Pulse Detail — Threat Intelligence

PULSE NAME

#Firmware new relic script/update corruption riotgsmes used to deliver

WHITE dorkingbeauty1 2022-05-18 Modified: 2022-06-17

1488

IOCs

HIGH VOLUME

Common = 162.247.243.148 TCP traffic to 104.16.119.50 on port 49260 TCP traffic to 104.16.206.131 on port 49263 TCP traffic to 8.251.168.124 on port 49284 TCP traffic to 162.247.243.238 on port

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1010 T1012 T1018 T1027 T1055 T1056 T1057 T1070 T1082 T1095 T1112 T1114 T1120 T1486 T1497 T1518 T1553 T1571 T1573

Indicators of Compromise (268 / 1488 total)

All URL domain hostname email FileHash-SHA256 CVE FileHash-MD5 FileHash-SHA1 SSLCertFingerprint

TYPE	INDICATOR	DESCRIPTION	CREATED
hostname	www2.public-trust.com	—	2022-05-18
hostname	www.unicode.org	—	2022-05-18
hostname	www.riotgames.com	—	2022-05-18
hostname	www.markmonitor.com	—	2022-05-18
hostname	www.icann.org	—	2022-05-18
hostname	www.digicert.com	—	2022-05-18
hostname	whois.markmonitor.com	—	2022-05-18
hostname	usw.pp.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	ns3.riotgames.com	—	2022-05-18
hostname	ns3.p21.dynect.net	—	2022-05-18
hostname	metric-api.newrelic.com	—	2022-05-18
hostname	logo.verisign.com	—	2022-05-18
hostname	log-api.newrelic.com	—	2022-05-18
hostname	insights-collector.newrelic.com	—	2022-05-18
hostname	data.riotgames.com	—	2022-05-18
hostname	clientconfig.rpg.riotgames.com	—	2022-05-18
hostname	a104-114-76-158.deploy.akamaitechnologies.com	—	2022-05-18
hostname	a1-195.akam.net	—	2022-05-18
hostname	clicktrack.pubmatic.com	—	2022-05-18
hostname	wildrift.secure.dyn.riotcdn.net	—	2022-05-18
hostname	valorant.secure.dyn.riotcdn.net	—	2022-05-18
hostname	update-account.riotgames.com	—	2022-05-18
hostname	unconfigured.edge.rms.si.riotgames.com	—	2022-05-18
hostname	tpe3-clientconfig.rpg.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	tigohn.webdns.eu.org	—	2022-05-18
hostname	static.olymptrade.com	—	2022-05-18
hostname	staging-mobile-crash.newrelic.com	—	2022-05-18
hostname	staging-collector-102.newrelic.com	—	2022-05-18
hostname	rnet-stable.chat.si.riotgames.com	—	2022-05-18
hostname	ritoplus.secure.dyn.riotcdn.net	—	2022-05-18
hostname	riot-geo.pas.si.riotgames.com	—	2022-05-18
hostname	riot-client.secure.dyn.riotcdn.net	—	2022-05-18
hostname	riot-client.dyn.riotcdn.net	—	2022-05-18
hostname	pp-globalqa.rpg.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	playerpreferences.riotgames.com	—	2022-05-18
hostname	pcbs.loyalty.riotgames.com	—	2022-05-18
hostname	neulion-a.akamaihd.net.edgesuite.net	—	2022-05-18
hostname	neulion-a.akamaihd.net	—	2022-05-18
hostname	na1-clientconfig.rpg.riotgames.com	—	2022-05-18
hostname	metric-api.newrelic.com.cdn.cloudflare.net	—	2022-05-18
hostname	europe.tas.riotgames.com	—	2022-05-18
hostname	euc.pp.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	entitlements.auth.riotgames.com	—	2022-05-18
hostname	ekg.riotgames.com	—	2022-05-18
hostname	dns1.p07.nsone.net	—	2022-05-18
hostname	collector-008.newrelic.com	—	2022-05-18
hostname	clientconfig.rpg.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	bkk2-clientconfig.rpg.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	bacon.secure.dyn.riotcdn.net	—	2022-05-18
hostname	authenticate.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	authenticate.riotgames.com	—	2022-05-18
hostname	auth.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	auth.riotgames.com	—	2022-05-18
hostname	asia.tas.riotgames.com	—	2022-05-18
hostname	apne.pp.riotgames.com.cdn.cloudflare.net	—	2022-05-18
hostname	api.account.riotgames.com	—	2022-05-18
hostname	api.account.leagueoflegends.co.kr	—	2022-05-18
hostname	ads-v-darwin-dual.hulustream.com	—	2022-05-18
hostname	a1992.dscb.akamai.net	—	2022-05-18
hostname	a1971.dscb.akamai.net	—	2022-05-18
hostname	a1936.b.akamai.net	—	2022-05-18
hostname	a1835.dscw16.akamai.net	—	2022-05-18
hostname	a1790.b.akamai.net	—	2022-05-18
hostname	187685766663-ct6bdnthcq6jlllecpg1guhthoc7i8vv.apps.googleusercontent.com	—	2022-05-18
hostname	http-va-darwin-dual.hulustream.com	—	2022-05-18
hostname	live.rte.ie	—	2022-05-18
hostname	lol.secure.dyn.riotcdn.net	—	2022-05-18
hostname	lq.jp1.lol.riotgames.com	—	2022-05-18
hostname	media.pepsico.com	—	2022-05-18
hostname	mon-va.tiktokv.com	—	2022-05-18
hostname	mon-va.tiktokv.com.edgesuite.net	—	2022-05-18
hostname	nonprod.media.amwtips.com	—	2022-05-18
hostname	cdn.herogame.com	—	2022-05-18
hostname	cdnstatic-hw.herogame.com	—	2022-05-18
hostname	hgsdk-ak.herogame.com	—	2022-05-18
hostname	hgsdkcdn.herogame.com	—	2022-05-18
hostname	hgsdkcdnakm.herogame.com	—	2022-05-18
hostname	lhcx-tw-ak.herogame.com	—	2022-05-18
hostname	prod-myplanetcdn-ak.herogame.com	—	2022-05-18
hostname	uglobal-ak.herogame.com	—	2022-05-18
hostname	media.amwtips.com	—	2022-05-18
hostname	cache.download.casinoseuropas.net	—	2022-05-18
hostname	cdn-lt-hds-vod.tv2oj.dk	—	2022-05-18
hostname	cdn-lt-hls-vod.tv2oj.dk	—	2022-05-18
hostname	nyhedsbrev.tv2oj.dk	—	2022-05-18
hostname	media-cdn-olympics.tmgvideo.nl	—	2022-05-18
hostname	media.tmgvideo.nl	—	2022-05-18
hostname	affiliates.sportium.es	—	2022-05-18
hostname	afiliados.sportium.es	—	2022-05-18
hostname	bgtsportium.sportium.es	—	2022-05-18
hostname	bo-mexos.sportium.es	—	2022-05-18
hostname	click.sac.sportium.es	—	2022-05-18
hostname	cloud.sac.sportium.es	—	2022-05-18
hostname	image.sac.sportium.es	—	2022-05-18
hostname	online.sportium.es	—	2022-05-18
hostname	sport-mobile.sportium.es	—	2022-05-18
hostname	a-mi.schaeffler-cdn.com	—	2022-05-18
hostname	cdn01.doax-venusvacation.jp	—	2022-05-18
hostname	cdnstatic.herogame.com	—	2022-05-18
hostname	www.bursdagskongen.com	—	2022-05-18
hostname	www.charitystream.se	—	2022-05-18
hostname	www.24hshop.fi	—	2022-05-18
hostname	of.legends.live	—	2022-05-18
hostname	blog.impl.cc	—	2022-05-18
hostname	git.impl.cc	—	2022-05-18
hostname	tunnel.impl.cc	—	2022-05-18
hostname	stage.superbid.com.pe	—	2022-05-18
hostname	mail2.exmail.work	—	2022-05-18
hostname	bayerbms.pool4tool.com	—	2022-05-18
hostname	blog.pool4tool.com	—	2022-05-18
hostname	covestro.pool4tool.com	—	2022-05-18
hostname	customer.pool4tool.com	—	2022-05-18
hostname	debugfixes.pool4tool.com	—	2022-05-18
hostname	demo.pool4tool.com	—	2022-05-18
hostname	event.pool4tool.com	—	2022-05-18
hostname	product.pool4tool.com	—	2022-05-18
hostname	resources.pool4tool.com	—	2022-05-18
hostname	webinar.pool4tool.com	—	2022-05-18
hostname	collector-003.newrelic.com	—	2022-05-18
hostname	ks-foundation.secure.dyn.riotcdn.net	—	2022-05-18
hostname	cdn2.medik8.com	—	2022-05-18
hostname	us.medik8.com	—	2022-05-18
hostname	dxm.v33-recette.wedia-group.com	—	2022-05-18
hostname	app-login.q-dance.com	—	2022-05-18
hostname	chromecast.q-dance.com	—	2022-05-18
hostname	cdn-global.smusou-sp.com	—	2022-05-18
hostname	game.smusou-sp.com	—	2022-05-18
hostname	canada4-mw.rebel.com	—	2022-05-18
hostname	dev.staff.rebel.com	—	2022-05-18
hostname	dev.vaultgate.rebel.com	—	2022-05-18
hostname	monitorcanada4-mw.rebel.com	—	2022-05-18
hostname	sst.rebel.com	—	2022-05-18
hostname	status.rebel.com	—	2022-05-18
hostname	ams.daybreakgames.com	—	2022-05-18
hostname	gvid.daybreakgames.com	—	2022-05-18
hostname	launchpad.patch.daybreakgames.com	—	2022-05-18
hostname	lvs-gt-els02.daybreakgames.com	—	2022-05-18
hostname	mi.daybreakgames.com	—	2022-05-18
hostname	www-cdn.daybreakgames.com	—	2022-05-18
hostname	link.hariri.my.id	—	2022-05-18
hostname	novel.hariri.my.id	—	2022-05-18
hostname	pixel.briefly.co.za	—	2022-05-18
hostname	read-also.briefly.co.za	—	2022-05-18
hostname	dxm.engiesa-pp.wedia-group.com	—	2022-05-18
hostname	euca-d.whoosh.media	—	2022-05-18
hostname	euca-e.whoosh.media	—	2022-05-18
hostname	euca-f.whoosh.media	—	2022-05-18
hostname	euca-g.whoosh.media	—	2022-05-18
hostname	grand-central-pre-release.whoosh.media	—	2022-05-18
hostname	gwr-pre-release.whoosh.media	—	2022-05-18
hostname	hornbeam.whoosh.media	—	2022-05-18
hostname	lner-pre-release.whoosh.media	—	2022-05-18
hostname	northern-pre-release.whoosh.media	—	2022-05-18
hostname	nr-pre-release.whoosh.media	—	2022-05-18
hostname	rail.whoosh.media	—	2022-05-18
hostname	swr-pre-release.whoosh.media	—	2022-05-18
hostname	willow.whoosh.media	—	2022-05-18
hostname	bibliaonline.sasapp.tech	—	2022-05-18
hostname	biruitorul.sasapp.tech	—	2022-05-18
hostname	dns2.sasapp.tech	—	2022-05-18
hostname	harfa.sasapp.tech	—	2022-05-18
hostname	harfaevangheliei.sasapp.tech	—	2022-05-18
hostname	stat.sasapp.tech	—	2022-05-18
hostname	whois.domainsatcost.ca	—	2022-05-18
hostname	api.besmarmy.com	—	2022-05-18
hostname	download.besmarmy.com	—	2022-05-18
hostname	origin.5centscdn.net	—	2022-05-18
hostname	status.5centscdn.net	—	2022-05-18
hostname	blog.hee.ink	—	2022-05-18
hostname	archive.ubtu.net	—	2022-05-18
hostname	mirrors.ubtu.net	—	2022-05-18
hostname	security.ubtu.net	—	2022-05-18
hostname	status.ubtu.net	—	2022-05-18
hostname	pve.alwaysbetinkering.com	—	2022-05-18
hostname	vault.alwaysbetinkering.com	—	2022-05-18
hostname	sp-rc.vdresource.com	—	2022-05-18
hostname	tempo-rc.vdresource.com	—	2022-05-18
hostname	tempo-vvc-sync.vdresource.com	—	2022-05-18
hostname	tempo-vvc.vdresource.com	—	2022-05-18
hostname	srv.sololibri.net	—	2022-05-18
hostname	dam-covea-pp.wedia-group.com	—	2022-05-18
hostname	dxm.adeo-pp.wedia-group.com	—	2022-05-18
hostname	dxm.adeo.wedia-group.com	—	2022-05-18
hostname	dxm.lkq-production.wedia-group.com	—	2022-05-18
hostname	dxm.thuasne-preprod.wedia-group.com	—	2022-05-18
hostname	engiesa-pp.wedia-group.com	—	2022-05-18
hostname	evp-adeo-dameo-isoprod-cdn.wedia-group.com	—	2022-05-18
hostname	evp-technip-dam-prod-cdn.wedia-group.com	—	2022-05-18
hostname	icade-pp.wedia-group.com	—	2022-05-18
hostname	media-total-darksites.wedia-group.com	—	2022-05-18
hostname	polsinelli-pp.wedia-group.com	—	2022-05-18
hostname	rlb-mkt-stg.wedia-group.com	—	2022-05-18
hostname	suewag-medienkatalog-stg.wedia-group.com	—	2022-05-18
hostname	v33-recette.wedia-group.com	—	2022-05-18
hostname	kroger-promo-api-qa.przone.net	—	2022-05-18
hostname	wag-core-api-clone2.przone.net	—	2022-05-18
hostname	wag-dc-api-clone2.przone.net	—	2022-05-18
hostname	wag-dwa-api-clone2.przone.net	—	2022-05-18
hostname	wag-dwa-api-prod.przone.net	—	2022-05-18
hostname	wag-images-prod.przone.net	—	2022-05-18
hostname	wag-oms-clone2.przone.net	—	2022-05-18
hostname	wag-promo-api-clone2.przone.net	—	2022-05-18
hostname	cdnimg.izooto.in	—	2022-05-18
hostname	play.puzzleplusgames.net	—	2022-05-18
hostname	puzzle-public.puzzleplusgames.net	—	2022-05-18
hostname	cdn.easypalletideas.com	—	2022-05-18
hostname	api.formatlog.com	—	2022-05-18
hostname	cdn.formatlog.com	—	2022-05-18
hostname	dl.formatlog.com	—	2022-05-18
hostname	api.holdingmypage.com	—	2022-05-18
hostname	install-cdnh.holdingmypage.com	—	2022-05-18
hostname	install.holdingmypage.com	—	2022-05-18
hostname	cpcalendars.shortcut.name	—	2022-05-18
hostname	cpcontacts.shortcut.name	—	2022-05-18
hostname	www.hee.ink	—	2022-05-18
hostname	pic.zimiao.moe	—	2022-05-18
hostname	dyntest2.blackberrymessenger.net	—	2022-05-18
hostname	adam777.freeddns.org	—	2022-05-18
hostname	www.ambergroup.io	—	2022-05-18
hostname	www-cdn.everquest.com	—	2022-05-18
hostname	wag-images-staging.przone.net	—	2022-05-18
hostname	media-axa.wedia-group.com	—	2022-05-18
hostname	images.briefly.co.za	—	2022-05-18
hostname	vpn.iloveccp.top	—	2022-05-18
hostname	www.pcbportal.com	—	2022-05-18
hostname	oakforest-8774873895.duckdns.org	—	2022-05-18
hostname	juniper.whoosh.media	—	2022-05-18
hostname	dns1.sasapp.tech	—	2022-05-18
hostname	dns.sasapp.tech	—	2022-05-18
hostname	dns.hariri.my.id	—	2022-05-18
hostname	launch.daybreakgames.com	—	2022-05-18
hostname	feed.q-dance.com	—	2022-05-18
hostname	clig.multtv.tv.br	—	2022-05-18
hostname	cledge.mpl.live	—	2022-05-18
hostname	challenge.line-alpha.me	—	2022-05-18
hostname	cdn.smusou-sp.com	—	2022-05-18
hostname	cdn.medik8.com	—	2022-05-18
hostname	2fads.esm1.net	—	2022-05-18
hostname	guacamole.nike.co.id	—	2022-05-18
hostname	hostmaster.hostmaster.hostmaster.mx.mx.mx.www.nike.co.id	—	2022-05-18
hostname	hostmaster.hostmaster.hostmaster.mx.nike.co.id	—	2022-05-18
hostname	mail7.nike.co.id	—	2022-05-18
hostname	mx.mx.mx.mx.mx.mail.nike.co.id	—	2022-05-18
hostname	mx.mx.mx.mx.mx.mx.mx.nike.co.id	—	2022-05-18
hostname	owa.nike.co.id	—	2022-05-18
hostname	pcx.nike.co.id	—	2022-05-18
hostname	pcxprod.nike.co.id	—	2022-05-18
hostname	shop.nike.co.id	—	2022-05-18
hostname	trello.nike.co.id	—	2022-05-18
hostname	data-services-uat.michiganlottery.com	—	2022-05-18
hostname	emailus.michiganlottery.com	—	2022-05-18
hostname	igao-qa.michiganlottery.com	—	2022-05-18
hostname	okontoorbrands.darkskinmedia.com.ng	—	2022-05-18
hostname	252fwww.acurargv.com	—	2022-05-18
hostname	aglobals.servers.chat.chat	—	2022-05-18
hostname	newrelic.lucky777.fbi.dnsw.xyz	—	2022-05-18
hostname	servers.chat.chat	—	2022-05-18
hostname	whois.rebel.com	—	2022-05-18
hostname	www.rebel.com	—	2022-05-18
hostname	yelsinml10.gamingdns.xyz	—	2022-05-18
hostname	cdn-lt-live.tv2oj.dk	—	2022-05-18
hostname	console.peak10.com	—	2022-05-18
hostname	content.tmgvideo.nl	—	2022-05-18
hostname	e1.365dm.de	—	2022-05-18
hostname	globalriot.pdx2.rnet-live.riotclient.foundation	—	2022-05-18
hostname	globals.servers.chat.chat	—	2022-05-18
hostname	legends.live.game	—	2022-05-18
hostname	x-22.a2ng.com	—	2022-05-18

References (6)

↗ VALORANT.exe ↗ 162.247.243.148 ↗ Queries firmware table information (may be used to fingerprint/evade) details "RiotClientServices.exe" at 00000000-00003384-00000033-3266853 "RiotClientServices.exe" at 00000000-00003384-00000033-3267044 "RiotClientServices.exe" at 00000000-00003400-00000033-3764888 "RiotClientServices.exe" at 00000000-00003400-00000033-3765111 "RiotClientServices.exe" at 00000000-00002172-00000033-13613833225596776 "RiotClientServices.exe" at 00000000-00002172-00000033-13613833225597548 "RiotClientServices.exe" at 00000000 ↗ #Firmware ↗ https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9 ↗ helped by someone else's hybrid scan thank you