Pulse Detail — Threat Intelligence

PULSE NAME

SocGholish Campaigns and Initial Access Kit

WHITE AlienVault 2022-05-26 Modified: 2022-06-25

IOCs

HIGH VOLUME

A look at the SocGholish initial access kit and how the threat group has developed and used it to target businesses and government organisations across the globe, writes Jason Reaves and Joshua Platt.

socgholish FAKEUPDATES

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1547 T1073 T1584.001 T1059 T1082

MALWARE FAMILIES

NetSupport SocGholish

Indicators of Compromise (70)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	3c554503ac79cbdbf81f8db3bd90ac8e	MD5 of fe2502a6432f272e6fcb7406182907cd54a94a958ee449be1528263a8caf0ac0	2022-05-26
FileHash-MD5	69334dbcbf3beef684d96ac525fa08d4	MD5 of 8b7ece2a8678eef68c30332c283abcac6518732bf75eb19418516c18b361fafd	2022-05-26
FileHash-MD5	72ab3e7bdfcbeab301fd9e2858bcb556	MD5 of 82ddf784507fffbbbcca749a687990345041c6c6cb5f4d768ee4136b3b4f4f03	2022-05-26
FileHash-MD5	93984bb8308d4004ca562e28bb72ce8e	MD5 of abf625d2b1f5f0eb5149fa32ab6e81d148c7316ccb03da2b3db29c964a0cffe7	2022-05-26
FileHash-MD5	c28b5bb4cc0608fed45b1450a19bf8ed	MD5 of 4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21	2022-05-26
FileHash-MD5	fcba3b3ef5710087b5c4801e3787794f	MD5 of 584de2da31e64ccb44b618173344c5625288ba478d8b74cddd0b12ec7b689be4	2022-05-26
FileHash-SHA1	0bf7c6a89c229931f368d4151e25c73faa6baf12	SHA1 of 4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21	2022-05-26
FileHash-SHA1	164910514f7183af18f813d285477e1f96d3ca78	SHA1 of abf625d2b1f5f0eb5149fa32ab6e81d148c7316ccb03da2b3db29c964a0cffe7	2022-05-26
FileHash-SHA1	635a2885797dda5051dabbcd21488a87a2ec51cf	SHA1 of 8b7ece2a8678eef68c30332c283abcac6518732bf75eb19418516c18b361fafd	2022-05-26
FileHash-SHA1	c30b975d5a51a8d598b8bab18da0f20a713d7d4e	SHA1 of 584de2da31e64ccb44b618173344c5625288ba478d8b74cddd0b12ec7b689be4	2022-05-26
FileHash-SHA1	cc6e4d281b405f1d4b53d99cbc1c3cc24289b3d0	SHA1 of 82ddf784507fffbbbcca749a687990345041c6c6cb5f4d768ee4136b3b4f4f03	2022-05-26
FileHash-SHA1	f0d9c5f8c2725bb2ef84174251d42c4f97509411	SHA1 of fe2502a6432f272e6fcb7406182907cd54a94a958ee449be1528263a8caf0ac0	2022-05-26
FileHash-SHA256	465ab5550bc788a274e38a71ecdc246d407c453a7a2d533a9b4aa2d9e53a8463	—	2022-05-26
FileHash-SHA256	4ca5c2c0cc2bd56626c3499a88bd5b4ce2bf053c37e50902722220279e2d26d5	—	2022-05-26
FileHash-SHA256	4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21	—	2022-05-26
FileHash-SHA256	56de90d87bb9afc5345991b910a17cf0c6ee95cb97ea4b6de87fd93a8f22c9c0	—	2022-05-26
FileHash-SHA256	584de2da31e64ccb44b618173344c5625288ba478d8b74cddd0b12ec7b689be4	—	2022-05-26
FileHash-SHA256	61707f944c47121ba23f3889773aa7c858aa2aae174a145f0170ad7d0384d3bd	—	2022-05-26
FileHash-SHA256	617c331b65e0d26e1e64a04f06555891e719b578fd2bdc41065458176821f0c1	—	2022-05-26
FileHash-SHA256	82ddf784507fffbbbcca749a687990345041c6c6cb5f4d768ee4136b3b4f4f03	—	2022-05-26
FileHash-SHA256	8b7ece2a8678eef68c30332c283abcac6518732bf75eb19418516c18b361fafd	—	2022-05-26
FileHash-SHA256	9d8d289dd7fe149e89152983e40b2c1031e0dba3de9d89513163068bfb27a314	—	2022-05-26
FileHash-SHA256	a1f710e70688c61f447d575a081f10f21c999170e67cdedff11acb6b87b0ba14	—	2022-05-26
FileHash-SHA256	a79b86d06a64f3df1d503a5052a912de767eb1081b6b5192a1acfb9ce2c0a26e	—	2022-05-26
FileHash-SHA256	abf625d2b1f5f0eb5149fa32ab6e81d148c7316ccb03da2b3db29c964a0cffe7	—	2022-05-26
FileHash-SHA256	ba757fa287f859745578b293896e4405b040dad3b393a7128966f15fa28dd7d8	—	2022-05-26
FileHash-SHA256	bcd004db9f44f2414c7094f79afb2d80230611e5b4f97960685157d236186126	—	2022-05-26
FileHash-SHA256	ccc0204486cbf8b6db43711ddf8d847cfc15d5f713c60b53c461c4e4eeeb1a4f	—	2022-05-26
FileHash-SHA256	ee526c0f6ce5632e585b38322c2b6332730dfa9702d0d94c99dff7a36f98db1b	—	2022-05-26
FileHash-SHA256	fac07b49491d3639c0e8c800a71432b4ad1e4d827e9436b49fbbaefeadd853f9	—	2022-05-26
FileHash-SHA256	fe2502a6432f272e6fcb7406182907cd54a94a958ee449be1528263a8caf0ac0	—	2022-05-26
URL	http://149.28.68.114/form_irs_check.png	—	2022-05-26
URL	http://194.180.158.173/fakeurl.htm	—	2022-05-26
URL	http://45.76.172.113/fakeurl.htm	—	2022-05-26
URL	http://45.77.87.77/form_irs_check.png	—	2022-05-26
URL	http://5.252.178.213/restore.dat	—	2022-05-26
URL	http://5.252.178.213/restore.dat'	—	2022-05-26
URL	http://5.252.178.213/thumb_cdn.png	—	2022-05-26
URL	http://87.120.8.141/fakeurl.htm	—	2022-05-26
URL	http://aasdig8g7b448ugudf.cn:443	—	2022-05-26
URL	http://asaicuuvuvyy33ifbcia33.cn:443	—	2022-05-26
URL	http://businessaudit.tax/verification.php	—	2022-05-26
URL	http://irsbusinessaudit.net/captcha.php	—	2022-05-26
URL	http://irsgetwell.net:443	—	2022-05-26
URL	http://mixerspring.cn:443	—	2022-05-26
URL	http://nsncasicuasyca831cs3vvz.cn:443	—	2022-05-26
URL	http://sjvuvja.com:443	—	2022-05-26
URL	http://solenica.com/wp-content/themes/twentyfive/order.vhd	—	2022-05-26
URL	https://10b33845.xen.hill-family.us/pixel.gif']	—	2022-05-26
URL	https://design.lawrencetravelco.com/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy	—	2022-05-26
URL	https://irsbusinessaudit.net/captcha.php	—	2022-05-26
URL	https://payyourintern.com/two-p-1-posts-in-the-un-for-young-specialists	—	2022-05-26
domain	aasdig8g7b448ugudf.cn	—	2022-05-26
domain	asaasdivu73774vbaa33.cn	—	2022-05-26
domain	asaicuuvuvyy33ifbcia33.cn	—	2022-05-26
domain	businessaudit.tax	—	2022-05-26
domain	contentcdns.net	—	2022-05-26
domain	hill-family.us	—	2022-05-26
domain	hlmequipment.com	—	2022-05-26
domain	irsbusinessaudit.net	—	2022-05-26
domain	irsbusinessaudit.tax	—	2022-05-26
domain	irsgetwell.net	—	2022-05-26
domain	mixerspring.cn	—	2022-05-26
domain	nsncasicuasyca831cs3vvz.cn	—	2022-05-26
domain	payyourintern.com	—	2022-05-26
domain	sjvuvja.com	—	2022-05-26
email	info@tulsadiamond.com	—	2022-05-26
email	tgentry@comfortmc.com	—	2022-05-26
hostname	10b33845.xen.hill-family.us	—	2022-05-26
hostname	design.lawrencetravelco.com	—	2022-05-26

References (1)

↗ https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee