An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
Tags
cmtmf-attack-pattern: Application Layer Protocol Command And Scripting Interpreter Obfuscated Files Or Information Process Injection
country: Germany Italy
maec-delivery-vectors: Watering Hole
attack-pattern: Data Software Discovery - T1418 Application Layer Protocol - T1437 Command And Scripting Interpreter - T1623 Domains - T1583.001 Domains - T1584.001 Exfiltration Over C2 Channel - T1646 Exploits - T1587.004 Exploits - T1588.005 File And Directory Discovery - T1420 File Deletion - T1070.004 File Deletion - T1630.002 Hidden Files And Directories - T1564.001 Hide Artifacts - T1628 Hide Artifacts - T1564 Ingress Tool Transfer - T1544 Ip Addresses - T1590.005 Malicious File - T1204.002 Malicious Link - T1204.001 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 System Information Discovery - T1426 Phishing - T1660 Phishing - T1566 Portable Executable Injection - T1055.002 Powershell - T1059.001 Process Injection - T1631 Security Software Discovery - T1418.001 Security Software Discovery - T1518.001 Server - T1583.004 Server - T1584.004 Software Discovery - T1518 Spearphishing Link - T1566.002 Spearphishing Link - T1598.003 System Checks - T1633.001 System Checks - T1497.001 Windows Command Shell - T1059.003 Web Protocols - T1071.001 Virtualization/Sandbox Evasion - T1497 Virtualization/Sandbox Evasion - T1633 Standard Application Layer Protocol - T1071 Command-Line Interface - T1059 Deobfuscate/Decode Files Or Information - T1140 Exfiltration Over Command And Control Channel - T1041 File And Directory Discovery - T1083 File Deletion - T1107 Hidden Files And Directories - T1158 Indicator Removal On Host - T1070 Remote File Copy - T1105 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Injection - T1055 Security Software Discovery - T1063 Spearphishing Link - T1192 System Information Discovery - T1082 System Owner/User Discovery - T1033 User Execution - T1204 User Execution
Common Information
Type Value
UUID f93c107f-68f0-40b8-aa7c-c976481b1585
Fingerprint ac2c0d676fbf8781
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 22, 2022, 4:39 p.m.
Added to db Aug. 13, 2023, 1:02 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
Title An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
Detected Hints/Tags/Attributes 107/4/65
Attributes
Details Type #Events CTI Value
MITRE ATT&CK Techniques (#Events):
T1566.002 (183)
T1059.001 (460)
T1059.003 (333)
T1204.001 (106)
T1204.002 (365)
T1140 (504)
T1564.001 (94)
T1497.001 (97)
T1070.004 (297)
T1027 (627)
T1055.002 (40)
T1082 (1006)
T1083 (585)
T1518.001 (141)
T1105 (492)
T1071.001 (442)
T1071 (444)
T1041 (422)
Details Yara rule 1
rule AUI001_InfoStealer_85233_98005 {
	meta:
		author = "Cluster25"
		description = "Detects final-stage payload of AUI001 InfoStealer RAT"
		tlp = "white"
		score = 100
	strings:
		$r1 = "Pool" ascii fullword
		$r2 = "Soccer" ascii fullword
		$r3 = "Street" ascii fullword
		$r4 = "Football" ascii fullword
		$g1 = "GZipStream" ascii fullword
		$f1 = "get_Module" ascii fullword
		$f2 = "Reverse" ascii fullword
		$f3 = "BlockCopy" ascii fullword
		$f4 = "ReadByte" ascii fullword
		$s1 = "{11111-22222-10009-11112}" wide fullword
		$s2 = "{11111-22222-50001-00000}" wide fullword
		$s3 = { 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 20 00 00 0B 41 00 6C 00 6C 00 6F 00 63 00 00 0D 57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 00 0D 4D 00 65 00 6D 00 6F 00 72 00 79 00 00 0F 50 00 72 00 6F 00 74 00 65 00 63 00 74 00 00 0B 4F 00 70 00 65 00 6E 00 20 00 00 0F 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 00 0D 43 00 6C 00 6F 00 73 00 65 00 20 00 00 0D 48 00 61 00 6E 00 64 00 6C 00 65 00 00 0F 6B 00 65 00 72 00 6E 00 65 00 6C 00 20 00 00 0D 33 00 32 00 2E 00 64 00 6C 00 6C }
	condition:
		uint16(0) == 0x5a4d and $g1 and (all of ($r*) or (all of ($f*) and 2 of ($s*)))
}