AA23-061A StopRansomware Royal Ransomware
Indicators
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released this joint Cybersecurity Advisory (CSA) to disseminate information about Royal ransomware identified through FBI threat response activities as recently as January 2023.
The cyber criminal activity related to this advisory, which includes the successful compromise of dozens of U.S. and international organizations with a Royal ransomware variant, was observed as early as September 2022.
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in CISA Joint Cybersecurity Advisory, AA23-061A #StopRansomware: Royal Ransomware.
Please be advised that some of the IP addresses listed are more than a year old; therefore, FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action such as blocking.
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2023-02-27T00:00:00Z
Initial Access - Exploit Public-Facing Application [T1190]
Initial Access - External Remote Services [T1133]
Initial Access - Phishing: Spearphishing Attachment [T1566.001]
Initial Access - Phishing: Spearphishing Link [T1566.002]
Execution - Command and Scripting Interpreter [T1059]
Execution - Command and Scripting Interpreter: PowerShell [T1059.001]
Persistence - Valid Accounts: Domain Accounts [T1078.002]
Defense Evasion - Domain Policy Modification: Group Policy Modification [T1484.001]
Defense Evasion - Impair Defenses: Disable or Modify Tools [T1562.001]
Defense Evasion - Indicator Removal on Host: Clear Windows Event Logs [T1070.001]
Credential Access - Credentials from Password Stores: Password Managers [T1555.005]
Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]
Collection - Automated Collection [T1119]
Command and Control - Protocol Tunneling [T1572]
Command and Control - Remote File Copy [T1105]
Impact - Data Encrypted for Impact [T1486]