FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
Tags
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Powershell - T1086 |
Common Information
Type | Value |
---|---|
UUID | 35d50f44-036a-4099-a151-80d438458f22 |
Fingerprint | 2c3d94124ea8cc51 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 18, 2023, midnight |
Added to db | Aug. 12, 2023, 10:28 a.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware |
Title | FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware |
Detected Hints/Tags/Attributes | 84/2/42 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 99 | ✔ | Cyware News - Latest Cyber News | https://cyware.com/allnews/feed | 2024-08-30 22:08 |
Details | 241 | ✔ | Broadcom Software Blogs | https://symantec-enterprise-blogs.security.com/blogs/rss/v1/blogs/rss.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 339 | | system.net |
Details | Domain | 2 | | 37-10-71-215.nip.io |
Details | Domain | 49 | | wmiexec.py |
Details | Domain | 6 | | api-cdn.net |
Details | Domain | 6 | | git-api.com |
Details | Domain | 6 | | api-cdnw5.net |
Details | Domain | 5 | | 104-168-237-21.sslip.io |
Details | File | 1208 | | powershell.exe |
Details | File | 18 | | 1.ps1 |
Details | File | 45 | | wmiexec.py |
Details | File | 2126 | | cmd.exe |
Details | File | 1 | | shvnc.ps1 |
Details | File | 142 | | wmiprvse.exe |
Details | File | 478 | | lsass.exe |
Details | IPv4 | 1441 | | 127.0.0.1 |
Details | IPv4 | 4 | | 37.10.71.215 |
Details | Threat Actor Identifier - FIN | 68 | | FIN8 |
Details | Threat Actor Identifier - FIN | 377 | | FIN7 |
Details | Url | 2 | | https://37-10-71-215.nip.io:8443/7ea5fa |