Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations

======================================================================================================
[Indicators of Compromise]
======================================================================================================

[File]

[SHA256]                                                          [Detection name]
42d4eb7f04111631891379c5cce55480d2d9d2ef8feaf1075e1aed0c52df4bb9  Backdoor.Win32.ZINGDOOR.ZHKH
95062728536f23b1335756ae1a1d68f1df22d58594ece9998cae6b73772fd49f  Trojan.MSIL.DULLOAD.ZHKL
6a4de5c7787e212dea5f033f8f7cd39aefc93e7c83c8564dc2204813e8e76ff2  Backdoor.Win32.COBEACON.ZHKL.enc
27042218e8d1a0491525b35a6dc2fc0737841bcaed65b751e78769eadeda9751  Trojan.Win32.DULLOAD.ZHKL
c32156a7de42a61f5d584e82dfbced690d23fd72080024c14a9143e5f20f0ad8  Backdoor.Win32.COBEACON.ZHKL
a298031b1c28f11f00d3b9f6311fbfae881d6c789e70c4bc5e6ccdf8165b94c6  Backdoor.Win32.CRYPTMERLIN.ZHKL
cdde7878ed0529f9ef3ad58aa3084f1df6e2fb371807b15539187539b060fed2  TrojanSpy.Win64.NINJACOPY.ZYLA
6f274955b1fb58cc9a60476bc5a9cd9d54c962cc29e73db41b7786148cb74505  Trojan.Win64.DRACULOADER.ZBLD
09abc579097b0bd8d115702bb1eeb546d2401373c83385a52386ad4243f945e8  Backdoor.Win64.ZINGDOOR.ZBKJ
292f70bff5717608c289f4146febcc06a2c5d8192529a8c51e18ec0f7b44d1cf  Backdoor.Win64.ZINGDOOR.ZBKJ
cd8630f8e07e16203195f563457a84beb08112fcbb4d9ee1056a788174cf8f6b  Backdoor.Win32.CROWDOOR.ZCLC
98ddf03ca6ade4770cc06ac8034b3468bd94094f5813d28b74885e5ca6958895  Backdoor.Win32.CROWDOOR.ZTLC
03365cce37db511fdfaf8d77a14f806a2d822a111aa8cc032b5b341c0b0064a5  Trojan.Win32.DULLOAD.ZCLB
1378bde3aee0057ca2a5854fee4d184479491ec624a3bbf215098afaa6b82299  Trojan.Win32.DRACULOADER.ZCLB
b17660d1a4c0258739024187497be0b11530791d1307d9e5556f04f0ac58d42f  Trojan.Win32.DULLOAD.ZCLB
b450311b5fc4333b26955f7c709ca61fcfdba168f1a8839a93979a892a8c22cc  Trojan.Win32.DRACULOADER.ZAKH
39f1c7095e1db05944eeda08a2e1c1b8c513ea581bfc0cb36ad106e3a8f38b5f  Trojan.Win32.DRACULOADER.ZALJ
0c8c0b2837fbb9c15da1bfb904ed3f3903e2d4d49c999394068f274b014a09dd  Trojan.Win32.DRACULOADER.ZALJ
a113c637bb81f9bbd39731672b242a8da5915ef4b5e93d72cc9a7454b5e120bd  Trojan.Win64.DRACULOADER.ZCLJ
4aeaa0d954268d4fc7179ec7578258c3459ee95b82698363e0cafb700c05181a  Trojan.Win64.DRACULOADER.ZBLJ
d0575b3ced944dc627d047c60f23d25bd3aa0c4deab69f784b9a80aae50fbd7b  Trojan.Win64.DRACULOADER.ZCLJ
25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b  Trojan.Win32.SNAPPYBEE.ZMLJ
6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc  Trojan.Win32.SNAPPYBEE.ZOLK

======================================================================================================

[Network]

[Type]       [Indicators]
IP address   103.159.133[.]209
IP address   45.192.178[.]208
IP address   38.54.71[.]140 (Snappybee)
IP address   103.159.133[.]205
IP address   103.103.131[.]40
IP address   103.15.28[.]228
IP address   154.220.3[.]17
IP address   156.255.2[.]202
IP address   103.103.128[.]121
IP address   162.19.135[.]182
Domain       cdglobalclouds[.]com
Domain       broadmediacloud[.]com
Domain       zmail.broadmediacloud[.]com (CrowDoor)
Domain       www.nodtecloud[.]com
Domain       mail2-0da8aa1c.oxcdntech[.]com (Zingdoor)
Domain       helpdesk.athenatechlabs[.]com (CrowDoor)
Domain       supports.flarecastdns[.]com (CrowDoor)
Domain       ns.starkaero[.]com (Cobeacon)
Domain       pay.johannesburghotel[.]net (CRYPTMERLIN)
Domain       kidshomeworkabc.global.ssl.fastly[.]net (Cobeacon)
Domain       ap.missmichiko[.]com (Zingdoor)
Domain       portal[.]sppokemon[.]com (Zingdoor)
Domain       svn.truecdnnetwork[.]com (Cobeacon)
Domain       lync.realtxholdem[.]com
Domain       globalnetzone.b-cdn[.]net
Domain       amazoncdns[.]com
Domain       www[.]euphemismscase[.]site
Domain       www[.]dbacloudsupport[.]com
Domain       www[.]cloudshappen[.]com
Domain       www[.]amazoncdns[.]com
Domain       supports[.]dbacloudsupport[.]com
Domain       ssl3[.]awsdns-531[.]com
Domain       soffice[.]offices-analytics[.]com
Domain       services[.]offices-analytics[.]com
Domain       resource[.]offices-analytics[.]com
Domain       redsquare[.]redcrossco[.]com
Domain       portal[.]techmersion[.]com
Domain       portal[.]cdglobalclouds[.]com
Domain       opengl[.]cloudshappen[.]com
Domain       ns108[.]cloudshappen[.]com
Domain       ns101[.]awsdns-531[.]com
Domain       ms119[.]newsfreecloud[.]com
Domain       ms101[.]cloudshappen[.]com
Domain       mail[.]euphemismscase[.]site
Domain       llnw-dd[.]awsdns-531[.]com
Domain       images[.]dbacloudsupport[.]com
Domain       helpdesk[.]cloudshappen[.]com
Domain       helpdesk[.]athenatechlabs[.]com
Domain       global[.]techmersion[.]com
Domain       ge[.]huseinhbz[.]click
Domain       ftp[.]techmersion[.]com
Domain       euphemismscase[.]site
Domain       emv1[.]techmersion[.]com
Domain       emv1[.]cdglobalclouds[.]com
Domain       de[.]huseinhbz[.]click
Domain       credits[.]offices-analytics[.]com
Domain       cloudsrv[.]cloudfrontsrv[.]com
Domain       cdn181[.]awsdns-531[.]com
Domain       cdn101[.]cloudflaresrv[.]com
Domain       cdglobalclouds[.]com
Domain       cas04[.]awsdns-531[.]com
Domain       cachecloud[.]cloudflaresrv[.]com
Domain       cache10[.]newsfreecloud[.]com
Domain       c11r[.]awsdns-531[.]com
Domain       blog[.]techmersion[.]com
Domain       auth[.]boxlibraries[.]com