Malware Analysis: Blind Eagle's North American Journey
Common Information
Type Value
UUID 9b1ecf65-37cd-41e7-b533-c558d66de446
Fingerprint 15669d91a1354392
Analysis status DONE
Considered CTI value 2
Text language
Published May 29, 2024, midnight
Added to db Oct. 1, 2024, 3:44 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Blind Eagle's North American Journey
Title Malware Analysis: Blind Eagle's North American Journey
Detected Hints/Tags/Attributes 127/4/72
Attributes
Type	#Events	CTI Value
CVE	53	cve-2024-29847
CVE	84	cve-2024-40766
Domain	2	pasteio.com
Domain	3	wtools.io
Domain	1	ia903401.us.archive.org
Domain	358	pastebin.com
Domain	1	rxms.duckdns.org
Domain	1	njnjnjs.duckdns.org
Domain	1373	twitter.com
File	2125	cmd.exe
File	1208	powershell.exe
File	48	applaunch.exe
File	4	aspnet_regbrowsers.exe
File	26	cvtres.exe
File	8	ilasm.exe
File	13	jsc.exe
File	149	msbuild.exe
File	103	regasm.exe
File	72	regsvcs.exe
File	1	instalutil.exe
File	2	xx1.ps1
File	2	xx2.vbs
File	2	xx.vbs
File	2	dll.txt
File	1	simples.exe
File	1	vbs-crypter.exe
File	11	application.exe
md5	1	48b6064beec687fc110145cf7a19640d
md5	1	b167a0bc7b097550a89a5ba4cb258592
md5	2	5d4c903e2ba132fe886be296c10707e9
md5	1	b8f878d1ee6a118f9eee4cf111193f53
md5	1	4c30ea433832fb13b5d7637d3b13bead
md5	3	2a59f2a51b96d9364e10182a063d9bec
md5	1	99d3b2eb598775d41b18d57a9d1dc9ee
md5	1	97c880a2514a9faaaa327e745a4c5c5c
md5	1	9e447f721d859407da88a8e6992e4aa0
md5	1	2885d0ab293d957f2a237a64f956d61a
md5	1	64b690d32216049b199234c5fc092e6f
md5	1	1a321713876f764543d75859a4727b9a
md5	1	a5da69e6c72a8759297415a0e30cbea8
md5	1	bcb0ed502a8275a23a9d627f319cb610
md5	1	6ecd3d6c93cec7e7133afd691c2c2225
md5	1	e14efed36bb6870d65277776281dc3b3
md5	1	fb4c1a0a6d525af1e3778e9e9ee48c7d
md5	1	2e30e9db2016f9cb67d0f5ec4ca3d0a3
md5	1	6f62e2abb7558c83f2a4d3edefa05c7f
md5	1	ffcbdcec38e077448a87f5546dada7bd
md5	1	ac2940e6619dbc4dbb1a096f657dd346
md5	1	e3962d6ecd509dcb7669b8df6dbb5c76
md5	1	a2994443fac8cf94f497dcf204ab818e
md5	1	0b9cc70477af81a3fc8a5d335162f96d
md5	1	191d5bf5d3ab54549d436399bcab642d
md5	1	137f21d1f8fdd5cfe86637368b526027
md5	2	7b72f2775b7bf33c9778533480d34e04
md5	1	917392f4b75c0b5f19839c2da1af2d37
md5	1	76250bc5ea0235a90bc153e0d7262349
md5	1	FF7378C2D2969BB7BFD41F14D42772D3
IPv4	1441	127.0.0.1
IPv4	2	1.0.15.0
IPv4	3	91.213.50.74
MITRE ATT&CK Techniques	86	T1055.012
MITRE ATT&CK Techniques	409	T1566
MITRE ATT&CK Techniques	365	T1204.002
MITRE ATT&CK Techniques	380	T1547.001
MITRE ATT&CK Techniques	460	T1059.001
Threat Actor Identifier - APT-C	83	APT-C-36
Url	1	https://ia903401.us.archive.org/28/items/dll_20210416_20210416_2051/dll.txt
Url	1	https://pastebin.com/raw/vwbv5pxc
Url	1	https://wtools.io/code/dl/bold.
Url	1	https://twitter.com/0xtoxin/status/1674401247464509441?s=20
Url	1	https://twitter.com/1zrr4h/status/1677747923600257028?s=20
Yara rule	1	(rule follows)
rule Ande_Loader {
	meta:
		author = "eSentire TI"
		description = "Ande_Loader"
		date = "7/3/2023"
	strings:
		// ASCII "79172B13-EDBA-4096-B725-8E92B730B2BA" (a GUID-formatted string)
		$s1 = { 37 39 31 37 32 42 31 33 2D 45 44 42 41 2D 34 30 39 36 2D 42 37 32 35 2D 38 45 39 32 42 37 33 30 42 32 42 41 }
		// ASCII "VAI"
		$s2 = { 56 41 49 }
		// CIL callvirt opcode (0x6F) followed by the little-endian MemberRef token 0x0A000025
		$s3 = { 6F 25 00 00 0A }
		// CIL call opcode (0x28) followed by a MemberRef token (0x0A0000??) with its low byte wildcarded
		$s4 = { 28 ?? 00 00 0A }
	condition:
		// every string must be present; the two short patterns alone would match far too broadly
		all of ($s*)
}