Pulse Detail — Threat Intelligence

PULSE NAME

#StopRansomware: Cuba Ransomware

WHITE Oracle02 2023-04-20 Modified: 2023-04-20

145

IOCs

HIGH VOLUME

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations, third-party reporting, and open-source reporting

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1059 T1068 T1072 T1078 T1090 T1133 T1190 T1558 T1562 T1563 T1566 T1584

Indicators of Compromise (145)

All IPv4 BitcoinAddress CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	104.217.8.100	CC=US ASN=AS40676 AS40676	2023-04-20
IPv4	104.238.134.63	CC=US ASN=AS20473 AS-CHOOPA	2023-04-20
IPv4	62.210.54.235	CC=FR ASN=AS12876 Online S.a.s.	2023-04-20
IPv4	69.30.232.138	CC=US ASN=AS32097 WII	2023-04-20
IPv4	159.203.70.39	CC=US ASN=AS14061 DIGITALOCEAN-ASN	2023-04-20
IPv4	185.153.199.163	CC=MD ASN=AS56380 ''it Fruit'' S.r.l.	2023-04-20
IPv4	185.153.199.164	CC=MD ASN=AS56380 ''it Fruit'' S.r.l.	2023-04-20
IPv4	185.153.199.169	CC=MD ASN=AS56380 ''it Fruit'' S.r.l.	2023-04-20
IPv4	192.137.100.98	CC=US	2023-04-20
IPv4	193.34.167.17	CC=NL ASN=AS62370 Snel.com B.V.	2023-04-20
IPv4	31.184.198.90	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	45.164.21.13	CC=MX	2023-04-20
IPv4	45.86.162.34	CC=NL ASN=AS199959 Gwy It Pty Ltd	2023-04-20
IPv4	64.52.169.174	CC=US ASN=AS13886 CLOUD-SOUTH	2023-04-20
BitcoinAddress	bc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc	—	2023-04-20
BitcoinAddress	bc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x	—	2023-04-20
BitcoinAddress	bc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z	—	2023-04-20
BitcoinAddress	bc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t	—	2023-04-20
BitcoinAddress	bc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83	—	2023-04-20
BitcoinAddress	bc1qaselp9nhejc3safcq3vn5wautx6w33x0llk7dl	—	2023-04-20
BitcoinAddress	bc1qc48q628t93xwzljtvurpqhcvahvesadpwqtsza	—	2023-04-20
BitcoinAddress	bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3	—	2023-04-20
BitcoinAddress	bc1qgsuf5m9tgxuv4ylxcmx8eeqn3wmlmu7f49zkus	—	2023-04-20
BitcoinAddress	bc1qhpepeeh7hlz5jvrp50uhkz59lhakcfvme0w9qh	—	2023-04-20
BitcoinAddress	bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x	—	2023-04-20
BitcoinAddress	bc1qjep0vx2lap93455p7h29unruvr05cs242mrcah	—	2023-04-20
BitcoinAddress	bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7	—	2023-04-20
BitcoinAddress	bc1qr9l0gcl0nvmngap6ueyy5gqdwvm34kdmtevjyx	—	2023-04-20
BitcoinAddress	bc1qs3lv77udkap2enxv928x59yuact5df4t95rsqr	—	2023-04-20
BitcoinAddress	bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y	—	2023-04-20
BitcoinAddress	bc1qyd05q2m5qt3nwpd3gcqkyer0gspqx5p6evcf7h	—	2023-04-20
BitcoinAddress	bc1qzz7xweq8ee2j35tq6r5m687kctq9huskt50edv	—	2023-04-20
CVE	CVE-2020-1472	—	2023-04-20
CVE	CVE-2022-24521	—	2023-04-20
FileHash-MD5	03c835b684b21ded9a4ab285e4f686a3	MD5 of eaced2fcfdcbf3dca4dd77333aaab055345f3ab4	2023-04-20
FileHash-MD5	236f5de8620a6255f9003d054f08574b	—	2023-04-20
FileHash-MD5	4c32ef0836a0af7025e97c6253054bca	—	2023-04-20
FileHash-SHA1	241ce8af441db2d61f3eb7852f434642739a6cc3	—	2023-04-20
FileHash-SHA1	86ed4544eeca78dc64881a916fe1e1f73dc17f7b	SHA1 of 4c32ef0836a0af7025e97c6253054bca	2023-04-20
FileHash-SHA1	9b546bd99272cf4689194d698c830a2510194722	—	2023-04-20
FileHash-SHA1	eaced2fcfdcbf3dca4dd77333aaab055345f3ab4	—	2023-04-20
FileHash-SHA256	0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3	SHA256 of eaced2fcfdcbf3dca4dd77333aaab055345f3ab4	2023-04-20
FileHash-SHA256	1d142c36c6cdd393fe543a6b7782f25a9cbafca17a1cfa0f3fc0f5a9431dbf3f	SHA256 of 4c32ef0836a0af7025e97c6253054bca	2023-04-20
IPv4	103.114.163.197	CC=US ASN=AS35913 DEDIPATH-LLC	2023-04-20
IPv4	103.27.203.197	CC=TH ASN=AS58955 Bangmod Enterprise Co., Ltd.	2023-04-20
IPv4	108.170.31.115	CC=US ASN=AS20454 SSASN2	2023-04-20
IPv4	128.31.0.34	CC=US ASN=AS3 MIT-GATEWAYS	2023-04-20
IPv4	128.31.0.39	CC=US ASN=AS3 MIT-GATEWAYS	2023-04-20
IPv4	141.98.87.124	CC=RU ASN=AS52000 MIRholding B.V.	2023-04-20
IPv4	144.172.83.13	CC=US ASN=AS397031 GALAXYGATE	2023-04-20
IPv4	149.255.35.131	CC=US ASN=AS29802 HVC-AS	2023-04-20
IPv4	154.35.175.225	CC=US ASN=AS14987 RETHEMHOSTING	2023-04-20
IPv4	170.39.212.69	CC=US ASN=AS397423 TIER-NET	2023-04-20
IPv4	185.153.199.162	CC=MD ASN=AS56380 ''it Fruit'' S.r.l.	2023-04-20
IPv4	185.153.199.168	CC=MD ASN=AS56380 ''it Fruit'' S.r.l.	2023-04-20
IPv4	192.137.100.96	CC=US	2023-04-20
IPv4	192.137.101.205	CC=US	2023-04-20
IPv4	192.137.101.46	CC=US	2023-04-20
IPv4	194.109.206.212	CC=NL ASN=AS3265 KPN B.V.	2023-04-20
IPv4	195.54.160.149	CC=IT ASN=AS62005 BlueVPS OU	2023-04-20
IPv4	209.127.187.245	CC=US ASN=AS55286 SERVER-MANIA	2023-04-20
IPv4	209.76.253.84	CC=US ASN=AS7018 ATT-INTERNET4	2023-04-20
IPv4	212.192.241.230	CC=CZ	2023-04-20
IPv4	213.32.39.43	CC=ES ASN=AS16276 OVH SAS	2023-04-20
IPv4	216.45.55.3	CC=US ASN=AS8100 ASN-QUADRANET-GLOBAL	2023-04-20
IPv4	216.45.55.30	CC=US ASN=AS8100 ASN-QUADRANET-GLOBAL	2023-04-20
IPv4	217.79.43.148	CC=BG ASN=AS8717 A1 Bulgaria EAD	2023-04-20
IPv4	222.252.53.33	CC=VN ASN=AS45899 VNPT Corp	2023-04-20
IPv4	23.227.198.246	CC=US ASN=AS29802 HVC-AS	2023-04-20
IPv4	31.184.192.44	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.194.42	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.111	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.74	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.80	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.82	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.83	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.84	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.85	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.198.86	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.184.199.82	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.44.184.100	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	31.44.184.84	CC=RU ASN=AS34665 Petersburg Internet Network ltd.	2023-04-20
IPv4	37.120.247.39	CC=RO ASN=AS9009 M247 Europe SRL	2023-04-20
IPv4	37.44.253.21	CC=RU ASN=AS26548 PUREVOLTAGE-INC	2023-04-20
IPv4	38.108.119.121	CC=US ASN=AS174 COGENT-174	2023-04-20
IPv4	45.32.229.66	CC=US ASN=AS20473 AS-CHOOPA	2023-04-20
IPv4	45.91.83.176	CC=US ASN=AS8796 FD-298-8796	2023-04-20
IPv4	46.17.106.230	CC=FI ASN=AS207569 I-servers Ltd	2023-04-20
IPv4	64.235.39.82	CC=US ASN=AS26277 PREMIANET	2023-04-20
IPv4	79.141.169.220	CC=HK ASN=AS133398 Tele Asia Limited	2023-04-20
IPv4	84.17.52.135	CC=CH ASN=AS212238 Datacamp Limited	2023-04-20
IPv4	92.222.172.172	CC=FR ASN=AS16276 OVH SAS	2023-04-20
IPv4	92.222.172.39	CC=FR ASN=AS16276 OVH SAS	2023-04-20
IPv4	94.103.9.79	CC=NL ASN=AS200904 Foxcloud Llp	2023-04-20
URL	http://babbedidndu.ru/ls5/forum.php	—	2023-04-20
URL	http://cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion/	—	2023-04-20
URL	http://fabickng.ru/7/forum.php	—	2023-04-20
URL	http://facabeand.com/sliva/gate.php	—	2023-04-20
URL	http://johntotrepwron.com/ls5/gate.php	—	2023-04-20
URL	http://leftthenhispar.ru/ls5/gate.php	—	2023-04-20
URL	http://nagirlstylast.com/ls6/gate.php	—	2023-04-20
URL	http://nastylgilast.com/ls6/gate.php	—	2023-04-20
URL	http://nastylgilast.com/ugr/gate.php	—	2023-04-20
URL	http://ningwitjohnno.ru/ls5/gate.php	—	2023-04-20
URL	http://otinrofha.ru/ls4/gate.php	—	2023-04-20
URL	http://reninparwil.com/ls5/gate.php	—	2023-04-20
URL	http://tandugolastsp.com/ls6/gate.php	—	2023-04-20
URL	http://thehentoftbet.ru/ls5/gate.php	—	2023-04-20
URL	http://tinheranter.com/ls5/gate.php	—	2023-04-20
URL	http://toftoflethens.com/ugr/gate.php	—	2023-04-20
URL	http://torsketronand.ru/ls5/gate.php	—	2023-04-20
URL	http://tycahatit.ru/ls5/gate.php	—	2023-04-20
URL	http://witorophron.com/ugr/gate.php	—	2023-04-20
domain	babbedidndu.ru	—	2023-04-20
domain	cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion	—	2023-04-20
domain	fabickng.ru	—	2023-04-20
domain	facabeand.com	—	2023-04-20
domain	johntotrepwron.com	—	2023-04-20
domain	leftthenhispar.ru	—	2023-04-20
domain	nagirlstylast.com	—	2023-04-20
domain	nastylgilast.com	—	2023-04-20
domain	ningwitjohnno.ru	—	2023-04-20
domain	otinrofha.ru	—	2023-04-20
domain	reninparwil.com	—	2023-04-20
domain	tandugolastsp.com	—	2023-04-20
domain	thehentoftbet.ru	—	2023-04-20
domain	tinheranter.com	—	2023-04-20
domain	toftoflethens.com	—	2023-04-20
domain	torsketronand.ru	—	2023-04-20
domain	tycahatit.ru	—	2023-04-20
domain	vu42i55fqimjx6koo7oqh3zzvy2xghqe7ot4h2ftcv2pimbauupjyqyd.onion	—	2023-04-20
domain	witorophron.com	—	2023-04-20
email	admin@cuba-supp.com	—	2023-04-20
email	admin@encryption-support.com	—	2023-04-20
email	berkberk@cock.li	—	2023-04-20
email	cloudkey@cock.li	—	2023-04-20
email	cuba_support@exploit.im	—	2023-04-20
email	filebase@cock.li	—	2023-04-20
email	frankstore@cock.li	—	2023-04-20
email	inbox@mail.supports24.net	—	2023-04-20
email	magikkey@cock.li	—	2023-04-20
email	sonom@cock.li	—	2023-04-20
email	waterstatus@cock.li	—	2023-04-20
hostname	0.dns.alleivice.com	—	2023-04-20
hostname	mail.supports24.net	—	2023-04-20

References (1)

↗ https://www.cisa.gov/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf