Name	Name	Last commit message	Last commit date
parent directory ..
README.adoc	README.adoc	Add IoCs for Machete	Aug 5, 2019
misp-machete-event.json	misp-machete-event.json	Add IoCs for Machete	Aug 5, 2019
samples.md5	samples.md5	Add IoCs for Machete	Aug 5, 2019
samples.sha1	samples.sha1	Add IoCs for Machete	Aug 5, 2019
samples.sha256	samples.sha256	Add IoCs for Machete	Aug 5, 2019

Machete — Indicators of Compromise

For a technical analysis of Machete, check the white paper available on WeLiveSecurity.

A high level summary is also available as a blog post here.

The MISP event is available in misp-machete-event.json.

Sample hashes

GoogleUpdate.exe

SHA-1 hash	ESET Detection Name
`048C40EB606DA3DEF08C9F6997C1948AFBBC959B`	Python/Machete.F
`2E8D8508096CAA38493414F6BA788D0041EA9E15`	Python/Machete.F
`85BDD7D871108C737701AC30C14A2D343CBDEF94`	Python/Machete.D
`8ED8CB784512F7DADD147347FC94E945FAF16338`	Python/Machete.F
`9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E`	Python/Machete.A
`AB8DD6B0CC950618589603012863B57F7ADB9D9B`	Python/Machete.A

Chrome.exe

SHA-1 hash	ESET Detection Name
`318496B58CF5052EFD49A95C721D9165278E9FCE`	Python/Machete.B
`3BB345032B6D0226D6771BA65FE4DA0FAF628631`	Python/Machete.B
`946A24DFBD0AE94209EF7C284D3F462548566A3C`	Python/Machete.B
`984B9202A6DBD7D3DD696CAE1220338A68092DC9`	Python/Machete.B
`EABD45D0A86113F5CCFF9FD292C1E482A5727815`	Python/Machete.B
`F05BC018C90B560DC4932758956ADFFBC10588CE`	Python/Machete.B

GoogleCrash.exe

SHA-1 hash	ESET Detection Name
`204A2850548E5994D4696E9002F90DFCCBE2093A`	Python/Machete.C
`3792588EDC809270E6666A4677EC85A3400BA4CF`	Python/Machete.E
`4899A2C2CECEB92D2CC4ED17D092D1D599379284`	Python/Machete.A
`A42756280AA352F4612BED85AABF7F3267E676C2`	Python/Machete.E
`A97CF05AD7F3102BDE45E4B4947ED435EFEA1968`	Python/Machete.E

RAR/7z SFX: config + malicious components

ESET detection names vary for these samples, depending on the malicious components they hold inside.

SHA-1 hash	Filename
`00397DA69B8E748720AEDFD80D78166573C33EC8`	ders.exe
`03929A5530639C1D9DBD395A298C59FD7EFF1DEC`	chrome.sfx.exe
`0922DEFB82FF1140BBE3481BAB27564BB966D50B`	ChrOme_UpdAte.sfx.exe
`0AC64E08E63601AD9D6A4EF019E5B374784AF80A`	chrome.sfx.exe
`0BA5BCE133B50EF80FD9241C3EA5CB9135CA4EB1`	ders.exe
`161629F63422AB34108854662313F87A278DD7F5`	chrome.sfx.exe
`24752DAB28C3ADD4C31591F2EC480CE3CA83E0AA`	python27.exe
`341F2EFA0FD11B4480D8503BFB81C62AF667D72D`	chrome_Up.sfx.exe
`4C130AA110B290A0CF4FF1C099EA2A705081A9CB`	Chrome_Update.sfx.exe
`50C23690C23EE070AD3A20FCED7311BFDF098833`	ders.exe
`67ECBC1E9A66719C599E6DDED33A85F70DACA13E`	chrome.sfx.exe
`6A69A2A2D4A2F8690B71386F0F092B04EA5A647D`	ders.exe
`92C56AF6815597C0135C21EF5A35D41B0E2A460F`	Python_27.exe
`9E52E1C015B97D4FB2CAC888F8FC69D729AF78F5`	finaser.aes
`A48A71B9D1C00A683397F97C02E0DBB3F4606863`	ders.exe
`B6E436A0FFF117A1C3D3D70947F62D4CAC66C95E`	ders.exe
`C4ACCF6071F51ADE102190C6FA350435FC202654`	Python.27.exe
`D5238CDE036EEFCC6D8D686B3A00247F27DA894C`	Python.27.exe
`DDA105D8D894F73B16518D546270E4F783CB5178`	python27.exe
`E85C1EF38C39B6087EA9AC8171DDD1416B9A5306`	python27.exe
`FD52B10E9D4E5D343E589627444A6766357D5E47`	Security.exe

7z SFX: decoy + downloader

SHA-1 hash	Filename
`52B680F472AE463436979DA325DB7AD64D5AF1EF`	Mapa_monitoreo_WRF_ind02052018.scr
`69109287D41C002FA70BB3D6238C4056B2B24B2F`	Mapa_monitoreo_WRF_ind02052018.scr
`89C0FDEED36A69099E935A590A103339B0CBE525`	Mapa_monitoreo_WRF_ind02052018.scr
`9EA7832D83C74C839A49580B4211E627A24571BE`	Programa Formacion en Contratacion Publica.scr
`BFD0CBEF5B9C329792B38274474F04BD8109DF66`	RGMA0_1_629.scr
`FB871AACA0DDCF2F009A2D11ECF672CFB61B7357`	CALENDARIO_ACTIVIDADES_COLCO_EC.scr
`FDE89FCEC30FCAABB3D42ED87180843F3E760CD8`	Mapa_monitoreo_WRF_ind02052018.scr

RAR SFX: URL config + downloader

SHA-1 hash	Filename
`9912BDBE08179122DC3797A2585D463573D1B5A5`	04Down.exe
`AB16808B5B4706B6265C5FF5FEF8B8460C8A51F8`	4Down.sfx.exe
`BDAAB0B356EC9FE61FEE1723E1DD52E39DDC6699`	04Down.exe
`DED6509458DF62D3CE60C68F3A2A87E59F1F96BE`	Down.sfx.exe

Downloader

SHA-1 hash	Filename	ESET Detection Name
`2B7404F6B0075BC1192D61D4AF135D521D5F08A3`	RdrCEF.exe	Python/Machete.A
`53102E57B40FEACB64566C26D101D9242DECE77C`	Down.exe	Python/Machete.A
`56E8743E0773286A4B9E055147D96D53A43BECA1`	Down.exe	Python/Machete.A
`71F69F04307C8F5675DCADEAA80B8C2B95691B01`	Down.exe	Python/Machete.A
`904137B61F1DED66C8CA76EBF198DEC1B638B5D4`	Down.exe	Python/Machete.A
`FBB485B40477F5A014E7096747B1B4A494CE50EF`	Down.exe	Python/Machete.A

RAR/7z SFX: decoy + payload (no downloader)

SHA-1 hash	Filename
`0468D3776435E527DBA52B9DA61D38C076DDA09A`	FORMATO UNICO DE RENDIMIENTO OPERATIVO GNB 11JUNIO2019 CZGNB-13 xlsx.scr
`10EB152039CB0A379DAAB272151BC1BAA8C6D4DB`	Radiograma 004026_pdf.scr
`173664DE0A9A08218098ABFB86D2C64F25B5EE37`	Diseño_pptx.scr
`212F3697117D17EC3F299D037845CF3DB20CE88A`
`29EA8A983E56229AC69FFF9958319B66C006020B`	RDGMA 1101 001 jpg.scr
`3562CB8D37E68025787C31A0B4654A1CE209E62F`	20190611101428 pdf.scr
`35E4ECB61F1FA09BEC8A4528C592D982D33B6C6B`	INVITADOS_MEXICANOS.scr
`442E6CC28D118CFAF1A5482E2000C7DC00D9A7B9`
`5C56AC14CA7159804A9D53FE037CFD0D99D45AB1`	JUNIO_19_PROPUESTA_CLARO_RENOVACION.scr
`61DE62436B3806A3A645C96677D7AD9D802E30A8`	FORMATO DE NOVEDADES PARA DC PERSONAL xls.scr
`62800D245A3726CA390D08B7BF17FE2C37F2B3CF`	20190611101331.scr
`64F1322BF2A898278AA1E73803FDD500B6E5E7C7`	RAD_N_0961_21MAY19.scr
`79AC512389EF9E27A3598CA2968573DB4F5FD58F`	RAD OFL0120_jpg.scr
`7A1AD75A1AA73EC72EE21B213FCCA55D57A0CD58`	S_E_ARLETTE_MARENCO_NOTA_INFORMANDO_TERMINO_DE_MISION_001.scr
`8E0AC29B8BD0C086B20C23B254CF047AA30A0529`	07_1379.scr
`91F2C7EED2EE92D11BC6B8FD8D3CBA0B02C8D074`	Blason.scr
`97EDCDFD6E674591C1E809381C7E68F11DFA81FC`	08_1159.scr
`9D65B55168526161A79F4743A37B1A7358C67037`	INSTRUCCIONES DEL JSO 08JUN19 docx.scr
`A19648A5576E0B9FC449D89ADDC569BA1350ECFF`
`A94916F9696D861FE040891634B3F2DA09557F13`	REPORTE OPERACIONAL 10JUN19 pdf.scr
`B451F623FE9F315EB886B83F27139FC236A07EC9`	20190611101428.scr
`C39B9D966AED0372619B3989995AB9AD12F94D38`	NOTA_CICR_00079.scr
`CF10E0313177FF4C9C588232218078EB870C0079`	BOLETA DE PERMISO NELSON GUERERE docx.scr
`E8BBCB0F6538D1543BFA3F7A66F20155EBC2BCC8`	JUNIO_27_PROPUESTA_CLARO_RENOVACION.scr
`EA3D823DF9F0E41AD1DA2FD3492B418693BED8BD`	20190611101331 pdf.scr
`EB82401CE6B2497AEB1FC666697D7D9CE66E4D5B`	Asimilacion.scr

\_hashlbi.pyw

SHA-1 hash	ESET Detection Name
`1B3723651E1D321D4F34F2A243D7751D17288257`	Python/Machete.G
`7FFB9C7DA20C536B694E78538B65726EACB1B055`	Python/Machete.G
`B1ADF4B46350FB801CE54DA9C93A4EF79674F3F5`	Python/Machete.G

\_bsdbd.pyw

SHA-1 hash	ESET Detection Name
`0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3`	Python/Machete.G
`314D9B4C25DD69453D86E4C7062DCE6DEDDA0533`	Python/Machete.G
`D4CF22F3DB78BDC1CEB55431857D88166CE677D4`	Python/Machete.G

\_clypes.pyw

SHA-1 hash	ESET Detection Name
`26FB301AF7393B5E564B8C802F5795EDEBD7CECF`	Python/Machete.G
`979859B5A177650EF0549C81FD66D36E9DEA8078`	Python/Machete.G
`A07E38DF9887EA7811369CD72C57FD6D44523CD6`	Python/Machete.G

\_elementree.pyw

SHA-1 hash	ESET Detection Name
`07E383E9FF04F587769845306DC4BFE75630BAAA`	Python/Machete.G
`3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3`	Python/Machete.G
`56765B7511372A8E9BE017F48A764D141F485474`	Python/Machete.G
`CF2DC40926D8747AEC572DFD711BBFD766AADB10`	Python/Machete.G

\_mssi.pyw

SHA-1 hash	ESET Detection Name
`6B42091CA2F89A59F4E27E30ACDACF32EB83F824`	Python/Machete.G
`708F159F2CFE22FF0C4464F2FEDAA0501868BDD8`	Python/Machete.G
`DE639618B550DBE9071E999AAA5B4FC81F63A5A6`	Python/Machete.G

\_multiproccessing.pyw

SHA-1 hash	ESET Detection Name
`0B6F61AF3E2C6551F15E0F888177EEC91F20BA99`	Python/Machete.G
`76AABC0AF5D487A80BCBA19555191B46766139FA`	Python/Machete.G
`7FF87649CA1D9178A02CD9942856D1B590652C6E`	Python/Machete.G
`8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D`	Python/Machete.G
`8AF19AA3F18CB35F12EE3966931E11799C3AC5A4`	Python/Machete.G
`E1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD`	Python/Machete.G

Domain names

tobabean.expert
koliast.com
u929489355.hostingerapp.com
u154611594.hostingerapp.com
6e24a5fb.ngrok.io
f9527d03.ngrok.io
adtiomtardecessd.zapto.org
mcsi.gotdns.ch
djcaps.gotdns.ch
tokeiss.ddns.net
artyomt.com
lawyersofficial.mipropia.com
ceofanb18.mipropia.com

Server IPs

185.224.137.63
156.67.222.88
158.69.9.209
142.44.236.215
199.79.63.188
109.61.164.33

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

machete

machete

README.adoc

Machete — Indicators of Compromise

Sample hashes

GoogleUpdate.exe

Chrome.exe

GoogleCrash.exe

RAR/7z SFX: config + malicious components

7z SFX: decoy + downloader

RAR SFX: URL config + downloader

Downloader

RAR/7z SFX: decoy + payload (no downloader)

\_hashlbi.pyw

\_bsdbd.pyw

\_clypes.pyw

\_elementree.pyw

\_mssi.pyw

\_multiproccessing.pyw

Domain names

Server IPs

Files

machete

Directory actions

More options

Directory actions

More options

Latest commit

History

machete

Folders and files

parent directory

README.adoc

Machete — Indicators of Compromise

Sample hashes

GoogleUpdate.exe

Chrome.exe

GoogleCrash.exe

RAR/7z SFX: config + malicious components

7z SFX: decoy + downloader

RAR SFX: URL config + downloader

Downloader

RAR/7z SFX: decoy + payload (no downloader)

\_hashlbi.pyw

\_bsdbd.pyw

\_clypes.pyw

\_elementree.pyw

\_mssi.pyw

\_multiproccessing.pyw

Domain names

Server IPs