Crypt0l0cker (TorrentLocker): Old Dog, New Tricks


Ransomware continues to be a plague on the internet and remains the fastest-growing malware family we have seen in recent years. In this post we describe the technical details of a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution; the adversaries update and improve the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We already saw large campaigns targeting Europe and other parts of the world in 2014 and 2015. It appears that the actors behind these campaigns are back and are once again launching massive spam attacks. This post will also give you insight into the level of sophistication this malware has reached.

REFERENCE: http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html

Indicators of Compromise:

