Indicators of Compromise (IOCs) List from Analyzed Samples

Updated: Jan 23

Below is a list of indicators of compromise (IOCs) from samples I've analyzed and published so far. Click one of the links below to jump to the malware of interest:

Emotet
Dridex
QakBot
RedLineStealer
Kazy Trojan

EMOTET

File hash: 1a243db583013a6999761dad88d6952351fdc2cd17d2016990276a9dd11ac90b

File name: erum.ocx

URLs:
https://zml.laneso[.]com/packet/AlvJ80dtSYEeeCQP/
http://ostadsarma[.]com/wp-admin/JNgASjNC/
http://govtjobresultbd[.]xyz/sjjz/UIUh0HsLqj0y9/

DRIDEX

File hash: 77ea99933030294970a8d11a20f0fab4e540133931e91358d2dde3b97d6a521d

Writes:
C:\ProgramData\mhunigger.bin

Downloads:
ReMxcvxKeOzodickpenis.bin
ZvdFNlHdickpenis.bin
CdNiUWXvKRUbUidickpenis.bin

Domains:
https://caioaraujo[.]vip

QAKBOT

File hash: 62bb4d89d905a988f154fcb9bd60a376cca42c1343e03b03a897d039eb8d4036

IPs:
46.105.81[.]76
185.82.127[.]219
101.99.90[.]108

File names:
Pattern: 44575.516********.dat
44575.51608796296.dat
44575.51611111111.dat
44575.51613425926.dat
44575.51615740741.dat2
44575.516180555554.dat2
44575.5162037037.dat2

File paths:
C:\ProgramData\Dotr1.ocx
C:\ProgramData\Dotr2.ocx
C:\ProgramData\Dotr3.ocx
C:\ProgramData\Dotr4.ocx
C:\ProgramData\Dotr5.ocx
C:\ProgramData\Dotr6.ocx

REDLINE STEALER

File name: setup_x86_x64_install.exe
File hash: a12d74b1756d49531e21f755fef2049ab6c83626f0834cb945c781c39d40a177

File name: Sat19d470e8e0597fc47.exe (or a similarly named file matching the same alphanumeric pattern)
File path: C:\Users\User\AppData\Local\Temp\7zS4441B019\Sat19d470e8e0597fc47.exe
File hash: BC118B7708D56B93707A9BB025D3BF62D723B7932435A08299F59249C1C37DBE

File name: @.cmd
File path: C:\Users\User\AppData\Local\Temp\IXP000.TMP\@.cmd
File hash: 286227287F1FA79D5D5D909C2F457FC4D0AEFA6BE9E940F9A1F214D113FF88B4

File name: Sat195518974c.exe
File path: C:\Users\User\AppData\Local\Temp\7zS0437FC5D\Sat195518974c.exe
File hash: 13357A53F4C23BD8AC44790AA1DB3233614C981DED62949559F63E841354276A

File name: IXP000.TMP
File path: C:\Users\User\AppData\Local\Temp\IXP000.TMP

Directory: C:\Program Files (x86)\FarLabUninstaller\*

Domains:
www.hhiuew33[.]com
gp.gamebuy768[.]com
one-mature-tube[.]com
cloudjah[.]com
kelenxz[.]xyz
ad-postback[.]biz

IPs:
212.193.30[.]45
159.69.246[.]184

Registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\Sat194d446031aec9ca_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Sat194d446031aec9ca_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\Sat19f1c04426464e86_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Sat19f1c04426464e86_RASMANCS
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FarLabUninstaller.exe_is1

KAZY TROJAN

File hash: 8abb47ca7c0c4871c28b89aa0e75493e5eb01e403272888c11fef9e53d633ffe
File name: 21.exe

Writes:
C:\Program Files\Common Files\whh02053.ocx