Doge Big Balls Ransomware Edward Coristine
Common Information
Type Value
UUID 1bb5f268-d231-427e-8a73-984d7b7fdd1d
Fingerprint b40788121537bac2
Analysis status DONE
Considered CTI value 2
Text language
Published April 14, 2025, 8:58 a.m.
Added to db April 14, 2025, 3:38 p.m.
Last updated April 18, 2025, 3:11 a.m.
Headline DOGE “Big Balls” Ransomware and the False Connection to Edward Coristine
Title Doge Big Balls Ransomware Edward Coristine
Detected Hints/Tags/Attributes 127/3/58
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 98 Cyble https://cyble.com/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details CVE 16
cve-2015-2291
Details Domain 37
wigle.net
Details Domain 3
adjustment.zip
Details Domain 1
hilarious-trifle-d9182e.netlify.app
Details Domain 9
netlify.app
Details Domain 1
api.wigle.net
Details File 3
adjustment.zip
Details File 2
adjustment.pdf
Details File 2
stage1.ps1
Details File 1
cwiper.exe
Details File 21
acrobat.exe
Details File 3
ktool.exe
Details File 2
lootsubmit.ps1
Details File 1
ransomnote.txt
Details File 4
dbglog.sys
Details File 469
readme.txt
Details File 390
vssadmin.exe
Details File 5
iqvw64e.sys
Details File 49
x64.dll
Details File 10
iqvw64.sys
Details MITRE ATT&CK Techniques 518
T1566
Details MITRE ATT&CK Techniques 607
T1059.001
Details MITRE ATT&CK Techniques 501
T1547.001
Details MITRE ATT&CK Techniques 53
T1134.001
Details MITRE ATT&CK Techniques 263
T1068
Details MITRE ATT&CK Techniques 752
T1027
Details MITRE ATT&CK Techniques 82
T1218.005
Details MITRE ATT&CK Techniques 1143
T1082
Details MITRE ATT&CK Techniques 297
T1016
Details MITRE ATT&CK Techniques 64
T1614
Details MITRE ATT&CK Techniques 604
T1005
Details MITRE ATT&CK Techniques 589
T1105
Details MITRE ATT&CK Techniques 599
T1486
Details MITRE ATT&CK Techniques 336
T1490