REvil Ransomware Targeted Kaseya

 


REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. 

Indicators of Compromise

URLs/Domains:



 
IPs/Subnets

91.218.114.0/24
195.189.99.74
45.86.163.78

Hashes


 
