Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Common Information
UUID: 15e68f6e-abc4-41d5-96c1-ff6c3a4810b2
Fingerprint: 842b190b1135a329
Analysis status: DONE
Considered CTI value: 0
Text language:
Published: Oct. 22, 2024, 11:30 a.m.
Added to db: Oct. 22, 2024, 1:52 p.m.
Last updated: Nov. 17, 2024, 6:55 p.m.
Headline: Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Title: Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Detected Hints/Tags/Attributes: 83/4/32
RSS Feed
Id: 158
Enabled:
Feed title: Malware Analysis, News and Indicators - Latest topics
Url: https://malware.news/latest.rss
Added to db: 2024-08-30 22:08
Attributes