We've recently intercepted a currently circulating malicious spam campaign exposing users to a multitude of malicious software, potentially compromising the confidentiality, integrity and availability of their PCs.
In this post we'll profile the campaign, provide malicious MD5s, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
Malicious MD5s known to have participated in the campaign:
MD5: 6b422988b8b66e54e68f110c64914744
MD5: 414fc339b2dd57bab972b3175a18d64a
Once executed, a sample malware phones back to the following C&C servers:
hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 178.32.238.223; 178.208.83.7; 88.214.200.145
hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145
Related malicious MD5s known to have phoned back to the same C&C server IP (136.243.126.105):
MD5: e974e77d0f69b46b9f6c88d98c76c0c6
MD5: 908bb37015af1c863e8e73bb76fdb127
MD5: 87882046d21d2468ee993ea7c3159c4d
MD5: 299c6ac73e225ec5a355b2fb7a618e8f
MD5: 7f2862b5f399bc74dd6d8079da819126
Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 47c18c76540b74a1bca6ca3ae10ebd50
MD5: 024807c29f147dd77450a5bc62e59fa5
MD5: e283f13766be7f705c0271bc42681270
MD5: a29d67dad13eef259dc5c872706f15a6
MD5: 2cf7bf436ef8cbfda0136efd11e92341
Related malicious MD5s known to have phoned back to the same C&C server IP (146.185.243.133):
MD5: 2cf7bf436ef8cbfda0136efd11e92341
MD5: 3a5f263a24728d3805045778978f00b5
MD5: 87435a3fc3799d271b3608955d1c6c4d
MD5: 95c0194351bc2685535544574eb3f5df
MD5: 7224e3698edec9590a5198defae66ef1
Once executed, a sample malware phones back to the following C&C server:
hxxp://worktests.ru/test0.txt
Once executed, a sample malware phones back to the following C&C server:
hxxp://testswork.ru/test15.txt
hxxp://testswork.ru/test18.txt
hxxp://testswork.ru/test20.txt
hxxp://testswork.ru/test21.txt
Once executed, a sample malware phones back to the following C&C server:
hxxp://tradetests.ru/test0.txt
Related malicious MD5s known to have phoned back to the same C&C server IP (176.126.71.5):
MD5: 44c3ac885206d641a6d2dce5a675f378
MD5: 2bf97da5f11b655428622fb10c68ff11
MD5: 6911f4a5a85e266229debfdf0832faad
MD5: 8f1b264ceef3e116522ec213ee691cd2
MD5: af7275d12796b53f0ad4d7866be49a4c
Once executed, a sample malware phones back to a list of C&C server IP:port pairs:
Related malicious MD5s known to have phoned back to the same C&C server IP (5.196.241.192):
MD5: 57f6c25f57f6af3feb149d2cf0ca7b70
MD5: 45bc494e569671ac902ac4abeaf52d0e
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b
MD5: 6458ddbaa59448352cfd18d774af1114
MD5: 89bd709329d7a2666e538ee0fdc7e6a0
Once executed, a sample malware phones back to the following C&C server:
hxxp://stafftest.ru/test.html
Related malicious MD5s known to have participated in the campaign:
MD5: 414fc339b2dd57bab972b3175a18d64a
Once executed, a sample malware phones back to the following C&C servers:
hxxp://stafftest.ru
hxxp://hrtests.ru
hxxp://profetest.ru
hxxp://testpsy.ru
hxxp://pstests.ru
hxxp://qptest.ru
hxxp://prtests.ru
hxxp://jobtests.ru
hxxp://iqtesti.ru
Related malicious MD5s known to have participated in the campaign:
MD5: 7838ccf4e448d8c7404bfe86f5c9d116
Once executed, a sample malware phones back to the following C&C server:
hxxp://managtest.ru/minerd
hxxp://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s
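One way to turn the indicators above into a detection, as an added example that is not part of the original post: a small Python scanner over proxy log lines that flags any request to the C&C domains named here and, for the S.php beacon, pulls out the parameter values it carries. The log layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C&C domains named in this post (written as hxxp:// in the text).
CAMPAIGN_DOMAINS = {
    "hrtests.ru", "managtest.ru", "worktests.ru", "testswork.ru",
    "tradetests.ru", "stafftest.ru", "profetest.ru", "testpsy.ru",
    "pstests.ru", "qptest.ru", "prtests.ru", "jobtests.ru", "iqtesti.ru",
}
# Query parameters of the S.php beacon as listed in the post.
BEACON_FIELDS = ("ver", "pc", "user", "sys", "cmd", "startup")

# Assumed (hypothetical) proxy log layout: timestamp, client IP, method, URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def classify(line):
    """Return None for a benign line, otherwise a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    if host not in CAMPAIGN_DOMAINS:
        return None
    hit = {"src": m.group("src"), "host": host, "path": parts.path, "kind": "c2_contact"}
    if parts.path == "/S.php":
        # The beacon reports host, user, OS, command and startup path; keep them for triage.
        q = parse_qs(parts.query)
        hit["kind"] = "beacon"
        hit["beacon"] = {k: q.get(k, [""])[0] for k in BEACON_FIELDS}
    return hit

def scan(lines):
    return [h for h in (classify(l) for l in lines) if h]

# Constructed sample log lines (not real traffic); the beacon values are made up.
SAMPLE_LOG = [
    "2015-06-01T10:00:01Z 10.0.0.5 GET http://example.com/index.html",
    "2015-06-01T10:00:07Z 10.0.0.5 GET http://hrtests.ru/S.php?ver=24&pc=WS-01&user=alice&sys=Win7&cmd=idle&startup=C:/x.exe",
    "2015-06-01T10:00:09Z 10.0.0.7 GET http://managtest.ru/WinRAR.exe",
    "2015-06-01T10:01:00Z 10.0.0.9 GET http://testswork.ru/test18.txt",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```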
We'll continue monitoring the campaign and post updates as soon as new developments take place.
