#StopRansomware: RansomHub Ransomware

    Date: 08/30/2024

    Severity: Critical

    Summary

    This joint Cybersecurity Advisory is part of the #StopRansomware initiative, aimed at informing network defenders about various ransomware variants and threat actors. It includes tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to enhance ransomware protection. For more advisories and resources, visit stopransomware.gov. The FBI, CISA, MS-ISAC, and HHS have released this advisory to share known RansomHub ransomware IOCs and TTPs.

    Indicators of Compromise (IOC) List

    Domains/URLs

    IP Address

    Process Creation

    BITSAdmin 

    Cobalt Strike

    Mimikatz

    PSExec

    PowerShell

    RClone

    Sliver

    SMBExec

    WinSCP

    CrackMapExec

    Kerberoast

    AngryIPScanner

    Crackmapexec.exe

    Kerbrute.exe

    Anydesk.exe

    IamBatMan.exe

    Stealer_cli_v2.exe

    Nmap-7.94-setup.exe

    Nmap.exe

    mimikatz.exe

    File Creation 

    C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe

    C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe

    C:\Users\%USERNAME%\Downloads\Anydesk.exe

    C:\Users\%USERNAME%\Desktop\IamBatMan.exe

    C:\Users\backupexec\Desktop\stealer_cli_v2.exe

    C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe

    C:\Program Files (x86)\Nmap\nmap.exe

    C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe

    C:\Users\backupexec\Downloads\x64\mimikatz.exe

    Email Address

    brahma2023@onionmail.org

    <victim_organization_name>@protonmail.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/Urls Query 1

    userdomainname like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources.exe" or url like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources.exe" or userdomainname like "http://89.23.96.203/333/mshtml.dll" or url like "http://89.23.96.203/333/mshtml.dll" or userdomainname like "https://samuelelena.co/npm" or url like "https://samuelelena.co/npm" or userdomainname like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.exe" or url like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.exe" or userdomainname like "http://89.23.96.203/333/92.exe" or url like "http://89.23.96.203/333/92.exe" or userdomainname like "http://89.23.96.203/333/4.exe" or url like "http://89.23.96.203/333/4.exe" or userdomainname like "http://89.23.96.203/333/information.exe" or url like "http://89.23.96.203/333/information.exe" or userdomainname like "http://samuelelena.co/" or url like "http://samuelelena.co/" or userdomainname like "https://samuelelena.co/npm/module.tripadvisor/module.tripadvisor.js" or url like "https://samuelelena.co/npm/module.tripadvisor/module.tripadvisor.js" or userdomainname like "http://89.23.96.203/333/urlmon.dll" or url like "http://89.23.96.203/333/urlmon.dll" or userdomainname like "http://89.23.96.203/333/7.exe" or url like "http://89.23.96.203/333/7.exe" or userdomainname like "http://89.23.96.203/333/cryptnet.dll" or url like "http://89.23.96.203/333/cryptnet.dll" or userdomainname like "https://12301230.co/npm/module.tripadvisor/module.tripadvisor.css" or url like "https://12301230.co/npm/module.tripadvisor/module.tripadvisor.css" or userdomainname like "http://188.34.188.7/555" or url like "http://188.34.188.7/555" or userdomainname like "http://samuelelena.co/npm/module.external/client.min.js" or url like "http://samuelelena.co/npm/module.external/client.min.js" or userdomainname like "https://samuelelena.co/npm/module.tripadvisor/module.tripadvisor." 
or url like "https://samuelelena.co/npm/module.tripadvisor/module.tripadvisor." or userdomainname like "http://89.23.96.203/333/iertutil.dll" or url like "http://89.23.96.203/333/iertutil.dll" or userdomainname like "https://12301230.co/npm/module.external/jquery.min.js" or url like "https://12301230.co/npm/module.external/jquery.min.js" or userdomainname like "http://samuelelena.co:443/" or url like "http://samuelelena.co:443/" or userdomainname like "http://188.34.188.7/555/newofficialprogramcauseofnewupdate.exe" or url like "http://188.34.188.7/555/newofficialprogramcauseofnewupdate.exe" or userdomainname like "https://40031.co/npm/module.tripadvisor/module.tripadvisor.js" or url like "https://40031.co/npm/module.tripadvisor/module.tripadvisor.js" or userdomainname like "http://89.23.96.203/333/12.exe" or url like "http://89.23.96.203/333/12.exe" or userdomainname like "http://89.23.96.203/" or url like "http://89.23.96.203/" or userdomainname like "https://samuelelena.co/npm/module.external" or url like "https://samuelelena.co/npm/module.external" or userdomainname like "https://12301230.co/npm/module.external/moment.min.js" or url like "https://12301230.co/npm/module.external/moment.min.js" or userdomainname like "12301230.co" or url like "12301230.co" or userdomainname like "http://89.23.96.203/333/1.exe" or url like "http://89.23.96.203/333/1.exe" or userdomainname like "https://samuelelena.co/" or url like "https://samuelelena.co/" or userdomainname like "http://89.23.96.203/333/1.exe.config" or url like "http://89.23.96.203/333/1.exe.config" or userdomainname like "https://samuelelena.co/npm/module.external/jquery.min.js" or url like "https://samuelelena.co/npm/module.external/jquery.min.js" or userdomainname like "http://89.23.96.203/333/msi.dll" or url like "http://89.23.96.203/333/msi.dll" or userdomainname like "http://188.34.188.7/555/newofficialprogramcauseofnewupdate.exe.config" or url like 
"http://188.34.188.7/555/newofficialprogramcauseofnewupdate.exe.config" or userdomainname like "http://89.23.96.203/333/8.exe" or url like "http://89.23.96.203/333/8.exe" or userdomainname like "http://89.23.96.203/333" or url like "http://89.23.96.203/333"

    Domains/URLs Query 2

    userdomainname like "http://89.23.96.203/333/information.ini" or url like "http://89.23.96.203/333/information.ini" or userdomainname like "http://89.23.96.203/333/winnlsres.dll" or url like "http://89.23.96.203/333/winnlsres.dll" or userdomainname like "https://40031.co/npm/module.tripadvisor/module.tripadvisor.css" or url like "https://40031.co/npm/module.tripadvisor/module.tripadvisor.css" or userdomainname like "http://89.23.96.203/333/cv4tcgxujvs.exe" or url like "http://89.23.96.203/333/cv4tcgxujvs.exe" or userdomainname like "40031.co" or url like "40031.co" or userdomainname like "http://89.23.96.203/333/ambapdf.ico.dll" or url like "http://89.23.96.203/333/ambapdf.ico.dll" or userdomainname like "http://89.23.96.203/333/xwenxub285p83ecrzvft.exe" or url like "http://89.23.96.203/333/xwenxub285p83ecrzvft.exe" or userdomainname like "http://89.23.96.203/333/bcrypt.dll" or url like "http://89.23.96.203/333/bcrypt.dll" or userdomainname like "https://samuelelena.co/np" or url like "https://samuelelena.co/np" or userdomainname like "http://89.23.96.203/333/winhttp.dll" or url like "http://89.23.96.203/333/winhttp.dll" or userdomainname like "http://89.23.96.203/333/2.exe" or url like "http://89.23.96.203/333/2.exe" or userdomainname like "http://89.23.96.203/333/10.exe" or url like "http://89.23.96.203/333/10.exe" or userdomainname like "http://89.23.96.203/333/" or url like "http://89.23.96.203/333/" or userdomainname like "samuelelena.co" or url like "samuelelena.co" or userdomainname like "https://samuelelena.co/npm/module.external/moment.min.js" or url like "https://samuelelena.co/npm/module.external/moment.min.js" or userdomainname like "http://89.23.96.203/333/webio.dll" or url like "http://89.23.96.203/333/webio.dll" or userdomainname like "http://89.23.96.203/333/en" or url like "http://89.23.96.203/333/en" or userdomainname like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources.dll" or url like 
"http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources.dll" or userdomainname like "temp.sh" or url like "temp.sh" or userdomainname like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.dll" or url like "http://89.23.96.203/333/en/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.dll" or userdomainname like "http://89.23.96.203/333/2wrrr6sw6xjtsxypzuhwhdg7qwn4es.exe" or url like "http://89.23.96.203/333/2wrrr6sw6xjtsxypzuhwhdg7qwn4es.exe" or userdomainname like "http://89.23.96.203/333/tmsla6kdcu8jxkzpmvbuvwetef5ycr.exe" or url like "http://89.23.96.203/333/tmsla6kdcu8jxkzpmvbuvwetef5ycr.exe" or userdomainname like "http://89.23.96.203/333/3.exe" or url like "http://89.23.96.203/333/3.exe" or userdomainname like "http://89.23.96.203/333/5.exe.config" or url like "http://89.23.96.203/333/5.exe.config" or userdomainname like "http://89.23.96.203/333/6.exe" or url like "http://89.23.96.203/333/6.exe" or userdomainname like "http://samuelelena.co/npm/" or url like "http://samuelelena.co/npm/" or userdomainname like "http://188.34.188.7/555/en" or url like "http://188.34.188.7/555/en" or userdomainname like "https://samuelelena.co/npm/module.external/client.min.js" or url like "https://samuelelena.co/npm/module.external/client.min.js" or userdomainname like "https://12301230.co/npm/module.external/client.min.js" or url like "https://12301230.co/npm/module.external/client.min.js" or userdomainname like "http://89.23.96.203/333/ambapdf.ico" or url like "http://89.23.96.203/333/ambapdf.ico" or userdomainname like "http://89.23.96.203/333/5.exe" or url like "http://89.23.96.203/333/5.exe" or userdomainname like "https://40031.co/npm/module.external/client.min.js" or url like "https://40031.co/npm/module.external/client.min.js" or userdomainname like "https://12301230.co/npm/module.tripadvisor/module.tripadvisor.js" or url like "https://12301230.co/npm/module.tripadvisor/module.tripadvisor.js" or userdomainname like 
"http://188.34.188.7/555/" or url like "http://188.34.188.7/555/" or userdomainname like "https://40031.co/npm/module.external/jquery.min.js" or url like "https://40031.co/npm/module.external/jquery.min.js" or userdomainname like "http://89.23.96.203/333/9.exe" or url like "http://89.23.96.203/333/9.exe" or userdomainname like "onionmail.org" or url like "onionmail.org" or userdomainname like "http://samuelelena.co/npm/module.tripadvisor/module.tripadvisor.js" or url like "http://samuelelena.co/npm/module.tripadvisor/module.tripadvisor.js" or userdomainname like "http://188.34.188.7/555/bcrypt.dll" or url like "http://188.34.188.7/555/bcrypt.dll" or userdomainname like "grabify.link" or url like "grabify.link" or userdomainname like "http://188.34.188.7/555/amba16.ico" or url like "http://188.34.188.7/555/amba16.ico" or userdomainname like "https://40031.co/npm/module.external/moment.min.js" or url like "https://40031.co/npm/module.external/moment.min.js" or userdomainname like "http://samuelelena.co/npm/module.external/jquery.min.js" or url like "http://samuelelena.co/npm/module.external/jquery.min.js" or userdomainname like "http://188.34.188.7/555/cryptsp.dll" or url like "http://188.34.188.7/555/cryptsp.dll" or userdomainname like "http://188.34.188.7/555/en-us" or url like "http://188.34.188.7/555/en-us" or userdomainname like "http://188.34.188.7/555/newofficialprogramcauseofnewupdate.ini" or url like "http://188.34.188.7/555/newofficialprogramcauseofnewupdate.ini" or userdomainname like "http://89.23.96.203/333/12.exe.config" or url like "http://89.23.96.203/333/12.exe.config" or userdomainname like "http://89.23.96.203/333/2.exe.config" or url like "http://89.23.96.203/333/2.exe.config" or userdomainname like "http://89.23.96.203/333/2wrrr6sw6xjtsxypzuhwhdg7qwn4es.exe.config" or url like "http://89.23.96.203/333/2wrrr6sw6xjtsxypzuhwhdg7qwn4es.exe.config"

    Domains/URLs Query 3

    userdomainname like "http://89.23.96.203/333/cryptbase.dll" or url like "http://89.23.96.203/333/cryptbase.dll" or userdomainname like "http://89.23.96.203/333/cryptsp.dll" or url like "http://89.23.96.203/333/cryptsp.dll" or userdomainname like "http://89.23.96.203/333/cabinet.dll" or url like "http://89.23.96.203/333/cabinet.dll" or userdomainname like "http://89.23.96.203/333/dpapi.dll" or url like "http://89.23.96.203/333/dpapi.dll" or userdomainname like "http://89.23.96.203/333/iphlpapi.dll" or url like "http://89.23.96.203/333/iphlpapi.dll" or userdomainname like "http://89.23.96.203/333/sspicli.dll" or url like "http://89.23.96.203/333/sspicli.dll" or userdomainname like "http://89.23.96.203/333/tmsla6kdcu8jxkzpmvbuvwetef5ycr.exe.config" or url like "http://89.23.96.203/333/tmsla6kdcu8jxkzpmvbuvwetef5ycr.exe.config" or userdomainname like "http://89.23.96.203/333/userenv.dll" or url like "http://89.23.96.203/333/userenv.dll" or userdomainname like "http://89.23.96.203/333/wininet.dll" or url like "http://89.23.96.203/333/wininet.dll" or userdomainname like "http://89.23.96.203/333/winmm.dll" or url like "http://89.23.96.203/333/winmm.dll" or userdomainname like "http://89.23.96.203/333/winmmbase.dll" or url like "http://89.23.96.203/333/winmmbase.dll" or userdomainname like "http://89.23.96.203/333/en-us" or url like "http://89.23.96.203/333/en-us" or userdomainname like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources.dll" or url like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources.dll" or userdomainname like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources.exe" or url like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources.exe" or userdomainname like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.dll" or url like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.dll" or userdomainname like 
"http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.exe" or url like "http://89.23.96.203/333/en-us/d%e5%ad%97%e5%ad%97.resources/d%e5%ad%97%e5%ad%97.resources.exe" or userdomainname like "http://89.23.96.203/333/information.exe.config" or url like "http://89.23.96.203/333/information.exe.config" or userdomainname like "http://89.23.96.203/333/xwenxub285p83ecrzvft.exe.config" or url like "http://89.23.96.203/333/xwenxub285p83ecrzvft.exe.config" or userdomainname like "http://temp.sh/kncqd/superloop.exe" or url like "http://temp.sh/kncqd/superloop.exe" or userdomainname like "https://samuelelena.co/npm/module.external/jquery.min.js" or url like "https://samuelelena.co/npm/module.external/jquery.min.js" or userdomainname like "https://grabify.link/y33yxp" or url like "https://grabify.link/y33yxp" or userdomainname like "https://i.ibb.co/2kbydfw/112882618.png" or url like "https://i.ibb.co/2kbydfw/112882618.png" or userdomainname like "https://i.ibb.co/4g6jh2j/2773036704.png" or url like "https://i.ibb.co/4g6jh2j/2773036704.png" or userdomainname like "https://i.ibb.co/fxhyq6t/2077411869.png" or url like "https://i.ibb.co/fxhyq6t/2077411869.png" or userdomainname like "https://i.ibb.co/hk0jv1g/534475006.png" or url like "https://i.ibb.co/hk0jv1g/534475006.png" or userdomainname like "https://i.ibb.co/sxqlwym/1038436121.png" or url like "https://i.ibb.co/sxqlwym/1038436121.png" or userdomainname like "https://i.ibb.co/v3kj1c2/1154761258.png" or url like "https://i.ibb.co/v3kj1c2/1154761258.png" or userdomainname like "https://i.ibb.co/x2fr8kz/2113791011.png" or url like "https://i.ibb.co/x2fr8kz/2113791011.png" or userdomainname like "https://i.ibb.co/b1bzbpg/2615174623.png" or url like "https://i.ibb.co/b1bzbpg/2615174623.png" or userdomainname like "https://i.ibb.co/nbmnnw4/2501108160.png" or url like "https://i.ibb.co/nbmnnw4/2501108160.png" or userdomainname like "https://i.ibb.co/p1rctpy/2681232755.png" or url like
"https://i.ibb.co/p1rctpy/2681232755.png" or userdomainname like "https://i.ibb.co/v1bn9zk/369210627.png" or url like "https://i.ibb.co/v1bn9zk/369210627.png" or userdomainname like "https://i.ibb.com:443/v3kj1c2/1154761258.png" or url like "https://i.ibb.com:443/v3kj1c2/1154761258.png" or userdomainname like "protonmail.com" or url like "protonmail.com" or userdomainname like "i.ibb.co" or url like "i.ibb.co" or userdomainname like "i.ibb.com" or url like "i.ibb.com" or userdomainname like "ibb.co" or url like "ibb.co" or userdomainname like "ibb.com" or url like "ibb.com"

    IP Address

    dstipaddress IN ("8.211.2.97","45.95.67.41","193.124.125.78","45.134.140.69","89.23.96.203","188.34.188.7","45.135.232.2","193.233.254.21","193.106.175.107") or ipaddress IN ("8.211.2.97","45.95.67.41","193.124.125.78","45.134.140.69","89.23.96.203","188.34.188.7","45.135.232.2","193.233.254.21","193.106.175.107") or publicipaddress IN ("8.211.2.97","45.95.67.41","193.124.125.78","45.134.140.69","188.34.188.7","45.135.232.2","193.233.254.21","89.23.96.203","193.106.175.107") or srcipaddress IN ("8.211.2.97","45.95.67.41","193.124.125.78","45.134.140.69","188.34.188.7","45.135.232.2","193.233.254.21","89.23.96.203","193.106.175.107")

    Process Creation 1

    (resourceName = "Windows Security" AND eventtype = "4688") AND processname In ("BITSAdmin" , "Cobalt Strike" , "Mimikatz" , "PSExec" , "PowerShell" , "RClone" , "Sliver" , "SMBExec" , "WinSCP" , "CrackMapExec" , "Kerberoast" , "AngryIPScanner" , "crackmapexec.exe" , "kerbrute.exe" , "Anydesk.exe" , "IamBatMan.exe" , "stealer_cli_v2.exe" , "nmap-7.94-setup.exe" , "nmap.exe" , "mimikatz.exe")

    Process Creation 2

    (Technologygroup = "EDR" AND eventtype = "4688") AND processname In ("BITSAdmin" , "Cobalt Strike" , "Mimikatz" , "PSExec" , "PowerShell" , "RClone" , "Sliver" , "SMBExec" , "WinSCP" , "CrackMapExec" , "Kerberoast" , "AngryIPScanner" , "crackmapexec.exe" , "kerbrute.exe" , "Anydesk.exe" , "IamBatMan.exe" , "stealer_cli_v2.exe" , "nmap-7.94-setup.exe" , "nmap.exe" , "mimikatz.exe")

    File Creation 1

    resourcename in ("Sysmon" ) AND eventtype = "11" AND TargetFilename in ("C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe","C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe","C:\Users\%USERNAME%\Downloads\Anydesk.exe","C:\Users\%USERNAME%\Desktop\IamBatMan.exe","C:\Users\backupexec\Desktop\stealer_cli_v2.exe","C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe","C:\Program Files (x86)\Nmap\nmap.exe","C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe","C:\Users\backupexec\Downloads\x64\mimikatz.exe")

    File Creation 2

    Technologygroup = "EDR" AND TargetFilename in ("C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe","C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe","C:\Users\%USERNAME%\Downloads\Anydesk.exe","C:\Users\%USERNAME%\Desktop\IamBatMan.exe","C:\Users\backupexec\Desktop\stealer_cli_v2.exe","C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe","C:\Program Files (x86)\Nmap\nmap.exe","C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe","C:\Users\backupexec\Downloads\x64\mimikatz.exe")

    Email Address 

    resourcename = "Email" AND (sender = "brahma2023@onionmail.org" OR recipient = "brahma2023@onionmail.org")

    resourcename = "Email" AND (sender = "<victim_organization_name>@protonmail.com" OR recipient = "<victim_organization_name>@protonmail.com")
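    The File Creation and Process Creation queries above compare the advisory's paths and process names literally; because the published paths carry a %USERNAME% placeholder, a matcher run against real Sysmon telemetry has to widen that placeholder to the actual profile directory and compare case-insensitively. The Python below is an added example, not part of the advisory or of Gurucul's TDIR queries; the Sysmon-style event shape and the sample usernames are assumed.

```python
"""Match constructed file-creation and process-creation events against the
RansomHub file paths and process names listed above (added example)."""
import re

# File-creation IOCs as published. %USERNAME% is a placeholder for the
# victim's profile directory, so a literal comparison would never fire on
# real telemetry; path_pattern() widens it to exactly one path component.
PATH_IOCS = [
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe",
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe",
    r"C:\Users\%USERNAME%\Downloads\Anydesk.exe",
    r"C:\Users\%USERNAME%\Desktop\IamBatMan.exe",
    r"C:\Users\backupexec\Desktop\stealer_cli_v2.exe",
    r"C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe",
    r"C:\Program Files (x86)\Nmap\nmap.exe",
    r"C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe",
    r"C:\Users\backupexec\Downloads\x64\mimikatz.exe",
]

# Executable names from the Process Creation list. The generic tool names
# there (PowerShell, BITSAdmin, ...) are left out: on their own they are
# too common to alert on and need command-line or parent-process context.
PROCESS_IOCS = [
    "Crackmapexec.exe", "Kerbrute.exe", "Anydesk.exe", "IamBatMan.exe",
    "Stealer_cli_v2.exe", "Nmap-7.94-setup.exe", "Nmap.exe", "mimikatz.exe",
]

def path_pattern(ioc: str) -> re.Pattern:
    """Turn an IOC path into a case-insensitive regex; %USERNAME% becomes one
    path component, so extra directories under C:\\Users cannot match."""
    parts = [re.escape(p) for p in ioc.split("%USERNAME%")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)

PATH_PATTERNS = [(ioc, path_pattern(ioc)) for ioc in PATH_IOCS]
PROCESS_NAMES = {name.lower() for name in PROCESS_IOCS}

def match_file_creation(target_filename: str):
    """Return the matching IOC template, or None. NTFS paths are
    case-insensitive, so 'ANYDESK.EXE' and 'Anydesk.exe' are the same file."""
    for ioc, pattern in PATH_PATTERNS:
        if pattern.match(target_filename):
            return ioc
    return None

def match_process(image: str) -> bool:
    """Compare only the file-name part of the Image field, case-insensitively."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() in PROCESS_NAMES

# Constructed Sysmon-style events (not real telemetry): ID 11 = FileCreate,
# ID 1 = ProcessCreate. The username "jdoe" is made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\jdoe\Downloads\Anydesk.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\jdoe\Downloads\report.pdf"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\mimikatz_trunk\x64\MIMIKATZ.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

def scan(events):
    """Return (kind, matched value) tuples for every event that hits an IOC."""
    hits = []
    for ev in events:
        if ev["EventID"] == 11:
            ioc = match_file_creation(ev["TargetFilename"])
            if ioc:
                hits.append(("file", ioc))
        elif ev["EventID"] == 1 and match_process(ev["Image"]):
            hits.append(("process", ev["Image"]))
    return hits

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_EVENTS):
        print(f"{kind}: {value}")
```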

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a 


    Tags

    Malware, Ransomware
