IoCs/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs
Tags
attack-pattern: Data
Common Information
Type Value
UUID 8615f388-3c95-45c2-897d-56e661df1d66
Fingerprint 4149f6b0967e27f
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 1, 2022, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Dec. 19, 2024, 8:21 a.m.
Headline DTrack
Title IoCs/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs
Detected Hints/Tags/Attributes 7/1/16
Attributes
Details Type #Events CTI Value
Details File 3
%d.tmp
Details File 2
execute_%s.log
Details sha256 4
3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682
Details sha256 5
bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364
Details sha256 2
51ac3966b48c91947de4ce51a90aee9deb730d86cedf8c863d9dcdf0fb322537
Details sha256 1
61c1b9afa2347c315a6b4628f9dff3ada6f8d040345402d4708881f05b1ec48b
Details sha256 2
ee9cd8decf752a47eefe24369a806976dce8ac2c29a8271c68bc407326fb19a9
Details sha256 2
791c59a0d6456ac1d9976fe82dc6b13f3e5980c6cfa2fd9d58a3cc849755ea9f
Details sha256 4
93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9
Details sha256 4
a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68
Details sha256 4
c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c
Details sha256 1
b0bf63300fd4f6a0b1544663b6326c250086369b128d241287d150e6e6409fd8
Details sha256 2
1ba8cba6337da612d1db2cdfe1b44f6110741d91ba696a5b125ebd3e9b081ed7
Details sha256 2
4701cc722f03253fb332747f951fff4c4ff023e13096a7e090a22b95c70efbf3
Details Pdb 1
mystub.pdb
Details Yara rule 1
rule dtrack_2020 {
	meta:
		author = "jeFF0Falltrades"
	strings:
		$pdb = "Users \\ user \\ Documents \\ Visual Studio 2008 \\ Projects \\ MyStub \\ Release \\ MyStub.pdb" ascii wide
		$str_log = "------------------------------ Log File Create...." ascii wide
		$str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" ascii wide
		$str_chrome = "Local Settings \\ Application Data \\ Google \\ Chrome \\ User Data \\ Default \\ History" ascii wide
		$str_tmp = "%s \\ ~%d.tmp" ascii wide
		$str_exc = "Execute_%s.log" ascii wide
		$str_reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
		$str_reg_move = /move \/y %s \\\\[ 0 - 9 ]{ 1 , 3 }\.[ 0 - 9 ]{ 1 , 3 }\.[ 0 - 9 ]{ 1 , 3 }\.[ 0 - 9 ]{ 1 , 3 }\\C\ $ \\Windows\\Temp\\MpLogs\\/
		$hex_1 = { D1 ?? 33 ?? FC 81 ?? FF 00 00 00 C1 ?? 17 }
		$hex_2 = { C1 ?? 08 8B ?? FC C1 ?? 10 }
		$hex_3 = { 81 0D [4] 1C 31 39 29 }
	condition:
		2 of them or $hex_3
}