initial commit

Author: ThreatLabz

README.md

@@ -0,0 +1,2 @@
+# Zscaler ThreatLabz IOCs
+This repository is for Indicators of Compromise (IOCs) from Zscaler ThreatLabz public reports

ares/hashes.txt

@@ -0,0 +1,8 @@
+7498e37c332d55c14247ae4b675e726336a8683900d8fd1da412905567d2de4a
+e5d624b7060c0e885abe11a0973a43a355c9930fc6912ff5eac83d1a9eec9c29
+035793d479c4229693fc6dcceaa639cd51ae89334b43e552b9c47a6dea68ce30
+94b084ea925990742f4eaaada1eef9a42c13066bf4f4c7a3b12a1509e32ff9e6
+09897c6ef88b9e9bc20917a2b47ec86ff2b727a2923678f5e2df6bb6437d3312
+956ae36f40d0d847daa00d7964906e7e9d1671d0f3f2e7d257d5a8d324388c31
+6c5dac9043b2f112543f3eca6503d4bcc70d762b47d75dcb85f9767c603de56f
+b3348405cd0fa66661b46bc6cbab97b55708be26a2ed7a745e1632b46d1b3f41

blackbyte/hashes.txt

@@ -0,0 +1,7 @@
+1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
+388163c9ec1458c779849db891e17efb16a941ca598c4c3ac3a50a77086beb69
+44a5e78fce5455579123af23665262b10165ac710a9f7538b764af76d7771550
+6f36a4a1364cfb063a0463d9e1287248700ccf1e0d8e280e034b02cf3db3c442
+ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa
+9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe
+e434ec347a8ea1f0712561bccf0153468a943e16d2cd792fbc72720bd0a8002e

conti/hashes.txt

@@ -0,0 +1,5 @@
+fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847
+16cc7519945bace49ef729e69db7d19e00252f2bd559903e1631c8878c2360f4
+e6818bf8c6d20501485fc0cc644d33fcea4bd9a3b45c5d61e98317bda5c080c4
+182f94d26de58b8b02ddf7223f95d153b5e907fa103c34ed76cae2c816f865f0
+e950c625a94ce9e609778fcc86325530774e45572ff58ebc6549e2627941b5cc

doppelpaymer/hashes.txt

@@ -0,0 +1,5 @@
+b5c188e82a1dad02f71fcb40783cd8b910ba886acee12f7f74c73ed310709cd2
+91e310cf795dabd8c51d1061ac78662c5bf4cfd277c732385a82f181e8c29556
+dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec
+0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0
+b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8

dreambus/hashes.txt

@@ -0,0 +1,11 @@
+e78fc101133d1803cd462b68058c5c238f56b1fe9416e5997cfe7d44947092a2
+2556c8cedd6f0ff7d16be9093bbfd0e86ede3e47fab13dfeb8d3964f10b18ea4
+0e726a4fff8efeff3fdd127bed6ed28d5f51ff2c4f1e40a267984f7edae8e7d3
+636accbee3f2163945886fa8f68c74449eb3d54769a1747728197e7804339b91
+f0ded99a521dc8be2b331fe7cdfff56d428ba3a4882d25eac9b7f7b9cefeea3d
+33b0b3649faa07f9b62727f24a09ee5edc6b0ffc00e1a57633166abf7783fc7b
+aa38ca6252eee5c7a2cb51a7a2fe8b2660145ca5717f462ca83248bec5929608
+378253939be1eded3fc70c70d8d8471b90e4a8da917bc2ed412175e906555673
+71efa6b7dafc8c6af2aa5579f0358161308c56a3a6c3b947f53410415675e261
+8f82943f33ab4dd5979b7654d0402e256334c96d962d13de1bddebb9bc54f994
+030c5dec24dc8fafff71dc4f0b68ef80b23bd1a276cd76c9530e26ac1e273412

emotet/c2_ips.txt

@@ -0,0 +1,20 @@
+81.0.236[.]93:443
+94.177.248[.]64:443
+66.42.55[.]5:7080
+103.8.26[.]103:8080
+185.184.25[.]237:8080
+45.76.176[.]10:8080
+188.93.125[.]116:8080
+103.8.26[.]102:8080
+178.79.147[.]66:8080
+58.227.42[.]236:80
+45.118.135[.]203:7080
+103.75.201[.]2:443
+195.154.133[.]20:443
+45.142.114[.]231:8080
+212.237.5[.]209:443
+207.38.84[.]195:8080
+104.251.214[.]46:8080
+138.185.72[.]26:8080
+51.68.175[.]8:8080
+210.57.217[.]132:8080

emotet/cobaltstrike_beacon.json

@@ -0,0 +1,64 @@
+{
+    "BeaconType": [
+        "HTTPS"
+    ],
+    "Port": 443,
+    "SleepTime": 5000,
+    "MaxGetSize": 1403644,
+    "Jitter": 10,
+    "MaxDNS": "Not Found",
+"PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbcI0B4jpE0I6Ioj0qYRjoDYlN52X78HX2BZ1bBLV60oOeXcvOGi7Rxcz/n0luXq
+mSpsw9M4x0dnUWFYPL2HUxzufEfchGPyxEnH6ASasVbS0OWqIkUsuri/5vJUvisrcKT9Ebodon8Z2AUqOaZZ8s37VUxJhSm4IxsLJ6WRgFkwIDAQABAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+==",
+    "C2Server": "lartmana\.com,/jquery-3.3.1.min.js",
+    "UserAgent": "Not Found",
+    "HttpPostUri": "/jquery-3.3.2.min.js",
+    "HttpGet_Metadata": "Not Found",
+    "HttpPost_Metadata": "Not Found",
+    "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
+    "PipeName": "Not Found",
+    "DNS_Idle": "Not Found",
+    "DNS_Sleep": "Not Found",
+    "SSH_Host": "Not Found",
+    "SSH_Port": "Not Found",
+    "SSH_Username": "Not Found",
+    "SSH_Password_Plaintext": "Not Found",
+    "SSH_Password_Pubkey": "Not Found",
+    "HttpGet_Verb": "GET",
+    "HttpPost_Verb": "POST",
+    "HttpPostChunk": 0,
+    "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
+    "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
+    "CryptoScheme": 0,
+    "Proxy_Config": "Not Found",
+    "Proxy_User": "Not Found",
+    "Proxy_Password": "Not Found",
+    "Proxy_Behavior": "Use IE settings",
+    "Watermark": 0,
+    "bStageCleanup": "True",
+    "bCFGCaution": "False",
+    "KillDate": 0,
+    "bProcInject_StartRWX": "False",
+    "bProcInject_UseRWX": "False",
+    "bProcInject_MinAllocSize": 17500,
+    "ProcInject_PrependAppend_x86": [
+        "kJA=",
+        "Empty"
+    ],
+    "ProcInject_PrependAppend_x64": [
+        "kJA=",
+        "Empty"
+    ],
+    "ProcInject_Execute": [
+        "ntdll:RtlUserThreadStart",
+        "CreateThread",
+        "NtQueueApcThread-s",
+        "CreateRemoteThread",
+        "RtlCreateUserThread"
+    ],
+    "ProcInject_AllocationMethod": "NtMapViewOfSection",
+    "bUsesCookies": "True",
+    "HostHeader": "",
+    "version": 4
+}

emotet/hashes.txt

@@ -0,0 +1,12 @@
+c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01
+8f683e032dd715da7fb470b0fb7976db35548139d91f4a1a3ad5d64f1ce8daad
+3c755a3a4bc5a4d229b98563262227d64ac18f5ff97d3b1f8fa37cfd30148142
+6f998e7f3aea5f5100e352135b089e585a7f95257d59a6c7b79a2fe3ae1445f4
+bc0c8796411e71eb962909b0db3b281a2eb68facd402cc88768867cdd1848431
+0ea7d56ea6cc2d838964dda792e148d872ebaab769a0d29abaf29009d6766ce7
+fe5c53781c3ea6def61f69f78ec92eb7a711f898190443bb67ff266494bf2a35
+8ea4c69f707693b58cac94842f88e63f49b893adf95cf5a9ba0adbe61ee0a0a9
+e730fb1b7466975558b9e22732c84c88ef6c447261f94bbb8b6d4cbc17fc95fd
+461648507a0ea26c886f1aeab55206a63457f1842106cb48533eb991cdf7d2d6
+40148daea1d5e04b0a756b827bd83a1e0f3c0bad3cd77361c52b96019eb7d1cc
+5b5fa30bf12f13f881708222824517d662f410b212a0f7f7ce5c611fd809f809

industrialspy/hashes.txt

@@ -0,0 +1,7 @@
+8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a
+dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0
+5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab
+62051ec55c990d2ff21f36a90115986e4ac0eada18306f39687e209f49f2c6ec
+911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010
+85ea71c910ebb00ba8cae266bf18400a15b08bd341e37e12083ab9a79ff6c943
+c96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e