13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

General
Target

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

Size

2MB

Sample

220320-lref4sbghm

Score
10 /10
MD5

7f6060451f81564336bd5d9e5c95797a

SHA1

70c756af084d013e703d5e1c0f561eea6cb2f781

SHA256

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

SHA512

c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

Malware Config

Extracted

Path C:\Users\Admin\Desktop\sample.txt
Family ryuk
Ransom Note
%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"553f5c1e-a363-4b45-8eac-425444a78b00","type":"vulnerability","category":"External analysis","value":"CVE-2019-1003029","comment":"A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier","description":"","mitre_techniques":[],"campaigns":[{"id":"6f03a212-a5c5-4146-ac93-b57af6ebcf57","name":"Multiple Vulnerabilities And Tactics Used To Spread Capoae Malware","description":"The Capoae malicious software exploited multiple vulnerabilities and used weak credentials to attack Oracle WebLogic, ThinkPHP, WordPress, and Jenkins servers. Web shells, port scanners, and XMRig mining software were dropped onto the infected systems to mine for digital currency and find additional devices to infect. The malware maintained persistence by adding an entry to crontab and adding a public key into the SSH authorized_keys file. \r\n\r\nMcAfee’s ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Akamai Technologies and shared publicly https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"55459d45-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"5548bf24-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554c1128-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554f1351-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to
Emails

\"github@eset.com\"

\"cdoman@cadosecurity.com\"\r\n

URLs

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-07-16T21:00:52.000Z","external_analysis":{"links":["https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211","https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211"]},"is_coat":0,"created_on":"2021-07-16T21:00:52.000Z"}]},{"id":"55521ab5-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","threat_level_id":1,"kb_article_link":null,"coverage":{"dat_version":{"min":4695}},"updated_on":"2022-03-10T22:12:48.000Z","external_analysis":{"links":["https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html"]},"is_coat":1,"created_on":"2022-01-25T16:59:37.000Z"}]},{"id":"55587287-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://unit42.paloaltonetworks.com/bazarloader-malware/.","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95149","coverage":{"dat_version":{"min":4458}},"updated_on":"2022-02-21T18:23:50.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/bazarloader-malware/"]},"is_coat":1,"created_on":"2021-05-21T19:46:56.000Z"}]},{"id":"555b74bd-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

Extracted

Path C:\Users\Admin\Desktop\try.txt
Family ryuk
Ransom Note
%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"553f5c1e-a363-4b45-8eac-425444a78b00","type":"vulnerability","category":"External analysis","value":"CVE-2019-1003029","comment":"A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier","description":"","mitre_techniques":[],"campaigns":[{"id":"6f03a212-a5c5-4146-ac93-b57af6ebcf57","name":"Multiple Vulnerabilities And Tactics Used To Spread Capoae Malware","description":"The Capoae malicious software exploited multiple vulnerabilities and used weak credentials to attack Oracle WebLogic, ThinkPHP, WordPress, and Jenkins servers. Web shells, port scanners, and XMRig mining software were dropped onto the infected systems to mine for digital currency and find additional devices to infect. The malware maintained persistence by adding an entry to crontab and adding a public key into the SSH authorized_keys file. \r\n\r\nMcAfee�s ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Akamai Technologies and shared publicly https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"55459d45-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"5548bf24-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554c1128-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554f1351-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to
Emails

\"github@eset.com\"

\"cdoman@cadosecurity.com\"\r\n

URLs

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-07-16T21:00:52.000Z","external_analysis":{"links":["https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211","https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211"]},"is_coat":0,"created_on":"2021-07-16T21:00:52.000Z"}]},{"id":"55521ab5-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","threat_level_id":1,"kb_article_link":null,"coverage":{"dat_version":{"min":4695}},"updated_on":"2022-03-10T22:12:48.000Z","external_analysis":{"links":["https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html"]},"is_coat":1,"created_on":"2022-01-25T16:59:37.000Z"}]},{"id":"55587287-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://unit42.paloaltonetworks.com/bazarloader-malware/.","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95149","coverage":{"dat_version":{"min":4458}},"updated_on":"2022-02-21T18:23:50.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/bazarloader-malware/"]},"is_coat":1,"created_on":"2021-05-21T19:46:56.000Z"}]},{"id":"555b74bd-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://unit42.paloaltonetworks.com/bazarloader-malware/.","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95149","coverage":{"dat_version":{"min":4458}},"updated_on":"2022-02-21T18:23:50.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/bazarloader-malware/"]},"is_coat":1,"created_on":"2021-05-21T19:46:56.000Z"}]},{"id":"556b77d0-82d6-48e3-bc24-e19274b7298a","type":"yara","category":"Payload

https://github.com/Neo23x0/signature-base/blob/master/LICENSE\"\r\n\t\tauthor

https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-23T21:08:39.000Z","external_analysis":{"links":["https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html"]},"is_coat":0,"created_on":"2021-09-23T05:08:48.000Z"}]},{"id":"5572c500-4fb6-4ecf-b438-558cefa2a0f1","type":"yara","category":"Payload

https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-07-30T21:00:36.000Z","external_analysis":{"links":["https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/","https://github.com/craiu/iocs/blob/main/lemonduck/hashes.txt","https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/"]},"is_coat":0,"created_on":"2021-07-28T21:00:44.000Z"}]},{"id":"5600d974-8c73-4140-895d-664d35e4d812","type":"vulnerability","category":"External

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-10-20T21:08:42.000Z","external_analysis":{"links":["https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html#more"]},"is_coat":0,"created_on":"2021-10-20T21:08:42.000Z"}]},{"id":"5619e328-4e9c-4ed5-a95a-d627e0def0eb","type":"command-line","category":"Other","value":"\"CSIDL_SYSTEM\\wscript.exe\"

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2022-03-10T20:06:17.000Z","external_analysis":{"links":["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"]},"is_coat":0,"created_on":"2022-02-01T06:14:49.000Z"}]},{"id":"56223e89-06ec-40a4-a152-24e10b3bbe8e","type":"command-line","category":"Other","value":"curl

http://45.9.148[.]182/bin/bot/chimera.cc

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-10-19T21:08:39.000Z","external_analysis":{"links":["https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools","https://securityaffairs.co/wordpress/123535/cyber-crime/teamtnt-docker-attack.html"]},"is_coat":0,"created_on":"2021-10-08T21:08:42.000Z"}]},{"id":"5625cca8-c8ea-4a20-8770-2cd1da012ec9","type":"yara","category":"Payload

https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html\nlogsource:\n

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n

https://blog.talosintelligence.com/2017/05/wannacry.html\n

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n

https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\n

https://github.com/Neo23x0/Raccine#the-process\n

https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\ntags:\n

https://decoded.avast.io/anhho/blustealer/","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95191","coverage":{"dat_version":{"min":4582}},"updated_on":"2022-02-21T19:15:54.000Z","external_analysis":{"links":["https://decoded.avast.io/anhho/blustealer/"]},"is_coat":1,"created_on":"2021-09-23T21:08:42.000Z"}]},{"id":"5648773d-ce03-4ff6-8065-824153ab8dae","type":"vulnerability","category":"External

https://unit42.paloaltonetworks.com/sockdetour/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2022-03-16T11:37:40.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/sockdetour/"]},"is_coat":1,"created_on":"2022-02-25T06:12:05.000Z"}]},{"id":"564c3854-5a70-4a6b-a659-c409bbdcd96a","type":"sigma","category":"Payload

https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\r\nauthor

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-10-04T21:08:42.000Z","external_analysis":{"links":["https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/"]},"is_coat":0,"created_on":"2021-10-04T21:08:42.000Z"}]},{"id":"5665bbd5-45bf-447a-8fa5-09101fe3ad10","type":"command-line","category":"Other","value":"cmd

https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":4706}},"updated_on":"2022-02-24T17:21:43.000Z","external_analysis":{"links":["https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/"]},"is_coat":1,"created_on":"2022-02-17T22:13:42.000Z"}]},{"id":"5683dc9a-1bd6-42e0-ba0f-48545f63ac92","type":"sigma","category":"Payload

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor

https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":4687}},"updated_on":"2022-03-09T12:19:32.000Z","external_analysis":{"links":["https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"]},"is_coa

Extracted

Path C:\Users\Admin\AppData\Local\Temp\708_264607501\english_wikipedia.txt
Family prometheus
Ransom Note
the of and in was is for as on with by he at from his an were are which doc https also or has had first one their its after new who they two her she been other when time during there into school more may years over only year most would world city some where between later three state such then national used made known under many university united while part season team these american than film second born south became states war through being including both before north high however people family early history album area them series against until since district county name work life group music following number company several four called played released career league game government house each based day same won use station club international town located population general college east found age march end september began home public church line june river member system place century band july york january october song august best former british party named held village show local november took service december built another major within along members five single due although small old left final large include building served president received games death february main third set children own order species park law air published road died book men women army often according education central country division english top included development french community among water play side list times near late form original different center power led students german moved court six land council island u.s. record million research art established award street military television given region support western production non political point cup period business title started various election using england role produced become program works field total office class written association radio union level championship director few force created department founded services married though per n't site open act short society version royal present northern worked professional full returned joined story france european currently language social california india days design st. further round australia wrote san project control southern railway board popular continued free battle considered video common position living half playing recorded red post described average records special modern appeared announced areas rock release elected others example term opened similar formed route census current schools originally lake developed race himself forces addition information upon province match event songs result events win eastern track lead teams science human construction minister germany awards available throughout training style body museum australian health seven signed chief eventually appointed sea centre debut tour points media light range character across features families largest indian network less performance players refer europe sold festival usually taken despite designed committee process return official episode institute stage followed performed japanese personal thus arts space low months includes china study middle magazine leading japan groups aircraft featured federal civil rights model coach canadian books remained eight type independent completed capital academy instead kingdom organization countries studies competition sports size above section finished gold involved reported management systems industry directed market fourth movement technology bank ground campaign base lower sent rather added provided coast grand historic valley conference bridge winning approximately films chinese awarded degree russian shows native female replaced municipality square studio medical data african successful mid bay attack previous operations spanish theatre student republic beginning provide ship primary owned writing tournament culture introduced texas related natural parts governor reached ireland units senior decided italian whose higher africa standard income professor placed regional los buildings championships active novel energy generally interest via economic previously stated itself channel below operation leader traditional trade structure limited runs prior regular famous saint navy foreign listed artist catholic airport results parliament collection unit officer goal attended command staff commission lived location plays commercial places foundation significant older medal self scored companies highway activities programs wide musical notable library numerous paris towards individual allowed plant property annual contract whom highest initially required earlier assembly artists rural seat practice defeated ended soviet length spent manager press associated author issues additional characters lord zealand policy engine township noted historical complete financial religious mission contains nine recent represented pennsylvania administration opening secretary lines report executive youth closed theory writer italy angeles appearance feature queen launched legal terms entered issue edition singer greek majority background source anti cultural complex changes recording stadium islands operated particularly basketball month uses port castle mostly names fort selected increased status earth subsequently pacific cover variety certain goals remains upper congress becoming studied irish nature particular loss caused chart dr. forced create era retired material review rate singles referred larger individuals shown provides products speed democratic poland parish olympics cities themselves temple wing genus households serving cost wales stations passed supported view cases forms actor male matches males stars tracks females administrative median effect biography train engineering camp offered chairman houses mainly 19th surface therefore nearly score ancient subject prime seasons claimed experience specific jewish failed overall believed plot troops greater spain consists broadcast heavy increase raised separate campus 1980s appears presented lies composed recently influence fifth nations creek references elections britain double cast meaning earned carried producer latter housing brothers attempt article response border remaining nearby direct ships value workers politician academic label 1970s commander rule fellow residents authority editor transport dutch projects responsible covered territory flight races defense tower emperor albums facilities daily stories assistant managed primarily quality function proposed distribution conditions prize journal code vice newspaper corps highly constructed mayor critical secondary corporation rugby regiment ohio appearances serve allow nation multiple discovered directly scene levels growth elements acquired 1990s officers physical 20th latin host jersey graduated arrived issued literature metal estate vote immediately quickly asian competed extended produce urban 1960s promoted contemporary global formerly appear industrial types opera ministry soldiers commonly mass formation smaller typically drama shortly density senate effects iran polish prominent naval settlement divided basis republican languages distance treatment continue product mile sources footballer format clubs leadership initial offers operating avenue officially columbia grade squadron fleet percent farm leaders agreement likely equipment website mount grew method transferred intended renamed iron asia reserve capacity politics widely activity advanced relations scottish dedicated crew founder episodes lack amount build efforts concept follows ordered leaves positive economy entertainment affairs memorial ability illinois communities color text railroad scientific focus comedy serves exchange environment cars direction organized firm description agency analysis purpose destroyed reception planned revealed infantry architecture growing featuring household candidate removed situated models knowledge solo technical organizations assigned conducted participated largely purchased register gained combined headquarters adopted potential protection scale approach spread independence mountains titled geography applied safety mixed accepted continues captured rail defeat principal recognized lieutenant mentioned semi owner joint liberal actress traffic creation basic notes unique supreme declared simply plants sales massachusetts designated parties jazz compared becomes resources titles concert learning remain teaching versions content alongside revolution sons block premier impact champions districts generation estimated volume image sites account roles sport quarter providing zone yard scoring classes presence performances representatives hosted split taught origin olympic claims critics facility occurred suffered municipal damage defined resulted respectively expanded platform draft opposition expected educational ontario climate reports atlantic surrounding performing reduced ranked allows birth nominated younger newly kong positions theater philadelphia heritage finals disease sixth laws reviews constitution tradition swedish theme fiction rome medicine trains resulting existing deputy environmental labour classical develop fans granted receive alternative begins nuclear fame buried connected identified palace falls letters combat sciences effort villages inspired regions towns conservative chosen animals labor attacks materials yards steel representative orchestra peak entitled officials returning reference northwest imperial convention examples ocean publication painting subsequent frequently religion brigade fully sides acts cemetery relatively oldest suggested succeeded achieved application programme cells votes promotion graduate armed supply flying communist figures literary netherlands korea worldwide citizens 1950s faculty draw stock seats occupied methods unknown articles claim holds authorities audience sweden interview obtained covers settled transfer marked allowing funding challenge southeast unlike crown rise portion transportation sector phase properties edge tropical standards institutions philosophy legislative hills brand fund conflict unable founding refused attempts metres permanent starring applications creating effective aired extensive employed enemy expansion billboard rank battalion multi vehicle fought alliance category perform federation poetry bronze bands entry vehicles bureau maximum billion trees intelligence greatest screen refers commissioned gallery injury confirmed setting treaty adult americans broadcasting supporting pilot mobile writers programming existence squad minnesota copies korean provincial sets defence offices agricultural internal core northeast retirement factory actions prevent communications ending weekly containing functions attempted interior weight bowl recognition incorporated increasing ultimately documentary derived attacked lyrics mexican external churches centuries metropolitan selling opposed personnel mill visited presidential roads pieces norwegian controlled 18th rear influenced wrestling weapons launch composer locations developing circuit specifically studios shared canal wisconsin publishing approved domestic consisted determined comic establishment exhibition southwest fuel electronic cape converted educated melbourne hits wins producing norway slightly occur surname identity represent constituency funds proved links structures athletic birds contest users poet institution display receiving rare contained guns motion piano temperature publications passenger contributed toward cathedral inhabitants architect exist athletics muslim courses abandoned signal successfully disambiguation tennessee dynasty heavily maryland jews representing budget weather missouri introduction faced pair chapel reform height vietnam occurs motor cambridge lands focused sought patients shape invasion chemical importance communication selection regarding homes voivodeship maintained borough failure aged passing agriculture oregon teachers flow philippines trail seventh portuguese resistance reaching negative fashion scheduled downtown universities trained skills scenes views notably typical incident candidates engines decades composition commune chain inc. austria sale values employees chamber regarded winners registered task investment colonial swiss user entirely flag stores closely entrance laid journalist coal equal causes turkish quebec techniques promote junction easily dates kentucky singapore residence violence advance survey humans expressed passes streets distinguished qualified folk establish egypt artillery visual improved actual finishing medium protein switzerland productions operate poverty neighborhood organisation consisting consecutive sections partnership extension reaction factor costs bodies device ethnic racial flat objects chapter improve musicians courts controversy membership merged wars expedition interests arab comics gain describes mining bachelor crisis joining decade 1930s distributed habitat routes arena cycle divisions briefly vocals directors degrees object recordings installed adjacent demand voted causing businesses ruled grounds starred drawn opposite stands formal operates persons counties compete wave israeli ncaa resigned brief greece combination demographics historian contain commonwealth musician collected argued louisiana session cabinet parliamentary electoral loan profit regularly conservation islamic purchase 17th charts residential earliest designs paintings survived moth items goods grey anniversary criticism images discovery observed underground progress additionally participate thousands reduce elementary owners stating iraq resolution capture tank rooms hollywood finance queensland reign maintain iowa landing broad outstanding circle path manufacturing assistance sequence gmina crossing leads universal shaped kings attached medieval ages metro colony affected scholars oklahoma coastal soundtrack painted attend definition meanwhile purposes trophy require marketing popularity cable mathematics mississippi represents scheme appeal distinct factors acid subjects roughly terminal economics senator diocese prix contrast argentina czech wings relief stages duties 16th novels accused whilst equivalent charged measure documents couples request danish defensive guide devices statistics credited tries passengers allied frame puerto peninsula concluded instruments wounded differences associate forests afterwards replace requirements aviation solution offensive ownership inner legislation hungarian contributions actors translated denmark steam depending aspects assumed injured severe admitted determine shore technique arrival measures translation debuted delivered returns rejected separated visitors damaged storage accompanied markets industries losses gulf charter strategy corporate socialist somewhat significantly physics mounted satellite experienced constant relative pattern restored belgium connecticut partners harvard retained networks protected mode artistic parallel collaboration debate involving journey linked salt authors components context occupation requires occasionally policies tamil ottoman revolutionary hungary poem versus gardens amongst audio makeup frequency meters orthodox continuing suggests legislature coalition guitarist eighth classification practices soil tokyo instance limit coverage considerable ranking colleges cavalry centers daughters twin equipped broadway narrow hosts rates domain boundary arranged 12th whereas brazilian forming rating strategic competitions trading covering baltimore commissioner infrastructure origins replacement praised disc collections expression ukraine driven edited austrian solar ensure premiered successor wooden operational hispanic concerns rapid prisoners childhood meets influential tunnel employment tribe qualifying adapted temporary celebrated appearing increasingly depression adults cinema entering laboratory script flows romania accounts fictional pittsburgh achieve monastery franchise formally tools newspapers revival sponsored processes vienna springs missions classified 13th annually branches lakes gender manner advertising normally maintenance adding characteristics integrated decline modified strongly critic victims malaysia arkansas nazi restoration powered monument hundreds depth 15th controversial admiral criticized brick honorary initiative output visiting birmingham progressive existed carbon 1920s credits colour rising hence defeating s
URLs

https

http

Targets
Target

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

MD5

7f6060451f81564336bd5d9e5c95797a

Filesize

2MB

Score
10/10
SHA1

70c756af084d013e703d5e1c0f561eea6cb2f781

SHA256

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

SHA512

c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

Tags

Signatures

  • Prometheus Ransomware

    Description

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    Tags

  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    Tags

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Tasks

                  static1

                  5/10