Playing defense against Gamaredon Group — Elastic Security Labs
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 5e9d73cb-203b-4a66-869e-381b5230a3eb |
| Fingerprint | b405091a48ae0aeb |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 21, 2022, midnight |
| Added to db | Nov. 19, 2023, 6:21 a.m. |
| Last updated | Nov. 17, 2024, 10:40 p.m. |
| Headline | Playing defense against Gamaredon Group |
| Title | Playing defense against Gamaredon Group — Elastic Security Labs |
| Detected Hints/Tags/Attributes | 87/3/56 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 41 | ddns.net |
|
| Details | Domain | 23 | hopto.org |
|
| Details | Domain | 2 | pos.dot |
|
| Details | Domain | 2 | ipt.ne |
|
| Details | Domain | 2 | ting.fi |
|
| Details | Domain | 372 | wscript.shell |
|
| Details | Domain | 15 | wscript.network |
|
| Details | Domain | 2 | ns.ne |
|
| Details | Domain | 2 | libcrash.ddns.net |
|
| Details | Domain | 18 | microsoft.office |
|
| Details | Domain | 4 | bounceme.net |
|
| Details | Domain | 369 | microsoft.com |
|
| Details | Domain | 12 | skype.com |
|
| Details | Domain | 2 | document-out.hopto.org |
|
| Details | Domain | 2 | beercraft.space |
|
| Details | Domain | 2 | skymage.fun |
|
| Details | Domain | 4 | masseffect.space |
|
| Details | Domain | 2 | masseffect.website |
|
| Details | File | 66 | settings.xml |
|
| Details | File | 3 | wordprocessingml.doc |
|
| Details | File | 2 | pos.dot |
|
| Details | File | 2 | posolreboot.php |
|
| Details | File | 3 | security.vbs |
|
| Details | File | 41 | msxml2.xml |
|
| Details | File | 2 | excelmymacros.vb |
|
| Details | File | 2 | wordmacros.vb |
|
| Details | File | 2 | excel.dll |
|
| Details | File | 2 | word.dll |
|
| Details | File | 4 | microsoft.vb |
|
| Details | File | 25 | interop.dll |
|
| Details | File | 3 | wordmacros.txt |
|
| Details | File | 271 | chrome.exe |
|
| Details | File | 263 | iexplore.exe |
|
| Details | File | 199 | firefox.exe |
|
| Details | File | 323 | winword.exe |
|
| Details | File | 199 | excel.exe |
|
| Details | File | 92 | powerpnt.exe |
|
| Details | File | 1260 | explorer.exe |
|
| Details | File | 376 | wscript.exe |
|
| Details | File | 3 | excelmymacros.txt |
|
| Details | sha256 | 2 | 86e0701349903105b0c346df9485dd59d85dd9463c2bee46d974ea1b1d7059d4 |
|
| Details | sha256 | 2 | feb0596e9735e03ae929d9b5ee862da19e16e5cdf57dd2a795205e591a55940f |
|
| Details | sha256 | 2 | c4089686965df5e52105b6eac06703aa11c4891695278446370f623d531b505e |
|
| Details | sha256 | 2 | 02e6e2bfaaf6e77cfaccadaf26167135c53cf2c934d17c5a83e5bbcadd85b47d |
|
| Details | sha256 | 3 | 2f310c5b16620d9f6e5d93db52607f21040b4829aa6110e22ac55fab659e9fa1 |
|
| Details | sha256 | 4 | c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f |
|
| Details | sha256 | 3 | 145a61a14ec6d32b105a6279cd943317b41f1d27f21ac64df61bcdd464868edd |
|
| Details | IPv4 | 3 | 141.8.195.60 |
|
| Details | IPv4 | 2 | 141.8.192.153 |
|
| Details | IPv4 | 3 | 188.225.25.50 |
|
| Details | IPv4 | 2 | 185.200.241.88 |
|
| Details | IPv4 | 2 | 188.225.46.94 |
|
| Details | Threat Actor Identifier - APT | 132 | APT32 |
|
| Details | Url | 2 | http://libcrash.ddns.net/endpoint1_96l02g3d//posolreboot.php |
|
| Details | Windows Registry Key | 18 | HKCU\Software\Microsoft\Office |
|
| Details | Windows Registry Key | 18 | HKEY_CURRENT_USER\Software\Microsoft\Office |