IoCs/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs
Tags

attack-pattern: Data
Common Information
Type | Value |
---|---|
UUID | 8615f388-3c95-45c2-897d-56e661df1d66 |
Fingerprint | 4149f6b0967e27f |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 1, 2022, midnight |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Dec. 19, 2024, 8:21 a.m. |
Headline | DTrack |
Title | IoCs/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs |
Detected Hints/Tags/Attributes | 7/1/16 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | File | 3 | | %d.tmp |
Details | File | 2 | | execute_%s.log |
Details | Pdb | 1 | | mystub.pdb |

Details | Yara rule | 1 event:

```yara
rule dtrack_2020 {
    meta:
        author = "jeFF0Falltrades"
    strings:
        $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" ascii wide
        $str_log = "------------------------------ Log File Create...." ascii wide
        $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" ascii wide
        $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" ascii wide
        $str_tmp = "%s\\~%d.tmp" ascii wide
        $str_exc = "Execute_%s.log" ascii wide
        $str_reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
        $str_reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/
        $hex_1 = { D1 ?? 33 ?? FC 81 ?? FF 00 00 00 C1 ?? 17 }
        $hex_2 = { C1 ?? 08 8B ?? FC C1 ?? 10 }
        $hex_3 = { 81 0D [4] 1C 31 39 29 }
    condition:
        2 of them or $hex_3
}
```