Bank_Security

TA2101 IOCs

Nov 17th, 2019
German Cobalt Strike/German Tax Office spoof (October 23)
Lure email address: antwortensienicht@bzst-informieren.icu
SOA (DNS Start of Authority contact mailbox): gladkoff1991@yandex.ru

Italian Maze Campaign/Italian Ministry of Taxation spoof (October 29)
Lure email address: info@agenziaentrate.icu
SOA: gladkoff1991@yandex.ru

Proofpoint researchers have also determined that the IP address 91.218.114[.]37 is present in all Maze Ransomware downloads initiated by this actor.

German Maze Campaign/German Tax Office spoof (November 6)
This campaign uses a lure identical to the one observed on October 23, including the same "RSA Key" malicious Microsoft Word attachment. It is also the second campaign in which the word*.tmp variation of the payload URL (wordupd.tmp in the IOC table below) was observed.

German Maze Campaign/German ISP spoof (November 7)
This campaign, distributing Maze ransomware, impersonates a German internet service provider (1&1 Internet AG) and uses a malicious Word document with an "RSA Key" lure nearly identical to the one observed in the November 6 German Tax Office campaign and the October 23 German Cobalt Strike campaign.

Lure email address: antwortensienicht@bzstinform.icu
SOA: gladkoff1991@yandex.ru, which matches the October 23 Cobalt Strike campaign.

US IcedID Campaign / USPS Spoof (November 12)
On November 12, Proofpoint researchers observed a campaign using a USPS-themed lure to deliver the IcedID Trojan. No .icu domain was used in this campaign; the actor chose a different look-alike domain, uspsdelivery-service[.]com, instead. The malicious documents used similar "RSA"-style lures to those seen in the previous Cobalt Strike and Maze Ransomware campaigns, adding further evidence that the same actor/group is behind the distribution of those malware families.

The SOA for uspsdelivery-service[.]com is gladkoff1991@yandex.ru, which matches the previous campaigns.
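
The infrastructure pivot used above (one SOA contact mailbox recurring across unrelated look-alike domains) can be automated. The following is an added example, not part of the original paste or Proofpoint's tooling: it converts a DNS SOA RNAME into the mailbox it encodes, then groups domains that share one. The SOA records are constructed: the RNAME for the four lure domains is the one the write-up reports, while the primary nameservers, serials, timers and the two example.* control entries are placeholders.

```python
"""Cluster look-alike domains by the contact mailbox in their DNS SOA record.

Added example, not Proofpoint's code. SOA_RECORDS is a constructed stand-in
for live lookups (e.g. `dig +short SOA <domain>`): the RNAME values for the
four lure domains are what the write-up reports; nameserver names, serials,
timers and the example.* entries are placeholders.
"""
from collections import defaultdict

SOA_RECORDS = {
    # domain: "MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM" (presentation format)
    "bzst-informieren.icu":     "ns1.placeholder-dns.invalid. gladkoff1991.yandex.ru. 2019102301 3600 900 604800 300",
    "agenziaentrate.icu":       "ns1.placeholder-dns.invalid. gladkoff1991.yandex.ru. 2019102901 3600 900 604800 300",
    "bzstinform.icu":           "ns1.placeholder-dns.invalid. gladkoff1991.yandex.ru. 2019110701 3600 900 604800 300",
    "uspsdelivery-service.com": "ns2.placeholder-dns.invalid. gladkoff1991.yandex.ru. 2019111201 3600 900 604800 300",
    # invented controls: unrelated domains with their own contacts
    "example.org":              "ns1.example.org. hostmaster.example.org. 2019110101 7200 3600 1209600 3600",
    "example.net":              "ns1.example.net. dns-admin\\.ops.example.net. 2019110101 7200 3600 1209600 3600",
}


def soa_rname(rdata: str) -> str:
    """Pull the RNAME (responsible mailbox) out of presentation-format SOA rdata."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA rdata should have 7 fields, got {len(fields)}: {rdata!r}")
    return fields[1]


def rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME into a mailbox address (RFC 1035 section 3.3.13).

    The first unescaped dot separates the local part from the domain; a dot
    inside the local part is written as '\\.' in the zone. A trailing root
    dot is dropped.
    """
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # escaped character, keep it literally
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)  # no dot at all: not a valid mailbox, return unchanged


def cluster_by_soa_contact(records: dict) -> dict:
    """Group domains by SOA contact mailbox; returns {email: sorted [domains]}."""
    clusters = defaultdict(list)
    for domain, rdata in records.items():
        clusters[rname_to_email(soa_rname(rdata))].append(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}


def shared_contacts(clusters: dict, min_domains: int = 2) -> dict:
    """Keep only contacts that tie together at least min_domains domains."""
    return {email: doms for email, doms in clusters.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for email, domains in shared_contacts(cluster_by_soa_contact(SOA_RECORDS)).items():
        print(f"{email}: {', '.join(domains)}")
```

For live data, replace SOA_RECORDS with the rdata returned by `dig +short SOA <domain>` (or dnspython's `dns.resolver.resolve(domain, "SOA")`, reading `str(rdata.rname)`); the escape handling matters because a registrant mailbox such as john.doe@example.com appears in the zone as `john\.doe.example.com.`, and a naive "replace the first dot" would yield the wrong address.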
  27.  
  28.  
  29.  
  30. Indicators of Compromise (IOCs)
  31. IOC
  32.  
  33. IOC Type
  34.  
  35. Description
  36.  
  37. 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed
  38.  
  39. SHA256
  40.  
  41. Document
  42.  
  43. cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a
  44.  
  45. SHA256
  46.  
  47. Document
  48.  
  49. 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
  50.  
  51. SHA256
  52.  
  53. Document
  54.  
  55. 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4
  56.  
  57. SHA256
  58.  
  59. Document
  60.  
  61. 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506
  62.  
  63. SHA256
  64.  
  65. Document
  66.  
  67. d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8
  68.  
  69. SHA256
  70.  
  71. Document
  72.  
  73. 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a
  74.  
  75. SHA256
  76.  
  77. Document
  78.  
  79. antowortensienicht@bzst-infomieren[.]icu
  80.  
  81. Domain
  82.  
  83. Spoofed sending domain
  84.  
  85. info@agenziaentrate[.]icu
  86.  
  87. Domain
  88.  
  89. Spoofed sending domain
  90.  
  91. antwortensienicht@bzstinform[.]icu
  92.  
  93. Domain
  94.  
  95. Spoofed sending domain
  96.  
  97. uspsdelivery-service[.[com
  98.  
  99. Domain
  100.  
  101. Spoofed sending domain
  102.  
  103. hxxp://198.50.168.67/wordpack.tmp
  104.  
  105. Payload
  106.  
  107. Cobalt Strike
  108.  
  109. hxxp://conbase.top/sys.bat
  110.  
  111. Payload
  112.  
  113. Cobalt Strike
  114.  
  115. hxxp://104.168.198.208/wordupd.tmp
  116.  
  117. Payload
  118.  
  119. Maze Ransomware
  120.  
  121. hxxp://104.168.215.54/wordupd.tmp
  122.  
  123. Payload
  124.  
  125. Maze Ransomware
  126.  
  127. hxxp://104.168.174.32/wordupd_3.0.1.tmp
  128.  
  129. Payload
  130.  
  131. Maze Ransomware
  132.  
  133. hxxp://192.119.68.225/wordupd1.tmp
  134.  
  135. Payload
  136.  
  137. Buran Ransomware
  138.  
  139. hxxp://108.174.199.10/wordupd3.tmp
  140.  
  141. Payload
  142.  
  143. Buran Ransomware
  144.  
  145. hxxp://54.39.233.175/wupd19823.tmp
  146.  
  147. Payload
  148.  
  149. Buran Ransomware
  150.  
  151. hxxp://54.39.233.131/word1.tmp
  152.  
  153. Payload
  154.  
  155. Buran Ransomware
  156.  
  157. hxxp://104.168.198.230/wordupd.tmp
  158.  
  159. Payload
  160.  
  161. IcedID
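
To put the table to work, the following added example (not part of the original paste or Proofpoint's code) refangs the payload URLs and the Maze download IP from the write-up and screens proxy log lines against them, reporting exact URL hits first, then requests to a known payload host with a new path, then the Maze download server IP, and finally the word*.tmp file-naming pattern as a lower-confidence hunt lead. The Squid-format log lines are constructed, and PAYLOAD_NAME_RE is my assumption about what the "word*.tmp variation" in the write-up generalises to.

```python
"""Screen proxy logs against the payload URLs and download-server IP from the
IOC table. Added example, not Proofpoint's code. Indicator values are copied
from the table; the Squid-format log lines are constructed and PAYLOAD_NAME_RE
is an assumed generalisation of the word*.tmp file names, used only as a hunt lead.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Payload URLs from the IOC table, kept defanged as published.
PAYLOAD_URLS = {
    "hxxp://198.50.168.67/wordpack.tmp": "Cobalt Strike",
    "hxxp://conbase.top/sys.bat": "Cobalt Strike",
    "hxxp://104.168.198.208/wordupd.tmp": "Maze Ransomware",
    "hxxp://104.168.215.54/wordupd.tmp": "Maze Ransomware",
    "hxxp://104.168.174.32/wordupd_3.0.1.tmp": "Maze Ransomware",
    "hxxp://192.119.68.225/wordupd1.tmp": "Buran Ransomware",
    "hxxp://108.174.199.10/wordupd3.tmp": "Buran Ransomware",
    "hxxp://54.39.233.175/wupd19823.tmp": "Buran Ransomware",
    "hxxp://54.39.233.131/word1.tmp": "Buran Ransomware",
    "hxxp://104.168.198.230/wordupd.tmp": "IcedID",
}
# IP the write-up reports in every Maze download by this actor.
MAZE_DOWNLOAD_IP = "91.218.114[.]37"
# Assumption: generalises wordpack.tmp, wordupd.tmp, wordupd_3.0.1.tmp,
# word1.tmp and wupd19823.tmp from the table. Hunt lead, not a confirmed IOC.
PAYLOAD_NAME_RE = re.compile(r"^/w(?:ord|upd)[\w.]*\.tmp$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """hxxp:// -> http://, [.] -> . so an indicator can be compared with live logs."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def defang(url: str) -> str:
    """Make a live URL safe to paste into a report (scheme and host neutralised)."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}{query}"


EXACT_URLS = {refang(u): fam for u, fam in PAYLOAD_URLS.items()}
HOST_FAMILY = {urlsplit(u).hostname: fam for u, fam in EXACT_URLS.items()}


def classify(url: str, dest_ip: Optional[str] = None):
    """Return (family, reason) for one request, or None if nothing matches.

    Checks run from most to least specific so a confirmed IOC hit is never
    reported as a mere naming-pattern match.
    """
    if url in EXACT_URLS:
        return EXACT_URLS[url], "exact IOC URL"
    p = urlsplit(url)
    if p.hostname in HOST_FAMILY:
        return HOST_FAMILY[p.hostname], "IOC host, new path"
    if dest_ip == refang(MAZE_DOWNLOAD_IP):
        return "Maze Ransomware", "Maze download server IP"
    if PAYLOAD_NAME_RE.match(p.path):
        return "unknown", "word*.tmp payload name (hunt lead, not a confirmed IOC)"
    return None


def scan_squid_log(lines):
    """Squid native format: ts elapsed client action/code size method url ident hier/ip type."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url, hier = f[2], f[6], f[8]
        dest_ip = hier.partition("/")[2] or None  # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"
        verdict = classify(url, dest_ip)
        if verdict:
            hits.append({"client": client, "url": defang(url),
                         "family": verdict[0], "reason": verdict[1]})
    return hits


# Constructed log lines; clients and benign destinations use documentation ranges.
SAMPLE_LOG = """\
1573574400.101    312 10.10.4.21 TCP_MISS/200 211456 GET http://104.168.198.208/wordupd.tmp - HIER_DIRECT/104.168.198.208 application/octet-stream
1573574461.550     88 10.10.4.21 TCP_MISS/200 1020 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.20 text/html
1573574502.009    240 10.10.7.3 TCP_MISS/200 198221 GET http://54.39.233.175/wupd19823.tmp - HIER_DIRECT/54.39.233.175 application/octet-stream
1573574530.777    199 10.10.9.8 TCP_MISS/200 190004 GET http://203.0.113.77/wordupd7.tmp - HIER_DIRECT/203.0.113.77 application/octet-stream
1573574601.333    150 10.10.9.8 TCP_MISS/200 9000 GET http://conbase.top/update.txt - HIER_DIRECT/198.51.100.9 text/plain
1573574655.004    210 10.10.2.14 TCP_MISS/200 200112 GET http://91.218.114.37/files/setup.bin - HIER_DIRECT/91.218.114.37 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    for hit in scan_squid_log(SAMPLE_LOG):
        print(f"{hit['client']:<12} {hit['family']:<18} {hit['reason']:<56} {hit['url']}")
```

The pattern rule is deliberately last and labelled as a hunt lead: a hit on it alone should trigger a look at the client and the downloaded file, not an incident ticket, whereas an exact URL or host match against the published list warrants immediate isolation of the client.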