62 lines
3.7 KiB
Plaintext
62 lines
3.7 KiB
Plaintext
TsCookie_IOCs {
|
|
meta:
|
|
creator = "Cpl Iverson"
|
|
date = "2025-01-12"
|
|
description = "Suspicious IPs, Hashes, and Domains"
|
|
apt_group = "BlackTech"
|
|
strings:
|
|
$ip_220_130_216_76 = "220.130.216.76"
|
|
$ip_60_244_52_29 = "60.244.52.29"
|
|
$ip_45_76_102_145 = "45.76.102.145"
|
|
$sha256_5443ee54 = "5443ee54a532846da3182630e2bb031f54825025700bcd5f0e34802e7345c7b2"
|
|
$sha256_0683437a = "0683437aebd980c395a83e837a6056df1a21e137e875f234d1ed9f9a91dfdc7f"
|
|
$sha256_1fa7cbe5 = "1fa7cbe57eedea0ebc8eb37b91e7536c07be7da7775a6c01e5b14489387b9ca8"
|
|
$sha256_201bf3cd = "201bf3cd2a723d6c728d18a9e41ff038549eac8406f453c5197a1a7b45998673"
|
|
$sha256_cdf0e4c4 = "cdf0e4c415eb55bccb43a650e330348b63bc3cbb53f71a215c44ede939b4b830"
|
|
$sha256_20f7f367 = "20f7f367f9cb8beca7ce1ba980fafa870863245f27fea48b971859a8cb47eb09"
|
|
$sha256_afe780ba = "afe780ba2af6c86babf2d0270156da61f556c493259d4ca54c67665c17b02023"
|
|
$sha256_06a9c713 = "06a9c71342eeb14b7e8871f77524e8acc7b86670411b854fa7f6f57c918ffd2b"
|
|
$sha256_6d2f5675 = "6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75"
|
|
$sha256_6b66c6d8 = "6b66c6d8859dfe06c0415be4df2bd836561d5a6eabce98ddd2ee54e89e37fd44"
|
|
$sha256_39d7d764 = "39d7d764405b9c613dff6da4909d9bc46620beee7a7913c4666acf9e76a171e4"
|
|
$sha256_96306202 = "96306202b0c4495cf93e805e9185ea6f2626650d6132a98a8f097f8c6a424a33"
|
|
$sha256_12b0f133 = "12b0f1337bda78f8a7963d2744668854d81e1f1b64790b74d486281bc54e6647"
|
|
$sha256_2bd13d63 = "2bd13d63797864a70b775bd1994016f5052dc8fd1fd83ce1c13234b5d304330d"
|
|
$sha256_35f96618 = "35f966187098ac42684361b2a93b0cee5e2762a0d1e13b8d366a18bccf4f5a91"
|
|
$sha256_0debbcc2 = "0debbcc297cb8f9b81c8c217e748122243562357297b63749c3847af3b7fd646"
|
|
$sha256_17f1996a = "17f1996ad7e602bd2a7e9524d7d70ee8588dac51469b08017df9aaaca09d8dd9"
|
|
$sha256_203c924c = "203c924cd274d052e8e95246d31bd168f3d8a0700a774c98eff882c8b8399a2f"
|
|
$sha256_e451a1e0 = "e451a1e05c0cc363a185a98819cd2af421ac87154702bf72007ecc0134c7f417"
|
|
$sha256_1da9b4a8 = "1da9b4a84041b8c72dad9626db822486ce47b9a3ab6b36c41b0637cd1f6444d6"
|
|
$sha256_f16befd7 = "f16befd79b7f8ffdaf934ef337a91a5f1dc6da54c4b2bee5fe7a0eb38e8af39e"
|
|
$sha256_4a8237f9 = "4a8237f9ecdad3b51ffd00d769e23f61f1e791f998d1959ad9b61d53ea306c09"
|
|
$domain_apk36501_flnet_org = "apk36501.flnet.org"
|
|
$domain_okinawas_ssl443_org = "okinawas.ssl443.org"
|
|
$domain_gethappy_effers_com = "gethappy.effers.com"
|
|
$domain_ntp_ukrootns1_com = "ntp.ukrootns1.com"
|
|
$domain_twnicsi_ignorelist_com = "twnicsi.ignorelist.com"
|
|
$domain_jpcerts_jpcertinfo_com = "jpcerts.jpcertinfo.com"
|
|
$domain_eoffice_etowns_org = "eoffice.etowns.org"
|
|
$domain_lang_suroot_com = "lang.suroot.com"
|
|
$domain_office_dns04_com = "office.dns04.com"
|
|
$domain_jpcert_ignorelist_com = "jpcert.ignorelist.com"
|
|
$domain_epayplus_flnet_org = "epayplus.flnet.org"
|
|
$domain_lookatinfo_dnset_com = "lookatinfo.dnset.com"
|
|
$domain_longdays_csproject_org = "longdays.csproject.org"
|
|
$domain_langlang_dnset_com = "langlang.dnset.com"
|
|
$domain_appinfo_fairuse_org = "appinfo.fairuse.org"
|
|
$domain_fatgirls_fatdiary_org = "fatgirls.fatdiary.org"
|
|
$domain_carcolors_effers_com = "carcolors.effers.com"
|
|
$domain_ktyguxs_dnset_com = "ktyguxs.dnset.com"
|
|
$domain_newtowns_flnet_org = "newtowns.flnet.org"
|
|
$domain_sslmaker_ssl443_org = "sslmaker.ssl443.org"
|
|
$domain_twcertcc_jumpingcrab_com = "twcertcc.jumpingcrab.com"
|
|
$domain_iawntsilk_dnset_com = "iawntsilk.dnset.com"
|
|
$domain_edu_microsoftmse_com = "edu.microsoftmse.com"
|
|
$domain_inewdays_csproject_org = "inewdays.csproject.org"
|
|
$domain_savecars_dnset_com = "savecars.dnset.com"
|
|
$domain_splashed_effers_com = "splashed.effers.com"
|
|
condition:
|
|
any of them
|
|
}
|