CyberCom
https://twitter.com/CNMF_VirusAlert/status/1146130046127681536
https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))
b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet, 2017-01-14 03:35Z
#Source Blog Post
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
---
#Yara Rules
---
rule WinntiLinux_Dropper : azazel_fork
{
    meta:
        desc = "Detection of Linux variant of Winnti"
samples | day | signers | Signer 1 | Signer 2 | Signer 3 | Extra Stuff
a83f2d4073b7ecaf4f277db62ec44f8b10a9f16a297ebb4db9826a7a08eb06d2 | 2019-02-20 | 南昌博众彩软件有限公司; WoTrus Code Signing CA; Certum Trusted Network CA | 南昌博众彩软件有限公司 | WoTrus Code Signing CA | Certum Trusted Network CA |
7639f505eb9b8ab4e585a2dd5e9f300e936ba73e5b5db4c51bcb0ba52e751581 | 2018-08-20 | A&W Global Ltd; thawte SHA256 Code Signing CA; thawte | A&W Global Ltd | thawte SHA256 Code Signing CA | thawte |
bf920c41e76de53a7660c12b7d14d2f1ad60539b142654893e7cc420b2bdbc2b | 2018-12-19 | 深圳市掌星立意科技有限公司; VeriSign Class 3 Code Signing 2010 CA; VeriSign | 深圳市掌星立意科技有限公司 | VeriSign Class 3 Code Signing 2010 CA | VeriSign |
d3aaad15925caae5262366e3a5bf4edec0246877c340e2ba75e5dc96f8410c4a | 2018-10-05 | LEMONADE EVENTS LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™ | LEMONADE EVENTS LIMITED | COMODO RSA Code Signing CA | COMODO SECURE™ |
54fb9e302b497f99c6e7ac891e31faaeaf62245e8c0f65ca7a81c7916225d511 | 2018-10-25 | AmeriTechnology Group, Inc.; Go Daddy Secure Certificate Authority - G2; Go Daddy Roo
Sourced from VT search, YARA rule provided by US-CERT, modified for VTGrep
content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)
Ref: https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9