Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

    Date: 09/09/2025

    Severity: Critical

    Summary

    The intrusion began in September 2024 via a malicious EarthTime installer that deployed SectopRAT and connected to its C2 server. Persistence was established by moving the file and adding a Startup shortcut, followed by creating a local admin account. The actor deployed SystemBC, accessed the host via RDP, ran discovery commands, and performed a DCSync attack. They used RDP and PsExec to move laterally, executed SystemBC with SYSTEM privileges, and performed domain enumeration.

    Indicators of Compromise (IOC) List

    Domains\URLs :

    504e1c95.host.njalla.net

    IP Address :

    45.141.87.55

    149.28.101.219

    80.78.28.149

    144.202.61.209

    Hash :


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs :

    domainname like "504e1c95.host.njalla.net" or url like "504e1c95.host.njalla.net" or siteurl like "504e1c95.host.njalla.net"

    IP Address :

    dstipaddress IN ("45.141.87.55","149.28.101.219","80.78.28.149","144.202.61.209") or srcipaddress IN ("45.141.87.55","149.28.101.219","80.78.28.149","144.202.61.209")

    Hash 1 (MD5) :

    md5hash IN ("88df27b6e794e3fd5f93f28b1ca1d3d0","e963d598a86c5ee428a2eefa34d1ffbb","27f7186499bc8d10e51d17d3d6697bc5","71f703024c3d3bfc409f66bb61f971a0","5675a7773f6d3224bfefdc01745f8411","c6f92d1801d7d212282a6dd8f11b44fe","95c96de7dcb5a643559ac66045559cc9","abb2a6a0f771ab20ce2037d2c4ef5783","12011c44955fd6631113f68a99447515","829a9dfd2cdcf50519a1cec1f529854b")

    Hash 2 (SHA1) :

    sha1hash IN ("142294249feb536e0edbe6e2de3eb3c3415ecf39","f24fc14f39c160b54dc3b2fbd1eba605ec0eb04f","2114d655805f465d11b720830d150c145039bcd4","c0e5e4b5fcbd0a30b042e602d99a6ee81ad5d8d7","5bf41754bfb3a18611b2a02f7f385960ed24f8e1","4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d","d15d45d9d9a8ef7a9f048d74b386f620f3b82576","68b6d0cc1430e2d4f70e2ba5026d1c4847324269","ac0fcbc148e45e172c9be0acf9c307186f898803","52332ce16ee0c393b8eea6e71863ad41e3caeafd")

    Hash 3 (SHA256) :

    sha256hash IN ("bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805","ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca","6f9326224e6047458e692cd27aeb1054b9381c67aaf2fe238dbebfbc916c4b33","18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566","f8810179ab033a9b79cd7006c1a74fbcde6ed0451c92fbb8c7ce15b52499353a","a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed","c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3","e1521e077079032df974c7ae39e4737cdb4f05c6ded677ed5446167466eeb899","a4bc6bebabb52ed9816987b77ebae6ef70e174533a643aea6265bdf1ed9b8952","aeaf7cc7364a44b381af9f317fe6f78c2717217800b93bee8839ab3e56233254")
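    The three TDIR queries above expressed as plain predicates and run over constructed sample events, as an added example that is not part of the original advisory or of Gurucul's product. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash) come from the queries; the events are made up, only a few of the page's hashes are included, and treating "like" as a case-insensitive substring match (so a full URL containing the host matches) is an assumption about the query language.

```python
# Added example, not from the advisory: the page's IOC queries as Python predicates.
# Field names follow the Gurucul TDIR queries; sample events are constructed.

IOC_DOMAINS = {"504e1c95.host.njalla.net"}
IOC_IPS = {"45.141.87.55", "149.28.101.219", "80.78.28.149", "144.202.61.209"}
# A few hashes from the page (one MD5, one SHA1, one SHA256); the full
# sets are in the md5hash / sha1hash / sha256hash queries above.
IOC_HASHES = {
    "71f703024c3d3bfc409f66bb61f971a0",
    "f24fc14f39c160b54dc3b2fbd1eba605ec0eb04f",
    "bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805",
}


def _like(value, needle):
    # Assumption: "like" behaves as a case-insensitive substring match, so a
    # full URL such as https://host/path still matches the bare hostname.
    return value is not None and needle.lower() in value.lower()


def match_domain(event):
    fields = ("domainname", "url", "siteurl")
    return any(_like(event.get(f), d) for f in fields for d in IOC_DOMAINS)


def match_ip(event):
    # Either direction, mirroring "dstipaddress IN (...) or srcipaddress IN (...)".
    return any(event.get(f) in IOC_IPS for f in ("srcipaddress", "dstipaddress"))


def match_hash(event):
    # Hashes are normalised to lowercase before lookup; missing fields never match.
    fields = ("md5hash", "sha1hash", "sha256hash")
    return any((event.get(f) or "").lower() in IOC_HASHES for f in fields)


def classify(event):
    checks = (("domain", match_domain), ("ip", match_ip), ("hash", match_hash))
    return [name for name, fn in checks if fn(event)]


def scan(events):
    # Map event id -> list of matched IOC classes, keeping only events that hit.
    return {e["id"]: classify(e) for e in events if classify(e)}


SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "45.141.87.55", "url": None},
    {"id": 2, "url": "https://504e1c95.host.njalla.net/update.bin", "dstipaddress": "10.0.0.9"},
    {"id": 3, "md5hash": "71F703024C3D3BFC409F66BB61F971A0", "filename": "installer-sample.exe"},
    {"id": 4, "srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8", "sha256hash": "00" * 32},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```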

    Reference:

    https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/#detections


    Tags

    Malware, Ransomware, SectopRAT, DCSync
