OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
Common Information

Type: Value
UUID: d9997e40-2cc3-4a87-95f4-fd8658be27e2
Fingerprint: a41f0d5bad31c7d4
Analysis status: DONE
Considered CTI value: 2
Text language: (not set)
Published: July 27, 2017, 2 a.m.
Added to db: Sept. 26, 2022, 9:33 a.m.
Last updated: Nov. 18, 2024, 1:38 a.m.
Headline: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
Title: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
Detected Hints/Tags/Attributes: 78/1/42
Attributes