Stresspaint Malware IOCs

One thing that continues to amaze me is that whenever something like this hits the news, the IOCs are limited to the names of the files it drops. Ya know what's even more useful? Hashes. So here are a few I was able to pull.

Note: I seem to be missing DX.exe and update.dll, which were posted here. I'm not sure why I didn't see them drop; perhaps it only happens periodically. If you have them, drop me a message on Twitter.


SHA-256: 4A972D009561EA1960C7E866665979D74506C2D84EB0AD594540366873AB0441
MD5: 4B8AF22DCD9B3F3FD578CF880A8F2C56
SHA-1: 072DE9FEF3A56AC2C601AAFE9221231B7A6D5962


SHA-256: 13654CBE13A3585B28B1B19042A49DA0531A8DB0A93FF7C6D6E52C497F247CDA
MD5: A8347481E8B974E0501429ECF6D1DC08

c:\programdata\sqlite3.dll (not sure whether this one is malicious itself or just a library the malware uses)

SHA-256: 181500371FBBD5F2E47882168FACFB9D017297377FFE53D7E17629792ED03CDB
MD5: B1FB2856008C5493B93F748B670162D2
SHA-1: 3998E7C7EC1B86696F82A6C9E5F979B8DA05AFA7

Win7 x64 -
Win7 x32 -

Relieve_stress_Paint_1.6.exe -
ctfmon -
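Since the point of the post is that hashes beat file names as indicators, here is a small scanner that puts the hashes above to use. This is an added example, not code from the post's author: it hashes every file under a directory in one streaming pass (MD5, SHA-1 and SHA-256 at once, since the post gives all three) and reports anything that matches. The IOC values are copied from the post; the labels, function names (`hash_file`, `match_iocs`, `scan_directory`, `demo`) and the "abc" test file are my own assumptions. The sqlite3.dll hashes are carried with the author's caveat in their label, so a hit on them should be treated as a lead, not a verdict. Keep in mind that exact-hash matching only catches byte-identical copies; a repacked or recompiled build of the same malware will not match.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes copied verbatim from the post above. The post's file-name headings for
# the first two samples did not survive, so they are labelled "unnamed"; the
# sqlite3.dll entry keeps the author's caveat that it may be a benign dependency.
SQLITE_LABEL = "c:\\programdata\\sqlite3.dll (author unsure if malicious)"
STRESSPAINT_IOCS = {
    "sha256": {
        "4A972D009561EA1960C7E866665979D74506C2D84EB0AD594540366873AB0441": "unnamed sample 1",
        "13654CBE13A3585B28B1B19042A49DA0531A8DB0A93FF7C6D6E52C497F247CDA": "unnamed sample 2",
        "181500371FBBD5F2E47882168FACFB9D017297377FFE53D7E17629792ED03CDB": SQLITE_LABEL,
    },
    "md5": {
        "4B8AF22DCD9B3F3FD578CF880A8F2C56": "unnamed sample 1",
        "A8347481E8B974E0501429ECF6D1DC08": "unnamed sample 2",
        "B1FB2856008C5493B93F748B670162D2": SQLITE_LABEL,
    },
    "sha1": {
        "072DE9FEF3A56AC2C601AAFE9221231B7A6D5962": "unnamed sample 1",
        "3998E7C7EC1B86696F82A6C9E5F979B8DA05AFA7": SQLITE_LABEL,
    },
}


def normalise(iocs):
    """Lower-case every digest so lookups don't depend on hex casing."""
    return {alg: {d.lower(): label for d, label in table.items()}
            for alg, table in iocs.items()}


IOC_TABLE = normalise(STRESSPAINT_IOCS)


def hash_file(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of a file in a single streaming pass."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests, table=IOC_TABLE):
    """Return [(algorithm, digest, label)] for every digest present in the table."""
    return [(alg, d, table[alg][d])
            for alg, d in digests.items() if d in table.get(alg, {})]


def scan_directory(root, table=IOC_TABLE):
    """Hash every regular file under root and return {path: matches} for IOC hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            matches = match_iocs(hash_file(path), table)
        except OSError:  # unreadable or vanished file: skip it, don't abort the scan
            continue
        if matches:
            hits[str(path)] = matches
    return hits


def demo(tmp_root=None):
    """Constructed demonstration on a known test-vector file (not a malware sample)."""
    root = tmp_root or tempfile.mkdtemp(prefix="ioc_demo_")
    sample = Path(root) / "abc.bin"
    sample.write_bytes(b"abc")  # standard hash test-vector input, constructed here
    digests = hash_file(sample)
    clean = scan_directory(root)  # no Stresspaint hash matches: {}
    # Treat the file's own sha256 as an IOC to show what a hit looks like.
    fake_table = normalise({"sha256": {digests["sha256"].upper(): "constructed test entry"}})
    hit = scan_directory(root, fake_table)
    return digests, clean, hit


if __name__ == "__main__":
    digests, clean, hit = demo()
    print("digests:", digests)
    print("clean scan:", clean)
    print("forced hit:", hit)
```

To use it on a real host, call `scan_directory(r"C:\ProgramData")` (or whatever path you are triaging) and review the labels on any hits; a match on the sqlite3.dll entry alone is weak evidence without one of the other samples alongside it.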

And some known network connections. These seem to vary, so this may be shared hosting, round-robin DNS, etc. No guarantee of maliciousness. - /

Lastly, the sites that have been hosting it (currently offline?):