From 9a615e1afda064de6727814eb4a3871db0c05ce8 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sun, 12 Jan 2025 22:40:13 -0500
Subject: [PATCH] Upload files to "yara"
---
 yara/Bifrost-suricata-20250112.txt | 2 +
 yara/Bifrost-yara-20250112.yar | 12 +
 yara/BlackTech-suricata-20250112.txt | 64 +++++
 yara/BlackTech-yara-20250112.yar | 324 ++++++++++++++++++++++++++
 yara/Flagpro-suricata-20250112.txt | 10 +
 yara/Flagpro-yara-20250112.yar | 24 ++
 yara/Plead-suricata-20250112.txt | Bin 0 -> 1024 bytes
 yara/Plead-yara-20250112.yar | 22 ++
 yara/TsCookie-suricata-20250112.txt | 6 +
 yara/TsCookie-yara-20250112.yar | 61 +++++
 yara/TsCookiev2-suricata-20250112.txt | Bin 0 -> 1024 bytes
 yara/TsCookiev2-yara-20250112.yar | 13 ++
 yara/waterbear-suricata-20250112.txt | 24 ++
 yara/waterbear-yara-20250112.yar | 79 +++++++
 14 files changed, 641 insertions(+)
 create mode 100644 yara/Bifrost-suricata-20250112.txt
 create mode 100644 yara/Bifrost-yara-20250112.yar
 create mode 100644 yara/BlackTech-suricata-20250112.txt
 create mode 100644 yara/BlackTech-yara-20250112.yar
 create mode 100644 yara/Flagpro-suricata-20250112.txt
 create mode 100644 yara/Flagpro-yara-20250112.yar
 create mode 100644 yara/Plead-suricata-20250112.txt
 create mode 100644 yara/Plead-yara-20250112.yar
 create mode 100644 yara/TsCookie-suricata-20250112.txt
 create mode 100644 yara/TsCookie-yara-20250112.yar
 create mode 100644 yara/TsCookiev2-suricata-20250112.txt
 create mode 100644 yara/TsCookiev2-yara-20250112.yar
 create mode 100644 yara/waterbear-suricata-20250112.txt
 create mode 100644 yara/waterbear-yara-20250112.yar
diff --git a/yara/Bifrost-suricata-20250112.txt b/yara/Bifrost-suricata-20250112.txt
new file mode 100644
index 0000000..1435810
--- /dev/null
+++ b/yara/Bifrost-suricata-20250112.txt
@@ -0,0 +1,2 @@
+alert ip 107.191.61.247 any -> any any (msg:"Suspicious Bifrost IP detected Entering Network: 107.191.61.247 (source) - APT Group: BlackTech"; sid:7744721591; rev:1;)
+alert ip any any -> 107.191.61.247 any (msg:"Suspicious Bifrost IP detected Leaving Network: 107.191.61.247 (destination) - APT Group: BlackTech"; sid:7744721592; rev:1;)
diff --git a/yara/Bifrost-yara-20250112.yar b/yara/Bifrost-yara-20250112.yar
new file mode 100644
index 0000000..232e20b
--- /dev/null
+++ b/yara/Bifrost-yara-20250112.yar
@@ -0,0 +1,12 @@
+Bifrost_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $ip_107_191_61_247 = "107.191.61.247"
+ $md5_8fd3925dadf37bebcc8844214f2bcd18 = "8fd3925dadf37bebcc8844214f2bcd18"
+ condition:
+ any of them
+}
diff --git a/yara/BlackTech-suricata-20250112.txt b/yara/BlackTech-suricata-20250112.txt
new file mode 100644
index 0000000..2c431f0
--- /dev/null
+++ b/yara/BlackTech-suricata-20250112.txt
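Review bot: `sid:7744721591` and `sid:7744721592` exceed the 32-bit limit Suricata applies to sid (4294967295), so both rules are rejected when the file is loaded; the same overflow occurs in BlackTech-suricata-20250112.txt (e.g. `sid:7681016193`, `sid:9801135185`) and Flagpro-suricata-20250112.txt (`sid:9643976871`), and the remaining sids look randomly chosen rather than allocated from a block reserved for local rules, which invites collisions with vendor rulesets. The messages say "Entering Network" and "Leaving Network", but the rules match `-> any any` and `any any ->`, so they also fire on traffic that never touches the monitored network; `alert ip 107.191.61.247 any -> $HOME_NET any (...)` and `alert ip $HOME_NET any -> 107.191.61.247 any (...)` make each rule match its own message. None of the rules in this commit carry `classtype`, `reference` or `metadata` keywords, so an analyst triaging an alert cannot see where the indicator came from or how old it is; a `metadata:created_at 2025_01_12;` entry and a `reference:url,<source-report-url>;` (placeholder) would supply that.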
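Review bot: `Bifrost_IOCs {` on the first line of the rule is missing the `rule` keyword, so yara refuses to compile this file; the same applies to `BlackTech_IOCs {` and `Flagpro_IOCs {` in the other two .yar files of this commit. The `$md5_8fd3925dadf37bebcc8844214f2bcd18` string can only match a file that literally contains that hex text (a report or log line), never the sample itself, because a file does not contain its own MD5; matching the sample needs the hash module, and the same holds for every `$md5_*` string in BlackTech-yara-20250112.yar and every `$sha256_*` string in Flagpro-yara-20250112.yar (`hash.sha256(0, filesize)` there). Adding `ascii wide` to the IP string is optional but catches a UTF-16 copy of the address as well. Proposed rewrite of the rule:
```yara
import "hash"

rule Bifrost_IOCs {
    meta:
        // … unchanged: creator, date, description, apt_group …
    strings:
        $ip_107_191_61_247 = "107.191.61.247" ascii wide
    condition:
        any of ($ip*) or
        hash.md5(0, filesize) == "8fd3925dadf37bebcc8844214f2bcd18"
}
```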
@@ -0,0 +1,64 @@
+alert ip 59.124.71.29 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 59.124.71.29 (source) - APT Group: BlackTech"; sid:754179006; rev:1;)
+alert ip any any -> 59.124.71.29 any (msg:"Suspicious BlackTech IP detected Leaving Network: 59.124.71.29 (destination) - APT Group: BlackTech"; sid:754179007; rev:1;)
+alert ip 61.56.11.42 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 61.56.11.42 (source) - APT Group: BlackTech"; sid:7681016193; rev:1;)
+alert ip any any -> 61.56.11.42 any (msg:"Suspicious BlackTech IP detected Leaving Network: 61.56.11.42 (destination) - APT Group: BlackTech"; sid:7681016194; rev:1;)
+alert ip 210.242.211.175 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 210.242.211.175 (source) - APT Group: BlackTech"; sid:3725887954; rev:1;)
+alert ip any any -> 210.242.211.175 any (msg:"Suspicious BlackTech IP detected Leaving Network: 210.242.211.175 (destination) - APT Group: BlackTech"; sid:3725887955; rev:1;)
+alert ip 114.27.132.233 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 114.27.132.233 (source) - APT Group: BlackTech"; sid:709943673; rev:1;)
+alert ip any any -> 114.27.132.233 any (msg:"Suspicious BlackTech IP detected Leaving Network: 114.27.132.233 (destination) - APT Group: BlackTech"; sid:709943674; rev:1;)
+alert ip 122.117.107.178 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 122.117.107.178 (source) - APT Group: BlackTech"; sid:2924766347; rev:1;)
+alert ip any any -> 122.117.107.178 any (msg:"Suspicious BlackTech IP detected Leaving Network: 122.117.107.178 (destination) - APT Group: BlackTech"; sid:2924766348; rev:1;)
+alert ip 59.125.132.175 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 59.125.132.175 (source) - APT Group: BlackTech"; sid:1025446180; rev:1;)
+alert ip any any -> 59.125.132.175 any (msg:"Suspicious BlackTech IP detected Leaving Network: 59.125.132.175 (destination) - APT Group: BlackTech"; sid:1025446181; rev:1;)
+alert ip 211.23.191.4 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 211.23.191.4 (source) - APT Group: BlackTech"; sid:1096202446; rev:1;)
+alert ip any any -> 211.23.191.4 any (msg:"Suspicious BlackTech IP detected Leaving Network: 211.23.191.4 (destination) - APT Group: BlackTech"; sid:1096202447; rev:1;)
+alert ip 220.132.50.81 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 220.132.50.81 (source) - APT Group: BlackTech"; sid:380105595; rev:1;)
+alert ip any any -> 220.132.50.81 any (msg:"Suspicious BlackTech IP detected Leaving Network: 220.132.50.81 (destination) - APT Group: BlackTech"; sid:380105596; rev:1;)
+alert ip 61.222.32.205 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 61.222.32.205 (source) - APT Group: BlackTech"; sid:3491818927; rev:1;)
+alert ip any any -> 61.222.32.205 any (msg:"Suspicious BlackTech IP detected Leaving Network: 61.222.32.205 (destination) - APT Group: BlackTech"; sid:3491818928; rev:1;)
+alert ip 220.134.98.3 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 220.134.98.3 (source) - APT Group: BlackTech"; sid:2758518549; rev:1;)
+alert ip any any -> 220.134.98.3 any (msg:"Suspicious BlackTech IP detected Leaving Network: 220.134.98.3 (destination) - APT Group: BlackTech"; sid:2758518550; rev:1;)
+alert ip 1.170.118.233 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 1.170.118.233 (source) - APT Group: BlackTech"; sid:9801135185; rev:1;)
+alert ip any any -> 1.170.118.233 any (msg:"Suspicious BlackTech IP detected Leaving Network: 1.170.118.233 (destination) - APT Group: BlackTech"; sid:9801135186; rev:1;)
+alert ip 60.251.199.226 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 60.251.199.226 (source) - APT Group: BlackTech"; sid:9774568301; rev:1;)
+alert ip any any -> 60.251.199.226 any (msg:"Suspicious BlackTech IP detected Leaving Network: 60.251.199.226 (destination) - APT Group: BlackTech"; sid:9774568302; rev:1;)
+alert ip 123.110.131.86 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 123.110.131.86 (source) - APT Group: BlackTech"; sid:3997918156; rev:1;)
+alert ip any any -> 123.110.131.86 any (msg:"Suspicious BlackTech IP detected Leaving Network: 123.110.131.86 (destination) - APT Group: BlackTech"; sid:3997918157; rev:1;)
+alert ip 59.120.169.51 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 59.120.169.51 (source) - APT Group: BlackTech"; sid:216812622; rev:1;)
+alert ip any any -> 59.120.169.51 any (msg:"Suspicious BlackTech IP detected Leaving Network: 59.120.169.51 (destination) - APT Group: BlackTech"; sid:216812623; rev:1;)
+alert ip 220.133.73.13 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 220.133.73.13 (source) - APT Group: BlackTech"; sid:1823793281; rev:1;)
+alert ip any any -> 220.133.73.13 any (msg:"Suspicious BlackTech IP detected Leaving Network: 220.133.73.13 (destination) - APT Group: BlackTech"; sid:1823793282; rev:1;)
+alert ip 220.134.10.17 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 220.134.10.17 (source) - APT Group: BlackTech"; sid:4706859242; rev:1;)
+alert ip any any -> 220.134.10.17 any (msg:"Suspicious BlackTech IP detected Leaving Network: 220.134.10.17 (destination) - APT Group: BlackTech"; sid:4706859243; rev:1;)
+alert ip 60.249.208.167 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 60.249.208.167 (source) - APT Group: BlackTech"; sid:5130034148; rev:1;)
+alert ip any any -> 60.249.208.167 any (msg:"Suspicious BlackTech IP detected Leaving Network: 60.249.208.167 (destination) - APT Group: BlackTech"; sid:5130034149; rev:1;)
+alert ip 118.163.168.223 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 118.163.168.223 (source) - APT Group: BlackTech"; sid:370437273; rev:1;)
+alert ip any any -> 118.163.168.223 any (msg:"Suspicious BlackTech IP detected Leaving Network: 118.163.168.223 (destination) - APT Group: BlackTech"; sid:370437274; rev:1;)
+alert ip 111.249.102.102 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 111.249.102.102 (source) - APT Group: BlackTech"; sid:9108918494; rev:1;)
+alert ip any any -> 111.249.102.102 any (msg:"Suspicious BlackTech IP detected Leaving Network: 111.249.102.102 (destination) - APT Group: BlackTech"; sid:9108918495; rev:1;)
+alert ip 61.58.90.11 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 61.58.90.11 (source) - APT Group: BlackTech"; sid:3978267590; rev:1;)
+alert ip any any -> 61.58.90.11 any (msg:"Suspicious BlackTech IP detected Leaving Network: 61.58.90.11 (destination) - APT Group: BlackTech"; sid:3978267591; rev:1;)
+alert ip 125.227.225.181 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 125.227.225.181 (source) - APT Group: BlackTech"; sid:7005467689; rev:1;)
+alert ip any any -> 125.227.225.181 any (msg:"Suspicious BlackTech IP detected Leaving Network: 125.227.225.181 (destination) - APT Group: BlackTech"; sid:7005467690; rev:1;)
+alert ip 118.163.14.17 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 118.163.14.17 (source) - APT Group: BlackTech"; sid:2425784574; rev:1;)
+alert ip any any -> 118.163.14.17 any (msg:"Suspicious BlackTech IP detected Leaving Network: 118.163.14.17 (destination) - APT Group: BlackTech"; sid:2425784575; rev:1;)
+alert ip 122.147.248.69 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 122.147.248.69 (source) - APT Group: BlackTech"; sid:741663504; rev:1;)
+alert ip any any -> 122.147.248.69 any (msg:"Suspicious BlackTech IP detected Leaving Network: 122.147.248.69 (destination) - APT Group: BlackTech"; sid:741663505; rev:1;)
+alert ip 125.227.241.2 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 125.227.241.2 (source) - APT Group: BlackTech"; sid:3174873956; rev:1;)
+alert ip any any -> 125.227.241.2 any (msg:"Suspicious BlackTech IP detected Leaving Network: 125.227.241.2 (destination) - APT Group: BlackTech"; sid:3174873957; rev:1;)
+alert ip 114.39.59.244 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 114.39.59.244 (source) - APT Group: BlackTech"; sid:8569925249; rev:1;)
+alert ip any any -> 114.39.59.244 any (msg:"Suspicious BlackTech IP detected Leaving Network: 114.39.59.244 (destination) - APT Group: BlackTech"; sid:8569925250; rev:1;)
+alert ip 59.125.7.185 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 59.125.7.185 (source) - APT Group: BlackTech"; sid:1118471843; rev:1;)
+alert ip any any -> 59.125.7.185 any (msg:"Suspicious BlackTech IP detected Leaving Network: 59.125.7.185 (destination) - APT Group: BlackTech"; sid:1118471844; rev:1;)
+alert ip 61.219.96.18 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 61.219.96.18 (source) - APT Group: BlackTech"; sid:1486351566; rev:1;)
+alert ip any any -> 61.219.96.18 any (msg:"Suspicious BlackTech IP detected Leaving Network: 61.219.96.18 (destination) - APT Group: BlackTech"; sid:1486351567; rev:1;)
+alert ip 61.58.90.63 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 61.58.90.63 (source) - APT Group: BlackTech"; sid:576420246; rev:1;)
+alert ip any any -> 61.58.90.63 any (msg:"Suspicious BlackTech IP detected Leaving Network: 61.58.90.63 (destination) - APT Group: BlackTech"; sid:576420247; rev:1;)
+alert ip 210.67.101.84 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 210.67.101.84 (source) - APT Group: BlackTech"; sid:3472083329; rev:1;)
+alert ip any any -> 210.67.101.84 any (msg:"Suspicious BlackTech IP detected Leaving Network: 210.67.101.84 (destination) - APT Group: BlackTech"; sid:3472083330; rev:1;)
+alert ip 203.74.123.121 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 203.74.123.121 (source) - APT Group: BlackTech"; sid:3303612154; rev:1;)
+alert ip any any -> 203.74.123.121 any (msg:"Suspicious BlackTech IP detected Leaving Network: 203.74.123.121 (destination) - APT Group: BlackTech"; sid:3303612155; rev:1;)
+alert ip 18.163.14.17 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 18.163.14.17 (source) - APT Group: BlackTech"; sid:5957364886; rev:1;)
+alert ip any any -> 18.163.14.17 any (msg:"Suspicious BlackTech IP detected Leaving Network: 18.163.14.17 (destination) - APT Group: BlackTech"; sid:5957364887; rev:1;)
+alert ip 177.135.177.54 any -> any any (msg:"Suspicious BlackTech IP detected Entering Network: 177.135.177.54 (source) - APT Group: BlackTech"; sid:4954509509; rev:1;)
+alert ip any any -> 177.135.177.54 any (msg:"Suspicious BlackTech IP detected Leaving Network: 177.135.177.54 (destination) - APT Group: BlackTech"; sid:4954509510; rev:1;)
diff --git a/yara/BlackTech-yara-20250112.yar b/yara/BlackTech-yara-20250112.yar
new file mode 100644
index 0000000..721eb78
--- /dev/null
+++ b/yara/BlackTech-yara-20250112.yar
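Review bot: `18.163.14.17` (`sid:5957364886` and `sid:5957364887`, near the end of the hunk) differs from `118.163.14.17` a few rules earlier only by a missing leading digit, which looks like a truncated copy rather than a second indicator, though the patch alone cannot settle that. Because an `alert ip` rule fires on every packet to or from the address, a wrong entry here is a standing source of false positives, so it should be checked against the source report and dropped unless it is independently attested. The same pair appears as `$ip_18_163_14_17` and `$ip_118_163_14_17` in yara/BlackTech-yara-20250112.yar.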
@@ -0,0 +1,324 @@
+BlackTech_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $ip_59_124_71_29 = "59.124.71.29"
+ $ip_61_56_11_42 = "61.56.11.42"
+ $ip_210_242_211_175 = "210.242.211.175"
+ $ip_114_27_132_233 = "114.27.132.233"
+ $ip_122_117_107_178 = "122.117.107.178"
+ $ip_59_125_132_175 = "59.125.132.175"
+ $ip_211_23_191_4 = "211.23.191.4"
+ $ip_220_132_50_81 = "220.132.50.81"
+ $ip_61_222_32_205 = "61.222.32.205"
+ $ip_220_134_98_3 = "220.134.98.3"
+ $ip_1_170_118_233 = "1.170.118.233"
+ $ip_60_251_199_226 = "60.251.199.226"
+ $ip_123_110_131_86 = "123.110.131.86"
+ $ip_59_120_169_51 = "59.120.169.51"
+ $ip_220_133_73_13 = "220.133.73.13"
+ $ip_220_134_10_17 = "220.134.10.17"
+ $ip_60_249_208_167 = "60.249.208.167"
+ $ip_118_163_168_223 = "118.163.168.223"
+ $ip_111_249_102_102 = "111.249.102.102"
+ $ip_61_58_90_11 = "61.58.90.11"
+ $ip_125_227_225_181 = "125.227.225.181"
+ $ip_118_163_14_17 = "118.163.14.17"
+ $ip_122_147_248_69 = "122.147.248.69"
+ $ip_125_227_241_2 = "125.227.241.2"
+ $ip_114_39_59_244 = "114.39.59.244"
+ $ip_59_125_7_185 = "59.125.7.185"
+ $ip_61_219_96_18 = "61.219.96.18"
+ $ip_61_58_90_63 = "61.58.90.63"
+ $ip_210_67_101_84 = "210.67.101.84"
+ $ip_203_74_123_121 = "203.74.123.121"
+ $ip_18_163_14_17 = "18.163.14.17"
+ $ip_177_135_177_54 = "177.135.177.54"
+ $md5_34a0be585725b0076e017c8fcb0fc180 = "34a0be585725b0076e017c8fcb0fc180"
+ $md5_1423e253f7a8954ca3c74432b5e4d038 = "1423e253f7a8954ca3c74432b5e4d038"
+ $md5_b7bf246b1481b24ff262cd03c53caf15 = "b7bf246b1481b24ff262cd03c53caf15"
+ $md5_fda02aaff2ea8c91283f1041257cf36f = "fda02aaff2ea8c91283f1041257cf36f"
+ $md5_3d341703a981388b3fde70173a172f89 = "3d341703a981388b3fde70173a172f89"
+ $md5_59e9af5b230f46df15e076cd6dd82d1e = "59e9af5b230f46df15e076cd6dd82d1e"
+ $md5_bd917f5ac3dc380a6fc53c60c9223deb = "bd917f5ac3dc380a6fc53c60c9223deb"
+ $md5_e5c8b3017d309a7383c9504d7e318596 = "e5c8b3017d309a7383c9504d7e318596"
+ $md5_926f008ef342ae1cc138687ff68a424a = "926f008ef342ae1cc138687ff68a424a"
+ $md5_1c460850b55125a7d1f554ee0203fa25 = "1c460850b55125a7d1f554ee0203fa25"
+ $md5_65f4245e3e7f80c47c7e5b7aa23c5920 = "65f4245e3e7f80c47c7e5b7aa23c5920"
+ $md5_2a94c32c20dd4632e0a5084b134e6344 = "2a94c32c20dd4632e0a5084b134e6344"
+ $md5_cc18bdaf99fa701796518db86e651702 = "cc18bdaf99fa701796518db86e651702"
+ $md5_6a97ff47b8d715be62305ff15fb47332 = "6a97ff47b8d715be62305ff15fb47332"
+ $md5_9bb0135b4808331933490d4749d30c11 = "9bb0135b4808331933490d4749d30c11"
+ $md5_ab9b323901bcf38b8b990db3cae2b596 = "ab9b323901bcf38b8b990db3cae2b596"
+ $md5_87af1c51d21d13899db75f675b1faa87 = "87af1c51d21d13899db75f675b1faa87"
+ $md5_dc2b8aefe8bd08f196ea7a6f0caa2764 = "dc2b8aefe8bd08f196ea7a6f0caa2764"
+ $md5_cad875330c25231211fc9a416c3846b7 = "cad875330c25231211fc9a416c3846b7"
+ $md5_019ef03e6b34991c31518ceafa3c6498 = "019ef03e6b34991c31518ceafa3c6498"
+ $md5_0db2c1195c97fc909b6fdb4b09227457 = "0db2c1195c97fc909b6fdb4b09227457"
+ $md5_eae2ea929c754a6d65e2b216e5d32e7a = "eae2ea929c754a6d65e2b216e5d32e7a"
+ $md5_a11d30dcfb8cedcb56dad172b213f388 = "a11d30dcfb8cedcb56dad172b213f388"
+ $md5_5694a226f66e3b07aeb188a54304b371 = "5694a226f66e3b07aeb188a54304b371"
+ $md5_b04fab560ac090e0ff3f1c602f3fcfd7 = "b04fab560ac090e0ff3f1c602f3fcfd7"
+ $md5_299d0c5f43e59fc9415d70816aee56c6 = "299d0c5f43e59fc9415d70816aee56c6"
+ $md5_296dcc2bd1f6359466ff068c8001bbec = "296dcc2bd1f6359466ff068c8001bbec"
+ $md5_5a7d8fe286333416796cefc19b0f5cba = "5a7d8fe286333416796cefc19b0f5cba"
+ $md5_57c0114780d2860a3adbae095c72a97d = "57c0114780d2860a3adbae095c72a97d"
+ $md5_6b18b1e939e5a06303220ee16f045a50 = "6b18b1e939e5a06303220ee16f045a50"
+ $md5_062bcc4ed28b41bab70d7efc2e8b1b11 = "062bcc4ed28b41bab70d7efc2e8b1b11"
+ $md5_3214cdac71fa4313d195eb81eace4db8 = "3214cdac71fa4313d195eb81eace4db8"
+ $md5_1fe7391ac994bf37d7ccb9c7358c4419 = "1fe7391ac994bf37d7ccb9c7358c4419"
+ $md5_1134972f093ab1ef08b912cabbc43b39 = "1134972f093ab1ef08b912cabbc43b39"
+ $md5_b2559336f0e73830a411ce6032474d6e = "b2559336f0e73830a411ce6032474d6e"
+ $md5_f0c1cc799d56d58f528f41039895f8f8 = "f0c1cc799d56d58f528f41039895f8f8"
+ $md5_65a4384fcbe3d010a57a8530b27e0a4e = "65a4384fcbe3d010a57a8530b27e0a4e"
+ $md5_7a00205cdb74c1d5811cc3c44739a348 = "7a00205cdb74c1d5811cc3c44739a348"
+ $md5_6ea02a64df51ab2f12530ffd2e3688de = "6ea02a64df51ab2f12530ffd2e3688de"
+ $md5_5699884869d8796ab33416c3af5305a2 = "5699884869d8796ab33416c3af5305a2"
+ $md5_4085f90f6934422921bd8602f0a975c0 = "4085f90f6934422921bd8602f0a975c0"
+ $md5_fa4bb0c43fcfaaa4d98d6322c376281d = "fa4bb0c43fcfaaa4d98d6322c376281d"
+ $md5_18c409071622553a1d66e0a02d261f7f = "18c409071622553a1d66e0a02d261f7f"
+ $md5_d39b01a44f1487c4bb3c68a528438144 = "d39b01a44f1487c4bb3c68a528438144"
+ $md5_b9b6488f990a96a1c2f5c3e99a43a212 = "b9b6488f990a96a1c2f5c3e99a43a212"
+ $md5_737c6923effeee58717f613db304955a = "737c6923effeee58717f613db304955a"
+ $md5_662edc1100e2d8863bf713ae47985245 = "662edc1100e2d8863bf713ae47985245"
+ $md5_5f06d234fc285ee9f127f95206696796 = "5f06d234fc285ee9f127f95206696796"
+ $md5_96be4a1c418f10c50659bab0b25b9115 = "96be4a1c418f10c50659bab0b25b9115"
+ $md5_34e38d4b970be9f19b6f29c83023b498 = "34e38d4b970be9f19b6f29c83023b498"
+ $md5_73fabddce8887d0253503daa4a50fdf7 = "73fabddce8887d0253503daa4a50fdf7"
+ $md5_64ec5419edd9ff050d839845a0a5bea3 = "64ec5419edd9ff050d839845a0a5bea3"
+ $md5_5633009e7ce55be0213e76c74fdcf9d6 = "5633009e7ce55be0213e76c74fdcf9d6"
+ $md5_cab9d743c0868f7edfe11fa9fb99262b = "cab9d743c0868f7edfe11fa9fb99262b"
+ $md5_8a81e6a62d3bdcffe074807d7173840f = "8a81e6a62d3bdcffe074807d7173840f"
+ $md5_7a1b0e86d2c7da3f52c74a4ce4b675af = "7a1b0e86d2c7da3f52c74a4ce4b675af"
+ $md5_7745f7a89aa20da8d681fee4f25741df = "7745f7a89aa20da8d681fee4f25741df"
+ $md5_5fc4a20161b6d95d5bd0c0567472c4b0 = "5fc4a20161b6d95d5bd0c0567472c4b0"
+ $md5_9e529a8fbc25cc73bafc1e9d881f320f = "9e529a8fbc25cc73bafc1e9d881f320f"
+ $md5_9b6f818f769655c8618ae0420bc994ec = "9b6f818f769655c8618ae0420bc994ec"
+ $md5_8edf98a3e38cf8e2a5414f2ff9a1c2a6 = "8edf98a3e38cf8e2a5414f2ff9a1c2a6"
+ $md5_ea1a6799ee02bcadf70b34f7801e525f = "ea1a6799ee02bcadf70b34f7801e525f"
+ $md5_259ce74e8a6ddc2507efa64371f3d45e = "259ce74e8a6ddc2507efa64371f3d45e"
+ $md5_6d355a4339f92d6056f2708194213440 = "6d355a4339f92d6056f2708194213440"
+ $md5_76055e90b1e1e9d67139c7645c21092e = "76055e90b1e1e9d67139c7645c21092e"
+ $md5_0929230644a301857bac09379257883a = "0929230644a301857bac09379257883a"
+ $md5_22ede86834e0060a88d6f45ce3982277 = "22ede86834e0060a88d6f45ce3982277"
+ $md5_ec7c6b43beec56df72cb74dd28b5b1d2 = "ec7c6b43beec56df72cb74dd28b5b1d2"
+ $md5_76b464c98790d8f01e02d24b53f4486d = "76b464c98790d8f01e02d24b53f4486d"
+ $md5_93b68ae2023940bb2e8506d6131d9d27 = "93b68ae2023940bb2e8506d6131d9d27"
+ $md5_289286f8289b707d41e74a199a88be64 = "289286f8289b707d41e74a199a88be64"
+ $md5_97fdb683e7b56bdf198d2b4c0e9b2715 = "97fdb683e7b56bdf198d2b4c0e9b2715"
+ $md5_70b31b12a5ba644de0093970af9866b8 = "70b31b12a5ba644de0093970af9866b8"
+ $md5_2267326efac998fa4ddbc7d8e3940c0d = "2267326efac998fa4ddbc7d8e3940c0d"
+ $md5_6c145f1ad75de785a75903a4a5d485e8 = "6c145f1ad75de785a75903a4a5d485e8"
+ $md5_28da4707d69de5cc3d544d6a90fff8ff = "28da4707d69de5cc3d544d6a90fff8ff"
+ $md5_4446ba673bc5c2adf31823301a4fdd3a = "4446ba673bc5c2adf31823301a4fdd3a"
+ $md5_37bf2df225650b39c9874ecf392a9a9b = "37bf2df225650b39c9874ecf392a9a9b"
+ $md5_976f0e7d1b1d5a4c5dc3f714885134dd = "976f0e7d1b1d5a4c5dc3f714885134dd"
+ $md5_468571266346f4b659b948a67e8ab005 = "468571266346f4b659b948a67e8ab005"
+ $md5_1d87a00f54a16f9c0ee135731296eb58 = "1d87a00f54a16f9c0ee135731296eb58"
+ $md5_8820d713e7052abe411cccb92c365783 = "8820d713e7052abe411cccb92c365783"
+ $md5_f77bd5d0d0b85c0fb2f986d952891071 = "f77bd5d0d0b85c0fb2f986d952891071"
+ $md5_410ceb4d5008887a66587130d57adeee = "410ceb4d5008887a66587130d57adeee"
+ $md5_09d1ebf1a6c10083f8d66003418e6e06 = "09d1ebf1a6c10083f8d66003418e6e06"
+ $md5_9d014bc00ecb311db63beeadf0d8bb19 = "9d014bc00ecb311db63beeadf0d8bb19"
+ $md5_5b83dcd3f6615e9b18104088523eaaf3 = "5b83dcd3f6615e9b18104088523eaaf3"
+ $md5_3d356c2d84c39bab9fcb1fea1a132f6a = "3d356c2d84c39bab9fcb1fea1a132f6a"
+ $md5_e448666cf15651eff32e7296f2f57206 = "e448666cf15651eff32e7296f2f57206"
+ $md5_b3dfe482568c508bc21f8da8a291f2cd = "b3dfe482568c508bc21f8da8a291f2cd"
+ $md5_5e72bcafef281999bafeff7b9085dc7c = "5e72bcafef281999bafeff7b9085dc7c"
+ $md5_01a916c6863f98d8126bb75a4f291a5d = "01a916c6863f98d8126bb75a4f291a5d"
+ $md5_47a0e644aae76b040aaecf7f7b75404b = "47a0e644aae76b040aaecf7f7b75404b"
+ $md5_c56f890e9a3e4d9ffd2aba80d95b2f89 = "c56f890e9a3e4d9ffd2aba80d95b2f89"
+ $md5_8d31ebecdf790a80175d358212b3dd19 = "8d31ebecdf790a80175d358212b3dd19"
+ $md5_a735b9c81e6cffd576abd914cc635aea = "a735b9c81e6cffd576abd914cc635aea"
+ $md5_a2bfef210952aa4177ec03000b231228 = "a2bfef210952aa4177ec03000b231228"
+ $md5_791dbd6071c8d5e04fcaad95b9b6a039 = "791dbd6071c8d5e04fcaad95b9b6a039"
+ $md5_089d583667b28c2182be1b65b74c2ffb = "089d583667b28c2182be1b65b74c2ffb"
+ $md5_b0969efc34fe6d06542942b14295305b = "b0969efc34fe6d06542942b14295305b"
+ $md5_601a4718678a290c004b531b498e40fa = "601a4718678a290c004b531b498e40fa"
+ $md5_811ad8d894c461c446843de4a9a3fd42 = "811ad8d894c461c446843de4a9a3fd42"
+ $md5_dcd88df79393a92bbf29824580649d0c = "dcd88df79393a92bbf29824580649d0c"
+ $md5_18ca4159820c1766f358de2ffc92a271 = "18ca4159820c1766f358de2ffc92a271"
+ $md5_50ee06096d78ca5eff8d19de8aacf76e = "50ee06096d78ca5eff8d19de8aacf76e"
+ $md5_fd016b952c98a8be9c51c44d2a288c71 = "fd016b952c98a8be9c51c44d2a288c71"
+ $md5_3470568793761e75d72eb0c99a4bb6ec = "3470568793761e75d72eb0c99a4bb6ec"
+ $md5_cb612bd16abae8bdbd551e78278988f4 = "cb612bd16abae8bdbd551e78278988f4"
+ $md5_cea5d1fcf92da7212bcdc2989a3518e7 = "cea5d1fcf92da7212bcdc2989a3518e7"
+ $md5_7d166e7a86084eeae5f42211ace8622c = "7d166e7a86084eeae5f42211ace8622c"
+ $md5_69d83dd95abf0f3e9cccaf30d909d8ab = "69d83dd95abf0f3e9cccaf30d909d8ab"
+ $md5_f7675431685701edb506ffebc182f6ef = "f7675431685701edb506ffebc182f6ef"
+ $md5_4bcb99623c05fc2abaa1b4090b0bee6c = "4bcb99623c05fc2abaa1b4090b0bee6c"
+ $md5_c6e098547bace9c4844dd99230a525b8 = "c6e098547bace9c4844dd99230a525b8"
+ $md5_5bb14699b14e48608d43f51c56b88a04 = "5bb14699b14e48608d43f51c56b88a04"
+ $md5_1c00baebd1d2979a1009652dbc58c1fd = "1c00baebd1d2979a1009652dbc58c1fd"
+ $md5_87375cc6cdf60fc92c973ca984946e7f = "87375cc6cdf60fc92c973ca984946e7f"
+ $md5_3406ce96eaafd68fa469af2409ad6ffe = "3406ce96eaafd68fa469af2409ad6ffe"
+ $md5_dee1f09ef83a041555ce8b1f3effab01 = "dee1f09ef83a041555ce8b1f3effab01"
+ $md5_c40b172d7e99335e1724dc8ba18a42d7 = "c40b172d7e99335e1724dc8ba18a42d7"
+ $md5_04a420981c8724b654b30ecb13a1b9a5 = "04a420981c8724b654b30ecb13a1b9a5"
+ $md5_402627c57c6127187c7ee1ba9b4e11ad = "402627c57c6127187c7ee1ba9b4e11ad"
+ $md5_413a34cb61e954c4e82a63875cce9a67 = "413a34cb61e954c4e82a63875cce9a67"
+ $md5_87835a271ff098d7a0a44e45be83a9d8 = "87835a271ff098d7a0a44e45be83a9d8"
+ $md5_7f84dea46b4e29911604a2afaf1c57ab = "7f84dea46b4e29911604a2afaf1c57ab"
+ $md5_9c863613cc5890067a9733eb15cf749e = "9c863613cc5890067a9733eb15cf749e"
+ $md5_61d318aacfd97961a9248f696025177e = "61d318aacfd97961a9248f696025177e"
+ $md5_23b1717f7690f2670585ce42abcf07c0 = "23b1717f7690f2670585ce42abcf07c0"
+ $md5_e5761a294e7955bf234f7dd38b980633 = "e5761a294e7955bf234f7dd38b980633"
+ $md5_7021e319704ba7bddcdc37716a5c879e = "7021e319704ba7bddcdc37716a5c879e"
+ $md5_f60de91238d965455629b12694fb9dbc = "f60de91238d965455629b12694fb9dbc"
+ $md5_7ca58dd5daa70dd5dc278070512eb394 = "7ca58dd5daa70dd5dc278070512eb394"
+ $md5_391974cd1e5338938faf7f9a22ee3bf5 = "391974cd1e5338938faf7f9a22ee3bf5"
+ $md5_842e7ed1d9a3148c706e2f5e80e01735 = "842e7ed1d9a3148c706e2f5e80e01735"
+ $md5_45ed3086b3d03b253f8746a174a060d1 = "45ed3086b3d03b253f8746a174a060d1"
+ $md5_639637d46f64f4e0164e704be98c7c67 = "639637d46f64f4e0164e704be98c7c67"
+ $md5_2a233c4f6571a2fc3342d6edf3c1e98d = "2a233c4f6571a2fc3342d6edf3c1e98d"
+ $md5_77e8503f721a715a5309f89c88f1da8c = "77e8503f721a715a5309f89c88f1da8c"
+ $md5_6b022a8cea1bd0e3b511961c7f12da0e = "6b022a8cea1bd0e3b511961c7f12da0e"
+ $md5_5bc08352ad0ca4b3727bd7c509515693 = "5bc08352ad0ca4b3727bd7c509515693"
+ $md5_dbeb16d8745a9b9b0daf946d2caecae0 = "dbeb16d8745a9b9b0daf946d2caecae0"
+ $md5_3da2ad2d32f02172623cc5dfb342e43c = "3da2ad2d32f02172623cc5dfb342e43c"
+ $md5_c288f4729f7cdce991dcf7c2b156e854 = "c288f4729f7cdce991dcf7c2b156e854"
+ $md5_acc03ef1eef25c397972ae27087621a6 = "acc03ef1eef25c397972ae27087621a6"
+ $md5_63d453db999cb3a9b388180b7364d43c = "63d453db999cb3a9b388180b7364d43c"
+ $md5_89eb892d945034e549118cda2120c17d = "89eb892d945034e549118cda2120c17d"
+ $md5_d016d961bf0cf4b3aec5619b1b5ebc60 = "d016d961bf0cf4b3aec5619b1b5ebc60"
+ $md5_17cece9c7bbe0c2d6c37056742a7a7e9 = "17cece9c7bbe0c2d6c37056742a7a7e9"
+ $md5_c6c5b4de5cc10418e2f14305d6541bd4 = "c6c5b4de5cc10418e2f14305d6541bd4"
+ $md5_b90b0ff065be669d4d882a2861115ea5 = "b90b0ff065be669d4d882a2861115ea5"
+ $md5_5708d6c871e56833020be00fcac9b4fa = "5708d6c871e56833020be00fcac9b4fa"
+ $md5_cfc48c66c7630653faa136ba83617cb0 = "cfc48c66c7630653faa136ba83617cb0"
+ $md5_8c2e717c09cee5234bec059decc04fbc = "8c2e717c09cee5234bec059decc04fbc"
+ $md5_03823081d5de20d03cf85259ae7ee47c = "03823081d5de20d03cf85259ae7ee47c"
+ $md5_cf128ba5945102e1b1a089032f2e4bc1 = "cf128ba5945102e1b1a089032f2e4bc1"
+ $md5_b14f8f099e4ebbaf4312eb86d739267f = "b14f8f099e4ebbaf4312eb86d739267f"
+ $md5_3b30e94191d82f3566de058a60c4ce41 = "3b30e94191d82f3566de058a60c4ce41"
+ $md5_f5cce3e8c5d8d24edca83ae34d505d61 = "f5cce3e8c5d8d24edca83ae34d505d61"
+ $md5_32549e52c76cacf4a4725340c5eaaabd = "32549e52c76cacf4a4725340c5eaaabd"
+ $md5_0fd48bd160854bea6e9df66a9451b9ed = "0fd48bd160854bea6e9df66a9451b9ed"
+ $md5_ea475f5a99ae4f81d23be81bdcfbb6ac = "ea475f5a99ae4f81d23be81bdcfbb6ac"
+ $md5_123a97612de9089409ad512f3bb2379a = "123a97612de9089409ad512f3bb2379a"
+ $md5_808e8a7ff27e284bbd07cee65403b66c = "808e8a7ff27e284bbd07cee65403b66c"
+ $md5_73993f9f448449f0c5c6977664cfd8fa = "73993f9f448449f0c5c6977664cfd8fa"
+ $md5_58ebad50377af27347a4a216625ec8c7 = "58ebad50377af27347a4a216625ec8c7"
+ $md5_bc6b1264f9dfebdde7a4b94ff0f61c83 = "bc6b1264f9dfebdde7a4b94ff0f61c83"
+ $md5_593d2f1113836a49cb27cef3ce699933 = "593d2f1113836a49cb27cef3ce699933"
+ $md5_463d74f0085a613c44dc9ded28ba903d = "463d74f0085a613c44dc9ded28ba903d"
+ $md5_c74a645b0a52812f026f5cfe6d168f40 = "c74a645b0a52812f026f5cfe6d168f40"
+ $md5_69b4467e347dcf360ef7d2dd2a869601 = "69b4467e347dcf360ef7d2dd2a869601"
+ $md5_7163a7326321ce88f14c2156c29f8386 = "7163a7326321ce88f14c2156c29f8386"
+ $md5_73add080471429445ecba08d95f03b01 = "73add080471429445ecba08d95f03b01"
+ $md5_4892a108c084f7471b601194957ec431 = "4892a108c084f7471b601194957ec431"
+ $md5_0fbf6146e6478d9a6945341a45885400 = "0fbf6146e6478d9a6945341a45885400"
+ $md5_6ff0374bf169ddedaf2654c94b985617 = "6ff0374bf169ddedaf2654c94b985617"
+ $md5_c64778a2ddcc66db666e63ca6781ef3f = "c64778a2ddcc66db666e63ca6781ef3f"
+ $md5_462372c1f7f27ad12cc452dbb3358122 = "462372c1f7f27ad12cc452dbb3358122"
+ $md5_a6b48f5675c55b124908dd11635919ac = "a6b48f5675c55b124908dd11635919ac"
+ $md5_79f1af23d5ab729a3071d1f4c2a0606f = "79f1af23d5ab729a3071d1f4c2a0606f"
+ $domain_ting_qpoe_com = "ting.qpoe.com"
+ $domain_moutain_onmypc_org = "moutain.onmypc.org"
+ $domain_cust_compradecedines_com_ar = "cust.compradecedines.com.ar"
+ $domain_cecs_ben-wan_com = "cecs.ben-wan.com"
+ $domain_edit_ctotw_tw = "edit.ctotw.tw"
+ $domain_rio_onmypc_org = "rio.onmypc.org"
+ $domain_techlawilo_effers_com = "techlawilo.effers.com"
+ $domain_moc_mrface_com = "moc.mrface.com"
+ $domain_every_b0ne_com = "every.b0ne.com"
+ $domain_usamovie_mylftv_com = "usamovie.mylftv.com"
+ $domain_applestore_dnset_com = "applestore.dnset.com"
+ $domain_fastnews_ezua_com = "fastnews.ezua.com"
+ $domain_accounts_fartit_com = "accounts.fartit.com"
+ $domain_music_ftp_sh = "music.ftp.sh"
+ $domain_ikwb55_ikwb_com = "ikwb55.ikwb.com"
+ $domain_pcphoto_servehalflife_com = "pcphoto.servehalflife.com"
+ $domain_festival_lflinkup_net = "festival.lflinkup.net"
+ $domain_kh7710103_qnoddns_org_cn = "kh7710103.qnoddns.org.cn"
+ $domain_soo_dtdns_net = "soo.dtdns.net"
+ $domain_sysinfo_itemdb_com = "sysinfo.itemdb.com"
+ $domain_injure_ignorelist_com = "injure.ignorelist.com"
+ $domain_linenews_mypicure_info = "linenews.mypicure.info"
+ $domain_forums_happyforever_com = "forums.happyforever.com"
+ $domain_showgirls_mooo_com = "showgirls.mooo.com"
+ $domain_dcns_chickenkiller_com = "dcns.chickenkiller.com"
+ $domain_xuite_myMom_info = "xuite.myMom.info"
+ $domain_kukupy_chatnook_com = "kukupy.chatnook.com"
+ $domain_support_bonbonkids_hk = "support.bonbonkids.hk"
+ $domain_tabf_garrarufaworld_com = "tabf.garrarufaworld.com"
+ $domain_hehagame_Got-Game_org = "hehagame.Got-Game.org"
+ $domain_newspaper_otzo_com = "newspaper.otzo.com"
+ $domain_greeting_hopewill_com = "greeting.hopewill.com"
+ $domain_picture_diohwm_com = "picture.diohwm.com"
+ $domain_npa_dynamicdns_org_uk = "npa.dynamicdns.org.uk"
+ $domain_formosa_happyforever_com = "formosa.happyforever.com"
+ $domain_moea_crabdance_com = "moea.crabdance.com"
+ $domain_subnotes_ignorelist_com = "subnotes.ignorelist.com"
+ $domain_forums_toythieves_com = "forums.toythieves.com"
+ $domain_paperspot_wikaba_com = "paperspot.wikaba.com"
+ $domain_firstme_mysecondarydns_com = "firstme.mysecondarydns.com"
+ $domain_nspo_itaiwans_com = "nspo.itaiwans.com"
+ $domain_asus_strangled_net = "asus.strangled.net"
+ $domain_freeonshop_x24hr_com = "freeonshop.x24hr.com"
+ $domain_mirdc_happyforever_com = "mirdc.happyforever.com"
+ $domain_job_jobical_com = "job.jobical.com"
+ $domain_hinet_homenet_org = "hinet.homenet.org"
+ $domain_cypd_slyip_com = "cypd.slyip.com"
+ $domain_picture_brogrammer_org = "picture.brogrammer.org"
+ $domain_17ublig_1dumb_com = "17ublig.1dumb.com"
+ $domain_cert_dynet_com = "cert.dynet.com"
+ $domain_cwb_soportetechmdp_com_ar = "cwb.soportetechmdp.com.ar"
+ $domain_zing_youdontcare_com = "zing.youdontcare.com"
+ $domain_mozila_strangled_net = "mozila.strangled.net"
+ $domain_tios_nsicscores_com = "tios.nsicscores.com"
+ $domain_setting_herbalsolo_com = "setting.herbalsolo.com"
+ $domain_pictures_wasson_com = "pictures.wasson.com"
+ $domain_jog_punked_us = "jog.punked.us"
+ $domain_pictures_happyforever_com = "pictures.happyforever.com"
+ $domain_superapple_sendsmtp_com = "superapple.sendsmtp.com"
+ $domain_rdec_compress_to = "rdec.compress.to"
+ $domain_timehigh_ddns_info = "timehigh.ddns.info"
+ $domain_amazon_otzo_com = "amazon.otzo.com"
+ $domain_teacher_yahoomit_com = "teacher.yahoomit.com"
+ $domain_dream_wikaba_com = "dream.wikaba.com"
+ $domain_webmail_24-7_ro = "webmail.24-7.ro"
+ $domain_av100_mynetav_net = "av100.mynetav.net"
+ $domain_yahoo_zzux_com = "yahoo.zzux.com"
+ $domain_zip_zyns_com = "zip.zyns.com"
+ $domain_avira_justdied_com = "avira.justdied.com"
+ $domain_dwnic_crabdance_com = "dwnic.crabdance.com"
+ $domain_africa_themafia_info = "africa.themafia.info"
+ $domain_wordhasword_darktech_org = "wordhasword.darktech.org"
+ $domain_techlaw_linestw_com = "techlaw.linestw.com"
+ $domain_webey_sbfhome_net = "webey.sbfhome.net"
+ $domain_twcert_compress_to = "twcert.compress.to"
+ $domain_INetGIS_faceboktw_com = "INetGIS.faceboktw.com"
+ $domain_idb_jamescyoung_com = "idb.jamescyoung.com"
+ $domain_icst_compress_to = "icst.compress.to"
+ $domain_needjustword_bbsindex_com = "needjustword.bbsindex.com"
+ $domain_blognews_onmypc_org = "blognews.onmypc.org"
+ $domain_su27_oCry_com = "su27.oCry.com"
+ $domain_dcns_soniceducation_com = "dcns.soniceducation.com"
+ $domain_front_fartit_com = "front.fartit.com"
+ $domain_sushow_xxuz_com = "sushow.xxuz.com"
+ $domain_motc_linestw_com = "motc.linestw.com"
+ $domain_facebook_itsaol_com = "facebook.itsaol.com"
+ $domain_tw_chatnook_com = "tw.chatnook.com"
+ $domain_newpower_jkub_com = "newpower.jkub.com"
+ $domain_boe_pixarworks_com = "boe.pixarworks.com"
+ $domain_docsedit_cleansite_us = "docsedit.cleansite.us"
+ $domain_wendy_uberleet_com = "wendy.uberleet.com"
+ $domain_flog_pgp_com_mx = "flog.pgp.com.mx"
+ $domain_zany_strangled_net = "zany.strangled.net"
+ $domain_microsfot_ikwb_com = "microsfot.ikwb.com"
+ $domain_blognews_ezua_com = "blognews.ezua.com"
+ $domain_beersale_servebeer_com = "beersale.servebeer.com"
+ $domain_ametoy_acmetoy_com = "ametoy.acmetoy.com"
+ $domain_effinfo_effers_com = "effinfo.effers.com"
+ $domain_movieonline_redirectme_net = "movieonline.redirectme.net"
+ $domain_tw_shop_tm = "tw.shop.tm"
+ $domain_asus0213_asuscomm_com = "asus0213.asuscomm.com"
+ $domain_furniture_home_kg = "furniture.home.kg"
+ $domain_dpp_edesizns_com = "dpp.edesizns.com"
+ condition:
+ any of them
+}
diff --git a/yara/Flagpro-suricata-20250112.txt b/yara/Flagpro-suricata-20250112.txt
new file mode 100644
index 0000000..f67b646
--- /dev/null
+++ b/yara/Flagpro-suricata-20250112.txt
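Review bot: `$domain_cecs_ben-wan_com`, `$domain_hehagame_Got-Game_org` and `$domain_webmail_24-7_ro` contain hyphens, which YARA does not accept in string identifiers (letters, digits and underscore only), so this file fails to compile independently of the missing `rule` keyword on its first line; rename them, e.g. `$domain_cecs_ben_wan_com = "cecs.ben-wan.com"`. The mixed-case domains (`xuite.myMom.info`, `hehagame.Got-Game.org`, `su27.oCry.com`, `INetGIS.faceboktw.com`) are matched case-sensitively as written, while DNS names are case-insensitive, so an artifact holding the lowercase form is missed; give the `$domain_*` strings `nocase`. Several very short strings (`tw.shop.tm`, `zip.zyns.com`, `61.58.90.11`) combined with `any of them` will also hit unrelated data such as `61.58.90.110`, so `fullword` on the `$ip_*` and `$domain_*` strings is worth adding, e.g. `$domain_tw_shop_tm = "tw.shop.tm" nocase fullword`. `$ip_18_163_14_17` sits next to `$ip_118_163_14_17` and may be a truncated copy of it; confirm against the source before keeping both.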
@@ -0,0 +1,10 @@
+alert ip 107.191.61.40 any -> any any (msg:"Suspicious Flagpro IP detected Entering Network: 107.191.61.40 (source) - APT Group: BlackTech"; sid:518411836; rev:1;)
+alert ip any any -> 107.191.61.40 any (msg:"Suspicious Flagpro IP detected Leaving Network: 107.191.61.40 (destination) - APT Group: BlackTech"; sid:518411837; rev:1;)
+alert ip 172.104.109.217 any -> any any (msg:"Suspicious Flagpro IP detected Entering Network: 172.104.109.217 (source) - APT Group: BlackTech"; sid:2259028385; rev:1;)
+alert ip any any -> 172.104.109.217 any (msg:"Suspicious Flagpro IP detected Leaving Network: 172.104.109.217 (destination) - APT Group: BlackTech"; sid:2259028386; rev:1;)
+alert ip 139.162.87.180 any -> any any (msg:"Suspicious Flagpro IP detected Entering Network: 139.162.87.180 (source) - APT Group: BlackTech"; sid:3339182745; rev:1;)
+alert ip any any -> 139.162.87.180 any (msg:"Suspicious Flagpro IP detected Leaving Network: 139.162.87.180 (destination) - APT Group: BlackTech"; sid:3339182746; rev:1;)
+alert ip 45.76.184.227 any -> any any (msg:"Suspicious Flagpro IP detected Entering Network: 45.76.184.227 (source) - APT Group: BlackTech"; sid:3650785005; rev:1;)
+alert ip any any -> 45.76.184.227 any (msg:"Suspicious Flagpro IP detected Leaving Network: 45.76.184.227 (destination) - APT Group: BlackTech"; sid:3650785006; rev:1;)
+alert ip 45.32.23.140 any -> any any (msg:"Suspicious Flagpro IP detected Entering Network: 45.32.23.140 (source) - APT Group: BlackTech"; sid:9643976871; rev:1;)
+alert ip any any -> 45.32.23.140 any (msg:"Suspicious Flagpro IP detected Leaving Network: 45.32.23.140 (destination) - APT Group: BlackTech"; sid:9643976872; rev:1;)
diff --git a/yara/Flagpro-yara-20250112.yar b/yara/Flagpro-yara-20250112.yar
new file mode 100644
index 0000000..ce36feb
--- /dev/null
+++ b/yara/Flagpro-yara-20250112.yar
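Review bot: `sid:9643976871;` and `sid:9643976872;` on the last two rules exceed the unsigned 32-bit range Suricata accepts for sid (maximum 4294967295), so those two rules are rejected at load time while the other eight load; the same overflow affects every sid in yara/TsCookie-suricata-20250112.txt and most of those in yara/waterbear-suricata-20250112.txt. Replace the apparently random sids with a sequentially allocated block from a range conventionally reserved for local rules, e.g. `sid:1000001; rev:1;` counting upward, and keep one allocation list for all rule files in this commit so they cannot collide. A `classtype:` and a `reference:` naming the report the indicators came from would also let analysts prioritize and trace the alerts instead of relying on the free-text `msg`.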
@@ -0,0 +1,24 @@
+Flagpro_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $ip_107_191_61_40 = "107.191.61.40"
+ $ip_172_104_109_217 = "172.104.109.217"
+ $ip_139_162_87_180 = "139.162.87.180"
+ $ip_45_76_184_227 = "45.76.184.227"
+ $ip_45_32_23_140 = "45.32.23.140"
+ $sha256_e197c583 = "e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970"
+ $sha256_840ce62f = "840ce62f92fc519cd1a33b62f4b9f92a962b7fb28c12d2f607dec0b520e6a4b2"
+ $sha256_e81255ff = "e81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876"
+ $sha256_655ca39b = "655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5"
+ $sha256_54e6ea47 = "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b"
+ $sha256_77680fb9 = "77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9"
+ $sha256_ba27ae12 = "ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d"
+ $domain_update_centosupdates_com = "update.centosupdates.com"
+ $domain_org_misecure_com = "org.misecure.com"
+ condition:
+ any of them
+}
diff --git a/yara/Plead-suricata-20250112.txt b/yara/Plead-suricata-20250112.txt
new file mode 100644
index 0000000000000000000000000000000000000000..06d7405020018ddf3cacee90fd4af10487da3d20
GIT binary patch literal 1024 ScmZQz7zLvtFd70QH3R?z00031 literal 0 HcmV?d00001
diff --git a/yara/Plead-yara-20250112.yar b/yara/Plead-yara-20250112.yar
new file mode 100644
index 0000000..7430455
--- /dev/null
+++ b/yara/Plead-yara-20250112.yar
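Review bot: `+Flagpro_IOCs {` is missing the `rule` keyword, so yara refuses to compile the file; the same header is used in yara/Plead-yara-20250112.yar, yara/TsCookie-yara-20250112.yar, yara/TsCookiev2-yara-20250112.yar and yara/waterbear-yara-20250112.yar, and the preceding hunk additionally declares `$domain_webmail_24-7_ro`, whose hyphen is not allowed in a YARA string identifier. The `$sha256_*` entries are also plain text strings, so they fire only on a file that contains the hash written out (an IOC list or report) and never on the sample whose content hashes to that value; file-hash matching needs `import "hash"` and a `hash.sha256(0, filesize) == "…"` comparison in the condition, with the `$sha256_*` strings removed so none is left unreferenced. A sketch of the rewritten header and condition follows; meta and the `$ip_*`/`$domain_*` strings stay as they are.
```yara
import "hash"

rule Flagpro_IOCs {
    // … unchanged: meta and the $ip_*/$domain_* strings ($sha256_* strings dropped) …
    condition:
        any of ($ip_*, $domain_*) or
        hash.sha256(0, filesize) == "e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970" or
        hash.sha256(0, filesize) == "840ce62f92fc519cd1a33b62f4b9f92a962b7fb28c12d2f607dec0b520e6a4b2" or
        hash.sha256(0, filesize) == "e81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876" or
        hash.sha256(0, filesize) == "655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5" or
        hash.sha256(0, filesize) == "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b" or
        hash.sha256(0, filesize) == "77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9" or
        hash.sha256(0, filesize) == "ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d"
}
```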
@@ -0,0 +1,22 @@
+Plead_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $sha1_13D064741B801E421E3B53BC5DABFA7031C98DD9 = "13D064741B801E421E3B53BC5DABFA7031C98DD9"
+ $sha1_62A693F5E4F92CCB5A2821239EFBE5BD792A46CD = "62A693F5E4F92CCB5A2821239EFBE5BD792A46CD"
+ $sha1_11A5D1A965A3E1391E840B11705FFC02759618F8 = "11A5D1A965A3E1391E840B11705FFC02759618F8"
+ $sha1_B01D8501F1EEAF423AA1C14FCC816FAB81AC8ED8 = "B01D8501F1EEAF423AA1C14FCC816FAB81AC8ED8"
+ $sha1_1DB4650A89BC7C810953160C6E41A36547E8CF0B = "1DB4650A89BC7C810953160C6E41A36547E8CF0B"
+ $sha1_9C4F8358462FAFD83DF51459DBE4CD8E5E7F2039 = "9C4F8358462FAFD83DF51459DBE4CD8E5E7F2039"
+ $sha1_80AE7B26AC04C93AD693A2D816E8742B906CC0E3 = "80AE7B26AC04C93AD693A2D816E8742B906CC0E3"
+ $sha1_239786038B9619F9C22401B110CF0AF433E0CEAD = "239786038B9619F9C22401B110CF0AF433E0CEAD"
+ $sha1_CA160884AE90CFE6BEC5722FAC5B908BF77D9EEF = "CA160884AE90CFE6BEC5722FAC5B908BF77D9EEF"
+ $domain_okinawas_ssl443_org = "okinawas.ssl443.org"
+ $domain_office_panasocin_com = "office.panasocin.com"
+ $domain_amazon_panasocin_com = "amazon.panasocin.com"
+ condition:
+ any of them
+}
diff --git a/yara/TsCookie-suricata-20250112.txt b/yara/TsCookie-suricata-20250112.txt
new file mode 100644
index 0000000..add9bdb
--- /dev/null
+++ b/yara/TsCookie-suricata-20250112.txt
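Review bot: the nine `$sha1_*` values are uppercase hex, so as text strings they miss the lowercase spelling most tooling emits, and if they are moved to the hash module the comparison values must be lowercased first, because `hash.sha1(0, filesize)` returns lowercase hex, e.g. `hash.sha1(0, filesize) == "13d064741b801e421e3b53bc5dabfa7031c98dd9"`. Separately, the companion yara/Plead-suricata-20250112.txt in this commit is a 1024-byte binary blob with the same blob id (06d7405020018ddf3cacee90fd4af10487da3d20) as yara/TsCookiev2-suricata-20250112.txt, so it cannot hold Plead-specific network rules and Suricata will not load it as text; the Suricata coverage for these two families appears to be missing from the commit.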
@@ -0,0 +1,6 @@
+alert ip 220.130.216.76 any -> any any (msg:"Suspicious TsCookie IP detected Entering Network: 220.130.216.76 (source) - APT Group: BlackTech"; sid:8166465416; rev:1;)
+alert ip any any -> 220.130.216.76 any (msg:"Suspicious TsCookie IP detected Leaving Network: 220.130.216.76 (destination) - APT Group: BlackTech"; sid:8166465417; rev:1;)
+alert ip 60.244.52.29 any -> any any (msg:"Suspicious TsCookie IP detected Entering Network: 60.244.52.29 (source) - APT Group: BlackTech"; sid:7569006617; rev:1;)
+alert ip any any -> 60.244.52.29 any (msg:"Suspicious TsCookie IP detected Leaving Network: 60.244.52.29 (destination) - APT Group: BlackTech"; sid:7569006618; rev:1;)
+alert ip 45.76.102.145 any -> any any (msg:"Suspicious TsCookie IP detected Entering Network: 45.76.102.145 (source) - APT Group: BlackTech"; sid:8497073872; rev:1;)
+alert ip any any -> 45.76.102.145 any (msg:"Suspicious TsCookie IP detected Leaving Network: 45.76.102.145 (destination) - APT Group: BlackTech"; sid:8497073873; rev:1;)
diff --git a/yara/TsCookie-yara-20250112.yar b/yara/TsCookie-yara-20250112.yar
new file mode 100644
index 0000000..cc2d403
--- /dev/null
+++ b/yara/TsCookie-yara-20250112.yar
@@ -0,0 +1,61 @@
+TsCookie_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $ip_220_130_216_76 = "220.130.216.76"
+ $ip_60_244_52_29 = "60.244.52.29"
+ $ip_45_76_102_145 = "45.76.102.145"
+ $sha256_5443ee54 = "5443ee54a532846da3182630e2bb031f54825025700bcd5f0e34802e7345c7b2"
+ $sha256_0683437a = "0683437aebd980c395a83e837a6056df1a21e137e875f234d1ed9f9a91dfdc7f"
+ $sha256_1fa7cbe5 = "1fa7cbe57eedea0ebc8eb37b91e7536c07be7da7775a6c01e5b14489387b9ca8"
+ $sha256_201bf3cd = "201bf3cd2a723d6c728d18a9e41ff038549eac8406f453c5197a1a7b45998673"
+ $sha256_cdf0e4c4 = "cdf0e4c415eb55bccb43a650e330348b63bc3cbb53f71a215c44ede939b4b830"
+ $sha256_20f7f367 = "20f7f367f9cb8beca7ce1ba980fafa870863245f27fea48b971859a8cb47eb09"
+ $sha256_afe780ba = "afe780ba2af6c86babf2d0270156da61f556c493259d4ca54c67665c17b02023"
+ $sha256_06a9c713 = "06a9c71342eeb14b7e8871f77524e8acc7b86670411b854fa7f6f57c918ffd2b"
+ $sha256_6d2f5675 = "6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75"
+ $sha256_6b66c6d8 = "6b66c6d8859dfe06c0415be4df2bd836561d5a6eabce98ddd2ee54e89e37fd44"
+ $sha256_39d7d764 = "39d7d764405b9c613dff6da4909d9bc46620beee7a7913c4666acf9e76a171e4"
+ $sha256_96306202 = "96306202b0c4495cf93e805e9185ea6f2626650d6132a98a8f097f8c6a424a33"
+ $sha256_12b0f133 = "12b0f1337bda78f8a7963d2744668854d81e1f1b64790b74d486281bc54e6647"
+ $sha256_2bd13d63 = "2bd13d63797864a70b775bd1994016f5052dc8fd1fd83ce1c13234b5d304330d"
+ $sha256_35f96618 = "35f966187098ac42684361b2a93b0cee5e2762a0d1e13b8d366a18bccf4f5a91"
+ $sha256_0debbcc2 = "0debbcc297cb8f9b81c8c217e748122243562357297b63749c3847af3b7fd646"
+ $sha256_17f1996a = "17f1996ad7e602bd2a7e9524d7d70ee8588dac51469b08017df9aaaca09d8dd9"
+ $sha256_203c924c = "203c924cd274d052e8e95246d31bd168f3d8a0700a774c98eff882c8b8399a2f"
+ $sha256_e451a1e0 = "e451a1e05c0cc363a185a98819cd2af421ac87154702bf72007ecc0134c7f417"
+ $sha256_1da9b4a8 = 
"1da9b4a84041b8c72dad9626db822486ce47b9a3ab6b36c41b0637cd1f6444d6"
+ $sha256_f16befd7 = "f16befd79b7f8ffdaf934ef337a91a5f1dc6da54c4b2bee5fe7a0eb38e8af39e"
+ $sha256_4a8237f9 = "4a8237f9ecdad3b51ffd00d769e23f61f1e791f998d1959ad9b61d53ea306c09"
+ $domain_apk36501_flnet_org = "apk36501.flnet.org"
+ $domain_okinawas_ssl443_org = "okinawas.ssl443.org"
+ $domain_gethappy_effers_com = "gethappy.effers.com"
+ $domain_ntp_ukrootns1_com = "ntp.ukrootns1.com"
+ $domain_twnicsi_ignorelist_com = "twnicsi.ignorelist.com"
+ $domain_jpcerts_jpcertinfo_com = "jpcerts.jpcertinfo.com"
+ $domain_eoffice_etowns_org = "eoffice.etowns.org"
+ $domain_lang_suroot_com = "lang.suroot.com"
+ $domain_office_dns04_com = "office.dns04.com"
+ $domain_jpcert_ignorelist_com = "jpcert.ignorelist.com"
+ $domain_epayplus_flnet_org = "epayplus.flnet.org"
+ $domain_lookatinfo_dnset_com = "lookatinfo.dnset.com"
+ $domain_longdays_csproject_org = "longdays.csproject.org"
+ $domain_langlang_dnset_com = "langlang.dnset.com"
+ $domain_appinfo_fairuse_org = "appinfo.fairuse.org"
+ $domain_fatgirls_fatdiary_org = "fatgirls.fatdiary.org"
+ $domain_carcolors_effers_com = "carcolors.effers.com"
+ $domain_ktyguxs_dnset_com = "ktyguxs.dnset.com"
+ $domain_newtowns_flnet_org = "newtowns.flnet.org"
+ $domain_sslmaker_ssl443_org = "sslmaker.ssl443.org"
+ $domain_twcertcc_jumpingcrab_com = "twcertcc.jumpingcrab.com"
+ $domain_iawntsilk_dnset_com = "iawntsilk.dnset.com"
+ $domain_edu_microsoftmse_com = "edu.microsoftmse.com"
+ $domain_inewdays_csproject_org = "inewdays.csproject.org"
+ $domain_savecars_dnset_com = "savecars.dnset.com"
+ $domain_splashed_effers_com = "splashed.effers.com"
+ condition:
+ any of them
+}
diff --git a/yara/TsCookiev2-suricata-20250112.txt b/yara/TsCookiev2-suricata-20250112.txt
new file mode 100644
index 0000000000000000000000000000000000000000..06d7405020018ddf3cacee90fd4af10487da3d20
GIT binary patch literal 1024 ScmZQz7zLvtFd70QH3R?z00031 literal 0 HcmV?d00001 
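Review bot: every `$domain_*` and `$ip_*` string here is a plain case-sensitive substring match, so `"jpcerts.jpcertinfo.com"` is missed when the name appears in another letter case (DNS names are case-insensitive) and `"60.244.52.29"` also fires inside unrelated text such as `160.244.52.29` or `60.244.52.291`. Declare the domains `nocase fullword` and the addresses at least `fullword`, e.g. `$domain_jpcerts_jpcertinfo_com = "jpcerts.jpcertinfo.com" nocase fullword` and `$ip_60_244_52_29 = "60.244.52.29" fullword`. The same modifiers are missing from the domain and address strings in yara/Flagpro-yara-20250112.yar, yara/Plead-yara-20250112.yar, yara/TsCookiev2-yara-20250112.yar and yara/waterbear-yara-20250112.yar, and from the mixed-case names in the preceding BlackTech hunk. The rule's opening `+TsCookie_IOCs {` is on the previous physical line of this hunk.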
diff --git a/yara/TsCookiev2-yara-20250112.yar b/yara/TsCookiev2-yara-20250112.yar
new file mode 100644
index 0000000..f4ce683
--- /dev/null
+++ b/yara/TsCookiev2-yara-20250112.yar
@@ -0,0 +1,13 @@
+TsCookiev2_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $sha256_fc863fbd = "fc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3"
+ $domain_home_mwbsys_org = "home.mwbsys.org"
+ $domain_app_dynamicrosoft_com = "app.dynamicrosoft.com"
+ condition:
+ any of them
+}
diff --git a/yara/waterbear-suricata-20250112.txt b/yara/waterbear-suricata-20250112.txt
new file mode 100644
index 0000000..05da30a
--- /dev/null
+++ b/yara/waterbear-suricata-20250112.txt
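Review bot: the `meta` block gives no provenance — `description = "Suspicious IPs, Hashes, and Domains"` is boilerplate that does not even fit this rule (it declares no `$ip_*` string), and there is no `reference` to the report the one hash and two domains were taken from, so an analyst triaging a hit cannot tell how fresh or reliable the indicators are. Replace the description with what the rule actually covers and record the source, e.g. `description = "TsCookie v2 file hash and domains"` and `reference = "<URL of the source report>"`.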
@@ -0,0 +1,24 @@
+alert ip 45.77.181.203 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 45.77.181.203 (source) - APT Group: BlackTech"; sid:5921737425; rev:1;)
+alert ip any any -> 45.77.181.203 any (msg:"Suspicious waterbear IP detected Leaving Network: 45.77.181.203 (destination) - APT Group: BlackTech"; sid:5921737426; rev:1;)
+alert ip 103.40.112.228 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 103.40.112.228 (source) - APT Group: BlackTech"; sid:3182573330; rev:1;)
+alert ip any any -> 103.40.112.228 any (msg:"Suspicious waterbear IP detected Leaving Network: 103.40.112.228 (destination) - APT Group: BlackTech"; sid:3182573331; rev:1;)
+alert ip 59.125.119.202 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 59.125.119.202 (source) - APT Group: BlackTech"; sid:8583068955; rev:1;)
+alert ip any any -> 59.125.119.202 any (msg:"Suspicious waterbear IP detected Leaving Network: 59.125.119.202 (destination) - APT Group: BlackTech"; sid:8583068956; rev:1;)
+alert ip 139.180.201.6 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 139.180.201.6 (source) - APT Group: BlackTech"; sid:7607440005; rev:1;)
+alert ip any any -> 139.180.201.6 any (msg:"Suspicious waterbear IP detected Leaving Network: 139.180.201.6 (destination) - APT Group: BlackTech"; sid:7607440006; rev:1;)
+alert ip 139.162.112.74 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 139.162.112.74 (source) - APT Group: BlackTech"; sid:5681332719; rev:1;)
+alert ip any any -> 139.162.112.74 any (msg:"Suspicious waterbear IP detected Leaving Network: 139.162.112.74 (destination) - APT Group: BlackTech"; sid:5681332720; rev:1;)
+alert ip 172.104.92.110 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 172.104.92.110 (source) - APT Group: BlackTech"; sid:5363415535; rev:1;)
+alert ip any any -> 172.104.92.110 any (msg:"Suspicious waterbear IP detected Leaving Network: 
172.104.92.110 (destination) - APT Group: BlackTech"; sid:5363415536; rev:1;)
+alert ip 168.95.1.1 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 168.95.1.1 (source) - APT Group: BlackTech"; sid:2071065055; rev:1;)
+alert ip any any -> 168.95.1.1 any (msg:"Suspicious waterbear IP detected Leaving Network: 168.95.1.1 (destination) - APT Group: BlackTech"; sid:2071065056; rev:1;)
+alert ip 45.76.218.116 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 45.76.218.116 (source) - APT Group: BlackTech"; sid:5808228675; rev:1;)
+alert ip any any -> 45.76.218.116 any (msg:"Suspicious waterbear IP detected Leaving Network: 45.76.218.116 (destination) - APT Group: BlackTech"; sid:5808228676; rev:1;)
+alert ip 108.160.138.235 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 108.160.138.235 (source) - APT Group: BlackTech"; sid:5795869186; rev:1;)
+alert ip any any -> 108.160.138.235 any (msg:"Suspicious waterbear IP detected Leaving Network: 108.160.138.235 (destination) - APT Group: BlackTech"; sid:5795869187; rev:1;)
+alert ip 211.72.242.120 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 211.72.242.120 (source) - APT Group: BlackTech"; sid:6756046166; rev:1;)
+alert ip any any -> 211.72.242.120 any (msg:"Suspicious waterbear IP detected Leaving Network: 211.72.242.120 (destination) - APT Group: BlackTech"; sid:6756046167; rev:1;)
+alert ip 108.160.132.108 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 108.160.132.108 (source) - APT Group: BlackTech"; sid:2503198458; rev:1;)
+alert ip any any -> 108.160.132.108 any (msg:"Suspicious waterbear IP detected Leaving Network: 108.160.132.108 (destination) - APT Group: BlackTech"; sid:2503198459; rev:1;)
+alert ip 220.135.71.92 any -> any any (msg:"Suspicious waterbear IP detected Entering Network: 220.135.71.92 (source) - APT Group: BlackTech"; sid:121564119; rev:1;)
+alert ip any any -> 220.135.71.92 any 
(msg:"Suspicious waterbear IP detected Leaving Network: 220.135.71.92 (destination) - APT Group: BlackTech"; sid:121564120; rev:1;)
diff --git a/yara/waterbear-yara-20250112.yar b/yara/waterbear-yara-20250112.yar
new file mode 100644
index 0000000..12d1708
--- /dev/null
+++ b/yara/waterbear-yara-20250112.yar
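Review bot: the rule pair on `168.95.1.1` (`sid:2071065055;` and `sid:2071065056;`, in the middle of this hunk) alerts on every packet to or from that address, and as far as I know 168.95.1.1 is a public recursive DNS resolver run by a large Taiwanese ISP, so on any network that uses it these two rules would fire on ordinary DNS lookups and drown the other eleven pairs. Confirm how that address entered the indicator set — a resolver a sample happened to query is not attacker infrastructure — and either drop the pair or narrow it to the protocol and port the sample actually used. The `msg` text is also the only place the malware family and group are recorded; a `metadata:` keyword (or `reference:`) would carry the family and source in a form downstream tooling can filter on.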
@@ -0,0 +1,79 @@
+waterbear_IOCs {
+ meta:
+ creator = "Cpl Iverson"
+ date = "2025-01-12"
+ description = "Suspicious IPs, Hashes, and Domains"
+ apt_group = "BlackTech"
+ strings:
+ $ip_45_77_181_203 = "45.77.181.203"
+ $ip_103_40_112_228 = "103.40.112.228"
+ $ip_59_125_119_202 = "59.125.119.202"
+ $ip_139_180_201_6 = "139.180.201.6"
+ $ip_139_162_112_74 = "139.162.112.74"
+ $ip_172_104_92_110 = "172.104.92.110"
+ $ip_168_95_1_1 = "168.95.1.1"
+ $ip_45_76_218_116 = "45.76.218.116"
+ $ip_108_160_138_235 = "108.160.138.235"
+ $ip_211_72_242_120 = "211.72.242.120"
+ $ip_108_160_132_108 = "108.160.132.108"
+ $ip_220_135_71_92 = "220.135.71.92"
+ $sha256_eed2ab9f = "eed2ab9f2c09e47c7689204ad7f91e5aef3cb25a41ea524004a48bb7dc59f969"
+ $sha256_649675ba = "649675baef92381ffcdfa42e8959015e83c1ab1c7bbfd64635ce5f6f65efd651"
+ $sha256_3f26a971 = "3f26a971e393d7f6ce7bf4416abdbfa1def843a0cf74d8b7bb841ca90f5c9ed9"
+ $sha256_7532fe7a = "7532fe7a16ba1db4d5e8d47de04b292d94882920cb672e89a48d07e77ddd0138"
+ $sha256_50ba9a22 = "50ba9a2235b9b67e16e6bd26ae042a958d065eb2c5273f07eee20ec86c58a653"
+ $sha256_884cefcc = "884cefccd5b3c3a219a176c0c614834b5b6676abbac1d1c98f39624fccc71bf9"
+ $sha256_7c0d2782 = "7c0d2782a33debb65b488893705e71a001ea06c4eb4fe88571639ed71ac85cdd"
+ $sha256_4c05ee58 = "4c05ee584530fd9622b9e3be555c9132fad961848ea215ecb0dd9430df7e4ed8"
+ $sha256_9c436db4 = "9c436db49b27bed20b42157b50d8bdad414b12f01e2127718250565017a08d84"
+ $sha256_bda6812c = "bda6812c3bbba3c885584d234be353b0a2d1b1cbd29161deab0ef8814ac1e8e1"
+ $sha256_78581711 = "7858171120792e5c98cfa75ccde7cba49e62a2aeb32ed62322aae0a80a50f1ea"
+ $sha256_05d0ab2f = "05d0ab2fbeb7e0ba7547afb013d307d32588704daac9c12002a690e5c1cde3a4"
+ $sha256_485d5af4 = "485d5af4ad86e9241abd824df7b3f7d658b1b77c7dcc3c9b74bfe1ddc074c87d"
+ $sha256_6d40c289 = "6d40c289a154142cdd5298e345bcea30b13f26b9eddfe2d9634e71e1fb935fbe"
+ $sha256_d4d5c73c = "d4d5c73c40f50cdef1500fca8329bc8f3f05f6e2ffda9c8feb9be1dcca6ccd31"
+ $sha256_81a4b847 = 
"81a4b84700b5f4770b11a5fe30a8df42e5579fd622fd54143b3d2578df4b559d"
+ $sha256_f2160168 = "f21601686a2af1a312e0f99effa2c2755f872b693534dbe14f034fa23587ac0b"
+ $sha256_3fefceea = "3fefceeab9f845f9ddbe9c3a0712d45aad4c87fdbb178d13955944dbe6b338a3"
+ $sha256_aa51b69d = "aa51b69d05741144d139b422c3b90fdf6d7d5a36dd6c7090c226a0fc155ada34"
+ $sha256_9603b622 = "9603b62268c2bbb06da5c99572c3dc2ec988c49c86db2abc391acf53c1cccceb"
+ $sha256_53402b66 = "53402b662679f0bfd08de3abb064930af40ff6c9ec95469ce8489f65796e36c3"
+ $sha256_acb2abc7 = "acb2abc7fb44c2fdea0b65706d1e8b4c0bfb20e4bd4dcee5b95b346a60c6bd31"
+ $sha256_dea5c564 = "dea5c564c9d961ccf2ed535139fbfca4f1727373504f2972ac92acfaf21da831"
+ $sha256_f9f6bc63 = "f9f6bc637f59ef843bc939cb6be5000da5b9277b972904bf84586ea0a17a6000"
+ $sha256_cb1a536e = "cb1a536e11ae1000c1b29233544377263732ca67cd679f3f6b20016fbd429817"
+ $sha256_b9f3a3b9 = "b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361"
+ $sha256_3277e3f3 = "3277e3f370319f667170fc7333fc5e081a0a87cb85b928219b3b3caf7f1e549c"
+ $sha256_3d18bb8b = "3d18bb8b9a5af20ab10441c8cd40feff0aabdd3f4c669ad40111e3aa5e8c54b8"
+ $sha256_abb91dfd = "abb91dfd95d11a232375d6b5cdf94b0f7afb9683fb7af3e50bcecdb2bd6cb035"
+ $sha256_638cfbe6 = "638cfbe609d7f3e88767133be5ea5f9a75f1d703275f38eb9ec2414e179483b9"
+ $sha256_5818bfe7 = "5818bfe75d73a92eb775fae3b876086a9e70e1e677b7c162b49fb8c1cc996788"
+ $sha256_b32ab70f = "b32ab70f3f441a775771d6c824d4526715460c0fd72a1dfdec8cd531aef5fabd"
+ $sha256_5a35672f = "5a35672f293f8f586fa9cfac0b09c2c52a85d4e8bc77b1ed4d7c16c58fe97a81"
+ $sha256_a7f3b8af = "a7f3b8afb963528b4821b6151d259cf05ae970bc4400b805f7713bd8a0902a42"
+ $sha256_73799d67 = "73799d67d32a2b5554c39330e81e7c8069feaa56520e22a7fd0a52e8857c510c"
+ $sha256_8cd6dfff = "8cd6dfffc251f9571f7a82cca2eca09914c950f3b96aaaeaeaaeeac342f9b550"
+ $sha256_28ca0c21 = "28ca0c218e14041b9f32a0b9a17d6ee5804e4ff52e9ef228a1f0f8b00ba24c11"
+ $sha256_3909e837 = 
"3909e837f3a96736947e387a84bb57e57974db9b77fb1d8fa5d808a89f9a401b"
+ $sha256_fcfdd079 = "fcfdd079b5861c0192e559c80e8f393b16ba419186066a21aab0294327ea9e58"
+ $sha256_8da532ea = "8da532ea294cc2c99e02ce8513a15b108a7c49bd90f7001ce6148955304733cb"
+ $sha256_9e3ecda0 = "9e3ecda0f8e23116e1e8f2853cf07837dd5bc0e2e4a70d927b37cfe4f6e69431"
+ $sha256_69d60562 = "69d60562a8d69500e8cb47a48293894385743716e2214fd4e81682ab6ed1c46b"
+ $sha256_35bd3c96 = "35bd3c96abbf9e4da9f7a4433d72f90bfe230e3e897a7aaf6f3d54e9ff66a05a"
+ $sha256_39668008 = "39668008deb49a9b9a033fd01e0ea7c5243ad958afd82f79c1665fb73c7cfadf"
+ $sha256_3442c076 = "3442c076c8824d5da065616063a6520ee1d9385d327779b5465292ac978dec26"
+ $sha256_f11e2146 = "f11e2146b4b7da69112f4681daca0c5ec18917acc4cf4f78d8bff7ac0b53e15c"
+ $sha256_c7c7b227 = "c7c7b2270767aaa2d66018894a7425ba6192730b4fe2130d290cd46af5cc0b7b"
+ $sha256_6f970227 = "6f97022782d63c6cea53ad151c5b7e764e62533d8257e439033c0307437bfb2a"
+ $domain_apple_wikaba_com = "apple.wikaba.com"
+ $domain_itaiwans_com = "itaiwans.com"
+ $domain_ntstore_hosthampster_com = "ntstore.hosthampster.com"
+ $domain_asiainfo_hpcloudnews_com = "asiainfo.hpcloudnews.com"
+ $domain_loop_microsoftmse_com = "loop.microsoftmse.com"
+ $domain_microsoftmse_com = "microsoftmse.com"
+ $domain_mx_msdtc_tw = "mx.msdtc.tw"
+ $domain_naaakkk_wikaba_com = "naaakkk.wikaba.com"
+ $domain_blog_mysecuritycamera_com = "blog.mysecuritycamera.com"
+ condition:
+ any of them
+}
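Review bot: `$domain_microsoftmse_com = "microsoftmse.com"` is a substring of `$domain_loop_microsoftmse_com = "loop.microsoftmse.com"`, so the longer string can never be the sole reason for a hit and the bare apex string will fire on any document that merely mentions that domain; keep only the apex string if the whole domain is attacker-controlled, otherwise only the host names. `$ip_168_95_1_1 = "168.95.1.1"` is, as far as I know, the address of a public DNS resolver and is also a very short substring, so under `any of them` it alone triggers the rule; consider dropping such weak indicators from the condition or requiring a stronger one alongside them, e.g. `any of ($domain_*) or 2 of ($ip_*)`. The rule opens at the `@@ -0,0 +1,79 @@` hunk header two physical lines above and closes with the `+}` here.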