Pulse name: Cmstar Downloader: Lurid and Enfal's New Cousin
TLP: WHITE | Author: AlienVault | Created: 2015-05-18 | Modified: 2017-07-24
In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader deployed in cyber espionage campaigns. This specific downloader, Cmstar, is associated with the Lurid downloader, also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.
Indicators of Compromise (85)
TYPE INDICATOR CREATED
FileHash-SHA256 e39b0e777ef0135c1f737b67988df70c2e6303c3d2b01d3cdea3efc1d03d9ad9 2015-05-18
FileHash-SHA256 42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d 2015-05-18
FileHash-SHA256 c26c67eac20614038aaadfda19b604862926433333893d65332928b5e36796aa 2015-05-18
FileHash-SHA256 b65dd4da9f83c11fcb5beaec43fabd0df0f7cb61de94d874f969ca926e085515 2015-05-18
FileHash-SHA256 b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593 2015-05-18
FileHash-SHA256 1cf44815f9eb735e095f68c929d5549e0ebc44af9988cccaf1852baeb96bb386 2015-05-18
FileHash-SHA256 df34aa9c8021f1f0bdf33249908efc4a9628941453ad79b281b3a46bf9a7f37f 2015-05-18
FileHash-SHA256 a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f 2015-05-18
FileHash-SHA256 e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5 2015-05-18
FileHash-SHA256 ab934c6177be0fdc3b6dfbf21f60ce7837a30e6599dcfb111b43008c75ceb91f 2015-05-18
FileHash-SHA256 f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da 2015-05-18
FileHash-SHA256 5b338decffe665a2141d1079c32b2d612057d1fdbfddf198cc28003dae7f0516 2015-05-18
FileHash-SHA256 4883286b8229a2c43db17eb1e1c5bd79d1933e840cdfedff80d5b99a84c9e39f 2015-05-18
FileHash-SHA256 0a10d7bb317dceccd05d18408fd6b8b12c784910e5f7e035ee22c2c5d7e4cbf5 2015-05-18
FileHash-SHA256 7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e 2015-05-18
FileHash-SHA256 d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23 2015-05-18
FileHash-SHA256 87bcc6d18c6a81d92d826b232703dee84b522bd1d0cae56f74bcf58fdca0930e 2015-05-18
FileHash-SHA256 7dc78caf515d1d3d2b84be7c023ccbd0b4fd670a42babcbcbd5a5ba65bbdd166 2015-05-18
FileHash-SHA256 adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc 2015-05-18
FileHash-SHA256 88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001 2015-05-18
FileHash-SHA256 6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7 2015-05-18
FileHash-SHA256 c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c 2015-05-18
FileHash-SHA256 a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e 2015-05-18
FileHash-SHA256 239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f 2015-05-18
FileHash-SHA256 9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c 2015-05-18
FileHash-SHA256 a37f337d0bc3cebede2039b0a3bd5afd0624e181d2dcc9614d2f7d816b5a7a6b 2015-05-18
FileHash-SHA256 45027d11ab783993c413f97e8e29759d04b04564f8916f005f5c632f291697bb 2015-05-18
FileHash-SHA256 671dfc4d47a43cf0bd9205a0f654dcd5050175aef54b69388b0c5f4610896c6a 2015-05-18
FileHash-SHA256 2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02 2015-05-18
FileHash-SHA256 a0aeb172a72442d2c2c02e1d32b48accb9975c4da7742df24d9350a8ccd401f2 2015-05-18
FileHash-SHA256 13c1d7eb2fd64591e224dec9534d8252f4b91e425e8f047b36605138d15cbf2d 2015-05-18
domain biortherm.com 2015-05-18
domain suttgte.com 2015-05-18
domain brabbq.com 2015-05-18
domain kruptcy.com 2015-05-18
domain cowforhelp.com 2015-05-18
domain flash-vip.com 2015-05-18
domain marubir.com 2015-05-18
domain regebky.com 2015-05-18
domain shiesiido.com 2015-05-18
domain diskfunc.com 2015-05-18
domain basiccompare.com 2015-05-18
URL http://happy.launchtrue.com:8080/cgl-bin/update.cgi 2015-05-18
hostname help.ubxpi0s.com 2015-05-18
hostname happy.launchtrue.com 2015-05-18
hostname question.eboregi.com 2015-05-18
hostname help.redhag.com 2015-05-18
hostname stone.timmf.com 2015-05-18
hostname new.hoticq.com 2015-05-18
hostname links.dogsforhelp.com 2015-05-18
hostname bakler.featurvoice.com 2015-05-18
hostname xphome.mailru-vip.com 2015-05-18
hostname sarey.phdreport.com 2015-05-18
hostname three.earewq.com 2015-05-18
hostname mssage.hotoicq.com 2015-05-18
hostname here.pechooin.com 2015-05-18
hostname error.yandex-pro.com 2015-05-18
hostname turber.xoxcobbs.com 2015-05-18
hostname dns.thinkttun.com 2015-05-18
FileHash-MD5 9da10a36daf845367e0fc2f3e7e54336 2015-05-18
FileHash-MD5 94499ff857451ab7ef8823bf067189e7 2015-05-18
FileHash-MD5 46bf922d9ae07a9bc3667a374605bdbb 2015-05-18
FileHash-MD5 c5ae7bd6aec1e01aa53edcf41962ac04 2015-05-18
FileHash-MD5 3fff0bf6847d0d056636caef9c3056c3 2015-05-18
FileHash-MD5 e0417547ba54b58bb2c8f795bca0345c 2015-05-18
FileHash-MD5 783a423f5e285269126d0d98f53c795b 2015-05-18
FileHash-MD5 510b3272342765743a202373261c08da 2015-05-18
FileHash-MD5 f7d47e1de4f5f4ad530bca0fc080ea53 2015-05-18
FileHash-MD5 d05f012c9c1a7fb669a07070be821072 2015-05-18
FileHash-MD5 76ffb9c2d8d0ae46e8ea792ffacc8018 2015-05-18
FileHash-MD5 3d41e3c902502c8b0ea30f5947307d56 2015-05-18
FileHash-MD5 5aeb8a5aa8f6e2408016cbd13b3dfaf0 2015-05-18
FileHash-MD5 6fdeadacfe1dafd2293ce5c4e178b668 2015-05-18
FileHash-MD5 30a6c3c7723fe14c4b6960fa3e4e57ba 2015-05-18
CVE CVE-2012-0158 2015-05-18
email wangminghua6@gmail.com 2015-05-18
Mutex {53A4988C-F91F-4054-9076-220AC5EC03F3} 2015-05-18
YARA d132d5e5bdbd551ae660033e5b28c182b46930ce 2017-07-24
YARA 2c4fa3992f8843108d75535822b79cad14375cce 2017-07-24
YARA e45ed109e5c0d14ef4d874e8f473b259115f7a38 2017-07-24
YARA c9b5b484c3a839f51d5824e3327ac9fe034a2a02 2017-07-24
FileHash-SHA1 6c7c8b804cc76e2c208c6e3b6453cb134d01fa41 2017-07-24
FileHash-SHA1 6d484daba3927fc0744b1bbd7981a56ebef95790 2017-07-24
FileHash-SHA1 9639ec9aca4011b2724d8e7ddd13db19913e3e16 2017-07-24
FileHash-SHA1 d4071272cc1bf944e3867db299b3f5dce126f82b 2017-07-24