FROM WIPER TO RANSOMWARE: THE EVOLUTION OF AGRIUS
Common Information
Type Value
UUID 1231f786-c032-47f6-a890-a00d6470d63a
Fingerprint 229926180ced4acfd21c9088e2e79ac96c8e0f19627d3db799b92d4cf1431034
Analysis status DONE
Considered CTI value 2
Text language
Published May 25, 2021, 10:28 a.m.
Added to db April 14, 2024, 9:12 a.m.
Last updated Aug. 31, 2024, 7 a.m.
Headline FROM WIPER TO RANSOMWARE: THE EVOLUTION OF AGRIUS
Title FROM WIPER TO RANSOMWARE: THE EVOLUTION OF AGRIUS
Detected Hints/Tags/Attributes 128/3/120
Attributes
Details Type #Events CTI Value
Details CVE 150
cve-2018-13379
Details Threat Actor Identifier - APT 181
APT33
Details Yara rule 1
rule Agrius_Webshells {
	meta:
		description = "Detects variations of webshells used by Agrius"
		author = "Amitai B @ SentinelOne"
		version = "1.0"
		TLP = "White"
		last_modified = "2021-05-11"
	strings:
		$s1 = "public string base64ToStr(string instr)"
		$s2 = "Process prcsss=new Process()"
		$s3 = "<form id=\"PRIVATECode\" runat=\"server\">"
	condition:
		(filesize > 1KB and filesize < 150KB and any of them)
}
Details Yara rule 1
rule Agrius_Function_Names {
	meta:
		description = "Detects malware used by Agrius threat actor based on unique function names"
		author = "Amitai B @ SentinelOne"
		version = "1.0"
		TLP = "White"
		last_modified = "2021-05-11"
	strings:
		$s1 = "GetWindowsTempPath"
		$s2 = "GetCurrentProcess"
		$s3 = "GetOwnPath"
		$s4 = "PublicFunction"
		$s5 = "SelfDelete"
		$s6 = "IsFirstInstance"
	condition:
		(filesize > 1KB and filesize < 300KB and 3 of ($s*))
}