Energetic Bear report https://securelist.com/energetic-bear-crouching…

…-yeti/85345/

filename-iocs.txt

@@ -1,2 +1,18 @@
-demo/evil.jsp
-# END - DO NOT REMOVE
+/var/tmp/.pipe.sock
+/code29/.php
+/proxy87/.php
+/usr/share/python2.7/sma.php
+/usr/share/python2.7/theme.php
+/root/theme.php
+/usr/lib/libng/media.php
+/usr/lib/libng/ftpChecker.py
+/usr/lib/libng/dirsearch/
+/usr/share/python2.7/dirsearch/
+/usr/lib/libng/commix/
+/usr/lib/libng/subbrute-master/
+/usr/share/python2.7/sqlmap/
+/usr/lib/libng/sqlmap-dev/
+/usr/lib/libng/wpscan/
+/usr/share/python2.7/wpscan/
+/usr/share/python2.7/Sublist3r/
+# END - DO NOT REM

hash-iocs.txt

@@ -1,96 +1,10 @@
-329cd07f4dd67947ff10d8a6550ff779;Demo file - evil.jsp
-
-866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035;Equation APT
-8447dabffd37eb7fcb1bc1d6c6f1d164;Htran Chinese APT Tunneling Tool Sample
-
-5d853a8de18d844a9ab269f3d51e5072;Five Eyes QUERTY Malware20120.dll.bin
-cc8b737edb3f11c9c5dba57035c63103;Five Eyes QUERTY Malware20120.xml
-67ac8dc6589a07d950bd12f534dc9789;Five Eyes QUERTY Malware20120_cmdDef.xml
-40451f20371329b992fb1b85c754d062;Five Eyes QUERTY Malware20121.dll.bin
-ff0afae5c68c5177ed0a3d6339810cae;Five Eyes QUERTY Malware20121.xml
-1bc8f4df4551c6efbbb1fe9f965dca49;Five Eyes QUERTY Malware20121_cmdDef.xml
-0ed11a73694999bc45d18b4189f41ac2;Five Eyes QUERTY Malware20123.sys.bin
-066b6253afc3ad0efe9a15cead4ef7d8;Five Eyes QUERTY Malware20123.xml
-790d1b448e97985deb710a94eb927c27;Five Eyes QUERTY Malware20123_cmdDef.xml
-
-ad61e8daeeba43e442514b177a1b41ad4b7c6727;Skeleton Key Malware
-5083b17ccc50dd0557dfc544f84e2ab55d6acd92;Skeleton Key Malware
-66da7ed621149975f6e643b4f9886cfd;Symantec Report http://goo.gl/9Tmq2e msuta64.dll
-bf45086e6334f647fda33576e2a05826;Symantec Report http://goo.gl/9Tmq2e ole64.dll
-a487f1668390df0f4951b7292bae6ecf;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-8ba4df29b0593be172ff5678d8a05bb3;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-f01026e1107b722435126c53b2af47a9;Symantc Report http://goo.gl/9Tmq2e HookDC.dll
-747cc5ce7f2d062ebec6219384b57e8c;Symantec Report http://goo.gl/9Tmq2e ole.dll
-600b604784594e3339776c6563aa45a1;Symantec Report http://goo.gl/9Tmq2e jqs.exe (Backdoor.Winnti dropper)
-48377c1c4cfedebe35733e9c3675f9be;Symantec Report http://goo.gl/9Tmq2e tmp8296.tmp (Backdoor.Winnti variant)
-
-20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92;Regin Malware Sample
-225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430;Regin Malware Sample
-392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e;Regin Malware Sample
-40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b;Regin Malware Sample
-4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be;Regin Malware Sample
-4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9;Regin Malware Sample
-5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823;Regin Malware Sample
-5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90;Regin Malware Sample
-7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7;Regin Malware Sample
-7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926;Regin Malware Sample
-8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13;Regin Malware Sample
-8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7;Regin Malware Sample
-8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db;Regin Malware Sample
-9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f;Regin Malware Sample
-9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379;Regin Malware Sample
-a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355;Regin Malware Sample
-a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880;Regin Malware Sample
-a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35;Regin Malware Sample
-a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047;Regin Malware Sample
-b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce;Regin Malware Sample
-c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513;Regin Malware Sample
-cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601;Regin Malware Sample
-df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c;Regin Malware Sample
-e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902;Regin Malware Sample
-e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935;Regin Malware Sample
-ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69;Regin Malware Sample
-f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e;Regin Malware Sample
-f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4;Regin Malware Sample
-fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef;Regin Malware Sample
-fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129;Regin Malware Sample
-
-9bec941bec02c7fbe037a97db8c89f18;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-6ce69e4bec14511703a8957e90ded1fa;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-1c05164fede51bf947f1e78cba811063;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-5129c26818ef712bde318dff970eba8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-bdce0ed65f005a11d8e9a6747a3ad08c;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-e04ad0ec258cbbf94910a677f4ea54f0;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-928d0ef4c17f0be21f2ec5cc96182e0c;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-d686ce4ed3c46c3476acf1be0a1324e6;Symantec Waterbug Attack http://goo.gl/9Tlk90 typecli.exe
-22fb51ce6e0bc8b52e9e3810ca9dc2e1;Symantec Waterbug Attack http://goo.gl/9Tlk90 msc32.exe
-df06bde546862336ed75d8da55e7b1cc;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a85616aec82078233ea25199c5668036;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b7d80000100f2cb50a37a8a5f21b185f;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-552a8e8d60731022dcb5a89fd4f313ec;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a1ecf883627a207ed79d0fd103534576;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-560f47c8c50598760914310c6411d3b1;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b28cbcd6998091f903c06a0a46a0fd8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b0952e130f6f8ad207998000a42531de;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-c04190dc190b6002f064e3d13ac22212;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-959ed9d60a8f645fd46b7c7a9b62870c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-305801a809b7d9136ab483682e26d52d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-e5a9fc45ab11dd0845508d122a6c8c8c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-bf0e4d46a51f27493cbe47e1cfb1b2ea;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-f156ff2a1694f479a079f6777f0c5af0;Symantec Waterbug Attack http://goo.gl/9Tlk90 pxinsi64.exe 64-bit driver possibly used by vboxdev_win32.dll
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 mswme32.exe Collects files with extensions (.*library, *.inf, *.exe, .*dll, .*dot), Encrypts with Trojan.Turla XOR key
-56f423c7a7fef041f3039319f2055509;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnet32.exe
-20c9df1e5f426f9eb7461cd99d406904;Symantec Waterbug Attack http://goo.gl/9Tlk90 rpcsrv.exe RPC server using ncacn_np identifier and binds to \\pipe\ hello, Can be used as a proxy
-ed3509b103dc485221c85d865fafafac;Symantec Waterbug Attack http://goo.gl/9Tlk90 charmap32.exe Executes msinfo32.exe /nfo and direct output to winview.nfo
-09886f7c1725fe5b86b28dd79bc7a4d1;Symantec Waterbug Attack http://goo.gl/9Tlk90 mqsvc32.exe Capable of sending exfiltrated data through email using MAPI32.dll
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 msrss.exe Registers as a service “svcmgr” with display name ‘Windows Svcmgr’
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 dc1.exe
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 svcmgr.exe
-98992c12e58745854a885f9630124d3e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msx32.exe Used to encrypt file (supplied as argument on command line) using common Trojan.Turla XOR key, Output written to [FILE NAME].XOR
+f3e3e25a822012023c6e81b206711865;Energetic Bear Hashes - ini.php 
+f3e3e25a822012023c6e81b206711865;Energetic Bear Hashes - mysql.php 
+c76470e85b7f3da46539b40e5c552712;Energetic Bear Hashes - opts.php 
+155385cc19e3092765bcfed034b82ccb;Energetic Bear Hashes - error_log.php 
+1644af9b6424e8f58f39c7fa5e76de51;Energetic Bear Hashes - code29.php 
+1644af9b6424e8f58f39c7fa5e76de51;Energetic Bear Hashes - proxy87.php 
+2292f5db385068e161ae277531b2e114;Energetic Bear Hashes - theme.php 
+7ec514bbdc6dd8f606f803d39af8883f;Energetic Bear Hashes - sma.php 
+78c31eff38fdb72ea3b1800ea917940f;Energetic Bear Hashes - media.php 
 # END - DO NOT REMOVE

string-iocs.txt

@@ -1,4 +1,4 @@
-<%eval request("ice")%>
-1%27%20OR%201%3D1
-FILE HAS EVIL CONTENT
+eval(gzuncompress(base64_decode
+ZXZhbCg
+\x65\x76\x61\x6C\x28\x67
 # END - DO NOT REMOVE - contents passed to grep - double escape square brackets