6eb31 74 | 2a52ca1c9cc99ec153213b28dc22f2fd 75 | 1e75af9cb0bf7089b8b93c153b8c4d77 76 | c004684a889832c93c6ea4d1de86213d 77 | e3054a042408c665b03b75e6a11daffe 78 | 0e14a4ebc82c8c4245546aef61c1f677 79 | 3b0a72945d2f2180f5ea39c03ad6db5d 80 | 7dd4539ca4c85529f565453118340a5b 81 | a4172c551d198e5bf0f5f14701a679d3 82 | 4476c9e4ab8064b060260f384482fbe1 83 | 8913c89b8abfe1468f891c728716028b 84 | 5263ab652bcf440fd0b3067613a15c9e 85 | 8f2a310705c35f70425161b59f05abc6 86 | 7b82718066360654e8ba8368fd8a9309 87 | c0dfca44bf669b135956eeae32d48fa6 88 | 469c53a04eee1cf48f6b5b1ac35e3a8e 89 | 2d1994fb2c3f60b7fa3a14ab5e761863 90 | cb0a8037d14882f2cbdb709e387d3dcd 91 | 299f7fa8de027117af65084767a4ffb5 92 | fc9df85561eb68259756783c3a632a89 93 | 57ced0693fa4763e05426753b1409b27 94 | 39b3af247a70e3235262902fed89d86b 95 | a1d3cf59ca08f37429ee8dae473249d7 96 | 2a60cc3e695fd653a1539ae03da5e5f7 97 | b60dcd4a380eef4124e06c1a4759cf69 98 | -------------------------------------------------------------------------------- /windigo/samples.sha1: -------------------------------------------------------------------------------- 1 | fa6707c7ef12ce9b0f7152ca300ebb2bc026ce0b 2 | ac96adbe1b4e73c95c28d87fa46dcf55d4f8eea2 3 | b58725399531d38ca11d8651213b4483130c98e2 4 | 09c8af3be4327c83d4a7124a678bbc81e12a1de4 5 | 2fc132440bafdbc72f4d4e8dcb2563cc0a6e096b 6 | dd7846b3ec2e88083cae353c02c559e79124a745 7 | 
9018377c0190392cc95631170efb7d688c4fd393 8 | 03592b8147e2c84233da47f6e957acd192b3796a 9 | 858c612fe020fd5089a05a3ec24a6577cbeaf7eb 10 | 5b87807b4a1796cfb1843df03b3dca7b17995d20 11 | 10c6ce8ee3e5a7cb5eccf3dffd8f580e4fb49089 12 | 25a819d658d02548b2e5bdb52d2002df2f65b03a 13 | bbce62fb1fc8bbed9b40cfb998822c266b95d148 14 | 62c4b65e0c4f52c744b498b555c20f0e76363147 15 | 5d3ec6c11c6b5e241df1cc19aa16d50652d6fac0 16 | 1dd7a18125353d426b5314c4ba04d60674ffa837 17 | 2f382e31f9ef3d418d31653ee124c0831b6c2273 18 | 7248e6eada8c70e7a468c0b6df2b50cf8c562bc9 19 | 471ee431030332dd636b8af24a428556ee72df37 20 | 615c6b022b0fac1ff55c25b0b16eb734aed02734 21 | 5c796dc566647dd0db74d5934e768f4dfafec0e5 22 | a53a30f8cdf116de1b41224763c243dae16417e4 23 | 051a89a7a335062829a8e938b8d4e3e2b532f6ff 24 | 9bb6a2157c6a3df16c8d2ad107f957153cba4236 25 | 6180d8c1c6967d15a0abb0895103ccc817e43362 26 | 74cd5ae9f6bbdf27b4eaf45c4a22c6aae07345a2 27 | 5196a8a034611aaa112232767aafd74b8ef71279 28 | e14da493d70ea4dd43e772117a61f9dbcff2c41c 29 | 98cdbf1e0d202f5948552cebaa9f0315b7a3731d 30 | a7b8d06e2c0124e6a0f9021c911b36166a8b62c5 31 | c4c28d0372aee7001c44a1659097c948df91985d 32 | ee679661829405d4a57dbea7f39efeb526681a7f 33 | 4d12f98fd49e58e0635c6adce292cc56a31da2a2 34 | a0f18b5ee2d347961b7109a22ea06cca962693d2 35 | a51b1835abee79959e1f8e9293a9dcd8d8e18977 36 | 58f185c3fe9ce0fb7cac9e433fb881effad31421 37 | 8f75993437c7983ac35759fe9c5245295d411d35 38 | 1d3aafce8cd33cf51b70558f33ec93c431a982ef 39 | adfcd3e591330b8d84ab2ab1f7814d36e7b7e89f 40 | fc39009542c62a93d472c32891b3811a4900628a 41 | d552cbadee27423772a37c59cb830703b757f35e 42 | 149cf77d2c6db226e172390a9b80bc949149e1dc 43 | 78c63e9111a6701a8308ad7db193c6abb17c65c4 44 | bf1466936e3bd882b47210c12bf06cb63f7624c0 45 | 1972616a731c9e8a3dbda8ece1072bd16c44aa35 46 | eb352686d1050b4ab289fe8f5b78f39e9c85fb55 47 | 3c5ec2ab2c34ab57cba69bb2dee70c980f26b1bf 48 | 74aa801c89d07fa5a9692f8b41cb8dd07e77e407 49 | 267d010201c9ff53f8dc3fb0a48145dc49f9de1e 50 | 
1a9aff1c382a3b139b33eeccae954c2d65b64b90 51 | 20467521bfd58e9ed388ce83467d73e8fd0293a7 52 | 17c40a5858a960afd19cc02e07d3a5e47b2ab97a 53 | f1ada064941f77929c49c8d773cbad9c15eba322 54 | fdf91a8c0ff72c9d02467881b7f3c44a8a3c707a 55 | 24e3ebc0c5a28ba433dfa69c169a8dd90e05c429 56 | bd867907a5059ab1850918d24b4b9bbe33c16b76 57 | ddb9a74cd91217cfcf8d4ecb77ae2ae11b707cd7 58 | 39ec9e03edb25f1c316822605fe4df7a7b1ad94a 59 | 899b860ef9d23095edb6b941866ea841d64d1b26 60 | b8508fc2090ddee19a19659ea794f60f0c2c23ff 61 | e2a204636bda486c43d7929880eba6cb8e9de068 62 | 8daad0a043237c5e3c760133754528b97efad459 63 | 7314eadbdf18da424c4d8510afcc9fe5fcb56b39 64 | a559ee8c2662ee8f3c73428eaf07d4359958cae1 65 | e8d392ae654f62c6d44c00da517f6f4f33fe7fed 66 | 035327b42f6e910b652bbdde5d9c270cfbaa9669 67 | 575bb6e681b5f1e1b774fee0fa5c4fe538308814 68 | 7adb38bf14e6bf0d5b24fa3f3c9abed78c061ad1 69 | 0004b44d110ad9bc48864da3aea9d80edfceed3f 70 | ebc45dd1723178f50b6d6f1abfb0b5a728c01968 71 | 0daa51519797cefedd52864be0da7fa1a93ca30b 72 | 2e571993e30742ee04500fbe4a40ee1b14fa64d7 73 | 4f40bb464526964ba49ed3a3b2b2b74491ea89a4 74 | 42123cbf9d51fb3dea312290920b57bd5646cefb 75 | e8d3c369a231552081b14076cf3eaa8901e6a1cd 76 | 44b340e90edba5b9f8cf7c2c01cb4d45dd25189e 77 | 0eb1108a9d2c9fe1af4f031c84e30dcb43610302 78 | 27ed035556abeeb98bc305930403a977b3cc2909 79 | f634f305a655b06f2647b82b58f7d3920546ac89 80 | 9e2af0910676ec2d92a1cad1ab89029bc036f599 81 | 5bdf483279a4a816ed4f8a235e799d5068d14f64 82 | d4eeada3d10e76a5755c6913267135a925e195c6 83 | -------------------------------------------------------------------------------- /greyenergy/samples.sha1: -------------------------------------------------------------------------------- 1 | 6abd4b82a133c4610e5779c876fcb7e066898380 2 | 716efe17cd1563ffad5e5e9a3e0cac3cab725f92 3 | e2436472b984f4505b4b938cee6cae26ef043fc7 4 | 646060ac31ffddfbd02967216bc71556a0c1aedf 5 | b75d0379c5081958af83a542901553e1710979c7 6 | 10f4d12cf8ee15747bfb618f3731d81a905aab04 7 | 
d3ae97a99d826f49ad03addc9f0d5200be46ab5e 8 | ceb96b364d6a8b65ea8fa43eb0a735176e409eb0 9 | e496318e6644e47b07d6cab00b93d27d0fe6b415 10 | 455d9eb9e11aa9af9717e0260a70611ff84ef900 11 | 438c8f9607e06e7ac1261f99f8311b004c23dec3 12 | b3ef67f7881884a2e3493fe3d5f614dbbc51a79b 13 | 0b5d24e6520b8d6547526fcbfc5768ec5ad19314 14 | 04f75879132b0bfba96cb7b210124bc3d396a7ce 15 | 4e0c5ccffb7e2d17c26f82db5564e47f141300b3 16 | 2a7ee7562a6a5ba7f192b3d6aed8627dffda4903 17 | 177af8f6e8d6f4952d13f88cdf1887cb7220a645 18 | c449294e57088e2e2b9766493e48c98b8c9180f8 19 | cb11f36e271306354998bb8abb6ca67c1d6a3e24 20 | df051c67ee633231e4c76ec247932c1a9868c14f 21 | e83a090d325e4a9e30b88a181396d62fef5d54d5 22 | 594b809343feb1d14f80f0902d764a9bf0a8c33c 23 | 89d7e0da80c9973d945e6f62e843606b2e264f7e 24 | 58a69a8d1b94e751050decf87f2572e09794f0f8 25 | 940de46cd8c50c28a9c0efc65aee7d567117941b 26 | 3608ec28a9ad7af14325f764fb2f356731f1ca7a 27 | 94f445b65bf9a0ab134fad2aaad70779eafd9288 28 | 1aa1ef7470a8882ca81bb9894630433e5cce4373 29 | 81332d2f96a354b1b8e11984918c43fb9b5cb9db 30 | 99a81305ef6e45f470eee677c6491045e3b4d33a 31 | e4fcaa1b6a27aa183c6a3a46b84b5eae9772920b 32 | 0666b109b0128599d535904c1f7ddc02c1f704f2 33 | c1eb0150e2fcc099465c210b528bf508d2c64520 34 | 0bcecb797306d30d0ba5eaea123b5bf69981eff4 35 | 30af51f1f7cb9a9a46df3abffb6ae3e39935d82c 36 | 639bce78f961c4b9ecd9fe1a8537733388b99857 37 | 71ba8fe0c9c32a9b987e2bb827fe54dae905d65e 38 | 90122c0dc5890f9a7b5774c6966ea694a590bd38 39 | 1ba30b645e974de86f24054b238fe77a331d0d2c 40 | ad6f835f239da6683caa54fccbcfdd0dc40196be 41 | ec7e018ba36f07e6dadbe411e35b0b92e3ad8aba 42 | 4e137f04a2c5fa64d5bf334ef78fe48cf7c7d626 43 | d24fc871a721b2fd01f143eb6375784144365a84 44 | b371a5d6465dc85c093a5fb84d7cddeb1effcc56 45 | f00befdf08678b642b69d128f2afae32a1564a90 46 | 51309371673acd310f327a10476f707eb914e255 47 | 7127b880c8e31fbeb1d376eb55a6f878bc77b21a 48 | e69f5ff2fcd18698bb584b6bc15136d61eb4f594 49 | bfc164e5a28a3d56b8493b1fc1ca4a12fa1ac6ac 50 | 
5377adb779de325a74838c0815eea958b4822f82 51 | 5dd34fb1c8e224c17dce04e02a4409e9393bce58 52 | 34f8323b3b6bcf4b47d0abefcf9e38e15ecd2858 53 | 3cbdc146441e4858a1de47df0b4b795c4b0c2862 54 | 93ef4f47ac160721768a00e1a2121b45a9933a1d 55 | a414f0a651f750eea18f6d6c64627c4720548581 56 | a415e12591dd47289e235e7022a6896cb2bfde96 57 | cc1ce3073937552459fb8ed0adb5d56fa00bcd43 58 | f36ecac8696aa0862ad3779ca464b2cd399d8099 59 | e3e61df9e0dd92c98223c750e13001cbb73a1e31 60 | 2695fcfe83ab536d89147184589ccb44fc4a60f3 61 | c59f66808ea8f07cbde74116dde60dab4f9f3122 62 | da617bc6dcd2083d93a9a83d4f15e3713d365960 63 | fceaa83e7bd9bcab5efba9d1811480b8cb0b8a3e 64 | c7fc689fe76361ef4fdc1f2a5bab71c0e2e09746 65 | 7c1f7ce5e57cbde9ac7755a7b755171e38abd70d 66 | 11159db91b870e6728f1a7835b5d8be9424914b9 67 | a01036a8efe5349920a656a422e959a2b9b76f02 68 | ebd5dc18c51b6fb0e9985a3a9e86ff66e22e813e 69 | ecf21efc09e4e2acfeeb71fb78cb1f518e1f5724 70 | 10d7687c44beca4151bb07f78c6e605e8a552889 71 | 8cc008b3189f8ce9a96c2c41f864d019319eb2ee 72 | 37c837fb170164cbc88beae720df128b786a71e0 73 | dfd8665d91c508faf66e2bc2789b504670762ea2 74 | 13c5b14e19c9095aba3f1da56b1a76793c7144b9 75 | b40bde0341f52481ae1820022fa8376e53a20040 76 | 748fe84497423ed209357e923be28083d42d69de 77 | 8b295ab4789105f9910e4f3af1b60cbba8ad6fc0 78 | 69e2487eee4637fe62e47891154d97dfdf8aad57 79 | 4d1c282f9942ec87c5b4d9363187afdc120f4dc7 80 | 62e00701f62971311ef8e57f33f6a3ba8ed28bf7 81 | 78a7fbdd6adf073ea6d835be69084e071b4da395 82 | 848f0dbf50b582a87399428d093e5903ffaeedcd 83 | -------------------------------------------------------------------------------- /telebots/README.adoc: -------------------------------------------------------------------------------- 1 | = TeleBots Indicators of Compromise 2 | 3 | The blog post about Telebots is available on WeLiveSecurity at 4 | http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/. 
== ESET detection names

- VBA/TrojanDropper.Agent.SD trojan
- Win32/TrojanDownloader.Agent.CWY trojan
- Python/TeleBot.AA trojan
- Python/Agent.Q trojan
- Python/Agent.AE trojan
- Python/Agent.AD trojan
- VBS/Agent.AQ trojan
- VBS/Agent.AO trojan
- VBS/Agent.AP trojan
- Win32/HackTool.NetHacker.N trojan
- Win32/HackTool.NetHacker.O trojan
- Win64/Riskware.Mimikatz.H application
- Win32/RiskWare.Mimikatz.I application
- Win32/PSW.Delf.OQU trojan
- Win32/PSW.Agent.OCO trojan
- Win32/PSW.Agent.OCP trojan
- Win64/Spy.KeyLogger.G trojan
- Win32/KillDisk.NBH trojan
- Win32/KillDisk.NBI trojan

== Network indicators

=== C&C servers

- `93.190.137.212`
- `95.141.37.3`
- `80.233.134.147`

These addresses are the ones observed at the time of the December 2016 analysis linked above. IP addresses get reassigned, so confirm current ownership and restrict any hunting or blocking to the relevant time window before acting on them.

=== Legitimate servers abused by malware authors

- `srv70.putdrive.com` (IP: `188.165.14.185`)
- `api.telegram.org` (IP: `149.154.167.200`, `149.154.167.197`, `149.154.167.198`, `149.154.167.199`)
- `smtp-mail.outlook.com` (IP: `65.55.176.126`)

These hosts belong to legitimate third-party services that the malware abused; blocking them outright would disrupt legitimate traffic. Use them only as context when correlating with the other indicators in this document, and note that the listed IPs are the resolutions seen at the time of analysis and may since have changed.

== Samples

All hashes are SHA-1, listed in uppercase hexadecimal. Match them case-insensitively: the `samples.*` lists elsewhere in this repository use lowercase.
45 | 46 | === XLS documents with malicious macro 47 | 48 | ---- 49 | 7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F 50 | C361A06E51D2E2CD560F43D4CC9DABE765536179 51 | ---- 52 | 53 | === Win32/TrojanDownloader.Agent.CWY 54 | 55 | ---- 56 | F1BF54186C2C64CD104755F247867238C8472504 57 | ---- 58 | 59 | === Python/TeleBot.AA backdoor 60 | 61 | ---- 62 | 16C206D9CFD4C82D6652AFB1EEBB589A927B041B 63 | 1DC1660677A41B6622B795A1EB5AA5E5118D8F18 64 | 26DA35564D04BB308D57F645F353D1DE1FB76677 65 | 30D2DA7CAF740BAAA8A1300EE48220B3043A327D 66 | 385F26D29B46FF55C5F4D6BBFD3DA12EB5C33ED7 67 | 4D5023F9F9D0BA7A7328A8EE341DBBCA244F72C5 68 | 57DAD9CDA501BC8F1D0496EF010146D9A1D3734F 69 | 68377A993E5A85EB39ADED400755A22EB7273CA0 70 | 77D7EA627F645219CF6B8454459BAEF1E5192467 71 | 7B87AD4A25E80000FF1011B51F03E48E8EA6C23D 72 | 7C822F0FDB5EC14DD335CBE0238448C14015F495 73 | 86ABBF8A4CF9828381DDE9FD09E55446E7533E78 74 | 9512A8280214674E6B16B07BE281BB9F0255004B 75 | B2E9D964C304FC91DCAF39FF44E3C38132C94655 76 | FE4C1C6B3D8FDC9E562C57849E8094393075BC93 77 | ---- 78 | 79 | === VBS backdoors 80 | 81 | ---- 82 | F00F632749418B2B75CA9ECE73A02C485621C3B4 83 | 06E1F816CBAF45BD6EE55F74F0261A674E805F86 84 | 35D71DE3E665CF9D6A685AE02C3876B7D56B1687 85 | F22CEA7BC080E712E85549848D35E7D5908D9B49 86 | C473CCB92581A803C1F1540BE2193BC8B9599BFE 87 | ---- 88 | 89 | === BCS-server 90 | 91 | ---- 92 | 4B692E2597683354E106DFB9B90677C9311972A1 93 | BF3CB98DC668E455188EBB4C311BD19CD9F46667 94 | ---- 95 | 96 | === Modified Mimikatz 97 | ---- 98 | B0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991 99 | AD2D3D00C7573733B70D9780AE3B89EEB8C62C76 100 | D8614BC1D428EBABCCBFAE76A81037FF908A8F79 101 | ---- 102 | 103 | === LDAP query tool 104 | 105 | ---- 106 | 81F73C76FBF4AB3487D5E6E8629E83C0568DE713 107 | ---- 108 | 109 | === CredRaptor password stealer 110 | 111 | ---- 112 | FFFC20567DA4656059860ED06C53FD4E5AD664C2 113 | 58A45EF055B287BAD7B81033E17446EE6B682E2D 114 | ---- 115 | 116 | === Win64/Spy.KeyLogger.G trojan 117 | 118 | ---- 119 | 
7582DE9E93E2F35F9A63B59317EBA48846EEA4C7 120 | ---- 121 | 122 | === Intercepter-NG and silent WinPCAP installer 123 | 124 | ---- 125 | 64CB897ACC37E12E4F49C4DA4DFAD606B3976225 126 | A0B9A35675153F4933C3E55418B6566E1A5DBF8A 127 | ---- 128 | 129 | === Win32/KillDisk 130 | 131 | ---- 132 | 71A2B3F48828E4552637FA9753F0324B7146F3AF 133 | 8EB8527562DDA552FC6B8827C0EBF50968848F1A 134 | ---- 135 | -------------------------------------------------------------------------------- /machete/samples.md5: -------------------------------------------------------------------------------- 1 | de8b61ae73f510eba526684f85b7cacb 2 | 69e8e8258fbda29a140fb820c93afbcc 3 | ca0bdef2b365c70733aa61ad2224475b 4 | 8bd56c580f96c6c1eb042935a11ada19 5 | ec9e0092505743e000bd95c3e4677aff 6 | 38b7ff01b3310b7e1586d4d7872f679f 7 | 59ed79f666ba7afcfe52522751ac88bb 8 | 33aac948ba9f11ff8e8fba02127e2c34 9 | d18a9c66c5c6cd6e881307704496bf78 10 | 23621334605777a107cfb03a0939a0ec 11 | 84d0eb92a62f095271fd7a22352144d4 12 | 4b0a62d5f4f813d9395889ccb7b90324 13 | f76ee4d0e496fd22bc87e685653a296b 14 | dc5979fab4023ac2f04b8092db1dba69 15 | f246ba14f19ee0fdfe099ae9425168db 16 | c10336018f67bb1aecdfdee5258448a7 17 | c8ca25bd428818277968ac3239cfc573 18 | e3b8e45b1b9077e8cdb5e0db97b62876 19 | 19b049ab19fd3e8c6f5b36c6a41024fe 20 | dfec24718db4f0af94d00b281b0de2f1 21 | 14ced4c924110bd5a8c088f02dc6b9d2 22 | 089f1980ab2525f515a273f5861feceb 23 | 6d8e13586bad8f8b41c17ef6732b6ee9 24 | f84f600384a857b583fa5d24de290de4 25 | 8996e4cb8aecf66432faaf46fe7fba27 26 | 62334eb5f7180cd28432e41585ea39a1 27 | 4bfd79b34234060f9d4dc26bd23c67c9 28 | 3581474d51fd38854f4b2d80614158c4 29 | 28731c629578cbc7164ca36cc58f77f1 30 | dcf7f36163c4e8013e4295ec56a34b04 31 | 33edc43992137c0d4b07a4c1ed389e1e 32 | fd4e17b1d4d1c9ca9d1217bf2eac3979 33 | fd301450a00094407729b9139c6c544a 34 | 3239f2d8acee4742f9b4d919e61b8983 35 | 04fa52b44178bec611232d260ec18c03 36 | b9806b73c97d1eab5c4dde19fb20a403 37 | b2975864ad694469b04165bd09277421 38 | 
80297aefa3c178ac196a41cb29660f8d 39 | 983274f2bf02936eb6dd7c0a890b245e 40 | 3a75551aabcf53cc5e039c806504d360 41 | 624a23ea378b4422beb4189ac75a478d 42 | d4d74eb1da835f2e5022a5bf0b5f40b8 43 | ad2067a13b3b4e6cb61e00aee6d73a4d 44 | 95a9f742768e75c5ac4614ed0645c510 45 | ad63b6cc534086c18f2f7d475cd1a02d 46 | e1e0ef483568978866816478f4a30e62 47 | 1acc3b68da6b0a800cd58af30d47b01e 48 | a3f35e1ec2a70df31296deef93129904 49 | ae106af371dc00d07ce13baa277e52e7 50 | 2adb5b013ba4de9a20c7c9e185930675 51 | b8b59bff6084044894d858e5e0118952 52 | bdede8c167b85250401c7605d81d05f2 53 | f2d15d96b51fe232c1262c1604be55b7 54 | b56201e4eacf68966626c92420c53209 55 | 9344988562f4a82f2c4230f466088d42 56 | c312d1a4ac706d910c611ad8f600fe68 57 | 181e4541fb66ff596c2eae8267034bca 58 | e72f0eefc5008c2594863fb8290dfd95 59 | 5a46d793cf82822cb334b70609a9acd7 60 | 9eb9af0f63644fee49d083c1c330226b 61 | 15e50c8efe8f72064d51fc04437bed26 62 | 22b2718408aa6dbbfb05066325838468 63 | 8daa8ceefae540f4cc713a532ce16fea 64 | 8d92e51008d4ec7530bb16b3caa63fbb 65 | e070239d114596b7e088fcee41839805 66 | 6370323a5960f06b77a61487b75aabe3 67 | cb67a0251a1898a76dbe94c3d8c664be 68 | 4da12f54f0b7413d04f6832d26ee4633 69 | dd4389198abe57219d74928d6e775f6b 70 | 48e6c558a87577281a6b1f37e426f8ed 71 | 9bc58a40aa36674fe4a44abfd938a8db 72 | 1bc22ab9052b2a70c339cad2af18c513 73 | 0d63cbd745f5a5367037de013f0a8079 74 | 26127ce7fd372ae6421c3a380db3c6c8 75 | a23d27688c57fb8d1b4979c4643c7dbc 76 | 70d89bef5607b020d80195608d757e03 77 | cb605f85cfca7735fe8464e7d6d47e21 78 | 396b6502c46b45d9f5efff728fa27055 79 | 7163167a07b2ba31d6064297167cc19f 80 | d734af6d7aa0c4e130a38127769602cb 81 | dd56c6e35a76d98ebb1a0bbe82cac769 82 | b706fbc29f4007147f8ff9d818fbd158 83 | dace9f2870f67305dd8285da457d362b 84 | 1e1c95a7cb1ed48d2702eaa616f323a6 85 | f52bbb3feff6dcb05599c753898f6637 86 | 4f332d97cacc58cf8edd94553b289fef 87 | f7307236cc2e6549fbc6a643bcf3a157 88 | 7e8efbffe5b24a4d423ed9f250924388 89 | 5da2527d17bb9e29696e70e703d958fa 90 | 
19e080ae03864e16880a2056fa4892e4 91 | 367d8bf3b7b119549aa7af3ca0c653df 92 | 587c67c29ab02be1e30cf09a99885b0b 93 | 7c3e9477b72b4f7c4d05210eda3ce6fd 94 | fe96143652b1744e75d8b48ed1ef6951 95 | 5a5ac826e300f0b4144e7b3e505e3f95 96 | 74662f2119b489f2eb047291cc9167df 97 | 2bf95ae1c48da2775e7aac611d9bb5eb 98 | 4cf5cbce40cdb1b82a241d374f55ce13 99 | 41c2465dd043592cf08a454b43cf4426 100 | 421658de8fd5bd3d6fdc9552d2b5a61a 101 | 6589e890bffbba49421bd38b8e380a3c 102 | 01eca87a1d29d8e2da2ed94930ae0d41 103 | --------------------------------------------------------------------------------