{"id":120,"date":"2018-09-04T18:22:31","date_gmt":"2018-09-04T16:22:31","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=120"},"modified":"2026-06-08T23:18:14","modified_gmt":"2026-06-08T23:18:14","slug":"indicators-of-compromise-september-2018","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/indicators-of-compromise-september-2018\/","title":{"rendered":"Indicators of Compromise \u2014 4 September 2018"},"content":{"rendered":"<p style=\"text-align: justify\">Indicators of compromise related to banking malware infections (<strong>Emotet and TrickBot<\/strong>) deployed during malware campaigns targeting Italian infrastructure.<\/p>\n<p style=\"text-align: justify\">The compromises are associated with activity conducted during August\u2013September 2018.<\/p>\n<p style=\"text-align: justify\">Campaigns of this type consistently target systems and IT infrastructure. In certain periods, up to 4 distinct malware campaigns employing the same malware have been observed within a 30-day window.<\/p>\n<p style=\"text-align: justify\" class=\"\"><strong>Emotet\/TrickBot Malware (SHA256 HASH):<\/strong><\/p>\n<p style=\"text-align: justify\">The second-stage payload demonstrates persistence mechanisms via registry modification (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) and establishes command-and-control communication through 
multiple IP addresses on non-standard ports. Tracking of these indicators through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> feeds enables rapid detection and containment of infected endpoints. The multi-stage deployment pattern\u2014initial dropper followed by persistent backdoor installation\u2014reflects the operational security practices common to banking trojan distribution networks during this period. Organizations maintaining updated IOC repositories and network-based detection rules can significantly reduce dwell time and lateral movement risk associated with Emotet and TrickBot infections.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Indicators of Compromise from August-September 2018 banking-malware campaigns (Emotet, TrickBot) targeting Italian infrastructures.<\/p>\n","protected":false},"author":1,"featured_media":126,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[125,185,3358,3360,3359,337,361,1609],"class_list":["post-120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-emotet","tag-ioc","tag-ioc-bulletin","tag-italian-banking-targeting","tag-september-2018","tag-statistics","tag-trickbot","tag-trickbot-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":9928,"h
ref":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions\/9928"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}