
Rewterz Threat Alert – ColdStealer Malware – Active IOCs

Severity

High

Analysis Summary

A new piece of malware named ColdStealer has been discovered by a security researcher. It has been observed being distributed in two ways:

  1. On its own, as a single malware file, in the same way CryptBot and RedLine are distributed.
  2. Inside a dropper, which decompresses and executes several pieces of malware, ColdStealer among them.

The malware has six main functions:

  • Stealing cryptocurrency wallet information
  • Stealing system information
  • Sending exception (error) information back to the operator
  • Stealing browser information
  • File hijacking
  • Communicating with the C2 server

Source: ASEC

If the dropper contains a downloader component, executing that downloader fetches the ColdStealer payload from the C2 server.

Impact

  • Credential Theft
  • Information Theft
  • Exposure of Sensitive Data

Indicators of Compromise


Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
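The two remediation steps above, as an added example that is not part of the original advisory: it refangs indicators written in the advisory's defanged notation (hxxp, [:], [.]) so they can be loaded into a blocklist, and sweeps a directory tree for files whose MD5, SHA-1 or SHA-256 matches an IOC set. The indicator values and sample file are constructed placeholders, not the advisory's real IOCs.

```python
import hashlib
import os
import re
import tempfile

# Constructed placeholders in the advisory's defanged notation; not the advisory's real indicators.
SAMPLE_DEFANGED = ["http[:]//c2-placeholder[.]invalid", "hxxp://drop-placeholder[.]invalid/a.exe"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator (hxxp, [:], [.], [dot]) into the form a blocklist needs."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[:]", ":"), ("[.]", "."), ("[dot]", ".")):
        s = s.replace(defanged, real)
    return s


def hash_file(path: str) -> dict:
    """Compute MD5, SHA-1 and SHA-256 in one pass so every hash type in the advisory can be matched."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def sweep(root: str, ioc_hashes: set) -> list:
    """Walk root and return (path, algorithm, digest) for every file whose hash is in ioc_hashes."""
    wanted = {h.lower() for h in ioc_hashes}  # advisories mix hash case; normalise once
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits += [(path, a, d) for a, d in hash_file(path).items() if d in wanted]
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
    return hits


def demo() -> dict:
    """Self-contained run over a constructed temp directory: one 'malicious' sample, one benign file."""
    sample = b"constructed sample bytes standing in for a ColdStealer dropper"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(sample)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign")
        iocs = {hashlib.sha256(sample).hexdigest().upper()}  # uppercase to exercise case handling
        hits = sweep(root, iocs)
    return {"blocklist": [refang(u) for u in SAMPLE_DEFANGED],
            "hit_count": len(hits), "hit_algos": sorted(a for _, a, _ in hits)}


if __name__ == "__main__":
    print(demo())
```

In a real sweep, load the advisory's hash lists into the `ioc_hashes` set and point `sweep` at the paths the dropper is likely to write to; the refanged URLs go to the proxy or DNS blocklist.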