Rewterz Threat Advisory – IBM Java Multiple Vulnerabilities
March 4, 2019Rewterz Threat Alert – Indicators of Compomise for Trickbot Qakbot Emotet
March 5, 2019Severity
High
Analysis Summary
Cobalt group has resurfaced again with it’s activities targeting specific customers and using phishing emails to drop malicious url’s.
- CobInt Downloader (EXE) -> Polymorphic Encrypted Data (DLL – CobInt Malware) -> Final Payload
Indicators of Compromise
IP(s) / Hostname(s)
- 193.33.61[.]170
- 144.202.59[.]44
- 192.42.119[.]41
- 45.72.3[.]177
URLs
- hxxps://dskbank[.]nl/order/doc/complaint.doc
- hxxps://dskbank[.]nl/invoice/notepad.exe
- hxxps://ciscoupdt[.]com/woiexjaavl
- hxxps://ciscoupdt[.]com/hcylzkwytfacztxxmcrnwumhulpqooo
- hxxps://ciscoupdt[.]com/zlxksulywulzawzzrzatzgzxuezeirdujimfphpybszce
- hxxps://ciscoupdt[.]com/ljzuzezpzjfmgztyxojvvudqrtushogmzpjvqma
- hxxps://ciscoupdt[.]com/tosvqmknrrzsbznzaltbheyrnwjsfmvdlgizim
- hxxps://ciscoupdt[.]com/zkczmyabbyeezldjzoulwzdzbgzdfrzjwcnozn
- dskbank[.]nl
- ciscoupdt[.]com
- hxxps://boutrost[.]com/woiexjaavl
- boutrost[.]com
Email Address
- eva.olofsson[@]dskbank[.]uk
- jan.larsson[@]dskbank[.]uk
- christoph.danz[@]dskbank[.]uk
- info[@]dskbank[.]uk
Malware Hash (MD5/SHA1/SH256)
- 6fa3bc5e5786b0d828d444b515b5f5a3
- 88f93a412cb88ff8d4b8def191b7d530999b963d
- 50cf1e09ed9cf7c6bc92ff738773c0b40c0f90ac547852964ddb486cd307da09
- 898f5d084e91c0c78dd384e4028ea264
- d40586fb75d8967c697d29e55ef46ff9e56d4d72
- 1574be5da3937920a40ba5d3103e7e3c2ca52b07261cecb802348e01ade89274
- 5ae9fa1af92f323cffc06577e7ba8198
- f6382a2ede229feebd998579d23a25a9cc37e8a7
- 2bb99909be2dac06e8182f50357f505d6a30c3457c85385676369cabf124cf24
- 7eb9902f5f1effd23d1ddd9482a197f3
- 97a0762239cd5db3b4a8bd9d2c3a48a15aa66839
- 303c7f18ba2b47d19dc9f1375a2b2d6beb4ccbeda8afdbf0cc809fda249989c1
Remediation
- Block threat indicators at respective controls.
- Always be suspicious about the emails being sent from unknown senders.
- Never click on the attachments or links sent by unknown senders.