
Indicators of Compromise — 4 September 2018

by frtg

Indicators of compromise related to banking malware infections (Emotet and TrickBot) deployed during malware campaigns targeting Italian infrastructure.

The compromises are associated with activity conducted during August–September 2018.

Campaigns of this type consistently target end-user systems and IT infrastructure. In some periods, up to 4 distinct malware campaigns using the same malware families have been observed within a single 30-day window.

Emotet/TrickBot Malware (SHA256 HASH):

(2nd Stage)
02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290
"C:\Users\admin\AppData\Local\Microsoft\Windows\searchatsd.exe"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" (Key: searchatsd)

The second-stage payload persists through a registry Run key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and establishes command-and-control communication with multiple IP addresses on non-standard ports. Tracking these indicators through Cyber Threat Intelligence feeds enables rapid detection and containment of infected endpoints. The multi-stage deployment pattern (an initial dropper followed by installation of a persistent backdoor) reflects the operational security practices common to banking trojan distribution networks during this period. Organizations that maintain updated IOC repositories and network-based detection rules can significantly reduce dwell time and the lateral-movement risk associated with Emotet and TrickBot infections.
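As an added example (not part of the original post or its author's tooling), the Python below ingests a feed written in the defanged style used above, strips the HTML residue such feeds pick up when pasted, tags each indicator with its stage label, and checks a connection destination against the C2 entries; the feed values are constructed placeholders, not this post's indicators.

```python
import re

# Constructed sample feed (not values from any real campaign) in the defanged
# style of IOC posts: "[.]" stands for "." and paste residue ("<span>", "&gt;") can appear.
SAMPLE_FEED = """\
(1st Stage)
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
http://example<span>[.]com/dropper&gt;
(Command & Control)
192[.]0[.]2[.]10:7080
198[.]51[.]100[.]7
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")

def refang(line):
    """Drop HTML residue and reverse the defanging so values can be matched."""
    line = re.sub(r"<[^>]*>", "", line)  # stray <span> tags
    line = line.replace("&gt;", "").replace("&amp;", "&").replace("[.]", ".")
    return line.strip().strip('"\u201c\u201d')

def parse_feed(text):
    """Turn a defanged feed into typed indicators, carrying the stage label along."""
    stage, iocs = None, []
    for raw in text.splitlines():
        value = refang(raw)
        if not value:
            continue
        if value.startswith("(") and value.endswith(")"):  # "(Command & Control)"
            stage = value[1:-1]
            continue
        ioc = {"stage": stage, "value": value, "port": None}
        if SHA256_RE.match(value.lower()):
            ioc.update(type="sha256", value=value.lower())
        elif IP_PORT_RE.match(value):
            ip, port = IP_PORT_RE.match(value).groups()
            ioc.update(type="ip", value=ip, port=int(port) if port else None)
        elif value.lower().startswith(("http://", "https://")):
            ioc["type"] = "url"
        else:
            ioc["type"] = "other"  # file paths, registry keys, ...
        iocs.append(ioc)
    return iocs

def matches_c2(iocs, dst_ip, dst_port):
    """True when a destination hits a C2 indicator; the port must agree if the feed gives one."""
    return any(i["type"] == "ip" and i["value"] == dst_ip
               and (i["port"] is None or i["port"] == dst_port) for i in iocs)
```

Feeding firewall or proxy destination logs through matches_c2 is enough to surface the beaconing described above; hash and URL entries can be matched the same way against mail-gateway or endpoint telemetry.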
