Fenrir with Sandworm Centreon IOCs and Strings
Showing
5 changed files
with
19 additions
and
228 deletions.
@@ -1,125 +1,2 @@ | ||
201.191.202.34 | ||
216.58.192.68 | ||
185.11.146.191 | ||
185.11.146.151 | ||
185.62.190.62 | ||
185.62.190.82 | ||
185.62.190.156 | ||
185.62.190.222 | ||
185.62.190.253 | ||
188.209.49.163 | ||
188.209.52.195 | ||
188.209.49.131 | ||
188.209.49.165 | ||
185.130.5.165 | ||
185.130.5.174 | ||
185.130.5.200 | ||
185.130.5.205 | ||
185.130.5.246 | ||
80.82.64.177 | ||
80.82.78.12 | ||
89.248.168.29 | ||
89.248.172.201 | ||
94.102.53.144 | ||
89.248.162.167 | ||
89.248.162.171 | ||
89.248.166.131 | ||
89.248.168.39 | ||
89.248.172.166 | ||
89.248.172.173 | ||
94.102.49.197 | ||
94.102.63.136 | ||
46.165.251.153 | ||
178.162.199.88 | ||
178.162.205.4 | ||
178.162.205.29 | ||
178.162.205.30 | ||
178.162.211.200 | ||
178.162.211.211 | ||
178.162.211.213 | ||
178.162.211.214 | ||
178.162.211.215 | ||
178.162.211.216 | ||
178.162.211.217 | ||
149.202.153.56 | ||
173.208.196.202 | ||
188.0.236.27 | ||
188.209.52.228 | ||
192.210.220.3 | ||
198.23.238.215 | ||
198.23.238.251 | ||
208.67.1.130 | ||
208.67.1.33 | ||
208.69.31.11 | ||
5.152.206.162 | ||
5.196.8.171 | ||
89.248.162.167 | ||
115.239.248.62 | ||
117.27.158.104 | ||
117.27.158.71 | ||
117.27.158.78 | ||
117.27.158.91 | ||
122.225.103.118 | ||
122.225.103.122 | ||
122.225.103.125 | ||
122.225.103.97 | ||
122.225.109.102 | ||
122.225.109.103 | ||
122.225.109.108 | ||
122.225.109.109 | ||
122.225.109.114 | ||
122.225.109.121 | ||
122.225.109.125 | ||
122.225.109.202 | ||
122.225.109.214 | ||
122.225.109.220 | ||
122.225.109.99 | ||
218.2.0.121 | ||
218.2.0.132 | ||
218.2.0.133 | ||
218.2.0.137 | ||
221.235.188.210 | ||
222.186.34.121 | ||
222.186.58.70 | ||
60.169.77.228 | ||
61.174.50.172 | ||
61.174.50.177 | ||
61.174.50.184 | ||
61.174.50.216 | ||
61.174.51.214 | ||
61.174.51.226 | ||
61.174.51.229 | ||
61.174.51.230 | ||
61.174.51.233 | ||
61.174.51.235 | ||
61.174.50.184 | ||
122.225.103.118 | ||
218.2.0.132 | ||
122.225.103.125 | ||
122.225.109.99 | ||
122.225.103.97 | ||
122.225.103.122 | ||
61.174.51.226 | ||
117.27.158.71 | ||
61.174.51.233 | ||
122.225.109.108 | ||
122.225.109.109 | ||
61.174.50.177 | ||
61.174.51.214 | ||
117.27.158.104 | ||
61.174.50.172 | ||
222.186.34.121 | ||
117.27.158.91 | ||
222.186.58.70 | ||
61.174.51.229 | ||
122.225.109.214 | ||
61.174.50.216 | ||
117.27.158.78 | ||
221.235.188.210 | ||
122.225.109.121 | ||
167.114.153.55 | ||
94.237.37.28 | ||
82.118.242.171 | ||
31.220.61.251 | ||
128.199.199.187 | ||
176.31.225.204 | ||
# END |
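Review bot: The new side of this c2-iocs file carries a single indicator plus the `# END` marker but no comment recording where the entry came from or when it was added, which an analyst triaging a Fenrir hit needs to judge whether the address is still attributable; the commit title points at a Sandworm/Centreon report, but the file itself does not name it. If `#` lines are skipped as comments, as the `# END` marker suggests, a line such as `# Source: <report reference> - added <YYYY-MM-DD>` above the entry would carry that. The same gap exists for the two new entries in hash-iocs, `84837778682450cdca43d1397afd2310;PAS Webshell` and `92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware`, whose description column has room for a reference in the way the APT28 entry next to them has one. Which of the lines shown here is the added one rather than the retained one is not recoverable from the rendered page.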
@@ -1,2 +1,9 @@ | ||
demo/evil.jsp | ||
# END - DO NOT REMOVE | ||
/tmp/.applocktx | ||
/tmp/.applock$ | ||
/usr/local/centreon/www/search.php | ||
/usr/share/centreon/www/search.php | ||
/usr/share/centreon/www/modules/Discovery/include/DB−Drop.php | ||
/usr/share/centreon/www/htmlHeader.php | ||
/configtx\.json |
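Review bot: The dash in `/usr/share/centreon/www/modules/Discovery/include/DB−Drop.php` appears to be a non-ASCII character (it renders like U+2212 MINUS SIGN) rather than the ASCII hyphen-minus, so the indicator would never match a file actually named with a hyphen; check the bytes in a hex editor and, if confirmed, replace the line with `/usr/share/centreon/www/modules/Discovery/include/DB-Drop.php`. Separately, the new entries mix literal paths with regex-style ones (`/tmp/.applock$`, `/configtx\.json`) while the DB-Drop path leaves its dot unescaped; whether the backslash and the `$` anchor are interpreted or matched literally depends on how Fenrir consumes this file, which is outside the page, so a one-line comment stating the matching mode (as string-iocs already has) would keep future entries consistent.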
@@ -1,98 +1,3 @@ | ||
329cd07f4dd67947ff10d8a6550ff779;Demo file - evil.jsp | ||
|
||
866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035;Equation APT | ||
8447dabffd37eb7fcb1bc1d6c6f1d164;Htran Chinese APT Tunneling Tool Sample | ||
|
||
5d853a8de18d844a9ab269f3d51e5072;Five Eyes QUERTY Malware20120.dll.bin | ||
cc8b737edb3f11c9c5dba57035c63103;Five Eyes QUERTY Malware20120.xml | ||
67ac8dc6589a07d950bd12f534dc9789;Five Eyes QUERTY Malware20120_cmdDef.xml | ||
40451f20371329b992fb1b85c754d062;Five Eyes QUERTY Malware20121.dll.bin | ||
ff0afae5c68c5177ed0a3d6339810cae;Five Eyes QUERTY Malware20121.xml | ||
1bc8f4df4551c6efbbb1fe9f965dca49;Five Eyes QUERTY Malware20121_cmdDef.xml | ||
0ed11a73694999bc45d18b4189f41ac2;Five Eyes QUERTY Malware20123.sys.bin | ||
066b6253afc3ad0efe9a15cead4ef7d8;Five Eyes QUERTY Malware20123.xml | ||
790d1b448e97985deb710a94eb927c27;Five Eyes QUERTY Malware20123_cmdDef.xml | ||
|
||
ad61e8daeeba43e442514b177a1b41ad4b7c6727;Skeleton Key Malware | ||
5083b17ccc50dd0557dfc544f84e2ab55d6acd92;Skeleton Key Malware | ||
66da7ed621149975f6e643b4f9886cfd;Symantec Report http://goo.gl/9Tmq2e msuta64.dll | ||
bf45086e6334f647fda33576e2a05826;Symantec Report http://goo.gl/9Tmq2e ole64.dll | ||
a487f1668390df0f4951b7292bae6ecf;Symantec Report http://goo.gl/9Tmq2e HookDC.dll | ||
8ba4df29b0593be172ff5678d8a05bb3;Symantec Report http://goo.gl/9Tmq2e HookDC.dll | ||
f01026e1107b722435126c53b2af47a9;Symantc Report http://goo.gl/9Tmq2e HookDC.dll | ||
747cc5ce7f2d062ebec6219384b57e8c;Symantec Report http://goo.gl/9Tmq2e ole.dll | ||
600b604784594e3339776c6563aa45a1;Symantec Report http://goo.gl/9Tmq2e jqs.exe (Backdoor.Winnti dropper) | ||
48377c1c4cfedebe35733e9c3675f9be;Symantec Report http://goo.gl/9Tmq2e tmp8296.tmp (Backdoor.Winnti variant) | ||
|
||
20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92;Regin Malware Sample | ||
225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430;Regin Malware Sample | ||
392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e;Regin Malware Sample | ||
40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b;Regin Malware Sample | ||
4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be;Regin Malware Sample | ||
4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9;Regin Malware Sample | ||
5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823;Regin Malware Sample | ||
5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90;Regin Malware Sample | ||
7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7;Regin Malware Sample | ||
7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926;Regin Malware Sample | ||
8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13;Regin Malware Sample | ||
8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7;Regin Malware Sample | ||
8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db;Regin Malware Sample | ||
9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f;Regin Malware Sample | ||
9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379;Regin Malware Sample | ||
a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355;Regin Malware Sample | ||
a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880;Regin Malware Sample | ||
a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35;Regin Malware Sample | ||
a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669;Regin Malware Sample | ||
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample | ||
a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample | ||
b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047;Regin Malware Sample | ||
b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce;Regin Malware Sample | ||
c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513;Regin Malware Sample | ||
cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601;Regin Malware Sample | ||
df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c;Regin Malware Sample | ||
e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902;Regin Malware Sample | ||
e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935;Regin Malware Sample | ||
ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69;Regin Malware Sample | ||
f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e;Regin Malware Sample | ||
f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4;Regin Malware Sample | ||
fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef;Regin Malware Sample | ||
fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129;Regin Malware Sample | ||
|
||
9bec941bec02c7fbe037a97db8c89f18;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network | ||
6ce69e4bec14511703a8957e90ded1fa;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network | ||
1c05164fede51bf947f1e78cba811063;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network | ||
5129c26818ef712bde318dff970eba8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network | ||
bdce0ed65f005a11d8e9a6747a3ad08c;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network | ||
e04ad0ec258cbbf94910a677f4ea54f0;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section | ||
928d0ef4c17f0be21f2ec5cc96182e0c;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section | ||
d686ce4ed3c46c3476acf1be0a1324e6;Symantec Waterbug Attack http://goo.gl/9Tlk90 typecli.exe | ||
22fb51ce6e0bc8b52e9e3810ca9dc2e1;Symantec Waterbug Attack http://goo.gl/9Tlk90 msc32.exe | ||
df06bde546862336ed75d8da55e7b1cc;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
a85616aec82078233ea25199c5668036;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
b7d80000100f2cb50a37a8a5f21b185f;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
552a8e8d60731022dcb5a89fd4f313ec;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
a1ecf883627a207ed79d0fd103534576;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
560f47c8c50598760914310c6411d3b1;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
b28cbcd6998091f903c06a0a46a0fd8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
b0952e130f6f8ad207998000a42531de;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
c04190dc190b6002f064e3d13ac22212;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
959ed9d60a8f645fd46b7c7a9b62870c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
305801a809b7d9136ab483682e26d52d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
e5a9fc45ab11dd0845508d122a6c8c8c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter | ||
bf0e4d46a51f27493cbe47e1cfb1b2ea;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information | ||
22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information | ||
f156ff2a1694f479a079f6777f0c5af0;Symantec Waterbug Attack http://goo.gl/9Tlk90 pxinsi64.exe 64-bit driver possibly used by vboxdev_win32.dll | ||
eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 mswme32.exe Collects files with extensions (.*library, *.inf, *.exe, .*dll, .*dot), Encrypts with Trojan.Turla XOR key | ||
56f423c7a7fef041f3039319f2055509;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe | ||
22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe | ||
eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnet32.exe | ||
20c9df1e5f426f9eb7461cd99d406904;Symantec Waterbug Attack http://goo.gl/9Tlk90 rpcsrv.exe RPC server using ncacn_np identifier and binds to \\pipe\ hello, Can be used as a proxy | ||
ed3509b103dc485221c85d865fafafac;Symantec Waterbug Attack http://goo.gl/9Tlk90 charmap32.exe Executes msinfo32.exe /nfo and direct output to winview.nfo | ||
09886f7c1725fe5b86b28dd79bc7a4d1;Symantec Waterbug Attack http://goo.gl/9Tlk90 mqsvc32.exe Capable of sending exfiltrated data through email using MAPI32.dll | ||
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 msrss.exe Registers as a service “svcmgr” with display name ‘Windows Svcmgr’ | ||
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 dc1.exe | ||
fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 svcmgr.exe | ||
98992c12e58745854a885f9630124d3e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msx32.exe Used to encrypt file (supplied as argument on command line) using common Trojan.Turla XOR key, Output written to [FILE NAME].XOR | ||
|
||
c709e0963ad64f87d9c7a05ddd2eb7c5;APT28 IOT script https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | ||
84837778682450cdca43d1397afd2310;PAS Webshell | ||
92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware | ||
# END - DO NOT REMOVE |
@@ -1,6 +1,8 @@ | ||
eval request( | ||
bash -i >/dev/tcp/ | ||
chmod +x /tmp/ | ||
() { :; }; | ||
packed with the UPX executable packer | ||
/tmp/.applock | ||
.substr(md5(strrev( | ||
Archive created by P.A.S. | ||
socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print | ||
SQL Dump created by P.A.S. | ||
odhyrfjcnfkdtslt | ||
configtx.json | ||
# END - DO NOT REMOVE - contents passed to grep - double escape square brackets |
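Review bot: Several patterns in this hunk contain unescaped regex metacharacters even though the trailing comment says the contents are passed to grep: the `.` in `configtx.json`, `/tmp/.applock` and `.substr(md5(strrev(` matches any character, and the parentheses, braces and mid-pattern `$` in `socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print` and `() { :; };` are literal only under basic regex syntax. Under basic grep this widens the match slightly rather than breaking it, but it is inconsistent with the filename-iocs entry `/configtx\.json`, which does escape the dot. Escaping the dots, e.g. `configtx\.json`, and extending the comment to name the dialect in use (`# END - DO NOT REMOVE - contents passed to grep as basic regex - escape . and [ ] with a backslash`) would make the intent explicit. The grep invocation is not on the page, so the dialect in effect is inferred from the comment only.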