Pulse Detail — Threat Intelligence

PULSE NAME

The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure

WHITE AlienVault 2017-08-15 Modified: 2017-08-15

IOCs

HIGH VOLUME

Recently, I’ve been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear. This posting is a follow-up of my previous work on this subject in “Pulling Back the Curtains on EncodedCommand PowerShell Attacks”.

Chthonic

Indicators of Compromise (24 / 83 total)

All domain FileHash-SHA256 URL

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://CERT.PL	—	2017-08-15
URL	http://ditetec.com/ts.exe	—	2017-08-15
URL	http://ditetec.com/u2.exe	—	2017-08-15
URL	http://domass.com.ua/index.gif	—	2017-08-15
URL	http://firop.com/ego.exe	—	2017-08-15
URL	http://unoset.com/jpx.exe	—	2017-08-15
URL	http://unoset.com/sxr.exe	—	2017-08-15
URL	https://doci.download/inc.exe	—	2017-08-15
URL	https://farhenzel.co/gls.exe	—	2017-08-15
URL	https://farhenzel.co/gls.exe&amp#39;+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe	—	2017-08-15
URL	https://farsonka.co/trb.exe	—	2017-08-15
URL	https://formsonat.co/mrb.exe	—	2017-08-15
URL	https://fortuma.co/scu.exe	—	2017-08-15
URL	https://iilliiill.bid/6ven.exe	—	2017-08-15
URL	https://iilliiill.bid/ven.exe	—	2017-08-15
URL	https://iilliiill.bid/ven.tvv	—	2017-08-15
URL	https://lom.party/mov.exe	—	2017-08-15
URL	https://naiillad.date/ex3.exe	—	2017-08-15
URL	https://naiillad.date/u3.exe	—	2017-08-15
URL	https://naiillad.date/u3.exe&amp#39;+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe	—	2017-08-15
URL	https://naiillad.date/vmer.exe	—	2017-08-15
URL	https://naiillad.date/vsync.exe	—	2017-08-15
URL	https://prof.cricket/wp.exe	—	2017-08-15
URL	https://tvavi.win/pago.exe	—	2017-08-15

References (1)

↗ https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/