Bank_Security

EVILNUM IOCs

May 6th, 2020
EVILNUM Observed In Attacks Against The Global Financial Industry

Indicators of Compromise

GDrive URLs
hxxps://drive[.]google[.]com/uc?auth_user=0&id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn&export=download
hxxps://docs[.]google[.]com/uc?authuser=0&id=1TROQjDFvR1pw7QckQq1TUVnOYUK6tR6Q&export=download

Zip Files (SHA-256)
0f4b51dafe6bd75bce2cfbd1fe16d1af91fd958084e23b526671b4e05423f9ee
97aa67531305da6fb73198fabd05b0592705c427519670a218d68d9def83f764
83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c

Microsoft Shortcut (LNK) Files (SHA-256)

Core Agent (SHA-256)
JavaScript agent version 4.0
    75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0
JavaScript agent version 3.6
    8c770d3424324030887fd6efcd7b989129f1430b8dafb482372240e93c009a24
    951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
JavaScript agent version 3.5
    ba4ca5ae0aeb7916a6b08320830bb48c756f7ebaa281431e1311cb66dba3bca0
    8100351010C260A7BDC2D283065097140418B5A33CF682F902E793FFAED263D4
Media.reg
    9FEE4514F8B3027AD045E67EE8D80317DD2AFBF7A996C97F47C216EAD011B070
MediaIE.reg
    6cc5a6ce509a7bbbcaeab1f0635c8b14cbd6a5503cde799de3163fbf70221301

Actor Created Folders
appData + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\
appData + \\Microsoft\\Credentials\\MediaPlayer\\UtilitiesLog\\

C2 Retrieval URLs
hxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/README.md
hxxps://www.digitalpoint[.]com/members/bliblobla.943007/
hxxps://gitlab[.]com/jhondeer123/test/raw/master/README.md
hxxps://www.digitalpoint[.]com/members/johndeer123.923670/
hxxps://gitlab[.]com/jhondeer123/test/raw/master/test.py

Command and Control Nodes
hxxp://139.28.37[.]63
hxxp://185.62.190[.]89
hxxp://185.62.190[.]218

MITRE ATT&CK Framework Mapping

Tactic               Technique
Initial Access       Spear Phishing Link (T1192)
Execution            User Execution (T1204)
Persistence          Registry Run Keys / Startup Folder (T1060)
Defense Evasion      Timestomping (T1099), Indicator Removal on Host (T1070), Modify Registry (T1112), Hidden Window (T1143), Rundll32 (T1085)
Credential Access    Steal Web Session Cookie (T1539)
Collection           Data from Local System (T1005), Data Staged (T1074)
Command & Control    Commonly Used Port (T1043), Web Service (T1102), Remote File Copy (T1105)
Exfiltration         Exfiltration Over Command and Control Channel (T1041)