| {"text": "Analysis of SmokeLoader sample (SHA256: 84325c9da867db65abdc37f0987c2ff1194540edbac2a154e5f5e0e2469055f4) revealed command-and-control communication with 51.7.190.71 over port 443. A secondary C2 channel was observed connecting to data-backup[.]site which resolved to 142.58.36.189. The malware binary was written to C:\\Windows\\Temp\\procdump64.exe and established persistence via a scheduled task.", "spans": {"MALWARE: SmokeLoader": [[12, 23]], "HASH: 84325c9da867db65abdc37f0987c2ff1194540edbac2a154e5f5e0e2469055f4": [[40, 104]], "IP_ADDRESS: 51.7.190.71": [[154, 165]], "DOMAIN: data-backup[.]site": [[231, 249]], "IP_ADDRESS: 142.58.36.189": [[268, 281]], "FILEPATH: C:\\Windows\\Temp\\procdump64.exe": [[317, 347]]}, "info": {"id": "synth_00001", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: LockBit Gang compromised the network via initial access from 195.9.8.24. The threat actor deployed Sharphound and exfiltrated data to cdn-delivery[.]xyz. Lateral movement was observed to 109.60.130.155. A dropper with MD5 hash 567d4b6629d474d868a8cf1e0f78ef7c was found at C:\\Users\\admin\\Downloads\\invoice.exe. The exfiltration endpoint collect-log[.]tech was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: LockBit Gang": [[17, 29]], "IP_ADDRESS: 195.9.8.24": [[78, 88]], "TOOL: Sharphound": [[116, 126]], "DOMAIN: cdn-delivery[.]xyz": [[151, 169]], "IP_ADDRESS: 109.60.130.155": [[204, 218]], "HASH: 567d4b6629d474d868a8cf1e0f78ef7c": [[244, 276]], "FILEPATH: C:\\Users\\admin\\Downloads\\invoice.exe": [[290, 326]], "DOMAIN: collect-log[.]tech": [[354, 372]]}, "info": {"id": "synth_00002", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from verify@identity-check.tech with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://backup-data[.]site/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded Ryuk (SHA256: c4474901665a0c0744866ad575c9691d2379c272cd7e554835755deddc148c1b) which was saved to C:\\ProgramData\\VMware\\update_service.dll.", "spans": {"EMAIL: verify@identity-check.tech": [[35, 61]], "URL: hxxps://backup-data[.]site/login/verify": [[155, 194]], "MALWARE: Ryuk": [[290, 294]], "HASH: c4474901665a0c0744866ad575c9691d2379c272cd7e554835755deddc148c1b": [[304, 368]], "FILEPATH: C:\\ProgramData\\VMware\\update_service.dll": [[389, 429]]}, "info": {"id": "synth_00003", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for Cobalt Strike campaign:\n- 151.208.223.2\n- 84.179.109.88\n- 151.40.56.246\n- rat-control[.]info\n- fast-cdn[.]xyz\n- SHA256: 925c5faf93a600754ce395b64ef13196e5e670d8b231e84af46c592f03efd090\n- MD5: d320dd00f5ddfb60c0ded9784da44284", "spans": {"MALWARE: Cobalt Strike": [[16, 29]], "IP_ADDRESS: 151.208.223.2": [[42, 55]], "IP_ADDRESS: 84.179.109.88": [[58, 71]], "IP_ADDRESS: 151.40.56.246": [[74, 87]], "DOMAIN: rat-control[.]info": [[90, 108]], "DOMAIN: fast-cdn[.]xyz": [[111, 125]], "HASH: 925c5faf93a600754ce395b64ef13196e5e670d8b231e84af46c592f03efd090": [[136, 200]], "HASH: d320dd00f5ddfb60c0ded9784da44284": [[208, 240]]}, "info": {"id": "synth_00004", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2023-23397 was attributed to Mustang Panda targeting Citrix ADC instances. The exploit payload was served from 37.92.217.89 and communicated with exchange-key[.]link for command-and-control. Post-exploitation, a webshell (SHA256: e01da2e9f598cd128816088ba37a1dd19ca473fd7b9387aaf7aa62864062d036) was deployed to C:\\Users\\Public\\Documents\\payload.dll.", "spans": {"CVE_ID: CVE-2023-23397": [[16, 30]], "THREAT_ACTOR: Mustang Panda": [[49, 62]], "SYSTEM: Citrix ADC": [[73, 83]], "IP_ADDRESS: 37.92.217.89": [[131, 143]], "DOMAIN: exchange-key[.]link": [[166, 185]], "HASH: e01da2e9f598cd128816088ba37a1dd19ca473fd7b9387aaf7aa62864062d036": [[250, 314]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.dll": [[332, 369]]}, "info": {"id": "synth_00005", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified FormBook artifacts. The primary payload was located at C:\\ProgramData\\VMware\\update_service.dll with SHA256 hash 7aeb949379c93fb6eefd7dd8c11d4c718ba7e9390fa52a98602b131dc2a8db46. A secondary implant was found at /dev/shm/.payload (MD5: a1bd9b43f231677400faa187388aa018). Network logs showed outbound connections to 62.250.237.97 and DNS queries to mail-relay[.]icu.", "spans": {"MALWARE: FormBook": [[56, 64]], "FILEPATH: C:\\ProgramData\\VMware\\update_service.dll": [[111, 151]], "HASH: 7aeb949379c93fb6eefd7dd8c11d4c718ba7e9390fa52a98602b131dc2a8db46": [[169, 233]], "FILEPATH: /dev/shm/.payload": [[268, 285]], "HASH: a1bd9b43f231677400faa187388aa018": [[292, 324]], "IP_ADDRESS: 62.250.237.97": [[371, 384]], "DOMAIN: mail-relay[.]icu": [[404, 420]]}, "info": {"id": "synth_00006", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (ESET): MuddyWater has been observed deploying Gh0st RAT in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from ceo@urgent-transfer.online. Infrastructure includes 171.148.50.181, 212.12.170.59, and botnet-cmd[.]biz. SHA1 indicator: 1326314af0c9be1c97a1801520ec1769761bd7d5.", "spans": {"ORGANIZATION: ESET": [[27, 31]], "THREAT_ACTOR: MuddyWater": [[34, 44]], "MALWARE: Gh0st RAT": [[73, 82]], "EMAIL: ceo@urgent-transfer.online": [[195, 221]], "IP_ADDRESS: 171.148.50.181": [[247, 261]], "IP_ADDRESS: 212.12.170.59": [[263, 276]], "DOMAIN: botnet-cmd[.]biz": [[282, 298]], "HASH: 1326314af0c9be1c97a1801520ec1769761bd7d5": [[316, 356]]}, "info": {"id": "synth_00007", "source": "synthetic_ioc"}} |
| {"text": "ALERT: TrickBot detected on Confluence Server endpoint. Process C:\\ProgramData\\VMware\\update_service.dll (MD5: 269c2b631512bc8963638ac8867798ad) initiated outbound connection to 134.222.26.98 resolving token-auth[.]space. Immediate containment recommended.", "spans": {"MALWARE: TrickBot": [[7, 15]], "SYSTEM: Confluence Server": [[28, 45]], "FILEPATH: C:\\ProgramData\\VMware\\update_service.dll": [[64, 104]], "HASH: 269c2b631512bc8963638ac8867798ad": [[111, 143]], "IP_ADDRESS: 134.222.26.98": [[178, 191]], "DOMAIN: token-auth[.]space": [[202, 220]]}, "info": {"id": "synth_00008", "source": "synthetic_ioc"}} |
| {"text": "The Royal Ransomware loader contacts three staging URLs: hxxps://dns-resolve[.]cc/download/payload.exe, hxxp://api-gateway[.]club/gate.php, and hxxps://login-verify[.]top/api/beacon. The final payload (SHA256: 9fc140d1410e9943b97811dbf6abc763574bde3534a22a4dd70c900b73fd8021) is downloaded and executed. Fallback C2 is at 104.172.69.180.", "spans": {"MALWARE: Royal Ransomware": [[4, 20]], "URL: hxxps://dns-resolve[.]cc/download/payload.exe": [[57, 102]], "URL: hxxp://api-gateway[.]club/gate.php": [[104, 138]], "URL: hxxps://login-verify[.]top/api/beacon": [[144, 181]], "HASH: 9fc140d1410e9943b97811dbf6abc763574bde3534a22a4dd70c900b73fd8021": [[210, 274]], "IP_ADDRESS: 104.172.69.180": [[322, 336]]}, "info": {"id": "synth_00009", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses admin@fake-portal.org and access@vpn-connect.space. Links in the emails pointed to malware-drop[.]net hosted at 85.137.187.63. The attached document dropped a payload to C:\\Temp\\mimikatz.exe with hash 02c7fa8299a913dc28b9513621319724823c5b5211a5fe69a902c4c080cb5c5e.", "spans": {"EMAIL: admin@fake-portal.org": [[44, 65]], "EMAIL: access@vpn-connect.space": [[70, 94]], "DOMAIN: malware-drop[.]net": [[127, 145]], "IP_ADDRESS: 85.137.187.63": [[156, 169]], "FILEPATH: C:\\Temp\\mimikatz.exe": [[214, 234]], "HASH: 02c7fa8299a913dc28b9513621319724823c5b5211a5fe69a902c4c080cb5c5e": [[245, 309]]}, "info": {"id": "synth_00010", "source": "synthetic_ioc"}} |
| {"text": "Multiple AsyncRAT samples identified:\n- SHA256: 20d4346443b1e9cf1ae0a388f969997489c5defccbc9c2c40ea2a98c382ac697\n- SHA256: b77958e427f54145fc2b6d719ba846367b5b496ca30879504b0b5331899ed4d8\n- MD5: 8f277b34e7ed296d4d1f69048f0ab2da\n- MD5: 2caa8607b73a1e1f0b406621489d1f5b\nAll samples beacon to 176.70.254.237 and malware-drop[.]net.", "spans": {"MALWARE: AsyncRAT": [[9, 17]], "HASH: 20d4346443b1e9cf1ae0a388f969997489c5defccbc9c2c40ea2a98c382ac697": [[48, 112]], "HASH: b77958e427f54145fc2b6d719ba846367b5b496ca30879504b0b5331899ed4d8": [[123, 187]], "HASH: 8f277b34e7ed296d4d1f69048f0ab2da": [[195, 227]], "HASH: 2caa8607b73a1e1f0b406621489d1f5b": [[235, 267]], "IP_ADDRESS: 176.70.254.237": [[290, 304]], "DOMAIN: malware-drop[.]net": [[309, 327]]}, "info": {"id": "synth_00011", "source": "synthetic_ioc"}} |
| {"text": "Gamaredon used Sharphound for credential dumping and ngrok for lateral movement. Credentials were exfiltrated to 128.176.84.216. The attacker pivoted to 203.59.211.9 and dropped C:\\Windows\\System32\\wbem\\scrcons.exe (MD5: f6be9aa669ca4daec49d487c70b29f19). C2 traffic was routed through smtp-relay[.]icu.", "spans": {"THREAT_ACTOR: Gamaredon": [[0, 9]], "TOOL: Sharphound": [[15, 25]], "TOOL: ngrok": [[53, 58]], "IP_ADDRESS: 128.176.84.216": [[113, 127]], "IP_ADDRESS: 203.59.211.9": [[153, 165]], "FILEPATH: C:\\Windows\\System32\\wbem\\scrcons.exe": [[178, 214]], "HASH: f6be9aa669ca4daec49d487c70b29f19": [[221, 253]], "DOMAIN: smtp-relay[.]icu": [[286, 302]]}, "info": {"id": "synth_00012", "source": "synthetic_ioc"}} |
| {"text": "The Conti attack began with exploitation of CVE-2023-46805. The ransomware binary (SHA256: 34bc3c67b200df0763023cbfab91e46021b3d990229b85d2d94e0f01e7d5bd12) was deployed to C:\\Windows\\System32\\wbem\\scrcons.exe. Ransom negotiation portal was hosted at ransom-pay[.]icu (109.234.242.146). Contact email for payment: billing@invoice-payment.work.", "spans": {"MALWARE: Conti": [[4, 9]], "CVE_ID: CVE-2023-46805": [[44, 58]], "HASH: 34bc3c67b200df0763023cbfab91e46021b3d990229b85d2d94e0f01e7d5bd12": [[91, 155]], "FILEPATH: C:\\Windows\\System32\\wbem\\scrcons.exe": [[173, 209]], "DOMAIN: ransom-pay[.]icu": [[251, 267]], "IP_ADDRESS: 109.234.242.146": [[269, 284]], "EMAIL: billing@invoice-payment.work": [[314, 342]]}, "info": {"id": "synth_00013", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for Agent Tesla infrastructure: smtp-relay[.]icu resolved to 80.68.36.64, phish-kit[.]xyz resolved to 213.68.192.150, and share-files[.]biz was used as a DNS-over-HTTPS tunnel. The implant hash is a780ced71594af256b57e8911b0ab73a.", "spans": {"MALWARE: Agent Tesla": [[17, 28]], "DOMAIN: smtp-relay[.]icu": [[45, 61]], "IP_ADDRESS: 80.68.36.64": [[74, 85]], "DOMAIN: phish-kit[.]xyz": [[87, 102]], "IP_ADDRESS: 213.68.192.150": [[115, 129]], "DOMAIN: share-files[.]biz": [[135, 152]], "HASH: a780ced71594af256b57e8911b0ab73a": [[210, 242]]}, "info": {"id": "synth_00014", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: BlackBasta\nSHA256: 33e15fdf06d0ef3cba71c6252123b73fe5535721122d94a52fe5c9721ade5f71\nMD5: 0821454b0dda7148ca2cf3019d57e250\nFile created: C:\\Windows\\System32\\config\\SAM\nFile modified: C:\\Users\\Public\\Documents\\payload.dll\nNetwork connection: 181.93.57.36\nDNS query: gate-proxy[.]ru\nHTTP request: hxxps://rat-control[.]info/stage2", "spans": {"MALWARE: BlackBasta": [[16, 26]], "HASH: 33e15fdf06d0ef3cba71c6252123b73fe5535721122d94a52fe5c9721ade5f71": [[35, 99]], "HASH: 0821454b0dda7148ca2cf3019d57e250": [[105, 137]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[152, 182]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.dll": [[198, 235]], "IP_ADDRESS: 181.93.57.36": [[256, 268]], "DOMAIN: gate-proxy[.]ru": [[280, 295]], "URL: hxxps://rat-control[.]info/stage2": [[310, 343]]}, "info": {"id": "synth_00015", "source": "synthetic_ioc"}} |
| {"text": "Analysis of QakBot sample (SHA256: b4d4850f626be905cb2e218c240d66abeba9ef0a2579c4555f09822e24402823) revealed command-and-control communication with 51.40.161.41 over port 4443. A secondary C2 channel was observed connecting to sync-cloud[.]work which resolved to 195.153.17.99. The malware binary was written to C:\\Windows\\INF\\setupapi.dev.dll and established persistence via a scheduled task.", "spans": {"MALWARE: QakBot": [[12, 18]], "HASH: b4d4850f626be905cb2e218c240d66abeba9ef0a2579c4555f09822e24402823": [[35, 99]], "IP_ADDRESS: 51.40.161.41": [[149, 161]], "DOMAIN: sync-cloud[.]work": [[228, 245]], "IP_ADDRESS: 195.153.17.99": [[264, 277]], "FILEPATH: C:\\Windows\\INF\\setupapi.dev.dll": [[313, 344]]}, "info": {"id": "synth_00016", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: UNC2452 compromised the network via initial access from 144.249.142.221. The threat actor deployed ADFind and exfiltrated data to exfil-data[.]club. Lateral movement was observed to 91.175.185.30. A dropper with MD5 hash 0902d0da28bf53180fde0471fa1cdc23 was found at C:\\Windows\\Temp\\procdump64.exe. The exfiltration endpoint monitor-net[.]org was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: UNC2452": [[17, 24]], "IP_ADDRESS: 144.249.142.221": [[73, 88]], "TOOL: ADFind": [[116, 122]], "DOMAIN: exfil-data[.]club": [[147, 164]], "IP_ADDRESS: 91.175.185.30": [[199, 212]], "HASH: 0902d0da28bf53180fde0471fa1cdc23": [[238, 270]], "FILEPATH: C:\\Windows\\Temp\\procdump64.exe": [[284, 314]], "DOMAIN: monitor-net[.]org": [[342, 359]]}, "info": {"id": "synth_00017", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from finance@wire-transfer.info with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://system-patch[.]online/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded REvil (SHA256: f40a476268e27f996d4a04e180b6107f501aa9aca27234ae01ffc48c87eb00b8) which was saved to C:\\Windows\\Temp\\nc.exe.", "spans": {"EMAIL: finance@wire-transfer.info": [[35, 61]], "URL: hxxps://system-patch[.]online/login/verify": [[155, 197]], "MALWARE: REvil": [[293, 298]], "HASH: f40a476268e27f996d4a04e180b6107f501aa9aca27234ae01ffc48c87eb00b8": [[308, 372]], "FILEPATH: C:\\Windows\\Temp\\nc.exe": [[393, 415]]}, "info": {"id": "synth_00018", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for Gh0st RAT campaign:\n- 84.117.1.245\n- 146.249.129.196\n- 88.130.234.28\n- malware-drop[.]net\n- code-deploy[.]store\n- SHA256: e812600207967f5d5e12a6203c2c5fabad5e5a0f4e54b405b82af761883b733c\n- MD5: 67c1c069b26d1aac66d67f1922686d64", "spans": {"MALWARE: Gh0st RAT": [[16, 25]], "IP_ADDRESS: 84.117.1.245": [[38, 50]], "IP_ADDRESS: 146.249.129.196": [[53, 68]], "IP_ADDRESS: 88.130.234.28": [[71, 84]], "DOMAIN: malware-drop[.]net": [[87, 105]], "DOMAIN: code-deploy[.]store": [[108, 127]], "HASH: e812600207967f5d5e12a6203c2c5fabad5e5a0f4e54b405b82af761883b733c": [[138, 202]], "HASH: 67c1c069b26d1aac66d67f1922686d64": [[210, 242]]}, "info": {"id": "synth_00019", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2022-22965 was attributed to ALPHV targeting Windows Server 2019 instances. The exploit payload was served from 95.40.96.196 and communicated with dns-resolve[.]cc for command-and-control. Post-exploitation, a webshell (SHA256: 75618d15fc854fd1ded97e184898048a0d6e2d92f8bdcfe4129815b13a153070) was deployed to /tmp/.hidden/beacon.", "spans": {"CVE_ID: CVE-2022-22965": [[16, 30]], "THREAT_ACTOR: ALPHV": [[49, 54]], "SYSTEM: Windows Server 2019": [[65, 84]], "IP_ADDRESS: 95.40.96.196": [[132, 144]], "DOMAIN: dns-resolve[.]cc": [[167, 183]], "HASH: 75618d15fc854fd1ded97e184898048a0d6e2d92f8bdcfe4129815b13a153070": [[248, 312]], "FILEPATH: /tmp/.hidden/beacon": [[330, 349]]}, "info": {"id": "synth_00020", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified Ryuk artifacts. The primary payload was located at C:\\Windows\\System32\\config\\SAM with SHA256 hash fad5464ca78bf7ea789d0b75d495dd68e0be607fddb3fef461889a996900649b. A secondary implant was found at /tmp/.hidden/beacon (MD5: f2405ea9ed106751b3fab66afe53efbc). Network logs showed outbound connections to 51.238.93.225 and DNS queries to code-deploy[.]store.", "spans": {"MALWARE: Ryuk": [[56, 60]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[107, 137]], "HASH: fad5464ca78bf7ea789d0b75d495dd68e0be607fddb3fef461889a996900649b": [[155, 219]], "FILEPATH: /tmp/.hidden/beacon": [[254, 273]], "HASH: f2405ea9ed106751b3fab66afe53efbc": [[280, 312]], "IP_ADDRESS: 51.238.93.225": [[359, 372]], "DOMAIN: code-deploy[.]store": [[392, 411]]}, "info": {"id": "synth_00021", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (Check Point): APT28 has been observed deploying Ryuk in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from noreply@payment-confirm.top. Infrastructure includes 23.22.188.125, 212.251.195.137, and botnet-cmd[.]biz. SHA1 indicator: 02e8b81a65656c6f6f4d56959539112f29d1dc06.", "spans": {"ORGANIZATION: Check Point": [[27, 38]], "THREAT_ACTOR: APT28": [[41, 46]], "MALWARE: Ryuk": [[75, 79]], "EMAIL: noreply@payment-confirm.top": [[192, 219]], "IP_ADDRESS: 23.22.188.125": [[245, 258]], "IP_ADDRESS: 212.251.195.137": [[260, 275]], "DOMAIN: botnet-cmd[.]biz": [[281, 297]], "HASH: 02e8b81a65656c6f6f4d56959539112f29d1dc06": [[315, 355]]}, "info": {"id": "synth_00022", "source": "synthetic_ioc"}} |
| {"text": "ALERT: Mimikatz detected on Nginx endpoint. Process C:\\Users\\Public\\Libraries\\shell.ps1 (MD5: 78a8258631abcaf49dde4311227bd06b) initiated outbound connection to 204.243.141.43 resolving cert-verify[.]dev. Immediate containment recommended.", "spans": {"MALWARE: Mimikatz": [[7, 15]], "SYSTEM: Nginx": [[28, 33]], "FILEPATH: C:\\Users\\Public\\Libraries\\shell.ps1": [[52, 87]], "HASH: 78a8258631abcaf49dde4311227bd06b": [[94, 126]], "IP_ADDRESS: 204.243.141.43": [[161, 175]], "DOMAIN: cert-verify[.]dev": [[186, 203]]}, "info": {"id": "synth_00023", "source": "synthetic_ioc"}} |
| {"text": "The Vidar loader contacts three staging URLs: hxxps://web-cache[.]io/download/payload.exe, hxxp://monitor-net[.]org/gate.php, and hxxps://rat-control[.]info/api/beacon. The final payload (SHA256: 98e5bb96c027022603778697be8134a244ad4758b0015a5eb10851f70ee9ca2a) is downloaded and executed. Fallback C2 is at 95.183.80.103.", "spans": {"MALWARE: Vidar": [[4, 9]], "URL: hxxps://web-cache[.]io/download/payload.exe": [[46, 89]], "URL: hxxp://monitor-net[.]org/gate.php": [[91, 124]], "URL: hxxps://rat-control[.]info/api/beacon": [[130, 167]], "HASH: 98e5bb96c027022603778697be8134a244ad4758b0015a5eb10851f70ee9ca2a": [[196, 260]], "IP_ADDRESS: 95.183.80.103": [[308, 321]]}, "info": {"id": "synth_00024", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses helpdesk@reset-password.biz and cloud@storage-share.ru. Links in the emails pointed to cache-web[.]io hosted at 200.31.64.58. The attached document dropped a payload to C:\\Users\\Public\\Documents\\payload.dll with hash d272224b14b9857094138e9752bc37ba844a6d140b3abf18dce7304c4fc06dd1.", "spans": {"EMAIL: helpdesk@reset-password.biz": [[44, 71]], "EMAIL: cloud@storage-share.ru": [[76, 98]], "DOMAIN: cache-web[.]io": [[131, 145]], "IP_ADDRESS: 200.31.64.58": [[156, 168]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.dll": [[213, 250]], "HASH: d272224b14b9857094138e9752bc37ba844a6d140b3abf18dce7304c4fc06dd1": [[261, 325]]}, "info": {"id": "synth_00025", "source": "synthetic_ioc"}} |
| {"text": "Multiple LockBit samples identified:\n- SHA256: e3ec5897e095faeaf6a20a1eceb0dddc324bef053b94b44f51ec1ba8c5f2af1d\n- SHA256: 906f9a00f9a8961a34093aa0a6709940ec1afccb8ed58247105755213abad8b9\n- MD5: 5449d61503b2077aeb04dbbdaf1ff79d\n- MD5: 6f1b9f0d68e4bc85af0e740a1d2013b2\nAll samples beacon to 103.151.142.59 and auth-token[.]space.", "spans": {"MALWARE: LockBit": [[9, 16]], "HASH: e3ec5897e095faeaf6a20a1eceb0dddc324bef053b94b44f51ec1ba8c5f2af1d": [[47, 111]], "HASH: 906f9a00f9a8961a34093aa0a6709940ec1afccb8ed58247105755213abad8b9": [[122, 186]], "HASH: 5449d61503b2077aeb04dbbdaf1ff79d": [[194, 226]], "HASH: 6f1b9f0d68e4bc85af0e740a1d2013b2": [[234, 266]], "IP_ADDRESS: 103.151.142.59": [[289, 303]], "DOMAIN: auth-token[.]space": [[308, 326]]}, "info": {"id": "synth_00026", "source": "synthetic_ioc"}} |
| {"text": "UNC2452 used Brute Ratel C4 for credential dumping and Cobalt Strike for lateral movement. Credentials were exfiltrated to 216.182.162.16. The attacker pivoted to 134.18.232.9 and dropped C:\\Windows\\System32\\wbem\\scrcons.exe (MD5: c551800b48a492d547bb8c90938dd5b0). C2 traffic was routed through cloud-sync[.]work.", "spans": {"THREAT_ACTOR: UNC2452": [[0, 7]], "TOOL: Brute Ratel C4": [[13, 27]], "TOOL: Cobalt Strike": [[55, 68]], "IP_ADDRESS: 216.182.162.16": [[123, 137]], "IP_ADDRESS: 134.18.232.9": [[163, 175]], "FILEPATH: C:\\Windows\\System32\\wbem\\scrcons.exe": [[188, 224]], "HASH: c551800b48a492d547bb8c90938dd5b0": [[231, 263]], "DOMAIN: cloud-sync[.]work": [[296, 313]]}, "info": {"id": "synth_00027", "source": "synthetic_ioc"}} |
| {"text": "The LockBit attack began with exploitation of CVE-2023-20198. The ransomware binary (SHA256: c393ca0eb7bc6f728f14083b5758604c5b8faf4892456ae05961359e44cf655e) was deployed to C:\\Windows\\System32\\drivers\\ndis_helper.sys. Ransom negotiation portal was hosted at monitor-net[.]org (151.172.125.55). Contact email for payment: alert@security-warning.dev.", "spans": {"MALWARE: LockBit": [[4, 11]], "CVE_ID: CVE-2023-20198": [[46, 60]], "HASH: c393ca0eb7bc6f728f14083b5758604c5b8faf4892456ae05961359e44cf655e": [[93, 157]], "FILEPATH: C:\\Windows\\System32\\drivers\\ndis_helper.sys": [[175, 218]], "DOMAIN: monitor-net[.]org": [[260, 277]], "IP_ADDRESS: 151.172.125.55": [[279, 293]], "EMAIL: alert@security-warning.dev": [[323, 349]]}, "info": {"id": "synth_00028", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for AsyncRAT infrastructure: resolve-dns[.]cc resolved to 182.49.25.25, log-collect[.]tech resolved to 196.91.109.106, and resolve-dns[.]cc was used as a DNS-over-HTTPS tunnel. The implant hash is 6c79a41072cb700870258a4dcb260cda.", "spans": {"MALWARE: AsyncRAT": [[17, 25]], "DOMAIN: resolve-dns[.]cc": [[42, 58], [136, 152]], "IP_ADDRESS: 182.49.25.25": [[71, 83]], "DOMAIN: log-collect[.]tech": [[85, 103]], "IP_ADDRESS: 196.91.109.106": [[116, 130]], "HASH: 6c79a41072cb700870258a4dcb260cda": [[210, 242]]}, "info": {"id": "synth_00029", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: DarkSide\nSHA256: 5315d93087e2a91ae4d43afdf75f2d294f7d24ee0db18f046ba24dcd326a83a3\nMD5: b371e6d5fa38d1c55f9163beacdb7b3b\nFile created: C:\\ProgramData\\Microsoft\\update.bat\nFile modified: C:\\Windows\\Temp\\debug.exe\nNetwork connection: 198.173.168.252\nDNS query: phish-kit[.]xyz\nHTTP request: hxxps://smtp-relay[.]icu/stage2", "spans": {"MALWARE: DarkSide": [[16, 24]], "HASH: 5315d93087e2a91ae4d43afdf75f2d294f7d24ee0db18f046ba24dcd326a83a3": [[33, 97]], "HASH: b371e6d5fa38d1c55f9163beacdb7b3b": [[103, 135]], "FILEPATH: C:\\ProgramData\\Microsoft\\update.bat": [[150, 185]], "FILEPATH: C:\\Windows\\Temp\\debug.exe": [[201, 226]], "IP_ADDRESS: 198.173.168.252": [[247, 262]], "DOMAIN: phish-kit[.]xyz": [[274, 289]], "URL: hxxps://smtp-relay[.]icu/stage2": [[304, 335]]}, "info": {"id": "synth_00030", "source": "synthetic_ioc"}} |
| {"text": "Analysis of Bumblebee sample (SHA256: c96536195fde69d6a3f326248e54d229072a3cb321d912be0b7932c0be993caa) revealed command-and-control communication with 168.205.221.28 over port 4443. A secondary C2 channel was observed connecting to portal-auth[.]info which resolved to 142.50.49.138. The malware binary was written to C:\\Windows\\System32\\drivers\\ndis_helper.sys and established persistence via a scheduled task.", "spans": {"MALWARE: Bumblebee": [[12, 21]], "HASH: c96536195fde69d6a3f326248e54d229072a3cb321d912be0b7932c0be993caa": [[38, 102]], "IP_ADDRESS: 168.205.221.28": [[152, 166]], "DOMAIN: portal-auth[.]info": [[233, 251]], "IP_ADDRESS: 142.50.49.138": [[270, 283]], "FILEPATH: C:\\Windows\\System32\\drivers\\ndis_helper.sys": [[319, 362]]}, "info": {"id": "synth_00031", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: Sandworm compromised the network via initial access from 151.119.64.224. The threat actor deployed ADFind and exfiltrated data to collect-log[.]tech. Lateral movement was observed to 216.114.207.221. A dropper with MD5 hash 634eca2d6fb400a19c70368de760e221 was found at C:\\ProgramData\\Microsoft\\update.bat. The exfiltration endpoint data-backup[.]site was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: Sandworm": [[17, 25]], "IP_ADDRESS: 151.119.64.224": [[74, 88]], "TOOL: ADFind": [[116, 122]], "DOMAIN: collect-log[.]tech": [[147, 165]], "IP_ADDRESS: 216.114.207.221": [[200, 215]], "HASH: 634eca2d6fb400a19c70368de760e221": [[241, 273]], "FILEPATH: C:\\ProgramData\\Microsoft\\update.bat": [[287, 322]], "DOMAIN: data-backup[.]site": [[350, 368]]}, "info": {"id": "synth_00032", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from verify@identity-check.tech with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://update-service[.]net/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded TrickBot (SHA256: 9657dc1942bcbba61923b7a2d4c628cb853d4de4f4e845cb78dc42516fe73a90) which was saved to C:\\Windows\\Tasks\\scheduled_task.xml.", "spans": {"EMAIL: verify@identity-check.tech": [[35, 61]], "URL: hxxps://update-service[.]net/login/verify": [[155, 196]], "MALWARE: TrickBot": [[292, 300]], "HASH: 9657dc1942bcbba61923b7a2d4c628cb853d4de4f4e845cb78dc42516fe73a90": [[310, 374]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[395, 430]]}, "info": {"id": "synth_00033", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for Royal Ransomware campaign:\n- 85.105.125.124\n- 109.222.103.232\n- 203.43.98.1\n- sync-cloud[.]work\n- cert-verify[.]dev\n- SHA256: 55356f5d1d275c82c5f50989c863cfe63fa7aec9064c9604538acd2dda6888dd\n- MD5: c3d8aee4b0f4a8b25b004f58a40a02fe", "spans": {"MALWARE: Royal Ransomware": [[16, 32]], "IP_ADDRESS: 85.105.125.124": [[45, 59]], "IP_ADDRESS: 109.222.103.232": [[62, 77]], "IP_ADDRESS: 203.43.98.1": [[80, 91]], "DOMAIN: sync-cloud[.]work": [[94, 111]], "DOMAIN: cert-verify[.]dev": [[114, 131]], "HASH: 55356f5d1d275c82c5f50989c863cfe63fa7aec9064c9604538acd2dda6888dd": [[142, 206]], "HASH: c3d8aee4b0f4a8b25b004f58a40a02fe": [[214, 246]]}, "info": {"id": "synth_00034", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2024-3400 was attributed to MuddyWater targeting Azure AD instances. The exploit payload was served from 195.179.246.188 and communicated with collect-log[.]tech for command-and-control. Post-exploitation, a webshell (SHA256: d3089c9af03bd92285285f2c742374b1d0304ac02c0fdca854d20571794e70c5) was deployed to C:\\Users\\Public\\desktop.ini.", "spans": {"CVE_ID: CVE-2024-3400": [[16, 29]], "THREAT_ACTOR: MuddyWater": [[48, 58]], "SYSTEM: Azure AD": [[69, 77]], "IP_ADDRESS: 195.179.246.188": [[125, 140]], "DOMAIN: collect-log[.]tech": [[163, 181]], "HASH: d3089c9af03bd92285285f2c742374b1d0304ac02c0fdca854d20571794e70c5": [[246, 310]], "FILEPATH: C:\\Users\\Public\\desktop.ini": [[328, 355]]}, "info": {"id": "synth_00035", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified FormBook artifacts. The primary payload was located at C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe with SHA256 hash 4ef681cd5d368dc4607033aaa141bfd5dec0702749ba54161fb5c7c09c66910f. A secondary implant was found at /opt/.cache/reverse_shell (MD5: fbf15131b42aa11d86af50885145a269). Network logs showed outbound connections to 109.248.15.149 and DNS queries to shell-cmd[.]online.", "spans": {"MALWARE: FormBook": [[56, 64]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[111, 155]], "HASH: 4ef681cd5d368dc4607033aaa141bfd5dec0702749ba54161fb5c7c09c66910f": [[173, 237]], "FILEPATH: /opt/.cache/reverse_shell": [[272, 297]], "HASH: fbf15131b42aa11d86af50885145a269": [[304, 336]], "IP_ADDRESS: 109.248.15.149": [[383, 397]], "DOMAIN: shell-cmd[.]online": [[417, 435]]}, "info": {"id": "synth_00036", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (SentinelOne): APT28 has been observed deploying Bumblebee in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from phishing@secure-update.net. Infrastructure includes 203.13.150.123, 208.236.219.136, and dns-resolve[.]cc. SHA1 indicator: b1acc2a42a5160b4353f6b1fdf5c21cd16612bd2.", "spans": {"ORGANIZATION: SentinelOne": [[27, 38]], "THREAT_ACTOR: APT28": [[41, 46]], "MALWARE: Bumblebee": [[75, 84]], "EMAIL: phishing@secure-update.net": [[197, 223]], "IP_ADDRESS: 203.13.150.123": [[249, 263]], "IP_ADDRESS: 208.236.219.136": [[265, 280]], "DOMAIN: dns-resolve[.]cc": [[286, 302]], "HASH: b1acc2a42a5160b4353f6b1fdf5c21cd16612bd2": [[320, 360]]}, "info": {"id": "synth_00037", "source": "synthetic_ioc"}} |
| {"text": "ALERT: Remcos RAT detected on VMware ESXi endpoint. Process C:\\Users\\Public\\Documents\\payload.dll (MD5: d2f782d5129e169f26f02799b5437553) initiated outbound connection to 23.218.48.18 resolving exchange-key[.]link. Immediate containment recommended.", "spans": {"MALWARE: Remcos RAT": [[7, 17]], "SYSTEM: VMware ESXi": [[30, 41]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.dll": [[60, 97]], "HASH: d2f782d5129e169f26f02799b5437553": [[104, 136]], "IP_ADDRESS: 23.218.48.18": [[171, 183]], "DOMAIN: exchange-key[.]link": [[194, 213]]}, "info": {"id": "synth_00038", "source": "synthetic_ioc"}} |
| {"text": "The Raccoon Stealer loader contacts three staging URLs: hxxps://smtp-relay[.]icu/download/payload.exe, hxxp://system-patch[.]online/gate.php, and hxxps://verify-cert[.]dev/api/beacon. The final payload (SHA256: 9144f94601f5dab20b11b44af0735877d3c85185e705f78ddda1a1475faeb869) is downloaded and executed. Fallback C2 is at 142.149.153.11.", "spans": {"MALWARE: Raccoon Stealer": [[4, 19]], "URL: hxxps://smtp-relay[.]icu/download/payload.exe": [[56, 101]], "URL: hxxp://system-patch[.]online/gate.php": [[103, 140]], "URL: hxxps://verify-cert[.]dev/api/beacon": [[146, 182]], "HASH: 9144f94601f5dab20b11b44af0735877d3c85185e705f78ddda1a1475faeb869": [[211, 275]], "IP_ADDRESS: 142.149.153.11": [[323, 337]]}, "info": {"id": "synth_00039", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses admin@fake-portal.org and tax@refund-claim.pw. Links in the emails pointed to c2-relay[.]top hosted at 210.81.240.67. The attached document dropped a payload to C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe with hash e495e89dbde475c0f493079b47970ed630be461c60d3d9c1b029643a91c81f85.", "spans": {"EMAIL: admin@fake-portal.org": [[44, 65]], "EMAIL: tax@refund-claim.pw": [[70, 89]], "DOMAIN: c2-relay[.]top": [[122, 136]], "IP_ADDRESS: 210.81.240.67": [[147, 160]], "FILEPATH: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe": [[205, 249]], "HASH: e495e89dbde475c0f493079b47970ed630be461c60d3d9c1b029643a91c81f85": [[260, 324]]}, "info": {"id": "synth_00040", "source": "synthetic_ioc"}} |
| {"text": "Multiple Vidar samples identified:\n- SHA256: 8eae837415e160b3264c05847d823ba2d1fb5fb34bcab50289355e0d83d8906d\n- SHA256: bec132e1835c8526ab7508efdba6cba107c9c93d880f8c6b8a80baab21a04e45\n- MD5: 14eaa44a33af535cf1a961a2b0a27f4e\n- MD5: 1a4fbd4f9ace3e2828da55e2c129d9ea\nAll samples beacon to 162.62.68.102 and auth-portal[.]info.", "spans": {"MALWARE: Vidar": [[9, 14]], "HASH: 8eae837415e160b3264c05847d823ba2d1fb5fb34bcab50289355e0d83d8906d": [[45, 109]], "HASH: bec132e1835c8526ab7508efdba6cba107c9c93d880f8c6b8a80baab21a04e45": [[120, 184]], "HASH: 14eaa44a33af535cf1a961a2b0a27f4e": [[192, 224]], "HASH: 1a4fbd4f9ace3e2828da55e2c129d9ea": [[232, 264]], "IP_ADDRESS: 162.62.68.102": [[287, 300]], "DOMAIN: auth-portal[.]info": [[305, 323]]}, "info": {"id": "synth_00041", "source": "synthetic_ioc"}} |
| {"text": "Lazarus Group used Net-GPPPassword for credential dumping and ADFind for lateral movement. Credentials were exfiltrated to 158.118.81.238. The attacker pivoted to 216.3.118.160 and dropped C:\\Recovery\\WindowsRE\\agent.exe (MD5: 1d62870c66779c42edf8de1f8d3734f6). C2 traffic was routed through data-backup[.]site.", "spans": {"THREAT_ACTOR: Lazarus Group": [[0, 13]], "TOOL: Net-GPPPassword": [[19, 34]], "TOOL: ADFind": [[62, 68]], "IP_ADDRESS: 158.118.81.238": [[123, 137]], "IP_ADDRESS: 216.3.118.160": [[163, 176]], "FILEPATH: C:\\Recovery\\WindowsRE\\agent.exe": [[189, 220]], "HASH: 1d62870c66779c42edf8de1f8d3734f6": [[227, 259]], "DOMAIN: data-backup[.]site": [[292, 310]]}, "info": {"id": "synth_00042", "source": "synthetic_ioc"}} |
| {"text": "The LockBit attack began with exploitation of CVE-2022-26134. The ransomware binary (SHA256: 87d80a63fa49abfcf014eea1c6c143d3e99cf5afbad735fd20821bfcc565e990) was deployed to C:\\Users\\Public\\Documents\\payload.dll. Ransom negotiation portal was hosted at login-verify[.]top (208.68.34.239). Contact email for payment: security@alert-notification.icu.", "spans": {"MALWARE: LockBit": [[4, 11]], "CVE_ID: CVE-2022-26134": [[46, 60]], "HASH: 87d80a63fa49abfcf014eea1c6c143d3e99cf5afbad735fd20821bfcc565e990": [[93, 157]], "FILEPATH: C:\\Users\\Public\\Documents\\payload.dll": [[175, 212]], "DOMAIN: login-verify[.]top": [[254, 272]], "IP_ADDRESS: 208.68.34.239": [[274, 287]], "EMAIL: security@alert-notification.icu": [[317, 348]]}, "info": {"id": "synth_00043", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for FormBook infrastructure: key-exchange[.]link resolved to 217.181.78.157, dns-resolve[.]cc resolved to 211.3.171.210, and portal-auth[.]info was used as a DNS-over-HTTPS tunnel. The implant hash is 49a0d48b401f01849f8575f553af5279.", "spans": {"MALWARE: FormBook": [[17, 25]], "DOMAIN: key-exchange[.]link": [[42, 61]], "IP_ADDRESS: 217.181.78.157": [[74, 88]], "DOMAIN: dns-resolve[.]cc": [[90, 106]], "IP_ADDRESS: 211.3.171.210": [[119, 132]], "DOMAIN: portal-auth[.]info": [[138, 156]], "HASH: 49a0d48b401f01849f8575f553af5279": [[214, 246]]}, "info": {"id": "synth_00044", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: REvil\nSHA256: a393d5c5acdd16e728996801f5bbb5b834c96a852cc35f4fc051db53168b0aac\nMD5: 7aa07a214ce145f5a104aa9ffe1f8577\nFile created: C:\\ProgramData\\Microsoft\\update.bat\nFile modified: C:\\ProgramData\\Microsoft\\update.bat\nNetwork connection: 46.241.225.35\nDNS query: cert-verify[.]dev\nHTTP request: hxxps://shell-cmd[.]online/stage2", "spans": {"MALWARE: REvil": [[16, 21]], "HASH: a393d5c5acdd16e728996801f5bbb5b834c96a852cc35f4fc051db53168b0aac": [[30, 94]], "HASH: 7aa07a214ce145f5a104aa9ffe1f8577": [[100, 132]], "FILEPATH: C:\\ProgramData\\Microsoft\\update.bat": [[147, 182], [198, 233]], "IP_ADDRESS: 46.241.225.35": [[254, 267]], "DOMAIN: cert-verify[.]dev": [[279, 296]], "URL: hxxps://shell-cmd[.]online/stage2": [[311, 344]]}, "info": {"id": "synth_00045", "source": "synthetic_ioc"}} |
| {"text": "Analysis of FormBook sample (SHA256: 4e0863e4cc68d9634d0af31a52e2d7933912795b397385adb96d06e507ded32e) revealed command-and-control communication with 82.70.73.155 over port 9090. A secondary C2 channel was observed connecting to exfil-data[.]club which resolved to 104.184.88.53. The malware binary was written to C:\\ProgramData\\svchost.exe and established persistence via a scheduled task.", "spans": {"MALWARE: FormBook": [[12, 20]], "HASH: 4e0863e4cc68d9634d0af31a52e2d7933912795b397385adb96d06e507ded32e": [[37, 101]], "IP_ADDRESS: 82.70.73.155": [[151, 163]], "DOMAIN: exfil-data[.]club": [[230, 247]], "IP_ADDRESS: 104.184.88.53": [[266, 279]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[315, 341]]}, "info": {"id": "synth_00046", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: TA551 compromised the network via initial access from 144.232.233.217. The threat actor deployed CrackMapExec and exfiltrated data to token-auth[.]space. Lateral movement was observed to 198.24.163.109. A dropper with MD5 hash 5772834eafa955aa0426b7a2d27bb50c was found at C:\\Windows\\System32\\svchost_update.exe. The exfiltration endpoint secure-login[.]top was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: TA551": [[17, 22]], "IP_ADDRESS: 144.232.233.217": [[71, 86]], "TOOL: CrackMapExec": [[114, 126]], "DOMAIN: token-auth[.]space": [[151, 169]], "IP_ADDRESS: 198.24.163.109": [[204, 218]], "HASH: 5772834eafa955aa0426b7a2d27bb50c": [[244, 276]], "FILEPATH: C:\\Windows\\System32\\svchost_update.exe": [[290, 328]], "DOMAIN: secure-login[.]top": [[356, 374]]}, "info": {"id": "synth_00047", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from noreply@payment-confirm.top with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://malware-drop[.]net/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded Conti (SHA256: b0f27c4938d194c85a6db3b58b8679544b7591b053705be3ed765c07a8602d21) which was saved to C:\\Temp\\mimikatz.exe.", "spans": {"EMAIL: noreply@payment-confirm.top": [[35, 62]], "URL: hxxps://malware-drop[.]net/login/verify": [[156, 195]], "MALWARE: Conti": [[291, 296]], "HASH: b0f27c4938d194c85a6db3b58b8679544b7591b053705be3ed765c07a8602d21": [[306, 370]], "FILEPATH: C:\\Temp\\mimikatz.exe": [[391, 411]]}, "info": {"id": "synth_00048", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for FormBook campaign:\n- 199.142.181.110\n- 91.29.20.242\n- 82.140.10.214\n- api-gateway[.]club\n- auth-token[.]space\n- SHA256: 57da9e9aaae0dee0c486eb9dad7f6bd56f25cda5f979d9e1172124cbc410fd43\n- MD5: ca8cf94cf0886490d3120e903edb090d", "spans": {"MALWARE: FormBook": [[16, 24]], "IP_ADDRESS: 199.142.181.110": [[37, 52]], "IP_ADDRESS: 91.29.20.242": [[55, 67]], "IP_ADDRESS: 82.140.10.214": [[70, 83]], "DOMAIN: api-gateway[.]club": [[86, 104]], "DOMAIN: auth-token[.]space": [[107, 125]], "HASH: 57da9e9aaae0dee0c486eb9dad7f6bd56f25cda5f979d9e1172124cbc410fd43": [[136, 200]], "HASH: ca8cf94cf0886490d3120e903edb090d": [[208, 240]]}, "info": {"id": "synth_00049", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2023-34362 was attributed to Winnti Group targeting Confluence Server instances. The exploit payload was served from 77.11.79.94 and communicated with secure-login[.]top for command-and-control. Post-exploitation, a webshell (SHA256: d51ab86ad6b7305fd99d17bf76097eaaba7cf0698a014af35770b207a65804cf) was deployed to C:\\Windows\\Temp\\nc.exe.", "spans": {"CVE_ID: CVE-2023-34362": [[16, 30]], "THREAT_ACTOR: Winnti Group": [[49, 61]], "SYSTEM: Confluence Server": [[72, 89]], "IP_ADDRESS: 77.11.79.94": [[137, 148]], "DOMAIN: secure-login[.]top": [[171, 189]], "HASH: d51ab86ad6b7305fd99d17bf76097eaaba7cf0698a014af35770b207a65804cf": [[254, 318]], "FILEPATH: C:\\Windows\\Temp\\nc.exe": [[336, 358]]}, "info": {"id": "synth_00050", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified Raccoon Stealer artifacts. The primary payload was located at C:\\Windows\\Tasks\\scheduled_task.xml with SHA256 hash de206fdbe504837efce64b823f08a377a76f978bbf772783cacac5ac5fb42712. A secondary implant was found at /tmp/linpeas.sh (MD5: ef245857ae1413dc3df0be611fe879ef). Network logs showed outbound connections to 46.91.200.144 and DNS queries to backup-data[.]site.", "spans": {"MALWARE: Raccoon Stealer": [[56, 71]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[118, 153]], "HASH: de206fdbe504837efce64b823f08a377a76f978bbf772783cacac5ac5fb42712": [[171, 235]], "FILEPATH: /tmp/linpeas.sh": [[270, 285]], "HASH: ef245857ae1413dc3df0be611fe879ef": [[292, 324]], "IP_ADDRESS: 46.91.200.144": [[371, 384]], "DOMAIN: backup-data[.]site": [[404, 422]]}, "info": {"id": "synth_00051", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (Check Point): FIN11 has been observed deploying Royal Ransomware in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from finance@wire-transfer.info. Infrastructure includes 141.222.42.250, 88.226.106.7, and vpn-tunnel[.]pw. SHA1 indicator: 2b0c3cac3641356e63c6bfa0a3d793ffe47a21dd.", "spans": {"ORGANIZATION: Check Point": [[27, 38]], "THREAT_ACTOR: FIN11": [[41, 46]], "MALWARE: Royal Ransomware": [[75, 91]], "EMAIL: finance@wire-transfer.info": [[204, 230]], "IP_ADDRESS: 141.222.42.250": [[256, 270]], "IP_ADDRESS: 88.226.106.7": [[272, 284]], "DOMAIN: vpn-tunnel[.]pw": [[290, 305]], "HASH: 2b0c3cac3641356e63c6bfa0a3d793ffe47a21dd": [[323, 363]]}, "info": {"id": "synth_00052", "source": "synthetic_ioc"}} |
| {"text": "ALERT: ShadowPad detected on Citrix ADC endpoint. Process C:\\Windows\\Tasks\\scheduled_task.xml (MD5: 5f480a2bfb43a1aa12c0cd47f0aadd1b) initiated outbound connection to 182.206.172.222 resolving shell-cmd[.]online. Immediate containment recommended.", "spans": {"MALWARE: ShadowPad": [[7, 16]], "SYSTEM: Citrix ADC": [[29, 39]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[58, 93]], "HASH: 5f480a2bfb43a1aa12c0cd47f0aadd1b": [[100, 132]], "IP_ADDRESS: 182.206.172.222": [[167, 182]], "DOMAIN: shell-cmd[.]online": [[193, 211]]}, "info": {"id": "synth_00053", "source": "synthetic_ioc"}} |
| {"text": "The NjRAT loader contacts three staging URLs: hxxps://dns-resolve[.]cc/download/payload.exe, hxxp://loader-bin[.]work/gate.php, and hxxps://data-backup[.]site/api/beacon. The final payload (SHA256: 032b3934962dce68afa4868f97698813c5f587600120dbc8a963fa9c585c38e0) is downloaded and executed. Fallback C2 is at 176.224.10.220.", "spans": {"MALWARE: NjRAT": [[4, 9]], "URL: hxxps://dns-resolve[.]cc/download/payload.exe": [[46, 91]], "URL: hxxp://loader-bin[.]work/gate.php": [[93, 126]], "URL: hxxps://data-backup[.]site/api/beacon": [[132, 169]], "HASH: 032b3934962dce68afa4868f97698813c5f587600120dbc8a963fa9c585c38e0": [[198, 262]], "IP_ADDRESS: 176.224.10.220": [[310, 324]]}, "info": {"id": "synth_00054", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses security@alert-notification.icu and billing@invoice-payment.work. Links in the emails pointed to share-files[.]biz hosted at 169.79.211.204. The attached document dropped a payload to C:\\Windows\\Tasks\\scheduled_task.xml with hash 80cb00a64ff9847bf91c83ba31283cac85fb4748450856d8e940a488cf0da6d7.", "spans": {"EMAIL: security@alert-notification.icu": [[44, 75]], "EMAIL: billing@invoice-payment.work": [[80, 108]], "DOMAIN: share-files[.]biz": [[141, 158]], "IP_ADDRESS: 169.79.211.204": [[169, 183]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[228, 263]], "HASH: 80cb00a64ff9847bf91c83ba31283cac85fb4748450856d8e940a488cf0da6d7": [[274, 338]]}, "info": {"id": "synth_00055", "source": "synthetic_ioc"}} |
| {"text": "Multiple Ryuk samples identified:\n- SHA256: 75d25a29646de86ae604bf927fefdba5af3d3d04b806bf8be3ab4f0fd9bfb0d0\n- SHA256: eaed36f53105a93364c678de8fd8560673f4cb5c300594540bfc0c7c7e29bd01\n- MD5: 82752ae2f5d6008330bcc2d4cab188b2\n- MD5: eefcb459329b2a8358f28e4833326f5e\nAll samples beacon to 185.169.50.103 and fast-cdn[.]xyz.", "spans": {"MALWARE: Ryuk": [[9, 13]], "HASH: 75d25a29646de86ae604bf927fefdba5af3d3d04b806bf8be3ab4f0fd9bfb0d0": [[44, 108]], "HASH: eaed36f53105a93364c678de8fd8560673f4cb5c300594540bfc0c7c7e29bd01": [[119, 183]], "HASH: 82752ae2f5d6008330bcc2d4cab188b2": [[191, 223]], "HASH: eefcb459329b2a8358f28e4833326f5e": [[231, 263]], "IP_ADDRESS: 185.169.50.103": [[286, 300]], "DOMAIN: fast-cdn[.]xyz": [[305, 319]]}, "info": {"id": "synth_00056", "source": "synthetic_ioc"}} |
| {"text": "APT29 used Rubeus for credential dumping and BloodHound for lateral movement. Credentials were exfiltrated to 151.90.165.131. The attacker pivoted to 181.174.252.216 and dropped C:\\Windows\\Temp\\procdump64.exe (MD5: a3889edbfc83694edfd257f9b0b7d090). C2 traffic was routed through fast-cdn[.]xyz.", "spans": {"THREAT_ACTOR: APT29": [[0, 5]], "TOOL: Rubeus": [[11, 17]], "TOOL: BloodHound": [[45, 55]], "IP_ADDRESS: 151.90.165.131": [[110, 124]], "IP_ADDRESS: 181.174.252.216": [[150, 165]], "FILEPATH: C:\\Windows\\Temp\\procdump64.exe": [[178, 208]], "HASH: a3889edbfc83694edfd257f9b0b7d090": [[215, 247]], "DOMAIN: fast-cdn[.]xyz": [[280, 294]]}, "info": {"id": "synth_00057", "source": "synthetic_ioc"}} |
| {"text": "The Conti attack began with exploitation of CVE-2024-21762. The ransomware binary (SHA256: b33f572efb25280ecab4e039f6c5531768492d9e41d26ee693cb37c6fd8953f5) was deployed to C:\\Windows\\Temp\\debug.exe. Ransom negotiation portal was hosted at cert-verify[.]dev (146.46.149.247). Contact email for payment: support@account-verify.xyz.", "spans": {"MALWARE: Conti": [[4, 9]], "CVE_ID: CVE-2024-21762": [[44, 58]], "HASH: b33f572efb25280ecab4e039f6c5531768492d9e41d26ee693cb37c6fd8953f5": [[91, 155]], "FILEPATH: C:\\Windows\\Temp\\debug.exe": [[173, 198]], "DOMAIN: cert-verify[.]dev": [[240, 257]], "IP_ADDRESS: 146.46.149.247": [[259, 273]], "EMAIL: support@account-verify.xyz": [[303, 329]]}, "info": {"id": "synth_00058", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for RedLine Stealer infrastructure: patch-system[.]online resolved to 162.112.156.252, login-verify[.]top resolved to 209.30.99.231, and exploit-hub[.]site was used as a DNS-over-HTTPS tunnel. The implant hash is 85be308616be93dd4a0ffa0a698a6e63.", "spans": {"MALWARE: RedLine Stealer": [[17, 32]], "DOMAIN: patch-system[.]online": [[49, 70]], "IP_ADDRESS: 162.112.156.252": [[83, 98]], "DOMAIN: login-verify[.]top": [[100, 118]], "IP_ADDRESS: 209.30.99.231": [[131, 144]], "DOMAIN: exploit-hub[.]site": [[150, 168]], "HASH: 85be308616be93dd4a0ffa0a698a6e63": [[226, 258]]}, "info": {"id": "synth_00059", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: BazarLoader\nSHA256: 817efad8e291fe740b480d39012992d92433be9d6fa51e6617e0c8bbd8a30c23\nMD5: e4528c53ff82248ebf5adbdaaecba60d\nFile created: C:\\Users\\Public\\Libraries\\shell.ps1\nFile modified: C:\\Windows\\Temp\\procdump64.exe\nNetwork connection: 144.12.182.112\nDNS query: update-service[.]net\nHTTP request: hxxps://exfil-data[.]club/stage2", "spans": {"MALWARE: BazarLoader": [[16, 27]], "HASH: 817efad8e291fe740b480d39012992d92433be9d6fa51e6617e0c8bbd8a30c23": [[36, 100]], "HASH: e4528c53ff82248ebf5adbdaaecba60d": [[106, 138]], "FILEPATH: C:\\Users\\Public\\Libraries\\shell.ps1": [[153, 188]], "FILEPATH: C:\\Windows\\Temp\\procdump64.exe": [[204, 234]], "IP_ADDRESS: 144.12.182.112": [[255, 269]], "DOMAIN: update-service[.]net": [[281, 301]], "URL: hxxps://exfil-data[.]club/stage2": [[316, 348]]}, "info": {"id": "synth_00060", "source": "synthetic_ioc"}} |
| {"text": "Analysis of Bumblebee sample (SHA256: ee84cef4e1dfb28150d31955134d51166e2471c5b90cb014523179552dd35178) revealed command-and-control communication with 95.94.111.18 over port 9090. A secondary C2 channel was observed connecting to system-patch[.]online which resolved to 167.160.81.170. The malware binary was written to C:\\Users\\Public\\desktop.ini and established persistence via a scheduled task.", "spans": {"MALWARE: Bumblebee": [[12, 21]], "HASH: ee84cef4e1dfb28150d31955134d51166e2471c5b90cb014523179552dd35178": [[38, 102]], "IP_ADDRESS: 95.94.111.18": [[152, 164]], "DOMAIN: system-patch[.]online": [[231, 252]], "IP_ADDRESS: 167.160.81.170": [[271, 285]], "FILEPATH: C:\\Users\\Public\\desktop.ini": [[321, 348]]}, "info": {"id": "synth_00061", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: MuddyWater compromised the network via initial access from 182.84.104.179. The threat actor deployed Net-GPPPassword and exfiltrated data to backup-data[.]site. Lateral movement was observed to 156.142.33.50. A dropper with MD5 hash 7540894c91f6203fc7b302ff9610d612 was found at /opt/.cache/reverse_shell. The exfiltration endpoint c2-relay[.]top was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: MuddyWater": [[17, 27]], "IP_ADDRESS: 182.84.104.179": [[76, 90]], "TOOL: Net-GPPPassword": [[118, 133]], "DOMAIN: backup-data[.]site": [[158, 176]], "IP_ADDRESS: 156.142.33.50": [[211, 224]], "HASH: 7540894c91f6203fc7b302ff9610d612": [[250, 282]], "FILEPATH: /opt/.cache/reverse_shell": [[296, 321]], "DOMAIN: c2-relay[.]top": [[349, 363]]}, "info": {"id": "synth_00062", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from hr@resume-upload.club with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://deploy-code[.]store/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded RedLine Stealer (SHA256: 4a05cde81910f698ccafc66e867c4a3c29676f7282513bd189047b915b599a85) which was saved to C:\\Users\\Public\\desktop.ini.", "spans": {"EMAIL: hr@resume-upload.club": [[35, 56]], "URL: hxxps://deploy-code[.]store/login/verify": [[150, 190]], "MALWARE: RedLine Stealer": [[286, 301]], "HASH: 4a05cde81910f698ccafc66e867c4a3c29676f7282513bd189047b915b599a85": [[311, 375]], "FILEPATH: C:\\Users\\Public\\desktop.ini": [[396, 423]]}, "info": {"id": "synth_00063", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for Remcos RAT campaign:\n- 181.141.214.1\n- 158.74.54.111\n- 163.120.114.114\n- exfil-data[.]club\n- web-cache[.]io\n- SHA256: 2798512e2e944163ddf0807d6314066ae81afd6cb353f45ad5fdef7aafd5553a\n- MD5: 5e27f6a50b354f1e517af5943cb1c2c0", "spans": {"MALWARE: Remcos RAT": [[16, 26]], "IP_ADDRESS: 181.141.214.1": [[39, 52]], "IP_ADDRESS: 158.74.54.111": [[55, 68]], "IP_ADDRESS: 163.120.114.114": [[71, 86]], "DOMAIN: exfil-data[.]club": [[89, 106]], "DOMAIN: web-cache[.]io": [[109, 123]], "HASH: 2798512e2e944163ddf0807d6314066ae81afd6cb353f45ad5fdef7aafd5553a": [[134, 198]], "HASH: 5e27f6a50b354f1e517af5943cb1c2c0": [[206, 238]]}, "info": {"id": "synth_00064", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2023-46805 was attributed to Sandworm targeting Ivanti Connect Secure instances. The exploit payload was served from 23.73.132.170 and communicated with malware-drop[.]net for command-and-control. Post-exploitation, a webshell (SHA256: c6f93c69bbf44e85d43ead55556649ea31b5f27b803afd6b09dbd792fbae2bd6) was deployed to C:\\Temp\\mimikatz.exe.", "spans": {"CVE_ID: CVE-2023-46805": [[16, 30]], "THREAT_ACTOR: Sandworm": [[49, 57]], "SYSTEM: Ivanti Connect Secure": [[68, 89]], "IP_ADDRESS: 23.73.132.170": [[137, 150]], "DOMAIN: malware-drop[.]net": [[173, 191]], "HASH: c6f93c69bbf44e85d43ead55556649ea31b5f27b803afd6b09dbd792fbae2bd6": [[256, 320]], "FILEPATH: C:\\Temp\\mimikatz.exe": [[338, 358]]}, "info": {"id": "synth_00065", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified Emotet artifacts. The primary payload was located at C:\\Windows\\Tasks\\scheduled_task.xml with SHA256 hash 6e835e50ea30aa03cbc435b6e5582213886ea53273eb4470d0f0e06d0b46b9cb. A secondary implant was found at /tmp/linpeas.sh (MD5: ab9837391347337f553ddc17b55e61d3). Network logs showed outbound connections to 159.58.207.51 and DNS queries to file-share[.]biz.", "spans": {"MALWARE: Emotet": [[56, 62]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[109, 144]], "HASH: 6e835e50ea30aa03cbc435b6e5582213886ea53273eb4470d0f0e06d0b46b9cb": [[162, 226]], "FILEPATH: /tmp/linpeas.sh": [[261, 276]], "HASH: ab9837391347337f553ddc17b55e61d3": [[283, 315]], "IP_ADDRESS: 159.58.207.51": [[362, 375]], "DOMAIN: file-share[.]biz": [[395, 411]]}, "info": {"id": "synth_00066", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (FireEye): APT28 has been observed deploying Ryuk in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from delivery@package-track.cc. Infrastructure includes 216.117.107.227, 94.184.179.99, and tunnel-vpn[.]pw. SHA1 indicator: a34b97bc457d4db44b9711a1a025d703c0dd524c.", "spans": {"ORGANIZATION: FireEye": [[27, 34]], "THREAT_ACTOR: APT28": [[37, 42]], "MALWARE: Ryuk": [[71, 75]], "EMAIL: delivery@package-track.cc": [[188, 213]], "IP_ADDRESS: 216.117.107.227": [[239, 254]], "IP_ADDRESS: 94.184.179.99": [[256, 269]], "DOMAIN: tunnel-vpn[.]pw": [[275, 290]], "HASH: a34b97bc457d4db44b9711a1a025d703c0dd524c": [[308, 348]]}, "info": {"id": "synth_00067", "source": "synthetic_ioc"}} |
| {"text": "ALERT: Ryuk detected on Nginx endpoint. Process C:\\ProgramData\\Microsoft\\update.bat (MD5: 3f3ceacdf42e94f43ef3a7bd999f9530) initiated outbound connection to 80.168.177.2 resolving rat-control[.]info. Immediate containment recommended.", "spans": {"MALWARE: Ryuk": [[7, 11]], "SYSTEM: Nginx": [[24, 29]], "FILEPATH: C:\\ProgramData\\Microsoft\\update.bat": [[48, 83]], "HASH: 3f3ceacdf42e94f43ef3a7bd999f9530": [[90, 122]], "IP_ADDRESS: 80.168.177.2": [[157, 169]], "DOMAIN: rat-control[.]info": [[180, 198]]}, "info": {"id": "synth_00068", "source": "synthetic_ioc"}} |
| {"text": "The Ryuk loader contacts three staging URLs: hxxps://net-monitor[.]org/download/payload.exe, hxxp://vpn-tunnel[.]pw/gate.php, and hxxps://loader-bin[.]work/api/beacon. The final payload (SHA256: c5d6a12ee45e4a47e8004f5cd2647949cc6ed3c1e2f7e88805b5193eea5ce634) is downloaded and executed. Fallback C2 is at 210.119.13.143.", "spans": {"MALWARE: Ryuk": [[4, 8]], "URL: hxxps://net-monitor[.]org/download/payload.exe": [[45, 91]], "URL: hxxp://vpn-tunnel[.]pw/gate.php": [[93, 124]], "URL: hxxps://loader-bin[.]work/api/beacon": [[130, 166]], "HASH: c5d6a12ee45e4a47e8004f5cd2647949cc6ed3c1e2f7e88805b5193eea5ce634": [[195, 259]], "IP_ADDRESS: 210.119.13.143": [[307, 321]]}, "info": {"id": "synth_00069", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses support@account-verify.xyz and cloud@storage-share.ru. Links in the emails pointed to auth-portal[.]info hosted at 202.171.136.253. The attached document dropped a payload to C:\\Windows\\Temp\\procdump64.exe with hash a3a4c218208af26165e8fbfbf8e7b8733c71e86f217e1984e0629c26d5deafc5.", "spans": {"EMAIL: support@account-verify.xyz": [[44, 70]], "EMAIL: cloud@storage-share.ru": [[75, 97]], "DOMAIN: auth-portal[.]info": [[130, 148]], "IP_ADDRESS: 202.171.136.253": [[159, 174]], "FILEPATH: C:\\Windows\\Temp\\procdump64.exe": [[219, 249]], "HASH: a3a4c218208af26165e8fbfbf8e7b8733c71e86f217e1984e0629c26d5deafc5": [[260, 324]]}, "info": {"id": "synth_00070", "source": "synthetic_ioc"}} |
| {"text": "Multiple Raccoon Stealer samples identified:\n- SHA256: 7358365e2dc8ea15a4ac6ff2bae98586509a061cf4577616bfd62799064f05b6\n- SHA256: 7e4853f423e45426b3c82c646fba101a7432a3c033a6202c99d2fdada764e56a\n- MD5: dc2756314e6140a5ee196df34e851441\n- MD5: 58b4aa8a743951b94aafdb9936511320\nAll samples beacon to 162.244.194.229 and portal-auth[.]info.", "spans": {"MALWARE: Raccoon Stealer": [[9, 24]], "HASH: 7358365e2dc8ea15a4ac6ff2bae98586509a061cf4577616bfd62799064f05b6": [[55, 119]], "HASH: 7e4853f423e45426b3c82c646fba101a7432a3c033a6202c99d2fdada764e56a": [[130, 194]], "HASH: dc2756314e6140a5ee196df34e851441": [[202, 234]], "HASH: 58b4aa8a743951b94aafdb9936511320": [[242, 274]], "IP_ADDRESS: 162.244.194.229": [[297, 312]], "DOMAIN: portal-auth[.]info": [[317, 335]]}, "info": {"id": "synth_00071", "source": "synthetic_ioc"}} |
| {"text": "Gamaredon used LaZagne for credential dumping and PowerView for lateral movement. Credentials were exfiltrated to 208.110.213.233. The attacker pivoted to 200.230.41.191 and dropped C:\\Windows\\System32\\config\\SAM (MD5: 2d3d729756b6057852305fbbc10e7de0). C2 traffic was routed through portal-auth[.]info.", "spans": {"THREAT_ACTOR: Gamaredon": [[0, 9]], "TOOL: LaZagne": [[15, 22]], "TOOL: PowerView": [[50, 59]], "IP_ADDRESS: 208.110.213.233": [[114, 129]], "IP_ADDRESS: 200.230.41.191": [[155, 169]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[182, 212]], "HASH: 2d3d729756b6057852305fbbc10e7de0": [[219, 251]], "DOMAIN: portal-auth[.]info": [[284, 302]]}, "info": {"id": "synth_00072", "source": "synthetic_ioc"}} |
| {"text": "The LockBit attack began with exploitation of CVE-2024-3400. The ransomware binary (SHA256: bfff65a170a3baa34e9506d0b7cea00f5c5207ac4c64ea20ac5f42b54b3238ff) was deployed to C:\\Windows\\Tasks\\scheduled_task.xml. Ransom negotiation portal was hosted at tunnel-vpn[.]pw (151.197.200.134). Contact email for payment: it-admin@helpdesk-ticket.site.", "spans": {"MALWARE: LockBit": [[4, 11]], "CVE_ID: CVE-2024-3400": [[46, 59]], "HASH: bfff65a170a3baa34e9506d0b7cea00f5c5207ac4c64ea20ac5f42b54b3238ff": [[92, 156]], "FILEPATH: C:\\Windows\\Tasks\\scheduled_task.xml": [[174, 209]], "DOMAIN: tunnel-vpn[.]pw": [[251, 266]], "IP_ADDRESS: 151.197.200.134": [[268, 283]], "EMAIL: it-admin@helpdesk-ticket.site": [[313, 342]]}, "info": {"id": "synth_00073", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for Ryuk infrastructure: cloud-sync[.]work resolved to 141.70.86.82, ransom-pay[.]icu resolved to 217.21.36.39, and key-exchange[.]link was used as a DNS-over-HTTPS tunnel. The implant hash is 670a0458e2ae6803ddebfe79d2709d7f.", "spans": {"MALWARE: Ryuk": [[17, 21]], "DOMAIN: cloud-sync[.]work": [[38, 55]], "IP_ADDRESS: 141.70.86.82": [[68, 80]], "DOMAIN: ransom-pay[.]icu": [[82, 98]], "IP_ADDRESS: 217.21.36.39": [[111, 123]], "DOMAIN: key-exchange[.]link": [[129, 148]], "HASH: 670a0458e2ae6803ddebfe79d2709d7f": [[206, 238]]}, "info": {"id": "synth_00074", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: Dridex\nSHA256: b601cd0b6b131fc59d43c0891e0873165fb98a6d40d28bab6f63311a092d8944\nMD5: 2d7b099313fec62c390f2db3af228261\nFile created: C:\\Windows\\Temp\\nc.exe\nFile modified: C:\\Windows\\System32\\wbem\\scrcons.exe\nNetwork connection: 82.181.55.17\nDNS query: backup-data[.]site\nHTTP request: hxxps://monitor-net[.]org/stage2", "spans": {"MALWARE: Dridex": [[16, 22]], "HASH: b601cd0b6b131fc59d43c0891e0873165fb98a6d40d28bab6f63311a092d8944": [[31, 95]], "HASH: 2d7b099313fec62c390f2db3af228261": [[101, 133]], "FILEPATH: C:\\Windows\\Temp\\nc.exe": [[148, 170]], "FILEPATH: C:\\Windows\\System32\\wbem\\scrcons.exe": [[186, 222]], "IP_ADDRESS: 82.181.55.17": [[243, 255]], "DOMAIN: backup-data[.]site": [[267, 285]], "URL: hxxps://monitor-net[.]org/stage2": [[300, 332]]}, "info": {"id": "synth_00075", "source": "synthetic_ioc"}} |
| {"text": "Analysis of AsyncRAT sample (SHA256: 79d7fc18948dae180b8250a3cc9d08cb6e4b0f47c117536c395bccc4e670a504) revealed command-and-control communication with 188.16.53.214 over port 9090. A secondary C2 channel was observed connecting to auth-token[.]space which resolved to 188.100.232.198. The malware binary was written to C:\\Windows\\System32\\svchost_update.exe and established persistence via a scheduled task.", "spans": {"MALWARE: AsyncRAT": [[12, 20]], "HASH: 79d7fc18948dae180b8250a3cc9d08cb6e4b0f47c117536c395bccc4e670a504": [[37, 101]], "IP_ADDRESS: 188.16.53.214": [[151, 164]], "DOMAIN: auth-token[.]space": [[231, 249]], "IP_ADDRESS: 188.100.232.198": [[268, 283]], "FILEPATH: C:\\Windows\\System32\\svchost_update.exe": [[319, 357]]}, "info": {"id": "synth_00076", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: Mustang Panda compromised the network via initial access from 205.2.242.91. The threat actor deployed LaZagne and exfiltrated data to backup-data[.]site. Lateral movement was observed to 158.193.100.219. A dropper with MD5 hash f5636f298b79b063d39ce8815cf1bfb8 was found at /tmp/.ICE-unix/agent. The exfiltration endpoint monitor-net[.]org was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: Mustang Panda": [[17, 30]], "IP_ADDRESS: 205.2.242.91": [[79, 91]], "TOOL: LaZagne": [[119, 126]], "DOMAIN: backup-data[.]site": [[151, 169]], "IP_ADDRESS: 158.193.100.219": [[204, 219]], "HASH: f5636f298b79b063d39ce8815cf1bfb8": [[245, 277]], "FILEPATH: /tmp/.ICE-unix/agent": [[291, 311]], "DOMAIN: monitor-net[.]org": [[339, 356]]}, "info": {"id": "synth_00077", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from security@alert-notification.icu with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://tunnel-vpn[.]pw/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded Ryuk (SHA256: cf688b58992f4fec836d3b43440af125eca31eb17cfd81e60a166bc6a4a49576) which was saved to C:\\ProgramData\\svchost.exe.", "spans": {"EMAIL: security@alert-notification.icu": [[35, 66]], "URL: hxxps://tunnel-vpn[.]pw/login/verify": [[160, 196]], "MALWARE: Ryuk": [[292, 296]], "HASH: cf688b58992f4fec836d3b43440af125eca31eb17cfd81e60a166bc6a4a49576": [[306, 370]], "FILEPATH: C:\\ProgramData\\svchost.exe": [[391, 417]]}, "info": {"id": "synth_00078", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for Raccoon Stealer campaign:\n- 196.125.8.100\n- 168.172.174.205\n- 181.186.43.216\n- share-files[.]biz\n- auth-portal[.]info\n- SHA256: e8ff7f7c079749f487ed14d34fbc7642aa793944f82e62b35425814c31b417d6\n- MD5: 08a844da4566fe2bc9064c918d811158", "spans": {"MALWARE: Raccoon Stealer": [[16, 31]], "IP_ADDRESS: 196.125.8.100": [[44, 57]], "IP_ADDRESS: 168.172.174.205": [[60, 75]], "IP_ADDRESS: 181.186.43.216": [[78, 92]], "DOMAIN: share-files[.]biz": [[95, 112]], "DOMAIN: auth-portal[.]info": [[115, 133]], "HASH: e8ff7f7c079749f487ed14d34fbc7642aa793944f82e62b35425814c31b417d6": [[144, 208]], "HASH: 08a844da4566fe2bc9064c918d811158": [[216, 248]]}, "info": {"id": "synth_00079", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2021-21972 was attributed to APT29 targeting Windows 11 instances. The exploit payload was served from 179.152.145.170 and communicated with cdn-delivery[.]xyz for command-and-control. Post-exploitation, a webshell (SHA256: 92376589330387034357d5813804d154b6a63c47dd17e2d78055be3fc0bb95bb) was deployed to /home/www-data/.ssh/authorized_keys2.", "spans": {"CVE_ID: CVE-2021-21972": [[16, 30]], "THREAT_ACTOR: APT29": [[49, 54]], "SYSTEM: Windows 11": [[65, 75]], "IP_ADDRESS: 179.152.145.170": [[123, 138]], "DOMAIN: cdn-delivery[.]xyz": [[161, 179]], "HASH: 92376589330387034357d5813804d154b6a63c47dd17e2d78055be3fc0bb95bb": [[244, 308]], "FILEPATH: /home/www-data/.ssh/authorized_keys2": [[326, 362]]}, "info": {"id": "synth_00080", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified LockBit artifacts. The primary payload was located at C:\\Windows\\System32\\drivers\\ndis_helper.sys with SHA256 hash d0d36681a4a8592f410d57c110572bd9e264e0041b98c5781c6847bb2786008a. A secondary implant was found at /lib/x86_64-linux-gnu/.libpam.so (MD5: 844f086613a67b6897b7f319326464b1). Network logs showed outbound connections to 202.47.13.67 and DNS queries to sync-cloud[.]work.", "spans": {"MALWARE: LockBit": [[56, 63]], "FILEPATH: C:\\Windows\\System32\\drivers\\ndis_helper.sys": [[110, 153]], "HASH: d0d36681a4a8592f410d57c110572bd9e264e0041b98c5781c6847bb2786008a": [[171, 235]], "FILEPATH: /lib/x86_64-linux-gnu/.libpam.so": [[270, 302]], "HASH: 844f086613a67b6897b7f319326464b1": [[309, 341]], "IP_ADDRESS: 202.47.13.67": [[388, 400]], "DOMAIN: sync-cloud[.]work": [[420, 437]]}, "info": {"id": "synth_00081", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (SentinelOne): Turla has been observed deploying AsyncRAT in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from it-admin@helpdesk-ticket.site. Infrastructure includes 168.195.226.98, 151.193.244.213, and backup-data[.]site. SHA1 indicator: 596b138be7be8213cbb663c8a0819564bc20a953.", "spans": {"ORGANIZATION: SentinelOne": [[27, 38]], "THREAT_ACTOR: Turla": [[41, 46]], "MALWARE: AsyncRAT": [[75, 83]], "EMAIL: it-admin@helpdesk-ticket.site": [[196, 225]], "IP_ADDRESS: 168.195.226.98": [[251, 265]], "IP_ADDRESS: 151.193.244.213": [[267, 282]], "DOMAIN: backup-data[.]site": [[288, 306]], "HASH: 596b138be7be8213cbb663c8a0819564bc20a953": [[324, 364]]}, "info": {"id": "synth_00082", "source": "synthetic_ioc"}} |
| {"text": "ALERT: Gh0st RAT detected on Confluence Server endpoint. Process C:\\Windows\\Temp\\debug.exe (MD5: 44a95bcfbefb0a37275dacea5d2dc1ee) initiated outbound connection to 23.121.5.192 resolving monitor-net[.]org. Immediate containment recommended.", "spans": {"MALWARE: Gh0st RAT": [[7, 16]], "SYSTEM: Confluence Server": [[29, 46]], "FILEPATH: C:\\Windows\\Temp\\debug.exe": [[65, 90]], "HASH: 44a95bcfbefb0a37275dacea5d2dc1ee": [[97, 129]], "IP_ADDRESS: 23.121.5.192": [[164, 176]], "DOMAIN: monitor-net[.]org": [[187, 204]]}, "info": {"id": "synth_00083", "source": "synthetic_ioc"}} |
| {"text": "The Ryuk loader contacts three staging URLs: hxxps://net-monitor[.]org/download/payload.exe, hxxp://phish-kit[.]xyz/gate.php, and hxxps://cloud-sync[.]work/api/beacon. The final payload (SHA256: 82fe0cca4972d3763826f9839a91712aaf066a7426f6212f9ff51ac6902fb5b3) is downloaded and executed. Fallback C2 is at 194.194.8.244.", "spans": {"MALWARE: Ryuk": [[4, 8]], "URL: hxxps://net-monitor[.]org/download/payload.exe": [[45, 91]], "URL: hxxp://phish-kit[.]xyz/gate.php": [[93, 124]], "URL: hxxps://cloud-sync[.]work/api/beacon": [[130, 166]], "HASH: 82fe0cca4972d3763826f9839a91712aaf066a7426f6212f9ff51ac6902fb5b3": [[195, 259]], "IP_ADDRESS: 194.194.8.244": [[307, 320]]}, "info": {"id": "synth_00084", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses billing@invoice-payment.work and attacker@malicious-domain.com. Links in the emails pointed to deploy-code[.]store hosted at 82.62.33.122. The attached document dropped a payload to C:\\ProgramData\\Microsoft\\update.bat with hash d1710e340a054ce3298777fbee99bbd044f4c04122e990edbb27e234d6f20d75.", "spans": {"EMAIL: billing@invoice-payment.work": [[44, 72]], "EMAIL: attacker@malicious-domain.com": [[77, 106]], "DOMAIN: deploy-code[.]store": [[139, 158]], "IP_ADDRESS: 82.62.33.122": [[169, 181]], "FILEPATH: C:\\ProgramData\\Microsoft\\update.bat": [[226, 261]], "HASH: d1710e340a054ce3298777fbee99bbd044f4c04122e990edbb27e234d6f20d75": [[272, 336]]}, "info": {"id": "synth_00085", "source": "synthetic_ioc"}} |
| {"text": "Multiple RedLine Stealer samples identified:\n- SHA256: 205f238dc5be5ac306c2930ed04cab4a56d0bccc5ec87d14c88f6f08cc5cbef9\n- SHA256: 998d6b610850e314e82f2d4abfef7038f6cf8f51180df00a05c172094c9e0a81\n- MD5: 5b0ba166d78934d2c4a5467af9ebe098\n- MD5: 55853f9dc3fbbccd2cfa4fa654bba2a3\nAll samples beacon to 109.120.180.66 and botnet-cmd[.]biz.", "spans": {"MALWARE: RedLine Stealer": [[9, 24]], "HASH: 205f238dc5be5ac306c2930ed04cab4a56d0bccc5ec87d14c88f6f08cc5cbef9": [[55, 119]], "HASH: 998d6b610850e314e82f2d4abfef7038f6cf8f51180df00a05c172094c9e0a81": [[130, 194]], "HASH: 5b0ba166d78934d2c4a5467af9ebe098": [[202, 234]], "HASH: 55853f9dc3fbbccd2cfa4fa654bba2a3": [[242, 274]], "IP_ADDRESS: 109.120.180.66": [[297, 311]], "DOMAIN: botnet-cmd[.]biz": [[316, 332]]}, "info": {"id": "synth_00086", "source": "synthetic_ioc"}} |
| {"text": "Vice Society used PsExec for credential dumping and Metasploit for lateral movement. Credentials were exfiltrated to 51.200.210.42. The attacker pivoted to 159.28.149.7 and dropped C:\\Users\\Public\\desktop.ini (MD5: 2570f7222e2bcc72de49186867798c20). C2 traffic was routed through verify-cert[.]dev.", "spans": {"THREAT_ACTOR: Vice Society": [[0, 12]], "TOOL: PsExec": [[18, 24]], "TOOL: Metasploit": [[52, 62]], "IP_ADDRESS: 51.200.210.42": [[117, 130]], "IP_ADDRESS: 159.28.149.7": [[156, 168]], "FILEPATH: C:\\Users\\Public\\desktop.ini": [[181, 208]], "HASH: 2570f7222e2bcc72de49186867798c20": [[215, 247]], "DOMAIN: verify-cert[.]dev": [[280, 297]]}, "info": {"id": "synth_00087", "source": "synthetic_ioc"}} |
| {"text": "The BlackBasta attack began with exploitation of CVE-2022-30190. The ransomware binary (SHA256: de677543330be835edcc1583b47d5f8d71db0f27bfd06b307ac9a72fa575b4f9) was deployed to C:\\Recovery\\WindowsRE\\agent.exe. Ransom negotiation portal was hosted at cloud-sync[.]work (179.242.184.51). Contact email for payment: security@alert-notification.icu.", "spans": {"MALWARE: BlackBasta": [[4, 14]], "CVE_ID: CVE-2022-30190": [[49, 63]], "HASH: de677543330be835edcc1583b47d5f8d71db0f27bfd06b307ac9a72fa575b4f9": [[96, 160]], "FILEPATH: C:\\Recovery\\WindowsRE\\agent.exe": [[178, 209]], "DOMAIN: cloud-sync[.]work": [[251, 268]], "IP_ADDRESS: 179.242.184.51": [[270, 284]], "EMAIL: security@alert-notification.icu": [[314, 345]]}, "info": {"id": "synth_00088", "source": "synthetic_ioc"}} |
| {"text": "DNS analysis for Vidar infrastructure: loader-bin[.]work resolved to 62.204.252.145, botnet-cmd[.]biz resolved to 194.89.137.110, and code-deploy[.]store was used as a DNS-over-HTTPS tunnel. The implant hash is c0bc160f87890fec6a66ec19324b27bb.", "spans": {"MALWARE: Vidar": [[17, 22]], "DOMAIN: loader-bin[.]work": [[39, 56]], "IP_ADDRESS: 62.204.252.145": [[69, 83]], "DOMAIN: botnet-cmd[.]biz": [[85, 101]], "IP_ADDRESS: 194.89.137.110": [[114, 128]], "DOMAIN: code-deploy[.]store": [[134, 153]], "HASH: c0bc160f87890fec6a66ec19324b27bb": [[211, 243]]}, "info": {"id": "synth_00089", "source": "synthetic_ioc"}} |
| {"text": "Sandbox Report: BlackCat\nSHA256: 26cea5ea41514dd4d3f0078f5aa41319d387b3437c362c9abd13ac3232041be4\nMD5: a74a5f3e9e93a7d4d96d853ff54bb5a6\nFile created: C:\\Windows\\Temp\\nc.exe\nFile modified: C:\\Windows\\System32\\config\\SAM\nNetwork connection: 212.130.166.88\nDNS query: update-service[.]net\nHTTP request: hxxps://data-backup[.]site/stage2", "spans": {"MALWARE: BlackCat": [[16, 24]], "HASH: 26cea5ea41514dd4d3f0078f5aa41319d387b3437c362c9abd13ac3232041be4": [[33, 97]], "HASH: a74a5f3e9e93a7d4d96d853ff54bb5a6": [[103, 135]], "FILEPATH: C:\\Windows\\Temp\\nc.exe": [[150, 172]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[188, 218]], "IP_ADDRESS: 212.130.166.88": [[239, 253]], "DOMAIN: update-service[.]net": [[265, 285]], "URL: hxxps://data-backup[.]site/stage2": [[300, 333]]}, "info": {"id": "synth_00090", "source": "synthetic_ioc"}} |
| {"text": "Analysis of Agent Tesla sample (SHA256: 4b2d128750932e9d1fe69c583d6ad54f5a829a51612a902776cbc082e3cb8dd1) revealed command-and-control communication with 171.163.229.213 over port 80. A secondary C2 channel was observed connecting to vpn-tunnel[.]pw which resolved to 201.182.40.112. The malware binary was written to C:\\Users\\Public\\Libraries\\shell.ps1 and established persistence via a scheduled task.", "spans": {"MALWARE: Agent Tesla": [[12, 23]], "HASH: 4b2d128750932e9d1fe69c583d6ad54f5a829a51612a902776cbc082e3cb8dd1": [[40, 104]], "IP_ADDRESS: 171.163.229.213": [[154, 169]], "DOMAIN: vpn-tunnel[.]pw": [[234, 249]], "IP_ADDRESS: 201.182.40.112": [[268, 282]], "FILEPATH: C:\\Users\\Public\\Libraries\\shell.ps1": [[318, 353]]}, "info": {"id": "synth_00091", "source": "synthetic_ioc"}} |
| {"text": "Incident Report: Gamaredon compromised the network via initial access from 213.199.124.120. The threat actor deployed BloodHound and exfiltrated data to token-auth[.]space. Lateral movement was observed to 196.212.188.152. A dropper with MD5 hash 276a463eb76edb23baa19d5eaeb35a65 was found at C:\\Windows\\System32\\config\\SAM. The exfiltration endpoint micro-update[.]net was registered 48 hours before the attack.", "spans": {"THREAT_ACTOR: Gamaredon": [[17, 26]], "IP_ADDRESS: 213.199.124.120": [[75, 90]], "TOOL: BloodHound": [[118, 128]], "DOMAIN: token-auth[.]space": [[153, 171]], "IP_ADDRESS: 196.212.188.152": [[206, 221]], "HASH: 276a463eb76edb23baa19d5eaeb35a65": [[247, 279]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[293, 323]], "DOMAIN: micro-update[.]net": [[351, 369]]}, "info": {"id": "synth_00092", "source": "synthetic_ioc"}} |
| {"text": "A phishing email was received from it-admin@helpdesk-ticket.site with subject line 'Urgent Account Verification Required'. The email contained a hyperlink to hxxps://portal-auth[.]info/login/verify which redirected to a credential harvesting page. Victims who clicked the link also downloaded Ryuk (SHA256: 33af21e00813dd9554b194f7b8e5707a40c369ccedb2afd70840707b1e10e6a4) which was saved to C:\\ProgramData\\VMware\\update_service.dll.", "spans": {"EMAIL: it-admin@helpdesk-ticket.site": [[35, 64]], "URL: hxxps://portal-auth[.]info/login/verify": [[158, 197]], "MALWARE: Ryuk": [[293, 297]], "HASH: 33af21e00813dd9554b194f7b8e5707a40c369ccedb2afd70840707b1e10e6a4": [[307, 371]], "FILEPATH: C:\\ProgramData\\VMware\\update_service.dll": [[392, 432]]}, "info": {"id": "synth_00093", "source": "synthetic_ioc"}} |
| {"text": "IOC Summary for SystemBC campaign:\n- 176.87.8.127\n- 163.47.125.55\n- 170.205.67.88\n- token-auth[.]space\n- exchange-key[.]link\n- SHA256: c7a3248802356f2909f65c31ea904a5f52d37b28920010d6b50a8f3d6ea31e3e\n- MD5: a94e1f02269e45863ee08a25c65ce4d3", "spans": {"MALWARE: SystemBC": [[16, 24]], "IP_ADDRESS: 176.87.8.127": [[37, 49]], "IP_ADDRESS: 163.47.125.55": [[52, 65]], "IP_ADDRESS: 170.205.67.88": [[68, 81]], "DOMAIN: token-auth[.]space": [[84, 102]], "DOMAIN: exchange-key[.]link": [[105, 124]], "HASH: c7a3248802356f2909f65c31ea904a5f52d37b28920010d6b50a8f3d6ea31e3e": [[135, 199]], "HASH: a94e1f02269e45863ee08a25c65ce4d3": [[207, 239]]}, "info": {"id": "synth_00094", "source": "synthetic_ioc"}} |
| {"text": "Exploitation of CVE-2023-27997 was attributed to Scattered Spider targeting VMware ESXi instances. The exploit payload was served from 91.133.243.49 and communicated with mail-relay[.]icu for command-and-control. Post-exploitation, a webshell (SHA256: 9e2befedac5abe4b2de561d634496b5b51152858af53255551e0896452463601) was deployed to /var/log/.access_log.", "spans": {"CVE_ID: CVE-2023-27997": [[16, 30]], "THREAT_ACTOR: Scattered Spider": [[49, 65]], "SYSTEM: VMware ESXi": [[76, 87]], "IP_ADDRESS: 91.133.243.49": [[135, 148]], "DOMAIN: mail-relay[.]icu": [[171, 187]], "HASH: 9e2befedac5abe4b2de561d634496b5b51152858af53255551e0896452463601": [[252, 316]], "FILEPATH: /var/log/.access_log": [[334, 354]]}, "info": {"id": "synth_00095", "source": "synthetic_ioc"}} |
| {"text": "Forensic examination of the compromised host identified NjRAT artifacts. The primary payload was located at C:\\Windows\\System32\\config\\SAM with SHA256 hash 7a8cc24b994c7c318704dd8d3bbb571c714ac7eea8d5784c53b4b995c95073ea. A secondary implant was found at /dev/shm/.payload (MD5: 1bafa6cfe9b2fe395dd1ca0684cc9557). Network logs showed outbound connections to 141.177.122.166 and DNS queries to ransom-pay[.]icu.", "spans": {"MALWARE: NjRAT": [[56, 61]], "FILEPATH: C:\\Windows\\System32\\config\\SAM": [[108, 138]], "HASH: 7a8cc24b994c7c318704dd8d3bbb571c714ac7eea8d5784c53b4b995c95073ea": [[156, 220]], "FILEPATH: /dev/shm/.payload": [[255, 272]], "HASH: 1bafa6cfe9b2fe395dd1ca0684cc9557": [[279, 311]], "IP_ADDRESS: 141.177.122.166": [[358, 373]], "DOMAIN: ransom-pay[.]icu": [[393, 409]]}, "info": {"id": "synth_00096", "source": "synthetic_ioc"}} |
| {"text": "Threat Intelligence Brief (Microsoft): TA505 has been observed deploying ShadowPad in a new campaign targeting financial institutions. Initial access is gained through spear-phishing emails from service@subscription-renew.io. Infrastructure includes 31.76.57.104, 142.79.170.149, and api-gateway[.]club. SHA1 indicator: cd4410dfed4e22664a2b531427f9c8747a95f869.", "spans": {"ORGANIZATION: Microsoft": [[27, 36]], "THREAT_ACTOR: TA505": [[39, 44]], "MALWARE: ShadowPad": [[73, 82]], "EMAIL: service@subscription-renew.io": [[195, 224]], "IP_ADDRESS: 31.76.57.104": [[250, 262]], "IP_ADDRESS: 142.79.170.149": [[264, 278]], "DOMAIN: api-gateway[.]club": [[284, 302]], "HASH: cd4410dfed4e22664a2b531427f9c8747a95f869": [[320, 360]]}, "info": {"id": "synth_00097", "source": "synthetic_ioc"}} |
| {"text": "ALERT: FormBook detected on Confluence Server endpoint. Process C:\\Windows\\System32\\wbem\\scrcons.exe (MD5: 07b886ef8000f150a2eed13a1baded0c) initiated outbound connection to 211.89.109.191 resolving collect-log[.]tech. Immediate containment recommended.", "spans": {"MALWARE: FormBook": [[7, 15]], "SYSTEM: Confluence Server": [[28, 45]], "FILEPATH: C:\\Windows\\System32\\wbem\\scrcons.exe": [[64, 100]], "HASH: 07b886ef8000f150a2eed13a1baded0c": [[107, 139]], "IP_ADDRESS: 211.89.109.191": [[174, 188]], "DOMAIN: collect-log[.]tech": [[199, 217]]}, "info": {"id": "synth_00098", "source": "synthetic_ioc"}} |
| {"text": "The Bumblebee loader contacts three staging URLs: hxxps://loader-bin[.]work/download/payload.exe, hxxp://share-files[.]biz/gate.php, and hxxps://token-auth[.]space/api/beacon. The final payload (SHA256: 0dca123ba69c7c94a793d25435d3a271d9c66b68f6a5b90b3454a57293902f5d) is downloaded and executed. Fallback C2 is at 159.65.60.31.", "spans": {"MALWARE: Bumblebee": [[4, 13]], "URL: hxxps://loader-bin[.]work/download/payload.exe": [[50, 96]], "URL: hxxp://share-files[.]biz/gate.php": [[98, 131]], "URL: hxxps://token-auth[.]space/api/beacon": [[137, 174]], "HASH: 0dca123ba69c7c94a793d25435d3a271d9c66b68f6a5b90b3454a57293902f5d": [[203, 267]], "IP_ADDRESS: 159.65.60.31": [[315, 327]]}, "info": {"id": "synth_00099", "source": "synthetic_ioc"}} |
| {"text": "The phishing campaign used sender addresses billing@invoice-payment.work and finance@wire-transfer.info. Links in the emails pointed to system-patch[.]online hosted at 213.244.196.177. The attached document dropped a payload to C:\\Temp\\mimikatz.exe with hash 17651044fe287d9c07ab69897ae5f01a42611bb669861d99542cda2c23e9d92b.", "spans": {"EMAIL: billing@invoice-payment.work": [[44, 72]], "EMAIL: finance@wire-transfer.info": [[77, 103]], "DOMAIN: system-patch[.]online": [[136, 157]], "IP_ADDRESS: 213.244.196.177": [[168, 183]], "FILEPATH: C:\\Temp\\mimikatz.exe": [[228, 248]], "HASH: 17651044fe287d9c07ab69897ae5f01a42611bb669861d99542cda2c23e9d92b": [[259, 323]]}, "info": {"id": "synth_00100", "source": "synthetic_ioc"}} |