add grandoreiro c2s and hashes

Author: ThreatLabz

grandoreiro/c2s.txt

@@ -0,0 +1,42 @@
+Embedded Domains: (Same used for Check-In Request)
+
+http[:]//barusgorlerat[.]me
+http[:]//damacenapirescontab[.]com
+http[:]//assesorattlas[.]me
+http[:]//perfomacepnneu[.]me
+
+Grandoreiro Loader URLs:
+
+35[.]181[.]59[.]254/info99908hhzzb.zip
+35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012
+35[.]181[.]59[.]254/$FISCALIGE54327065410839012?id_JIBBRS=DR-307494
+52[.]67[.]27[.]173/deposito(1110061313).zip
+54[.]232[.]38[.]61/notificacion(flfit48202).zip
+54[.]232[.]38[.]61/notificacion(egmux24178).zip
+
+
+Final Grandoreiro Payload URLs with Check-In URL:
+
+15[.]188[.]63[.]127/$TIME
+167[.]114[.]137[.]244/$TIME
+15[.]188[.]63[.]127:36992/zxeTYhO.xml
+15[.]188[.]63[.]127:36992/vvOGniGH.xml
+15[.]188[.]63[.]127[:]36992/eszOscat.xml
+15[.]188[.]63[.]127:36992/YSRYIRIb.xml
+167[.]114[.]137[.]244:48514/eyGbtR.xml
+barusgorlerat[.]me/MX/
+assesorattlas[.]me/MX/
+assesorattlas[.]me/AR/
+atlasassessorcontabilidade[.]com/BRAZIL/
+vamosparaonde[.]com/segundona/
+mantersaols[.]com/MEX/MX/
+premiercombate[.]eastus.cloudapp.azure.com/PUMA/
+
+Grandoreiro CnC:
+
+Pcbbcrjcgbcghjpbcgkccbjorkhhjcjj[.]fantasyleague[.]cc -> fantasyleague[.]cc
+jmllmedvhgmhldjgmhvmmlljhvgdzvzz[.]dynns[.]com
+ciscofreak[.]com
+chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org -> cable-modem.org
+odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com -> blogsyte.com
+ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org -> collegefan.org

grandoreiro/hashes.txt

@@ -0,0 +1,14 @@
+Grandoreiro Loader:
+970f00d7383e44538cac7f6d38c23530
+724f26179624dbb9918609476ec0fce4
+2ec2d539acfe23107a19d731a330f61c
+6433f9af678fcd387983d7afafae2af2
+56416fa0e5137d71af7524cf4e7f878d
+7ea19ad38940ddb3e47c50e622de2aae
+
+Grandoreiro Final Payload:
+
+e02c77ecaf1ec058d23d2a9805931bf8
+6ab9b317178e4b2b20710de96e8b36a0
+5b7cbc023390547cd4e38a6ecff5d735
+531ac581ae74c0d2d59c22252aaac499