crimson_palace_post-08-2023.csv
| Indicator | Data | Notes |
|---|---|---|
| sha256 | 58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d | C:\ProgramData\mios.exe (Malicious File) used in conjunction with cmdline containing '172.19.120.60 65211' and '178.128.221.202 443' |
| sha256 | 776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f | C:\Windows\Help\Help\mscorsvc.dll (Malicious DLL) |
| sha256 | 430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b | C:\ProgramData\mscorsvc.dll (Malicious DLL) |
| sha256 | a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477 | C:\Windows\Temp\ntpsapi.dll (EDR unhooking, benign version of ntdll.dll) |
| sha256 | cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272 | C:\windows\syswow64\WWindows.Data.Devices.Config.dll (SharpHound/BloodHound) |
| sha256 | e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee | locale.nlp (ATK/DonutLdr-A) |
| sha256 | fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395 | C:\Windows\debug\net.LOG (Havoc) |
| sha256 | 52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202 | swprv.dll (Malicious DLL sideloaded by swprv service) |
| sha256 | e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7 | iscsiexe.dll (MSiSCSI payload) |
| sha256 | 6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b | version.dll (Malicious DLL sideloaded by swi_update.exe) |
| file_path_name | c:\windows\help\help\tmdbglog.dll | Malicious DLL sideloaded by PTWatchDog.exe |
| sha256 | 3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53 | DecrptDumper.exe (Malicious File, no execution data) |
| sha256 | da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da | c:\windows\help\prow.xml (Havoc) |
| sha256 | 8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7 | ~docpdf.tmp (Havoc) |
| sha256 | 75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50 | C:/PerfLogs/libcef.dll (Havoc) |
| sha256 | 609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9 | <REDACTED>DOC20231100001603KMAP.pdf (webshell) |
| sha256 | e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7 | C:/Windows/System32/wbem/ncobjapi.dll |
| sha256 | 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655 | <REDACTED>DOC20231200001924KMAP.aspx |
| sha256 | bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d | 111 (Shellcode loader) |
| sha256 | 4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0 | C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc) |
| sha256 | 4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae | C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc) |
| sha256 | 101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86 | <REDACTED>DOC20231200001922KMAP.asp (webshell) |
| sha256 | 9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88 | <REDACTED>DOC20231200002062KMAP.php (webshell) |
| sha256 | 1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9 | log.ini (Havoc) |
| sha256 | 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655 | <REDACTED>DOC20231200001919KMAP.aspx (Webshell) |
| sha256 | 101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86 | <REDACTED>DOC20231200001923KMAP.asp (Webshell) |
| sha256 | 5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655 | <REDACTED>DOC20231200001924KMAP.pdf (Webshell) |
| sha256 | 5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b | 1.exe (Invoke WMI) |
| sha256 | 299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f | msedge_elf.dll (Shellcode Loader, Havoc) |
| sha256 | c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704 | chrome.exe (Shellcode Loader, Havoc) |
| sha256 | 8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff | msedge_elf.dll (Shellcode Loader, Havoc) |
| sha256 | 71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81 | C:/ProgramData/conhost.exe (Alcatraz Git Project EDR Evasion) |
| sha256 | d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38 | C:\Windows\Vss\Writers\Application\libcef.dll |
| sha256 | 2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504 | C:\Windows\Vss\Writers\libcef.dll |
| file_path_name | C:\Windows\Vss\Writers\log.bin | |
| sha256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c | C:\PerfLogs\vcruntime140.dll |
| sha256 | c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce | C:\PerfLogs\jli.dll |
| file_path_name | C:\Windows\Temp\temp.log | (Shellcode loader) |
| sha256 | b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f | C:\PerfLogs\pt.exe (unsigned executable with certificate stating that it is MS Edge) |
| sha256 | f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957 | C:\Users\Public\r2.exe (Unknown threat file) |
| sha256 | c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704 | C:\Users\Public\chrome.exe (Shellcode loader, WIN-PROT-VDL-MALWARE-ATK-SCLOAD-Q) |
| sha256 | fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f | C:\PerfLogs\msedge_elf.dll |
| ip | 178.128.221.202 | mios.exe C2 |
| domain | gsenergyspeedtest.com | Cobalt Strike C2 |
| ip | 192.142.18.15 | Interacted with webshell (VPN subnet) |
| ip | 192.142.18.27 | Interacted with webshell (VPN subnet) |
| ip | 192.142.18.25 | Dropped webshell (VPN subnet) |
| domain | hpupdate.net | Havoc C2 |
| url | https://www.hpupdate.net/us-en/drivers/printers | Havoc C2 URI |
| ip | 45.15.143.151 | Havoc C2 |
| ip | 198.244.237.13 | Havoc C2 payload host |
| ip | 123.253.35.100 | swprv.dll C2 |
| domain | cancelle.net | swprv.dll C2 |
| domain | dmsz.org | swprv.dll C2 |
| domain | gandeste.net | swprv.dll C2 |
| ip | 103.56.5.224 | swprv.dll C2 |
| ip | 49.157.28.114 | swprv.dll C2 |
| ip | 103.56.5.224 | swprv.dll C2 |
| ip | 141.136.44.219 | Havoc C2 |
| ip | 145.14.158.235 | Havoc C2 |
| ip | 107.148.41.114 | Havoc C2 |
| ip | 66.42.56.233 | Havoc C2 / XiebroC2 |
| domain | test1.zhangliyong.cn | Havoc C2 / XiebroC2 |
| ip | 191.96.53.132 | Havoc C2 / XiebroC2 |
| ip | 45.9.191.183 | Havoc C2 / XiebroC2 |
| ip | 64.176.50.42 | Havoc C2 / XiebroC2 |
| ip | 191.96.53.132 | Havoc C2 |
| ip | 45.77.46.245 | Havoc C2 |
| ip | 64.176.37.107 | Havoc C2 |