Indicators of compromise (IoC)

by Admin | 27th February 2019

| INDICATOR_VALUE | TYPE | ROLE | ATTACK_PHASE | OBSERV_DATE | DESCRIPTION |
|---|---|---|---|---|---|
| hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc | URL | URL WATCHLIST | DELIVERY | 2018-11-27 | According to open-source analysis, the URL is a spear phishing link that leads to a file containing a malicious macro; the file is designed to look like a legitimate file available on the Suncor Energy website. At the time of analysis, the URL led to file "stat.php" [MD5: ca783981d8cff646eececb652f636a3b]. File is clean according to antivirus engines. |
| hxxp://hr-wipro[.]com/Wipro_Working_Conditions[.]doc | URL | URL WATCHLIST | DELIVERY | 2019-01-10 | According to open-source analysis, the URL is a spear phishing link that leads to a malicious file. At the time of analysis, research into the URL did not result in any file information. |
| hr-wipro[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2018-11-27 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP "185.161.211.79", which is geolocated in the Netherlands. |
| hr-suncor[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2018-11-27 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP "185.161.211.79", which is geolocated in the Netherlands. |
| 0ffice36o[.]com | FQDN | DOMAIN WATCHLIST | C2 | 2018-11-27 | According to open-source analysis, this is a C2 server domain for a remote administration tool (RAT) malware and communicates with the malware over HTTP and DNS. At the time of analysis, the domain resolved to IP "185.20.187.8", which is geolocated in the Netherlands. |
| cloudipnameserver[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2019-01-11 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP "209.99.40.222", which is geolocated in the USA. |
| cloudnamedns[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2019-01-11 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP "209.99.40.223", which is geolocated in the USA. |
| lcjcomputing[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2019-01-11 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP "198.54.117.210", which is geolocated in the USA. |
| mmfasi[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2019-01-11 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP "192.64.147.142", which is geolocated in the USA. |
| Interaland[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 2019-01-11 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP "52.58.78.16", which is geolocated in Germany. |
| 128[.]199[.]50[.]175 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 139[.]162[.]144[.]139 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 139[.]59[.]134[.]216 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 142[.]54[.]179[.]69 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
| 146[.]185[.]143[.]158 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 178[.]62[.]218[.]244 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 185[.]15[.]247[.]140 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 185[.]161[.]209[.]147 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 185[.]161[.]211[.]72 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-11-27 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
| 185[.]161[.]211[.]79 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-14 | According to open-source analysis, this IP, at some point, resolved to domains "hr-suncor.com" and "hr-wipro.com". Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the Netherlands and, at the time of analysis, resolved to domain "files-sender.com". |
| 185[.]174[.]101[.]168 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-14 | According to open-source analysis, this IP, at some point, resolved to domains "hr-suncor.com" and "hr-wipro.com". Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the USA. |
| 185[.]20[.]184[.]138 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-11-27 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
| 185[.]20[.]187[.]8 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. At the time of analysis, the IP resolved to domain "0ffice36o.com". The IP is geolocated in the Netherlands. |
| 185[.]236[.]78[.]63 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-14 | According to open-source analysis, this IP was used for establishing a remote desktop protocol (RDP) session over an SSH tunnel. The IP is geolocated in the Netherlands. |
| 188[.]166[.]119[.]57 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-10-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 199[.]247[.]3[.]191 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 206[.]221[.]184[.]133 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-11-20 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
| 37[.]139[.]11[.]155 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-11-02 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. At the time of analysis, the IP resolved to newly registered domain "anexamination.info" (1/2/2019). |
| 89[.]163[.]206[.]26 | IPV4ADDR | IP_WATCHLIST | C2 | 2019-01-10 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 82[.]196[.]11[.]127 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-12-01 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 82[.]196[.]8[.]43 | IPV4ADDR | IP_WATCHLIST | C2 | 2018-10-01 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 9c8507a1fd7d2579777723b53fee1f3e | MD5 | FILE HASH WATCHLIST | INSTALLATION | 2018-11-27 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
| 807482efce3397ece64a1ded3d436139 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 2018-11-27 | According to open-source analysis, this file contains malicious macros that lead to the delivery of remote administration tool (RAT) malware. |
| C00C9F6EBF2979292D524ACFF19DD306 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 2018-11-27 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
| D2052CB9016DAB6592C532D5EA47CB7E | MD5 | FILE HASH WATCHLIST | INSTALLATION | 2018-11-27 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
