Indicators (unvetted automated extraction — triage before blocking: the IPv4 list contains the loopback entries 127.0.0.2 and 127.0.0.1:15064, which are not network indicators (127.0.0.2 is the host named in the DarkGate cmdkey string in the YARA section below); the Domains/Sub Domains lists mix in benign third-party infrastructure (google.com, www.google.com, googleadservices.com, www.googleadservices.com, pastebin.com) and Windows DLL/archive file names mis-classified as hostnames (XmlSerializer.dll, ni.dll, Environment.dll, System.IO.Log.ni.dll, System.Xml.XmlSerializer.dll, Box.LocalComServer.Fix.Environment.dll, and msmith-dc45389tyt.zip, which is also listed under File Names); the URLs list includes the Google search and ad-click URLs that form the lure path rather than attacker infrastructure, plus one entry whose hostname is garbled, https://l..com/l.php?u=; the hash sets are not aligned — 6 md5, 5 sha1, 5 sha256 — so the nth md5 must not be assumed to correspond to the nth sha1/sha256) IPv4: 47.252.45.173 35.203.111.228 47.253.165.1 35.247.194.72 94.228.169.143 47.253.141.12 8.209.99.230 47.252.33.131 34.16.181.0 127.0.0.2 127.0.0.1:15064 Domains: lewru.top claimunclaimed.org XmlSerializer.dll lugbara.top freelookup.org ni.dll halibut.sbs myunclaimedcash.org Environment.dll bikeontop.shop capitalfinders.org googleadservices.com whatup.cloud positivereview.cloud msmith-dc45389tyt.zip google.com dreamteamup.shop TreasuryDept.org claimprocessing.org infocatalog.pics treasurydept.org gfind.org thebesttime.buzz ignitethefund.com ClaimProcessing.org assetfinder.org barracudas.sbs soulcarelife.org pastebin.com Sub Domains: mesa.halibut.sbs plano.soulcarelife.org System.IO.Log.ni.dll arlington.barracudas.sbs www.treasurydept.org System.Xml.XmlSerializer.dll pittsburgh.soulcarelife.org www.google.com www.googleadservices.com durham.soulcarelife.org www.assetfinder.org www.myunclaimedcash.org www.claimprocessing.org Box.LocalComServer.Fix.Environment.dll URLs: https://www.google.com/search?q=finding+unclaimed+money+in+california&rlz= http://infocatalog.pics:8080/msiyifrmouv https://www.claimprocessing.org/roxif/pateromyx.php http://infocatalog.pics:8080 https://l..com/l.php?u= https://www.googleadservices.com/pagead/aclk?sa= https://durham.soulcarelife.org/?n3sqd95xk20z2b3vue9tnpiadp2j6 https://plano.soulcarelife.org/?n0igoun59hzb3eguo63j1hmjobmjw8 https://plano.soulcarelife.org/?vc4njfp8xnwzb30akwaf2pj3fjs36q https://www.treasurydept.org/gujijed/tokew.php https://pittsburgh.soulcarelife.org/?sxykn3bjp0rmnaefzc8jb3qc2704 https://www.claimprocessing.org/?utm_source=ads&utm_medium=cpc&utm_campaign=claim& https://www.treasurydept.org/?utm_source=googlesearch&utm_medium=cpc&utm_campaign=google md5: 9f9c5a1269667171e1ac328f7f7f6cb3 2c16eafd0023ea5cb8e9537da442047e 862a42a91b5734062d47c37fdd80c633 9120c82b0920b9db39894107b5494ccd 7544f5bb88ad481f720a9d9f94d95b30 650b0b12b21e9664d5c771d78738cf9f sha1: 8b5ff2c452da06b69d49a695fbf13fe2f71712d5 
878ecd062105626c480471cb53ab2a310f4d5dce 4f4f593102f69c0d7714d3f66bb777a30fd3dd63 4deb04a5db4e971864cc728b392238dd0b96d07a aa16db91b3f1b4cd7862b5eeb7d9c7cef098fc65 sha256: cac930364eba1174da21a390c7d044cd3487582fcc5dd3cb6ec4506572433e75 d235d49d680bfb534c1915b833f523fd96cd210530952587aa4e3f83e03ee776 927d91403036e1e1480736bc037aaed0c6758221b8858f160c629a9505fd26a3 5e2c7949afe8b1a72fc902a183eae5340cf3c27c1037978c129a71765737e7bb a7312f01db21efd84be0a4e596fefb6ebbc388655ab19a642bf44360f1409382 File Names (note: this list mixes the campaign's own artifacts with legitimate Windows binaries that are abused as execution hosts — RUNDLL32.EXE/rundll32.exe, curl.exe, msiexec.exe/Msiexec.exe, cmd.exe, explorer.exe, msedge.exe, chrome.exe, shell32.dll, wscript.exe, schtasks.exe, AutoIt3.exe/Autoit3.exe — so the names alone are not indicators; hunt on the parent/child process relationships and the hashes instead): khscrk.au3 RUNDLL32.EXE curl.exe msiexec.exe MSI23C9.tmp cmd.exe copy.exe pateromyx.php HLWOIRTAA9P.bin Msiexec.exe Oadsoophotfp.dll msedge.exe NVJwQupTC.exe tokew.php flast_d45534i.zip rundll32.exe QAcyqLqxgu.msi Aroeihiaietwq.tmp qgEYlIKPDYzj.msi explorer.exe msmith-dc45389tyt.zip l.php tmpAEA8.tmp Y9U68YA55.bin 1DR.png CoNyuYT.exe MSI4F8C.tmp CoreReborn32.bin Box.LocalComServer.Fix.Environment.dll Prfpdh.tmp chrome.exe KFSELqcUm.exe BEqvhTR.msi Temp1_flast_d45534i.zip shell32.dll flast_d45534i.vbs AutoIt3.exe FM40VY7.bin SYUxEbPz.msi yfir.exe wscript.exe schtasks.exe yifr.exe ihcbzhY.exe Autoit3.exe Yara Rules (warning: as rendered on this page the rules are NOT loadable — extraction stripped whitespace, parentheses and some tokens, e.g. `ruleM_Backdoor_DANABOT_2` for `rule M_Backdoor_DANABOT_2`, `uint160==0x5A4Danduint32uint320x3C==0x00004550` for `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, and `pe.is_dllandpe.exports"ServiceMain"` for `pe.is_dll() and pe.exports("ServiceMain")`, which additionally requires `import "pe"` at the top of the rule file; the spacing inside the quoted string atoms, which is exactly what the rules match on, cannot be recovered from this copy, so obtain the rules from Mandiant's original publication rather than retyping them from here): ruleM_Backdoor_DANABOT_2 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $code={A1[4]05[4]A3[4]A1[4]2B05[4]A3[4]837DBC0B} $str1="System.Xml.XmlSerializer.dll"wide $str2="System.IO.Log.ni.dll"wide $str3="ncrypt.dll"wide condition: uint160==0x5A4Danduint32uint320x3C==0x00004550and pe.is_dllandpe.exports"ServiceMain"andpe.exports"start"andallofthem } ruleM_Downloader_PAPERDROP_2 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." 
strings: $str1="Scripting.Dictionary" $str2="CreateObject" $str3="Execute" $str4="Mod2=0and" $str5="WScript.Sleep" $str6="=Timer" $str7="*Rnd+" $str8="nP=nP&\"C\"" condition: allofthem } ruleM_Downloader_PAPERDROP_3 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $str1="vbSystemModal+vbCritical" $str2="CreateObject\"WScript.Shell\"" $str3="MSXML2.ServerXMLhttp" $str4="ADODB.Stream" $str5="winmgmts:Win32_Process" $str8=".create" condition: allofthem } ruleM_Backdoor_DARKGATE_1 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $str1="IFNOTFILEEXISTS@PROGRAMFILESDIR AND@USERNAME<>\"SYSTEM\"THEN" $str2="BINARYTOSTRING\"0x\"&" $str3="C:\\ProgramFilesx86\\Sophos" $str4="EXECUTEBINARYTOSTRING\"0x" $str5="DLLSTRUCTCREATE" $str6="446C6C43616C6C28227573657233322E646C6C222C20226C726573756 C74222C20224322266368722839372926226C6C57696E646F7750726F63222C20227 07472222C20446C6C5374727563744765745074722824" condition: allofthemandfilesize<500KB } ruleM_Downloader_PAPERDROP_4 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $str1="-1.2" $str2="CreateObject" $str3="Execute" $str4="Mod2=0andDict.count=256then" $str5="=\"https://" condition: allofthem } ruleM_Backdoor_DARKGATE_3 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." 
strings: $x1="SYSTEMElevation:Completed.newDarkGateconnectionwith SYSTEMprivileges"ascii $x2="-u0xDark"ascii $x3="DarkGate"ascii $x4="/ccmdkey/generic:\"127.0.0.2\"/user:\"SafeMode\" /pass:\"darkgatepassword0\""ascii $s1="c:\\temp\\crash.txt"ascii $s2="/cookiesfile\""ascii $s3="/crmdir/s/q\""ascii $s4="/cxcopy/E/I/Y\"%s\"\"%s\"&&exit"ascii $s5="U_MemScan"ascii $s6="U_Google_AD"ascii $s7="untBotUtils"ascii $s8="____padoru____"ascii $s9="u_SysHook"ascii $s10= "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="ascii $s11="C:\\Windows\\System32\\ntdll.dll"fullwordascii $s12=/SYSTEM?Elevation:Cannot|Ialready|ATRAW|FAILURE/ascii $s13=/Stub:WARNING:|Configurationupdated: |GlobalPingInvoked/ascii condition: uint160==0x5a4dand3of$x*or2of$x*and3of$s* or1of$x*and5of$s*or6of$s*or10ofthem } ruleM_Downloader_PAPERDROP_1 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonlyand hasnotbeentestedtoruninaproductionenvironment." strings: $v1_1="missingfromUIHFadcomputer" $v1_2="DimUIHFad:setUIHFad=CreateObject\"ADODB.Stream\"" $v2_1="a=\"QJWRWIIPQLYYREESOR" $v2_2="temp=temp+ChrWDict.ItemMida.y-1.2" $v3_1="ChrWDict.ItemMid" $v3_2="-1.2" $v3_3="Mod2=0andDict.count<>256then" $v4_1="=CreateObject" $v4_2="Mod2=0and" $v4_3="Execute" $v4_4=/if\w+Mod2=0and\w+.count<>\w+ then[\x0a\x0d]{1.2}\w+.AddMid\\w+.\w+-1.2\./ condition: uint160!=0x5A4Dandallof$v1*orallof$v2* orallof$v3*orallof$v4* } ruleM_Downloader_PAPERTEAR_2 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $str1="WinhttpRequest"ascii $str2="ShellExecute"ascii $str3=".Open\"post\""ascii $str4=".responseText"ascii $str5="Shell.Application"ascii condition: allofthemandfilesize<5MB } ruleM_Backdoor_DANABOT_1 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." 
strings: $api1="ZwWow64WriteVirtualMemory64"wide $api2="ConvertStringSecurityDescriptorToSecurityDescriptorW"wide $code1={DF2C01DF2883F9087E11DF680883F9107E06DF 6810DF7A10DF7A08DF3ADF3C11} $code2={8A45AB049F2C1A7304} condition: uint160==0x5A4Danduint32uint320x3C==0x00004550 andallofthem } ruleM_Backdoor_DARKGATE_2 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." strings: $str1="IFNOTFILEEXISTS@PROGRAMFILESDIRAND @USERNAME<>\"SYSTEM\"THEN" $str2="BINARYTOSTRING\"0x\"&" $str3="C:\\ProgramFilesx86\\Sophos" $str4="EXECUTEBINARYTOSTRING\"0x" $str5="DLLSTRUCTCREATE" $str6="00C680A438000045C680A538000000C680A638000049C680A738000000C68 0A83800004EC680A938000000C680AA38000046" $str7="CF013183C0024B75D28B420403C28BD08BC28BC82B4DD48B5DDC3B8BA4000000 72A68B45DC8B40288945E48B45E80345E4FF" $str8="446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C 20224322266368722839372926226C6C57696E646F7750726F63222C2022707472222 C20446C6C5374727563744765745074722824" condition: allofthem } ruleM_Downloader_PAPERTEAR_1 { meta: author="Mandiant" disclaimer="Thisruleisforhuntingpurposesonly andhasnotbeentestedtoruninaproductionenvironment." 
strings: $s1=".setRequestHeader\"a\".all_process"ascii $s2="CreateObject"ascii $s3="Select*fromWin32_Process"ascii $s4="ForEach"ascii $s5="http"ascii condition: filesize<1MBandallof$s* } TTPs (note: these ATT&CK mappings are generated automatically from sandbox detonations — Zenbox, CAPE Sandbox, VMRay — and are not analyst-confirmed; two of the five sha256 hashes, d235d49d… and 927d9140…, carry no mapping at all, and T1064 "Scripting" is a deprecated ATT&CK technique ID whose current equivalent is T1059 Command and Scripting Interpreter, so re-map before importing into a detection-coverage matrix): Hash cac930364eba1174da21a390c7d044cd3487582fcc5dd3cb6ec4506572433e75: Source: Zenbox Tactic Name: Execution Tactic ID: TA0002 Technique Name: Windows Management Instrumentation Technique ID: T1047 Technique Name: Scripting Technique ID: T1064 Technique Name: Exploitation for Client Execution Technique ID: T1203 Tactic Name: Discovery Tactic ID: TA0007 Technique Name: Remote System Discovery Technique ID: T1018 Technique Name: Query Registry Technique ID: T1012 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Technique Name: System Information Discovery Technique ID: T1082 Tactic Name: Command and Control Tactic ID: TA0011 Technique Name: Application Layer Protocol Technique ID: T1071 Technique Name: Non-Application Layer Protocol Technique ID: T1095 Technique Name: Encrypted Channel Technique ID: T1573 Tactic Name: Defense Evasion Tactic ID: TA0005 Technique Name: Process Injection Technique ID: T1055 Technique Name: Scripting Technique ID: T1064 Technique Name: Masquerading Technique ID: T1036 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Technique Name: Obfuscated Files or Information Technique ID: T1027 Tactic Name: Privilege Escalation Tactic ID: TA0004 Technique Name: Process Injection Technique ID: T1055 Hash d235d49d680bfb534c1915b833f523fd96cd210530952587aa4e3f83e03ee776: Hash 927d91403036e1e1480736bc037aaed0c6758221b8858f160c629a9505fd26a3: Hash 5e2c7949afe8b1a72fc902a183eae5340cf3c27c1037978c129a71765737e7bb: Source: CAPE Sandbox Tactic Name: Execution Tactic ID: TA0002 Technique Name: Scripting Technique ID: T1064 Technique Name: Command and Scripting Interpreter Technique ID: T1059 Tactic Name: Command and Control Tactic ID: TA0011 Technique Name: Web Protocols Technique ID: T1071.001 Technique Name: Application Layer 
Protocol Technique ID: T1071 Tactic Name: Defense Evasion Tactic ID: TA0005 Technique Name: Scripting Technique ID: T1064 Technique Name: Hide Artifacts Technique ID: T1564 Technique Name: Indirect Command Execution Technique ID: T1202 Technique Name: Hidden Window Technique ID: T1564.003 Source: Zenbox Tactic Name: Collection Tactic ID: TA0009 Technique Name: Data from Local System Technique ID: T1005 Tactic Name: Persistence Tactic ID: TA0003 Technique Name: DLL Side-Loading Technique ID: T1574.002 Technique Name: Registry Run Keys / Startup Folder Technique ID: T1547.001 Tactic Name: Execution Tactic ID: TA0002 Technique Name: Command and Scripting Interpreter Technique ID: T1059 Technique Name: Windows Management Instrumentation Technique ID: T1047 Technique Name: Scripting Technique ID: T1064 Tactic Name: Discovery Tactic ID: TA0007 Technique Name: Security Software Discovery Technique ID: T1518.001 Technique Name: Remote System Discovery Technique ID: T1018 Technique Name: Process Discovery Technique ID: T1057 Technique Name: Application Window Discovery Technique ID: T1010 Technique Name: System Network Configuration Discovery Technique ID: T1016 Technique Name: System Information Discovery Technique ID: T1082 Technique Name: File and Directory Discovery Technique ID: T1083 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Tactic Name: Command and Control Tactic ID: TA0011 Technique Name: Non-Application Layer Protocol Technique ID: T1095 Technique Name: Application Layer Protocol Technique ID: T1071 Technique Name: Ingress Tool Transfer Technique ID: T1105 Technique Name: Non-Standard Port Technique ID: T1571 Tactic Name: Defense Evasion Tactic ID: TA0005 Technique Name: Masquerading Technique ID: T1036 Technique Name: Process Injection Technique ID: T1055 Technique Name: DLL Side-Loading Technique ID: T1574.002 Technique Name: Obfuscated Files or Information Technique ID: T1027 Technique Name: Disable or Modify Tools Technique ID: 
T1562.001 Technique Name: Scripting Technique ID: T1064 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Tactic Name: Privilege Escalation Tactic ID: TA0004 Technique Name: Process Injection Technique ID: T1055 Technique Name: DLL Side-Loading Technique ID: T1574.002 Technique Name: Registry Run Keys / Startup Folder Technique ID: T1547.001 Tactic Name: Credential Access Tactic ID: TA0006 Technique Name: OS Credential Dumping Technique ID: T1003 Hash a7312f01db21efd84be0a4e596fefb6ebbc388655ab19a642bf44360f1409382: Source: VMRay Tactic Name: Execution Tactic ID: TA0002 Technique Name: Windows Management Instrumentation Technique ID: T1047 Tactic Name: Discovery Tactic ID: TA0007 Technique Name: System Information Discovery Technique ID: T1082 Source: Zenbox Tactic Name: Execution Tactic ID: TA0002 Technique Name: Windows Management Instrumentation Technique ID: T1047 Technique Name: Scripting Technique ID: T1064 Technique Name: Command and Scripting Interpreter Technique ID: T1059 Tactic Name: Discovery Tactic ID: TA0007 Technique Name: Process Discovery Technique ID: T1057 Technique Name: File and Directory Discovery Technique ID: T1083 Technique Name: Security Software Discovery Technique ID: T1518.001 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Technique Name: System Information Discovery Technique ID: T1082 Tactic Name: Command and Control Tactic ID: TA0011 Technique Name: Non-Application Layer Protocol Technique ID: T1095 Technique Name: Ingress Tool Transfer Technique ID: T1105 Technique Name: Application Layer Protocol Technique ID: T1071 Technique Name: Non-Standard Port Technique ID: T1571 Tactic Name: Defense Evasion Tactic ID: TA0005 Technique Name: Process Injection Technique ID: T1055 Technique Name: Scripting Technique ID: T1064 Technique Name: Virtualization/Sandbox Evasion Technique ID: T1497 Technique Name: Obfuscated Files or Information Technique ID: T1027 Tactic Name: Privilege Escalation Tactic ID: 
TA0004 Technique Name: Process Injection Technique ID: T1055