Poseidon Malware IoCs
Poseidon Payload SHA-256 Hashes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 Address / Domain
70[.]34[.]214[.]252
sharing1[.]filesharetalk[.]com/bosshelp
YARA RULE
// Detection rule for the Poseidon payload. Fires when any one of the three
// patterns below is present; the strings are independent, so a single hit is
// enough for a match (see condition).
rule poseidon_elf{
strings:
// Opcode sequence from the payload's main routine; `??` and `?`-nibble
// wildcards absorb call/lea displacements that vary between builds.
$main_func = {E8 ?? 2? D4 FF 31 C0 48 8D 1D ?? 0B 00}
// Longer opcode sequence around a command-dispatch call (argument loads,
// a wildcarded call target, then stack restore and ret). Split across
// lines only for readability; YARA treats it as one hex string.
$command_call = {48 8B 42 08 48 8B 5A 10 48 8B 4A 18 48 8B 7A 20 F2
0F 10 42 28 48 8B 72 30 4C 8B 42 38 4C 8B 4A 40 66 90 E8 ?B ?? F?
FF 48 8B 6C 24 40 48 83 C4 48 C3}
// Plaintext marker string embedded in the binary. Cheapest of the three
// to scan for, but also the easiest for a variant to rename.
$s1 = "poseidon_tcp"
condition:
// NOTE(review): the rule name says ELF, but nothing here gates on the file
// type (e.g. an ELF magic check), so it is evaluated against every scanned
// file; confirm whether that is intended or whether a header check should
// be added to cut false positives and scan cost.
$main_func or $command_call or $s1
}