General
-
Target
b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8
-
Size
137.8MB
-
Sample
240313-cpnsbsbh37
-
MD5
0ea49cf67d7f137a795d6754c94ed083
-
SHA1
0be02b9e47a31775cc8b3a2d18363346ef0fd053
-
SHA256
b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8
-
SHA512
4034a6c9b2cc682e222eff296109e47d0e6f5b35a3b492b07fdf80fccfaf6a1cebd3b7f21b293947866d5b69c7716e09b595fb4ab086e56f868c5dd28524e50a
-
SSDEEP
3145728:8mi9r/A/MrzSxOsokx8IyfMvNxA0RZmhPcnZW0RlXtdfmhoiT40+6toJlZ4r:8mW/A/uz8dxYq7qJc1zH+2566+
Malware Config
Targets
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28,NATOPAPER,SOFACY2004.bin
-
Size
108KB
-
MD5
7f564a6a8910b513a851b2616af8d7ee
-
SHA1
aade2da992de07c233f4d2711cb4f046984a3783
-
SHA256
1de6d9db409bef73e3585fc08f98b30e2757ec87830e6f84ba85c39210aa962b
-
SHA512
9870a3ac7cd47458aa9f0a6afd9767d19460d93c9c2f20aa5fb2fe6a2ef0e2b7361e2a83d20cd91c105af34184fe3d582b5ce4200f0bea1e780481fe7928e252
-
SSDEEP
1536:DAo8qqfNrkdOoXL60J8s8FGBOO80+yldyVZR/HmD8TK0VGaxkGbANv:DAo8zuFjyFG8x0+ylc7RftTVGOkv
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28DecoyDocument.doc
-
Size
333KB
-
MD5
085be1b8b8f3e90be00f6a3bcea2879f
-
SHA1
cc7607015cd7a1a4452acd3d87adabdd7e005bd7
-
SHA256
c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f
-
SHA512
9d61f7fcf4543ca2e9d282df93fa604a1736a5a50da47e7c66ecaa635465fef61b26c94af5f6204601668e646b6a140f0e248e01ad79fce056b671a3f6d8c6af
-
SSDEEP
6144:yaZ5a2auBso4RCTS8I7Dh4tkX7rETf1I3pS:35a2bBso6qGf7AT9I3pS
Score4/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28DropperExcelDoc.xls
-
Size
1.1MB
-
MD5
5debb3535cba6615526c64e44d0f5e2b
-
SHA1
abaa744d9504c7f23a237f8220ac6a441016d518
-
SHA256
5bac7a020f173d6c35f73d76cd3745a36564dbb3dd32f2d5fc5021c353e76a54
-
SHA512
4435f4deebc2f03c3a5659d1a870699d22fdb52525829373cf3bc0592db04da967e14f1e3f001b1cc0b974f8bddb96887480bcb7f14f3172caba1382866676c0
-
SSDEEP
12288:/bkdb1vJu/xtIIcnIE9A3HfOoV+4qF2KhaLZA6H/EHagqNC9:TkdbVJupvSmHfOoaF2KhaLZTx89
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28Hospital.doc
-
Size
76KB
-
MD5
9b10685b774a783eabfecdb6119a8aa3
-
SHA1
f293a2bfb728060c54efeeb03c5323893b5c80df
-
SHA256
a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
-
SHA512
26a0f0dd37439da543526704b5a689ed9f9317baf357d9a7a4d885855d80b5745a07972da3a1c5b06f39fcbbbff9e94f0729edbdba8963b0dcb8c650addbdc48
-
SSDEEP
1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Registers new Windows logon scripts automatically executed at logon.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28Implant.bin
-
Size
175KB
-
MD5
6e52b4466cf1dcedf82c8f7463114469
-
SHA1
32996f2b03ba76412b3160231352a3f06306c203
-
SHA256
489a1b13b5ec415f24bc4f1b4ed6c6e0bdc50ae95513645a839655bc75d4d9d6
-
SHA512
06c08f1444c1e49aada3dca91573e36321aaa8d94749293bb3b1a569d1d76297089bf22d44106a16f5714e56cff95cfc40b5144c150fc263e058cd37f07534a3
-
SSDEEP
3072:VLz69Ofiiw7n7dMgfIe0/T2Bk3FdEFSwSGSnII3mVt:NZwb7ygU/fFdEFPSnnrmV
Score3/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/APT28wmsApplication.exe
-
Size
192KB
-
MD5
92b90b0208805daaa8ab45fa19d36b14
-
SHA1
657b3e726b56618577f4fb2cbe7c8b7f9bab8dcf
-
SHA256
6f2589be92c2d0fa6050e52fbedb967c2590a8abbc4a9459fb7f78bc52407195
-
SHA512
21290d68aca3ac47e48d9ba04290bf8ac5824fdd6cd29c135aadd6bc138cf3a37782cfbce231dc63fab4ed3343de5ff0766383ee784c07628e3ba23b964a8715
-
SSDEEP
3072:Flnoi11sepXwT57rrr+sjvbGADINlGVSvWej5fe:Po4+eU52qb1DGs6Wk
Score3/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/Backdoor.XTunnel.exe
-
Size
1.8MB
-
MD5
9e7053a4b6c9081220a694ec93211b4e
-
SHA1
f09780ba9eb7f7426f93126bc198292f5106424b
-
SHA256
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
-
SHA512
f231dc71616aa96a5d44bf4ceef8855ca367ba4bfde1fc82af1b383c89699a66c656758fb049cf012a25e3bff82db506e0cdfada87d7d71273eddb1a4ce42bac
-
SSDEEP
24576:JKw4ZZ6rTIBJwqEaxChz52shpktYlecs5ZCo+jlxf1NTfkYJ+nbgEvrZmDxcP+4F:Iw4ZMrTeJKisRki+F8q24eZxtP
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/FancyBearZekapab.bin
-
Size
776KB
-
MD5
1bcf064650aef06d83484d991bdf6750
-
SHA1
fa67e97c52788de5dea0959d455362aa4843eff0
-
SHA256
19be1aedc36a6f7d1fcbd9c689757d3d09b7dad7136b4f419a45e6187f54f772
-
SHA512
03f0c777f26391cadb1e1754e0405f518976390948bd83f8be63897f6127af9dd2ca8cc2297197fd207cf1241d184e9d85e37a5780de1a5e6256e0f7dc4a1bbd
-
SSDEEP
24576:P7AKkolpDEI+UTUqCg5D5WmQW9Ulg/bdG:PblVfP9+gzA
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/FancyBearZekapabImplant.bin
-
Size
785KB
-
MD5
d1755976a6f7e1cbf21132ac4fdcf553
-
SHA1
a4e6f56a67149cd1d96eb03317098188c8f673a1
-
SHA256
963c3bf38e90c2971e6875490e9d2393b9567f5cc3ee5e4c098b988bd2b852c5
-
SHA512
6a58f404feaec1f33b0ce2f0c87eac5939184bc33a069d1f66ee4602715ecbeb8604b9b0af5657eaccff7f97b8b911c6da6484c34aa7628945411e5bc7cbd8a8
-
SSDEEP
12288:9sFTxmLKQENZn8k+UYOHp2hh0nYsuCY2WmQCiDz/jaLRQq36GmXQfBWy:QUOQENik+uQhhUYqWmQCioiowy
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/FancyImplant.bin
-
Size
682KB
-
MD5
2c27f24939144655677bb73d2790d668
-
SHA1
78167e4cfcb96536138a46984f6208c5c7780d2b
-
SHA256
044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126
-
SHA512
3c86f84481678a6b5e58e09394b0e924aff3f33c0e1b7ac66569ef03208140abaec97a7cbbfa161784e53fd1bb08fdf5e347b42a61781d9f9a333d8b24f08d1c
-
SSDEEP
12288:GGrBnWo0y/2n0kEgLYxsboEOEoWlnrCFUVWmQui6PIk21tBN9k:x3g0MLYxsbwPWt+2WmQui6wkQ6
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/LoJaxInfo_EFI.exe
-
Size
334KB
-
MD5
e00216958f15f1db6371b583a3ea438a
-
SHA1
4b9e71615b37aea1eaeb5b1cfa0eee048118ff72
-
SHA256
81e96c07e6c9cb02f72c0943a42ff9f8f09a09c508f8bbaa1142a9ee4f1326cf
-
SHA512
9d46b4fbf26c775929e95e145b390f0d12566e482920f629b342db2aaa37c5a40a789226ecfe51ba0f0b94fce827b9f53180232cda48bae510cce1e3b37bed16
-
SSDEEP
3072:/1sLvFfS/tB4NebyKwhlUHMjIV8JEmoXIpVoJEmoXIpVoJEmoXIpVoJEmoXIpVoW:/qFMtSLKwhAooXzoXzoXzoXzoXzoX
Score8/10-
Drops file in Drivers directory
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/LoJaxSmallAgent.exe
-
Size
17KB
-
MD5
595aff5212df3534fb8af6a587c6038e
-
SHA1
1771e435ba25f9cdfa77168899490d87681f2029
-
SHA256
dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
-
SHA512
281d601178ac8a1e589a3ae8ba0e324b180aa3dde121eee399448beb6752b67c0cf0add7a99913816e23d9985bf9a2b1dee7495ca018f1583cab52b30d7607e0
-
SSDEEP
384:R1Wx2a/j+qDaF400vvnIPxAvDJ1SvAPnXnG1l:R1I2ab+qq400nnIpAN1SvAP36
Score7/10-
Loads dropped DLL
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/LoJaxSmall_AgentDLL.exe
-
Size
17KB
-
MD5
10036063be45f92a9a743425fbf5abc7
-
SHA1
d70db6a6d660aae58ccfc688a2890391fd873bfb
-
SHA256
3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6
-
SHA512
a2fc426489193993e97fe3cedd529f52702c1f0d7a348960cbe5955b173cb8e1b77d117f389afd1db55a8bd33a81a72ceb6088fe5175927921e120f9fea82493
-
SSDEEP
384:x1Wx2a/j+qDaF400vvnIPxAvDJ1SvAPnXnG1l:x1I2ab+qq400nnIpAN1SvAP36
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin
-
Size
131KB
-
MD5
4400ec9c4732a32149ca58e7c5806178
-
SHA1
d9bcd2f745acca38c403dd9131b3d2cdf23c2b3c
-
SHA256
96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3
-
SHA512
fadb351bf1d11c977b62e2b5143ed4afe59cb36918dfc5f259150875992b9e21285e05f3c541b1e6afddb572aa6538a1db0fac984540a3be50dd20982a20606b
-
SSDEEP
1536:mmuG6zRg+/Hfx0X2zTCDsQvGVSzNPMihlv72zVXB6Yjzral1Y:zujRHfxm2zTCgQOg00vKzVXB6YjzK1Y
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/X-AgentTrojan.bin
-
Size
325KB
-
MD5
4fa6cd01571905b9c7c8fc9a359b655e
-
SHA1
46e2957e699fae6de1a212dd98ba4e2bb969497d
-
SHA256
b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6
-
SHA512
186a479db30c2e026ca6cae5ff452e48f9bf38a494c2aa774ef0248a5803704dfed418482650fe972c73069524e28b1d3e1da4cb90ba8fa9ca6779c7a22d1027
-
SSDEEP
6144:XqlcrjJaCmu1DbUZgiKUYhTRiVGr2ud+iDQgTOjORmoQAG:XqlcxavCvUZeUYfiyDQ2Rmo9G
Score1/10 -
-
-
Target
malware-sample-library-master/APT28 FancyBear/Xagent64.bin
-
Size
276KB
-
MD5
cc9e6578a47182a941a478b276320e06
-
SHA1
0b3852ae641df8ada629e245747062f889b26659
-
SHA256
fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5
-
SHA512
6cc6bdd0edd4b14d7f87b6c8a91cb563b7a2b1e6e2d26357b77c50e1c22a451e64a3224e6c8307623e44b626ba47d0c179114bf1137a453ab2f8ae61425a1659
-
SSDEEP
3072:0TrTaRcOsbAZo/DWEx9SYCTfyTcCuUtBwXO1HYF9GQkgYKON4hz46Gyi:+rT4cL/l9lofyTmUtBwX64FgKdhxGy
Score8/10-
Blocklisted process makes network request
-
-
-
Target
malware-sample-library-master/APT28 FancyBear/ZekaAPT28.bin
-
Size
853KB
-
MD5
c6e95fb89df8e84eb21b3ce6b8947ce2
-
SHA1
e3d9ac6aa3d828e75e1d941862b2b1df866cc618
-
SHA256
0320298eea0206b71d12f3a69730bbbec9768c5c323dfe131047f7ba4f4a8868
-
SHA512
7bb209d6caf7031c099311a984684fd2ce8aac57e90eaf795a9cce86f84e0588e35f9f617759a4fd07409d1e9335c08c75c09154feea3aac0ff1bc6a376989b0
-
SSDEEP
24576:C7AKkolpDEI+UTUqCg5D5WmQW9Ulg/oSG:CblVfP9+gQr
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1Logon Script (Windows)
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1Logon Script (Windows)
1