MVISION Insights: Prometheus TDS, Antibot, Redirect System
Technical Articles ID: KB95383
Last Modified: 3/29/2022
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.
Summary
The Prometheus TDS (traffic direction system) is an underground service used to redirect visitors to phishing and malicious sites and to distribute malware. An administrative panel is used to configure the parameters of a malicious campaign. Third-party infected websites act as a middleman between the administrative panel and the victim, so that the panel itself is not exposed and blocked. Malware is delivered to the target system in several stages. The user first receives an HTML file, a link to a web shell, or a link to a Google Doc, which redirects the user to a compromised site, to a specified URL, or to a malicious link. In the second stage the victim opens the attachment or follows the link, which drops a backdoor used to collect sensitive data. In the final stage the stolen information is sent to the admin panel, where it is used to determine whether the user is sent a malicious file or directed to a specified URL.
Prometheus has been advertised on the underground XSS forum by the user named Main or Ma1n since September 2020.
The threat actor mentions the following details:
NOTE: Auto translated from Russian
System capabilities:
- Validation of WSO, PAS shells.
- Creation and testing of redirects functionality.
- Recreation of deleted redirects on previously created names to eliminate traffic loss.
- Creating hybrid redirects: Google redirects + shell redirects.
- A Google redirect is created with a random link from the panel, thus getting Google redirects with click statistics and the Antibot system.
- Support for Google accounts + cookies.
- Support for Socks5.
- Loading a pre-created Doc file.
- Traffic distribution system.
- Detailed click statistics.
- Google Red Alert, Chrome checker.
- Crypt EMAIL base for substitution (crypt EMAIL into GET string).
- Well thought-out and pleasant interface.
- Two modes.
Prices: $30 two days, $100 a week, $150 two weeks, $250 a month.
Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
This campaign was researched by Group-IB and shared publicly.
How to use this article:
- If a Threat Hunting table has been created, use the rules it contains to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Threat Hunting:
```yara
rule win_campoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.campoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b4508 0345c8 50 8b4d0c }
            // n = 4, score = 200
            //   8b4508 | mov eax, dword ptr [ebp + 8]
            //   0345c8 | add eax, dword ptr [ebp - 0x38]
            //   50 | push eax
            //   8b4d0c | mov ecx, dword ptr [ebp + 0xc]

        $sequence_1 = { 8945fc c745c800000000 c745c000000000 a1???????? 8945f4 8b0d???????? 894df8 }
            // n = 7, score = 200
            //   8945fc | mov dword ptr [ebp - 4], eax
            //   c745c800000000 | mov dword ptr [ebp - 0x38], 0
            //   c745c000000000 | mov dword ptr [ebp - 0x40], 0
            //   a1???????? |
            //   8945f4 | mov dword ptr [ebp - 0xc], eax
            //   8b0d???????? |
            //   894df8 | mov dword ptr [ebp - 8], ecx

        $sequence_2 = { 8b8d70efffff 51 8b9584efffff 52 }
            // n = 4, score = 200
            //   8b8d70efffff | mov ecx, dword ptr [ebp - 0x1090]
            //   51 | push ecx
            //   8b9584efffff | mov edx, dword ptr [ebp - 0x107c]
            //   52 | push edx

        $sequence_3 = { 8d55f4 899580efffff 8b8580efffff 83c001 }
            // n = 4, score = 200
            //   8d55f4 | lea edx, dword ptr [ebp - 0xc]
            //   899580efffff | mov dword ptr [ebp - 0x1080], edx
            //   8b8580efffff | mov eax, dword ptr [ebp - 0x1080]
            //   83c001 | add eax, 1

        $sequence_4 = { c702bb010000 8d45e8 8945d4 8b4dd4 83c101 894dac 8b55d4 }
            // n = 7, score = 200
            //   c702bb010000 | mov dword ptr [edx], 0x1bb
            //   8d45e8 | lea eax, dword ptr [ebp - 0x18]
            //   8945d4 | mov dword ptr [ebp - 0x2c], eax
            //   8b4dd4 | mov ecx, dword ptr [ebp - 0x2c]
            //   83c101 | add ecx, 1
            //   894dac | mov dword ptr [ebp - 0x54], ecx
            //   8b55d4 | mov edx, dword ptr [ebp - 0x2c]

        $sequence_5 = { 8d4588 50 68???????? 6a00 6a00 6a00 6a00 }
            // n = 7, score = 200
            //   8d4588 | lea eax, dword ptr [ebp - 0x78]
            //   50 | push eax
            //   68???????? |
            //   6a00 | push 0
            //   6a00 | push 0
            //   6a00 | push 0
            //   6a00 | push 0

        $sequence_6 = { 8b5508 8955d0 8b45d0 83c001 8945a4 8b4dd0 }
            // n = 6, score = 200
            //   8b5508 | mov edx, dword ptr [ebp + 8]
            //   8955d0 | mov dword ptr [ebp - 0x30], edx
            //   8b45d0 | mov eax, dword ptr [ebp - 0x30]
            //   83c001 | add eax, 1
            //   8945a4 | mov dword ptr [ebp - 0x5c], eax
            //   8b4dd0 | mov ecx, dword ptr [ebp - 0x30]

        $sequence_7 = { 50 ff15???????? 837d1001 0f8579010000 c78574efffff00000000 c78578efffff70170000 c78570efffff70170000 }
            // n = 7, score = 200
            //   50 | push eax
            //   ff15???????? |
            //   837d1001 | cmp dword ptr [ebp + 0x10], 1
            //   0f8579010000 | jne 0x17f
            //   c78574efffff00000000 | mov dword ptr [ebp - 0x108c], 0
            //   c78578efffff70170000 | mov dword ptr [ebp - 0x1088], 0x1770
            //   c78570efffff70170000 | mov dword ptr [ebp - 0x1090], 0x1770

        $sequence_8 = { 8955f8 8b45e4 8945ec 8b4dec 83c101 }
            // n = 5, score = 200
            //   8955f8 | mov dword ptr [ebp - 8], edx
            //   8b45e4 | mov eax, dword ptr [ebp - 0x1c]
            //   8945ec | mov dword ptr [ebp - 0x14], eax
            //   8b4dec | mov ecx, dword ptr [ebp - 0x14]
            //   83c101 | add ecx, 1

        $sequence_9 = { c7458844000000 b907000000 be???????? 8d7ddc f3a5 66a5 }
            // n = 6, score = 200
            //   c7458844000000 | mov dword ptr [ebp - 0x78], 0x44
            //   b907000000 | mov ecx, 7
            //   be???????? |
            //   8d7ddc | lea edi, dword ptr [ebp - 0x24]
            //   f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi]
            //   66a5 | movsw word ptr es:[edi], word ptr [esi]

    condition:
        7 of them and filesize < 66560
}
```
```yara
rule win_hancitor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.hancitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6a00 6a00 6824040000 6a00 6a00 6a00 }
            // n = 6, score = 800
            //   6a00 | push 0
            //   6a00 | push 0
            //   6824040000 | push 0x424
            //   6a00 | push 0
            //   6a00 | push 0
            //   6a00 | push 0

        $sequence_1 = { 68???????? 8d85dcfaffff 50 ff15???????? }
            // n = 4, score = 600
            //   68???????? |
            //   8d85dcfaffff | lea eax, dword ptr [ebp - 0x524]
            //   50 | push eax
            //   ff15???????? |

        $sequence_2 = { 6800010000 6a40 68???????? e8???????? }
            // n = 4, score = 600
            //   6800010000 | push 0x100
            //   6a40 | push 0x40
            //   68???????? |
            //   e8???????? |

        $sequence_3 = { 750d e8???????? 83c010 a3???????? }
            // n = 4, score = 500
            //   750d | jne 0xf
            //   e8???????? |
            //   83c010 | add eax, 0x10
            //   a3???????? |

        $sequence_4 = { 6a20 68???????? 68???????? e8???????? 83c410 }
            // n = 5, score = 500
            //   6a20 | push 0x20
            //   68???????? |
            //   68???????? |
            //   e8???????? |
            //   83c410 | add esp, 0x10

        $sequence_5 = { 8955fc 8b45f8 0fb74806 394dfc 7334 6b55fc28 }
            // n = 6, score = 500
            //   8955fc | mov dword ptr [ebp - 4], edx
            //   8b45f8 | mov eax, dword ptr [ebp - 8]
            //   0fb74806 | movzx ecx, word ptr [eax + 6]
            //   394dfc | cmp dword ptr [ebp - 4], ecx
            //   7334 | jae 0x36
            //   6b55fc28 | imul edx, dword ptr [ebp - 4], 0x28

        $sequence_6 = { e9???????? b801000000 6bc800 8b5508 0fbe040a 8945fc 8b4dfc }
            // n = 7, score = 500
            //   e9???????? |
            //   b801000000 | mov eax, 1
            //   6bc800 | imul ecx, eax, 0
            //   8b5508 | mov edx, dword ptr [ebp + 8]
            //   0fbe040a | movsx eax, byte ptr [edx + ecx]
            //   8945fc | mov dword ptr [ebp - 4], eax
            //   8b4dfc | mov ecx, dword ptr [ebp - 4]

        $sequence_7 = { 85c0 7504 33c0 eb0f 8b450c 50 }
            // n = 6, score = 500
            //   85c0 | test eax, eax
            //   7504 | jne 6
            //   33c0 | xor eax, eax
            //   eb0f | jmp 0x11
            //   8b450c | mov eax, dword ptr [ebp + 0xc]
            //   50 | push eax

        $sequence_8 = { 83c201 895508 ebaf 33c0 }
            // n = 4, score = 500
            //   83c201 | add edx, 1
            //   895508 | mov dword ptr [ebp + 8], edx
            //   ebaf | jmp 0xffffffb1
            //   33c0 | xor eax, eax

        $sequence_9 = { 55 8bec 81ec58010000 6a44 }
            // n = 4, score = 500
            //   55 | push ebp
            //   8bec | mov ebp, esp
            //   81ec58010000 | sub esp, 0x158
            //   6a44 | push 0x44

        $sequence_10 = { 8b4d08 51 ff15???????? 8945fc 8b55fc 8955f4 837dfc00 }
            // n = 7, score = 500
            //   8b4d08 | mov ecx, dword ptr [ebp + 8]
            //   51 | push ecx
            //   ff15???????? |
            //   8945fc | mov dword ptr [ebp - 4], eax
            //   8b55fc | mov edx, dword ptr [ebp - 4]
            //   8955f4 | mov dword ptr [ebp - 0xc], edx
            //   837dfc00 | cmp dword ptr [ebp - 4], 0

        $sequence_11 = { eb9d 8b45f4 8b4de8 2b4804 }
            // n = 4, score = 500
            //   eb9d | jmp 0xffffff9f
            //   8b45f4 | mov eax, dword ptr [ebp - 0xc]
            //   8b4de8 | mov ecx, dword ptr [ebp - 0x18]
            //   2b4804 | sub ecx, dword ptr [eax + 4]

        $sequence_12 = { e8???????? 83c410 83f801 755d }
            // n = 4, score = 400
            //   e8???????? |
            //   83c410 | add esp, 0x10
            //   83f801 | cmp eax, 1
            //   755d | jne 0x5f

        $sequence_13 = { 8bec a1???????? 85c0 740c ff7508 6a00 }
            // n = 6, score = 400
            //   8bec | mov ebp, esp
            //   a1???????? |
            //   85c0 | test eax, eax
            //   740c | je 0xe
            //   ff7508 | push dword ptr [ebp + 8]
            //   6a00 | push 0

        $sequence_14 = { 53 56 57 8b483c 33f6 03c8 6a40 }
            // n = 7, score = 400
            //   53 | push ebx
            //   56 | push esi
            //   57 | push edi
            //   8b483c | mov ecx, dword ptr [eax + 0x3c]
            //   33f6 | xor esi, esi
            //   03c8 | add ecx, eax
            //   6a40 | push 0x40

        $sequence_15 = { 8b4dfc 85c0 7402 8908 8b5518 85d2 }
            // n = 6, score = 400
            //   8b4dfc | mov ecx, dword ptr [ebp - 4]
            //   85c0 | test eax, eax
            //   7402 | je 4
            //   8908 | mov dword ptr [eax], ecx
            //   8b5518 | mov edx, dword ptr [ebp + 0x18]
            //   85d2 | test edx, edx

        $sequence_16 = { 55 8bec 8b4d08 6a00 6a01 51 }
            // n = 6, score = 400
            //   55 | push ebp
            //   8bec | mov ebp, esp
            //   8b4d08 | mov ecx, dword ptr [ebp + 8]
            //   6a00 | push 0
            //   6a01 | push 1
            //   51 | push ecx

        $sequence_17 = { 41 83f941 72ed 881d???????? c705????????01000000 }
            // n = 5, score = 400
            //   41 | inc ecx
            //   83f941 | cmp ecx, 0x41
            //   72ed | jb 0xffffffef
            //   881d???????? |
            //   c705????????01000000 |

        $sequence_18 = { 57 ff15???????? 8bd8 83fbff 7509 6a00 57 }
            // n = 7, score = 400
            //   57 | push edi
            //   ff15???????? |
            //   8bd8 | mov ebx, eax
            //   83fbff | cmp ebx, -1
            //   7509 | jne 0xb
            //   6a00 | push 0
            //   57 | push edi

        $sequence_19 = { 7502 5d c3 ff7508 6a00 50 ff15???????? }
            // n = 7, score = 400
            //   7502 | jne 4
            //   5d | pop ebp
            //   c3 | ret
            //   ff7508 | push dword ptr [ebp + 8]
            //   6a00 | push 0
            //   50 | push eax
            //   ff15???????? |

        $sequence_20 = { a3???????? 8b45a0 05c8d45566 7440 }
            // n = 4, score = 100
            //   a3???????? |
            //   8b45a0 | mov eax, dword ptr [ebp - 0x60]
            //   05c8d45566 | add eax, 0x6655d4c8
            //   7440 | je 0x42

        $sequence_21 = { a1???????? 83c052 8945cc 8365e400 }
            // n = 4, score = 100
            //   a1???????? |
            //   83c052 | add eax, 0x52
            //   8945cc | mov dword ptr [ebp - 0x34], eax
            //   8365e400 | and dword ptr [ebp - 0x1c], 0

        $sequence_22 = { 0345cc 8945c4 8b45cc 0345e4 }
            // n = 4, score = 100
            //   0345cc | add eax, dword ptr [ebp - 0x34]
            //   8945c4 | mov dword ptr [ebp - 0x3c], eax
            //   8b45cc | mov eax, dword ptr [ebp - 0x34]
            //   0345e4 | add eax, dword ptr [ebp - 0x1c]

        $sequence_23 = { c645f301 0fb645f3 85c0 7476 a1???????? 83c044 a3???????? }
            // n = 7, score = 100
            //   c645f301 | mov byte ptr [ebp - 0xd], 1
            //   0fb645f3 | movzx eax, byte ptr [ebp - 0xd]
            //   85c0 | test eax, eax
            //   7476 | je 0x78
            //   a1???????? |
            //   83c044 | add eax, 0x44
            //   a3???????? |

        $sequence_24 = { 0305???????? 8945cc 8b45e4 48 8945e4 894df4 }
            // n = 6, score = 100
            //   0305???????? |
            //   8945cc | mov dword ptr [ebp - 0x34], eax
            //   8b45e4 | mov eax, dword ptr [ebp - 0x1c]
            //   48 | dec eax
            //   8945e4 | mov dword ptr [ebp - 0x1c], eax
            //   894df4 | mov dword ptr [ebp - 0xc], ecx

        $sequence_25 = { 40 8945b8 837db80a 0f8d7f010000 8b45c4 0345cc 8945c4 }
            // n = 7, score = 100
            //   40 | inc eax
            //   8945b8 | mov dword ptr [ebp - 0x48], eax
            //   837db80a | cmp dword ptr [ebp - 0x48], 0xa
            //   0f8d7f010000 | jge 0x185
            //   8b45c4 | mov eax, dword ptr [ebp - 0x3c]
            //   0345cc | add eax, dword ptr [ebp - 0x34]
            //   8945c4 | mov dword ptr [ebp - 0x3c], eax

        $sequence_26 = { 0f8ced000000 a1???????? a3???????? b9382baa99 8d45fc 50 6a00 }
            // n = 7, score = 100
            //   0f8ced000000 | jl 0xf3
            //   a1???????? |
            //   a3???????? |
            //   b9382baa99 | mov ecx, 0x99aa2b38
            //   8d45fc | lea eax, dword ptr [ebp - 4]
            //   50 | push eax
            //   6a00 | push 0

        $sequence_27 = { 8b45a0 05c8d45566 0f8482000000 c645f301 }
            // n = 4, score = 100
            //   8b45a0 | mov eax, dword ptr [ebp - 0x60]
            //   05c8d45566 | add eax, 0x6655d4c8
            //   0f8482000000 | je 0x88
            //   c645f301 | mov byte ptr [ebp - 0xd], 1

    condition:
        7 of them and filesize < 106496
}
```
```yara
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.qakbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 4100
            //   57 | push edi
            //   ff15???????? |
            //   33c0 | xor eax, eax
            //   85f6 | test esi, esi
            //   0f94c0 | sete al

        $sequence_1 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 4100
            //   50 | push eax
            //   ff5508 | call dword ptr [ebp + 8]
            //   8bf0 | mov esi, eax
            //   59 | pop ecx

        $sequence_2 = { c9 c3 55 8bec 81ecc4090000 }
            // n = 5, score = 4000
            //   c9 | leave
            //   c3 | ret
            //   55 | push ebp
            //   8bec | mov ebp, esp
            //   81ecc4090000 | sub esp, 0x9c4

        $sequence_3 = { 6a02 ff15???????? 8bf8 83c8ff }
            // n = 4, score = 3900
            //   6a02 | push 2
            //   ff15???????? |
            //   8bf8 | mov edi, eax
            //   83c8ff | or eax, 0xffffffff

        $sequence_4 = { 740d 8d45fc 6a00 50 e8???????? }
            // n = 5, score = 3900
            //   740d | je 0xf
            //   8d45fc | lea eax, dword ptr [ebp - 4]
            //   6a00 | push 0
            //   50 | push eax
            //   e8???????? |

        $sequence_5 = { 7405 8b4df8 8908 ff75fc ff15???????? }
            // n = 5, score = 3900
            //   7405 | je 7
            //   8b4df8 | mov ecx, dword ptr [ebp - 8]
            //   8908 | mov dword ptr [eax], ecx
            //   ff75fc | push dword ptr [ebp - 4]
            //   ff15???????? |

        $sequence_6 = { 750c 57 ff15???????? 6afe 58 }
            // n = 5, score = 3900
            //   750c | jne 0xe
            //   57 | push edi
            //   ff15???????? |
            //   6afe | push -2
            //   58 | pop eax

        $sequence_7 = { 33c0 7402 ebfa e8???????? }
            // n = 4, score = 3900
            //   33c0 | xor eax, eax
            //   7402 | je 4
            //   ebfa | jmp 0xfffffffc
            //   e8???????? |

        $sequence_8 = { c74508???????? e8???????? 85c0 7d08 83c8ff e9???????? }
            // n = 6, score = 3900
            //   c74508???????? |
            //   e8???????? |
            //   85c0 | test eax, eax
            //   7d08 | jge 0xa
            //   83c8ff | or eax, 0xffffffff
            //   e9???????? |

        $sequence_9 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3900
            //   c3 | ret
            //   33c9 | xor ecx, ecx
            //   3d80000000 | cmp eax, 0x80
            //   0f94c1 | sete cl

        $sequence_10 = { 8b81c0090000 8b1481 40 8981c0090000 8bc2 }
            // n = 5, score = 3900
            //   8b81c0090000 | mov eax, dword ptr [ecx + 0x9c0]
            //   8b1481 | mov edx, dword ptr [ecx + eax*4]
            //   40 | inc eax
            //   8981c0090000 | mov dword ptr [ecx + 0x9c0], eax
            //   8bc2 | mov eax, edx

        $sequence_11 = { c1e814 40 c1e014 50 }
            // n = 4, score = 3800
            //   c1e814 | shr eax, 0x14
            //   40 | inc eax
            //   c1e014 | shl eax, 0x14
            //   50 | push eax

        $sequence_12 = { e8???????? 83c40c 33c0 7402 }
            // n = 4, score = 3700
            //   e8???????? |
            //   83c40c | add esp, 0xc
            //   33c0 | xor eax, eax
            //   7402 | je 4

        $sequence_13 = { 7402 ebfa 33c0 7402 }
            // n = 4, score = 3700
            //   7402 | je 4
            //   ebfa | jmp 0xfffffffc
            //   33c0 | xor eax, eax
            //   7402 | je 4

        $sequence_14 = { 7402 ebfa eb06 33c0 }
            // n = 4, score = 3700
            //   7402 | je 4
            //   ebfa | jmp 0xfffffffc
            //   eb06 | jmp 8
            //   33c0 | xor eax, eax

        $sequence_15 = { 7506 837dec00 740f 817de800000080 }
            // n = 4, score = 3600
            //   7506 | jne 8
            //   837dec00 | cmp dword ptr [ebp - 0x14], 0
            //   740f | je 0x11
            //   817de800000080 | cmp dword ptr [ebp - 0x18], 0x80000000

        $sequence_16 = { 8365fc00 6a00 8d45fc 50 8b4510 2bc6 }
            // n = 6, score = 3600
            //   8365fc00 | and dword ptr [ebp - 4], 0
            //   6a00 | push 0
            //   8d45fc | lea eax, dword ptr [ebp - 4]
            //   50 | push eax
            //   8b4510 | mov eax, dword ptr [ebp + 0x10]
            //   2bc6 | sub eax, esi

        $sequence_17 = { 50 68???????? 6a3f 8d45c0 }
            // n = 4, score = 3600
            //   50 | push eax
            //   68???????? |
            //   6a3f | push 0x3f
            //   8d45c0 | lea eax, dword ptr [ebp - 0x40]

        $sequence_18 = { 837d0800 7507 c74508???????? e8???????? }
            // n = 4, score = 3600
            //   837d0800 | cmp dword ptr [ebp + 8], 0
            //   7507 | jne 9
            //   c74508???????? |
            //   e8???????? |

        $sequence_19 = { 7412 8d85d8feffff 50 57 ff15???????? }
            // n = 5, score = 3500
            //   7412 | je 0x14
            //   8d85d8feffff | lea eax, dword ptr [ebp - 0x128]
            //   50 | push eax
            //   57 | push edi
            //   ff15???????? |

        $sequence_20 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 3500
            //   ff750c | push dword ptr [ebp + 0xc]
            //   8d85d8feffff | lea eax, dword ptr [ebp - 0x128]
            //   50 | push eax
            //   ff5508 | call dword ptr [ebp + 8]

        $sequence_21 = { 6a00 58 0f95c0 40 50 }
            // n = 5, score = 3500
            //   6a00 | push 0
            //   58 | pop eax
            //   0f95c0 | setne al
            //   40 | inc eax
            //   50 | push eax

    condition:
        7 of them and filesize < 958464
}
```
```yara
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.icedid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7411 ff7500 56 ff15???????? }
            // n = 4, score = 1400
            //   7411 | je 0x13
            //   ff7500 | push dword ptr [ebp]
            //   56 | push esi
            //   ff15???????? |

        $sequence_1 = { 0fb74738 50 ff773c 51 51 ff15???????? }
            // n = 6, score = 1300
            //   0fb74738 | movzx eax, word ptr [edi + 0x38]
            //   50 | push eax
            //   ff773c | push dword ptr [edi + 0x3c]
            //   51 | push ecx
            //   51 | push ecx
            //   ff15???????? |

        $sequence_2 = { 50 ff15???????? 33c0 40 eb11 }
            // n = 5, score = 1300
            //   50 | push eax
            //   ff15???????? |
            //   33c0 | xor eax, eax
            //   40 | inc eax
            //   eb11 | jmp 0x13

        $sequence_3 = { 742c 803e00 7427 6a3b 56 ff15???????? 8bf8 }
            // n = 7, score = 1300
            //   742c | je 0x2e
            //   803e00 | cmp byte ptr [esi], 0
            //   7427 | je 0x29
            //   6a3b | push 0x3b
            //   56 | push esi
            //   ff15???????? |
            //   8bf8 | mov edi, eax

        $sequence_4 = { 833e00 50 7413 ff36 6a08 ff15???????? 50 }
            // n = 7, score = 1300
            //   833e00 | cmp dword ptr [esi], 0
            //   50 | push eax
            //   7413 | je 0x15
            //   ff36 | push dword ptr [esi]
            //   6a08 | push 8
            //   ff15???????? |
            //   50 | push eax

        $sequence_5 = { 7511 56 57 ff15???????? 50 ff15???????? }
            // n = 6, score = 1300
            //   7511 | jne 0x13
            //   56 | push esi
            //   57 | push edi
            //   ff15???????? |
            //   50 | push eax
            //   ff15???????? |

        $sequence_6 = { 85c0 7411 40 50 6a08 ff15???????? 50 }
            // n = 7, score = 1300
            //   85c0 | test eax, eax
            //   7411 | je 0x13
            //   40 | inc eax
            //   50 | push eax
            //   6a08 | push 8
            //   ff15???????? |
            //   50 | push eax

        $sequence_7 = { 57 6a00 ff15???????? 50 ff15???????? 8bc6 eb02 }
            // n = 7, score = 1300
            //   57 | push edi
            //   6a00 | push 0
            //   ff15???????? |
            //   50 | push eax
            //   ff15???????? |
            //   8bc6 | mov eax, esi
            //   eb02 | jmp 4

        $sequence_8 = { 50 ff15???????? eb0b 6a08 }
            // n = 4, score = 1200
            //   50 | push eax
            //   ff15???????? |
            //   eb0b | jmp 0xd
            //   6a08 | push 8

        $sequence_9 = { 8d4c2414 51 ff33 50 57 }
            // n = 5, score = 1000
            //   8d4c2414 | lea ecx, dword ptr [esp + 0x14]
            //   51 | push ecx
            //   ff33 | push dword ptr [ebx]
            //   50 | push eax
            //   57 | push edi

        $sequence_10 = { 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 5, score = 1000
            //   8bf0 | mov esi, eax
            //   8d45fc | lea eax, dword ptr [ebp - 4]
            //   50 | push eax
            //   ff75fc | push dword ptr [ebp - 4]
            //   6a05 | push 5

        $sequence_11 = { eb0b 6a08 ffd3 50 ff15???????? 8bf0 85f6 }
            // n = 7, score = 900
            //   eb0b | jmp 0xd
            //   6a08 | push 8
            //   ffd3 | call ebx
            //   50 | push eax
            //   ff15???????? |
            //   8bf0 | mov esi, eax
            //   85f6 | test esi, esi

        $sequence_12 = { c3 51 51 8b4c240c 53 55 56 }
            // n = 7, score = 800
            //   c3 | ret
            //   51 | push ecx
            //   51 | push ecx
            //   8b4c240c | mov ecx, dword ptr [esp + 0xc]
            //   53 | push ebx
            //   55 | push ebp
            //   56 | push esi

        $sequence_13 = { 8d45fc 50 6a04 6a05 }
            // n = 4, score = 800
            //   8d45fc | lea eax, dword ptr [ebp - 4]
            //   50 | push eax
            //   6a04 | push 4
            //   6a05 | push 5

        $sequence_14 = { 0132 47 83c302 3bfd 72c4 8b542414 0302 }
            // n = 7, score = 800
            //   0132 | add dword ptr [edx], esi
            //   47 | inc edi
            //   83c302 | add ebx, 2
            //   3bfd | cmp edi, ebp
            //   72c4 | jb 0xffffffc6
            //   8b542414 | mov edx, dword ptr [esp + 0x14]
            //   0302 | add eax, dword ptr [edx]

        $sequence_15 = { 0fb6440b34 50 ff740b28 8b440b24 }
            // n = 4, score = 800
            //   0fb6440b34 | movzx eax, byte ptr [ebx + ecx + 0x34]
            //   50 | push eax
            //   ff740b28 | push dword ptr [ebx + ecx + 0x28]
            //   8b440b24 | mov eax, dword ptr [ebx + ecx + 0x24]

        $sequence_16 = { 5f 743f 8d5808 0fb713 }
            // n = 4, score = 800
            //   5f | pop edi
            //   743f | je 0x41
            //   8d5808 | lea ebx, dword ptr [eax + 8]
            //   0fb713 | movzx edx, word ptr [ebx]

        $sequence_17 = { ff7008 ff36 e8???????? 83c40c }
            // n = 4, score = 800
            //   ff7008 | push dword ptr [eax + 8]
            //   ff36 | push dword ptr [esi]
            //   e8???????? |
            //   83c40c | add esp, 0xc

        $sequence_18 = { 47 3b7820 72d1 5b 33c0 40 5f }
            // n = 7, score = 800
            //   47 | inc edi
            //   3b7820 | cmp edi, dword ptr [eax + 0x20]
            //   72d1 | jb 0xffffffd3
            //   5b | pop ebx
            //   33c0 | xor eax, eax
            //   40 | inc eax
            //   5f | pop edi

        $sequence_19 = { 395e18 7505 b9???????? 50 }
            // n = 4, score = 700
            //   395e18 | cmp dword ptr [esi + 0x18], ebx
            //   7505 | jne 7
            //   b9???????? |
            //   50 | push eax

        $sequence_20 = { 53 ff15???????? 8b4608 6a00 ff7618 f7d8 }
            // n = 6, score = 700
            //   53 | push ebx
            //   ff15???????? |
            //   8b4608 | mov eax, dword ptr [esi + 8]
            //   6a00 | push 0
            //   ff7618 | push dword ptr [esi + 0x18]
            //   f7d8 | neg eax

        $sequence_21 = { ff7604 51 52 ff15???????? 8bd8 }
            // n = 5, score = 700
            //   ff7604 | push dword ptr [esi + 4]
            //   51 | push ecx
            //   52 | push edx
            //   ff15???????? |
            //   8bd8 | mov ebx, eax

        $sequence_22 = { 53 55 56 57 33db 33f6 }
            // n = 6, score = 700
            //   53 | push ebx
            //   55 | push ebp
            //   56 | push esi
            //   57 | push edi
            //   33db | xor ebx, ebx
            //   33f6 | xor esi, esi

        $sequence_23 = { 8a4173 a808 75f5 a804 }
            // n = 4, score = 400
            //   8a4173 | mov al, byte ptr [ecx + 0x73]
            //   a808 | test al, 8
            //   75f5 | jne 0xfffffff7
            //   a804 | test al, 4

        $sequence_24 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010 | call dword ptr [eax + 0x10]
            //   85c0 | test eax, eax
            //   7407 | je 9
            //   33c0 | xor eax, eax

        $sequence_25 = { ff15???????? 85c0 750a b8010000c0 }
            // n = 4, score = 400
            //   ff15???????? |
            //   85c0 | test eax, eax
            //   750a | jne 0xc
            //   b8010000c0 | mov eax, 0xc0000001

        $sequence_26 = { 894a20 48 8b5c2430 48 83c420 }
            // n = 5, score = 200
            //   894a20 | mov dword ptr [edx + 0x20], ecx
            //   48 | dec eax
            //   8b5c2430 | mov ebx, dword ptr [esp + 0x30]
            //   48 | dec eax
            //   83c420 | add esp, 0x20

        $sequence_27 = { 85e4 740d 44 8b431c 48 }
            // n = 5, score = 200
            //   85e4 | test esp, esp
            //   740d | je 0xf
            //   44 | inc esp
            //   8b431c | mov eax, dword ptr [ebx + 0x1c]
            //   48 | dec eax

        $sequence_28 = { 48 8b0d???????? 44 0fb6440b09 48 }
            // n = 5, score = 200
            //   48 | dec eax
            //   8b0d???????? |
            //   44 | inc esp
            //   0fb6440b09 | movzx eax, byte ptr [ebx + ecx + 9]
            //   48 | dec eax

        $sequence_29 = { 48 83ec18 48 8b442420 8b00 89442408 }
            // n = 6, score = 200
            //   48 | dec eax
            //   83ec18 | sub esp, 0x18
            //   48 | dec eax
            //   8b442420 | mov eax, dword ptr [esp + 0x20]
            //   8b00 | mov eax, dword ptr [eax]
            //   89442408 | mov dword ptr [esp + 8], eax

        $sequence_30 = { 8b05???????? 48 8b5720 48 8b88c9030000 48 }
            // n = 6, score = 200
            //   8b05???????? |
            //   48 | dec eax
            //   8b5720 | mov edx, dword ptr [edi + 0x20]
            //   48 | dec eax
            //   8b88c9030000 | mov ecx, dword ptr [eax + 0x3c9]
            //   48 | dec eax

    condition:
        7 of them and filesize < 303104
}
```
```yara
rule win_buer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.buer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7cf1 eb02 33c0 5f 5e 5b 5d }
            // n = 7, score = 1100
            //   7cf1 | jl 0xfffffff3
            //   eb02 | jmp 4
            //   33c0 | xor eax, eax
            //   5f | pop edi
            //   5e | pop esi
            //   5b | pop ebx
            //   5d | pop ebp

        $sequence_1 = { 83e003 83e800 7435 83e801 7420 83e801 740b }
            // n = 7, score = 1100
            //   83e003 | and eax, 3
            //   83e800 | sub eax, 0
            //   7435 | je 0x37
            //   83e801 | sub eax, 1
            //   7420 | je 0x22
            //   83e801 | sub eax, 1
            //   740b | je 0xd

        $sequence_2 = { 01515c 5f 5e 894154 5b c9 c3 }
            // n = 7, score = 1100
            //   01515c | add dword ptr [ecx + 0x5c], edx
            //   5f | pop edi
            //   5e | pop esi
            //   894154 | mov dword ptr [ecx + 0x54], eax
            //   5b | pop ebx
            //   c9 | leave
            //   c3 | ret

        $sequence_3 = { 8b45dc 03c6 89414c 8b45fc 03c7 }
            // n = 5, score = 1100
            //   8b45dc | mov eax, dword ptr [ebp - 0x24]
            //   03c6 | add eax, esi
            //   89414c | mov dword ptr [ecx + 0x4c], eax
            //   8b45fc | mov eax, dword ptr [ebp - 4]
            //   03c7 | add eax, edi

        $sequence_4 = { 8b55d8 894148 8b45dc 03c6 }
            // n = 4, score = 1100
            //   8b55d8 | mov edx, dword ptr [ebp - 0x28]
            //   894148 | mov dword ptr [ecx + 0x48], eax
            //   8b45dc | mov eax, dword ptr [ebp - 0x24]
            //   03c6 | add eax, esi

        $sequence_5 = { 03c2 8b55e8 015158 8b55d8 894148 }
            // n = 5, score = 1100
            //   03c2 | add eax, edx
            //   8b55e8 | mov edx, dword ptr [ebp - 0x18]
            //   015158 | add dword ptr [ecx + 0x58], edx
            //   8b55d8 | mov edx, dword ptr [ebp - 0x28]
            //   894148 | mov dword ptr [ecx + 0x48], eax

        $sequence_6 = { 8b00 8b4010 8945fc 61 }
            // n = 4, score = 1100
            //   8b00 | mov eax, dword ptr [eax]
            //   8b4010 | mov eax, dword ptr [eax + 0x10]
            //   8945fc | mov dword ptr [ebp - 4], eax
            //   61 | popal

        $sequence_7 = { 6803010000 ff75f8 ff15???????? 59 59 }
            // n = 5, score = 1100
            //   6803010000 | push 0x103
            //   ff75f8 | push dword ptr [ebp - 8]
            //   ff15???????? |
            //   59 | pop ecx
            //   59 | pop ecx

        $sequence_8 = { b9???????? eb1a 6a05 59 }
            // n = 4, score = 200
            //   b9???????? |
            //   eb1a | jmp 0x1c
            //   6a05 | push 5
            //   59 | pop ecx

        $sequence_9 = { b9e97f00d6 0fa3c1 7308 83c408 }
            // n = 4, score = 200
            //   b9e97f00d6 | mov ecx, 0xd6007fe9
            //   0fa3c1 | bt ecx, eax
            //   7308 | jae 0xa
            //   83c408 | add esp, 8

        $sequence_10 = { b9???????? eb05 b9???????? 8b1424 }
            // n = 4, score = 200
            //   b9???????? |
            //   eb05 | jmp 7
            //   b9???????? |
            //   8b1424 | mov edx, dword ptr [esp]

        $sequence_11 = { b9???????? e9???????? 8d9424a4000000 c70205000000 }
            // n = 4, score = 200
            //   b9???????? |
            //   e9???????? |
            //   8d9424a4000000 | lea edx, dword ptr [esp + 0xa4]
            //   c70205000000 | mov dword ptr [edx], 5

        $sequence_12 = { b9???????? e9???????? 8b8424a8000000 85c0 }
            // n = 4, score = 200
            //   b9???????? |
            //   e9???????? |
            //   8b8424a8000000 | mov eax, dword ptr [esp + 0xa8]
            //   85c0 | test eax, eax

        $sequence_13 = { b9???????? eb36 6a04 59 }
            // n = 4, score = 200
            //   b9???????? |
            //   eb36 | jmp 0x38
            //   6a04 | push 4
            //   59 | pop ecx

        $sequence_14 = { b9???????? e9???????? ff4608 89f1 }
            // n = 4, score = 200
            //   b9???????? |
            //   e9???????? |
            //   ff4608 | inc dword ptr [esi + 8]
            //   89f1 | mov ecx, esi

        $sequence_15 = { e8???????? 0f0b 53 57 56 83ec0c }
            // n = 6, score = 200
            //   e8???????? |
            //   0f0b | ud2
            //   53 | push ebx
            //   57 | push edi
            //   56 | push esi
            //   83ec0c | sub esp, 0xc

    condition:
        7 of them and filesize < 2518016
}
```
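To show how the threat hunting rules above make their decision (hex byte sequences with `??` wildcard bytes, an `N of them` count and a `filesize` bound), here is an added Python example, written for this article and not taken from it or from yara-signator. It re-implements only that subset of YARA matching and runs it over constructed buffers assembled from the win_campoloader_auto sequences on this page; for actual hunting, feed the rules to YARA itself.

```python
"""Added example (not from the article or yara-signator): a minimal evaluator
for yara-signator style rules, covering only what those rules use: hex byte
sequences with '??' wildcards, 'N of them' and 'filesize < N'."""
import re
from dataclasses import dataclass


@dataclass
class HexRule:
    name: str
    sequences: dict      # "$sequence_N" -> hex body exactly as written in the rule
    min_matches: int     # the N in "N of them"
    max_filesize: int    # the N in "filesize < N"


# Sequences copied from the win_campoloader_auto rule listed on this page.
CAMPOLOADER = HexRule(
    name="win_campoloader_auto",
    sequences={
        "$sequence_0": "8b4508 0345c8 50 8b4d0c",
        "$sequence_1": "8945fc c745c800000000 c745c000000000 a1???????? 8945f4 8b0d???????? 894df8",
        "$sequence_2": "8b8d70efffff 51 8b9584efffff 52",
        "$sequence_3": "8d55f4 899580efffff 8b8580efffff 83c001",
        "$sequence_4": "c702bb010000 8d45e8 8945d4 8b4dd4 83c101 894dac 8b55d4",
        "$sequence_5": "8d4588 50 68???????? 6a00 6a00 6a00 6a00",
        "$sequence_6": "8b5508 8955d0 8b45d0 83c001 8945a4 8b4dd0",
        "$sequence_7": "50 ff15???????? 837d1001 0f8579010000 c78574efffff00000000 "
                       "c78578efffff70170000 c78570efffff70170000",
        "$sequence_8": "8955f8 8b45e4 8945ec 8b4dec 83c101",
        "$sequence_9": "c7458844000000 b907000000 be???????? 8d7ddc f3a5 66a5",
    },
    min_matches=7,
    max_filesize=66560,
)


def _byte_pairs(body):
    """Yield the two-character byte tokens of a hex body ('8b', '45', '??', ...)."""
    for tok in body.split():
        if len(tok) % 2:
            raise ValueError(f"odd-length hex token: {tok}")
        for i in range(0, len(tok), 2):
            yield tok[i:i + 2]


def hex_to_regex(body):
    """Compile a YARA hex body to a bytes regex: '??' becomes '.', which under
    DOTALL matches any single byte; every other pair is an escaped literal byte."""
    parts = [b"." if pair == "??" else re.escape(bytes([int(pair, 16)]))
             for pair in _byte_pairs(body)]
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate(rule, data):
    """Apply the rule's condition to a byte buffer.
    Returns (matched, names of the sequences that were found)."""
    hits = [name for name, body in rule.sequences.items()
            if hex_to_regex(body).search(data)]
    matched = len(hits) >= rule.min_matches and len(data) < rule.max_filesize
    return matched, hits


def instantiate(body, filler=0x41):
    """Constructed bytes for one sequence: each '??' gets an arbitrary filler byte
    (in a real sample those positions are relocated operands, which is why the
    generator masked them)."""
    return bytes(filler if pair == "??" else int(pair, 16) for pair in _byte_pairs(body))


def build_sample(rule, names, pad=b"\x90" * 16):
    """Constructed test buffer: the chosen sequences separated by NOP padding."""
    return pad + pad.join(instantiate(rule.sequences[n]) for n in names) + pad


if __name__ == "__main__":
    seven = [f"$sequence_{i}" for i in range(7)]
    # 7 of 10 sequences present and small file: matched
    print(evaluate(CAMPOLOADER, build_sample(CAMPOLOADER, seven)))
    # only 3 sequences present: not matched
    print(evaluate(CAMPOLOADER, build_sample(CAMPOLOADER, seven[:3])))
    # all 7 present but the buffer exceeds the filesize bound: not matched
    print(evaluate(CAMPOLOADER, build_sample(CAMPOLOADER, seven) + b"\x00" * 70000))
```

The filesize case is the one practitioners trip over: a packed or appended sample can carry every sequence and still fail the rule because the bound was derived from a single Malpedia sample.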
This Knowledge Base article discusses a specific threat that is being tracked; the campaign IOC list will change over time. Check MVISION Insights for the latest IOCs.
Minimum Content Versions:
Content Type | Version |
V2 DAT (VirusScan Enterprise) | 9971 |
V3 DAT (Endpoint Security) | 4423 |
Detection Summary
IOC (SHA256) | AVEngine V2 | AVEngine V3 | JTI (ATP Rules) | RP Static | RP Dynamic |
C98990D05F745F21E96770571123C6A2651EE3D874AF36D1747A2893B4C96412 | W97M/Downloader.dij | W97M/Downloader.dij | JTI/Suspect.196612!878720ddc0d8 | - | - |
8686D43C68B9803440D762D05E76A8FC1BEA292B0C0CB725684884090CEEFC20 | W97M/Dropper.he | W97M/Dropper.he | JTI/Suspect.196612!6e5ebd19421e | - | - |
D26A56178FD6D15D1E6A8A15218F1DEA8DAEB5C2E36E8ECC8B9DB3C305B5D16D | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
0A9CA5D5106405262D74DBD8006F982687C58EDA0362CF5542CF7068A4AD3DB5 | X97M/Dropper.ar | X97M/Dropper.ar | JTI/Suspect.196612!8d54e98795c4 | - | - |
8F329F8FD20ACB25617C0D49D002EF7F55A064294483A284CF66466E28E59C6F | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
E904E0E341412166588DAD98DB9EED82535F88947D1091EE80DC4E98DCE8E64A | X97M/Downloader.hc | X97M/Downloader.hc | - | - | - |
A7BF77112EE1D7C856D90366EA19C436F5723ED67556EF018D3F47CEA3711AA8 | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
2DC953AD0703D0E921C6E840BB4E136E27C18340CDBECFCA93A50F34925C6B6A | X97M/Downloader.hc | X97M/Downloader.hc | - | - | - |
4DD8BA0D5AC44A54B2192267F717057E0DB3597B9B0DDE873690802CD347E830 | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
AB1D6EACD13C7CE70852C85F8DA60605B30722D728928EE6D65647750061C6F2 | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
1D11FEE370AB3997737F58DF6F80162981C24B61266D0818036D257E7217BBB9 | W97M/Dropper.he | W97M/Dropper.he | JTI/Suspect.196612!dd285d84d4a7 | - | - |
B7EFA1277C0C0FBA754994ADF9792FBB3FEAC9EC3E589B3DA4D0125957CC95A4 | X97M/Dropper.ar | X97M/Dropper.ar | JTI/Suspect.196612!8d54e98795c4 | - | - |
121E2902C085CF41C9B9CDDAB5BF499DA02B01F36EF999AA9AA8F7D818A884AC | W97M/Dropper.he | W97M/Dropper.he | JTI/Suspect.196612!b0932c3df3a9 | - | - |
DF078999B09C399A0E74AAD75582A781264DEDDB8392385C4D80DF336B1260D5 | X97M/Dropper.ar | X97M/Dropper.ar | JTI/Suspect.196612!8d54e98795c4 | - | - |
452F2A77F8EBD6AAEB99456DC11CA95B24F6452A0C19C69B409F59949F641369 | X97M/Downloader.ha | X97M/Downloader.ha | - | - | - |
1477B09D53363D8F4C717DFB9C8636F1AA8D81786FA2DEF6C347535863374355 | W97M/Dropper.he | W97M/Dropper.he | JTI/Suspect.196612!94b741060fed | - | - |
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files
Endpoint Security - Exploit Prevention:
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Rule ID: 6086 Powershell Command Restriction - Command
Host Intrusion Prevention:
Rule ID: 6135 Unmanaged Powershell Detected
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Aggressive set of Manual Rules to improve protection to block this campaign
Host Intrusion Prevention:
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 2806 Attempt to create a hardlink to a file
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 1020 Windows Agent Shielding - File Access