March 2, 2022
Severity
High
Analysis Summary
A new piece of malware named ColdStealer has been discovered by a security researcher. It has been observed being distributed in two ways:
- As a single payload, in the same way CryptBot and RedLine are distributed
- Inside a dropper that decompresses and executes several pieces of malware
The malicious code has six main functions.
- Stealing cryptocurrency wallet information
- Stealing system information
- Sending exception (error) information
- File hijacking
- Stealing browser information
If a downloader is present inside the dropper and is executed, it downloads ColdStealer from the C2 server.
Impact
- Credential Theft
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
MD5
SHA-256
SHA-1
URL
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.
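A small way to operationalize the "search for IOCs" step, added here as an example and not part of the Rewterz advisory: it refangs the advisory's `http[:]//host[.]tld` URL indicators, matches a file's MD5/SHA-1/SHA-256 against the published hashes, and flags proxy log lines that contact a listed host. The hash set holds only three of the advisory's values for brevity, and the proxy log format (timestamp, client, host, path) is constructed for the example.

```python
import hashlib
import re

# Indicators copied from the advisory, in the defanged form it publishes them.
DEFANGED_URLS = [
    "http[:]//jordanserver232[.]com",
    "http[:]//realacademicmediausa[.]com",
    "http[:]//topexpertshop[.]com",
    "http[:]//realmoneycreate[.]xyz",
    "http[:]//thehomenow[.]xyz",
    "http[:]//enter-me[.]xyz",
]
# One hash of each family from the advisory (add the rest of the lists for real use).
HASHES = {
    "1578ad8f244ae82c36e3feadeb7d66e3",                                   # MD5
    "701d12fdc004e20a2fbb782e22f6d76cbc1b5999",                           # SHA-1
    "2abe925806d415dbc47f1cfa3b1689c2ca2d148f0729899c04ab30db7b156748",   # SHA-256
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("http[:]//x[.]com", "hxxp://") back into a real URL."""
    s = indicator.strip().replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

def ioc_hosts(defanged_urls) -> set:
    """Bare, lower-cased hostnames from the advisory's URL indicators."""
    return {re.sub(r"^https?://", "", refang(u)).split("/")[0].lower() for u in defanged_urls}

HOSTS = ioc_hosts(DEFANGED_URLS)

def file_matches(data: bytes) -> bool:
    """True if the file's MD5, SHA-1 or SHA-256 appears in the advisory's hash lists."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest()}
    return bool(digests & HASHES)

def proxy_hits(log_lines) -> list:
    """Log lines whose destination host (third field in the constructed format) is a listed C2 host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) > 2 and parts[2].lower() in HOSTS:
            hits.append(line)
    return hits

# Constructed sample proxy log (not real traffic): timestamp, client, host, path.
SAMPLE_LOG = [
    "2022-03-02T10:00:01Z 10.0.0.5 jordanserver232.com /",
    "2022-03-02T10:00:02Z 10.0.0.5 example.com /index.html",
    "2022-03-02T10:00:03Z 10.0.0.9 Enter-Me.xyz /",
]

if __name__ == "__main__":
    for hit in proxy_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
```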