= GreyEnergy -- Indicators of Compromise

For a description of GreyEnergy, please see the article about https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/[GreyEnergy] on https://www.welivesecurity.com[WeLiveSecurity].

== ESET detection names

- VBA/TrojanDownloader.Agent.EYV
- Win32/Agent.SCT
- Win32/Agent.SCM
- Win32/Agent.SYN
- Win64/Agent.SYN
- Win32/Agent.WTD
- Win32/GreyEnergy
- Win64/GreyEnergy
- Win32/Diskcoder.MoonrakerPetya.A
- PHP/Agent.JS
- PHP/Agent.JX
- PHP/Agent.KJ
- PHP/Agent.KK
- PHP/Agent.KL
- PHP/Agent.KM
- PHP/Agent.KN
- PHP/Agent.KO
- PHP/Agent.KP
- PHP/Agent.KQ
- PHP/Agent.KR
- PHP/Agent.KS
- PHP/Agent.KT
- PHP/Agent.KU
- PHP/Agent.LC
- PHP/Agent.NBP
- PHP/Kryptik.AB
- PHP/TrojanProxy.Agent.B
- ASP/Agent.L
- Win64/HackTool.PortScanner.A
- Win32/HackTool.PortScanner.A
- Win64/Riskware.Mimikatz.A
- Win64/Riskware.Mimikatz.AE
- Win64/Riskware.Mimikatz.AH
- Win32/Winexe.A
- Win64/Winexe.A
- Win64/Winexe.B

== Samples

All hashes are SHA-1.

=== GreyEnergy document

----
177AF8F6E8D6F4952D13F88CDF1887CB7220A645
----

=== GreyEnergy mini

----
455D9EB9E11AA9AF9717E0260A70611FF84EF900
51309371673ACD310F327A10476F707EB914E255
CB11F36E271306354998BB8ABB6CA67C1D6A3E24
CC1CE3073937552459FB8ED0ADB5D56FA00BCD43
30AF51F1F7CB9A9A46DF3ABFFB6AE3E39935D82C
----

=== GreyEnergy droppers

----
04F75879132B0BFBA96CB7B210124BC3D396A7CE
69E2487EEE4637FE62E47891154D97DFDF8AAD57
716EFE17CD1563FFAD5E5E9A3E0CAC3CAB725F92
93EF4F47AC160721768A00E1A2121B45A9933A1D
94F445B65BF9A0AB134FAD2AAAD70779EAFD9288
A414F0A651F750EEA18F6D6C64627C4720548581
B3EF67F7881884A2E3493FE3D5F614DBBC51A79B
EBD5DC18C51B6FB0E9985A3A9E86FF66E22E813E
EC7E018BA36F07E6DADBE411E35B0B92E3AD8ABA
----

=== GreyEnergy dropped DLLs

=== GreyEnergy in-memory-only DLLs

----
0BCECB797306D30D0BA5EAEA123B5BF69981EFF4
11159DB91B870E6728F1A7835B5D8BE9424914B9
6ABD4B82A133C4610E5779C876FCB7E066898380
848F0DBF50B582A87399428D093E5903FFAEEDCD
99A81305EF6E45F470EEE677C6491045E3B4D33A
A01036A8EFE5349920A656A422E959A2B9B76F02
C449294E57088E2E2B9766493E48C98B8C9180F8
C7FC689FE76361EF4FDC1F2A5BAB71C0E2E09746
D24FC871A721B2FD01F143EB6375784144365A84
DA617BC6DCD2083D93A9A83D4F15E3713D365960
E4FCAA1B6A27AA183C6A3A46B84B5EAE9772920B
----

=== Moonraker Petya

----
1AA1EF7470A8882CA81BB9894630433E5CCE4373
----

=== PHP and ASP scripts

=== Custom port scanner

----
B371A5D6465DC85C093A5FB84D7CDDEB1EFFCC56
B40BDE0341F52481AE1820022FA8376E53A20040
----

=== Mimikatz

----
89D7E0DA80C9973D945E6F62E843606B2E264F7E
8B295AB4789105F9910E4F3AF1B60CBBA8AD6FC0
AD6F835F239DA6683CAA54FCCBCFDD0DC40196BE
----

=== WinExe

----
0666B109B0128599D535904C1F7DDC02C1F704F2
2695FCFE83AB536D89147184589CCB44FC4A60F3
3608EC28A9AD7AF14325F764FB2F356731F1CA7A
37C837FB170164CBC88BEAE720DF128B786A71E0
594B809343FEB1D14F80F0902D764A9BF0A8C33C
7C1F7CE5E57CBDE9AC7755A7B755171E38ABD70D
90122C0DC5890F9A7B5774C6966EA694A590BD38
C59F66808EA8F07CBDE74116DDE60DAB4F9F3122
CEB96B364D6A8B65EA8FA43EB0A735176E409EB0
FCEAA83E7BD9BCAB5EFBA9D1811480B8CB0B8A3E
----

== Network indicators

=== GreyEnergy mini's C&C servers URLs

URLs are defanged with `[.]`.

----
https://82.118.236[.]23:8443/27c00829d57988279f3ec61a05dee75a
http://82.118.236[.]23:8080/27c00829d57988279f3ec61a05dee75a
https://88.198.13[.]116:8443/xmlservice
http://88.198.13[.]116:8080/xmlservice
https://217.12.204[.]100/news/
http://217.12.204[.]100/news/
http://pbank.co[.]ua/favicon.ico (IP: 185.128.40.90)
----

=== GreyEnergy's C&C servers IP addresses

[options="header"]
|=====
| Active period | IP address
| 2015 - 2016 | `109.200.202.7`
| 2015 - 2015 | `193.105.134.68`
| 2015 - 2016 | `163.172.7.195`
| 2015 - 2016 | `163.172.7.196`
| 2016 - 2016 | `5.149.248.77`
| 2016 - 2016 | `31.148.220.112`
| 2016 - 2016 | `62.210.77.169`
| 2016 - 2016 | `85.25.211.10`
| 2016 - 2016 | `138.201.198.164`
| 2016 - 2017 | `124.217.254.55`
| 2017 - 2017 | `46.249.49.231`
| 2017 - 2017 | `37.59.14.94`
| 2017 - 2017 | `213.239.202.149`
| 2017 - 2017 | `88.198.13.116`
| 2017 - 2017 | `217.12.202.111`
| 2017 - 2017 | `176.31.116.140`
| 2017 - 2018 | `185.217.0.121`
| 2017 - 2018 | `178.150.0.200`
| 2018 - 2018 | `176.121.10.137`
| 2018 - 2018 | `178.255.40.194`
| 2018 - 2018 | `193.105.134.56`
| 2018 - 2018 | `94.130.88.50`
| 2018 - 2018 | `185.216.33.126`
|=====
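The script below is an added example of consuming this list, not code from ESET's repository. It parses the AsciiDoc layout used here (SHA-1 hashes inside `----` blocks, defanged URLs, the `| period | ip |` table) into indicators, refangs the `[.]` notation, hashes a file tree against the sample list, and matches C&C hosts in proxy log lines with token boundaries so `82.118.236.23` does not fire on `82.118.236.230`. The embedded excerpt repeats a few of the page's own entries so the script runs offline; the log lines and the `sample.bin` file are constructed test data, and the `IOC_DOC`, `LOG_LINES`, `parse_iocs`, `scan_dir`, `match_log` and `demo` names are this example's own.

```python
"""Parse the GreyEnergy IOC README into indicators and hunt for them (added example)."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed excerpt in the page's AsciiDoc layout (values copied from the list above).
IOC_DOC = """\
=== GreyEnergy document
----
177AF8F6E8D6F4952D13F88CDF1887CB7220A645
----
=== GreyEnergy mini
----
455D9EB9E11AA9AF9717E0260A70611FF84EF900
51309371673ACD310F327A10476F707EB914E255
----
=== GreyEnergy mini's C&C servers URLs
----
https://82.118.236[.]23:8443/27c00829d57988279f3ec61a05dee75a
http://pbank.co[.]ua/favicon.ico (IP: 185.128.40.90)
----
=== GreyEnergy's C&C servers IP addresses
[options="header"]
|=====
| Active period | IP address
| 2015 - 2016 | `109.200.202.7`
| 2018 - 2018 | `185.216.33.126`
|=====
"""

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
IP_ROW_RE = re.compile(r"^\|\s*(\d{4})\s*-\s*(\d{4})\s*\|\s*`([^`]+)`\s*$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(s):
    """Undo the [.] defanging used in the URL list."""
    return s.replace("[.]", ".")


def parse_iocs(text):
    """Return hashes (sha1 -> section), refanged URLs, C&C IP rows and a host set."""
    hashes, urls, ip_rows, hosts = {}, [], [], set()
    section, in_block = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=== "):
            section = line[4:]
        elif line == "----":
            in_block = not in_block
        elif in_block and SHA1_RE.match(line):
            hashes[line.upper()] = section
        elif in_block and line.startswith(("http://", "https://")):
            url = refang(line.split()[0])
            urls.append(url)
            hosts.add(urlsplit(url).hostname)
            hosts.update(IPV4_RE.findall(refang(line)))  # also picks up "(IP: ...)" notes
        else:
            m = IP_ROW_RE.match(line)
            if m:
                ip_rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
                hosts.add(m.group(3))
    return {"hashes": hashes, "urls": urls, "ips": ip_rows, "hosts": hosts}


def scan_dir(root, hashes):
    """Walk root, SHA-1 every file in 1 MiB chunks, return (path, sha1, section) hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, h = os.path.join(dirpath, name), hashlib.sha1()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digest = h.hexdigest().upper()
            if digest in hashes:
                hits.append((path, digest, hashes[digest]))
    return hits


def match_log(lines, hosts):
    """Return (line, host) where a C&C host/IP appears as a whole token.
    The lookarounds stop 82.118.236.23 matching 82.118.236.230; subdomains of a
    listed domain are deliberately not matched."""
    pats = [(h, re.compile(r"(?<![\w.])" + re.escape(h) + r"(?![\w.])")) for h in sorted(hosts)]
    return [(line, host) for line in lines for host, pat in pats if pat.search(line)]


LOG_LINES = [  # constructed proxy log lines
    "2018-03-01T10:00:01 10.0.0.5 GET http://82.118.236.23:8080/27c00829d57988279f3ec61a05dee75a 200",
    "2018-03-01T10:00:02 10.0.0.6 GET http://82.118.236.230/index.html 200",
    "2018-03-01T10:00:03 10.0.0.7 GET http://pbank.co.ua/favicon.ico 200",
]


def demo():
    """Run the hunt on the constructed data; returns (log hits, file hits)."""
    iocs = parse_iocs(IOC_DOC)
    log_hits = match_log(LOG_LINES, iocs["hosts"])
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample file, registered under a test label
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"hello")
        known = dict(iocs["hashes"])
        known[hashlib.sha1(b"hello").hexdigest().upper()] = "constructed test sample"
        file_hits = scan_dir(tmp, known)
    return log_hits, file_hits


if __name__ == "__main__":
    log_hits, file_hits = demo()
    for line, host in log_hits:
        print("C&C contact:", host, "<-", line)
    for path, digest, section in file_hits:
        print("hash match:", digest, section, path)
```

For real use, read the full README into `parse_iocs()` and point `scan_dir()` at the tree you want checked; the SHA-1 hit tells you which family section the file belongs to, and the active-period columns in `ips` let you limit the host match to log ranges that overlap the period in which that address was in use.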