2024/2024.02.13.Water_Hydra/ioc-list-water-hydra-cve-2024-21412.txt

CVE-2024-21412: Water Hydra Targets Traders with Windows Defender SmartScreen Zero-Day
=======================================================================================
Indicators of Compromise
=======================================================================================

[URL]
hxxp[://]84[.]32[.]189[.]74
hxxp[://]84[.]32[.]189[.]74/xampp/
hxxp[://]84[.]32[.]189[.]74/webdav/
hxxps[://]fxbulls[.]ru
hxxps[://]fxbulls[.]ru/wp-content/uploads
hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]htm
hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]html
hxxps[://]84[.]32[.]189[.]74@0[.]0[.]0[.]80/fxbulls/net/2[.]url

hxxp[://]84[.]32[.]189[.]74/fxbulls
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/Thumbs[.]db 
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/2[.]url 
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip 
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/My2[.]zip

hxxp[://]84[.]32[.]189[.]74/fxbulls
hxxp[://]84[.]32[.]189[.]74/fxbulls/images
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/Thumbs[.]db 
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/2[.]url 
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip 
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/images/My2[.]zip

hxxp[://]84[.]32[.]189[.]74/fxbulls/net
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29[.]jpg[.]url
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/Thumbs[.]db 
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/2[.]url 
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip 
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip/a2[.]cmd
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/b3[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]dll
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]exe
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29s[.]jpg
hxxp[://]84[.]32[.]189[.]74/fxbulls/net/My2[.]zip

hxxp[://]84[.]32[.]189[.]74/underwall/docs
hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z.zip
hxxp[://]84[.]32[.]189[.]74/underwall/docs/passport.jpg.url
hxxp[://]84[.]32[.]189[.]74/underwall/docs/warop.url
hxxp[://]84[.]32[.]189[.]74/underwall/expand
hxxp[://]84[.]32[.]189[.]74/underwall/expand/7z.zip
hxxp[://]84[.]32[.]189[.]74/underwall/expand/photo_2023-12-26.jpg.url
hxxp[://]84[.]32[.]189[.]74/underwall/expand/warop.url
hxxp[://]84[.]32[.]189[.]74/underwall/society
hxxp[://]84[.]32[.]189[.]74/underwall/society/7z.zip
hxxp[://]84[.]32[.]189[.]74/underwall/society/photo_2023-12-26.jpg.url
hxxp[://]84[.]32[.]189[.]74/underwall/society/warop.url

[PATHS]
/fxbulls
/fxbulls/pictures
/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
/fxbulls/pictures/Thumbs[.]db 
/fxbulls/pictures/2[.]url 
/fxbulls/pictures/a2[.]zip 
/fxbulls/pictures/a2[.]zip/a2[.]cmd
/fxbulls/pictures/a2[.]zip
/fxbulls/pictures/b3[.]dll
/fxbulls/pictures/7z[.]dll
/fxbulls/pictures/7z[.]exe
/fxbulls/pictures/photo_2023-12-29s[.]jpg
/fxbulls/pictures/My2[.]zip

/fxbulls
/fxbulls/images
/fxbulls/images/photo_2023-12-29[.]jpg[.]url
/fxbulls/images/Thumbs[.]db 
/fxbulls/images/2[.]url 
/fxbulls/images/a2[.]zip 
/fxbulls/images/a2[.]zip/a2[.]cmd
/fxbulls/images/a2[.]zip
/fxbulls/images/b3[.]dll
/fxbulls/images/7z[.]dll
/fxbulls/images/7z[.]exe
/fxbulls/images/photo_2023-12-29s[.]jpg
/fxbulls/images/My2[.]zip

/fxbulls/net
/fxbulls/net/photo_2023-12-29[.]jpg[.]url
/fxbulls/net/Thumbs[.]db 
/fxbulls/net/2[.]url 
/fxbulls/net/a2[.]zip 
/fxbulls/net/a2[.]zip/a2[.]cmd
/fxbulls/net/a2[.]zip
/fxbulls/net/b3[.]dll
/fxbulls/net/7z[.]dll
/fxbulls/net/7z[.]exe
/fxbulls/net/photo_2023-12-29s[.]jpg
/fxbulls/net/My2[.]zip

/underwall/docs
/underwall/docs/7z.zip
/underwall/docs/passport.jpg.url
/underwall/docs/warop.url

/underwall/expand
/underwall/expand/7z.zip
/underwall/expand/photo_2023-12-26.jpg.url
/underwall/expand/warop.url

/underwall/society
/underwall/society/7z.zip
/underwall/society/photo_2023-12-26.jpg.url
/underwall/society/warop.url

[DOMAINS]
fxbulls[.]ru
87iavv[.]com
unfawjelesst322[.]com
p2oaviwt39ui[.]com

[WEBDAV]
\\84[.]32[.]189[.]74@80

\\84[.]32[.]189[.]74@80
\\84[.]32[.]189[.]74@80\pictures
\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\pictures\Thumbs[.]db 
\\84[.]32[.]189[.]74@80\pictures\2[.]url 
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip 
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
\\84[.]32[.]189[.]74@80\pictures\b3[.]dll
\\84[.]32[.]189[.]74@80\pictures\7z[.]dll
\\84[.]32[.]189[.]74@80\pictures\7z[.]exe
\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\pictures\My2[.]zip

\\84[.]32[.]189[.]74@80
\\84[.]32[.]189[.]74@80\images
\\84[.]32[.]189[.]74@80\images\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\images\Thumbs[.]db 
\\84[.]32[.]189[.]74@80\images\2[.]url 
\\84[.]32[.]189[.]74@80\images\a2[.]zip 
\\84[.]32[.]189[.]74@80\images\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\images\a2[.]zip
\\84[.]32[.]189[.]74@80\images\b3[.]dll
\\84[.]32[.]189[.]74@80\images\7z[.]dll
\\84[.]32[.]189[.]74@80\images\7z[.]exe
\\84[.]32[.]189[.]74@80\images\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\images\My2[.]zip

\\84[.]32[.]189[.]74@80\net
\\84[.]32[.]189[.]74@80\net\photo_2023-12-29[.]jpg[.]url
\\84[.]32[.]189[.]74@80\net\Thumbs[.]db 
\\84[.]32[.]189[.]74@80\net\2[.]url 
\\84[.]32[.]189[.]74@80\net\a2[.]zip 
\\84[.]32[.]189[.]74@80\net\a2[.]zip\a2[.]cmd
\\84[.]32[.]189[.]74@80\net\a2[.]zip
\\84[.]32[.]189[.]74@80\net\b3[.]dll
\\84[.]32[.]189[.]74@80\net\7z[.]dll
\\84[.]32[.]189[.]74@80\net\7z[.]exe
\\84[.]32[.]189[.]74@80\net\photo_2023-12-29s[.]jpg
\\84[.]32[.]189[.]74@80\net\My2[.]zip

\\84[.]32[.]189[.]74@80\docs
\\84[.]32[.]189[.]74@80\docs\7z[.]zip
\\84[.]32[.]189[.]74@80\docs\passport[.]jpg[.]url
\\84[.]32[.]189[.]74@80\docs\warop[.]url

\\84[.]32[.]189[.]74@80\expand
\\84[.]32[.]189[.]74@80\expand\7z[.]zip
\\84[.]32[.]189[.]74@80\expand\photo_2023-12-26[.]jpg[.]url
\\84[.]32[.]189[.]74@80\expand\warop[.]url

\\84[.]32[.]189[.]74@80\society
\\84[.]32[.]189[.]74@80\society\7z[.]zip
\\84[.]32[.]189[.]74@80\society\photo_2023-12-26[.]jpg[.]url
\\84[.]32[.]189[.]74@80\society\warop[.]url

[IP ADDRESSES]
84[.]32[.]189[.]74
179[.]43[.]172[.]127
179[.]43[.]172[.]191
64[.]31[.]63[.]70
64[.]31[.]63[.]194

[FILES]									[DETECTION NAME]
1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0	Trojan.HTML.CVE202421412.A
758c6364ab560fbeff2bfa8712a2e09132d85d0bf6918e6acc79fe12f5b71ec3	Trojan.HTML.CVE202421412.A
77d685e29c3dbe75fa8a82c69c68c731a09904020a76145ca27aeaf0058455cd	Trojan.HTML.CVE202421412.A
b36dc329a5dc766c2645d5f5b6cdaa9542ec3b0aa1bc13dc1f899ce6d95d59fb	Trojan.HTML.CVE202421412.A
d895fff3c909ea2eb6624fc5f154c924fe0af51c6c899fd9093dc3cd27a5dad2	Trojan.HTML.CVE202421412.A
008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab	Trojan.Win32.CVE202421412.A
087878208755420d5d7ae2eb6a84482768cb8972732911ac16096cd0c95fa0f7	Trojan.Win32.CVE202421412.A
1115e4bed3949493d8ab184e5c42f047355f13b9bf91c1621acb7971a148bea2	Trojan.Win32.CVE202421412.A
18b1dc2e00245cb017ebdedfe63881929d7542eeffa8f42ee0ad20cc2ebf181a 	Trojan.Win32.CVE202421412.A
1956bcd3df47e76b2e9f396514f072311563d092ae02509f817c488567749998	Trojan.Win32.CVE202421412.A
1fbc621a71578cb22d4e3a0feec68735321358a3aeb18adbe4a20630c7f788b8	Trojan.Win32.CVE202421412.A
39fb9fb06910f1133f3b23c523a5139f61d243380802b0670a664473d00e1fa9	Trojan.Win32.CVE202421412.A
3e420ce1dc1a8503f48815b880381dd23206e08be2474d151f1353df7df2d796	Trojan.Win32.CVE202421412.A
4201ab8c0c4cf0f01f5a25d8e4e7221634776b5bad8c3faad5ad819ec58619ad	Trojan.Win32.CVE202421412.A
58b0f5da4a53e956b35e77f55ced641291a596e16067b1dab6ac54d9cb6a52a5	Trojan.Win32.CVE202421412.A
5b16ac1edb747053ee5a085ab826c61218c5b471eaa04f2471dc2e80b5621023	Trojan.Win32.CVE202421412.A
5c85a0fe230d351b35da364c797cc95557f5dcceec034eb648e1805237c7203b	Trojan.Win32.CVE202421412.A
5f4ef55201080ef3a62b0fbdc4c27e0ccdf4041f41c04471f35b127ff6515405	Trojan.Win32.CVE202421412.A
61de01bc154b1118caacfed3839c996a795d6c21c2efbf1da6b926414f5d182d	Trojan.Win32.CVE202421412.A
65cc5594b307c2ac4e3c251aeae68dedf7d1f24ba3b0d7ab5ad3623e8a9fc865	Trojan.Win32.CVE202421412.A
6793e0fbc2def9173bf8e2a6c1aa357ba7fc3e32dc1cf81107677166f175c890	Trojan.Win32.CVE202421412.A
6bec457f83d0d98f6f6ea1243c2327e012db38fb61680f6bd68dbab0dc07170a	Trojan.Win32.CVE202421412.A
7058ae0f02e116b38536ee1ec20f47645aecf761361b5a5e85de2961f3cc88c6	Trojan.Win32.CVE202421412.A
70b4c2d696a24a5ae2f5e5095dc44e68b4605e4690c8a49930194ee87eb80252 	Trojan.Win32.CVE202421412.A
73922ab0d048b45a01f13ba967f1423bc6cd6cc711f8e7d00a4cf2b1d3646f4e	Trojan.Win32.CVE202421412.A
761fa42bc4cc5332a640c7389240324242981176ca1626e4267cc8a00cf9545f	Trojan.Win32.CVE202421412.A
88bb1df99e02021801b08beeff87ec3ceb9e16c42f62904c5ac04c1a26213a48	Trojan.Win32.CVE202421412.A
941cf63028bf8314bc7114a088f4d1f1dd995bec4a4b7c51fda34fbb3528667f	Trojan.Win32.CVE202421412.A
a45e0ea5a17ba6f3a2ce7258f6cc81c6f93f37873b49218a25ec638987da6f96	Trojan.Win32.CVE202421412.A
a5096c4624a523a660242e3451c2f4d644431a35098e36b724fab9f7d88d145d	Trojan.Win32.CVE202421412.A
a9633da58719f07159702101474b6ba78f2ffee28b3f7ebda3feb36db4e2d0e9	Trojan.Win32.CVE202421412.A
b0ab19986ab1297870854980f1287f1a4b8d003c540773a6c04fb3565e5701ee	Trojan.Win32.CVE202421412.A
b350a787c19a756c0824e14eec7e9d746450d1aafb28a5d15209ec9f34c58129	Trojan.Win32.CVE202421412.A
b738e92afc95cba819aa7aebfad459de38743c478e9e8b8f29f9919697b495b0 	Trojan.Win32.CVE202421412.A
b8b6b6d98b7ea689f0c33d55a06afcf20482b25c51929ca9a1b302374290b337	Trojan.Win32.CVE202421412.A
babbd9c94dedb94be8baac2ddc5b4714c44a8d0c60d49c0dc91708784bc0d57f	Trojan.Win32.CVE202421412.A
bbdf52481bd1a15710d75b89240c7a360450e2f4f00ba2cb140affba79ebec94	Trojan.Win32.CVE202421412.A
c86ba0da732e1fa1f06549d3ebc5ae6ae091199e95930681ac2a9152a8834184	Trojan.Win32.CVE202421412.A
d6000a19198b8b9719fc17f7c06366e542802a8e7e232ba731b72c31226cc890	Trojan.Win32.CVE202421412.A
d81e7d95004441ea4f5344215232db57f48579bf335c7ba4ed7f6ec6f9136ed0	Trojan.Win32.CVE202421412.A
db1bc70c0d0c7121f1d4422a6fcd0e0668d9da786affb52dd77852641e425710	Trojan.Win32.CVE202421412.A
ddda5737b2c3207d72d728bf40709a7296c31e7c50951dcad441f4707581ccb1	Trojan.Win32.CVE202421412.A
e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1	Trojan.Win32.CVE202421412.A
e49a7d9083b2e448274d117405c39b0c1b2c0c20ab5195bdf94aaeda7cc113d7	Trojan.Win32.CVE202421412.A
f44964c8fdf6dbdb21c141df61b45467bba5a4482f7ab19fd6f1841fdb791f2a	Trojan.Win32.CVE202421412.A
f6b01df60d526f1de530230724d41b482adfff81084a1872bb97c316b76e45e3	Trojan.Win32.CVE202421412.A
f701f500d348b63f3250239cd8305a8b38230e67d74456f3333c6efeeef85bbb	Trojan.Win32.CVE202421412.A
fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90	Trojan.Win32.CVE202421412.A
4307a067db6b6abd852441e6d70de29c3bd0e4d6a68f0449b403401518b7e037 	Trojan.Win32.CVE202421412.B
69fc5bed55acf559035f2c5550bf8807236b580f8e2db88966b3fc80c83914d3 	Trojan.Win32.CVE202421412.B
4c43b4575063d50ca5668e45a434aaf288970c89e8a4414812560ee787307f58 	Trojan.Win32.CVE202421412.B
135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c	Trojan.Win32.DARKME.A
252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146	Trojan.Win32.DARKME.A
594e7f7f09a943efc7670edb0926516cfb3c6a0c0036ac1b2370ce3791bf2978	Trojan.Win32.DARKME.A
6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49	Trojan.Win32.DARKME.A
71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc	Trojan.Win32.DARKME.A
b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb	Trojan.Win32.DARKME.A
bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c	Trojan.Win32.DARKME.A
dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54	Trojan.Win32.DARKME.A