Pulse Detail — Threat Intelligence

PULSE NAME

Regin

WHITE Regin AlienVault 2014-11-24 Modified: 2019-01-23

IOCs

HIGH VOLUME

Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals. Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers.

Indicators of Compromise (60)

All FileHash-MD5 YARA FileHash-SHA256 FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	ba7bb65634ce1e30c1e5415be3d1db1d	—	2017-08-23
FileHash-MD5	1c024e599ac055312a4ab75b3950040a	—	2017-08-23
FileHash-MD5	e63422e458afdfe111bd0b87c1e9772c	—	2017-08-23
FileHash-MD5	c053a0a3f1edcbbfc9b51bc640e808ce	—	2017-08-23
FileHash-MD5	47d0e8f9d7a6429920329207a32ecc2e	—	2017-08-23
FileHash-MD5	4b6b86c7fec1c574706cecedf44abded	—	2017-08-23
FileHash-MD5	b9e4f9d32ce59e7c4daf6b237c330e25	—	2017-08-23
FileHash-MD5	885dcd517faf9fac655b8da66315462d	—	2017-08-23
FileHash-MD5	b505d65721bb2453d5039a389113b566	—	2017-08-23
FileHash-MD5	de3547375fbf5f4cb4b14d53f413c503	—	2017-08-23
FileHash-MD5	db405ad775ac887a337b02ea8b07fddc	—	2017-08-23
FileHash-MD5	a1d727340158ec0af81a845abd3963c1	—	2017-08-23
FileHash-MD5	06665b96e293b23acc80451abb413e50	—	2017-08-23
FileHash-MD5	18d4898d82fcb290dfed2a9f70d66833	—	2017-08-23
FileHash-MD5	b269894f434657db2b15949641a67532	—	2017-08-23
FileHash-MD5	d240f06e98c8d3e647cbf4d442d79475	—	2017-08-23
FileHash-MD5	bfbe8c3ee78750c3a520480700e440f8	—	2017-08-23
FileHash-MD5	1e4076caa08e41a5befc52efd74819ea	—	2017-08-23
FileHash-MD5	ffb0b9b5b610191051a7bdf0806e1e47	—	2017-08-23
FileHash-MD5	68297fde98e9c0c29cecc0ebf38bde95	—	2017-08-23
FileHash-MD5	bddf5afbea2d0eed77f2ad4e9a4f044d	—	2017-08-23
FileHash-MD5	da03648948475b2d0e3e2345d7a9bbbb	—	2017-08-23
FileHash-MD5	d446b1ed24dad48311f287f3c65aeb80	—	2017-08-23
FileHash-MD5	01c2f321b6bfdb9473c079b0797567ba	—	2017-08-23
FileHash-MD5	8486ec3112e322f9f468bdea3005d7b5	—	2017-08-23
FileHash-MD5	2c8b9d2885543d7ade3cae98225e263b	—	2017-08-23
FileHash-MD5	187044596bc1328efa0ed636d8aa4a5c	—	2017-08-23
FileHash-MD5	744c07e886497f7b68f6f7fe57b7ab54	—	2017-08-23
FileHash-MD5	6662c390b2bbbd291ec7987388fc75d7	—	2017-08-23
FileHash-MD5	6cf5dc32e1f6959e7354e85101ec219a	—	2017-08-23
FileHash-MD5	b29ca4f22ae7b7b25f79c1d4a421139d	—	2017-08-23
FileHash-MD5	26297dc3cd0b688de3b846983c5385e5	—	2017-08-23
YARA	faf4eb87e9e4ecb2a924ce3aa31f486995fe01da	—	2017-08-23
YARA	56cf5ea6f79923b021acdae40bd4eeb80df9d8c2	—	2017-08-23
YARA	314650529c9fbde8d9c215054ff2d02fa8b6d35a	—	2017-08-23
YARA	990a4596724ed6939af90d209c20ead40d7c91a7	—	2017-08-23
YARA	883499249de4259a30453113a09dbd0b7ffd63c8	—	2017-08-23
YARA	302760187ee77952c6f14f1e98f9bfdf8948adc6	—	2017-08-23
YARA	db3319416a238aafe28fb3ac1a7028df7b08ff93	—	2017-08-23
YARA	ef0c4afdcd17f4150b8bdc92e524cfae7905ba78	—	2017-08-23
YARA	19c97f98c315c68782d980c76a944a0260f61a92	—	2017-08-23
YARA	480f70c4858995bb55566eb6cff3ffb51b09b568	—	2017-08-23
YARA	4ee233f27137086de33814d1fce4e0b8fb94ec80	—	2017-08-23
YARA	353ae6a4252465295bee8a0efdc77f733cc9abbf	—	2017-08-23
YARA	21f6dbfce85d8e903560d19c56caf6ca20eac435	—	2017-08-23
YARA	00f636808f97e6788191754bcb1c3f1ea5be23ca	—	2017-08-23
YARA	3a12a0db67ed295e5331558b7fa84f1f4eee13ee	—	2017-08-23
YARA	6d3a7566ce588d9e231c835486875aee9f121b4e	—	2017-08-23
FileHash-SHA256	4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be	—	2017-08-23
FileHash-SHA256	e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935	—	2017-08-23
FileHash-SHA256	fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129	—	2017-08-23
FileHash-MD5	29105f46e4d33f66fee346cfd099d1cc	—	2017-08-23
FileHash-MD5	6c34031d7a5fc2b091b623981a8ae61c	—	2017-08-23
FileHash-SHA1	5164edc1d54f10b7cb00a266a1b52c623ab005e2	—	2017-08-23
FileHash-SHA1	732298fa025ed48179a3a2555b45be96f7079712	—	2017-08-23
FileHash-SHA1	773d7fab06807b5b1bc2d74fa80343e83593caf2	—	2017-08-23
FileHash-SHA1	8487a961c8244004c9276979bb4b0c14392fc3b8	—	2017-08-23
FileHash-SHA1	a7b285d4b896b66fce0ebfcd15db53b3a74a0400	—	2017-08-23
FileHash-SHA1	bcf3461d67b39a427c83f9e39b9833cfec977c61	—	2017-08-23
FileHash-SHA1	e0895336617e0b45b312383814ec6783556d7635	—	2017-08-23

References (3)

↗ https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf ↗ https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/ ↗ https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf