Stresspaint Malware IOC's

One thing that continues to amaze me is that anytime something like this hits the news, IOC's are limited to what files (by name) it drops. Ya know what's even more useful? Hashes, hashes are more useful. So here's a few I was able to pull.

Note: I seem to be missing DX.exe and update.dll that were posted here. I'm not sure why I didn't see these drop, perhaps it's only periodically. If you have them, drop me a message on Twitter.

relieve_stress_paint_1.6.exe

SHA-256: 4A972D009561EA1960C7E866665979D74506C2D84EB0AD594540366873AB0441
MD5: 4B8AF22DCD9B3F3FD578CF880A8F2C56
SHA-1: 072DE9FEF3A56AC2C601AAFE9221231B7A6D5962

c:\programdata\ctfmon.exe

SHA-256: 13654CBE13A3585B28B1B19042A49DA0531A8DB0A93FF7C6D6E52C497F247CDA
MD5: A8347481E8B974E0501429ECF6D1DC08
SHA-1: A3D134AEEC18E66ECDDEB3B2F27A5315D28FDC7E

c:\programdata\sqlite3.dll (not sure if malicious, or just used by)

SHA-256: 181500371FBBD5F2E47882168FACFB9D017297377FFE53D7E17629792ED03CDB
MD5: B1FB2856008C5493B93F748B670162D2
SHA-1: 3998E7C7EC1B86696F82A6C9E5F979B8DA05AFA7

And Hybrid-Analysis links:

Win7 x64 - https://www.hybrid-analysis.com/sample/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/5ad8906b7ca3e116860b7c33
Win7 x32 - https://www.hybrid-analysis.com/sample/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/5ad8958d7ca3e1200b3a2663

Virus Total links:

Relieve_stress_Paint_1.6.exe - https://www.virustotal.com/en/file/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/analysis/#comments
ctfmon - https://www.virustotal.com/en/file/13654cbe13a3585b28b1b19042a49da0531a8db0a93ff7c6d6e52c497f247cda/analysis/

And some known network connections. These seem to vary, so this may be shared hosting, round-robbining, etc. No garentee of maliciousness.

179.60.195.36
185.60.216.35
187.60.195.17
207.148.118.18 - count.homepagetools.online / 207.148.118.18.vultr.com
31.13.65.17
31.13.65.36

Lastly, the sites that have been hosting it

xn--p1aca6f.com
xn--80a2a18a.net (currently offline?)