IOC - Royal Ransomware

Conteúdo do arquivo

#Enderecos IP Maliciosos:
102.157.44.105
105.158.118.241
105.69.155.85
113.169.187.159
134.35.9.209
139.195.43.166
139.60.161.213
148.213.109.165
163.182.177.80
181.141.3.126
181.164.194.228
185.143.223.69
186.64.67.6
186.86.212.138
190.193.180.228
196.70.77.11
197.11.134.255
197.158.89.85
197.204.247.7
197.207.181.147
197.207.218.27
197.94.67.207
23.111.114.52
41.100.55.97
41.107.77.67
41.109.11.80
41.251.121.35
41.97.65.51
42.189.12.36
45.227.251.167
5.44.42.20
61.166.221.46
68.83.169.91
81.184.181.215
82.12.196.197
98.143.70.147
140.82.48.158
147.135.36.162
147.135.11.223
152.89.247.50
179.43.167.10
185.7.214.218
193.149.176.157
193.235.146.104
209.141.36.116
45.61.136.47
45.8.158.104
5.181.234.58
5.188.86.195
77.73.133.84
89.108.65.136
94.232.41.105
47.87.229.39

#Dominios Maliciosos
ciborkumari.xyz
sombrat.com
gororama.com
softeruplive.com
altocloudzone.live
ciborkumari.xyz
myappearinc.com
parkerpublic.com
pastebin.mozilla.org/Z54Vudf9/raw
tumbleproperty.com
myappearinc.com/acquire/draft/c7lh0s5jv

#Ferramentas e respectivos Hashes (SHA256)
AV tamper 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel) 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk) 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals) 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep) f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Executável d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Executável b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c
Executável 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725
Windows Command Line (NirCmd) 216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo) 19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618

#Scripts Bash e respectivos hashes:
2.bat 585b05b290d241a249af93b1896a9474128da969
3.bat 41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat c96154690f60a8e1f2271242e458029014ffe30a
kl.bat 65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat 82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat 74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat 342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE