A Deep Dive Into the APT28’s stealer called CredoMap
Tags
- country: Russia, Ukraine
- attack-pattern:
  - T1589.001 Gather Victim Identity Information: Credentials
  - T1587.001 Develop Capabilities: Malware
  - T1588.001 Obtain Capabilities: Malware
  - T1583.004 Acquire Infrastructure: Server
  - T1584.004 Compromise Infrastructure: Server
Common Information
Type | Value |
---|---|
UUID | d63373f5-7520-4290-905e-611349154bdf |
Fingerprint | ac159d9ae8382aaf |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Dec. 27, 2022, midnight |
Added to db | Jan. 16, 2023, 3:54 p.m. |
Last updated | Nov. 18, 2024, 1:38 a.m. |
Headline | A Deep Dive Into the APT28’s stealer called CredoMap |
Title | A Deep Dive Into the APT28’s stealer called CredoMap |
Detected Hints/Tags/Attributes | 39/2/15 |
Source URLs
Redirection | URL |
---|---|
Source | https://securityscorecard.com/research/apt28s-stealer-called-credomap |
Attributes
Type | #Events | Value |
---|---|---|
CVE | 172 | cve-2022-30190 |
File | 1 | gcmblockcipher.ini |
File | 60 | cookies.sql |
File | 64 | logins.json |
File | 41 | key4.db |
File | 12 | cert9.db |
File | 24 | signons.sql |
File | 36 | key3.db |
File | 10 | cert8.db |
File | 25 | interop.dll |
File | 2127 | cmd.exe |
sha256 | 3 | 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933 |
IPv4 | 3 | 162.241.216.236 |
Threat Actor Identifier - APT | 783 | APT28 |
Yara rule | 1 | CredoMap_APT28 (rule text below) |

```yara
rule CredoMap_APT28 {
    meta:
        author = "Vlad Pasca - SecurityScorecard"
        Date = "2022-09-16"
    strings:
        $s1 = "\\cookies.sqlite" wide fullword
        $s2 = "SQLite.Interop.dll" wide fullword
        $s3 = "Subject:" wide fullword
        $s4 = "$ LOGIN" wide fullword
        $s5 = "/C Del" wide fullword
    condition:
        (uint16(0) == 0x5A4D) and (4 of ($s*))
}
```
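The following is an added illustration, not code from the SecurityScorecard write-up or from this record: the condition of the CredoMap_APT28 rule re-implemented in plain Python so that the two things the rule actually checks are visible. `uint16(0) == 0x5A4D` is the little-endian "MZ" magic of a PE file, and `wide fullword` means each literal is matched as UTF-16LE (the way a .NET binary stores its user strings) and discarded when the 16-bit code unit immediately before or after it is an ASCII alphanumeric. The sample buffers are constructed for the demonstration and are not real CredoMap samples; the rule strings are the five from the record above.

```python
from typing import Dict, List

# The five literals from the CredoMap_APT28 rule on this page, each declared
# "wide fullword" in the original YARA source.
RULE_STRINGS = {
    "s1": "\\cookies.sqlite",
    "s2": "SQLite.Interop.dll",
    "s3": "Subject:",
    "s4": "$ LOGIN",
    "s5": "/C Del",
}
MIN_MATCHES = 4  # the rule's "4 of ($s*)"


def wide_fullword_offsets(data: bytes, literal: str) -> List[int]:
    """Offsets where `literal` occurs as UTF-16LE under YARA's wide-fullword
    boundary check: the code unit before the match and the code unit after it
    must not be an ASCII alphanumeric, i.e. the byte pair (alnum, 0x00)."""
    needle = literal.encode("utf-16-le")
    hits: List[int] = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        start = i + 1
        end = i + len(needle)
        # Preceding code unit is alphanumeric -> not a full word.
        if i >= 2 and data[i - 1] == 0 and bytes([data[i - 2]]).isalnum():
            continue
        # Following code unit is alphanumeric -> not a full word.
        if end + 1 < len(data) and data[end + 1] == 0 and bytes([data[end]]).isalnum():
            continue
        hits.append(i)
    return hits


def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Re-implementation of the rule condition:
    (uint16(0) == 0x5A4D) and (4 of ($s*))."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    matched = {
        name: wide_fullword_offsets(data, s) for name, s in RULE_STRINGS.items()
    }
    matched = {name: offs for name, offs in matched.items() if offs}
    return {
        "mz_header": is_mz,
        "matched": sorted(matched),
        "detected": is_mz and len(matched) >= MIN_MATCHES,
    }


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample buffers (not real malware): a DOS "MZ" magic, padding, and
# the rule's literals stored as NUL-terminated UTF-16LE strings.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 62
    + _wide("\\cookies.sqlite") + b"\x00\x00"
    + _wide("SQLite.Interop.dll") + b"\x00\x00"
    + _wide("$ LOGIN") + b"\x00\x00"
    + _wide("/C Del") + b"\x00\x00"
)
# Same strings, but the file is not a PE: the uint16(0) check must reject it.
SAMPLE_NOT_PE = b"\x7fELF" + SAMPLE_HIT[4:]
# PE magic, but two literals are glued into longer words ("...sqlite2",
# "$ LOGINS"), so fullword rejects them and only two strings remain.
SAMPLE_FULLWORD_MISS = (
    b"MZ" + b"\x00" * 62
    + _wide("\\cookies.sqlite2") + b"\x00\x00"
    + _wide("SQLite.Interop.dll") + b"\x00\x00"
    + _wide("$ LOGINS") + b"\x00\x00"
    + _wide("/C Del") + b"\x00\x00"
)


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("not-pe", SAMPLE_NOT_PE),
                       ("fullword-miss", SAMPLE_FULLWORD_MISS)):
        print(label, evaluate_rule(buf))
```

The fullword cases are the ones worth keeping in mind when porting a YARA rule to another scanner: a literal such as `$ LOGIN` followed by another letter is silently not a match in YARA, so a naive substring search would over-match relative to the published rule.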