[ { "id": 3593444796, "indicator": "http://drechslerstammtisch.de", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444814, "indicator": "https://descontador.com.br", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444797, "indicator": "https://el-energiaki.gr", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444798, "indicator": "https://www.elaboro.pl", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436934, "indicator": "0ea68856c4f56f4056502208e97e9033", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444800, "indicator": "211897664d51cffdfd7f78d684602ecc", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3285675229, "indicator": "22bbe1747933531e9c240e0db86268e2", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "TEL:Trojan:Win64/GoCLR.MR!MTB", "description": "MD5 of c2a8776e21403eb00b38bfccd36d1c03dffb009e", "expiration": null, "is_active": 1 }, { "id": 3237094343, "indicator": "27f7186499bc8d10e51d17d3d6697bc5", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "compromised_site_redirector_fromcharcode", "description": "MD5 of 52332ce16ee0c393b8eea6e71863ad41e3caeafd", "expiration": null, "is_active": 1 }, { "id": 3593436935, "indicator": "50cc3a3bca96d7096c8118e838d9bc16", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "stack_string", "description": "MD5 of b286b58ed32b6df4ecdb5df86d7d7d177bb7bfaf", "expiration": null, "is_active": 1 }, { "id": 2646209326, "indicator": "a0e9f5d64349fb13191bc781f81f42e1", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436936, "indicator": "d2df4601c8d43e655163c0b292bc4cc9", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3472202990, "indicator": "de7c4da78a6cbba096e32e5eecb00566", "type": "FileHash-MD5", "created": "2022-11-29T09:00:21", "content": "", "title": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "description": "MD5 of 02b4f495e9995cc2251c19cd9984763f52122951", "expiration": null, "is_active": 1 }, { "id": 3472202991, "indicator": "02b4f495e9995cc2251c19cd9984763f52122951", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444801, "indicator": "08651822714c977d40d3c126c20ba4033d6836d3", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444802, "indicator": "1f8e37351e7c5d89ce7808391edaef34bd8db6c0", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444803, "indicator": "3a2079b02bcb1a2653ba9b5a5f56fd8b14a59820", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3237094345, "indicator": "52332ce16ee0c393b8eea6e71863ad41e3caeafd", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "compromised_site_redirector_fromcharcode", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444804, "indicator": "74e2d1bd3cec8fa72ba06cf4eef8e58fb5e0e237", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444805, "indicator": "8b749fb1260b92b9170e4e69fa1bd2f34e94d766", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444806, "indicator": "a3eed2b760abddfd62014fcf9ae81f435b216473", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436937, "indicator": "b286b58ed32b6df4ecdb5df86d7d7d177bb7bfaf", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "stack_string", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436938, "indicator": "b80c987c8849bf7905ea8f283b79d98753e3c15a", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3285675240, "indicator": "c2a8776e21403eb00b38bfccd36d1c03dffb009e", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "TEL:Trojan:Win64/GoCLR.MR!MTB", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436939, "indicator": "f6727d5d04f2728a3353fbd45d7b2cb19e98802c", "type": "FileHash-SHA1", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3237094347, "indicator": "18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "compromised_site_redirector_fromcharcode", "description": "SHA256 of 52332ce16ee0c393b8eea6e71863ad41e3caeafd", "expiration": null, "is_active": 1 }, { "id": 3472202992, "indicator": "1bf9314ae67ab791932c43e6c64103b1b572a88035447dae781bffd21a1187ad", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "description": "SHA256 of 02b4f495e9995cc2251c19cd9984763f52122951", "expiration": null, "is_active": 1 }, { "id": 3593436940, "indicator": "41e230134deca492704401ddf556ee2198ef6f32b868ec626d9aefbf268ab6b1", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3285675246, "indicator": "53ae3567a34097f29011d752f1d3afab8f92beb36a8d6a5df5c1d4b12edc1703", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "TEL:Trojan:Win64/GoCLR.MR!MTB", "description": "SHA256 of c2a8776e21403eb00b38bfccd36d1c03dffb009e", "expiration": null, "is_active": 1 }, { "id": 3593436941, "indicator": "6424b4983f83f477a5da846a1dc3e2565b7a7d88ae3f084f3d3884c43aec5df6", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436942, "indicator": "f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee", "type": "FileHash-SHA256", "created": "2022-11-29T09:00:21", "content": "", "title": "stack_string", "description": "SHA256 of b286b58ed32b6df4ecdb5df86d7d7d177bb7bfaf", "expiration": null, "is_active": 1 }, { "id": 3593444808, "indicator": "http://139.60.160.18:443", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444809, "indicator": "http://139.60.160.18:80", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444810, "indicator": "http://84.17.49.114:1249", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444811, "indicator": "http://dhnconstrucciones.com.ar", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444812, "indicator": "http://dilsrl.com", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444813, "indicator": "https://api.floppasoftware.com", "type": "URL", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436930, "indicator": "8ed58983ae99d3e81e60a747056a1741da418bdc", "type": "YARA", "created": "2022-11-29T09:00:21", "content": "rule dontsleep { \n meta: \n description = \"15184_ - file dontsleep.exe\" \n author = \"The DFIR Report\" \n reference = \"https://thedfirreport.com\" \n date = \"2022-11-28\" \n hash1 = \"f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee\" \n strings: \n $s1 = \"shell32.dll,Control_RunDLL\" fullword ascii \n $s2 = \"powrprof.DLL\" fullword wide \n $s3 = \"CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST \\\"res\\\\\\\\APP.exe.manifest\\\"\" fullword ascii \n $s4 = \"msinfo32.exe\" fullword ascii \n $s5 = \"user32.dll,LockWorkStation\" fullword wide \n $s6 = \"DontSleep.exe\" fullword wide \n $s7 = \"UMServer.log\" fullword ascii \n $s8 = \"_Autoupdate.exe\" fullword ascii \n $s9 = \"BlockbyExecutionState: %d on:%d by_enable:%d\" fullword wide \n $s10 = \"powrprof.dll,SetSuspendState\" fullword wide \n $s11 = \"%UserProfile%\" fullword wide \n $s12 = \" 2010-2019 Nenad Hrg SoftwareOK.com\" fullword wide \n $s13 = \"https://sectigo.com/CPS0C\" fullword ascii \n $s14 = \"https://sectigo.com/CPS0D\" fullword ascii \n $s15 = \"?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v\" fullword ascii \n $s16 = \"Unable to get response from Accept Thread withing specified Timeout ->\" fullword ascii \n $s17 = \"3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%\" fullword ascii \n $s18 = \"Unable to get response from Helper Thread within specified Timeout ->\" fullword ascii \n $s19 = \" \" fullword ascii \n $s20 = \"_selfdestruct.bat\" fullword wide \n condition: \n uint16(0) == 0x5a4d and filesize < 700KB and \n 8 of them \n }", "title": "", "description": "15184_ - file dontsleep.exe", "expiration": null, "is_active": 1 }, { "id": 3593436931, "indicator": "dd77e4fdffdedafb8d57456fd1ce0a013b322db1", "type": "YARA", "created": "2022-11-29T09:00:21", "content": "rule ___FilesToHash_17jun { \n meta: \n description = \"15184_ - file 17jun.exe\" \n author = \"The DFIR Report\" \n reference = \"https://thedfirreport.com\" \n date = \"2022-11-28\" \n hash1 = \"41e230134deca492704401ddf556ee2198ef6f32b868ec626d9aefbf268ab6b1\" \n strings: \n $x1 = \" to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWCreateProcessAsUserWCryptAcq\" ascii \n $x2 = \"0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125ERROR: unable to download agent fromGo pointer stored in\" ascii \n $x3 = \".lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLIENT_HANDSHAKE_TRAFFIC_SECRETCent\" ascii \n $x4 = \"slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc\" ascii \n $x5 = \"VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 \" ascii \n $x6 = \"file descriptor in bad statefindrunnable: netpoll with pforgetting unknown stream idfound pointer to free objectgcBgMarkWorker: \" ascii \n $x7 = \"tls: certificate used with invalid signature algorithmtls: server resumed a session with a different versionx509: cannot verify \" ascii \n $x8 = \"non-IPv4 addressnon-IPv6 addressobject is remotepacer: H_m_prev=proxy-connectionreflect mismatchremote I/O errorruntime: g: g=\" ascii \n $x9 = \"lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnablestrict-trans\" ascii \n $x10 = \"unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v KiB work, freeindex= gcwaiting= idleprocs= in status \" ascii \n $x11 = \"100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONContent TypeContent-TypeCookie.ValueECDSA-SHA256ECDSA-SH\" ascii \n $x12 = \"entersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid \" ascii \n $x13 = \"streamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%vx509: malformed validityzlib: in\" ascii \n $x14 = \"IP addressInstaller:Keep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCO\" ascii \n $x15 = \" to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCr\" ascii \n $x16 = \"= flushGen for type gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= target\" ascii \n $x17 = \"(unknown), newval=, oldval=, plugin:, size = , tail = --site-id244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDi\" ascii \n $x18 = \" is unavailable()<>@,;:\\\\\\\"/[]?=,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse ASCII_Hex_DigitAccept\" ascii \n $x19 = \"span set block with unpopped elements found in resettls: received a session ticket with invalid lifetimetls: server selected uns\" ascii \n $x20 = \"bad defer entry in panicbad defer size class: i=bypassed recovery failedcan't scan our own stackcertificate unobtainablechacha20\" ascii \n condition: \n uint16(0) == 0x5a4d and filesize < 14000KB and \n 1 of ($x*) \n }", "title": "", "description": "15184_ - file 17jun.exe", "expiration": null, "is_active": 1 }, { "id": 3483749492, "indicator": "descontador.com.br", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3472202732, "indicator": "dhnconstrucciones.com.ar", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3483749493, "indicator": "dilsrl.com", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3472208665, "indicator": "drechslerstammtisch.de", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3434463149, "indicator": "el-energiaki.gr", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3467462498, "indicator": "floppasoftware.com", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3472135706, "indicator": "juanjik.com", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3460419865, "indicator": "survefuz.com", "type": "domain", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436932, "indicator": "api.floppasoftware.com", "type": "hostname", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593444815, "indicator": "icanhazip.tacticalrmm.io", "type": "hostname", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3593436933, "indicator": "mesh.floppasoftware.com", "type": "hostname", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3472202743, "indicator": "www.elaboro.pl", "type": "hostname", "created": "2022-11-29T09:00:21", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 } ]