SQL Brute Force Leads to BlueSky Ransomware
Common Information
Type Value
UUID 4286b394-c212-4437-8f9d-85c124f304d9
Fingerprint 8306a6f73fb6b6c6
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 4, 2023, 1:55 a.m.
Added to db Aug. 31, 2024, 8:40 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline SQL Brute Force Leads to BlueSky Ransomware
Title SQL Brute Force Leads to BlueSky Ransomware
Detected Hints/Tags/Attributes 129/3/74
RSS Feed
Id  Enabled  Feed title  Url  Added to db
249  The DFIR Report  https://thedfirreport.com/feed/  2024-08-30 22:08
Attributes
Columns: Type, #Events, Value (the "CTI Value" column is empty for every row)

CVE
  140  cve-2023-27350

Domain
  2     qlqd5zqefmkcr34a.onion.sh
  8     asq.d6shiiwz.pw
  6     asd.s7610rir.pw
  8     asq.r77vh0.pw
  10    detection.fyi
  9     sigmasearchengine.com
  4127  github.com

File
  87    java.exe
  5     checking.ps1
  1     kallen.ps1
  20    winring0x64.sys
  1     privfalse.bat
  6     del.ps1
  212   winlogon.exe
  6     c:\windows\system32\whoami.exe
  1208  powershell.exe
  1     %windir%\syswow64\auditpol.exe
  1     %windir%\sysnative\auditpol.exe
  10    ntdll.dll
  13    kernel32.dll
  14    vmware.exe
  5     invoke-powerdump.ps1
  62    whoami.exe

Github username
  19    the-dfir-report

md5
  4     c12f54a3f91dc7bafd92cb59fe009a35
  16    ec74a5c51106f0419184d0dd08fb05bc
  2     9e88c287eb376f3c319a5cb13f980d36
  2     7b68bc3dd393c2e5273f180e361f178a
  3     0c0195c48b6b8582fa6f6373032118da
  2     bfd36fd6a20ccd39f5c3bb64a5c5dd8b
  2     08bdf000031bbad1a836381f73adace5
  2     42a80cc2333b612b63a859f17474c9af

sha1
  2     501af977080d56a55ff0aeba66b58e7f3d1404ea
  2     07610f11d3b8ccb7b60cc8ad033dda6c7d3940c4
  2     d25340ae8e92a6d29f599fef426a2bc1b5217299
  2     e938646862477e598fcda20d0b7551863f8b651c
  2     3dff4ae3c421c9143978f8fc9499dca4aed0eac5
  2     e7be97fb2200eb99805e39513304739a7a28b17e

sha256
  1     74b6d14e35ff51fe47e169e76b4732b9f157cd7e537a2ca587c58dbdb15c624f
  1     d4f4069b1c40a5b27ba0bc15c09dceb7035d054a022bb5d558850edfba0b9534
  6     11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  2     35b95496b243541d5ad3667f4aabe2ed00066ba8b69b82f10dd1186872ce4be2
  1     f955eeb3a464685eaac96744964134e49e849a03fc910454faaff2109c378b0b
  1     3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0

IPv4
  5     83.97.20.81
  2     5.188.86.237

MITRE ATT&CK Techniques
  306   T1078 (Valid Accounts)
  125   T1110 (Brute Force)
  275   T1053.005 (Scheduled Task/Job: Scheduled Task)
  333   T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  460   T1059.001 (Command and Scripting Interpreter: PowerShell)
  298   T1562.001 (Impair Defenses: Disable or Modify Tools)
  440   T1055 (Process Injection)
  173   T1003.001 (OS Credential Dumping: LSASS Memory)
  230   T1033 (System Owner/User Discovery)
  176   T1135 (Network Share Discovery)
  472   T1486 (Data Encrypted for Impact)
  139   T1021.002 (Remote Services: SMB/Windows Admin Shares)
  442   T1071.001 (Application Layer Protocol: Web Protocols)
  174   T1569.002 (System Services: Service Execution)
  550   T1112 (Modify Registry)
  627   T1027 (Obfuscated Files and Information)
  180   T1543.003 (Create or Modify System Process: Windows Service)
  57    T1036.004 (Masquerading: Masquerade Task or Service)

Url
  2     http://qlqd5zqefmkcr34a.onion.sh/win/checking.hta
  3     https://asq.d6shiiwz.pw/win/hssl/d6.hta
  2     http://83.97.20.81/win/checking.hta
  2     http://83.97.20.81/win/update.hta
  2     https://asd.s7610rir.pw/win/checking.hta
  4     https://asq.r77vh0.pw/win/hssl/r7.hta
  4     http://asq.r77vh0.pw/win/checking.hta
  2     http://5.188.86.237/vmware.exe
  1     https://github.com/the-dfir-report/yara-rules/blob/main/19208/19208.yar