================================================================================
INDICATORS OF COMPROMISE (IoCs)
SHADOW-EARTH-053 & SHADOW-EARTH-054 | Threat Intelligence Report
================================================================================
NOTE: All indicators are defanged. Replace [.] with . before use in tooling.
================================================================================

--------------------------------------------------------------------------------
FILE HASHES
--------------------------------------------------------------------------------

[ShadowPad loader — graphics-hook-filter32.dll]
SHA-256   f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745
SHA-1     2dc1ad07b7529af3ba5c11a58519681909971a81
Analysis  TROJ_FRS.VSNTDH26

SHA-256   0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed
SHA-1     3229ba46dd54802093c81e6e2123fd1520faf960
Analysis  TROJ_FRS.VSNTDH26

SHA-256   0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9
SHA-1     128f3ad395f86be6569ef2a957d42902a910de6c
Analysis  TROJ_FRS.VSNTDH26

SHA-256   4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265

SHA-256   a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89

SHA-256   83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3
SHA-1     9a83466f6c34e588ba3e99d6cbfac0102e173cdd
Analysis  TROJ_FRS.VSNTDH26

SHA-256   996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb
SHA-1     9244cd99a27a8741a78e0b449cea063fdcfb0090
Analysis  TROJ_FRS.VSNTGU25

SHA-256   3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a
SHA-1     8a5ac2682d70eacff7eb554e242227c82e2baa94
Analysis  TROJ_FRS.VSNTDH26

SHA-256   a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce
SHA-1     31b3dd9ee46805b0ed6e6dd6a5ee17facadfd2ff
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ShadowPad loader — imjp14k.dll]
SHA-256   5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6
SHA-1     3f858c007d4d49dd7fa260bcc786c34d4f78dbf5
Analysis  Backdoor.Win32.SHADOWPAD.YXGDBZ

SHA-256   41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99

SHA-256   2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255
SHA-1     579bc9a640ac939b1f75eda852815f063cebd332
Analysis  TROJ_FRS.VSNTDH26

SHA-256   f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c
SHA-1     824f13f758ce278f72a4aeaf1e15a703d5107dd7
Analysis  TROJ_FRS.VSNTKS25

SHA-256   5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe
SHA-1     ec38a56f9368eac67106a4ad61538e12053f03d1
Analysis  TROJ_FRS.VSNTDH26

SHA-256   eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ShadowPad loader — uxtheme.dll]
SHA-256   75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51
SHA-1     35cc0b684b0906aed9d672a1a8635510fe91aa67
Analysis  TROJ_FRS.VSNTDH26

SHA-256   0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36
SHA-1     2dd614427b80cdd38e8bbe0ace24a484671c0da2
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ShadowPad loader — MPS.dll]
SHA-256   97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e
SHA-1     4541e55b70ca12ae4a79e38c0b4c31f067eb5cdc
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[IOX Proxy]
SHA-256   b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3
SHA-1     36061be6ccd17e87e3d1ef15f8e7058f279439d1
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[EVILCREATEDUMP]
SHA-256   0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9
SHA-1     861a686461ad830b268977808ba56730616c7684
Analysis  Normal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[SHADOW-EARTH-053 — Mdync.exe]
SHA-256   3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[SHADOW-EARTH-053 loader — found by infrastructure pivoting]
SHA-256   884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2
SHA-1     95015643ecb3ba321b8cff8eca2907e5356e8659
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Possible RDP Launcher]
SHA-256   26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Privileged Process Launcher]
SHA-256   8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[TosBtKbd.dll Custom Registry Loader]
SHA-256   e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020
SHA-1     ac7ffce58c70fb9f837e11a44d655d6c28e276f5
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[data.aspx webshell]
SHA-256   03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ExchangeExport.exe]
SHA-256   d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Newdcsync.exe]
SHA-256   0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[RingQ.exe]
SHA-256   23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7
SHA-1     e1bcf36ed2f7a60dd0dde52abf11c942e2657e31
Analysis  Normal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[SHADOW-EARTH-054 malware]
SHA-256   55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd
SHA-1     b8d586d376b342b08b3dd8a77c788480e025ad12
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[SHADOW-EARTH-054 loader]
SHA-256   c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[DomainMachines.exe — Custom discovery tool]
SHA-256   165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[IOX (code.exe)]
SHA-256   1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Unknown proxy (code.exe / tunnel-core.exe)]
SHA-256   4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[GOST tunnel (gost.exe)]
SHA-256   188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa
SHA-1     211e1fc502152ea272edb5a81a5b4405a28c48f9
Analysis  TROJ_FRS.VSNTDH26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Wstunnel (wt.exe)]
SHA-256   9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df
SHA-1     ebfd92291714e6d7e57cf4830aa8f87950b796bb
Analysis  Normal

--------------------------------------------------------------------------------
DOMAINS
--------------------------------------------------------------------------------

[ShadowPad C&C — TrendAI telemetry]
time[.]microsofttrends[.]com
erp[.]kaspersky[.]icu

[Infrastructure Hunting]
dns[.]dnsmap[.]icu
cert[.]kaspersky[.]icu
news[.]kaspersky[.]icu
ns1[.]kaspersky[.]icu
ns2[.]kaspersky[.]icu
www[.]kaspersky[.]icu
dns[.]dnserver[.]life
nslookup[.]dnserver[.]life
router[.]dnserver[.]life
ww12[.]dnserver[.]life
ns1[.]group-ib[.]icu
ns2[.]group-ib[.]icu
www[.]group-ib[.]icu
check[.]dnsmaps[.]com

[Infrastructure Hunting — Malware Hosting]
update[.]kaspersky[.]icu

[NOODLERAT C&C]
check[.]office365-update[.]com

[SHADOW-EARTH-054 C&C]
zimbra-beta[.]info
zimbra[.]life
microsi0ft[.]com

--------------------------------------------------------------------------------
IP ADDRESSES
--------------------------------------------------------------------------------

[SHADOW-EARTH-053 C&C]
141[.]164[.]46[.]77
96[.]9[.]125[.]227

[SHADOW-EARTH-053 Malware Hosting — TrendAI telemetry]
194[.]38[.]11[.]3

[SHADOW-EARTH-054 VShell C&C]
209[.]141[.]40[.]254

[SHADOW-EARTH-054 IOX Proxy]
45[.]61[.]62[.]172

--------------------------------------------------------------------------------
URLS
--------------------------------------------------------------------------------

[SHADOW-EARTH-054 VShell C&C]
hxxp://209[.]141[.]40[.]254:8443/update

================================================================================
END OF DOCUMENT
================================================================================
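The NOTE at the top says to replace [.] with . before feeding these indicators to tooling. The script below is an added example, not part of the report: it parses this plain-text layout (bracketed context labels, SHA-256 / SHA-1 / Analysis lines, dashed separators, bare domain/IP/URL lines), refangs the [.] and hxxp forms, rejects any digest that is not the right number of hex characters (a truncated hash copied from a report silently matches nothing in a blocklist), and classifies each network indicator. The embedded SAMPLE_REPORT is a constructed excerpt in the report's layout with a handful of values copied from the page; handling of the (.) and [:] defanging styles is an assumption beyond what the report uses.

```python
"""Parse a defanged plain-text IoC report and refang it for tooling.

Added example; not part of the original report. SAMPLE_REPORT is a
constructed excerpt in the report's own layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPORT = """\
[ShadowPad loader — graphics-hook-filter32.dll]
SHA-256   f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745
SHA-1     2dc1ad07b7529af3ba5c11a58519681909971a81
Analysis  TROJ_FRS.VSNTDH26

SHA-256   4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------------------------------------------------------------
DOMAINS
--------------------------------------------------------------------------------
[SHADOW-EARTH-054 C&C]
zimbra-beta[.]info
microsi0ft[.]com
[SHADOW-EARTH-054 VShell C&C]
209[.]141[.]40[.]254
hxxp://209[.]141[.]40[.]254:8443/update
"""

HEX = re.compile(r"^[0-9a-f]+$", re.I)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
URL = re.compile(r"^https?://", re.I)
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
SEPARATOR = re.compile(r"^[-=\s]+$")  # '====' / '----' banners and '- - -' rules
DIGEST_LEN = {"SHA-256": 64, "SHA-1": 40}


@dataclass
class FileIndicator:
    label: str            # bracketed context line the hash sits under
    sha256: str
    sha1: Optional[str] = None
    analysis: Optional[str] = None


@dataclass
class NetworkIndicator:
    label: str
    kind: str             # "domain" | "ipv4" | "url"
    value: str            # refanged, ready for tooling


def refang(value: str) -> str:
    """Undo the report's defanging ('[.]' and 'hxxp'); '(.)' and '[:]' are
    other common styles handled here as an assumption."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)", ".", v)
    v = re.sub(r"\[:\]", ":", v)
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)


def classify(value: str) -> str:
    m = IPV4.match(value)
    if m and all(int(o) <= 255 for o in m.groups()):
        return "ipv4"
    if URL.match(value):
        return "url"
    if DOMAIN.match(value):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


def check_hash(algo: str, digest: str) -> str:
    """Normalise to lowercase and refuse anything that is not a full digest."""
    digest = digest.strip().lower()
    if len(digest) != DIGEST_LEN[algo] or not HEX.match(digest):
        raise ValueError(f"{algo} digest is not {DIGEST_LEN[algo]} hex chars: {digest!r}")
    return digest


def parse_report(text: str) -> tuple[list[FileIndicator], list[NetworkIndicator]]:
    files: list[FileIndicator] = []
    network: list[NetworkIndicator] = []
    label, current = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line) or line.startswith("NOTE:"):
            continue
        if line.startswith("[") and line.endswith("]"):
            label, current = line[1:-1], None      # new context group
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "SHA-256":                        # a SHA-256 line opens a file entry
            current = FileIndicator(label, check_hash("SHA-256", rest))
            files.append(current)
        elif key in ("SHA-1", "Analysis"):          # these attach to the open entry
            if current is None:
                raise ValueError(f"{key} line with no preceding SHA-256: {line!r}")
            if key == "SHA-1":
                current.sha1 = check_hash("SHA-1", rest)
            else:
                current.analysis = rest.strip()
        elif len(parts) == 1 and not (key.isupper() and "." not in key):
            value = refang(key)                     # bare domain / IP / URL line
            network.append(NetworkIndicator(label, classify(value), value))
        # anything else is a section title ("FILE HASHES", "DOMAINS", ...): skipped
    return files, network


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT)[0]:
        print(f"{f.sha256}  {f.sha1 or '-':40}  {f.analysis or '-':20}  {f.label}")
    for n in parse_report(SAMPLE_REPORT)[1]:
        print(f"{n.kind:6}  {n.value:40}  {n.label}")
```

Run it on the full report (`parse_report(open("iocs.txt").read())`) to get the refanged values for a blocklist or a SIEM lookup; the digest-length check is what catches a hash that lost characters in copy-paste, which is the usual way an IoC list quietly stops matching.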