Fantasy – a new Agrius wiper deployed through a supply-chain attack
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter Develop Capabilities Masquerading
country: United Arab Emirates Hong Kong Iran Israel South Africa
attack-pattern: Data Direct Command And Scripting Interpreter - T1623 Credentials - T1589.001 Data Destruction - T1662 Data Destruction - T1485 Develop Capabilities - T1587 Disk Content Wipe - T1561.001 Disk Content Wipe - T1488 Disk Structure Wipe - T1561.002 Disk Wipe - T1561 Domain Accounts - T1078.002 Exploits - T1587.004 Exploits - T1588.005 File Deletion - T1070.004 File Deletion - T1630.002 Indicator Removal On Host - T1630 Lateral Tool Transfer - T1570 Local Accounts - T1078.003 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Python - T1059.006 Rundll32 - T1218.011 Smb/Windows Admin Shares - T1021.002 Software - T1592.002 System Shutdown/Reboot - T1529 Windows Command Shell - T1059.003 Timestomp - T1070.006 Tool - T1588.002 Vulnerabilities - T1588.006 Access Token Manipulation - T1134 Command-Line Interface - T1059 Credential Dumping - T1003 File Deletion - T1107 Indicator Removal On Host - T1070 Masquerading - T1036 Network Share Discovery - T1135 Remote Services - T1021 Rundll32 - T1085 Valid Accounts - T1078 Timestomp - T1099 Data Destruction Indicator Removal On Host Masquerading Valid Accounts
Show in Graph
Common Information
Type Value
UUID 87dd0036-b3cc-46bf-a52b-90cec8ef79dd
Fingerprint e530af538f616580
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 7, 2022, midnight
Added to db Oct. 24, 2023, 1:34 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Fantasy – a new Agrius wiper deployed through a supply-chain attack
Title Fantasy – a new Agrius wiper deployed through a supply-chain attack
Detected Hints/Tags/Attributes 135/3/39
Source URLs
Redirection Url
Details Source https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
URL Provider
Details Provider Source level domain
Details welivesecurity.com www.welivesecurity.com
Attributes
Details Type #Events CTI Value
Details Domain 114 
eset.com
Details Domain 88 
secretsdump.py
Details Email 69 
threatintel@eset.com
Details File 122 
psexec.exe
Details File 2 
fantasy35.exe
Details File 1 
fantasy45.exe
Details File 1 
registry.bat
Details File 11 
%windir%\system32\rundll32.exe
Details File 229 
advapi32.dll
Details File 7 
system.bat
Details File 4 
remover.bat
Details File 1 
host2ip.exe
Details File 5 
minidump.exe
Details File 85 
secretsdump.py
Details File 1 
spchost.exe
Details sha1 1 
1a62031bbb2c3f55d44f59917fd32e4ed2041224
Details sha1 1 
820ad7e30b4c54692d07b29361aecd0bb14df3be
Details sha1 2 
1aae62acee3c04a6728f9edc3756fabd6e342252
Details sha1 1 
5485c627922a71b04d4c78fbc25985cdb163313b
Details sha1 1 
db11cbffe30e0094d6de48259c5a919c1eb57108
Details sha1 1 
3228e6bc8c738781176e65ebbc0eb52020a44866
Details sha1 1 
b3b1edd6b80af0cdadadd1ee1448056e6e1b3274
Details MITRE ATT&CK Techniques 56 
T1587
Details MITRE ATT&CK Techniques 96 
T1587.001
Details MITRE ATT&CK Techniques 71 
T1078.002
Details MITRE ATT&CK Techniques 43 
T1078.003
Details MITRE ATT&CK Techniques 333 
T1059.003
Details MITRE ATT&CK Techniques 116 
T1134
Details MITRE ATT&CK Techniques 93 
T1070.006
Details MITRE ATT&CK Techniques 289 
T1003
Details MITRE ATT&CK Techniques 176 
T1135
Details MITRE ATT&CK Techniques 139 
T1021.002
Details MITRE ATT&CK Techniques 118 
T1570
Details MITRE ATT&CK Techniques 93 
T1485
Details MITRE ATT&CK Techniques 15 
T1561.002
Details MITRE ATT&CK Techniques 8 
T1561.001
Details MITRE ATT&CK Techniques 48 
T1529
Details Windows Registry Key 1 
HKCR\.EXE
Details Windows Registry Key 1 
HKCR\.dll