MAR-10376640-1.v1 – IsaacWiper and HermeticWizard | CISA
Common Information
Type Value
UUID 64042f0f-ffa3-40ca-afd0-3f4d064d867a
Fingerprint cf853b334def0eaf
Analysis status DONE
Considered CTI value 2
Text language
Published April 28, 2022, noon
Added to db June 5, 2023, 10:32 a.m.
Last updated Nov. 17, 2024, 5:57 p.m.
Headline MAR-10376640-1.v1 – IsaacWiper and HermeticWizard
Title MAR-10376640-1.v1 – IsaacWiper and HermeticWizard | CISA
Detected Hints/Tags/Attributes 55/2/32
Attributes
Details Type #Events CTI Value
Details Domain 469
www.cisa.gov
Details Domain 154
us-cert.cisa.gov
Details Domain 84
malware.us-cert.gov
Details Domain 84
ftp.malware.us-cert.gov
Details Email 84
submit@malware.us-cert.gov
Details File 7
cleaner.dll
Details File 2
exec_x32.dll
Details File 4
romance.dll
Details File 4
wizard.dll
Details File 8
cleaner.exe
Details File 5
c:\programdata\log.txt
Details File 85
log.txt
Details md5 2
0959bf541d52b6e2915420442bf44ce8
Details md5 2
58d71fff346017cf8311120c69c9946a
Details md5 3
517d2b385b846d6ea13b75b8adceb061
Details md5 2
aa98b92e3320af7a1639de1bac6c17cc
Details md5 2
8061889aaebd955ba6fb493abe7a4de1
Details md5 3
ecce8845921a91854ab34bff2623151e
Details sha256 9
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033
Details sha256 2
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b
Details sha256 2
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48
Details sha256 5
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec
Details sha256 2
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f
Details sha256 2
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a
Details sha256 18
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
Details Url 43
http://www.cisa.gov/tlp.
Details Url 53
https://us-cert.cisa.gov/forms/feedback
Details Url 84
https://malware.us-cert.gov
Details Yara rule 2
// HermeticWizard sample detection (CISA MAR-10376640-1.v1).
// Every pattern below is a literal byte sequence; the decoded text is noted
// beside each one. Patterns with interleaved 00 bytes are UTF-16LE text whose
// final 00 byte has been left off, so they match the leading bytes of the wide
// string. The condition requires all 16 strings, so generic tokens such as
// "samr" or "user" only contribute in combination with the rest.
rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10376640"
		Date = "2022-03-12"
		Last_Modified = "20220413_1300"
		Actor = "n/a"
		Category = "Trojan Wiper Worm"
		Family = "HERMETICWIZARD"
		Description = "Detects Hermetic Wizard samples"
		MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
		SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
	strings:
		// UTF-16LE "pipe\%s" — a format-string fragment for a named-pipe path
		$s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
		// UTF-16LE "nmanserv" — fragment of a longer name (full name not visible here)
		$s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
		// $s2-$s7 are ASCII names of well-known Windows SMB/RPC named pipes
		$s2 = { 73 61 6D 72 }                                  // "samr"
		$s3 = { 62 72 6F 77 73 65 72 }                         // "browser"
		$s4 = { 6E 65 74 6C 6F 67 6F 6E }                      // "netlogon"
		$s5 = { 6C 73 61 72 70 63 }                            // "lsarpc"
		$s6 = { 6E 74 73 76 63 73 }                            // "ntsvcs"
		$s7 = { 73 76 63 63 74 6C }                            // "svcctl"
		// ASCII: start cmd /c "ping localhost   (cut off after the opening quote)
		$s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
		// $s9-$s14 are UTF-16LE words consistent with a hard-coded credential list
		// (presumably usernames and passwords tried against remote hosts — inferred)
		$s9 = { 67 00 75 00 65 00 73 00 74 }                               // "guest"
		$s10 = { 74 00 65 00 73 00 74 }                                    // "test"
		$s11 = { 75 00 73 00 65 00 72 }                                    // "user"
		$s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }  // "administrato" (truncated)
		$s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }                       // "Qaz123"
		$s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }           // "Qwerty12"
		// ASCII "cmd /c start reg" — command-line fragment
		$s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
	condition:
		// All sixteen patterns must be present; no size bound is applied.
		all of them
}
Details Yara rule 2
// HermeticWizard sample detection, second variant (CISA MAR-10376640-1.v1).
// Patterns are literal bytes; decoded text is noted beside each one. $s2-$s4
// each contain two short UTF-16LE tokens separated by their 00 terminators
// and padding, i.e. they pin the layout of adjacent string constants rather
// than a single word.
rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10376640"
		Date = "2022-03-13"
		Last_Modified = "20220413_1300"
		Actor = "n/a"
		Category = "Trojan Wiper Worm"
		Family = "HERMETICWIZARD"
		Description = "Detects Hermetic Wizard samples"
		MD5_1 = "58d71fff346017cf8311120c69c9946a"
		SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
	strings:
		// ASCII "is program canno" — part of the standard PE DOS-stub message;
		// present in nearly every Windows executable, so it adds little on its own
		$s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
		// UTF-16LE "\\%s\pipe\%s" — UNC named-pipe format string (trailing 00 omitted)
		$s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
		// UTF-16LE "dll", 00 00 terminator, then "-i"
		$s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
		// UTF-16LE "-h", terminator + padding, then "-s"
		$s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
		// UTF-16LE "-c", terminator + padding, then "-a"
		$s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
		// ASCII "CommandLineToArgvW" — Win32 API name; presumably the parser for
		// the switches in $s2-$s4 (inferred from co-occurrence, not shown here)
		$s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
	condition:
		// All six patterns must be present.
		all of them
}
Details Yara rule 2
// HermeticWizard sample detection, third variant (CISA MAR-10376640-1.v1).
// Only three patterns, two of which are zlib/inflate artifacts common to any
// binary embedding that library; the filesize bound and the module-name
// string carry the specificity.
// NOTE(review): the hash key here is "SHA256", whereas the other rules in this
// report use "SHA256_1" — tooling that reads meta fields by name may miss it.
rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10376640"
		Date = "2022-04-14"
		Last_Modified = "20220414_1037"
		Actor = "n/a"
		Category = "Trojan Wiper Worm"
		Family = "HERMETICWIZARD"
		Description = "Detects Hermetic Wizard samples"
		MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
		SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
	strings:
		$s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }         // ASCII "Wizard.dll"
		$s1 = { 69 6E 66 6C 61 74 65 }                   // ASCII "inflate"
		$s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }          // ASCII "Mark Adler" (zlib author string)
	condition:
		// All three strings and a file smaller than 2000KB.
		all of them and filesize < 2000KB
}
Details Yara rule 2
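// IsaacWiper sample detection (CISA MAR-10376640-1.v1).
// Patterns are literal bytes; decoded text is noted beside each one. The
// condition has two independent branches: the wide log/status strings
// ($s0-$s3) together with the DOS-stub fragment ($s4), OR the three ASCII
// artifacts ($s5-$s7). Either branch alone is sufficient for a match.
rule CISA_10376640_01 : trojan wiper ISAACWIPER {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10376640"
		Date = "2022-03-14"
		Last_Modified = "20220418_1900"
		Actor = "n/a"
		Category = "Trojan Wiper"
		Family = "ISAACWIPER"
		// Typo corrected: original read "ISACC Wiper"; Family and report title say ISAAC.
		Description = "Detects ISAAC Wiper samples"
		MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
		SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
		MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
		SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
		MD5_3 = "ecce8845921a91854ab34bff2623151e"
		SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
	strings:
		// $s0-$s3 are UTF-16LE with the final 00 byte omitted
		$s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }  // "start erasing"
		$s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }                                       // "logical"
		$s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }                                             // "FAILED"
		$s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }                                 // "\log.txt" (cf. c:\programdata\log.txt in the report's file list)
		// ASCII "is program canno" — standard PE DOS-stub message, present in
		// nearly every Windows executable; adds little specificity on its own
		$s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
		$s5 = { 53 74 61 72 74 40 34 }          // ASCII "Start@4" (looks like a stdcall-decorated export name — TODO confirm)
		$s6 = { 3B 57 34 74 2D 6A }             // ASCII ";W4t-j"
		$s7 = { 43 6C 65 61 6E 65 72 2E }       // ASCII "Cleaner." (cf. cleaner.dll / cleaner.exe in the report's file list)
	condition:
		// Branch 1: all wide status strings plus the DOS-stub fragment.
		// Branch 2: all three ASCII artifacts.
		all of ($s0, $s1, $s2, $s3, $s4) or all of ($s5, $s6, $s7)
}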