CVE-2024-21412: Water Hydra Targets Traders with Windows Defender SmartScreen Zero-Day
=======================================================================================

Indicators of Compromise
=======================================================================================

[URL]
hxxp[://]84[.]32[.]189[.]74
hxxp[://]84[.]32[.]189[.]74/xampp/
hxxp[://]84[.]32[.]189[.]74/webdav/
hxxps[://]fxbulls[.]ru
hxxps[://]fxbulls[.]ru/wp-content/uploads
hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]htm
hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]html
hxxps[://]84[.]32[.]189[.]74@0[.]0[.]0[.]80/fxbulls/net/2[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/Thumbs[.]db
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/2[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/My2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls
hxxp[://]84[.]32[.]189[.]74/fxbulls/images
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/Thumbs[.]db
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/2[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/My2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/net
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/Thumbs[.]db
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/2[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/My2[.]zip
hxxp[://]84[.]32[.]189[.]74/underwall/docs
hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z[.]zip
hxxp[://]84[.]32[.]189[.]74/underwall/docs/passport[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/underwall/docs/warop[.]url
hxxp[://]84[.]32[.]189[.]74/underwall/expand
hxxp[://]84[.]32[.]189[.]74/underwall/expand/7z[.]zip
hxxp[://]84[.]32[.]189[.]74/underwall/expand/photo_2023-12-26[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/underwall/expand/warop[.]url
hxxp[://]84[.]32[.]189[.]74/underwall/society
hxxp[://]84[.]32[.]189[.]74/underwall/society/7z[.]zip
hxxp[://]84[.]32[.]189[.]74/underwall/society/photo_2023-12-26[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/underwall/society/warop[.]url

[PATHS]
/fxbulls
/fxbulls/pictures
/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
/fxbulls/pictures/Thumbs[.]db
/fxbulls/pictures/2[.]url
/fxbulls/pictures/a2[.]zip
/fxbulls/pictures/a2[.]zip/a2[.]cmd
/fxbulls/pictures/a2[.]zip
/fxbulls/pictures/b3[.]dll
/fxbulls/pictures/7z[.]dll
/fxbulls/pictures/7z[.]exe
/fxbulls/pictures/photo_2023-12-29s[.]jpg
/fxbulls/pictures/My2[.]zip
/fxbulls
/fxbulls/images
/fxbulls/images/photo_2023-12-29[.]jpg[.]url
/fxbulls/images/Thumbs[.]db
/fxbulls/images/2[.]url
/fxbulls/images/a2[.]zip
/fxbulls/images/a2[.]zip/a2[.]cmd
/fxbulls/images/a2[.]zip
/fxbulls/images/b3[.]dll
/fxbulls/images/7z[.]dll
/fxbulls/images/7z[.]exe
/fxbulls/images/photo_2023-12-29s[.]jpg
/fxbulls/images/My2[.]zip
/fxbulls/net
/fxbulls/net/photo_2023-12-29[.]jpg[.]url
/fxbulls/net/Thumbs[.]db
/fxbulls/net/2[.]url
/fxbulls/net/a2[.]zip
/fxbulls/net/a2[.]zip/a2[.]cmd
/fxbulls/net/a2[.]zip
/fxbulls/net/b3[.]dll
/fxbulls/net/7z[.]dll
/fxbulls/net/7z[.]exe
/fxbulls/net/photo_2023-12-29s[.]jpg
/fxbulls/net/My2[.]zip
/underwall/docs
/underwall/docs/7z[.]zip
/underwall/docs/passport[.]jpg[.]url
/underwall/docs/warop[.]url
/underwall/expand
/underwall/expand/7z[.]zip
/underwall/expand/photo_2023-12-26[.]jpg[.]url
/underwall/expand/warop[.]url
/underwall/society
/underwall/society/7z[.]zip
/underwall/society/photo_2023-12-26[.]jpg[.]url
/underwall/society/warop[.]url

[DOMAINS]
fxbulls[.]ru
87iavv[.]com
unfawjelesst322[.]com
p2oaviwt39ui[.]com

[WEBDAV]
\\84[.]32[.]189[.]74@80
\\84[.]32[.]189[.]74@80
\\84[.]32[.]189[.]74@80\pictures
\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\pictures\Thumbs[.]db
\\84[.]32[.]189[.]74@80\pictures\2[.]url
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
\\84[.]32[.]189[.]74@80\pictures\b3[.]dll
\\84[.]32[.]189[.]74@80\pictures\7z[.]dll
\\84[.]32[.]189[.]74@80\pictures\7z[.]exe
\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\pictures\My2[.]zip
\\84[.]32[.]189[.]74@80
\\84[.]32[.]189[.]74@80\images
\\84[.]32[.]189[.]74@80\images\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\images\Thumbs[.]db
\\84[.]32[.]189[.]74@80\images\2[.]url
\\84[.]32[.]189[.]74@80\images\a2[.]zip
\\84[.]32[.]189[.]74@80\images\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\images\a2[.]zip
\\84[.]32[.]189[.]74@80\images\b3[.]dll
\\84[.]32[.]189[.]74@80\images\7z[.]dll
\\84[.]32[.]189[.]74@80\images\7z[.]exe
\\84[.]32[.]189[.]74@80\images\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\images\My2[.]zip
\\84[.]32[.]189[.]74@80\net
\\84[.]32[.]189[.]74@80\net\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\net\Thumbs[.]db
\\84[.]32[.]189[.]74@80\net\2[.]url
\\84[.]32[.]189[.]74@80\net\a2[.]zip
\\84[.]32[.]189[.]74@80\net\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\net\a2[.]zip
\\84[.]32[.]189[.]74@80\net\b3[.]dll
\\84[.]32[.]189[.]74@80\net\7z[.]dll
\\84[.]32[.]189[.]74@80\net\7z[.]exe
\\84[.]32[.]189[.]74@80\net\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\net\My2[.]zip
\\84[.]32[.]189[.]74@80\docs
\\84[.]32[.]189[.]74@80\docs\7z[.]zip
\\84[.]32[.]189[.]74@80\docs\passport[.]jpg[.]url
\\84[.]32[.]189[.]74@80\docs\warop[.]url
\\84[.]32[.]189[.]74@80\expand
\\84[.]32[.]189[.]74@80\expand\7z[.]zip
\\84[.]32[.]189[.]74@80\expand\photo_2023-12-26[.]jpg[.]url
\\84[.]32[.]189[.]74@80\expand\warop[.]url
\\84[.]32[.]189[.]74@80\society
\\84[.]32[.]189[.]74@80\society\7z[.]zip
\\84[.]32[.]189[.]74@80\society\photo_2023-12-26[.]jpg[.]url
\\84[.]32[.]189[.]74@80\society\warop[.]url

[IP ADDRESSES]
84[.]32[.]189[.]74
179[.]43[.]172[.]127
179[.]43[.]172[.]191
64[.]31[.]63[.]70
64[.]31[.]63[.]194

[FILES]                                                           [DETECTION NAME]
1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0  Trojan.HTML.CVE202421412.A
758c6364ab560fbeff2bfa8712a2e09132d85d0bf6918e6acc79fe12f5b71ec3  Trojan.HTML.CVE202421412.A
77d685e29c3dbe75fa8a82c69c68c731a09904020a76145ca27aeaf0058455cd  Trojan.HTML.CVE202421412.A
b36dc329a5dc766c2645d5f5b6cdaa9542ec3b0aa1bc13dc1f899ce6d95d59fb  Trojan.HTML.CVE202421412.A
d895fff3c909ea2eb6624fc5f154c924fe0af51c6c899fd9093dc3cd27a5dad2  Trojan.HTML.CVE202421412.A
008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab  Trojan.Win32.CVE202421412.A
087878208755420d5d7ae2eb6a84482768cb8972732911ac16096cd0c95fa0f7  Trojan.Win32.CVE202421412.A
1115e4bed3949493d8ab184e5c42f047355f13b9bf91c1621acb7971a148bea2  Trojan.Win32.CVE202421412.A
18b1dc2e00245cb017ebdedfe63881929d7542eeffa8f42ee0ad20cc2ebf181a  Trojan.Win32.CVE202421412.A
1956bcd3df47e76b2e9f396514f072311563d092ae02509f817c488567749998 Trojan.Win32.CVE202421412.A 1fbc621a71578cb22d4e3a0feec68735321358a3aeb18adbe4a20630c7f788b8 Trojan.Win32.CVE202421412.A 39fb9fb06910f1133f3b23c523a5139f61d243380802b0670a664473d00e1fa9 Trojan.Win32.CVE202421412.A 3e420ce1dc1a8503f48815b880381dd23206e08be2474d151f1353df7df2d796 Trojan.Win32.CVE202421412.A 4201ab8c0c4cf0f01f5a25d8e4e7221634776b5bad8c3faad5ad819ec58619ad Trojan.Win32.CVE202421412.A 58b0f5da4a53e956b35e77f55ced641291a596e16067b1dab6ac54d9cb6a52a5 Trojan.Win32.CVE202421412.A 5b16ac1edb747053ee5a085ab826c61218c5b471eaa04f2471dc2e80b5621023 Trojan.Win32.CVE202421412.A 5c85a0fe230d351b35da364c797cc95557f5dcceec034eb648e1805237c7203b Trojan.Win32.CVE202421412.A 5f4ef55201080ef3a62b0fbdc4c27e0ccdf4041f41c04471f35b127ff6515405 Trojan.Win32.CVE202421412.A 61de01bc154b1118caacfed3839c996a795d6c21c2efbf1da6b926414f5d182d Trojan.Win32.CVE202421412.A 65cc5594b307c2ac4e3c251aeae68dedf7d1f24ba3b0d7ab5ad3623e8a9fc865 Trojan.Win32.CVE202421412.A 6793e0fbc2def9173bf8e2a6c1aa357ba7fc3e32dc1cf81107677166f175c890 Trojan.Win32.CVE202421412.A 6bec457f83d0d98f6f6ea1243c2327e012db38fb61680f6bd68dbab0dc07170a Trojan.Win32.CVE202421412.A 7058ae0f02e116b38536ee1ec20f47645aecf761361b5a5e85de2961f3cc88c6 Trojan.Win32.CVE202421412.A 70b4c2d696a24a5ae2f5e5095dc44e68b4605e4690c8a49930194ee87eb80252 Trojan.Win32.CVE202421412.A 73922ab0d048b45a01f13ba967f1423bc6cd6cc711f8e7d00a4cf2b1d3646f4e Trojan.Win32.CVE202421412.A 761fa42bc4cc5332a640c7389240324242981176ca1626e4267cc8a00cf9545f Trojan.Win32.CVE202421412.A 88bb1df99e02021801b08beeff87ec3ceb9e16c42f62904c5ac04c1a26213a48 Trojan.Win32.CVE202421412.A 941cf63028bf8314bc7114a088f4d1f1dd995bec4a4b7c51fda34fbb3528667f Trojan.Win32.CVE202421412.A a45e0ea5a17ba6f3a2ce7258f6cc81c6f93f37873b49218a25ec638987da6f96 Trojan.Win32.CVE202421412.A a5096c4624a523a660242e3451c2f4d644431a35098e36b724fab9f7d88d145d Trojan.Win32.CVE202421412.A 
a9633da58719f07159702101474b6ba78f2ffee28b3f7ebda3feb36db4e2d0e9 Trojan.Win32.CVE202421412.A b0ab19986ab1297870854980f1287f1a4b8d003c540773a6c04fb3565e5701ee Trojan.Win32.CVE202421412.A b350a787c19a756c0824e14eec7e9d746450d1aafb28a5d15209ec9f34c58129 Trojan.Win32.CVE202421412.A b738e92afc95cba819aa7aebfad459de38743c478e9e8b8f29f9919697b495b0 Trojan.Win32.CVE202421412.A b8b6b6d98b7ea689f0c33d55a06afcf20482b25c51929ca9a1b302374290b337 Trojan.Win32.CVE202421412.A babbd9c94dedb94be8baac2ddc5b4714c44a8d0c60d49c0dc91708784bc0d57f Trojan.Win32.CVE202421412.A bbdf52481bd1a15710d75b89240c7a360450e2f4f00ba2cb140affba79ebec94 Trojan.Win32.CVE202421412.A c86ba0da732e1fa1f06549d3ebc5ae6ae091199e95930681ac2a9152a8834184 Trojan.Win32.CVE202421412.A d6000a19198b8b9719fc17f7c06366e542802a8e7e232ba731b72c31226cc890 Trojan.Win32.CVE202421412.A d81e7d95004441ea4f5344215232db57f48579bf335c7ba4ed7f6ec6f9136ed0 Trojan.Win32.CVE202421412.A db1bc70c0d0c7121f1d4422a6fcd0e0668d9da786affb52dd77852641e425710 Trojan.Win32.CVE202421412.A ddda5737b2c3207d72d728bf40709a7296c31e7c50951dcad441f4707581ccb1 Trojan.Win32.CVE202421412.A e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1 Trojan.Win32.CVE202421412.A e49a7d9083b2e448274d117405c39b0c1b2c0c20ab5195bdf94aaeda7cc113d7 Trojan.Win32.CVE202421412.A f44964c8fdf6dbdb21c141df61b45467bba5a4482f7ab19fd6f1841fdb791f2a Trojan.Win32.CVE202421412.A f6b01df60d526f1de530230724d41b482adfff81084a1872bb97c316b76e45e3 Trojan.Win32.CVE202421412.A f701f500d348b63f3250239cd8305a8b38230e67d74456f3333c6efeeef85bbb Trojan.Win32.CVE202421412.A fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90 Trojan.Win32.CVE202421412.A 4307a067db6b6abd852441e6d70de29c3bd0e4d6a68f0449b403401518b7e037 Trojan.Win32.CVE202421412.B 69fc5bed55acf559035f2c5550bf8807236b580f8e2db88966b3fc80c83914d3 Trojan.Win32.CVE202421412.B 4c43b4575063d50ca5668e45a434aaf288970c89e8a4414812560ee787307f58 Trojan.Win32.CVE202421412.B 
135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c Trojan.Win32.DARKME.A 252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146 Trojan.Win32.DARKME.A 594e7f7f09a943efc7670edb0926516cfb3c6a0c0036ac1b2370ce3791bf2978 Trojan.Win32.DARKME.A 6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49 Trojan.Win32.DARKME.A 71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc Trojan.Win32.DARKME.A b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb Trojan.Win32.DARKME.A bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c Trojan.Win32.DARKME.A dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54 Trojan.Win32.DARKME.A