forked from Neo23x0/Fenrir
/
hash-iocs.txt
96 lines (91 loc) · 9.77 KB
/
hash-iocs.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
329cd07f4dd67947ff10d8a6550ff779;Demo file - evil.jsp
866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035;Equation APT
8447dabffd37eb7fcb1bc1d6c6f1d164;Htran Chinese APT Tunneling Tool Sample
5d853a8de18d844a9ab269f3d51e5072;Five Eyes QUERTY Malware20120.dll.bin
cc8b737edb3f11c9c5dba57035c63103;Five Eyes QUERTY Malware20120.xml
67ac8dc6589a07d950bd12f534dc9789;Five Eyes QUERTY Malware20120_cmdDef.xml
40451f20371329b992fb1b85c754d062;Five Eyes QUERTY Malware20121.dll.bin
ff0afae5c68c5177ed0a3d6339810cae;Five Eyes QUERTY Malware20121.xml
1bc8f4df4551c6efbbb1fe9f965dca49;Five Eyes QUERTY Malware20121_cmdDef.xml
0ed11a73694999bc45d18b4189f41ac2;Five Eyes QUERTY Malware20123.sys.bin
066b6253afc3ad0efe9a15cead4ef7d8;Five Eyes QUERTY Malware20123.xml
790d1b448e97985deb710a94eb927c27;Five Eyes QUERTY Malware20123_cmdDef.xml
ad61e8daeeba43e442514b177a1b41ad4b7c6727;Skeleton Key Malware
5083b17ccc50dd0557dfc544f84e2ab55d6acd92;Skeleton Key Malware
66da7ed621149975f6e643b4f9886cfd;Symantec Report http://goo.gl/9Tmq2e msuta64.dll
bf45086e6334f647fda33576e2a05826;Symantec Report http://goo.gl/9Tmq2e ole64.dll
a487f1668390df0f4951b7292bae6ecf;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
8ba4df29b0593be172ff5678d8a05bb3;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
f01026e1107b722435126c53b2af47a9;Symantc Report http://goo.gl/9Tmq2e HookDC.dll
747cc5ce7f2d062ebec6219384b57e8c;Symantec Report http://goo.gl/9Tmq2e ole.dll
600b604784594e3339776c6563aa45a1;Symantec Report http://goo.gl/9Tmq2e jqs.exe (Backdoor.Winnti dropper)
48377c1c4cfedebe35733e9c3675f9be;Symantec Report http://goo.gl/9Tmq2e tmp8296.tmp (Backdoor.Winnti variant)
20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92;Regin Malware Sample
225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430;Regin Malware Sample
392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e;Regin Malware Sample
40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b;Regin Malware Sample
4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be;Regin Malware Sample
4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9;Regin Malware Sample
5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823;Regin Malware Sample
5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90;Regin Malware Sample
7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7;Regin Malware Sample
7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926;Regin Malware Sample
8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13;Regin Malware Sample
8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7;Regin Malware Sample
8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db;Regin Malware Sample
9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f;Regin Malware Sample
9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379;Regin Malware Sample
a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355;Regin Malware Sample
a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880;Regin Malware Sample
a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35;Regin Malware Sample
a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669;Regin Malware Sample
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047;Regin Malware Sample
b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce;Regin Malware Sample
c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513;Regin Malware Sample
cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601;Regin Malware Sample
df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c;Regin Malware Sample
e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902;Regin Malware Sample
e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935;Regin Malware Sample
ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69;Regin Malware Sample
f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e;Regin Malware Sample
f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4;Regin Malware Sample
fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef;Regin Malware Sample
fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129;Regin Malware Sample
9bec941bec02c7fbe037a97db8c89f18;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
6ce69e4bec14511703a8957e90ded1fa;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
1c05164fede51bf947f1e78cba811063;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
5129c26818ef712bde318dff970eba8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
bdce0ed65f005a11d8e9a6747a3ad08c;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
e04ad0ec258cbbf94910a677f4ea54f0;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
928d0ef4c17f0be21f2ec5cc96182e0c;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
d686ce4ed3c46c3476acf1be0a1324e6;Symantec Waterbug Attack http://goo.gl/9Tlk90 typecli.exe
22fb51ce6e0bc8b52e9e3810ca9dc2e1;Symantec Waterbug Attack http://goo.gl/9Tlk90 msc32.exe
df06bde546862336ed75d8da55e7b1cc;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
a85616aec82078233ea25199c5668036;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
b7d80000100f2cb50a37a8a5f21b185f;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
552a8e8d60731022dcb5a89fd4f313ec;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
a1ecf883627a207ed79d0fd103534576;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
560f47c8c50598760914310c6411d3b1;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
b28cbcd6998091f903c06a0a46a0fd8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
b0952e130f6f8ad207998000a42531de;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
c04190dc190b6002f064e3d13ac22212;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
959ed9d60a8f645fd46b7c7a9b62870c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
305801a809b7d9136ab483682e26d52d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
e5a9fc45ab11dd0845508d122a6c8c8c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
bf0e4d46a51f27493cbe47e1cfb1b2ea;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
f156ff2a1694f479a079f6777f0c5af0;Symantec Waterbug Attack http://goo.gl/9Tlk90 pxinsi64.exe 64-bit driver possibly used by vboxdev_win32.dll
eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 mswme32.exe Collects files with extensions (.*library, *.inf, *.exe, .*dll, .*dot), Encrypts with Trojan.Turla XOR key
56f423c7a7fef041f3039319f2055509;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnet32.exe
20c9df1e5f426f9eb7461cd99d406904;Symantec Waterbug Attack http://goo.gl/9Tlk90 rpcsrv.exe RPC server using ncacn_np identifier and binds to \\pipe\ hello, Can be used as a proxy
ed3509b103dc485221c85d865fafafac;Symantec Waterbug Attack http://goo.gl/9Tlk90 charmap32.exe Executes msinfo32.exe /nfo and direct output to winview.nfo
09886f7c1725fe5b86b28dd79bc7a4d1;Symantec Waterbug Attack http://goo.gl/9Tlk90 mqsvc32.exe Capable of sending exfiltrated data through email using MAPI32.dll
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 msrss.exe Registers as a service “svcmgr” with display name ‘Windows Svcmgr’
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 dc1.exe
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 svcmgr.exe
98992c12e58745854a885f9630124d3e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msx32.exe Used to encrypt file (supplied as argument on command line) using common Trojan.Turla XOR key, Output written to [FILE NAME].XOR
# END - DO NOT REMOVE