Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
..
Failed to load latest commit information.
ReadMe.md
hashes.csv
hostnames.csv
ip.csv
url.csv

ReadMe.md

Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter

With season two of Mr. Robot approaching, the storyline follows a hacker group that takes down an evil global corporation and collapses the financial market. Led by the mysterious Mr. Robot, the hackers use a variety of tricks to evade detection, and seem to cover their tracks at every turn. There are similarities shared by the show's hackers and real-life attackers.

Hackers are human. Like the rest of us, they are creatures of habit, turning to familiar tools and techniques time and time again. As they hone their craft, attackers develop their skills and accumulate knowledge. And while they go to great lengths to hide from view and keep their actions under the radar, they leave tracks if you know where to look. By examining subtle clues attackers leave behind, it’s possible for threat researchers to track malware back to a specific actor.

Malware artifacts provide these valuable clues, serving as tools, techniques and procedures (TTPs) in tracking the ongoing operations of a specific threat actor. In this case, we focus on MAN1, a sophisticated crypter dating back to 2014 that's still used today.

Please review our research here on our blog

Raw IOCs:

Chanitor:

o3qz25zwu4or5mak[.]tor2web[.]org/gate.php
xdndo2okt43cjx44[.]tor2web.blutmagie[.]de/gate.php
xdndo2okt43cjx44[.]tor2web[.]fi/gate.php
xdndo2okt43cjx44[.]tor2web[.]org/gate.php
um6fsdil5ecma5kf[.]tor2web.blutmagie[.]de/gate.php
mps23[.]ru/libraries/fof/controller/1304.exe
buloftoty[.]com/sl/gate.php
buloftoty[.]com/sl/gate.php
letatandone[.]ru/sl/gate.php
nkdoscqnp3myjiyr.onion[.]to/sl/gate.php
buzines24[.]ru/source/pm.dll
buzines24[.]ru/source/inst1.exe

95914f3cb47e2d200408456abc2fc277
63cc107d6f4464eb311324f950386b9f
db36c2f4db086a7f8e483187289e1c93
f5efd86c80538e104503c309e458efa9

Vawtrak:

hartwelstay[.]com/stats/00/counter/0000003A/56EB9C2B
weltfarystar[.]com/stats/00/counter/0000003A/56EB9C2B
rewdepehat[.]ru/stats/00/counter/0000003A/56EB9C2B
uldryledda[.]ru/stats/00/counter/0000003A/56EB9C2B
uldfiparevent[.]ru/stats/00/counter/0000003A/56EB9C2B
roldinglygo[.]ru/stats/00/counter/0000003A/56EB9C2B
perundmaheg[.]ru/stats/00/counter/0000003A/56EB9C2B
velyama[.]com/stats/00/counter/0000003A/56EB9C2B
shumines[.]com/stats/00/counter/0000003A/56EB9C2B
ceglolu[.]com/stats/00/counter/0000003A/56EB9C2B
ceglolu[.]com/stats/02/counter/0000003A/56EB9C2B
dunella[.]net/upd/58?id=1458281515&o=4&n=5
greatcountrygor[.]ru/stats/00/counter/0000006E/56EB9C2B
firstforestmonth[.]ru/stats/00/counter/0000006E/56EB9C2B
hornetwart[.]ru/stats/00/counter/0000006E/56EB9C2B
weronpalace[.]ru/stats/00/counter/0000006E/56EB9C2B
westnerthgom[.]ru/stats/00/counter/0000006E/56EB9C2B
dorthgornet[.]com/stats/00/counter/0000006E/56EB9C2B
andheduse[.]ru/stats/00/counter/0000006E/56EB9C2B
rinheca[.]ru/stats/00/counter/0000006E/56EB9C2B
etningand[.]ru/stats/00/counter/0000006E/56EB9C2B
termyen[.]ru/stats/00/counter/0000006E/56EB9C2B
haptalher[.]ru/stats/00/counter/0000006E/56EB9C2B
robonwas[.]ru/stats/00/counter/0000006E/56EB9C2B
wassinrat[.]ru/stats/00/counter/0000006E/56EB9C2B
parowheck[.]ru/stats/00/counter/0000006E/56EB9C2B
pergeca[.]ru/stats/00/counter/0000006E/56EB9C2B
astramanton[.]com/stats/00/counter/0000006E/56EB9C2B
haptedidti[.]ru/stats/00/counter/0000006E/56EB9C2B
betpeharrep[.]ru/stats/00/counter/0000006E/56EB9C2B
tothetinbu[.]ru/stats/00/counter/0000006E/56EB9C2B
wawronbonot[.]ru/stats/00/counter/0000006E/56EB9C2B
freeseathere[.]com/stats/00/counter/0000006E/56EB9C2B
gerbertdowen[.]com/stats/00/counter/0000006E/56EB9C2B
hertgotlitt[.]ru/stats/00/counter/0000006E/56EB9C2B
weasterd[.]com/stats/00/counter/0000006E/56EB9C2B
ronughmeligh[.]ru/stats/00/counter/0000006E/56EB9C2B
parwoonetons[.]ru/stats/00/counter/0000006E/56EB9C2B
sahissofreb[.]ru/stats/00/counter/0000006E/56EB9C2B
etdidnrowrab[.]ru/stats/00/counter/0000006E/56EB9C2B
sedsparkeun[.]ru/stats/00/counter/0000006E/56EB9C2B
righhowhanin[.]ru/stats/00/counter/0000006E/56EB9C2B
ketretdidnbe[.]ru/stats/00/counter/0000006E/56EB9C2B
kedathenrit[.]ru/stats/00/counter/0000006E/56EB9C2B
fonotoftret[.]ru/stats/00/counter/0000006E/56EB9C2B
drawnearme[.]ru/stats/00/counter/0000006E/56EB9C2B
fivelisterman[.]ru/stats/00/counter/0000006E/56EB9C2B
newquietlist[.]ru/stats/00/counter/0000006E/56EB9C2B
weoplitu[.]ru/stats/00/counter/0000006E/56EB9C2B
sdertunclis[.]ru/stats/00/counter/0000006E/56EB9C2B
betadvalyf[.]ru/stats/00/counter/0000006E/56EB9C2B
pwinmoxyfe[.]ru/stats/00/counter/0000006E/56EB9C2B
lazmestah[.]ru/stats/00/counter/0000006E/56EB9C2B
fortwronsit[.]ru/stats/00/counter/0000006E/56EB9C2B
lestrinate[.]com/stats/00/counter/0000006E/56EB9C2B
withreshersgot[.]ru%2520/stats/00/counter/0000006E/56EB9C2B
natosinhem[.]ru/stats/00/counter/0000006E/56EB9C2B
winfertrow[.]com/stats/00/counter/0000006E/56EB9C2B
quirtenatel[.]com/stats/00/counter/0000006E/56EB9C2B
masterstargon[.]ru/stats/00/counter/0000006E/56EB9C2B
laskrowler[.]ru/stats/00/counter/0000006E/56EB9C2B
uznatus[.]com/stats/00/counter/0000006E/56EB9C2B
cakedhisjohn[.]com/stats/00/counter/0000006E/56EB9C2B
idthentehed[.]com/stats/00/counter/0000006E/56EB9C2B
rebteugrigh[.]com/stats/00/counter/0000006E/56EB9C2B
othersforrep[.]com/stats/00/counter/0000006E/56EB9C2B
shumines[.]com/stats/00/counter/0000006E/56EB9C2B
perundmaheg[.]ru/stats/00/counter/0000006E/56EB9C2B
penothec[.]ru/stats/00/counter/0000006E/56EB9C2B
dowronrab[.]ru/stats/00/counter/0000006E/56EB9C2B
melebet[.]ru/stats/00/counter/0000006E/56EB9C2B
fawilut[.]ru/stats/00/counter/0000006E/56EB9C2B
dorthgornet[.]com/stats/00/counter/0000006E/56EB9C2B
fastrevertnom[.]com/stats/00/counter/0000006E/56EB9C2B
wergilesrest[.]com/stats/00/counter/0000006E/56EB9C2B
polnerfirst[.]com/stats/00/counter/0000006E/56EB9C2B
azmyto[.]ru/stats/00/counter/0000006E/56EB9C2B
mgsmedia[.]ru/Work/new/index.php
textidea[.]com/Work/new/index.php
vintageselects[.]com/Work/new/index.php
pausephone[.]com/Work/new/index.php
hybridtrend[.]com/Work/new/index.php
basislabel[.]com/Work/new/index.php
finehotels[.]net/Work/new/index.php
circlewear[.]net/Work/new/index.php
helloalliance[.]net/Work/new/index.php
seaboy[.]net/Work/new/index.php
wildclick[.]net/Work/new/index.php
camelcap[.]com/Work/new/index.php
ideagreens[.]com/Work/new/index.php
guesstrade[.]com/Work/new/index.php
castuning[.]ru/Work/new/index.php
basislabel[.]com/Work/new/index.php
camelcap[.]com/Work/new/index.php
castuning[.]ru/Work/new/index.php
circlewear[.]net/Work/new/index.php
finehotels[.]net/Work/new/index.php
guesstrade[.]com/Work/new/index.php
helloalliance[.]net/Work/new/index.php
hybridtrend[.]com/Work/new/index.php
ideagreens[.]com/Work/new/index.php
mgsmedia[.]ru/Work/new/index.php
ninthclub[.]com/Work/new/index.php
seaboy[.]net/Work/new/index.php
basislabel[.]com/Work/new/index.php
camelcap[.]com/Work/new/index.php
castuning[.]ru/Work/new/index.php
circlewear[.]net/Work/new/index.php
finehotels[.]net/Work/new/index.php
guesstrade[.]com/Work/new/index.php
helloalliance[.]net/Work/new/index.php
hybridtrend[.]com/Work/new/index.php
ideagreens[.]com/Work/new/index.php
mgsmedia[.]ru/Work/new/index.php
ninthclub[.]com/Work/new/index.php
pausephone[.]com/Work/new/index.php
seaboy[.]net/Work/new/index.php
textidea[.]com/Work/new/index.php
vintageselects[.]com/Work/new/index.php
wildclick[.]net/Work/new/index.php
foundingcast[.]com/rss/feed/stream
dringeraout[.]com/rss/feed/stream
broilerona[.]com/rss/feed/stream
bookeranto[.]com/rss/feed/stream
vineriadana[.]com/rss/feed/stream
greyscrolling[.]com/rss/feed/stream
solidarepapero[.]com/rss/feed/stream
svenorta[.]com/rss/feed/stream
goodtrade[.]bid/rss/feed/stream
todaywith[.]date/rss/feed/stream
quicklinks[.]download/rss/feed/stream
beproudof[.]faith/rss/feed/stream
takeaphoto[.]loan/rss/feed/stream
oldblackman[.]party/rss/feed/stream
fastblackspeed[.]racing/rss/feed/stream
cangetyour[.]review/rss/feed/stream
epicsimple[.]science/rss/feed/stream
fastandeasy[.]trade/rss/feed/stream
seeyounow[.]webcam/rss/feed/stream
championinred[.]win/rss/feed/stream
chalengeforyou[.]win/rss/feed/stream
cookingwithme[.]date/rss/feed/stream
vigriada[.]com/rss/feed/stream
fugredoma[.]com/rss/feed/stream
edreciano[.]com/rss/feed/stream
derfeicon[.]com/rss/feed/stream
boelongo[.]com/rss/feed/stream
baberigia[.]com/rss/feed/stream
pachuliko[.]com/rss/feed/stream
tuberosan[.]com/rss/feed/stream

e3b6acf4ccd7f0257d201977bb600e04
feb49bde382fec4c821e4e608d0134f5
6d046ea72343a1e49c8f3932ea7f6c75
7fc75215d5502cdd1ff5413d2a882331
77561141a0f15ff56c70995c4f1ddc98
5238cd34caae600b3f592e2595aa6949
6fad86a0fcc912f32474f6c7a86fe37a
fb4d250b6a733ce4f5c583e9ebb667bc
1a03b0020ead9bbf5d03761cddb929fa
2e2e21875ad473bd71ff3d32b405ada3
0ad71b4f28064748b22f3853ec544402

Pony:

mystoredoc[.]com/gate.php
sestoreinv[.]com/gate.php
menstoreins[.]com/gate.php
cukierniacapri[.]pl/wp-content/plugins/cached_data/m1.exe
cyctechnology[.]com/wp-content/plugins/cached_data/m1.exe
curatedayton[.]com/wp-content/plugins/cached_data/m1.exe
manydocsfastrack[.]com/gate.php
invoiceformater[.]com/gate.php
doclibrarymk[.]com/gate.php
en[.]beyoglugida[.]com/wp-content/plugins/cached_data/n1.exe
encentivhealth[.]com/wp-content/plugins/cached_data/n1.exe
en[.]inbar-solar[.]com/wp-content/plugins/cached_data/n1.exe
en[.]kotmed[.]com/wp-content/plugins/cached_data/n1.exe
essera[.]com/wp-content/plugins/cached_data/n1.exe
etc-coop[.]com/wp-content/plugins/cached_data/n1.exe
etc-ops[.]com/wp-content/plugins/cached_data/n1.exe
everylifecoach[.]org/wp-content/plugins/cached_data/n1.exe
docscountry[.]com/gate.php
sampledocstrash[.]com/gate.php
manterinvoice[.]com/gate.php
diamondlogosacademy[.]org/wp-content/plugins/cached_data/w2.exe
dierenkliniekpendrecht[.]nl/wp-content/plugins/cached_data/w2.exe
discoverbalaton[.]com/wp-content/plugins/cached_data/w2.exe
dev[.]mariocorp[.]com/wp-content/plugins/cached_data/w1.exe
dev[.]wbiz[.]it/wp-content/plugins/cached_data/w1.exe
diamondnailsvalpo[.]com/wp-content/plugins/cached_data/w1.exe
titanikvmoskalii[.]com/gate.php
toldronher[.]com/gate.php
tumanvmoskalii[.]com/gate.php
atolyedunyam[.]com/wp-content/plugins/feedweb_data/k1.exe
infogranizo[.]es/wp-content/plugins/feedweb_data/k1.exe
kinesis-gym[.]gr/wp-content/plugins/feedweb_data/k1.exe
servo-maszyny[.]pl/ADM/utility/tiny_mce/plugins/searchreplace/k1.exe
www.advisorz[.]co[.]uk/wp-content/plugins/feedweb_data/k1.exe
www.impulsos[.]net/wp-content/plugins/feedweb_data/k1.exe
leftofttarigh[.]ru/gate.php
undugdaid[.]ru/gate.php
lerecofrom[.]ru/gate.php
camemart[.]com/win.exe
akshajcreation[.]com/media/system/win.exe
digipillar[.]com/media/system/win.exe
wicytergo[.]ru/gate.php
unlaccothe[.]ru/gate.php
thetedrenre[.]ru/gate.php
eextensions[.]co/host.exe
www.10203040[.]at/host.exe
www.eshtari[.]me/host.exe
wicytergo[.]ru/sliva/gate.php
unlaccothe[.]ru/sliva/gate.php
thetedrenre[.]ru/sliva/gate.php
eextensions[.]co/m.exe
www.10203040[.]at/m.exe
www.eshtari[.]me/m.exe
dethetear[.]ru/gate.php
fortformares[.]ru/gate.php
tonslachesand[.]ru/gate.php
writeonlabels[.]biz/media/system/h1.exe
aultomax[.]com[.]au/h1.exe
sauvarinsglass[.]co[.]nz/h1.exe
dethetear[.]ru/sliva/gate.php
fortformares[.]ru/sliva/gate.php
tonslachesand[.]ru/sliva/gate.php
writeonlabels[.]biz/media/system/m.exe
aultomax[.]com[.]au/m.exe
sauvarinsglass[.]co[.]nz/m.exe
hagurowrob[.]ru/gate.php
betrewhattit[.]ru/gate.php
botepetan[.]ru/gate.php
www.raveshia[.]com/wp-content/plugins/cached_data/print.exe
elfielatorestaurante[.]com/wp-content/plugins/cached_data/print.exe
spiceone-food[.]com/wp-content/plugins/feedweb_data/print.exe
rewthenperhed[.]ru/gate.php
littmahedtbo[.]ru/gate.php
hedtheresran[.]ru/gate.php
guedesrusso[.]com/system/logs/print.exe
noshykart[.]com/system/logs/print.exe
php9[.]650mb[.]com/wp-content/plugins/cached_data/print.exe
buthimetrab[.]com/zapoy/gate.php
ughtotdinghar[.]ru/zapoy/gate.php
gebiketo[.]ru/zapoy/gate.php
retoftontto[.]com/zapoy/gate.php
hididnjustha[.]ru/zapoy/gate.php
hinjuskinuse[.]ru/zapoy/gate.php
buloftoty[.]com/zapoy/gate.php
soonbito[.]ru/zapoy/gate.php
letatandone[.]ru/zapoy/gate.php
wasscaltontuld[.]com/zapoy/gate.php
hemorananing[.]ru/zapoy/gate.php
ontedrirop[.]ru/zapoy/gate.php

f5efd86c80538e104503c309e458efa9
4ed1786f75251376f23bc0df2cd98fff
c1bfbfe0db4a74611e32cc7f49cc9383
379c67ae879872d3fa0b601892c59605
8c62d43ee165859603c532beecdbadde
be1f62fcbe151ad251a3a8d1d0d8b5e3
121cc78adcf9097b51813fbdbe0f4872
cd445e52eb7d2ca7359a8513157dd0a9
5e49ae017af49f89b2d7cc986677a266
0f7fd85685e7835fee897f2ab36652ac
896908f5cb3c8e045eb45c367f7cfdd6
b6226b00ea36f50d855e8c6da147b5c1
4e88d4d6ad6d581ec37c3597f6db8019
3e7541a41b84046e4994f660bda5dadc
3bfc4c70be70456d607c7fdc054f7252

H1N1:

britecompanies[.]com/pm.dll
britecompanies[.]com/inst1.exe
buthimetrab[.]com:80/h/gate.php
ughtotdinghar[.]ru:80/h/gate.php
gebiketo[.]ru:80/h/gate.php
retoftontto[.]com:80/h/gate.php
hididnjustha[.]ru:80/h/gate.php
hinjuskinuse[.]ru:80/h/gate.php
quonigeria[.]com/pm.dll
Ungr[.]net/inst.exe
crr-medvezonok[.]ru/about/inst3.exe
crr-medvezonok[.]ru/about/inst1.exe
crr-medvezonok[.]ru/about/inst2.exe
crr-medvezonok[.]ru/about/pm.dll
ontedrirop[.]ru/h/gate.php
hemorananing[.]ru/h/gate.php
wasscaltontuld[.]com/h/gate.php

4d0829e6c17c127d37a6ac6417787504

H1N1 DocDroppers:
B8b13f5b9fb54017b3a4b54cb0fc97c4
1265be272d9f4d37f34c0702c6841fb2     

Nymaim:

162.244.32.157:8458 – Gozi Module BackConnect Server
oxrdmfdis[.]in/deip7/index.php
oxrdmfdis[.]in/awxCAe1jyu/index.php
xnkhfbc[.]in/qzlshd9xfv/index.php

ae4145a0a4859d5ab56b143adb148ee9
90e4d03aff298fca4641acda4e6493f2
4cadf61e96c2d62292320c556fd34fe6

Andromeda:

secure.adnxs.metalsystems[.]it/new_and/state.php
upfd.pilenga[.]co[.]uk/new_and/state.php
37.59.66.231/js/calc[.]pack
www.amicimusica.ud[.]it/audio/js.mod
antoniocaroli[.]it/prova/sd/LnMSLFOfwwout.exe

96daa23d7723f8f04690bb93642a9bae
f983ba24d259b4afac4451f7036e7636f6a35df175c6f7302e309ea7daab45ab

Andromeda RC4 key:
15ed0db7475d3c93e06a3677c194f855

ISFB/Gozi:

goyanok[.]at/krp3cmg/images/
outaplaceshave[.]cn/krp3cmg/images/
noopex[.]at/krp3cmg/images/
hothegivforsuffer[.]cn/krp3cmg/images/
lopertopgo[.]su/krp3cmg/images/
nexpoo[.]at/krp3cmg/images/
pergozip[.]at/krp3cmg/images/
justiceseasfriends[.]cn/krp3cmg/images/
mid100[.]at/krp3cmg/images/
goinumder[.]su/krp3cmg/images/
trepeatedandequal[.]cn/krp3cmg/images/
hulivam[.]at/krp3cmg/images/
therepalon[.]su/krp3cmg/images/
creatortherefore[.]cn/krp3cmg/images/

797717b96a3422d27b68365b4d54ebe9568b7b705d31bdc745f72b40b778c1bb

Dyre:

nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua[.]b32[.]i2p:443
62.122.69.172:4443
91.238.74.70:443
181.189.152.131:443
194.28.190.183:443
91.238.74.70:443
62.122.69.172:4443
181.189.152.131:443
194.28.190.183:443
95.67.88.84:4443
176.56.24.229:443
178.136.123.22:443
91.194.239.126:4443
94.231.178.46:4443
194.28.190.167:443
80.234.34.137:443
213.111.243.60:4443
46.149.253.52:4443
37.57.101.221:4443
134.249.63.46:443
85.192.165.229:443
195.34.206.204:443
62.122.69.159:4443
188.123.34.203:443
178.18.172.215:4443
91.232.157.139:443
195.206.255.131:443
37.232.185.114:443
62.182.33.16:443
46.180.147.50:443
46.175.23.130:443
84.16.54.22:443
84.16.55.122:443
93.184.71.88:4443
83.168.164.18:443
212.89.237.65:443
176.109.58.78:443
212.37.81.96:4443
95.165.196.227:443
195.34.239.93:443
77.234.235.48:443
217.12.59.238:443
212.62.58.238:443
212.69.14.89:443
195.206.254.15:443
46.167.219.231:443
31.28.115.88:443
62.122.69.137:4443
84.16.55.12:443
62.122.69.151:4443
194.28.190.84:443
194.28.190.146:443
194.28.191.144:443
194.28.191.213:443
213.87.54.111:443
213.87.54.111:443
46.16.111.158:443
31.41.90.230:4443
158.255.255.87:4443
109.195.2.150:443
88.208.22.210/30.su3
senyuplastics[.]com/75462354.txt
senyuplastics[.]com/lns.txt
91.194.254.235/uss/file.exe
91.194.254.222/us2/file.exe
77.85.204.114:443
194.28.190.99:443
194.28.190.88:443
94.180.109.121:443
194.28.190.86:443
91.242.53.142:4443
85.66.249.207:443
194.12.117.68:443
62.122.102.105:443
46.151.48.149:443
78.109.34.34:443
89.189.174.40:443
46.151.49.128:443
46.151.48.97:443
89.250.145.129:443
188.123.34.192:443
46.151.48.184:443
5.255.166.200/0.su3
87.116.153.216:443
176.120.201.9:443
80.87.219.35:443
31.42.170.118:443
91.240.97.141:443
93.91.154.243:443
184.164.97.60:443
77.95.192.36:443
178.22.222.89:443
67.207.228.144:443
69.9.204.37:443
84.237.229.49:443
217.23.194.237:443
107.161.199.59:4443
67.206.96.30:443
67.219.166.113:443
77.104.206.150:443
178.219.10.23:443
75.134.44.251:443
188.255.241.22:4443
67.206.97.238:443
69.146.233.162:4443
69.118.144.195:4443
188.255.236.227:4443
38.124.169.163:4443
185.31.33.98:443
95.143.131.73:443
46.37.205.163:443
41.75.67.80:443
41.75.68.226:443
41.75.68.242:443
41.215.182.109:443
46.44.28.44:443
78.8.174.25:443
78.58.131.116:443
118.179.219.210:443
132.255.212.105:443
150.129.49.11:443
154.73.140.26:443
176.106.122.32:443
178.168.109.92:443
179.49.117.33:4443
181.143.49.146:443
181.143.223.10:443
181.174.76.17:4443
190.111.20.50:443
193.189.77.76:443
196.2.10.17:443
197.231.198.234:4443
212.109.14.145:443
217.30.78.174:443
185.46.217.70:443
41.191.118.234:443
41.75.67.249:443
41.77.130.160:443
41.203.118.202:443
62.233.252.206:443
62.233.252.247:443
83.241.176.230:4443
91.232.45.149:443
109.196.1.13:4443
154.73.100.124:443
172.242.228.68:4443
173.185.166.94:4443
173.252.50.124:4443
186.42.215.214:443
186.46.185.174:443
190.63.152.74:443
190.151.95.243:443
190.215.141.163:443
197.254.104.166:4443
201.187.95.250:443
203.189.148.116:443
212.182.101.2:4443
93.126.47.107:443
46.143.196.142:443
31.40.1.32:443
87.248.158.109:443
107.181.174.68:443
107.181.174.68:443
185.49.68.145:4443
51.254.98.180:443 

88ed077e12a8109933472ce6ca6a0296
ddebcf8183b9b8082a016aa646f899bb
46d84fb13afaab16b15322e52cd73b48
d6c0e93fce69f0e16ef11bc2e285be55

MacroDocs:

bankruptcy-software[.]com/wp-content/themes/classic/1.php?r
91.194.254.213/us/file.jpg
penis-enhancement-secrets[.]com/wp-content/plugins/lns.txt
peakperformancelifestyle[.]com/wp-content/plugins/lns.txt
penis-enhancement-secrets[.]com/wp-content/plugins/6612536153.txt
peakperformancelifestyle[.]com/wp-content/plugins/6612536153.txt
91.194.254.80/us705/file.exe
senyuplastics[.]com/75462354.txt
senyuplastics[.]com/lns.txt
91.194.254.235/uss/file.exe
91.194.254.222/us2/file.exe
capehilldentalsurgery[.]co[.]uk/wp-admin/includes/89172387.txt
brianlonchar[.]com/home/wp-includes/fonts/89172387.txt
capehilldentalsurgery[.]co[.]uk/wp-admin/includes/lns.txt
brianlonchar[.]com/home/wp-includes/fonts/lns.txt
carallianz[.]com/boilerd/keys/pa.exe
modern7technologiesx0[.]tk/x1656/dfiubgh5.exe
forbiddentextmate58[.]tk/x1656/ctruiovy.exe
temporary777winner777[.]tk/x1656/fdgbh44b.exe
former12futuristik888[.]tk/x1656/fdgjbhis75.exe
mehmetcanta[.]com/system/logs/office.exe

e763e99edac813ba6161c5545229cb34
0c98a7e39b0d9a0cb338faee3901182b
0c1f3d79559e261c4b60a76f665c364d
0cfd0039a3b9781e52c9b86c584da04a
8211ae4365f96c48a35619482fa7842d
a19cba9a758aff2d773c68cc42131fd3
b41205f6aeeeb1aa1fd8e0dcbddf270e

Older man1.exe from 20Jun2016:
4c4b2817873e0ae17cd05b7bd233d201

EmailLinks:

dovepersonnel[.]com[.]au/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
easydash[.]com[.]br/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
duvertepetasiyicilar[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
eciusda[.]org/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
dogadateknoloji[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
ecghouston[.]org/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
dutcharchitects[.]info/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
einkubator[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
dnacomvisual[.]com[.]br/wp-content/plugins/cached_data/aa_ticket_8392051302.zip
dodoty[.]com/wp-content/plugins/cached_data/aa_ticket_8392051302.zip
ogadateknoloji[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
dugunorganizasyonu[.]co/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
dymacorp[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip
djasad[.]co[.]uk/wp-content/plugins/cached_data/aa_ticket_8392051302.zip
dj-collision[.]com/wp-content/plugins/cached_data/aa_ticket_8392051302.zip
docitachocolates[.]com[.]br/wp-content/plugins/cached_data/aa_ticket_8392051302.zip
joetradeco[.]com/images/poultry/large/aa_ticket_8392051302.zip
drmuratcaglayan[.]com/wp-content/plugins/cached_data/aa_ticket_9017937910.zip

Dalexis:

ofigesvi[.]es:80/modules/history.jpg
pbescastell[.]es:80/pcss/history.jpg
onlinecomputer[.]at/wp-includes/history.jpg
artesanjuan[.]es/SpryAssets/history.jpg
mondoclinicsistem[.]ro/[.]htpasswds/history.jpg
www186[.]e1007[.]servidornet[.]com/wp-admin/history.jpg
pensiunea-lamuncel[.]ro/history.jpg
procosta[.]es/history.jpg
pensiunituristicebucovina[.]ro/pensiunea-lamuncel[.]ro/history.jpg

35096228e2d6e644cdd51259dcdaf03d

CTB-Locker:

3fdzgtam4qk625n6[.]tor2web[.]blutmagie[.]de

cbde2e916ae7accb98bb247bb93846c9

ReactorBot:

rc7thuhy8agn43zzgi[.]biz
heckwassleftran[.]ru
heckwassleftran2[.]ru
heckwassleftran3[.]ru
zdnuohzdydlpx5kd[.]onion
heckwassleftran[.]ru/cgi-bin/050515/post[.]cgi
heckwassleftran[.]ru/host[.]dat
heckwassleftran[.]ru/101/list32[.]dat
heckwassleftran[.]ru/101/1880376902_32[.]dat
heckwassleftran[.]ru/101/3257F7F8
heckwassleftran[.]ru/101/EB4E2654
heckwassleftran[.]ru/101/B06139B1    

eff29f0ba620760a42c1ac0514007bff
3f11c42687d09d4a56c715f671143a58

P2P Gozi variant:

4e3a0ce170d66eaea6d55a3d6c551653