Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 67481f74-4396-4bae-8689-07530134b3b5 |
| Fingerprint | 4743a91f79a9499 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Dec. 4, 2024, 9 a.m. |
| Added to db | Dec. 5, 2024, 2:38 a.m. |
| Last updated | Dec. 17, 2024, 1:34 p.m. |
| Headline | Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage |
| Title | Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog |
| Detected Hints/Tags/Attributes | 126/3/56 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 173 | ✔ | Microsoft Security Blog | https://microsoft.com/security/blog/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 17 | cve-2022-38028 |
|
| Details | Domain | 2 | ur253.duckdns.org |
|
| Details | Domain | 3 | connectotels.net |
|
| Details | Domain | 3 | hostelhotels.net |
|
| Details | Domain | 114 | aka.ms |
|
| Details | File | 1 | arsenalv2%.exe |
|
| Details | File | 1 | connectioninfo.db |
|
| Details | File | 1 | downloadpriority.db |
|
| Details | File | 2 | cridviz.exe |
|
| Details | File | 3 | crezly.exe |
|
| Details | File | 21 | credwiz.exe |
|
| Details | File | 36 | duser.dll |
|
| Details | File | 1 | c:\windows\system32 with the filename oci.dll |
|
| Details | File | 57 | msdtc.exe |
|
| Details | File | 24 | oci.dll |
|
| Details | File | 1 | hubstck.exe |
|
| Details | File | 1 | auddrv.exe |
|
| Details | File | 1 | lustsorelfar.exe |
|
| Details | File | 1 | mfmpef.exe |
|
| Details | File | 1 | mpsvcs.dll |
|
| Details | File | 1 | winhttpsvc.dll |
|
| Details | File | 6 | regsvr.exe |
|
| Details | sha256 | 3 | e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273 |
|
| Details | sha256 | 3 | 08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2 |
|
| Details | sha256 | 3 | aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c |
|
| Details | sha256 | 3 | 7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2 |
|
| Details | sha256 | 3 | dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced |
|
| Details | sha256 | 3 | 7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912 |
|
| Details | sha256 | 3 | e2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381 |
|
| Details | sha256 | 3 | c039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a |
|
| Details | sha256 | 3 | 59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317 |
|
| Details | IPv4 | 6 | 45.14.194.253 |
|
| Details | IPv4 | 3 | 94.177.198.94 |
|
| Details | IPv4 | 6 | 162.213.195.129 |
|
| Details | IPv4 | 3 | 46.249.58.201 |
|
| Details | IPv4 | 3 | 95.111.229.253 |
|
| Details | IPv4 | 6 | 146.70.158.90 |
|
| Details | IPv4 | 5 | 143.198.73.108 |
|
| Details | IPv4 | 3 | 161.35.192.207 |
|
| Details | IPv4 | 3 | 91.234.33.48 |
|
| Details | IPv4 | 6 | 154.53.42.194 |
|
| Details | IPv4 | 3 | 38.242.207.36 |
|
| Details | IPv4 | 4 | 167.86.118.69 |
|
| Details | IPv4 | 8 | 164.68.108.153 |
|
| Details | IPv4 | 13 | 144.91.72.17 |
|
| Details | IPv4 | 6 | 130.185.119.198 |
|
| Details | IPv4 | 6 | 176.57.184.97 |
|
| Details | IPv4 | 6 | 173.212.252.2 |
|
| Details | IPv4 | 6 | 209.126.11.251 |
|
| Details | IPv4 | 3 | 37.60.236.186 |
|
| Details | IPv4 | 6 | 5.189.183.63 |
|
| Details | IPv4 | 6 | 109.123.244.46 |
|
| Details | Microsoft Threat Actor Naming Taxonomy (Groups in development) | 28 | Storm-0156 |
|
| Details | Microsoft Threat Actor Naming Taxonomy (Groups in development) | 8 | Storm-0473 |
|
| Details | Threat Actor Identifier - APT | 127 | APT36 |
|
| Details | Url | 27 | https://aka.ms/threatintelblog. |