README.adoc Fix formatting in mispadu README for GitHub Asciidoc renderer Nov 20, 2019
samples.md5 Added IoCs for Mispadu Nov 19, 2019
samples.sha1 Added IoCs for Mispadu Nov 19, 2019
samples.sha256 Added IoCs for Mispadu Nov 19, 2019

README.adoc

Mispadu Indicators of Compromise

The blog post about Mispadu "Mispadu: advertisement for a discounted Unhappy Meal" is available on WeLiveSecurity at https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/.

Hashes

Brazilian campaign

|===
| SHA-1 | Description | ESET detection name

| A4EDA0DD2C33A644FEEF170F5C24CF7595C19017 | MSI installer | VBS/TrojanDownloader.Agent.RVY
| A9BADCBF3BD5C22EEB6FAF7DB8FC0A24CF18D121 | Mispadu injector | Win32/Injector.EHXF
| 337892E76F3B2DF0CA851CCF4479E56EAF2DB8FD | Mispadu banking trojan | Win32/Spy.Mispadu.C
| A8CD12CC0BBD06F14AA136EA5A9A2E299E450B18 | Mispadu banking trojan | Win32/Spy.Mispadu.C
|===

Mexican campaign

|===
| SHA-1 | Description | ESET detection name

| CFE21DBFB97C2E93F099D351DE54099A3FC0C98B | MSI installer | VBS/TrojanDownloader.Agent.RVY
| 251AC7386D1B376FB1CB0E02BDFC45472387C7BC | Mispadu injector | Win32/Injector.EHXF
| A4FC4162162A02CE6FEADFE07B22465686A0EC39 | Mispadu banking trojan | Win32/Spy.Mispadu.J
| 710A20230B9774B3D725539385D714B2F80A5599 | Mispadu banking trojan | Win32/Spy.Mispadu.J
|===

Google Chrome extension

|===
| SHA-1 | Description | ESET detection name

| 3486F6F21034A33C5425A398839DE80AC88FECA8 | Component 1 (manipulating windows) | JS/Spy.Banker.DQ
| 1D19191FB2E9DED396B6352CBF5A6746193D05E8 | Component 2 (credit cards) | JS/Spy.Banker.DQ
| 22E6EBDFAB7C2B07FF8748AFE264737C8260E81E | Component 3 (banking and Boleto data) | JS/Spy.Banker.DQ
|===

Potentially unwanted applications for credential theft

|===
| SHA-1 | Description | ESET detection name

| 63DCBE2DB9CC14564EB84D5E953F2F9F5C54ACD9 | Email client credential stealer | Win32/PSWTool.MailPassView.E
| 8B950BF660AA7B5FB619E1F6E665D348BF56C86A | Google Chrome credential stealer | Win32/PSWTool.ChromePass.A
| F6021380AD6E26038B5629189A7ADA5E0022C313 | Mozilla Firefox credential stealer | Win32/PSWTool.PassFox.F
| 76F70276EB95FFEC876010211B7198BCBC460646 | Internet Explorer credential stealer | Win32/PSWTool.IEPassView.NAH
|===

Filenames

  • C:\Users\Public\%COMPUTERNAME%[1]

  • C:\Users\Public\%COMPUTERNAME%[1]_

  • C:\Users\Public\{winx86,libeay32,ssleay32}.dll (legitimate DLLs downloaded by the loader script; partial indicator)

Servers used

  • http://18.219.25.133/br/mp1a{1,sq,sl,ss}.aj5

  • http://3.19.223.147/br/mp1a{1,sq,sl,ss}.aj5

  • http://51.75.95.179/la8a{1,sq,sl,ss}.ay2
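The server and DLL indicators above are written in a compact brace notation (`mp1a{1,sq,sl,ss}.aj5` stands for four distinct URLs). The following script is an added example, not part of the ESET repository: it expands that notation into the concrete indicators a proxy or EDR rule needs, then matches them verbatim against a handful of constructed proxy log lines. The `%COMPUTERNAME%[1]` entries are deliberately left out, since their notation is not a brace pattern; the log lines are invented for the demonstration.

```python
import re

# Indicator patterns copied from the README's "Servers used" and "Filenames" sections.
SERVER_PATTERNS = [
    "http://18.219.25.133/br/mp1a{1,sq,sl,ss}.aj5",
    "http://3.19.223.147/br/mp1a{1,sq,sl,ss}.aj5",
    "http://51.75.95.179/la8a{1,sq,sl,ss}.ay2",
]
FILE_PATTERNS = [
    r"C:\Users\Public\{winx86,libeay32,ssleay32}.dll",
]

_BRACE = re.compile(r"\{([^{}]*)\}")


def expand_braces(pattern):
    """Expand every {a,b,c} group into the list of concrete strings it denotes."""
    m = _BRACE.search(pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [head + alt + rest
            for alt in m.group(1).split(",")
            for rest in expand_braces(tail)]


def expand_all(patterns):
    """Flatten a list of brace patterns into one list of concrete indicators."""
    return [ioc for p in patterns for ioc in expand_braces(p)]


URL_INDICATORS = expand_all(SERVER_PATTERNS)
FILE_INDICATORS = expand_all(FILE_PATTERNS)


def scan_log(log_text, indicators):
    """Return (line number, indicator) for every line that contains an indicator verbatim.

    Matching is exact on purpose: the last sample line below requests a path
    that is close to, but not in, the indicator set and must not be reported.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ioc in indicators:
            if ioc in line:
                hits.append((lineno, ioc))
    return hits


# Constructed proxy log excerpt (fictional hosts and timestamps) for the demonstration.
SAMPLE_PROXY_LOG = """\
2019-11-20T10:01:02Z 10.0.0.12 GET http://example.com/index.html 200
2019-11-20T10:01:09Z 10.0.0.12 GET http://18.219.25.133/br/mp1asq.aj5 200
2019-11-20T10:02:15Z 10.0.0.33 GET http://51.75.95.179/la8a1.ay2 200
2019-11-20T10:03:00Z 10.0.0.33 GET http://3.19.223.147/br/mp1ax.aj5 404
"""


if __name__ == "__main__":
    print(f"{len(URL_INDICATORS)} URL indicators, {len(FILE_INDICATORS)} file indicators")
    for lineno, ioc in scan_log(SAMPLE_PROXY_LOG, URL_INDICATORS):
        print(f"line {lineno}: {ioc}")
```

Feeding the expanded lists straight into a blocklist or SIEM lookup avoids the common mistake of loading the brace pattern itself as a literal string, which would match nothing.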

Discount coupon URLs

  • Brazil

    • http://promoscupom.cf/

    • http://mcdonalds.promoscupom.cf/index3.html

  • Mexico

    • http://mcdonalds.promoscupom.cf/index2.html

Bitcoin wallet

  • 3QWffRcMw6mmwv4dCyYZsXYFq7Le9jpuWc
