Indicators of Compromise: Everisso-Csirt
Company: everis
Owner: everisSO-CSIRT
SEG00000203
Indicators of Compromise
www.everis.com
Index
1. Indicators of compromise ........ 3
   Compromised website ............. 3
   Malicious file .................. 4
   Lateral movement ................ 4
   Infection ....................... 4
-2- everisSO-CSIRT
1. Indicators of compromise
Compromised website
A compromised website whose source code was modified to display a fake browser update prompt to visitors.
Indicators of Compromise

Description            Type    Indicator
Compromised website    URL     hxxps://esancendoc[.]esan[.]edu[.]pe/
[1] https://github.com/EmpireProject/Empire
Malicious file
Indicators of Compromise

Description                                   Type      Indicator
Chrome.Update.3f61f4.js                       MD5       a9db3444e9c50da5ce6845ccc116255c
                                              MD5       c1a5725f45e6a35bd82852210e29f941
URL to download the malware                   URL       hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3
EMOTET - crhome.update.3f61f4.exe             SHA256    628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c
                                              IP:Port   IP: 195.123.213.19
                                                        Port: 443
EMOTET - d0409052256c6efc85b155f58cc03f70.exe SHA256    1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
Lateral movement
Indicators of Compromise

Description             Type                       Indicator
Empire Framework [1]    Attacker's IP and port     IP: 185.92.74.215
                                                   Port: 443
Infection
Indicators of Compromise

Description                       Type      Indicator
BitPaymer/IEncrypt - evrs.exe     SHA256    bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f