- An APT Blueprint: Gaining New Visibility into Financial Threats
- Bitdefender Forensic Investigation Reveals Complete Attack Timeline and Behavior of Notorious Financial Cyber Criminal Group
- Appendix A: IOCs
- File IOCs:
- Network IOCs:
- swift-fraud[.]com/documents/94563784.doc downloads initial doc
- cloud[.]yourdocument[.]biz/robots.txt downloads DLL dropper
- nl[.][redacted][.]kz/robots.txt downloads JavaScript backdoor
- nl[.][redacted][.]kz/api/v1 JavaScript backdoor C&C - gets commands and executes them
- Appendix B:
- smrs.exe (d68351f754a508a386c06946c8e79088)
- Downloader that downloads a shellcode, which in turn downloads the beacon.
- smrs.exe (341917d17440ee8a334b202eb0378108)
- Cobalt Strike beacon that’s being deployed on affected workloads.
- jusched.exe (d68351f754a508a386c06946c8e79088)
- Downloader that downloads a shellcode, which in turn downloads the beacon. Same file/hash as “smrs.exe”, just under a different name.
- nusb1mon.exe (ddb9553c6e4e4908b5c7fbbdc4795d6c)
- Tool that takes screenshots at specific time intervals.