Category: Malspam

SAGE 2.2 Ransomware from Good Man Gate

IOCs:
86.106.93.230 – datsonsdaughter.com – Good Man gate
109.234.37.212 – see.letsown.com – RIG EK
34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]
Traffic:
Hashes:
SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f – File name: RIG EK Flash Exploit.swf
SHA256: ...

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs:
211.149.241.201 – phpwind.0592yt[.]com/result – Download location
115.29.247.219 – 902f[.]com/result – Download location
176.114.0.20 – shema.org[.]ua/result – Download location
162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location
202.133.118.222 – aqua-inter[.]com/result – Download location
194.28.49.140 – cdsp[.]pl/result – Download location
216.110.144.152 – hanavanpools[.]com/result – Download location
209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location
193.201.225.124 – POST /checkupdate – Locky C2
...

“Bill for Papers” Drops Locky (.Osiris) (/checkupdate)

IOCs:
162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script
222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script
199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script
107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script
176.121.14.95 – POST /checkupdate – C2 IP
Traffic:
Hashes:
SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544 – File name: 765-HIGV0613.wsf – Hybrid-Analysis Submission
SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be ...

“Payment Receipt” Drops Locky (.osiris)

IOCs:
62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI
Additional Download Locations (contained in obfuscated JS downloader):
u-niwon.com/098tb – 218.232.104.232
chanet.jp/098tb – 210.196.232.211
valuationssa.com.au/098tb – 104.27.149.238
More compromised sites being used as download locations (posted by Techhelplist):
aetech-solutions.com/098tb – 37.59.51.53
bigtrust.co.kr/098tb – 211.40.221.90
braindouble.com/098tb – 207.45.186.214
haibeiwuliu.com/098tb – 122.114.99.100
laferwear.com/098tb – 97.74.215.147
malamut.org/098tb – 212.85.104.64
markettv.ro/098tb – ...

“Card Receipt” Leads to Locky (.osiris)

IOCs:
116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site
Additional Distribution Sites:
wiktorek140.cba.pl (95.211.144.65)
yourwebstek.nl (185.87.184.130)
xxmaoyi.com (120.25.161.125)
eroicgrvh38j3f3.com (94.231.77.230)
91.142.90.46 – POST /checkupdate
Traffic:
Hashes:
SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea – File name: img(194).jse – Hybrid-Analysis Link (JS Nemucod)
SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6 – File name: msTTSUO1
SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1 – File name: msTTSUO1.dll – Hybrid-Analysis Link
Email: The attached file is a ZIP ...

Malspam Leads to Locky (.zzzzz)

IOCs:
185.25.149.13 – xn--pasaer-spb.pl – Distribution Site
139.224.165.195 – temail.com – Distribution Site
DNS queries: bqukfjfv.org (69.195.129.70) abwwngsovislmi.info sqoygkkolb.biz vbtjntlcl.info akhsipwfesvxmer.xyz iwswtkibjbsrqj.ru eltbqgwtjmqvf.su hmthqpva.su hxbvgunernmw.pw vqpiuffvpgdop.pw qrdobtle.pw udfkorp.xyz wibcjkwrk.ru szwanrong.com (119.29.99.214) amnclgo.click ktlgpiilbj.biz hhmunlxtxjpv.xyz egxjtbh.work nrkvwucxxqgbi.org qijftdcnky.click
Traffic:
Hashes:
SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7 – File name: 201612031056373427451410.vbs – Hybrid-Analysis Link
SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e – File name: uQzqIRdHQ.34
SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf – File name: ...

Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs:
93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw
37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw
108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw
194.1.239.152 – POST /linuxsucks.php
51.255.107.20 – POST /linuxsucks.php
194.28.87.26 – POST /linuxsucks.php
Traffic:
DNS Requests (a "-" marks a column left blank in the original capture):
Domain | IP Address | Country
iyemdymjdev.pl | - | -
qcatgljdsgfvcqq.pw | - | -
pllyggakgcuto.org | - | -
moyihqyicfciqf.ru | - | -
mygyylys.biz | - | -
uxwamyckkeyfndcrg.xyz | - | -
odysdabvtgvjqguls.pw | - | -
bestline.cz | 93.185.104.25 | Czech Republic
decactus.cl | 108.163.209.27 | United States
hrogqamrchfj.info | - | -
qsrxtej.info | - | -
...

“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs:
185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE
69.195.129.70 – disvfthejnadoufh.biz – POST /message.php
176.103.56.119 – POST /message.php
109.234.35.230 – POST /message.php
Traffic:
DNS Requests (a "-" marks a column left blank in the original capture):
Domain | IP Address | Country
xbgokbdvilnrlw.info | - | -
cwvmkawujq.su | - | -
ukyrrqcxd.su | - | -
jkvhihqdaaoyd.org | - | -
ihdteyhyewuaid.click | - | -
bjbsbpmhlpwaxf.pl | - | -
torproject.org | 82.195.75.101 | Germany
ojxbkeexoqrbirtq.org | - | -
bqpkcrxsx.su | - | -
dx-team.org | 185.17.41.83 | Poland
mwddgguaa5rj7b54.onion.to | 185.100.85.150 | Romania
kcnwtdns.pw | - | -
jyvityqhfggxicasf.pw | - | -
mwddgguaa5rj7b54.tor2web.org | 38.229.70.4 | United States
Hashes:
SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0 – File ...

Malspam Leads to Locky (.shit) (/linuxsucks.php)

IOCs:
192.186.241.104 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
108.168.206.100 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
208.100.26.234 – gtlbihmxh.pw – POST /linuxsucks.php
Additional Distribution Domains from Hybrid-Analysis Report:
sowkinah.com – 62.84.69.75
bagnet.ir – 176.9.129.91
nanrangy.net – 120.117.3.119
Traffic:
IDS Alerts:
Hashes:
SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e – File name: Receipt 17577-140426.wsf – Hybrid-Analysis Report
SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79 – File name: AvURdJbXv2.dll
Infection Chain: ...

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs:
77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2
81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2
104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)
Traffic:
IDS Events:
Hashes:
SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8 – File name: contract_54262.doc
SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926 – File name: hancitor.dll
SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495 – File name: ...