@zoomequipd
Last active December 15, 2020 14:29
Sunburst.md

Source

Washington Post

References

- FireEye - Writeup (archive link)
- FireEye - SUNBURST Countermeasures
- Microsoft
- SolarWinds Security Advisory (archive link)
- Volexity (additional IOCs)
- Twitter - How to deobfuscate the malware
- Twitter - Thread showing some functions of the malware

Hashes

| md5 | sha256 | Notes |
|---|---|---|
| 2c4a910a1299cdae2a4e55988a2f102e | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | PasteBin, FEYE |
| 846e27a652a5e1bfbd0ddd38a16dc865 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | |
| b91ce2fa41029f6955bff20079468448 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | PasteBin, FEYE |
| | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | PasteBin |
| | eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed | PasteBin |
| | c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 | PasteBin |
| | ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c | PasteBin |
| e18a6a21eb44e77ca8d739a72209c370 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | PasteBin |
| 3e329a4c9030b26ba152fb602a1d5893 | d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af | PasteBin |
| 02af7cec58b9a5da1c542b5a32151ba1 | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | FEYE |
| 08e35543d6110ed11fdf558bb093d401 | 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 | FEYE |
| 4f2eb62fa529c0283b28d05ddd311fae | 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 | FEYE |
| 56ceb6d0011d87b6e4d7023d7ef85676 | c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | FEYE |

(MD5 values were not recorded for the four PasteBin-only SHA-256 entries.)
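The obvious check against the table above is to hash every DLL under the Orion install tree and compare against both digest columns. The script below is an added example for this page, not code from the gist, FireEye or SolarWinds. The digest sets are copied from the table; the default install root and the DLL filename used in the constructed dry-run sample are assumptions, not facts taken from this page.

```python
"""Sweep a directory tree for files whose SHA-256 (or, as a fallback, MD5)
matches the SUNBURST hash IOCs in the table above.
Added example for this page, not code from the gist or from FireEye."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Digests copied from the hash table above.
SUNBURST_SHA256 = {
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af",
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
}
SUNBURST_MD5 = {
    "2c4a910a1299cdae2a4e55988a2f102e",
    "846e27a652a5e1bfbd0ddd38a16dc865",
    "b91ce2fa41029f6955bff20079468448",
    "e18a6a21eb44e77ca8d739a72209c370",
    "3e329a4c9030b26ba152fb602a1d5893",
    "02af7cec58b9a5da1c542b5a32151ba1",
    "08e35543d6110ed11fdf558bb093d401",
    "4f2eb62fa529c0283b28d05ddd311fae",
    "56ceb6d0011d87b6e4d7023d7ef85676",
}

# Assumption: typical Orion install root on a Windows host (not stated on this page).
DEFAULT_ROOT = r"C:\Program Files (x86)\SolarWinds\Orion"


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, streaming so a large DLL is never read into RAM at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, sha256_iocs=SUNBURST_SHA256, md5_iocs=SUNBURST_MD5, suffixes=(".dll",)):
    """Walk root and return [(path, algorithm, digest)] for every IOC match.
    SHA-256 is authoritative; MD5 is consulted only when no SHA-256 matched."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = Path(dirpath) / name
            try:
                md5, sha = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if sha in sha256_iocs:
                hits.append((str(path), "sha256", sha))
            elif md5 in md5_iocs:
                hits.append((str(path), "md5", md5))
    return hits


def build_sample_tree(content=b"abc"):
    """Constructed input for a dry run: a temp dir holding one fake Orion DLL (assumed filename)."""
    root = tempfile.mkdtemp(prefix="sunburst_demo_")
    path = Path(root) / "SolarWinds.Orion.Core.BusinessLayer.dll"
    path.write_bytes(content)
    return root, str(path)


if __name__ == "__main__":
    # Pass the Orion root as argv[1]; with no argument the constructed sample tree is scanned.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()[0]
    for path, algo, digest in scan_tree(root):
        print(f"MATCH {algo}={digest} {path}")
```

Run it as `python sweep.py "C:\Program Files (x86)\SolarWinds\Orion"` on the host; any line of output is a confirmed trojanised binary, and a clean run only says those specific builds are absent, not that the host is unaffected.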

Network IOCs

Domain - avsvmcloud[.]com

No certs found on crt.sh

2020-04-13 52.170.43.150
2020-04-13 52.171.141.69
2020-04-13 13.65.251.83
2020-04-13 52.171.135.15
2020-04-13 13.92.233.22
2020-04-13 13.90.103.231
2020-04-13 13.84.134.105
2019-11-27 107.161.23.204
2019-11-27 192.161.187.200
2019-11-27 209.141.38.71

Subdomains
ns1.avsvmcloud.com	54.164.147.101
a11-64.avsvmcloud.com	54.164.147.101
a1-139.avsvmcloud.com	3.101.88.204
a20-65.avsvmcloud.com	54.164.147.101
a6-66.avsvmcloud.com	3.101.88.204
a26-67.avsvmcloud.com	3.101.88.204
a4-65.avsvmcloud.com	54.164.147.101

Self hosted DNS Server - USE EXTREME CAUTION

Based on domain hosting and IP changes, the interesting date range looks to be 2019-12-06 -- current.

The transfer to self-controlled name servers occurred on or around 2020-02-07.

52.170.43.150 = Microsoft
52.171.141.69 = Microsoft
13.65.251.83 = Microsoft
52.171.135.15 = Microsoft
13.92.233.22 = Microsoft
13.90.103.231 = Microsoft
13.84.134.105 = Microsoft

54.164.147.101 = AWS
3.101.88.204 = AWS

107.161.23.204, 192.161.187.200, and 209.141.38.71 appear to be NameSilo domain-parking IPs (parking.namesilo.com has resolved to these IPs).

Given the Microsoft-owned IPs, this was possibly hosted on Azure.

Domain - digitalcollege[.]org

HAS CERTS on crt.sh

2020-04-22 13.57.184.217
2019-11-09 104.28.0.84
2019-11-09 104.28.1.84
2019-05-04 23.94.69.34
2018-09-06 72.52.4.119
2015-07-29 173.193.106.11
Subdomains

hostmaster.digitalcollege.org	13.57.184.217
cpanel.digitalcollege.org	23.94.69.34
webmail.digitalcollege.org	23.94.69.34
www.digitalcollege.org
    2020-08-05 13.57.184.217
    2020-03-05 198.54.117.218
    2020-03-05 198.54.117.217
    2020-03-05 198.54.117.211
    2020-03-05 198.54.117.215
    2020-03-05 198.54.117.216
    2020-03-05 198.54.117.210
    2020-03-05 198.54.117.212
    2019-08-07 104.28.1.84
    2019-08-07 104.28.0.84
    2019-05-04 23.94.69.34
    2017-09-25 210.188.199.140
    2015-11-29 173.193.106.11

Based on domain hosting, registration, and IP changes, the interesting date range looks to be 2019-03-24 -- current.

It appears to have been transferred to Cloudflare and then, around the time of the campaign, transferred out of Cloudflare.

104.28.1.84 and 104.28.0.84 are Cloudflare.

13.57.184.217 = AWS
198.54.117.218 = NameCheap
23.94.69.34 = Electro Nebula LLC

Certificate Transparency via crt.sh shows TLS cert created on:

  1. 2019-03-24 (Lets Encrypt)
  2. 2019-03-28 (CloudFlare)
  3. 2019-05-04 (Lets Encrypt)
  4. 2019-06-02 (CloudFlare)
  5. 2020-03-05 (Sectigo)

Domain - deftsecurity[.]com

2020-04-13 13.59.205.66
2020-02-13 209.141.38.71
2020-02-13 192.161.187.200
2020-02-13 107.161.23.204
2019-12-09 52.58.78.16
2019-11-30 52.201.79.206
2019-11-30 52.23.148.124
2018-09-05 37.60.253.181

Subdomains
www.deftsecurity.com
    2020-02-13 192.161.187.200
    2020-02-13 45.58.190.82
    2020-02-13 168.235.88.209
    2020-02-13 209.141.38.71
    2020-02-13 70.39.125.244
    2020-02-13 198.251.84.92
    2020-02-13 188.164.131.200
    2020-02-13 107.161.23.204
    2020-02-13 64.32.22.102
    2020-02-13 198.251.81.30
    2020-02-13 204.188.203.155
    2019-12-09 52.58.78.16
    2019-08-12 52.23.148.124
    2019-08-12 52.201.79.206

Based on domain hosting, registration, and IP changes, the interesting date range looks to be 2019-02-12 -- current.

The 2020-02-13 IPs seem to be NameSilo "parking" addresses (parking.namesilo.com has resolved to these IPs): 192.161.187.200, 45.58.190.82, 168.235.88.209, 209.141.38.71, 70.39.125.244, 198.251.84.92, 188.164.131.200, 107.161.23.204, 64.32.22.102, 198.251.81.30, 204.188.203.155

13.59.205.66 = AWS

Certificate Transparency via crt.sh shows TLS cert created on:

  1. 2019-03-31 (Lets Encrypt)
  2. 2019-04-08 (Lets Encrypt)
  3. 2019-07-10 (Lets Encrypt)
  4. 2019-08-11 (Lets Encrypt)
  5. 2019-12-09 (Lets Encrypt)
  6. 2020-02-08 (Lets Encrypt)
  7. 2020-02-13 (Lets Encrypt)

Domain - thedoccloud[.]com - VT
2020-02-06 54.215.192.52
2019-11-28 192.161.187.200
2019-11-28 209.141.38.71
2019-11-28 107.161.23.204
2017-05-19 167.114.213.199

Subdomains
www.thedoccloud.com
    2020-02-06 54.215.192.52
    2019-07-16 198.251.84.92
    2019-07-16 204.188.203.154
    2019-07-16 188.164.131.200
    2019-07-16 70.39.125.243
    2019-07-16 209.141.38.71
    2019-07-16 107.161.23.204
    2019-07-16 64.32.22.101
    2019-07-16 45.58.190.82
    2019-07-16 107.191.99.119
    2019-07-16 192.161.187.200
    2019-07-16 173.44.37.208
    2019-07-16 198.251.81.30

Based on domain hosting, registration, and IP changes, the interesting date range looks to be 2018-04-06 -- current.

The 2019-07-16 IPs seem to be NameSilo "parking" addresses (parking.namesilo.com has resolved to these IPs): 45.58.190.82, 209.141.38.71, 198.251.84.92, 188.164.131.200, 107.161.23.204, 198.251.81.30, 204.188.203.154, 70.39.125.243, 64.32.22.101, 107.191.99.119, 173.44.37.208

54.215.192.52 = AWS

Certificate Transparency via crt.sh shows TLS cert created on:

  1. 2020-02-06 (Sectigo)
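The reasoning applied to avsvmcloud, deftsecurity and thedoccloud above is the same each time: split the passive-DNS history into NameSilo parking periods and real hosting periods, treat the parking-to-hosting flip as the start of the interesting window, and see whether a certificate issuance lines up with it. The script below is an added example that mechanises that reasoning; it is not code from the gist. The resolution records and the parking IP set are copied from this page (thedoccloud and deftsecurity); the three-day correlation window is an assumed tolerance.

```python
"""Classify a passive-DNS resolution history into parking vs. hosting periods,
find the transitions, and correlate certificate issuance with them.
Added example for this page; records below are copied from the lists above."""
from datetime import date
from itertools import groupby

# NameSilo parking IPs named on this page (parking.namesilo.com has resolved to them).
NAMESILO_PARKING = {
    "107.161.23.204", "192.161.187.200", "209.141.38.71", "45.58.190.82",
    "168.235.88.209", "70.39.125.244", "70.39.125.243", "198.251.84.92",
    "188.164.131.200", "64.32.22.102", "64.32.22.101", "198.251.81.30",
    "204.188.203.155", "204.188.203.154", "107.191.99.119", "173.44.37.208",
}

# (observed date, IP) pairs as listed for thedoccloud[.]com above.
THEDOCCLOUD = [
    ("2020-02-06", "54.215.192.52"),
    ("2019-11-28", "192.161.187.200"),
    ("2019-11-28", "209.141.38.71"),
    ("2019-11-28", "107.161.23.204"),
    ("2017-05-19", "167.114.213.199"),
]
# (observed date, IP) pairs as listed for deftsecurity[.]com above.
DEFTSECURITY = [
    ("2020-04-13", "13.59.205.66"),
    ("2020-02-13", "209.141.38.71"),
    ("2020-02-13", "192.161.187.200"),
    ("2020-02-13", "107.161.23.204"),
    ("2019-12-09", "52.58.78.16"),
    ("2019-11-30", "52.201.79.206"),
    ("2019-11-30", "52.23.148.124"),
    ("2018-09-05", "37.60.253.181"),
]


def timeline(records, parking=NAMESILO_PARKING):
    """Group resolutions by date (ascending) and label each date
    'parking', 'hosting' or 'mixed' according to the parking IP set."""
    rows = sorted((date.fromisoformat(d), ip) for d, ip in records)
    out = []
    for day, group in groupby(rows, key=lambda r: r[0]):
        ips = sorted(ip for _, ip in group)
        parked = [ip in parking for ip in ips]
        label = "parking" if all(parked) else "hosting" if not any(parked) else "mixed"
        out.append((day, label, ips))
    return out


def transitions(tl):
    """Dates on which the label changed, as (date, previous_label, new_label)."""
    return [(day, prev, cur)
            for (_, prev, _), (day, cur, _) in zip(tl, tl[1:]) if prev != cur]


def latest_hosting_window(tl):
    """Start date of the most recent run of non-parking resolutions,
    or None if the domain's latest observation is parked."""
    if not tl or tl[-1][1] == "parking":
        return None
    start = tl[-1][0]
    for day, label, _ in reversed(tl):
        if label == "parking":
            break
        start = day
    return start


def certs_near(cert_dates, tl, window_days=3):
    """Certificate issuance dates within window_days (assumed tolerance) of a
    move off parking, the pattern seen above where cert and new IP share a date."""
    changes = [day for day, _, cur in transitions(tl) if cur != "parking"]
    return [c for c in cert_dates
            if any(abs((date.fromisoformat(c) - ch).days) <= window_days for ch in changes)]


if __name__ == "__main__":
    for name, recs, certs in (("thedoccloud.com", THEDOCCLOUD, ["2020-02-06"]),
                              ("deftsecurity.com", DEFTSECURITY, ["2020-02-13"])):
        tl = timeline(recs)
        print(name)
        for day, label, ips in tl:
            print(f"  {day} {label:8} {', '.join(ips)}")
        print("  transitions:", [(str(d), a, b) for d, a, b in transitions(tl)])
        print("  hosting window starts:", latest_hosting_window(tl))
        print("  certs aligned with a hosting change:", certs_near(certs, tl))
```

For thedoccloud the hosting window opens on 2020-02-06, the same day as the Sectigo certificate, which is the alignment the notes above point at; for deftsecurity the 2020-02-13 Let's Encrypt certificate sits on a parking date, not a hosting change, so the script does not flag it. The parking set is only as good as the list on this page, so extend it from your own passive-DNS source before trusting a "hosting" label.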

Domain - virtualdataserver[.]com

HAS CERTS on crt.sh

2020-08-05 66.172.27.175
2020-08-04 66.172.11.120
2020-07-23 91.195.241.136
2020-06-30 198.54.115.106
2020-06-19 45.88.202.115
2019-10-13 52.58.78.16
2019-09-28 209.141.38.71
2019-09-28 107.161.23.204
2019-09-28 192.161.187.200
2019-06-01 91.195.240.126

Subdomains
www.virtualdataserver.com
    2020-08-04 66.172.11.120
    2020-06-30 198.54.115.106
    2020-06-19 45.88.202.115
    2019-10-13 52.58.78.16
    2019-06-12 192.161.187.200
    2019-06-12 173.44.37.208
    2019-06-12 107.161.23.204
    2019-06-12 188.164.131.200
    2019-06-12 45.58.190.82
    2019-06-12 198.251.84.92
    2019-06-12 204.188.203.154
    2019-06-12 64.32.22.101
    2019-06-12 209.141.38.71
    2019-06-12 198.251.81.30
    2019-06-12 107.191.99.119
    2019-06-12 70.39.125.243

Domain - incomeupdate[.]com - VT (associated with Cobalt Strike BEACON activity)

HAS CERTS on crt.sh

2020-10-04 198.54.117.200
2020-10-04 198.54.117.199
2020-10-04 198.54.117.198
2020-10-04 198.54.117.197
2019-11-30 5.252.177.25
2019-09-14 192.64.119.148
2019-07-25 50.87.144.180

Subdomains
www.incomeupdate.com	5.252.177.25

Looks like the interesting date range is 2016-10-04 -- 2020-11-14.

198.54.117.197-200 and 192.64.119.148 seem to be hosting many "parked" domains.
5.252.177.25 = MivoCloud SRL
50.87.144.180 = Blue Host

Certificate Transparency via crt.sh shows TLS cert created on 2020-04-14 valid until 2021-04-14

Domain - zupertech[.]com - VT (associated with Cobalt Strike BEACON activity)

HAS CERTS on crt.sh

2020-05-13 51.89.125.18
2019-11-30 192.161.187.200
2019-11-30 209.141.38.71
2019-11-30 107.161.23.204
2019-10-04 52.58.78.16
2016-08-21 167.114.213.199
2016-08-18 164.132.212.72

Domain - databasegalore[.]com - VT (associated with Cobalt Strike BEACON activity)

HAS CERTS on crt.sh

2020-03-12 5.252.177.21
2019-12-16 3.19.54.58

Subdomains
www.databasegalore.com
    5.252.177.21

Domain - panhardware[.]com - VT (associated with Cobalt Strike BEACON activity)

2020-04-10 204.188.205.176
2020-01-19 192.161.187.200
2020-01-19 107.161.23.204
2020-01-19 209.141.38.71
2019-10-22 172.110.0.2
2019-09-13 185.53.178.6
2019-05-20 208.91.197.87
2019-05-20 209.99.64.18
2019-03-17 91.195.240.89
2019-03-03 91.195.240.87
2018-10-02 216.239.36.21
2018-10-02 216.239.32.21
2018-10-02 216.239.38.21
2018-10-02 216.239.34.21

Subdomains
www.panhardware.com
    2020-04-10 204.188.205.176
    2019-10-22 172.110.0.2
    2018-04-21 74.125.124.121
    2018-02-11 108.177.112.121
    2015-09-03 173.194.196.121
webdisk.panhardware.com
    172.110.0.2

Based on domain hosting and IP changes, the interesting date range looks to be 2019-10-22 -- current.

172.110.0.2 = Subnet Labs LLC (Impact VPS is owned by Subnet labs)
204.188.205.176 = Sharktech (VPS Provider)

Certificate Transparency via crt.sh shows TLS cert created on:

  1. 2019-10-22 (cpanel)
  2. 2020-01-06 (cpanel)
  3. 2020-04-10 (Sectigo)

Domain - freescanonline[.]com

2020-02-11 54.193.127.66
2019-10-15 108.179.242.236
2014-09-20 192.232.218.126

Subdomains
mg4h399b.freescanonline.com
    54.193.127.66
www.freescanonline.com
    54.193.127.66
    108.179.242.236
webdisk.freescanonline.com
    108.179.242.236
webmail.freescanonline.com
    108.179.242.236
mail.freescanonline.com
    108.179.242.236
autodiscover.freescanonline.com
    108.179.242.236
cpanel.freescanonline.com
    108.179.242.236

Domain - (name missing from this copy)

2020-06-29 18.253.52.187
2020-02-04 34.203.203.23
2020-02-01 54.167.33.145
2019-09-28 192.161.187.200
2019-09-28 209.141.38.71
2019-09-28 107.161.23.204
2019-07-29 99.81.40.78
2019-07-24 45.63.114.134
2015-02-16 108.61.172.221

Domain - highdatabase[.]com

2019-12-27 139.99.115.204
2019-11-30 52.58.78.16
2019-03-22 91.195.240.126

Subdomains
wordpress.highdatabase.com
    139.99.115.204
www.highdatabase.com
    139.99.115.204
    52.58.78.16
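Turning the domain lists above into a detection means searching DNS query logs for the C2 domains and any subdomain of them, without the false positives a naive substring grep produces. The script below is an added example, not part of the gist or any vendor tooling. The domain set is copied from the headings above, the IP set is the subset of hosting (non-parking) addresses this page attributes to Azure and AWS, and the log lines and their space-separated `timestamp client qname answer` format are constructed for the demo.

```python
"""Hunt DNS query logs for the SUNBURST-related domains and hosting IPs listed
on this page.  Added example; the log format and sample lines are constructed."""
import ipaddress
import re

# Domains listed on this page (second-stage and Cobalt Strike BEACON infrastructure).
C2_DOMAINS = {
    "avsvmcloud.com", "digitalcollege.org", "deftsecurity.com", "thedoccloud.com",
    "virtualdataserver.com", "incomeupdate.com", "zupertech.com", "databasegalore.com",
    "panhardware.com", "freescanonline.com", "highdatabase.com",
}
# Hosting IPs the page attributes to Azure/AWS; NameSilo parking IPs are deliberately
# excluded because they are shared across thousands of unrelated parked domains.
C2_IPS = {
    "52.170.43.150", "52.171.141.69", "13.65.251.83", "52.171.135.15", "13.92.233.22",
    "13.90.103.231", "13.84.134.105", "54.164.147.101", "3.101.88.204",
    "13.57.184.217", "13.59.205.66", "54.215.192.52", "54.193.127.66",
}

# Constructed sample log: "timestamp client qname answer" (RFC 5737 ranges for benign traffic).
SAMPLE_LOG = """\
2020-12-13T10:15:02Z 10.1.2.3 a11-64.avsvmcloud.com. 54.164.147.101
2020-12-13T10:15:09Z 10.1.2.3 www.example.com. 203.0.113.10
2020-12-13T10:16:40Z 10.1.2.7 notavsvmcloud.com. 203.0.113.5
2020-12-13T10:17:11Z 10.1.2.9 update.deftsecurity.com. 13.59.205.66
2020-12-13T10:18:00Z 10.1.2.9 cdn.example.net. 52.170.43.150
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN forms compare equal."""
    return name.rstrip(".").lower()


def matches_domain(qname, domains=C2_DOMAINS):
    """Return the matching IOC domain if qname is that domain or a subdomain of it.
    The '.' prefix check is what stops notavsvmcloud.com from matching avsvmcloud.com."""
    q = normalize(qname)
    return next((d for d in domains if q == d or q.endswith("." + d)), None)


def hunt(log_text, domains=C2_DOMAINS, ips=C2_IPS):
    """Return [(timestamp, client, qname, reasons)] for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip, never let one bad record stop the hunt
        ts, client, qname, answer = m.groups()
        reasons = []
        dom = matches_domain(qname, domains)
        if dom:
            reasons.append(f"domain:{dom}")
        try:
            if str(ipaddress.ip_address(answer)) in ips:
                reasons.append(f"ip:{answer}")
        except ValueError:
            pass  # answer was not an address (CNAME, NXDOMAIN marker, etc.)
        if reasons:
            hits.append((ts, client, normalize(qname), reasons))
    return hits


if __name__ == "__main__":
    for ts, client, qname, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {client} {qname} <- {', '.join(reasons)}")
```

The answer-IP check matters for two cases the domain match misses: a query for a domain not on this list that resolves to one of the known Azure/AWS hosts, and a host whose DNS went through a resolver you do not log but whose proxy or firewall logs still carry the destination address. Feed real logs through `hunt` after adapting `LINE` to the actual format.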

Screenshots from the Volexity writeup (images not reproduced here)
