TargetCompany Ransomware Abuses FUD Obfuscator Packers

| SHA256 | Description | Detection |
| --- | --- | --- |
| 734803d815af2b27fbbb7b4516df3f6fb29ed76d1b16c661a38dbe860831b906 | kfxuza.bat | Backdoor.BAT.REMCOS.THCOFBC |
| d59f6e95075026e755a415a5dd5fd4b617516c99d064b833e01c7e5d583cf2fd | | Backdoor.MSIL.REMCOS.THCOFBC |
| 2aa688bebce1788d58ca8d42628b5642a4891adaf275b3ac246f7859f6280115 | | Backdoor.Win32.REMCOS.THCOFBC |
| 26a674f981da653d72d139331e0a46e7dc09142ce2bc602655d6fbb37626c668 | Uasnydaafc.bat | Ransom.BAT.TARGETCOMP.THBBGBC |
| bcff44c6673ded04c8fb76b733837ce109ac6cbb0e4d1ba5b290f76632a4e718 | | Ransom.MSIL.TARGETCOMP.THBBGBC |
| 22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc77199ab917e | Belueqlpobiymhezugmbdpkiller.bat | Trojan.BAT.KILLPROC.THBBGBC |
| 52fe40246265e29ab791c26e57e568b18cbc4f57c3db5b12beb1415c416d64bb | C:\Users\[~redacted]\Desktop\FF.bat | Trojan.BAT.KILLAV.YPDG2T |
| 1ef8aebbb3816d7d534a581c1d1d8730a73355068e8b39587b2363ccbe692c08 | C:\Users\[~redacted]\Desktop\Vcgjpdh.bat | Ransom.BAT.TARGETCOMP.YPDGVT |
| 2efdffd1cf3adab21ff760f009d8893d8c4cbcf63b2c3bfcc1139457c9cd430b | C:\Users\[~redacted]\Desktop\64bit\64bit\unlocker-setup.exe | N/A |
| 094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde | C:\Users\[~redacted]\Desktop\PowerTool64.exe | HackTool.Win32.ToolPow.SM |
| f0e68af393967d8a236461815dd601baf7ebced7b807c224bceb51d0e8bb4b87 | C:\Users\[~redacted]\Desktop\64bit\64bit\ava.exe | HackTool.Win32.ToolPow.SM |
| 18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7 | C:\Users\[~redacted]\AppData\Local\Temp\uxldapoc.sys | N/A |
| 08cfd5a321a47a55c5e8732e3d12bf937ca32426dcd668c7d620cfae48159348 | C:\Users\[~redacted]\Desktop\64bit\64bit\222.exe | N/A |
| e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 | C:\Users\[~redacted]\Desktop\64bit\64bit\22123123.exe | N/A |
| e0d4dc05991211e86c920092966d7025f8e40b77a799428f8491c4f7fa6078a6 | C:\temp\straightforward.exe | Trojan.Win32.MSPLOYT.YPDG2T |
| 12842d49038c066464ac723b9665ff93f634042646bdd6947b54042fd0e06342 | C:\Users\MSSQL$SQLEXPRESS\AppData\Local\Temp\tzt.exe | Backdoor.MSIL.REMCOS.YPDGVT |
| bf28b8a8576beb4755ec6a9d93fc4539e40dee7197b6399dfad5224f5ee74b19 | C:\Users\MSSQL$SQLEXPRESS\AppData\Local\Temp\tzt.exe | Backdoor.MSIL.REMCOS.YPDGVT |
| eb75b7d31a9bd3686fcb0088c684972439687171101368ebf9134a53abac3c20 | C:\Users\MSSQL$SQLEXPRESS\AppData\Local\Temp\tzt.exe | Backdoor.MSIL.REMCOS.YPDGVT |
| 3c665d38c5ccb0b41983ad492b31c499b176219ca7a93494fd902f592cee2ff6 | N/A | Ransom.BAT.REMCOS.YPDGVT |
| 777a5782426e5b42e0e5e8445dd9602d123e8acc27aca4daa8e9c053f3d5b899 | N/A | Ransom.BAT.REMCOS.YPDGVT |
| 4b1949536f3f6140da0a9fc87eb0430b61206852145ada5cecbc279b242bce10 | C:\Users\MSSQL$~1\AppData\Local\Temp\[~Redacted].tmp | Trojan.MSIL.CSHELLR.A |

URLs

| URL | Path | Notes |
| --- | --- | --- |
| hxxp://80.66.75[.]37 | /drtse.exe, :8080/lighting.exe, /Ayhhny.exe, /lawer.exe, /Bwarp.exe | Remcos download binaries |
| hxxp://185.209.230[.]21:8080 | /Auptxums.bat | Remcos download (FUD) |
| 195.3.146[.]183 | | Metasploit command and control (C&C) |
| 80.66.75[.]116 | | Download URL/IP address |
| 80.66.75[.]* | | General TargetCompany ransomware-related network |
| hxxps://whyers[.]io/QWEwqdsvsf/ap.php | | Ransomware C&C server |
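The tables above are defanged (`hxxp`, `[.]`) and one network entry, `80.66.75[.]*`, is a netblock wildcard rather than a single host, so they cannot be grepped for as-is. The script below is an added example, not tooling from the original post: it copies the SHA256 values and network indicators from the tables, refangs them, sweeps a directory tree for files whose SHA256 matches, and runs the network indicators over proxy-style log lines. The log format, the constructed sample lines, and all function names are assumptions made for this example.

```python
"""IOC sweep for the TargetCompany / Remcos indicators tabulated above.

Added example. The hash and network indicators are copied from the tables;
the log format, SAMPLE_LOG and every function here are assumptions.
"""
import hashlib
import re
import sys
from pathlib import Path

# SHA256 -> detection name, straight from the hash table ("N/A" kept as-is).
SHA256_IOCS = {
    "734803d815af2b27fbbb7b4516df3f6fb29ed76d1b16c661a38dbe860831b906": "Backdoor.BAT.REMCOS.THCOFBC",
    "d59f6e95075026e755a415a5dd5fd4b617516c99d064b833e01c7e5d583cf2fd": "Backdoor.MSIL.REMCOS.THCOFBC",
    "2aa688bebce1788d58ca8d42628b5642a4891adaf275b3ac246f7859f6280115": "Backdoor.Win32.REMCOS.THCOFBC",
    "26a674f981da653d72d139331e0a46e7dc09142ce2bc602655d6fbb37626c668": "Ransom.BAT.TARGETCOMP.THBBGBC",
    "bcff44c6673ded04c8fb76b733837ce109ac6cbb0e4d1ba5b290f76632a4e718": "Ransom.MSIL.TARGETCOMP.THBBGBC",
    "22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc77199ab917e": "Trojan.BAT.KILLPROC.THBBGBC",
    "52fe40246265e29ab791c26e57e568b18cbc4f57c3db5b12beb1415c416d64bb": "Trojan.BAT.KILLAV.YPDG2T",
    "1ef8aebbb3816d7d534a581c1d1d8730a73355068e8b39587b2363ccbe692c08": "Ransom.BAT.TARGETCOMP.YPDGVT",
    "2efdffd1cf3adab21ff760f009d8893d8c4cbcf63b2c3bfcc1139457c9cd430b": "N/A",
    "094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde": "HackTool.Win32.ToolPow.SM",
    "f0e68af393967d8a236461815dd601baf7ebced7b807c224bceb51d0e8bb4b87": "HackTool.Win32.ToolPow.SM",
    "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7": "N/A",
    "08cfd5a321a47a55c5e8732e3d12bf937ca32426dcd668c7d620cfae48159348": "N/A",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173": "N/A",
    "e0d4dc05991211e86c920092966d7025f8e40b77a799428f8491c4f7fa6078a6": "Trojan.Win32.MSPLOYT.YPDG2T",
    "12842d49038c066464ac723b9665ff93f634042646bdd6947b54042fd0e06342": "Backdoor.MSIL.REMCOS.YPDGVT",
    "bf28b8a8576beb4755ec6a9d93fc4539e40dee7197b6399dfad5224f5ee74b19": "Backdoor.MSIL.REMCOS.YPDGVT",
    "eb75b7d31a9bd3686fcb0088c684972439687171101368ebf9134a53abac3c20": "Backdoor.MSIL.REMCOS.YPDGVT",
    "3c665d38c5ccb0b41983ad492b31c499b176219ca7a93494fd902f592cee2ff6": "Ransom.BAT.REMCOS.YPDGVT",
    "777a5782426e5b42e0e5e8445dd9602d123e8acc27aca4daa8e9c053f3d5b899": "Ransom.BAT.REMCOS.YPDGVT",
    "4b1949536f3f6140da0a9fc87eb0430b61206852145ada5cecbc279b242bce10": "Trojan.MSIL.CSHELLR.A",
}

# Network indicators, kept defanged exactly as in the URL table.
NETWORK_IOCS = {
    "hxxp://80.66.75[.]37": "Remcos download binaries",
    "hxxp://185.209.230[.]21:8080": "Remcos download (FUD)",
    "195.3.146[.]183": "Metasploit command and control (C&C)",
    "80.66.75[.]116": "Download URL/IP address",
    "80.66.75[.]*": "General TargetCompany ransomware-related network",
    "hxxps://whyers[.]io/QWEwqdsvsf/ap.php": "Ransomware C&C server",
}

# Optional scheme, then everything up to the first '/', ':' or whitespace = host.
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)")


def refang(ioc):
    """Turn the table's defanged form back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def ioc_host(ioc):
    """Host (or wildcard pattern) part of a refanged indicator."""
    return HOST_RE.match(refang(ioc)).group(1)


def host_matches(host, pattern):
    """Exact host match, or prefix match for a trailing '.*' wildcard (80.66.75.*)."""
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])  # keeps the dot: "80.66.75."
    return host == pattern


def hosts_in(line):
    """Every token of a whitespace-separated log line reduced to its host part."""
    return [m.group(1) for m in (HOST_RE.match(t) for t in line.split()) if m]


def match_log_line(line):
    """Defanged indicators (table keys) whose host matches any host in the line."""
    hosts = hosts_in(line)
    return [ioc for ioc in NETWORK_IOCS
            if any(host_matches(h, ioc_host(ioc)) for h in hosts)]


def scan_log(lines):
    """(line number, indicator, note) for every hit across the log."""
    return [(n, ioc, NETWORK_IOCS[ioc])
            for n, line in enumerate(lines, 1) for ioc in match_log_line(line)]


def sha256_of_chunks(chunks):
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of(path, chunk_size=1 << 20):
    """Streamed SHA256 so large binaries are not read into memory at once."""
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(chunk_size), b""))


def classify(digest):
    """Detection name for a SHA256 from the table, or None if it is not listed."""
    return SHA256_IOCS.get(digest.lower())


def sweep_directory(root):
    """(path, sha256, detection) for every regular file under root that matches."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_of(path)
        except OSError:  # unreadable or vanished file; skip rather than abort
            continue
        detection = classify(digest)
        if detection is not None:
            hits.append((str(path), digest, detection))
    return hits


# Constructed proxy-style log lines (assumed format: time client method target status).
SAMPLE_LOG = [
    "2023-02-01T10:00:01Z 10.0.0.5 GET http://80.66.75.37:8080/lighting.exe 200",
    "2023-02-01T10:00:05Z 10.0.0.7 CONNECT 195.3.146.183:4444 -",
    "2023-02-01T10:00:09Z 10.0.0.9 GET http://80.66.75.200/update.php 200",
    "2023-02-01T10:01:00Z 10.0.0.5 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for number, ioc, note in scan_log(SAMPLE_LOG):
        print(f"log line {number}: {ioc} ({note})")
    for root in sys.argv[1:]:  # e.g. python ioc_sweep.py C:\Users
        for path, digest, detection in sweep_directory(root):
            print(f"{path}: {digest} -> {detection}")
```

Matching is done on the host part only, so the `whyers[.]io` entry fires on any request to that host rather than only on the exact `ap.php` path, which is the safer choice for a C&C domain. The wildcard entry will also match legitimate hosts in that /24, so treat its hits as a lead to triage rather than a confirmed infection; the hash matches are the high-confidence ones.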