Rewterz Threat Alert – Shade Ransomware Hits High-Tech, Wholesale & Education Sectors in Multiple Countries

Severity

Medium

Analysis Summary

Shade ransomware has been targeting hosts running Microsoft Windows, since 2014. It is also known as Troldesh. Distributed through Russian language as well as English language malspam campaigns and exploit kits, Shade ransomware encrypts files on your computer and appends an extension .crypted000007 with the name of each encrypted file.

When a Windows host is infected with Shade ransomware, its desktop background announces the infection, and ten text files appear on the desktop named README1.txt through README10.txt as shown in Figure 1.

These readme text files are the ransom notes as shown below:

The Malspam-based infections for Shade ransomware involve a JavaScript (.js) or other type of script-based file disguised as an invoice or bill. In some cases, Shade malspam has links for these script-based files. In other cases, the files are directly attached to the emails within a zip file or other type of archive.

Shade ransomware’s favorite victims fall under High Tech category in many countries including U.S, Japan, India, Thailand, Canada.

Impact

• Files Encryption
• Loss of Information
• Financial Loss

Indicators of Compromise

URLs

• hxxp[:]//333media[.]co[.]uk/[.]tmb/inf[.]inf
• hxxp[:]//abcstudio[.]sk/wp-content/themes/fusion-base/fonts/msg[.]jpg
• hxxp[:]//abyaz[.]ir/wp-content/themes/woodstock/js/1[.]pdf
• hxxp[:]//acffiorentina[.]ru/assets/1[.]pdf
• hxxp[:]//actinix[.]com/wp-content/themes/ultra/images/msg[.]jpg
• hxxp[:]//adelekeoluwakemiandco[.]com/wp-content/themes/twentyseventeen/inc/inf[.]inf
• hxxp[:]//agava[.]ee/wp-content/themes/graphene/bootstrap-rtl/1[.]pdf
• hxxp[:]//alpadegra[.]pe/wp-content/themes/mesmerize/customizer/css/hp[.]gf
• hxxp[:]//ambulatorium[.]sk/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//amsr[.]ma/templates/businessplan/html/com_contact/categories/msg[.]jpg
• hxxp[:]//andyburkholder[.]com/wordpress/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//andyliotta[.]com/wp-content/themes/musicpro/js/cookie/msg[.]jpg
• hxxp[:]//anselmi[.]at/templates/rt_hadron/css-compiled/hp[.]gf
• hxxp[:]//anyadavidson[.]com/wordpress/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//app[.]expalglobal[.]com/upload/items/img/1[.]pdf
• hxxp[:]//arbanstore[.]com/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//arbanstore[.]com/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//archiaidbd[.]com/templates/shaper_helix3/css/presets/inf[.]inf
• hxxp[:]//ascentprint[.]ru/scripts/1[.]pdf
• hxxp[:]//auroradx[.]com/adxwp/wp-content/backups-dup-pro/tmp/gr[.]mpwq
• hxxp[:]//auroradx[.]com/adxwp/wp-content/nfwlog/cache/hp[.]gf
• hxxp[:]//automodernshop[.]com/[.]quarantine/inf[.]inf
• hxxp[:]//b-compu[.]de/templates/conext/content_images_source/msg[.]jpg
• hxxp[:]//b-compu[.]de/templates/conext/html/com_contact/contact/msg[.]jpg
• hxxp[:]//balloflightning[.]com/wp-content/themes/vigilance/css/msg[.]jpg
• hxxp[:]//bamferproductions[.]com/GeneratedItems/1[.]pdf
• hxxp[:]//banzay[.]com/wp-content/themes/di-blog/languages/msg[.]jpg
• hxxp[:]//bbbrown[.]com/wp-content/themes/twentyten/languages/msg[.]jpg
• hxxp[:]//berkaytulpar[.]com[.]tr/inf[.]inf
• hxxp[:]//bitcoinqrgen[.]com/wp-content/ai1wm-backups/hp[.]gf
• hxxp[:]//bjlaser[.]com/templates/outsourcing-fjt/html/com_contact/contact/msg[.]jpg
• hxxp[:]//britishcollege[.]edu[.]lk/[.]well-known/acme-challenge/inf[.]inf
• hxxp[:]//bursabowling[.]com/templates/rt_myriad/custom/1[.]pdf
• hxxp[:]//canadianpricespharmacy[.]xyz/wp-content/themes/maxshop/images/hp[.]gf
• hxxp[:]//capablecanines[.]org/wp-content/themes/Divi/css/hp[.]gf
• hxxp[:]//clubdelideres[.]org/font-awesome/css/hp[.]gf
• hxxp[:]//coastalcrestgroup[.]com/wp-content/themes/betheme/assets/animations/hp[.]gf
• hxxp[:]//conozcatlanta[.]com/[.]well-known/acme-challenge/hp[.]gf
• hxxp[:]//consultantlegality[.]com/wp-content/themes/llorix-one-lite/css/hp[.]gf
• hxxp[:]//costiran[.]com/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//crlagoa[.]cdecantanhede[.]pt/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//customercarelist[.]info/wp-content/themes/Newspaper/parts/footer/hp[.]gf
• hxxp[:]//cvpass[.]net/wp-content/themes/twentyseventeen/assets/css/inf[.]inf
• hxxp[:]//damyo[.]co[.]kr/wp-content/themes/enfold/config-gravityforms/hp[.]gf
• hxxp[:]//damyo[.]co[.]kr/wp-content/themes/enfold/lang/hp[.]gf
• hxxp[:]//davanaweb[.]com/wp-content/themes/arras-theme/@eaDir/hp[.]gf
• hxxp[:]//davidgillettephotography[.]com/wp-content/themes/boilerplate/boilerplate-admin/inf[.]inf
• hxxp[:]//demo[.]art-of-digital[.]com/yoga/2018/12/24/live-a-perfect-life/feed/inf[.]inf
• hxxp[:]//dicaconsultores[.]com/wp-content/themes/empowerment/inc/msg[.]jpg
• hxxp[:]//dnz17[.]in[.]ua/tmp/inf[.]inf
• hxxp[:]//dongavienthong[.]com/wp-includes/ID3/inf[.]inf
• hxxp[:]//donmago[.]com/wp-content/themes/betheme/js/parallax/msg[.]jpg
• hxxp[:]//dresscollection[.]ru/errors/default/css/msg[.]jpg
• hxxp[:]//ekolog[.]org/687a0eb9e70069aa3c7f5a7bc1b08bf0/msg[.]jpg
• hxxp[:]//elurnsummit[.]com/wp-content/themes/writee/templates/inf[.]inf
• hxxp[:]//emfbd[.]org/wp-content/themes/frontier/includes/genericons/hp[.]gf
• hxxp[:]//enaghsh[.]ir/wp-content/themes/mweb-digiland/dokan/hp[.]gf
• hxxp[:]//entrepreneurspider[.]com/wp-content/themes/astra/languages/inf[.]inf
• hxxp[:]//escwireless[.]com/templates/jm-0013/css/gr[.]mpwq
• hxxp[:]//eurotecheu[.]com/wp-content/themes/skt-solar-energy/js/inf[.]inf
• hxxp[:]//farmworldtech[.]com/wp-content/themes/generatepress/inc/customizer/controls/css/1[.]pdf
• hxxp[:]//fcbiolog[.]com/errordocs/style/inf[.]inf
• hxxp[:]//fenapro[.]org[.]br/templates/ja_edenite/css/colors/msg[.]jpg
• hxxp[:]//flashsale88[.]com/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//flirtwithclassdemo[.]racevmarketing[.]com/wp-admin/css/colors/blue/1[.]pdf
• hxxp[:]//foodera[.]co/wp-admin/css/colors/blue/1[.]pdf
• hxxp[:]//forestandseaclub[.]racevmarketing[.]com/wp-content/cache/et/26/1[.]pdf
• hxxp[:]//frenchdoitbetter[.]my/wp-includes/ID3/hp[.]gf
• hxxp[:]//gimnazjum-zawichost[.]pl/dokumenty/mlody_naukowiec/msg[.]jpg
• hxxp[:]//gpcezhukone[.]org/templates/rt_audacity/html/com_content/archive/hp[.]gf
• hxxp[:]//greenerpathway[.]info/wp-admin/css/colors/blue/gr[.]mpwq
• hxxp[:]//grunert[.]biz/wp-content/themes/sydney/languages/hp[.]gf
• hxxp[:]//hamayeshgroup[.]com/[.]well-known/pki-validation/inf[.]inf
• hxxp[:]//hitechontheweb[.]com/wp-content/themes/advanced-twenty-seventeen-child/template-parts/footer/inf[.]inf
• hxxp[:]//importfish[.]ru/dynamic/msg[.]jpg
• hxxp[:]//inhome[.]theadleaf[.]net/wordpress/inf[.]inf
• hxxp[:]//innovationsolarinc[.]com/wp-content/themes/isi/bbpress/inf[.]inf
• hxxp[:]//instanttechnology[.]com[.]au/wp-content/themes/skyline/inc/footers/inf[.]inf
• hxxp[:]//invokeshop[.]com/wp-content/ai1wm-backups/inf[.]inf
• hxxp[:]//iqra[.]tn/fbs/hp[.]gf
• hxxp[:]//iqra[.]tn/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//isfacca[.]ir/IrSans/css/inf[.]inf
• hxxp[:]//jazarah[.]net/wp-content/themes/truemag/admin/assets/css/msg[.]jpg
• hxxp[:]//jbrealestategroups[.]com/wp-content/themes/bridge/export/msg[.]jpg
• hxxp[:]//jgcarpetcleaning[.]com/wp-content/themes/bb-theme/classes/1[.]pdf
• hxxp[:]//joeksdj[.]nl/VT555/_vti_cnf/msg[.]jpg
• hxxp[:]//kean3[.]com/[.]well-known/pki-validation/hp[.]gf
• hxxp[:]//khabbas[.]com/wp-content/themes/twentyseventeen/inc/hp[.]gf
• hxxp[:]//kokkelering[.]no/wp-content/themes/Divi/core/admin/css/inf[.]inf
• hxxp[:]//koren[.]cc/wp-content/themes/twentyseventeen/template-parts/footer/inf[.]inf
• hxxp[:]//languardia[.]ru/wp-content/languages/plugins/msg[.]jpg
• hxxp[:]//leamoreconstruction[.]com/wp-content/themes/buildplus/admin/1[.]pdf
• hxxp[:]//liliatomova[.]com/wp-includes/ID3/1[.]pdf
• hxxp[:]//linetours[.]ru/wp-content/themes/untitled/styles/msg[.]jpg
• hxxp[:]//louismoreno[.]com/wp-content/themes/asterion/page-templates/msg[.]jpg
• hxxp[:]//magicsounds[.]net/wp-admin/css/colors/blue/1[.]pdf
• hxxp[:]//mail[.]333media[.]co[.]uk/public_html/plugins/acl/localization/inf[.]inf
• hxxp[:]//mail[.]360cleaning[.]co[.]uk/skins/classic/images/buttons/hp[.]gf
• hxxp[:]//mail[.]360cleaning[.]co[.]uk/wp_caden_package_1[.]3/Licensing/inf[.]inf
• hxxp[:]//mail[.]creativerentacar[.]com/installer/images/inf[.]inf
• hxxp[:]//mail[.]creativetravelworld[.]com/plugins/acl/localization/hp[.]gf
• hxxp[:]//mail[.]zadiaks90[.]com/installer/images/inf[.]inf
• hxxp[:]//makeupp[.]site/wp-content/themes/twentysixteen/genericons/1[.]pdf
• hxxp[:]//makeupp[.]site/wp-content/themes/twentysixteen/genericons/inf[.]inf
• hxxp[:]//mapsu[.]org/awstats/msg[.]jpg
• hxxp[:]//marathonbuilding[.]com/wp-content/themes/Marathon20140204a/images/msg[.]jpg
• hxxp[:]//marketingcoachth[.]com/wp-admin/css/colors/blue/msg[.]jpg
• hxxp[:]//meeweb[.]com/admin/swfupload/css/inf[.]inf
• hxxp[:]//meurls[.]xyz/wp-content/plugins/ad-ace/assets/css/fonts/iconfont/msg[.]jpg
• hxxp[:]//miumilkshop[.]com/wp-includes/ID3/hp[.]gf
• hxxp[:]//mmonteironavegacao[.]com[.]br/blog/category/msg[.]jpg
• hxxp[:]//montaneproperties[.]co[.]za/cache/1[.]pdf
• hxxp[:]//musiciansassociationofthephilippines[.]com/wp-includes/ID3/inf[.]inf
• hxxp[:]//muslimlifestyleexpo[.]info/wp-content/themes/singlepage/languages/1[.]pdf
• hxxp[:]//myclientsdemo[.]com/cannadyz/css/hp[.]gf
• hxxp[:]//nest[.]sn/wp-content/themes/education-web/languages/msg[.]jpg
• hxxp[:]//new4[.]pipl[.]ua/[.]well-known/acme-challenge/inf[.]inf
• hxxp[:]//noblechild[.]com/wp-content/themes/mt-dark/languages/hp[.]gf
• hxxp[:]//northernoceanmarine[.]com/wp-content/themes/nom/images/hp[.]gf
• hxxp[:]//northernoceanmarine[.]com/wp-content/themes/nom/images/inf[.]inf
• hxxp[:]//novotravel[.]ir/wp-snapshots/hp[.]gf
• hxxp[:]//oestervraafys[.]dk/templates/rt_cygnet/fields/hp[.]gf
• hxxp[:]//orielliespinoza[.]com/wp-content/themes/rara-business/images/hp[.]gf
• hxxp[:]//orielliespinoza[.]com/wp-content/themes/rara-business/inc/css/hp[.]gf
• hxxp[:]//ozemag[.]com/wp-content/themes/emag/template-parts/msg[.]jpg
• hxxp[:]//panamacitybeachcondosforsale[.]net/wp-content/themes/astra/assets/css/minified/compatibility/woocommerce/hp[.]gf
• hxxp[:]//pitbullcreative[.]net/wp-content/themes/alyeska/lang/hp[.]gf
• hxxp[:]//pixonet[.]ir/wp-snapshots/hp[.]gf
• hxxp[:]//plasticbottle-factory[.]com/wp-content/themes/baiila/fonts/hp[.]gf
• hxxp[:]//prathmeshbiotech[.]com/templates/jd_miami/css/presets/inf[.]inf
• hxxp[:]//precision[.]bc[.]ca/wp-content/themes/precision/colors/hp[.]gf
• hxxp[:]//prigo[.]com/bluewhale/hp[.]gf
• hxxp[:]//rayaxiaomi[.]com/wp-content/themes/abchlik/widgets/hp[.]gf
• hxxp[:]//repairinc[.]wsid[.]net/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//rickspringfield[.]jp/PHOTOS/PHOTOS_files/msg[.]jpg
• hxxp[:]//robinchahal[.]com/ftp/msg[.]jpg
• hxxp[:]//rockett[.]net/wp-content/themes/simplemag/formats/hp[.]gf
• hxxp[:]//ryzconstruccionesciviles[.]com/wp-content/themes/spacious/font-awesome/css/inf[.]inf
• hxxp[:]//sabbath[.]weswesmusic[.]com/wp-includes/ID3/hp[.]gf
• hxxp[:]//sagami-suisan[.]com/wpBK/msg[.]jpg
• hxxp[:]//schwimmerforum[.]de/archive/hp[.]gf
• hxxp[:]//shop[.]albertgrafica[.]com[.]br/vqmod/install/msg[.]jpg
• hxxp[:]//smarthost[.]kiev[.]ua/templates/sunshine/css/msg[.]jpg
• hxxp[:]//snowfeel[.]in/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//solutionpc[.]be/modules/php/1[.]pdf
• hxxp[:]//spidernet[.]comuv[.]com/wp-content/themes/twentyseventeen/inc/inf[.]inf
• hxxp[:]//standard-cement[.]kz/hp[.]gf
• hxxp[:]//stilldesigning[.]com/wp-content/themes/stilldesigning-2014/css/hp[.]gf
• hxxp[:]//subastaomarwheels[.]com/wp-content/themes/revo/css/fancy/hp[.]gf
• hxxp[:]//szimano[.]org/wordpress/wp-admin/css/colors/blue/1[.]pdf
• hxxp[:]//tanmoy[.]xyz/wp-content/themes/sility/files/hp[.]gf
• hxxp[:]//tasooshi[.]com/wp-content/themes/astra/assets/css/minified/compatibility/woocommerce/msg[.]jpg
• hxxp[:]//tasooshi[.]com/wp-content/themes/astra/inc/addons/transparent-header/assets/js/minified/msg[.]jpg
• hxxp[:]//taxi-kazan[.]su/administrator/cache/msg[.]jpg
• hxxp[:]//telebriscom[.]cl/wp-content/themes/fitness-wellness/languages/msg[.]jpghxxp[:]//thabazimbi[.]net/css/1[.]pdf
• hxxp[:]//thaisell[.]com/AM/hp[.]gf
• hxxp[:]//thefourthseasona-1-z[.]com/wp-includes/ID3/1[.]pdf
• hxxp[:]//thegioibds[.]net/wp-includes/ID3/1[.]pdf
• hxxp[:]//thelearningcompany[.]com[.]au/templates/eventus2/images/presets/default/inf[.]inf
• hxxp[:]//tilmenyoresel[.]com/catalog/controller/account/inf[.]inf
• hxxp[:]//tntnailswoodlands[.]com/wp-admin/css/colors/blue/hp[.]gf
• hxxp[:]//tntnailswoodlands[.]com/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//tosama[.]de/templates/jsn_artista_pro/js/inf[.]inf
• hxxp[:]//tourview[.]ir/wp-includes/ID3/hp[.]gf
• hxxp[:]//trdesign[.]org/themes/bartik/color/1[.]pdf
• hxxp[:]//tugaukina[.]com/wp-content/themes/sahifa/framework/admin/images/inf[.]inf
• hxxp[:]//twosisterstravelco[.]com/wp-content/themes/uncode/languages/hp[.]gf
• hxxp[:]//tyger[.]ro/wp-content/themes/twentysixteen/inc/inf[.]inf
• hxxp[:]//varfolomeev[.]ru/cgi-bin/msg[.]jpg
• hxxp[:]//veganwarrior[.]racevmarketing[.]com/wp-content/cache/et/8/1[.]pdf
• hxxp[:]//vehiclescanner[.]co[.]uk/[.]quarantine/hp[.]gf
• hxxp[:]//visionfirst[.]site/wp-admin/css/colors/blue/gr[.]mpwq
• hxxp[:]//visitjourney[.]org/wp-content/plugins/admin-menu-editor/ajax-wrapper/hp[.]gf
• hxxp[:]//vlakvarkproductions[.]co[.]za/[.]well-known/acme-challenge/inf[.]inf
• hxxp[:]//voasi[.]com/wp-content/themes/twentyseventeen/assets/css/msg[.]jpg
• hxxp[:]//www[.]333media[.]co[.]uk/wp-content/plugins/Plugin/Licensing/inf[.]inf
• hxxp[:]//www[.]baumont[.]fr/wp-content/themes/dt-the7/languages/hp[.]gf
• hxxp[:]//www[.]djyan[.]net/administrator/cache/inf[.]inf
• hxxp[:]//www[.]eliasmetal[.]co[.]il/wp-content/languages/plugins/1[.]pdf
• hxxp[:]//www[.]glitzygal[.]net/wp-content/themes/FreshClean/includes/msg[.]jpg
• hxxp[:]//www[.]gran-premio[.]es/wp-content/themes/elastico/functions/css/hp[.]gf
• hxxp[:]//www[.]gran-premio[.]es/wp-content/themes/elastico/js/hp[.]gf
• hxxp[:]//www[.]illustr8design[.]co[.]uk/wp-content/themes/illustr8black/font/hp[.]gf
• hxxp[:]//www[.]insidepoolmag[.]com/wp-content/themes/vidorev/page-templates/msg[.]jpg
• hxxp[:]//www[.]krayot[.]ru/includes/hp[.]gf
• hxxp[:]//www[.]krohm[.]net/wp-content/themes/Flexible_old/css/hp[.]gf
• hxxp[:]//www[.]leamoreconstruction[.]com/wp-content/themes/buildplus/admin/1[.]pdf
• hxxp[:]//www[.]mashmul[.]ir/components/com_ajax/hp[.]gf
• hxxp[:]//www[.]phazethree[.]com/wp-content/themes/customizr/inc/admin/css/msg[.]jpg
• hxxp[:]//www[.]plasticbottle-factory[.]com/wp-content/themes/baiila/fonts/hp[.]gf
• hxxp[:]//www[.]scottpatton[.]com/birthday/hp[.]gf
• hxxp[:]//www[.]scottpatton[.]com/img/common/hp[.]gf
• hxxp[:]//www[.]sey-org[.]com/wp-content/themes/frindle/templ/msg[.]jpg
• hxxp[:]//www[.]soundtel[.]com/cgi-bin/msg[.]jpg
• hxxp[:]//www[.]thecustomboxeshelp[.]com/wp-content/themes/Newspaper/mobile/amp/css/inf[.]inf
• hxxp[:]//www[.]x-ng[.]de/wp-content/themes/my-vcard-resume/vendors/bootstrap/css/hp[.]gf
• hxxp[:]//www[.]xfreaks[.]at/templates/reinhard4/css/inf[.]inf
• hxxp[:]//zipcarbahamas[.]com/wp-admin/css/colors/blue/inf[.]inf
• hxxp[:]//zzb[.]kz/libraries/cms/captcha/hp[.]gf

Malware Hash (MD5/SHA1/SH256)

• 1fc2e4c5ff5844410fc7b78c6987cddf 
• 44ff529219044aea635985dbb98b63f1 
• c834c0e071ba81c16ec8093233a268c9 
• d4dd2a704dc4058951b330bf9e72df57 
• 7288d113b95d76bdb5e80040fcded9a4 
• 862ced9771f1d1af136e0b00c9a37496 
• 4efaa45b9e7c58ee04eecbf11c430063 
• fc2d1d2825c42a11b56d6e5fd0ef0317 
• 358f9893f047e1e0e7d4eee13bd4a3b6 
• 17c7cda30096c869c95c50852b4043c9 
• d27974f69100fe36c948f25529a72a2d 
• 21d5abb9977d71918ee1de4e83dc8e84 
• 6cc16cb37135f58895345e3f8cbfdd5d 
• 6f3e147fca1f2c8fe6275082d66e2a30 
• 75e0a3f7fa6853b006b7871be3217e21 
• 588c44f7d45328df605aaa90902f51b4 
• 9cbdc4243bf6b775c17ddae33472d7f0 
• 399602c103cf91b3983742ab89a71918 
• e64ffb9762baa56fca2dcf788e671c19 
• d0b32bcb0d2d3c809dd829d0b4f5e36f 
• f0a70786bc46ef829652208789fb71a8 
• a49becf00b4f784713850c36c93743fd 
• 26e56de629257522119b9c0bf303f178 
• efeef329677779bdce968ad62a4744a6 
• 92b5abef090c538d37aaa4d4220d203c 
• f8f2854a70018b6dc26069bfd677ac65 
• 6050d781f8a9138342195c195354f601 
• 013aae78d326cfb1cc3c1baf924368c1 
• adead6c71c051595f60dbd42919cbfa3 
• b891aa5781114582c27baa0c8029777c 
• d7b1976d623015332b2ff468f385ea69 
• e3b60927db92de73e80813fa24a7c61b 
• a645c3785b9f3ece07bd959631f8fdc0 
• 7382581e63ff4fe62477dd915fa33736 
• 5d5d9dba99e609b34ea040ef7003e444 
• 834e658f1c9206f3dcf1076192ba7256 
• 969305f9f01a46e8eee82885d9bde2bd 
• 2d4f8a97b58382be42c61bacd190a577 
• 024b96c94297855f73d34df614a4baa3 
• 5b6401c25c4db9c6552a24bcf72295b8 
• 66527ee46c0939b508607efab87b352d 
• 4d988338e79cb04cdc1358d49dfdd2e9 
• e1910ce7fa51b3d99c1664c632949cdd 
• 80c87c3b7187bf24ad3e3805c9ceccca 
• e8178a58198d491bd2dbcc2c170fd40d 
• 4a9246917961b64d89d52f812647a4c6 
• 46d391cb2a6c43cee82609ee33fb371b 
• 86cc993b9af22ce2624a6a3d7831e422 
• b82b82beb62ac4eb418482d9bcb517c2 
• 08588913138eae6baec523566ae4131e 
• e5dbf26de67c36360904167fc0d014e7 
• bd2504c9adb62cce7cc148f97f5f9201 
• bb39f3c3bafd9fac9c8cc1b8ed2a6e40 
• b6a294ac8421dfc269e9af7428094063 
• eecc3f8b06d10c937ee2bdda9afdfc03 
• 214139f97f853b7febdf030baba6bafd 
• ee65ebbc954c2ad5a09042d138af0679 
• 91ecfc7bef3e8f2851cd0b3a80e767b4 
• 9c216a7d7e50c0576ca4bdc794db37c8 
• 4dc6394261c4404164c1061deef9afb3 
• 821db42aed5076881f1ccf04fb9f3025 
• 65c7547198528217791e1f0de2788e7d 
• 2507d78dec3de7552c582576ba48865d 
• e704da02579efeb63b16181bdec2b77f 
• cb65cf232455da6e55f9d27339caa4b3 
• cb444d53bc22ef7a48f809801bb06ec7 
• d618bf728cecc3d684fc28c23996a95f 
• f97ff2b608b522b1a6769a87c74af6d4 
• 38af0830c3144800359245d53a8854b5 
• 7e921e11caeb6f9594fa286d217af62e 
• e3cce010a6dd36ea82db065ee92f2c2e 
• eb4a56ff586f6c8efe402a1684c79464 
• 4a56b5573673cc7d2cb3161fbfce5c7c 
• 201e80d06b45399649f453017eb5a4e5 
• 84b8bc2fea52b2090f29857f5d7e467e 
• 73dea1a75637e14f6fcd012fe2815636 

Remediation

• Block the threat indicators at their respective controls.
• Do not download email attachments coming from untrusted sources.
• Do not click on URLs received in untrusted emails.
• Scan all files prior to execution.
• Closely monitor invoice/bill-themed emails, (They’re also frequently reported in phishing alerts).