Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter, Develop Capabilities, Scheduled Task/Job
country: Canada, United Kingdom, United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct Indirect Model, Clipboard Data - T1414, Command And Scripting Interpreter - T1623, Credentials - T1589.001, Credentials From Web Browsers - T1555.003, Credentials From Web Browsers - T1503, Credentials In Files - T1552.001, Data Encrypted For Impact - T1471, Data Encrypted For Impact - T1486, Develop Capabilities - T1587, Disable Or Modify System Firewall - T1562.004, Disable Or Modify Tools - T1562.001, Disable Or Modify Tools - T1629.003, Domain Account - T1087.002, Domain Account - T1136.002, Domain Groups - T1069.002, Domain Trust Discovery - T1482, Exfiltration Over Alternative Protocol - T1639, Exfiltration Over Web Service - T1567, Exfiltration To Cloud Storage - T1567.002, File And Directory Discovery - T1420, Impair Defenses - T1562, Impair Defenses - T1629, Indicator Blocking - T1562.006, Ingress Tool Transfer - T1544, Ip Addresses - T1590.005, Local Account - T1087.001, Local Account - T1136.001, Lsass Memory - T1003.001, Malware - T1587.001, Malware - T1588.001, Ntds - T1003.003, Phishing - T1660, Phishing - T1566, Powershell - T1059.001, Remote Access Software - T1663, Remote Desktop Protocol - T1021.001, Scheduled Task/Job - T1603, Server - T1583.004, Server - T1584.004, Software - T1592.002, Windows Command Shell - T1059.003, Transfer Data To Cloud Account - T1537, Unsecured Credentials - T1552, Vulnerabilities - T1588.006, Account Discovery - T1087, Account Manipulation - T1098, Clipboard Data - T1115, Command-Line Interface - T1059, Create Account - T1136, Credential Dumping - T1003, Credentials In Files - T1081, Exfiltration Over Alternative Protocol - T1048, External Remote Services - T1133, File And Directory Discovery - T1083, Remote File Copy - T1105, Modify Registry - T1112, Network Service Scanning - T1046, Network Share Discovery - T1135, Permission Groups Discovery - T1069, Powershell - T1086, Query Registry - T1012, Remote Access Tools - T1219, Remote Desktop Protocol - T1076, Remote Services - T1021, Remote System Discovery - T1018, Scheduled Task - T1053, System Owner/User Discovery - T1033, Valid Accounts - T1078, External Remote Services, Remote System Discovery, Valid Accounts
Common Information
UUID: abfe90ba-98d4-47d5-a420-5c6d268262d5
Fingerprint: aa844152a83c341f
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: July 13, 2023, 10 a.m.
Added to db: July 13, 2023, 12:01 p.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group
Title: Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group
Detected Hints/Tags/Attributes: 169/4/43
RSS Feed
Id: 238
Feed title: SOCRadar® Cyber Intelligence Inc.
Url: https://socradar.io/feed/
Added to db: 2024-08-30 22:08
Attributes
Type | #Events | Value
CVE | 140 | cve-2023-27350
CVE | 20 | cve-2022-37042
CVE | 29 | cve-2022-27925
CVE | 60 | cve-2021-4034
CVE | 142 | cve-2021-34523