TeleBots Indicators of Compromise

The blog post about TeleBots is available on WeLiveSecurity at http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/.

ESET detection names

  • VBA/TrojanDropper.Agent.SD trojan

  • Win32/TrojanDownloader.Agent.CWY trojan

  • Python/TeleBot.AA trojan

  • Python/Agent.Q trojan

  • Python/Agent.AE trojan

  • Python/Agent.AD trojan

  • VBS/Agent.AQ trojan

  • VBS/Agent.AO trojan

  • VBS/Agent.AP trojan

  • Win32/HackTool.NetHacker.N trojan

  • Win32/HackTool.NetHacker.O trojan

  • Win64/Riskware.Mimikatz.H application

  • Win32/RiskWare.Mimikatz.I application

  • Win32/PSW.Delf.OQU trojan

  • Win32/PSW.Agent.OCO trojan

  • Win32/PSW.Agent.OCP trojan

  • Win64/Spy.KeyLogger.G trojan

  • Win32/KillDisk.NBH trojan

  • Win32/KillDisk.NBI trojan

Network indicators

C&C servers

  • 93.190.137.212

  • 95.141.37.3

  • 80.233.134.147

Legitimate servers abused by malware authors

  • srv70.putdrive.com (IP: 188.165.14.185)

  • api.telegram.org (IP: 149.154.167.200, 149.154.167.197, 149.154.167.198, 149.154.167.199)

  • smtp-mail.outlook.com (IP: 65.55.176.126)

Samples

All hashes are SHA-1.

XLS documents with malicious macro

7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F
C361A06E51D2E2CD560F43D4CC9DABE765536179

Win32/TrojanDownloader.Agent.CWY

F1BF54186C2C64CD104755F247867238C8472504

Python/TeleBot.AA backdoor

16C206D9CFD4C82D6652AFB1EEBB589A927B041B
1DC1660677A41B6622B795A1EB5AA5E5118D8F18
26DA35564D04BB308D57F645F353D1DE1FB76677
30D2DA7CAF740BAAA8A1300EE48220B3043A327D
385F26D29B46FF55C5F4D6BBFD3DA12EB5C33ED7
4D5023F9F9D0BA7A7328A8EE341DBBCA244F72C5
57DAD9CDA501BC8F1D0496EF010146D9A1D3734F
68377A993E5A85EB39ADED400755A22EB7273CA0
77D7EA627F645219CF6B8454459BAEF1E5192467
7B87AD4A25E80000FF1011B51F03E48E8EA6C23D
7C822F0FDB5EC14DD335CBE0238448C14015F495
86ABBF8A4CF9828381DDE9FD09E55446E7533E78
9512A8280214674E6B16B07BE281BB9F0255004B
B2E9D964C304FC91DCAF39FF44E3C38132C94655
FE4C1C6B3D8FDC9E562C57849E8094393075BC93

VBS backdoors

F00F632749418B2B75CA9ECE73A02C485621C3B4
06E1F816CBAF45BD6EE55F74F0261A674E805F86
35D71DE3E665CF9D6A685AE02C3876B7D56B1687
F22CEA7BC080E712E85549848D35E7D5908D9B49
C473CCB92581A803C1F1540BE2193BC8B9599BFE

BCS-server

4B692E2597683354E106DFB9B90677C9311972A1
BF3CB98DC668E455188EBB4C311BD19CD9F46667

Modified Mimikatz

B0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991
AD2D3D00C7573733B70D9780AE3B89EEB8C62C76
D8614BC1D428EBABCCBFAE76A81037FF908A8F79

LDAP query tool

81F73C76FBF4AB3487D5E6E8629E83C0568DE713

CredRaptor password stealer

FFFC20567DA4656059860ED06C53FD4E5AD664C2
58A45EF055B287BAD7B81033E17446EE6B682E2D

Win64/Spy.KeyLogger.G trojan

7582DE9E93E2F35F9A63B59317EBA48846EEA4C7

Intercepter-NG and silent WinPCAP installer

64CB897ACC37E12E4F49C4DA4DFAD606B3976225
A0B9A35675153F4933C3E55418B6566E1A5DBF8A

Win32/KillDisk

71A2B3F48828E4552637FA9753F0324B7146F3AF
8EB8527562DDA552FC6B8827C0EBF50968848F1A
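The following is an added example, not code from the ESET repository or the WeLiveSecurity post. It turns the lists above into something a responder can run: it parses the "Samples" section (label line followed by one SHA-1 per line) into a hash-to-label map, sweeps a directory tree for files whose SHA-1 is listed, and classifies log lines that mention the network indicators, keeping the C&C addresses apart from the legitimate servers (putdrive, Telegram, Outlook SMTP) that the page says were abused, since a hit on the latter is a lead to investigate rather than an address to block. Only three of the sample groups are embedded to keep the block short; the remaining groups paste in the same way. The hashes and IPs are the page's; the file names, file contents and log lines are constructed for the demo, and `demo()` and the other function names are this example's own.

```python
# Added example (not ESET's code): parse the "Samples" section above into a
# SHA-1 -> label map, then check files and log lines against the file and
# network indicators. Hashes and IPs are the page's; files/logs are constructed.
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

# Excerpt of "Samples" in the page's own layout (label line, then one SHA-1
# per line); the remaining groups from the page are pasted in the same way.
SAMPLES_TEXT = """
XLS documents with malicious macro
7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F
C361A06E51D2E2CD560F43D4CC9DABE765536179
Win32/TrojanDownloader.Agent.CWY
F1BF54186C2C64CD104755F247867238C8472504
Win32/KillDisk
71A2B3F48828E4552637FA9753F0324B7146F3AF
8EB8527562DDA552FC6B8827C0EBF50968848F1A
"""
# C&C addresses are block candidates; the abused legitimate hosts are leads to
# investigate (which internal host, which process), not addresses to blackhole.
CNC_IPS = {"93.190.137.212", "95.141.37.3", "80.233.134.147"}
ABUSED_LEGIT = {
    "188.165.14.185": "srv70.putdrive.com",
    "149.154.167.200": "api.telegram.org",
    "149.154.167.197": "api.telegram.org",
    "149.154.167.198": "api.telegram.org",
    "149.154.167.199": "api.telegram.org",
    "65.55.176.126": "smtp-mail.outlook.com",
}
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed proxy/DNS lines for the demo, not taken from any real incident.
CONSTRUCTED_LOG = [
    "proxy: CONNECT 93.190.137.212:443 from 10.0.0.15",
    "proxy: CONNECT 149.154.167.200:443 (api.telegram.org) from 10.0.0.15",
    "dns: 10.0.0.15 -> 8.8.8.8 A example.com",
]


def parse_samples(text: str) -> Dict[str, str]:
    """Map lowercase SHA-1 -> the label line it was listed under."""
    iocs: Dict[str, str] = {}
    label = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if SHA1_RE.match(line):
            if label is None:
                raise ValueError(f"hash before any label: {line}")
            iocs[line.lower()] = label
        else:
            label = line
    return iocs


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, sha1, label) for every file whose SHA-1 is listed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked or vanished file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def classify_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, ip, line) for each listed address seen in a line."""
    out = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in CNC_IPS:
                out.append(("cnc", ip, line))
            elif ip in ABUSED_LEGIT:
                out.append(("abused-legit:" + ABUSED_LEGIT[ip], ip, line))
    return out


def demo() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Exercise both checks on constructed files and log lines."""
    iocs = parse_samples(SAMPLES_TEXT)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here")
        # Stand-in for a sample: constructed bytes registered under a made-up
        # label, so the match path is exercised without handling live malware.
        payload = b"constructed stand-in for a TeleBots sample"
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(payload)
        iocs[hashlib.sha1(payload).hexdigest()] = "Constructed test sample"
        file_hits = [(os.path.basename(p), h, l) for p, h, l in scan_tree(root, iocs)]
    return file_hits, classify_log(CONSTRUCTED_LOG)
```

Running `demo()` returns one file hit (the constructed `update.exe`, labelled as such) and two log hits: the C&C address is reported as `cnc`, the Telegram API address as `abused-legit:api.telegram.org`, and the Google DNS line produces nothing. Point `scan_tree` at a real path and feed `classify_log` real proxy or DNS lines to use it against the full lists on this page.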