Updated Indicator of compromise (IoC) of FASTCash 2.0
by CIRT Team
Short Description:
About BeagleBoyz: “BeagleBoyz ” is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT 38.
The primary modus operandi (not limited to) of the BeagleBoyz is social engineering, spearphishing, and watering hole tactics. Contained within the Malware Analysis Reports (MAR) cited above are unique malware samples that are a combination of remote access tools/trojans (RAT), a tunneling proxy tool, keylogger/screen capturing, and man in the middle attacks—all specifically targeting ISO 8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries
BGD e-GOV CIRT detect possible Updated Indicator of compromise (IoC) of FASTCash 2.0, from its (BGD e-GOV CIRT) trusted sources.
Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
| Indicator type | Indicator |
| FileHash-SHA256 | 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 |
| FileHash-SHA256 | d928b1c1096e636463afbd19f40a6b325e159196b4497895748c31535ea503dc |
| FileHash-SHA256 | 16251b20e449d46e2b431c3aed229cd1f43f1ff18db67cc5a7fa7dd19673a9bc |
| FileHash-SHA256 | f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9 |
| FileHash-SHA256 | 0e3552c8232e007f421f241ea4188ea941f4d34eab311a5c2341488749d892c7 |
| FileHash-SHA256 | 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756 |
| FileHash-SHA256 | 2938200b7c0300c31aa458860b9f4f684f4f3f5893ab0f1d67c9d797168cad17 |
| FileHash-SHA256 | a1f06d69bd6379e310b10a364d689f21499953fa1118ec699a25072779de5d9b |
| FileHash-SHA256 | d48b211533f37e082a907d4ee3b0364e5a363f1da14f74a81b187e1ce19945a8 |
| FileHash-SHA256 | f9d29b21bb93004cea6431e79f7aa24b9cc419289ca04c0353d9e3db3c587930 |
| FileHash-MD5 | 4c26b2d0e5cd3bfe0a3d07c4b85909a4 |
| FileHash-MD5 | cf733e719e9677ebfbc84a3ab08dd0dc |
| FileHash-MD5 | 41fd85ff44107e4604db2f00e911a766 |
| FileHash-MD5 | 5cfa1c2cb430bec721063e3e2d144feb |
| FileHash-MD5 | 52ec074d8cb8243976963674dd40ffe7 |
| FileHash-MD5 | f34b72471a205c4eee5221ab9a349c55 |
| FileHash-MD5 | 01d397df2a1cf1d4c8e3615b7064856c |
| FileHash-MD5 | b484b0dff093f358897486b58266d069 |
| FileHash-MD5 | 4f67f3e4a7509af1b2b1c6180a03b3e4 |
| FileHash-MD5 | d1d779314250fab284fd348888c2f955 |
| FileHash-SHA1 | c1a9044f180dc7d0c87e256c4b9356463f2cb7c6 |
| FileHash-SHA1 | 71f1bf658e0adb69240546df2bb95005e7e70f33 |
| FileHash-SHA1 | 157cfb98caa48c2adb3475305c88986e777d9aa3 |
| FileHash-SHA1 | 43a7858a0564c500e7f248762353f5b1ec3f3ef8 |
| FileHash-SHA1 | e8b58b9db83b4902a607559301f6985763d2647a |
| FileHash-SHA1 | a0ebe36c61d4de405fe531ecf013720a3d56d5a1 |
| FileHash-SHA1 | 810c7f2c3d045b7c755fb29646297a221cff163f |
| FileHash-SHA1 | 51b9d982abf1d866ed4e86e63dfee548c2f5a3fd |
| FileHash-SHA1 | 1c9a437ed876a0ce0e5374bd93acdfd9e9023f1f |
| FileHash-SHA1 | a20ef335481c2b3a942df1879fca7762f2c69704 |
| YARA | 32fda75483f01579b78607113799a19382d72f4d |
| YARA | bbea5a6a1e6ad2446f2dc23414fbf0ca6dc834f6 |
| YARA | b9d1e879e11d6ce46fa206879cb516d74e024b5e |
| YARA | ace0684fa59024586a396bfd428af8fc5521494e |
| FileHash-SHA256 | 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852 |
| FileHash-SHA256 | c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec |
| FileHash-SHA256 | 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0 |
| FileHash-SHA256 | a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118 |
| FileHash-SHA256 | 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 |
| FileHash-SHA256 | f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de |
| FileHash-SHA256 | 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1 |
| FileHash-SHA256 | aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 |
| FileHash-SHA256 | 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b |
| FileHash-SHA256 | 9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e |
| FileHash-SHA256 | efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e |
| FileHash-MD5 | 3122b0130f5135b6f76fca99609d5cbe |
| FileHash-MD5 | d45931632ed9e11476325189ccb6b530 |
| FileHash-MD5 | 889e320cf66520485e1a0475107d7419 |
| FileHash-MD5 | c4141ee8e9594511f528862519480d36 |
| FileHash-MD5 | a2b1a45a242cee03fab0bedb2e460587 |
| FileHash-MD5 | 97aaf130cfa251e5207ea74b2558293d |
| FileHash-MD5 | acd15f4393e96fe5eb920727dc083aed |
| FileHash-MD5 | 34404a3fb9804977c6ab86cb991fb130 |
| FileHash-MD5 | 40e698f961eb796728a57ddf81f52b9a |
| FileHash-MD5 | bda82f0d9e2cb7996d2eefdd1e5b41c4 |
| FileHash-MD5 | dfd09e91b7f86a984f8687ed6033af9d |
| FileHash-SHA1 | f5fc9d893ae99f97e43adcef49801782daced2d7 |
| FileHash-SHA1 | 9ff715209d99d2e74e64f9db894c114a8d13229a |
| FileHash-SHA1 | c92529097cad8996f3a3c8eb34b56273c29bdce5 |
| FileHash-SHA1 | b345e6fae155bfaf79c67b38cf488bb17d5be56d |
| FileHash-SHA1 | 2b22d9c673d031dfd07986906184e1d31908cea1 |
| FileHash-SHA1 | 081d5bd155916f8a7236c1ea2148513c0c2c9a33 |
| FileHash-SHA1 | c7e7dd96fefca77bb1097aeeefef126d597126bd |
| FileHash-SHA1 | 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c |
| FileHash-SHA1 | ce6bc34b887d60f6d416a05d5346504c54cff030 |
YARA(Another Recursive Acronym) is the name of a tool primarily used in malware research and detection.
32fda75483f01579b78607113799a19382d72f4d
rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan { meta: Author = "CISA Trusted Third Party" Incident = "10301706.r2.v1" Date = "2020-08-11" Actor = "Hidden Cobra" Category = "Backdoor Dropper Proxy Spyware Trojan" Family = "TWOPENCE" Description = "Detects strings in TWOPENCE proxy tool" MD5_1 = "40e698f961eb796728a57ddf81f52b9a" SHA256_1 = "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118" MD5_2 = "dfd09e91b7f86a984f8687ed6033af9d" SHA256_2 = "aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83" MD5_3 = "bda82f0d9e2cb7996d2eefdd1e5b41c4" SHA256_3 = "f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de" MD5_4 = "97aaf130cfa251e5207ea74b2558293d" SHA256_4 = "9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852" MD5_5 = "889e320cf66520485e1a0475107d7419" SHA256_5 = "8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1" strings: $cmd1 = "ssylka" $cmd2 = "ustanavlivat" $cmd3 = "poluchit" $cmd4 = "pereslat" $cmd5 = "derzhat" $cmd6 = "vykhodit" $cmd7 = "Nachalo" $cmd8 = "kliyent2podklyuchit" $frmt1 = "Host: %s%s%s:%hu" $frmt2 = "%s%s%s%s%s%s%s%s%s%s" condition: (4 of ($cmd*)) and (1 of ($frmt*)) } |
bbea5a6a1e6ad2446f2dc23414fbf0ca6dc834f6
rule CISA_10257062_01 : ATM_Malware |
b9d1e879e11d6ce46fa206879cb516d74e024b5e
rule CISA_3P_10257062 : HiddenCobra FASTCASH trojan { meta: Author = "CISA Trusted Third Party" Incident = "10257062" Date = "2020-08-11" Actor = "Hidden Cobra" Category = "Trojan" Family = "FASTCASH" Description = "Detects HiddenCobra FASTCASH samples" MD5_1 = "a2b1a45a242cee03fab0bedb2e460587" SHA256_1 = "5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b" strings: $sn_config_key1 = "Slsklqc^mNgq`lyznqr[q^123" $sn_config_key2 = "zRuaDglxjec^tDttSlsklqc^m" $sn_logfile1 = "C:\\intel\\_DMP_V\\spvmdl.dat" $sn_logfile2 = "C:\\intel\\_DMP_V\\spvmlog_%X.dat" $sn_logfile3 = "C:\\intel\\_DMP_V\\TMPL_%X.dat" $sn_logfile4 = "C:\\intel\\mvblk.dat" $sn_logfile5 = "C:\\intel\\_DMP_V\\spvmsuc.dat" condition: all of ($sn*) } |
ace0684fa59024586a396bfd428af8fc5521494e
rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan { meta: Author = "CISA Trusted Third Party" Incident = "10301706.r1.v1" Date = "2020-08-11" Actor = "Hidden Cobra" Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan" Family = "ECCENTRICBANDWAGON" Description = "Detects strings in ECCENTRICBANDWAGON proxy tool" MD5_1 = "d45931632ed9e11476325189ccb6b530" SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e" MD5_2 = "acd15f4393e96fe5eb920727dc083aed" SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8" MD5_3 = "34404a3fb9804977c6ab86cb991fb130" SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec" MD5_4 = "3122b0130f5135b6f76fca99609d5cbe" SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e" strings: $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD } $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD } $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 } $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase condition: any of them } |
Yara Rule Acknowledged by: www.cisa.gov
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
