“Red October”. Detailed Malware Description 3. Second Stage of Attack
Common Information

UUID:                          3f0aeab1-9d3c-46d8-85c9-24945ac88994
Fingerprint:                   b42e2c5a65a7a39c
Analysis status:               DONE
Considered CTI value:          2
Text language:
Published:                     Jan. 17, 2013, 4:07 p.m.
Added to db:                   Jan. 16, 2023, 4:58 p.m.
Last updated:                  Nov. 17, 2024, 10:40 p.m.
Headline:                      “Red October”. Detailed Malware Description 3. Second Stage of Attack
Title:                         “Red October”. Detailed Malware Description 3. Second Stage of Attack
Detected Hints/Tags/Attributes: 88/3/147
Attributes (one row per attribute: Type, #Events, Value; the CTI Value column is empty for every entry)

Type                  #Events  Value
Domain                246      mail.ru
Domain                1        access.in
Domain                1        file.here
Domain                2        www.mail.ru
Domain                116      command.com
Email                 1        key[000#victim@mail.ru
Email                 1        000#victim@mail.ru
File                  1        %appdata%mraupdatever.txt
File                  7        ver.txt
File                  1        avp2.log
File                  1        mslog.tmp
File                  2        avp.log
File                  18       pstorec.dll
File                  2126     cmd.exe
File                  1        smrdprev.tmp
File                  1        samhash_2_20121002_034519.txt
File                  2        msc.bat
File                  1        system32ocxms.dat
File                  1        winocx_%integercounter%_rdtp.tmp
File                  1        syspart.bat
File                  1        %d%d.tmp
File                  1        sec%.txt
File                  1        jusched32s.dat
File                  1        filejusched32s.dat
File                  1        mso.dat
File                  3        %d.tmp
File                  1        0x1f3e231.tmp
File                  1        %d.eml
File                  1        igfxtrayms.exe
File                  1        imapisync32.dat
File                  409      c:\windows\system32\cmd.exe
File                  1        %path_to_dropper.exe
File                  1        c:\wusb.exe
File                  1        ms32jxtr.dat
File                  1        wmilibrt.dat
File                  1        nt.config
File                  2        keylogger.log
File                  1122     svchost.exe
File                  1        ssdtrbsx%.sys
md5                   1        7b669c32e6ee2c65bec5e09024fc5415
md5                   1        b7327bfa4a101a21f0cc1b366aa8e107
md5                   1        a39fa7340b2f1d7b42342b3e2f06df71
md5                   1        cd170625655424149573c88c59716cc4
md5                   1        f60436b984962e741b81720ea604ad27
md5                   1        2cf23cd8a7f85529576ba6c759f8cf37
md5                   1        9bb32272be87a4dde8c8b05f49ded9f7
md5                   1        ed72b6150e9fbc8f71e61dfea682a303
md5                   1        f6e1637e04b33a3e0c57ab355d3e677e
md5                   1        fa66821fd895b3814e501b804176ef98
md5                   1        3538fea2c2f9a7117a6a919c87112731
md5                   1        a008d1ec659c3758e95bc3f0aafbe3a5
md5                   1        68d72e12c402038195175b568b3dd0bb
md5                   1        4b62cc78508b46d74cdd172dc493ec8a
md5                   1        09e75477e03a968eead17a28d8aef0ce
md5                   1        10603f7ec89c3472b238e9342f5ba62b
md5                   1        C196e32764dc698bb88714adfb874667
md5                   1        0fe600e06a69ccebbb5baf6c9f5f51a6
md5                   1        c3a50d78669cd58b2cd4e38e30c1e986
md5                   1        298c4562c8463bed3039ff2d12669adc
md5                   1        1f91b25d0893d4e1b0418ffeb21f1f03
md5                   1        521b45d21b4b2fc48f7ab29ab222d6ee
md5                   1        7883b174ce69ffed41d3aea54855ff97
md5                   1        3975b42d9bb39741e988f78020edeb44
md5                   1        224c382316be4be7e0009f08b84cd91e
md5                   1        100e53ee8fbeb4546b31eb7e0aad8752
md5                   1        b9568a91d6f6b0904de8b2e9d9a2d32c
md5                   1        f0eaec0b25afc24a416810fe46242590
md5                   1        865ba7958efe7e54501dcf2c19dcd99e
md5                   1        9572cc04fd442027cfd61178bdf73c0c
md5                   1        feba0bbead1a810c223cf8252b529d65
md5                   1        4aabfd510ef66e066946087617638090
md5                   1        1d124d06666cfa6b33768f1147208b9c
md5                   1        260ad160972ca6bc071b7cb518a9b5fa
md5                   1        ab72d7ed99c3c18f2582b6e9cd5ec875
md5                   1        ef6751567cbf7c92cd3880fc7aa425c9
md5                   1        56c06123e34dcc8a8e464da9acd852bb
md5                   1        a6d549d7c90c412a20fc9e7abc829eb5
md5                   1        be6f3c214d2a579728fc3537c6454f8c
md5                   1        0883d6533aa4fb0e40a6e48a66ea84d4
md5                   1        c3e70e9b50cd3f6cfcd0ac75a60b3464
md5                   1        75b824c5a6a9b950ccbdaee577fe964b
md5                   1        9bb26fb5179db8515cdc81cb9f40387d
md5                   1        d9851c67bfeec5cc37db99be07061857
md5                   1        07999110cab8c6558be11684d2c02793
md5                   1        9d5bb8f9441d31148bf4f190e27764cc
md5                   1        ecd7bec9522e64df7b179b512e71c154
md5                   1        5e215b9272e4a0ff0d9725ac94bd1541
md5                   1        9a9dbd2a398fda91167169b0866047d1
md5                   1        4355f29680630980cf732e46306a39ce
md5                   1        d4d959bffa33b0e3076421a02e69f13b
md5                   1        f2bb34acdebcbbd335e6cc2816a0c5f0
md5                   1        ca25ca44ef0106c4080415f1c2090400
md5                   1        83ee5deb488d58d924134781e76c416c
md5                   1        9aa8f3ed12ef1003d24c771af69879f8
md5                   1        19cc111e41d804f20e5f65c6d0a48953
md5                   1        acfc7040304b19422ba0a1278b4d9c48
md5                   1        a515279eee527f7d20f82ef673308151
md5                   1        51d5f5a5c7de6a175e269236c2c574b0
md5                   1        bbe23b8baec0afbd54154820f4a9d7ea
md5                   1        6abd3d906ebd0e6bf4fb8d00273fdc66
md5                   1        b9114882ed3a184f8a58284f3fe57cb0
md5                   1        657f0f4f6183cd2e87fdfd8a88f927c9
md5                   1        900ab792a9dc9ae35c821cce98164d81
md5                   1        18bd71030b18f3bc93d08b650ae0d43d
md5                   1        187adc0380142c61224c53eac9a70955
md5                   1        78f2c84fefe80bc84361c40d2bbd0501
md5                   1        b2c60688dc2de4dd4de1f393ae59e317
md5                   1        3b4125c8dc55ae54fa244a8fdcea8bc9
md5                   1        760333093fbcc38f6b8d7e1667d192b8
md5                   1        ffd4096c5d2a2a4801ac6e8ab250a0d0
md5                   1        92b6b580f1d2e5409a6feb5c8883de2b
md5                   1        daf244aacbac081693b914a4a1486fa5
md5                   1        2b08ae138fd27ba62b7ea1e35d38b56f
md5                   1        48c4e2386cbae6a71b4eccab21ead6e5
md5                   1        a39636c2fb253ae9ff7b7c0294abf8ac
md5                   1        f27870dd7bfa952636850a76205f4ba3
md5                   1        c64343fad7c1f98a8342bd29829fcdf1
md5                   1        58fbcf7d9146eba51c22e91bdf7128d0
md5                   1        5c563e849ec86a542daf492b31dde2bb
md5                   1        4c205fc9c7dbd95316f9ed5aafa34712
md5                   1        b0e2f3c972477e750d5adbed3650ae81
md5                   1        33bda0e77b840809e66e12d020e054c5
md5                   1        3cb7318ed40239f7219d86343a17b54b
md5                   1        dfcce19f2852db652071088bf9461b4a
md5                   1        6079a0746e76c1090dc110e08de645e2
md5                   1        57897c997c699135b9460c0be7a4b27e
md5                   1        ecc7a5ef3f5e92f0c7da0bef8d392b5f
Windows Registry Key  1        HKCUSoftwareMail.RuAgentmagent_logins
Windows Registry Key  1        HKCUSoftwareMail.RuAgentmagent_logins2
Windows Registry Key  1        HKCUSoftwareMail.RuAgentmagent_logins3
Windows Registry Key  22       HKCU\Software\Microsoft\Internet
Windows Registry Key  3        HKCU\Software\Microsoft\Office\Outlook\OMI
Windows Registry Key  31       HKCU\Software\Microsoft\Windows
Windows Registry Key  1        HKCU\Subsystem\Profiles\Microsoft\Outlook
Windows Registry Key  1        HKCU\Software\Microsoft\ADOSoftware32\ProductID
Windows Registry Key  1        HKLM\Software\Microsoft\ADOSoftware32\ProductID
Windows Registry Key  4        HKLM\SOFTWARE\Microsoft\Internet
Windows Registry Key  1        HKCR\HTTP\shell\open\command
Windows Registry Key  1        HKCR\https\shell\open\command
Windows Registry Key  1        HKCR\htmlfile\shell\open\command
Windows Registry Key  1        HKCR\mailto\shell\open\command
Windows Registry Key  41       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key  112      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key  1        HKLM\SOFTWARE\Microsoft\ADOSoftware32
Windows Registry Key  1        HKCU\SOFTWARE\Microsoft\ADOSoftware32
Windows Registry Key  1        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon32rt
Windows Registry Key  1        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winns32comp