Dark Pink
Common Information
Type Value
UUID 6f65ba27-05e6-4a39-ad8c-d426046c39a6
Fingerprint b02c0a9b8e6795c9
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 1, 2023, midnight
Added to db Aug. 31, 2024, 1:02 a.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Dark Pink
Title Dark Pink
Detected Hints/Tags/Attributes 149/4/85
RSS Feed
Id | Enabled | Feed title | Url | Added to db
36 | | Blog Group-IB | https://blog.group-ib.com/rss.xml | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 107 | system.management
Domain | 272 | outlook.com
Domain | 13 | smtp-mail.outlook.com
Domain | 1 | outlook.com.vn
Domain | 339 | system.net
Domain | 20 | ifconfig.me
Domain | 61 | system.windows
Domain | 5 | drawing.graphics
Domain | 5 | image.save
Domain | 13 | archive.zip
Domain | 2 | ab.zip
Domain | 145 | api.telegram.org
Domain | 291 | raw.githubusercontent.com
Domain | 7 | xxx.zip
Domain | 372 | wscript.shell
Domain | 13 | shortcut.save
Domain | 19 | file.zip
Domain | 228 | system.io
Email | 1 | lanhuong.jsc@outlook.com
Email | 2 | blackpink.301@outlook.com
Email | 2 | blackred.113@outlook.com
Email | 1 | alibaba.113@outlook.com
Email | 1 | alibaba.113@outlook.com.vn
Email | 1 | nphuongmai.97@outlook.com
File | 33 | forfiles.exe
File | 380 | notepad.exe
File | 2126 | cmd.exe
File | 22 | dism.exe
File | 1 | dism.sys
File | 11 | dismcore.dll
File | 7 | system.bat
File | 1260 | explorer.exe
File | 46 | automation.ps
File | 1 | lanhuong.js
File | 1 | %temp%\kovosrlvmu\ folder in files with the .dat
File | 10 | archive.zip
File | 2 | telegram.txt
File | 2 | afkslfsa.csv
File | 2 | ab.zip
File | 5 | xxx.gif
File | 6 | xxx.zip
File | 351 | recycle.bin
File | 13 | shortcut.tar
File | 9 | %systemroot%\system32\cmd.exe
File | 7 | shortcut.ico
File | 11 | %systemroot%\system32\shell32.dll
File | 1 | zzzzzzzzzzzzz.txt
File | 18 | file.zip
File | 5 | '.doc
File | 3 | '.docx
File | 3 | '.xls
File | 3 | '.xlsx
File | 3 | '.ppt
File | 3 | '.pptx
File | 8 | '.pdf
Github username | 3 | efimovah
md5 | 1 | 926027F0308481610C85F4E3E433573B
md5 | 1 | 728AFA40B20DF6D2540648EF845EB754
md5 | 1 | 7EAF1B65004421AC07C6BB1A997487B2
md5 | 1 | 732091AD428419247BCE87603EA79F00
sha1 | 2 | 24f65e0ee158fc63d98352f9828d014ab239ae16
sha1 | 2 | d8df672ecd9018f3f2d23e5c966535c30a54b71d
sha1 | 2 | 18ca159183c98f52df45d3e9db0087e17596a866
sha1 | 2 | 142f909c26bd57969ef93d7942587cdf15910e34
sha256 | 1 | 9976625b5a3035dc68e878ad5ac3682ccb74ef2007c501c8023291548e11301a
sha256 | 1 | c60f778641942b7b0c00f3214211b137b683e8296abb1905d2557bfb245bf775
sha256 | 1 | e3181ee97d3ffd31c22c2c303c6e75d0196912083d0c21536e5833ee7d108736
sha256 | 1 | e45df7418ca47a9a4c4803697f4b28c618469c6e5a5678213ab81df9fcc9fd51
Pdb | 1 | c:\users\hoang\source\repos\cucky\cucky\obj\release\net46\cucky.pdb
Pdb | 1 | c:\users\build\source\repos\ctealwebcredential\release\ctealwebcredential.pdb
Threat Actor Identifier - APT | 522 | APT41
Url | 1 | https://ifconfig.me/ip.
Url | 3 | https://ifconfig.me/ip
Url | 33 | https://api.telegram.org/bot
Url | 1 | https://api.telegram.org/bot$($token)/getupdates").result|
Url | 3 | https://raw.githubusercontent.com/efimovah/abcd/main/xxx.gif
Url | 1 | https://raw.githubusercontent.com/efimovah/abcd/main/zzzzzzzzzzzzz.txt
Windows Registry Key | 9 | HKCU\Environment\UserInitMprLogonScript
Windows Registry Key | 18 | HKCU\SOFTWARE\Microsoft\Windows
Windows Registry Key | 1 | HKCU\SOFTWARE\Classes\abcdfile\shell\abcd
Windows Registry Key | 1 | HKCU\Environment\Update
Windows Registry Key | 1 | HKCU\Environment\guid
Windows Registry Key | 1 | HKCU\Environment\OSBuild
Windows Registry Key | 1 | HKCU\Environment\STMP
Windows Registry Key | 1 | HKCU\Environment\SYSPS