AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America
Common Information
Type | Value
UUID | 676cdb59-15bb-49d1-a782-e4717f3d8cb1
Fingerprint | e4600999a7336742
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | May 28, 2024, 4:36 p.m.
Added to db | Aug. 31, 2024, 10:52 a.m.
Last updated | Nov. 17, 2024, 7:44 p.m.
Headline | AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America
Title | AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America
Detected Hints/Tags/Attributes | 102/3/127
RSS Feed
Id | Enabled | Feed title | Url | Added to db
422 | | Inside The Lab - HarfangLab | https://harfanglab.io/insidethelab/feed | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 20 | is.gd
Domain | 1 | nfe-digital.digital
Domain | 1 | notafiscal.nfe-digital.digital
Domain | 17 | python.org
Domain | 20 | www.python.org
File | 1 | python-3.10.0-embed-win32.zip
Domain | 1 | brazilsouth.cloudapp.azure.com
Domain | 291 | raw.githubusercontent.com
Domain | 1 | nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure.com
Domain | 7 | gd.is
Domain | 1 | nota-fiscal.nfe-digital.top
Domain | 1 | nfe-digital.online
Domain | 1 | nfe-digital.site
Domain | 1 | nfe-digital.top
Domain | 1 | abrir-documento-adobe-reader-1.brazilsouth.cloudapp.azure.com
Domain | 4127 | github.com
Domain | 59 | www.cybereason.com
Domain | 2 | www.gov.br
Domain | 207 | learn.microsoft.com
File | 1 | notafiscal.pdf
File | 1 | pdf-icon.png
File | 22 | %windir%\system32\cmd.exe
File | 1 | %userprofile%\downloads\notafiscal.pdf
File | 2125 | cmd.exe
File | 1 | cp3.zip
File | 27 | pythonw.exe
File | 1 | cp3.exe
File | 1 | executor.dll
File | 456 | mshta.exe
File | 1 | execute_dll.exe
File | 1 | execute_dll.zip
File | 1 | access_pc_client_dll.dll
File | 6 | itauaplicativo.exe
File | 1 | c:\users\bert1m\desktop\test.html
File | 1 | c:\users\bert1m\desktop\meu driver\delphi xe5\cliente\zlibexapi.pas
File | 1 | c:\users\bert1m\desktop\meu driver\delphi xe5\cliente\conectar.pas
File | 36 | datetime.dat
File | 1 | d.iso
Github username | 1 | oxahax
Github username | 2 | executemalware
md5 | 1 | bfccc0fd975348c980dd89e57f94815f
md5 | 1 | b44bb61abebf41d695a4580f072d9b74
sha256 | 1 | 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535
sha256 | 1 | 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e
sha256 | 1 | 99d0de52a63e5ff790e468dbb8cd0d5273b51ca3b67b5963c0bdedc3a4f44f12
sha256 | 1 | 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841
sha256 | 1 | ac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5
sha256 | 1 | 46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780
sha256 | 1 | 2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea
sha256 | 1 | a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef
sha256 | 1 | 1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6
sha256 | 1 | 278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400
sha256 | 1 | f848c0f66afc7b5a10f060c1db129529a974ae0ad71a767f7c7793351bb7ca04
sha256 | 1 | c300749ea44f886be1887b3e19b946efbdbbc3e1bf3e416c78cfbff8d23bf70a
sha256 | 1 | 0d94547a0b8f9795e97e2a4a58b0ece65b4ea4b6e6019cbc96e1c79f373b4587
sha256 | 1 | d9877dc1ba0f977d100e687da59c216454d27e3988532652ac8f6331debbd071
sha256 | 1 | 21e22c4736e7567b198b505ed303c3ca933e0c2d931b886756f6db18a9884a75
sha256 | 1 | 2c1251ae1ec9d417bbbdd1f6ac99baa3f16a7639d0c12cb2883ef8c22c73e58e
sha256 | 1 | e50bde1e319e699f587d3b5403c487e46deed61cc3f078fe951e7cb9f6896259
sha256 | 1 | f00cb0603c055c85c7cdf9963d919d527b13013c182dc115ba733d28da57b1d9
sha256 | 1 | cd9f5773bd7672a3e09f2d05ef26775e8c7241879d5f4d13c5c5bc1704c49fa1
sha256 | 1 | 4546bc56c85ad2967859dc34b2c84f15891fcd192e86bfc630c49dc8d59e3e71
sha256 | 1 | 40c37bfcc9b0e0d1b3840cb7c751162fec91fe833d4caf4a17bc8b97d53c88b5
sha256 | 1 | a839dfbe1e7979dbd15ef6c5e472afb3efca044ee8ad27185b01161ce01e4f36
sha256 | 1 | 610f0ec33603ef4d1fd6530a8f6b0121a4c9cc62fb6fa2ceee8e2f5b2f866e4c
sha256 | 1 | c0bf82a3f7807e0c88076e0d500b07e253b106914058b02e112d45eeb6209998
sha256 | 1 | 6f05d8f85384808036d3c77732b056e2b9cd429587a77b6be3ccdbd4bb558023
sha256 | 1 | 3962c8a4d0472f91d4be45140eccf661ad6c579319953156dec438dc6a07eeb2
sha256 | 1 | b2e1f630c4593830ead91e7f3615d8d5214762dc5a1dd65bef7382d6f6c9f258
sha256 | 1 | 010d9f1f16c01db5ff37ff9b519d7ecf3be096e00ae597d7bec12b7099b2f852
sha256 | 1 | eb2cd71e72ff676d80eb746b961840fea3601d8f6402201d7c0e849a670240ee
sha256 | 1 | 643563613fb78f88fd90a6cf253ace9e9e6686568fdf6b6d7ec9760667d4d72b
sha256 | 1 | f2db799d892f2a7ac82bfa15826e74d778abdfa153ccafb9db1fdf56a0248a40
sha256 | 1 | d051c0aee007f2a1d0026330719a45e81c726251015837e66cf9348df3bd7210
sha256 | 1 | dd3f1829cc743942d1fc3719c8d8162bc45ca624352ac71f43c08dafd54bbb7f
sha256 | 1 | 8a1aba66841ae4b20df95eea8a271538453a76a53596fd3254d47d4d57a3ab3a
sha256 | 1 | 3b450994add1e3a206c56a7f8fd28e4132cffb27f3df345e07e8908d7989751f
sha256 | 1 | 35329c2fb7a1844576a5defd5d9a7d250d78db51479b2612e3923e18539b0695
sha256 | 1 | 19c02c5724622be4eedff95633f3fbaa604449aa50cc0761693bb8adb1e8cf97
sha256 | 1 | 5782b9bc96ce5ad011c122496ff0ff0dc08d6444c6d2e98606ada82130d5f21a
sha256 | 1 | 3b0eb25ed6c0dff76a613bdcfd20ca1d2f482e3c1739747bf50834ca784e66bb
sha256 | 1 | 19594c51c61fc5fd833ddd0eecb648acebdf4d789b337f00cda0a03efbb1afcf
sha256 | 1 | 7e0051d9221c13a47245359a2cd2804b4d3d9302a321fc8085da1cf1a64bac91
sha256 | 1 | b8b3963967232916cd721a22c80c11cd33057bd5629dcfa3f4b03d8a6dbf1403
sha256 | 1 | e7aa64726783ec6f7249483e984ae20b31a091a488a3ed0f83c210702c506d20
sha256 | 1 | b152346c2679392d7e15d1cc72a39a21d24e55360c4c1c845ef3524924e93fa9
sha256 | 1 | 7232e3318fdc370e611b2bcbaaec3d58a0d687927714c24dc81fe60767d53a31
sha256 | 1 | 883c49b7c869019951eff94699480a7ecc97c9c45060a15797ecbd5fce060d26
sha256 | 1 | 561e6a42e23d12abe6bba8c98f84c3ba7c45a5df840bfa6fd0dfea803c9b4b7e
sha256 | 1 | ab3a284ae6e4e466a0715c162cfab85d75522bec48fa25947b16a0891ec2358a
sha256 | 1 | 3c89775ae7c35fe3d1ec7e75ac9d4a19959d082d31ab412af243125440ffea6c
IPv4 | 1 | 191.232.38.222
IPv4 | 1 | 191.239.123.241
IPv4 | 1 | 191.234.212.140
IPv4 | 1 | 191.239.116.217
IPv4 | 1 | 191.235.87.229
IPv4 | 1 | 20.197.250.132
IPv4 | 1 | 104.41.57.122
IPv4 | 1 | 191.235.235.69
IPv4 | 1 | 4.203.105.118
IPv4 | 1 | 191.233.241.96
IPv4 | 1 | 104.41.51.80
IPv4 | 1 | 191.235.233.246
IPv4 | 1 | 191.233.248.170
Url | 1 | https://is.gd/as1idv?0192524.3043
Url | 1 | https://notafiscal.nfe-digital.digital/nota-estadual/?notafiscal=
Url | 1 | https://www.python.org/ftp/python/3.10.0/python-3.10.0-embed-win32.zip
Url | 1 | https://raw.githubusercontent.com/marinabarros320168/new/main/execute_dll.exe (ExecutorLoader)
Url | 1 | https://raw.githubusercontent.com/alexiadarocha195267/rp/raw/main/execute_dll.zip (ExecutorLoader)
Url | 1 | http://jucatyo6.autodesk360.com/shares/download/file/shd38bfqt1fb47330c999c2a86b9a6d091b6/dxjuomfkc2sud2lwchjvzdpmcy5mawxlonzmlny0uk5ubhlyu0jxd0hllxjyzwk0t2c_dmvyc2lvbj0x?bfccc0fd975348c980dd89e57f94815f
Url | 1 | https://dpsols7.autodesk360.com/shares/download/file/shd38bfqt1fb47330c99c55d44aacebd2ec7/dxjuomfkc2sud2lwchjvzdpmcy5mawxlonzmljhzc1hbs2q2vhnda0z1nkz0q2tqdhc_dmvyc2lvbj00?b44bb61abebf41d695a4580f072d9b74
Url | 1 | https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview?pivots=programming
Url | 1 | https://github.com/oxahax/brazilian-malwares/tree/master/pascal-delphi/kl-remota-kl/kl
Url | 1 | https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
Url | 1 | https://www.cybereason.com/blog/research/brazilian-financial-malware-banking-europe-south-america
Url | 1 | https://www.gov.br/nfse/pt-br/copy_of_perguntas-frequentes/copy_of_faq-nfs-e
Url | 1 | https://github.com/executemalware/malware-iocs/blob/main/2023-11-28
Url | 1 | https://learn.microsoft.com/en-us/windows/win32/shell/search-protocol#examples
Windows Registry Key | 112 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
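The attribute rows above are auto-extracted, so before they are reused as a blocklist two things need checking: the type label (the extractor sometimes files a file name under Domain), and whether a value is attacker-owned at all (the list mixes C2 hostnames with shared services such as Azure, GitHub and python.org, and the #Events column shows how many reports in the database mention each value, which is a rough measure of how generic it is). The script below is an added example by the editor, not code from the aggregator or from HarfangLab. SAMPLE_ROWS are copied from the table; the type-inference rules, the SHARED_INFRA set and the MAX_EVENTS threshold are this example's own assumptions.

```python
"""Sanity-check auto-extracted IOC rows before reusing them as a blocklist.

Added example for this page; not code from the aggregator or from HarfangLab.
SAMPLE_ROWS are (type label, #Events, value) triples copied from the attribute
table above. The type-inference rules, the SHARED_INFRA set and the MAX_EVENTS
threshold are this example's own judgement calls (assumptions), not anything
the report states.
"""
import ipaddress
import re

SAMPLE_ROWS = [
    ("Domain", 20, "is.gd"),
    ("Domain", 1, "nota-fiscal.nfe-digital.top"),
    ("Domain", 1, "python-3.10.0-embed-win32.zip"),  # extractor put a file name under Domain
    ("Domain", 1, "cp3.zip"),                         # same problem
    ("Domain", 1, "brazilsouth.cloudapp.azure.com"),
    ("Domain", 1, "nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure.com"),
    ("Domain", 291, "raw.githubusercontent.com"),
    ("Domain", 4127, "github.com"),
    ("File", 2125, "cmd.exe"),
    ("File", 1, "%userprofile%\\downloads\\notafiscal.pdf"),
    ("File", 27, "pythonw.exe"),
    ("sha256", 1, "8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535"),
    ("md5", 1, "bfccc0fd975348c980dd89e57f94815f"),
    ("IPv4", 1, "191.232.38.222"),
    ("Windows Registry Key", 112, "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

# Shared services present in the list that are not attacker-owned; blocking the
# apex would break legitimate traffic (assumed set, editor's judgement).
SHARED_INFRA = {"cloudapp.azure.com", "githubusercontent.com", "github.com",
                "python.org", "is.gd", "learn.microsoft.com", "gov.br", "cybereason.com"}
# #Events counts reports in the database mentioning the value; above this it is
# generic tooling or infrastructure rather than campaign-specific (assumed threshold).
MAX_EVENTS = 10

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
FILE_EXT_RE = re.compile(r"\.(?:exe|dll|zip|pdf|png|iso|dat|pas|html|hta|py|ps1|bat|cmd|js|vbs)$")


def classify(value: str) -> str:
    """Infer the IOC type from the value alone; names match the page's labels, lowercased."""
    v = value.strip().lower()
    if SHA256_RE.match(v):
        return "sha256"
    if MD5_RE.match(v):
        return "md5"
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    if v.startswith(("http://", "https://")):
        return "url"
    if v.startswith(("hkcu\\", "hklm\\", "hkey_")):
        return "windows registry key"
    if "\\" in v or v.startswith("%") or FILE_EXT_RE.search(v):
        return "file"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def audit(rows):
    """Return (label, value, inferred) for rows whose label disagrees with the value."""
    return [(label, value, inferred)
            for label, _, value in rows
            if (inferred := classify(value)) not in ("unknown", label.lower())]


def is_shared_infra(host: str) -> bool:
    """True for a shared-service apex or one regional label below it
    (brazilsouth.cloudapp.azure.com); a longer hostname under it, which is the
    attacker-chosen label, stays actionable."""
    labels = host.lower().split(".")
    return any(".".join(labels[-len(s.split(".")):]) == s and len(labels) <= len(s.split(".")) + 1
               for s in SHARED_INFRA)


def blocklist_candidates(rows, max_events=MAX_EVENTS):
    """Hostnames worth blocking: typed as a domain by the value itself, not a
    shared-service apex, and rare across the database."""
    return sorted(value for _, events, value in rows
                  if events <= max_events and classify(value) == "domain"
                  and not is_shared_infra(value))


if __name__ == "__main__":
    for label, value, inferred in audit(SAMPLE_ROWS):
        print(f"mislabelled {label!r}: {value} looks like {inferred}")
    print("blocklist:", blocklist_candidates(SAMPLE_ROWS))
```

On the sample rows the audit flags the two .zip names, and only the full C2 hostname under brazilsouth.cloudapp.azure.com and the nfe-digital phishing domain survive as blocklist candidates; the regional Azure apex, GitHub raw hosting and the URL shortener are dropped because blocking them wholesale would hit far more than this campaign. Full hashes and the Run key are fine as detection content regardless of the #Events count.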
Yara rule | 1 | allasenhamaycampaign_executorloader
rule allasenhamaycampaign_executorloader {
	meta:
		description = "Detects Delphi ExecutorLoader DLLs and executables."
		references = "TRR240501"
		date = "2024-05-28"
		author = "HarfangLab"
		context = "file,memory"
	strings:
		$delphi = "Embarcadero Delphi" ascii fullword
		$s1 = "\\SysWOW64\\mshta.exe" wide fullword
		$s2 = "\\System32\\mshta.exe" wide fullword
		$s3 = "RcDll" wide fullword
		$default1 = "Default_" wide fullword
		$default2 = "Default~" wide fullword
	condition:
		$delphi and all of ($s*) and any of ($default*)
}
Yara rule | 1 | allasenhamaycampaign_allasenha
rule allasenhamaycampaign_allasenha {
	meta:
		description = "Detects AllaSenha banking trojan DLLs."
		references = "TRR240501"
		date = "2024-05-28"
		author = "HarfangLab"
		context = "file,memory"
	strings:
		$a1 = "<|NOSenha|>" wide fullword
		$a2 = "<|SENHA|>QrCode: " wide fullword
		$a3 = "<|SENHA|>Senha 6 : " wide fullword
		$a4 = "<|SENHA|>Snh: " wide fullword
		$a5 = "<|SENHA|>Token: " wide fullword
		$a6 = "<|BB-AMARELO|>" wide fullword
		$a7 = "<|BB-AZUL|>" wide fullword
		$a8 = "<|BB-PROCURADOR|>" wide fullword
		$a9 = "<|ITAU-SNH-CARTAO|>" wide fullword
		$a10 = "<|ITAU-TK-APP|>" wide fullword
		$dga = { 76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 7A 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 77 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 6B 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 79 00 00 00 }
	condition:
		$dga and (4 of ($a*))
}
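The `$dga` hex string in the second rule is opaque as written, and since the condition requires it, knowing what it matches matters when tuning. Read against the Delphi UnicodeString record (code page 0x04B0 = 1200, element size 2, reference count -1 for a compile-time constant, then a 32-bit length, the UTF-16LE characters and a 00 00 terminator), the 84 bytes are six adjacent one-character string constants; the pattern starts mid-record, so its first four bytes are the tail of a constant whose header sits just before the match. That reading is the editor's, not something the rule states. The decoder below is an added example (editor's code, not HarfangLab's); YARA_DGA_HEX is copied verbatim from the rule, and the decoder is general, so it is also exercised on constructed multi-character constants.

```python
"""Decode the $dga hex pattern of rule allasenhamaycampaign_allasenha.

Added example, not HarfangLab's code. YARA_DGA_HEX is copied verbatim from the
rule above. Record layout assumed here (Delphi UnicodeString header, StrRec):
codePage u16 = 0x04B0 | elemSize u16 = 2 | refCnt i32 = -1 | length i32 |
UTF-16LE chars | 00 00 terminator.
"""
import struct

YARA_DGA_HEX = (
    "76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 "
    "FF FF FF FF 01 00 00 00 7A 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 "
    "77 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 6B 00 00 00 B0 04 02 00 "
    "FF FF FF FF 01 00 00 00 79 00 00 00"
)

# Fixed prefix of a constant's header: codePage 1200, elemSize 2, refCnt -1.
HDR_MAGIC = bytes.fromhex("B0040200FFFFFFFF")
HDR_LEN = 12  # magic (8) + little-endian int32 length (4)


def yara_hex_to_bytes(pattern: str) -> bytes:
    """Turn a YARA hex string without wildcards into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def make_constant(text: str) -> bytes:
    """Build a constant in the assumed layout; used to construct test input."""
    return HDR_MAGIC + struct.pack("<i", len(text)) + text.encode("utf-16-le") + b"\x00\x00"


def decode_constants(blob: bytes):
    """Return (offset, string) for every header + chars + terminator fully inside blob."""
    out = []
    pos = 0
    while (i := blob.find(HDR_MAGIC, pos)) >= 0:
        if i + HDR_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<i", blob, i + 8)
        start = i + HDR_LEN
        end = start + 2 * max(length, 0)
        # Reject nonsense lengths and records whose terminator is missing or cut off.
        if length <= 0 or blob[end:end + 2] != b"\x00\x00":
            pos = i + 1
            continue
        out.append((i, blob[start:end].decode("utf-16-le")))
        pos = end + 2
    return out


def leading_tail(blob: bytes) -> str:
    """Characters before the first header: the tail of a constant whose header
    precedes the matched bytes, with its 00 00 terminator stripped."""
    i = blob.find(HDR_MAGIC)
    head = blob if i < 0 else blob[:i]
    while head.endswith(b"\x00\x00"):
        head = head[:-2]
    return head.decode("utf-16-le")


def literals_in_pattern(pattern: str):
    """All string literals the pattern spans, in file order."""
    blob = yara_hex_to_bytes(pattern)
    return [leading_tail(blob)] + [s for _, s in decode_constants(blob)]


if __name__ == "__main__":
    print(literals_in_pattern(YARA_DGA_HEX))  # ['v', 'x', 'z', 'w', 'k', 'y']
```

So `$dga` pins six adjacent single-character literals as the compiler laid them out in the data section, not code. That makes it precise but brittle: a rebuild that adds, reorders or renames one of those constants shifts the bytes and, because the condition is `$dga and (4 of ($a*))`, the whole rule stops firing even when every `<|SENHA|>` marker is intact. When tuning, treat the `$a*` strings as the durable half and consider a looser companion rule keyed on them alone.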