Hunting the LockBit Gang's Exfiltration Infrastructures - Yoroi
Tags
country: | Italy |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data | IP Addresses - T1590.005 | Malware - T1587.001 | Malware - T1588.001 | MSBuild - T1127.001 | Phishing - T1660 | Phishing - T1566 | Server - T1583.004 | Server - T1584.004 | Tool - T1588.002 | WHOIS - T1596.002 |
Common Information
Type | Value |
---|---|
UUID | 4818fab4-2d85-4df0-8e11-999d59ec28d8 |
Fingerprint | bc001999d7acd21b |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Sept. 24, 2021, 9:36 a.m. |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 17, 2024, 6:49 p.m. |
Headline | Hunting the LockBit Gang's Exfiltration Infrastructures |
Title | Hunting the LockBit Gang's Exfiltration Infrastructures - Yoroi |
Detected Hints/Tags/Attributes | 77/3/27 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 285 | | microsoft.net |
Details | File | 130 | | ws2_32.dll |
Details | File | 100 | | ntuser.dat.log |
Details | File | 99 | | bootsect.bak |
Details | File | 243 | | autorun.inf |
Details | File | 143 | | thumbs.db |
Details | File | 101 | | iconcache.db |
Details | File | 38 | | restore-my-files.txt |
Details | File | 351 | | recycle.bin |
Details | sha256 | 3 | | 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d |
Details | sha256 | 1 | | 2f18e61e3d9189f6ff5cc95252396bebaefe0d76596cc51cf0ade6a5156c6f66 |
Details | sha256 | 3 | | 4db7eeed852946803c16373a085c1bb5f79b60d2122d6fc9a2703714cdd9dac0 |
Details | sha256 | 1 | | 07a3dcb8d9b062fb480692fa33d12da05c21f544492cbaf9207956ac647ba9ae |
Details | sha256 | 2 | | bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e |
Details | sha256 | 1 | | ced3de74196b2fac18e010d2e575335e2af320110d3fdaff09a33165edb43ca2 |
Details | sha256 | 1 | | 107d9fce05ff8296d0417a5a830d180cd46aa120ced8360df3ebfd15cb550636 |
Details | IPv4 | 4 | | 139.60.160.200 |
Details | IPv4 | 4 | | 193.162.143.218 |
Details | IPv4 | 4 | | 193.38.235.234 |
Details | IPv4 | 4 | | 45.227.255.190 |
Details | IPv4 | 3 | | 93.190.139.223 |
Details | IPv4 | 4 | | 168.100.11.72 |
Details | IPv4 | 4 | | 174.138.62.35 |
Details | IPv4 | 4 | | 93.190.143.101 |
Details | IPv4 | 4 | | 88.80.147.102 |
Details | IPv4 | 5 | | 185.215.113.39 |
Details | Yara rule | 1 | | stealbit_decode (rule text below) |

```yara
rule stealbit_decode {
    meta:
        description = "Yara Rule for StealBit Configuration decryption"
        author = "Yoroi Malware Zlab"
        last_updated = "2021_09_01"
        tlp = "white"
        category = "informational"
    strings:
        $Offset = { FF 17 18 19 20 00 00 00 00 00 00 }
        $decode_Conf = { 8B C1 83 E0 0F 8A 8? ?? ?? ?? ?? 30 8? ?? ?? ?? ?? 41 83 F9 7C }
    condition:
        all of them
}
```