Shade_Ransomware_IOCs_04-03-2019

1. #Shade #Troldesh #Ransomware #Trojan
2. -----------------------------------------
3. 04-03-2019 IOC's
4. -----------------------------------------
5. Main object- "a004acd1f73ab1d9b3b7cfb775eedafeaaf353749aeb5f6b2b9397c52db46f87.bin.gz"
6. sha256 dce8045e318cb0989599bb9d8403f63546cc89d3c55ee514265071128329e0a9
7. sha1 f12f044049690b6ab7fe96a1ecb9e0056013cef4
8. md5 4d5e94d891ad8062a310e7f9afe8bc06
9. Dropped executable file
10. sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\msg[1].jpg a1271c366e91dbc3a7f0d6b4b2c1873019056786219c14ad12185ad115771632
11. DNS requests
12. domain motorlineuk.co.uk
13. domain tb.ostroleka.pl
14. domain whatismyipaddress.com
15. domain whatsmyip.net
16. Connections
17. ip 212.42.180.221
18. ip 62.129.198.194
19. ip 76.73.17.194
20. ip 86.59.21.38
21. ip 208.83.223.34
22. ip 80.127.152.30
23. ip 104.16.154.36
24. ip 199.115.114.70
25. ip 131.188.40.189
26. ip 68.129.30.236
27. ip 104.18.34.131
28. ip 195.138.255.24
29. HTTP/HTTPS requests
30. url http://tb.ostroleka.pl/templates/siteground12/css/msg.jpg
31. url http://whatismyipaddress.com/
32. url http://whatsmyip.net/
33. ----------------------------------------
34. Main object- "a1271c366e91dbc3a7f0d6b4b2c1873019056786219c14ad12185ad115771632.bin.gz"
35. sha256 af33eb6f7534e21a4cdd2846dfc64b0feb6de92e0dc5e245fda1d3e3b9c88b7f
36. sha1 15b368152cfefb7642816441c8a07082bcbcbf87
37. md5 adfc1e1dbf415a0e5c8a5134f81fb1e7
38. Dropped executable file
39. sha256 C:\Users\admin\Desktop\a1271c366e91dbc3a7f0d6b4b2c1873019056786219c14ad12185ad115771632.bin.gz a1271c366e91dbc3a7f0d6b4b2c1873019056786219c14ad12185ad115771632
40. DNS requests
41. domain whatismyipaddress.com
42. domain whatsmyip.net
43. Connections
44. ip 86.59.21.38
45. ip 128.31.0.39
46. ip 76.73.17.194
47. ip 78.46.60.40
48. ip 104.16.155.36
49. ip 51.15.123.75
50. ip 95.141.35.15
51. ip 104.18.35.131
52. HTTP/HTTPS requests
53. url http://whatismyipaddress.com/
54. url http://whatsmyip.net/