Updated Indicator of compromise (IoC) of FASTCash 2.0

Short Description:

About BeagleBoyz: "BeagleBoyz" is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA / Lazarus / APT38.

The primary modus operandi of the BeagleBoyz (though not limited to these) is social engineering, spearphishing, and watering-hole tactics. The associated Malware Analysis Reports (MARs) contain unique malware samples that combine remote access tools/trojans (RATs), a tunneling proxy tool, a keylogger/screen-capture tool, and man-in-the-middle capabilities, all specifically targeting ISO 8583 point-of-sale (POS) system messages, ATM transaction requests, and ATM balance inquiries.

BGD e-GOV CIRT has detected, through its trusted sources, a possible updated set of Indicators of Compromise (IoCs) for FASTCash 2.0.

An Indicator of Compromise (IoC), in computer forensics, is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.


YARA (Yet Another Recursive Acronym) is the name of a tool primarily used in malware research and detection. Each rule below is preceded by the SHA1 value identifying it.

32fda75483f01579b78607113799a19382d72f4d

rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10301706.r2.v1"
        Date = "2020-08-11"
        Actor = "Hidden Cobra"
        Category = "Backdoor Dropper Proxy Spyware Trojan"
        Family = "TWOPENCE"
        Description = "Detects strings in TWOPENCE proxy tool"
        MD5_1 = "40e698f961eb796728a57ddf81f52b9a"
        SHA256_1 = "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118"
        MD5_2 = "dfd09e91b7f86a984f8687ed6033af9d"
        SHA256_2 = "aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83"
        MD5_3 = "bda82f0d9e2cb7996d2eefdd1e5b41c4"
        SHA256_3 = "f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de"
        MD5_4 = "97aaf130cfa251e5207ea74b2558293d"
        SHA256_4 = "9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852"
        MD5_5 = "889e320cf66520485e1a0475107d7419"
        SHA256_5 = "8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1"
    strings:
        $cmd1 = "ssylka"
        $cmd2 = "ustanavlivat"
        $cmd3 = "poluchit"
        $cmd4 = "pereslat"
        $cmd5 = "derzhat"
        $cmd6 = "vykhodit"
        $cmd7 = "Nachalo"
        $cmd8 = "kliyent2podklyuchit"
        $frmt1 = "Host: %s%s%s:%hu"
        $frmt2 = "%s%s%s%s%s%s%s%s%s%s"
    condition:
        (4 of ($cmd*)) and (1 of ($frmt*))
}

bbea5a6a1e6ad2446f2dc23414fbf0ca6dc834f6

rule CISA_10257062_01 : ATM_Malware
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10257062"
        Date = "2019-09-26"
        Last_Modified = "20200117_1732"
        Actor = "n/a"
        Category = "Financial"
        Family = "ATM_Malware"
        Description = "n/a"
        MD5_1 = "c4141ee8e9594511f528862519480d36"
        SHA256_1 = "129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0"
    strings:
        $x3 = "RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= %d" fullword ascii
        $x4 = "init_hashmap succ" fullword ascii
        $x5 = "89*(w8y92r3y9*yI2H28Y9(*y3@*" fullword ascii
    condition:
        ($x3) and ($x4) and ($x5)
}

b9d1e879e11d6ce46fa206879cb516d74e024b5e

rule CISA_3P_10257062 : HiddenCobra FASTCASH trojan
{
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10257062"
        Date = "2020-08-11"
        Actor = "Hidden Cobra"
        Category = "Trojan"
        Family = "FASTCASH"
        Description = "Detects HiddenCobra FASTCASH samples"
        MD5_1 = "a2b1a45a242cee03fab0bedb2e460587"
        SHA256_1 = "5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b"
    strings:
        $sn_config_key1 = "Slsklqc^mNgq`lyznqr[q^123"
        $sn_config_key2 = "zRuaDglxjec^tDttSlsklqc^m"
        $sn_logfile1 = "C:\\intel\\_DMP_V\\spvmdl.dat"
        $sn_logfile2 = "C:\\intel\\_DMP_V\\spvmlog_%X.dat"
        $sn_logfile3 = "C:\\intel\\_DMP_V\\TMPL_%X.dat"
        $sn_logfile4 = "C:\\intel\\mvblk.dat"
        $sn_logfile5 = "C:\\intel\\_DMP_V\\spvmsuc.dat"
    condition:
        all of ($sn*)
}

ace0684fa59024586a396bfd428af8fc5521494e

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10301706.r1.v1"
        Date = "2020-08-11"
        Actor = "Hidden Cobra"
        Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan"
        Family = "ECCENTRICBANDWAGON"
        Description = "Detects strings in ECCENTRICBANDWAGON proxy tool"
        MD5_1 = "d45931632ed9e11476325189ccb6b530"
        SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e"
        MD5_2 = "acd15f4393e96fe5eb920727dc083aed"
        SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8"
        MD5_3 = "34404a3fb9804977c6ab86cb991fb130"
        SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec"
        MD5_4 = "3122b0130f5135b6f76fca99609d5cbe"
        SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e"
    strings:
        $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
        $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
        $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
        $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase
        $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase
    condition:
        any of them
}
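To show how the string modifiers and counting conditions in the rules above actually evaluate, here is an added Python example (not code from CISA or BGD e-GOV CIRT) that emulates only the YARA constructs those rules use (ascii/wide/nocase text strings, hex strings with [n-m] jumps, "N of ($prefix*)" and "any of them") and runs two of the rules over constructed sample buffers; the function names hex_to_regex, text_to_regex and scan are this example's own, and a real deployment would run the rule files with yara or yara-python instead.

```python
import re
# Added example, not CISA's or the CIRT's code: emulates only the YARA constructs the
# rules above use (text strings ascii/wide/nocase, hex strings with [n-m] jumps, "N of").

def hex_to_regex(pattern):
    """'FB 19 9D 57 [1-6] 9A ...' -> compiled bytes regex; a [n-m] jump becomes .{n,m}."""
    parts = []
    for tok in pattern.strip("{} ").split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(b".{%d,%d}" % (int(jump[1]), int(jump[2])))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: a jump may cover 0x0A

def text_to_regex(text, wide=False, nocase=False):
    """YARA text string -> regex; 'wide' adds the UTF-16LE form beside the ascii form."""
    forms = [re.escape(text.encode("latin-1"))]
    if wide:
        forms.append(re.escape(text.encode("utf-16-le")))
    return re.compile(b"(?:" + b"|".join(forms) + b")", re.IGNORECASE if nocase else 0)

TWOPENCE_CMDS = ["ssylka", "ustanavlivat", "poluchit", "pereslat",
                 "derzhat", "vykhodit", "Nachalo", "kliyent2podklyuchit"]
RULES = {
    # CISA_3P_10301706_02 (TWOPENCE): (4 of ($cmd*)) and (1 of ($frmt*))
    "CISA_3P_10301706_02": ({
        **{f"cmd{i}": text_to_regex(s) for i, s in enumerate(TWOPENCE_CMDS, 1)},
        "frmt1": text_to_regex("Host: %s%s%s:%hu"),
        "frmt2": text_to_regex("%s%s%s%s%s%s%s%s%s%s"),
    }, lambda hit: sum(h.startswith("cmd") for h in hit) >= 4 and any(h.startswith("frmt") for h in hit)),
    # CISA_3P_10301706_01 (ECCENTRICBANDWAGON, two of its five strings): any of them
    "CISA_3P_10301706_01": ({
        "sn1": hex_to_regex("FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD"),
        "sn5": text_to_regex(r"c:\windows\temp\TMP0389A.tmp", wide=True, nocase=True),
    }, lambda hit: bool(hit)),
}

def scan(buf):
    """Return the names of rules whose condition holds for the byte buffer."""
    matched = []
    for name, (strings, cond) in RULES.items():
        hit = {sid for sid, rx in strings.items() if rx.search(buf)}
        if cond(hit):
            matched.append(name)
    return matched

# Constructed sample buffers (no real malware), each exercising one condition.
SAMPLE_TWOPENCE = b"\x00ssylka\x00poluchit\x00derzhat\x00vykhodit\x00Host: %s%s%s:%hu\x00"
SAMPLE_THREE_CMDS = b"ssylka poluchit derzhat Host: %s%s%s:%hu"  # only 3 cmd strings
SAMPLE_HEX_JUMP = b"\xfb\x19\x9d\x57\x01\x02\x03\x9a\xd1\xd6\xd1\x0a\x42\x9e\xd8\xfd"
SAMPLE_WIDE_PATH = "C:\\WINDOWS\\Temp\\TMP0389A.tmp".encode("utf-16-le")
```

Note that SAMPLE_THREE_CMDS contains a format string but only three command strings, so the TWOPENCE condition correctly fails, and SAMPLE_WIDE_PATH matches only because $sn5 carries both wide and nocase.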

YARA rules credited to: www.cisa.gov
