Pulse Detail — Threat Intelligence

PULSE NAME

More xHunt – New PowerShell Backdoor Blocked Through DNS Tunnel Detection

WHITE AlienVault 2019-10-11 Modified: 2019-10-11

IOCs

HIGH VOLUME

↓ CSV ↓ JSON

MITRE ATT&CK & Malware Families

MALWARE FAMILIES

CASHY200

Indicators of Compromise (56)

All URL hostname domain FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://%7Brandom%7D.firewallsupports.com/	—	2019-10-11
URL	http://cui0d716336363935.firewallsupports.com/	—	2019-10-11
URL	http://firewallsupports.com/	—	2019-10-11
URL	http://ns1.firewallsupports.com/	—	2019-10-11
URL	http://ns2.firewallsupports.com/	—	2019-10-11
URL	http://qerqk646336363935.firewallsupports.com/	—	2019-10-11
URL	http://www.firewallsupports.com/	—	2019-10-11
URL	http://windows64x.com/	—	2019-10-11
URL	http://ns1.windows-updates.com/	—	2019-10-11
URL	http://ns2.windows-updates.com/	—	2019-10-11
URL	http://windows-updates.com/	—	2019-10-11
URL	http://windows-updates.com/Defult.phpJl6	—	2019-10-11
URL	http://windows-updates.com/Warning.phpJl6	—	2019-10-11
URL	http://windows-updates.com/forms.php?id=hOsdJl6	—	2019-10-11
URL	http://windows-updates.com/hui	—	2019-10-11
URL	http://windows-updates.com/menu.phpJl6	—	2019-10-11
URL	http://winx64-microsoft.com	—	2019-10-11
URL	http://winx64-microsoft.com/	—	2019-10-11
hostname	%7brandom%7d.firewallsupports.com	—	2019-10-11
hostname	cui0d716336363935.firewallsupports.com	—	2019-10-11
hostname	ns1.firewallsupports.com	—	2019-10-11
hostname	ns2.firewallsupports.com	—	2019-10-11
hostname	qerqk646336363935.firewallsupports.com	—	2019-10-11
hostname	www.firewallsupports.com	—	2019-10-11
hostname	1fix.org.windows-updates.com	—	2019-10-11
hostname	auth.windows-updates.com	—	2019-10-11
hostname	crs.windows-updates.com	—	2019-10-11
hostname	dev.windows-updates.com	—	2019-10-11
hostname	ftp0.windows-updates.com	—	2019-10-11
hostname	home.windows-updates.com	—	2019-10-11
hostname	ns1.windows-updates.com	—	2019-10-11
hostname	ns2.windows-updates.com	—	2019-10-11
hostname	id.windows-updates.com	—	2019-10-11
hostname	mail.windows-updates.com	—	2019-10-11
hostname	microsoft.windows-updates.com	—	2019-10-11
hostname	mirror.windows-updates.com	—	2019-10-11
domain	windows-updates.com	—	2019-10-11
domain	firewallsupports.com	—	2019-10-11
domain	winx64-microsoft.com	—	2019-10-11
domain	windows64x.com	—	2019-10-11
FileHash-SHA256	79c8ceb3627a8d35c8e7255007d87af8e20f1eb341b5446da1e063cf5da39c6f	—	2019-10-11
FileHash-SHA256	45b2db5a78758f9d5125897da4a31c67e68424269eeed58646a87326a2b45d80	—	2019-10-11
FileHash-SHA256	eccc65711cbd154f680e8c8ef343d53f29e4a6237510abd4ad1eab5742b035b3	—	2019-10-11
FileHash-SHA256	3e13f539071d56106e252566b436933ccffd2d509f0c3fae916748971663946c	—	2019-10-11
FileHash-SHA256	396235b998ab348e7f82f1145e8566820652f187c28df2cdeb0dc9b0ef790422	—	2019-10-11
FileHash-SHA256	2b73fe5b9ba44fadcee8657cb2d2b37aab8d0a3be4ed1f437c83f4594e501cd6	—	2019-10-11
FileHash-SHA256	5a3c156565f4243eacf179b95696a15a2e1c460315ff0940c0c71c4f587eb4b3	—	2019-10-11
FileHash-SHA256	0b5476369bca1d9998aa4a53dfe9e958268cd48ac69f9a16001f842330133fe6	—	2019-10-11
FileHash-SHA256	ce6b44af79db56be053f63426acee02c591a2e19ef29f43227ea5b0640e9b24a	—	2019-10-11
FileHash-SHA256	e36a4056b32e094ff6b0aefb2ffe11f033969dc10fa58199559d8c117d0e1b6f	—	2019-10-11
FileHash-SHA256	788687e478704b324089af011cbe20d9d3a590283dd85e45ffe3e51a340f58ca	—	2019-10-11
FileHash-SHA256	ffe2e9b274b00ea967c96eca9c177048c35de75599488f1b8be5ae1cceba00d9	—	2019-10-11
FileHash-SHA256	a0ce856d224ee04558e5cb67bda8ae4733dd40f5a8e59ab5a799d7d1378625b4	—	2019-10-11
FileHash-SHA256	bce37fc0d97ac6bed24098ecf4187081e9a664c87d4fe558f3e46928140c835f	—	2019-10-11
FileHash-SHA256	1f48eceb9dca085d8eb2bcea1dde28e2643e1b198b0a7e998d7708fa68d43575	—	2019-10-11
FileHash-SHA256	b62c3aa413cc5bd551836328b9740ddd50c1a8aa7a04ea0e301fa507724e18f6	—	2019-10-11

References (2)

↗ https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/ ↗ https://twitter.com/Voulnet/status/1014951078364876801