IOCs.txt
Indicators of Compromise (IOCs)

IOC | IOC Type | Description
faa80e0692ba120e38924ccd46f6be3c25b8edf7cddaa8960fe9ea632dc4a045 | SHA256 | PE Attachment - our infrastructure offer ann‮cod.exe (filename carries a U+202E right-to-left override so the .exe displays as a .doc)
b7960d1f40b727bbea18a0e5c62bafcb54c9ec73be3e69e787b7ddafd2aae364 | SHA256 | PE Attachment - powersafe courses ann‮cod.exe (same U+202E extension spoofing)
26eb8a1f0bdde626601d039ea0f2c92a7921152371bafe5e811c6a1831f071ce | SHA256 | FlowCloud MS Word Macro Attachment - personal invitation.doc
cd8f877c9a1c31179b633fd74bd5050e4d48eda29244230348c6f84878d0c33c | SHA256 | Dropped File - Cert.pem
e4ad5d3213425c58778d8a0244df4cd99c748f58852d8ac71b46326efd5b3220 | SHA256 | Dropped File - pense1.txt
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4 | SHA256 | Dropped File - Temptcm.tmp
1334c742f2aec7e8412d76ba228b99935a49dc96a1e8e1f3446d9f61247ae47e | SHA256 | Dropped File - EhStorAuthn.exe
de30929ef958211f9315e27a7aa45ef061726a76990ddc6b9d9f189b9fbdd45a | SHA256 | Dropped File - dlcore.dll
0b013ccd9e10d7589994629aed18ffe2388cbd745b5b28ab39c07835295a1ca9 | SHA256 | Dropped File - rebare.dat
479954b9e7d5c5f7086a2a1ff1dba99de2eab2e1b1bc75ad8f3b211088eb4ee9 | SHA256 | Dropped File - rescure.dat
d5191327a984fab990bfb0e811688e65e9aaa751c3d93fa92487e8a95cb2eea8 | SHA256 | Dropped File - responsor.dat
0701cc7eb1af616294e90cbb35c99fa2b29d2aada9fcbdcdaf578b3fcf9b56c7 | SHA256 | Dropped File - EhStorAuthn_shadow.exe
27f5df1d35744cf283702fce384ce8cfb2f240bae5d725335ca1b90d6128bd40 | SHA256 | Dropped File - rescure64.dat
13e761f459c87c921dfb985cbc6489060eb86b4200c4dd99692d6936de8df5ba | SHA256 | Dropped File - rescure86.dat
2481fd08abac0bfefe8d8b1fa3beb70f8f9424a1601aa08e195c0c14e1547c27 | SHA256 | Dropped File - hha.dll
188.131.233[.]27 | IP | C&C IP
118.25.97[.]43 | IP | Sender IP
34.80.27[.]200 | IP | Sender IP
134.209.99[.]169 | IP | Staging IP
101.99.74[.]234 | IP | Staging IP
Asce[.]email | Domain | Phishing Domain
powersafetrainings[.]org | Domain | Phishing Domain
mails.daveengineer[.]com | Domain | Phishing Domain
powersafetraining[.]net | Domain | Related Infrastructure
mails.energysemi[.]com | Domain | Related Infrastructure
www.mails.energysemi[.]com | Domain | Related Infrastructure
www.powersafetraining[.]net | Domain | Related Infrastructure
www.powersafetrainings[.]org | Domain | Related Infrastructure
ffca.caibi379[.]com | Domain | Macro Domain
http://ffca.caibi379[.]com/rwjh/qtinfo.txt | URL | FlowCloud Macro Delivery URL (inactive)
https://www.dropbox[.]com:443/s/ddgifm4ityqwx60/Cert.pem?dl=1 | URL | FlowCloud Macro Delivery URL (shared hosting: match on the full URL, not the dropbox.com domain)
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\2 | Registry Key | FlowCloud Registry Key
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\3 | Registry Key | FlowCloud Registry Key
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\4 | Registry Key | FlowCloud Registry Key
HKEY_LOCAL_MACHINE\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303} | Registry Key | FlowCloud Registry Key
HKEY_LOCAL_MACHINE\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} | Registry Key | FlowCloud Registry Key
HKEY_LOCAL_MACHINE\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} | Registry Key | FlowCloud Registry Key
G:\FlowCloud\trunk\Dev\src\fcClient\Release\QQSetupEx_func.pdb | File Path | FlowCloud PDB Path
g:\FlowCloud\trunk\Dev\src\fcClient\Release\fcClientDll.pdb | File Path | FlowCloud PDB Path
F:\FlowCloud\trunk\Dev\src\fcClient\kmspy\Driver\Release\Driver.pdb | File Path | FlowCloud PDB Path
F:\FlowCloud\trunk\Dev\src\fcClient\kmspy\Driver\x64\Release\Driver.pdb | File Path | FlowCloud PDB Path