2024-01-31-IOCs-from-Timely-Threat-Intel-post.txt
2024-01-31 (WEDNESDAY): UPDATE TO INFECTION CAMPAIGN PREVIOUSLY REPORTED AS PUSHING AZORULT
REFERENCES:
- https://www.linkedin.com/posts/unit42_azorult-timelythreatintel-unit42threatintel-activity-7158565872784019457-axg_
- https://twitter.com/Unit42_Intel/status/1752800214795055209
NOTES:
- Campaign originally reported at: https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/
- We discovered an update to the infection chain that uses an .msi instead of a .bat file.
- This was ongoing as recently as last week. Some examples follow.
5 EXAMPLES OF SHA256 HASHES FOR ZIP ARCHIVES:
- 12d5c8201d462576f38a2c1cf62eb3f9f09c3799b4212325d33509ef1253f4e7 citibank_statement_Dec_2023.zip
- 2cfc868cb40b56731a780dfa2b7a0846dd68c07871734162d1c522409875172a [name unknown]
- 564feb259d7b57a39096e52144501ccdc19adfa9d0f0ff3e0e9fd890018bbd88 citibank_statement_Dec_2023.zip
- 5b524804b111045386657c118c97fede66c9544a25d6b55c396995fe67383504 citibank_statement_Dec_2023.zip
- cd198cc166d1739b7f09e4ff1f0873a11aa4101dffd88f5f2bb97f0fc6282941 citibank_statement_Dec_2023.zip
SHA256 HASHES FOR EXTRACTED WINDOWS SHORTCUT FILES:
- 308c9761057bfb6f03df26098424a40232b40faabfdd993a4259b77c07541432 citibank_statement_Dec_2023.Lnk
- 5d9ce9b131f2eae4b2e2109bc72cf6f49a8f843da41822f3d03f4acb6fdd7078 [name unknown]
- fe6e8562f2cc9e19436ca3dacffb6a9280376642e8413db3add2f4ac072dfabe citibank_statement_Dec_2023.Lnk
- ac56e203726a3e8c65ded489b076ff49edfa3321a2071d2ec43968858cf0401d citibank_statement_Dec_2023.Lnk
- 52307607508a94a64d1afdb805274904a4cd1feeb1b90c0cf30ad9376f1896c1 citibank_statement_Dec_2023.Lnk
URLS CONTACTED BY THE ABOVE WINDOWS SHORTCUT FILES:
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=F308D37440058965%21162&authkey=ABzcv7ofhAvMZiQ&.msi
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=269ACD1A87F57BB5%21126&authkey=APDxsVshJA4PNGE&.msi
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=269ACD1A87F57BB5%21188&authkey=ADmjb8zvNZHhwLc&.msi
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=727E23581ED1347F%21145&authkey=AG3ulcj2nuOJlYQ&.msi
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=8AF1295DA3BD6959%21204&authkey=AE1txFLokHN75gM&.msi
SHA256 HASHES OF DOWNLOADED MSI EXAMPLES:
- 6df1cda132d06e5cc00d6d8d88dfa8ed2dea8c036225d505008cd842a4de378c 38MirrorsConnectionAgent.msi
- 8aac79ce5ff07259eed8be3d9beef6a2e14fce7f54d85083f6c4390654841fde 97WiseU_Connect_Home.msi
URLS GENERATED BY THE ABOVE MSI FILES:
- hxxp://152.89.198[.]227:5000/m%20l%20Z%20o%20v%20y%20r%20l%208%205%20K%20J
- hxxp://152.89.198[.]227:5000/l%20F%20L%20Q%20J%20T%20M%20Z%20n%20D%205%20t
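Added example (not part of the Unit 42 post): a small Python script that refangs the defanged indicators above (hxxp, [.]) and runs them over a few constructed proxy-log lines. It matches on the published SHA256 hashes and exact OneDrive download URLs, treats only the IP-literal host as a block-worthy C2 host (onedrive[.]live[.]com is a shared service and must not be blocked wholesale), and adds a shape heuristic for the MSI beacon path, which is a run of single alphanumeric characters separated by %20. The log format, the sample lines, and the function names are assumptions for illustration.

```python
"""Refang Unit 42-style defanged IOCs and scan constructed proxy-log lines.

Assumed (hypothetical) log format, one request per line:
    <timestamp> <client_ip> <sha256-of-downloaded-object-or-'-'> <url>
"""
import re
from urllib.parse import unquote, urlsplit

# Subset of the indicators from the post, kept defanged exactly as published.
IOC_TEXT = """
- 12d5c8201d462576f38a2c1cf62eb3f9f09c3799b4212325d33509ef1253f4e7 citibank_statement_Dec_2023.zip
- 308c9761057bfb6f03df26098424a40232b40faabfdd993a4259b77c07541432 citibank_statement_Dec_2023.Lnk
- hxxps://onedrive[.]live[.]com/download?cid=85B4181C5D4F7514&resid=F308D37440058965%21162&authkey=ABzcv7ofhAvMZiQ&.msi
- 6df1cda132d06e5cc00d6d8d88dfa8ed2dea8c036225d505008cd842a4de378c 38MirrorsConnectionAgent.msi
- hxxp://152.89.198[.]227:5000/m%20l%20Z%20o%20v%20y%20r%20l%208%205%20K%20J
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"hxxps?://\S+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(s: str) -> str:
    """Undo the hxxp / hxxps and [.] defanging used in the post."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def parse_iocs(text: str) -> dict:
    """Pull hashes, exact URLs and IP-literal C2 hosts out of the defanged text."""
    hashes = set(SHA256_RE.findall(text))
    urls = {refang(u) for u in URL_RE.findall(text)}
    # Only IP-literal hosts are safe to block outright; onedrive.live.com is shared.
    c2_hosts = {h for h in (urlsplit(u).hostname or "" for u in urls)
                if IPV4_RE.fullmatch(h)}
    return {"hashes": hashes, "urls": urls, "c2_hosts": c2_hosts}


def spaced_char_path(url: str) -> bool:
    """Shape of the MSI beacon path: >= 6 single alphanumerics separated by spaces (%20)."""
    path = unquote(urlsplit(url).path).lstrip("/")
    tokens = path.split(" ")
    return len(tokens) >= 6 and all(len(t) == 1 and t.isalnum() for t in tokens)


def scan_log(lines, iocs) -> list:
    """Return (line_number, [reasons]) for every log line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:  # skip lines not in the assumed format
            continue
        _ts, _client, sha, url = parts
        reasons = []
        if sha in iocs["hashes"]:
            reasons.append("known_hash")
        if url in iocs["urls"]:
            reasons.append("known_url")
        if (urlsplit(url).hostname or "") in iocs["c2_hosts"]:
            reasons.append("c2_host")
        if spaced_char_path(url):
            reasons.append("spaced_char_path")
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines (not real traffic): a benign OneDrive download,
# the published MSI URL delivering the published MSI hash, a beacon to the C2
# host with a different but same-shaped path, and an unrelated download.
SAMPLE_LOG = [
    "2024-01-25T10:00:01Z 10.0.0.5 - https://onedrive.live.com/download?cid=AAAA&resid=BBBB%21999&authkey=CCCC",
    "2024-01-25T10:00:07Z 10.0.0.5 6df1cda132d06e5cc00d6d8d88dfa8ed2dea8c036225d505008cd842a4de378c "
    "https://onedrive.live.com/download?cid=85B4181C5D4F7514&resid=F308D37440058965%21162&authkey=ABzcv7ofhAvMZiQ&.msi",
    "2024-01-25T10:00:09Z 10.0.0.5 - http://152.89.198.227:5000/a%20b%20C%20d%20E%20f%209%200",
    "2024-01-25T10:01:00Z 10.0.0.6 - https://example.com/downloads/report%20final.pdf",
]


def main():
    iocs = parse_iocs(IOC_TEXT)
    for n, reasons in scan_log(SAMPLE_LOG, iocs):
        print(f"line {n}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

The exact-URL match is deliberate: the OneDrive cid value 85B4181C5D4F7514 is shared by all five published download links, so a hunt on that cid in proxy logs is a reasonable pivot, but blocking the host itself would break legitimate OneDrive traffic. The spaced-character path heuristic only captures the shape of the two beacon URLs seen here; validate it against your own traffic before turning it into a blocking rule.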