malware-ioc/grandoreiro at master · eset/malware-ioc · GitHub
Grandoreiro Indicators of Compromise

Grandoreiro disruption

The blog post about the Grandoreiro disruption operation is available on WeLiveSecurity at https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/.

Hashes

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| FB32344292AB36080F2D040294F17D39F8B4F3A8 | Notif.FEL.RHKVYIIPFVBCGQJPOQÃ.msi | Win32/Spy.Grandoreiro.DB | MSI downloader |
| 08C7453BD36DE1B9E0D921D45AEF6D393659FDF5 | RYCB79H7B-7DVH76Y3-67DVHC6T20-CH377DFHVO-6264704.msi | Win32/Spy.Grandoreiro.DB | MSI downloader |
| A99A72D323AB5911ADA7762FBC725665AE01FDF9 | pcre.dll | Win32/Spy.Grandoreiro.BM | Grandoreiro |
| 4CDF7883C8A0A83EB381E935CD95A288505AA8B8 | iconv.dll | Win32/Spy.Grandoreiro.BM | Grandoreiro (with binary padding) |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 20.237.166[.]161 | DGA-generated | Azure | 2024-01-12 | C&C server. |
| 20.120.249[.]43 | DGA-generated | Azure | 2024-01-16 | C&C server. |
| 52.161.154[.]239 | DGA-generated | Azure | 2024-01-18 | C&C server. |
| 167.114.138[.]249 | DGA-generated | OVH | 2024-01-02 | C&C server. |
| 66.70.160[.]251 | DGA-generated | OVH | 2024-01-05 | C&C server. |
| 167.114.4[.]175 | DGA-generated | OVH | 2024-01-09 | C&C server. |
| 18.215.238[.]53 | DGA-generated | AWS | 2024-01-03 | C&C server. |
| 54.219.169[.]167 | DGA-generated | AWS | 2024-01-09 | C&C server. |
| 3.144.135[.]247 | DGA-generated | AWS | 2024-01-12 | C&C server. |
| 77.246.96[.]204 | DGA-generated | VDSina | 2024-01-11 | C&C server. |
| 185.228.72[.]38 | DGA-generated | Master da Web | 2024-01-02 | C&C server. |
| 62.84.100[.]225 | N/A | VDSina | 2024-01-18 | Distribution server. |
| 20.151.89[.]252 | N/A | Azure | 2024-01-10 | Distribution server. |

Grandoreiro: How engorged can an EXE get?

The blog post "Grandoreiro: How engorged can an EXE get?" is available on WeLiveSecurity at https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/.

Hashes

Grandoreiro banking trojan

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 40FBC932BD45FEB3D2409B3A4C7029DDDE881389 | Old version of Grandoreiro (2017) | Win32/Spy.Grandoreiro.A |
| 7905DB9BBE2CB29519A5371B175551C6612255EF | Grandoreiro | Win32/Spy.Grandoreiro.AE |
| BD88A809B05168D6EFDBA4DC149653B0E1E1E448 | Grandoreiro | Win32/Spy.Grandoreiro.AJ |

Grandoreiro Win32 downloaders

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 7C2ED8B4AA65BEFCC229A36CE50539E9D6A70EE3 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJR |
| 27A434D2EF4D1D021F283BCB93C6C7E50ACB8EA6 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YLZ |
| 28D58402393B6BCA73FF0EAC319226233181EDC9 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJB |
| 42892DF64F00F4C091E1C02F74C2BB8BAD131FC5 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YMI |

Grandoreiro spam tool

| SHA-1 | Description | ESET detection name |
|---|---|---|
| BCED5D138ACEADA1EF11BFD22C2D6359CDA183DB | Grandoreiro spam tool | Win32/Spy.Grandoreiro.AD |

Windows Registry

  • HKCU\Software\%USER_NAME%

  • HKCU\Software\ToolTech-RM

User-Agent

  • h55u4u4u5uii5

Filenames

  • %INSTALL_DIR%\*
    • MDL_YEL_01.dll
    • MDL_BLU_BR_02.dll
    • MDL_SIC_BR_03.dll
    • MDL_SANT_BR_04.dll
    • MDL_ITA_BR_05.dll
    • MDL_BRADA_BR_06.dll
    • MDL_SICCB_BR_07.dll
    • MDL_SAFRA_BR_08.dll
    • MDL_ORIGI_BR_09.dll
    • MDL_NORDES_BR_10.dll
    • MDL_BANEST_BR_11.dll
    • MDL_BANEZE_BR_12.dll
    • MDL_AMAZON_BR_13.dll
    • MDL_UNICRE_BR_14.dll
    • MDL_BRB_BR_15.dll
    • MDL_WUPDATE_BR_001.dll

%INSTALL_DIR% is the path where Grandoreiro is installed.