Bank_Security

TA505 IOC

May 30th, 2019
Indicators of Compromise (defanged: read hxxps as https and [.] as . before use)
Drop URLs:
kentona[.]su – 47[.]245.58.124
hxxps://kentona[.]su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe
hxxps://kentona[.]su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe
C2:
217[.]12.201.159
Persistence (per-user registry autorun; the value name is not given in this paste):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA-256 hashes (64 hex characters each):
0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273
1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b
fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0
c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a
5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3
aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7
210bb55664d291d82b94b9cea6fcf41029eded9eca6e7fe7b7d58715407a0703
2b5eefc4bc2d34cbe5093332c47b5405cf5c32e8156767fc8bc9ddd9cdcf3018
609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2
YARA rules (author per rule meta: Cybaze - Yoroi ZLab, last updated 2019-05-22, TLP:WHITE, informational)
  22. rule excel_dropper {
  23. meta:
  24. description = "Yara rule for excel dropper"
  25. author = "Cybaze - Yoroi ZLab"
  26. last_updated = "2019-05-22"
  27. tlp = "white"
  28. category = "informational"
  29. strings:
  30. $a1 = { 98 C3 AB F0 E7 F3 BD F4 }
  31. $a2 = { 41 6E D5 7E F0 10 AB A7 }
  32. $a3 = "gxbgarjktzyu"
  33. $a4 = "Bob Brown"
  34.  
  35. condition:
  36. all of them
  37. }
  38.  
  39. import "pe"
  40. rule pasmmm_exe {
  41. meta:
  42. description = "Yara rule for pasmmm SFX archive"
  43. author = "Cybaze - Yoroi ZLab"
  44. last_updated = "2019-05-22"
  45. tlp = "white"
  46. category = "informational"
  47. strings:
  48. $a1 = { 1C Cf 43 39 C8 32 B4 B0 }
  49. $a2 = { 60 6C B8 7C 5F FA }
  50. $a3 = "LookupPrivilege"
  51. $a4 = "LoadBitmap"
  52.  
  53. condition:
  54. pe.number_of_sections == 6 and all of them
  55. }
  56.  
  57. import "pe"
  58. rule uninstall_exe {
  59. meta:
  60. description = "Yara rule for uninstall SFX archive"
  61. author = "Cybaze - Yoroi ZLab"
  62. last_updated = "2019-05-22"
  63. tlp = "white"
  64. category = "informational"
  65. strings:
  66. $a1 = { E8 68 BA 01 00 51 }
  67. $a2 = { 58 E9 8B C6 4F 6F 7A }
  68. $a3 = { D9 4E D5 FA D4 34 }
  69.  
  70. condition:
  71. pe.number_of_resources == 24 and all of them
  72. }
  73.  
  74. import "pe"
  75. rule winserv_exe {
  76. meta:
  77. description = "Yara rule for winserv backdoor"
  78. author = "Cybaze - Yoroi ZLab"
  79. last_updated = "2019-05-22"
  80. tlp = "white"
  81. category = "informational"
  82. strings:
  83. $a1 = "MPRESS1"
  84. $a2 = { 90 C4 73 05 E6 92 }
  85. $a3 = { E9 64 4B 56 3F EC }
  86. $a4 = { 10 EF D0 E1 36 E1 14 3C }
  87.  
  88. condition:
  89. all of them and pe.version_info["CompanyName"] contains "tox"
  90. }
  91.  
  92. import "pe"
  93. rule veter_random {
  94. meta:
  95. description = "Yara rule for veter_trojan"
  96. author = "Cybaze - Yoroi ZLab"
  97. last_updated = "2019-05-22"
  98. tlp = "white"
  99. category = "informational"
  100. strings:
  101. $a = { 5E C2 04 00 F6 44 24 04 01 56 }
  102.  
  103. $b1 = { 01 8B 02 8B 48 04 03}
  104. $b2 = { 4A 3B C2 7E 08 8B C2 }
  105.  
  106. $c1 = { E8 83 CA 04 89 55 E8 }
  107. $c2 = { 1F DF 70 07 22 84 82 }
  108.  
  109. condition:
  110. $a and (($b1 and $b2 and pe.version_info["CompanyName"] contains "Miranda") or ($c1 and $c2 and pe.version_info["InternalName"] contains "DrldwgRom"))
  111. }