Bellingcat Malware Investigation

    Date: 08/26/2024

    Severity: Medium

    Summary

    The "Bellingcat Malware Investigation" refers to a series of investigative efforts by the open-source intelligence group Bellingcat to analyze and uncover details about malware used in cyberattacks. This investigation typically involves tracking the origins, capabilities, and targets of the malware, often focusing on attribution to specific threat actors or state-sponsored groups. Bellingcat's work is notable for its use of publicly available information and advanced analytical techniques to provide insights into the malware's impact and the broader cyber threat landscape.

    Indicators of Compromise (IOC) List

    URL/Domain

    zdg.re

    news4you.top

    pdf-online.top

    usaid.pm

    IP Address

    141.8.193.27

    18.213.250.117

    46.29.239.17

    185.185.71.250

    193.106.174.139

    80.78.26.183

    Hash

    c3faaa3a6b0831f1d3974fcee80588812ca7afeb53cc173e0b83bcb6787fa13e
    
    506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573
    
    9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585
    
    114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb
    
    61edbae96a0e64d68f457fdc0fc4f4a66df61436a383b8e4ea2a30d9c9c2adde
    
    5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057
    
    e058bc966a436982aef3b2cbc78a380be324e80fd0789716d0c069dd441d9a48
    
    a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921
    
    f080eec275f07aec6b7a617e215d034e67e011184e1de5b2e71e441a6dd8027f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "zdg.re" or url like "zdg.re" or userdomainname like "news4you.top" or url like "news4you.top" or userdomainname like "pdf-online.top" or url like "pdf-online.top" or userdomainname like "usaid.pm" or url like "usaid.pm"

    Detection Query 2

    dstipaddress IN ("141.8.193.27","18.213.250.117","46.29.239.17","185.185.71.250","193.106.174.139","80.78.26.183") or ipaddress IN ("141.8.193.27","18.213.250.117","46.29.239.17","185.185.71.250","193.106.174.139","80.78.26.183") or publicipaddress IN ("141.8.193.27","18.213.250.117","46.29.239.17","185.185.71.250","193.106.174.139","80.78.26.183") or srcipaddress IN ("141.8.193.27","18.213.250.117","46.29.239.17","185.185.71.250","193.106.174.139","80.78.26.183")

    Detection Query 3

    sha256hash IN ("c3faaa3a6b0831f1d3974fcee80588812ca7afeb53cc173e0b83bcb6787fa13e","506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573","9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585","114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb","61edbae96a0e64d68f457fdc0fc4f4a66df61436a383b8e4ea2a30d9c9c2adde","5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057","e058bc966a436982aef3b2cbc78a380be324e80fd0789716d0c069dd441d9a48","a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921","f080eec275f07aec6b7a617e215d034e67e011184e1de5b2e71e441a6dd8027f")
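The three queries above each fire when any one indicator appears in any one of the named fields. The Python below is an added example, not code from this page or from Gurucul's TDIR product: it re-implements the same three checks over a few constructed newline-delimited JSON events so the logic can be exercised offline, with two refinements a practitioner usually wants. Hostnames are matched exactly or as subdomains of an IOC domain rather than as substrings (if `like` is a substring match, `like "zdg.re"` would also fire on a URL whose path merely contains that string), and hashes are lower-cased and validated as 64 hex characters before use, which catches copy-paste damage when an IOC list is loaded. The event field names (user_domain, url, src_ip, dst_ip, public_ip, sha256) and the sample log lines are assumptions made for this example.

```python
"""IOC matching over sample events (added example, not from the page).

The event field names and SAMPLE_LOG below are constructed for the example
and are not real telemetry.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list above.
IOC_DOMAINS = {"zdg.re", "news4you.top", "pdf-online.top", "usaid.pm"}
IOC_IPS = {
    "141.8.193.27", "18.213.250.117", "46.29.239.17",
    "185.185.71.250", "193.106.174.139", "80.78.26.183",
}
IOC_SHA256 = {
    "c3faaa3a6b0831f1d3974fcee80588812ca7afeb53cc173e0b83bcb6787fa13e",
    "506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573",
    "9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585",
    "114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb",
    "61edbae96a0e64d68f457fdc0fc4f4a66df61436a383b8e4ea2a30d9c9c2adde",
    "5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057",
    "e058bc966a436982aef3b2cbc78a380be324e80fd0789716d0c069dd441d9a48",
    "a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921",
    "f080eec275f07aec6b7a617e215d034e67e011184e1de5b2e71e441a6dd8027f",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def validate_iocs():
    """Sanity-check the copied indicators before loading them into a SIEM.

    Returns a list of problems; an empty list means every entry is well formed.
    """
    problems = []
    for h in IOC_SHA256:
        if not SHA256_RE.match(h):
            problems.append(f"bad sha256: {h}")
    for ip in IOC_IPS:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"bad ip: {ip}")
    for d in IOC_DOMAINS:
        if not DOMAIN_RE.fullmatch(d):
            problems.append(f"bad domain: {d}")
    return problems


def host_of(value):
    """Return a lowercase hostname from either a bare host or a full URL."""
    if not value:
        return ""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")


def domain_matches(value):
    """Return the IOC domain that value equals or is a subdomain of, else None.

    Suffix matching on a dot boundary avoids substring false positives such as
    'news4you.top.example.org' or a URL path that merely contains 'zdg.re'.
    """
    host = host_of(value)
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_event(event):
    """Return (indicator_type, indicator, field) hits for one parsed event."""
    hits = []
    for field in ("user_domain", "url"):          # Detection Query 1
        d = domain_matches(event.get(field, ""))
        if d:
            hits.append(("domain", d, field))
    for field in ("src_ip", "dst_ip", "public_ip"):  # Detection Query 2
        ip = event.get(field)
        if ip in IOC_IPS:
            hits.append(("ip", ip, field))
    h = (event.get("sha256") or "").lower()       # Detection Query 3
    if h in IOC_SHA256:
        hits.append(("sha256", h, "sha256"))
    return hits


def scan_log(lines):
    """Run the checks over NDJSON lines; returns {line_index: hits} for hits only."""
    results = {}
    for i, line in enumerate(lines):
        line = line.strip()
        if line:
            hits = match_event(json.loads(line))
            if hits:
                results[i] = hits
    return results


# Constructed sample events (not real telemetry). Lines 2 and 5 are near misses.
SAMPLE_LOG = """
{"src_ip": "10.0.0.5", "dst_ip": "141.8.193.27", "url": "https://pdf-online.top/view.php"}
{"src_ip": "10.0.0.6", "dst_ip": "93.184.216.34", "url": "https://news4you.top.example.org/"}
{"src_ip": "10.0.0.7", "dst_ip": "93.184.216.34", "url": "https://docs.usaid.pm/report"}
{"user_domain": "corp.example", "sha256": "C3FAAA3A6B0831F1D3974FCEE80588812CA7AFEB53CC173E0B83BCB6787FA13E"}
{"src_ip": "10.0.0.8", "dst_ip": "8.8.8.8", "url": "https://example.org/zdg.re"}
"""

if __name__ == "__main__":
    assert not validate_iocs(), validate_iocs()
    for idx, hits in scan_log(SAMPLE_LOG.splitlines()).items():
        print(idx, hits)
```

Only the first, third and fourth sample events should match; the second and fifth contain an IOC string without the host actually being that domain, which is exactly the case a substring match would misreport. The `validate_iocs` check is worth keeping in any ingestion script, since a hash truncated by a copy-paste silently matches nothing.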

    References:

    https://gurucul.com/blog/bellingcat-malware-investigation/#ioc-s

    https://www.virustotal.com/gui/collection/03b092720da6446d24723a6667af1ebdcf33061a63c764b703cfbd90014fb8f6/iocs?ref=intelcorgi.com

    Tags

    Malware, APT, Gurucul
