Bank_Security

Gaining New Visibility into Financial Threats

Jun 6th, 2019
An APT Blueprint: Gaining New Visibility into Financial Threats
Bitdefender Forensic Investigation Reveals Complete Attack Timeline and Behavior of Notorious Financial Cyber Criminal Group

Appendix A: IOCs
File IOCs:

Network IOCs:
swift-fraud[.]com/documents/94563784.doc - downloads the initial document
cloud[.]yourdocument[.]biz/robots.txt - downloads the DLL dropper
nl[.][redacted][.]kz/robots.txt - downloads the JavaScript backdoor
nl[.][redacted][.]kz/api/v1 - JavaScript backdoor C&C; retrieves commands and executes them

Appendix B:
smrs.exe (d68351f754a508a386c06946c8e79088)
Downloader that downloads a shellcode, which in turn downloads the beacon.
smrs.exe (341917d17440ee8a334b202eb0378108)
Cobalt Strike beacon that is being deployed on affected workloads.
jusched.exe (d68351f754a508a386c06946c8e79088)
Downloader that downloads a shellcode, which in turn downloads the beacon. Same file/hash as "smrs.exe", just under a different name.
nusb1mon.exe (ddb9553c6e4e4908b5c7fbbdc4795d6c)
Tool that takes screenshots at specific time intervals.