Pulse Detail — Threat Intelligence

PULSE NAME

Sednit update: Analysis of Zebrocy

WHITE Sofacy AlienVault 2018-04-24 Modified: 2018-12-05

108

IOCs

HIGH VOLUME

The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – is a group of attackers operating since 2004, if not earlier, and whose main objective is to steal confidential information from specific targets. Toward the end of 2015, we started seeing a new component deployed by the group; a downloader for the main Sednit backdoor, Xagent. Kaspersky mentioned this component for the first time in 2017 in their APT trend report and recently wrote an article where they quickly described it under the name Zebrocy. This new component is a family of malware, comprising downloaders and backdoors written in Delphi and AutoIt. These components play the same role in the Sednit ecosystem as Seduploader; that of first-stage malware.

Indicators of Compromise (108)

All domain URL FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	rammatica.com	—	2018-04-24
URL	http://142.0.68.2/test-update-16-8852418/temp727612430/checkUpdate89732468.php	—	2018-04-24
URL	http://142.0.68.2/test-update-17-8752417/temp827612480/checkUpdate79832467.php	—	2018-04-24
URL	http://185.25.50.93/syshelp/kd8812u/protocol.php	—	2018-04-24
URL	http://185.25.50.93/tech99-04/litelib1/setwsdv4.php	—	2018-04-24
URL	http://185.25.50.93/techicalBS391-two/supptech18i/suppid.php	—	2018-04-24
URL	http://185.25.51.114/get-help-software/get-app-c/error-code-lookup.php	—	2018-04-24
URL	http://185.25.51.164/srv_upd_dest_two/destBB/en.php	—	2018-04-24
URL	http://185.25.51.198/get-data/searchId/get.php	—	2018-04-24
URL	http://185.25.51.198/stream-upd-service-two/definition/event.php	—	2018-04-24
URL	http://185.77.129.152/wWpYdSMRulkdp/arpz/MsKZrpUfe.php	—	2018-04-24
URL	http://188.241.68.121/update/dB-Release/NewBaseCheck.php	—	2018-04-24
URL	http://194.187.249.126/database-update-centre/check-system-version/id=18862.php	—	2018-04-24
URL	http://194.187.249.126/security-services-DMHA-group/info-update-version/id77820082.php	—	2018-04-24
URL	http://213.103.67.193/ghflYvz/vmwWIdx/realui.php	—	2018-04-24
URL	http://213.252.244.219/client-update-info/version-id/version333.php	—	2018-04-24
URL	http://213.252.244.219/cumulative-security-update/Summary/details.php	—	2018-04-24
URL	http://213.252.245.132/search-release/Search-Version/crmclients.php	—	2018-04-24
URL	http://213.252.245.132/setting-the-os-release/Support-OS-release/ApiMap.php	—	2018-04-24
URL	http://220.158.216.127/search-sys-update-release/base-sync/db7749sc.php	—	2018-04-24
URL	http://222.15.23.121/gft_piyes/ndhfkuryhs09/fdfd_iunb_hhert_ps.php	—	2018-04-24
URL	http://46.102.152.127/messageID/get-data/SecurityID.php	—	2018-04-24
URL	http://46.183.223.227/services-check-update/security-certificate-11-554/CheckNow864.php	—	2018-04-24
URL	http://80.255.6.5/LoG-statistic8397420934809/date-update9048353094c/StaticIpUpdateLog23741033.php	—	2018-04-24
URL	http://80.255.6.5/daily-update-certifaicates52735462534234/update-15.dat	—	2018-04-24
URL	http://86.105.18.106/apps.update/DetailsID/clientPID-118253.php	—	2018-04-24
URL	http://86.105.18.106/data-extract/timermodule/update-client.php	—	2018-04-24
URL	http://86.105.18.106/debug-info/pluginId/CLISD1934.php	—	2018-04-24
URL	http://86.105.18.106/ram-data/managerId/REM1234.php	—	2018-04-24
URL	http://86.105.18.106/versionID/Plugin0899/debug-release01119/debug-19.app	—	2018-04-24
URL	http://86.105.18.111/UpdateCertificate33-33725cnm^BB/CheckerNow-saMbA-99-36^11/CheckerSerface^8830-11.php	—	2018-04-24
URL	http://86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php	—	2018-04-24
URL	http://86.106.131.177/srvSettings/conf4421i/support.php	—	2018-04-24
URL	http://89.249.65.166/clientid-and-uniqued-r2/the-differenceU/Events76.php	—	2018-04-24
URL	http://89.249.65.166/int-release/check-user/userid.php	—	2018-04-24
URL	http://89.249.65.234/guard-service/Servers-ip4/upd-release/mdb4	—	2018-04-24
URL	http://89.40.181.126/verification-online/service.911-19/check-verification-88291.php	—	2018-04-24
URL	http://89.45.67.153/grenadLibS44-two/fIndToClose12t3/sol41.php	—	2018-04-24
URL	http://89.45.67.153/supportfsys/t863321i/func112SerErr.php	—	2018-04-24
URL	http://93.113.131.117/KB7735-9927/security-serv/opt.php	—	2018-04-24
URL	http://93.113.131.155/Verifica-El-Lanzamiento/Ayuda-Del-Sistema/obtenerId.php	—	2018-04-24
URL	http://93.115.38.132/wWpYdSMRulkdp/arpz/MsKZrpUfe.php	—	2018-04-24
URL	http://rammatica.com/QqrAzMjp/CmKjzk/EspTkzmH.php	—	2018-04-24
URL	http://rammatica.com/QqrAzMjp/CmKjzk/OspRkzmG.php	—	2018-04-24
FileHash-SHA1	00b39f2deaf1f1fc29e5acb63f4d1100e04fd701	—	2018-04-24
FileHash-SHA1	07e44b44c5f1043d16f6011a2cf0d2e7c5a52787	—	2018-04-24
FileHash-SHA1	0983d940ba42135106bf7a1e87ed5a1975fc7ead	—	2018-04-24
FileHash-SHA1	0cd61d367dd0b13000774ab77abf3d4cfb713c8e	—	2018-04-24
FileHash-SHA1	0f946f619ae8e2181a5bd76c8af03347742765c6	—	2018-04-24
FileHash-SHA1	185ab7a371b58ff367c155ec0dabe28842d340bd	—	2018-04-24
FileHash-SHA1	226083c7190f1a939d5b7b352400450690d59f65	—	2018-04-24
FileHash-SHA1	245868d6805c66181808973e93f23293d6d2f7d1	—	2018-04-24
FileHash-SHA1	267abd7105ac26d5cb6ecb96292f83708f64b994	—	2018-04-24
FileHash-SHA1	2900ed173a9f5dc99f905942a6be595cc6f03387	—	2018-04-24
FileHash-SHA1	2b5a7f4e054d0130883c8821b629121e0228bf54	—	2018-04-24
FileHash-SHA1	2c01ae417e5de213845b1ed46d4e82d45edd598d	—	2018-04-24
FileHash-SHA1	36b5e59a01e7f244d4a3bbb539e57aa468115dc8	—	2018-04-24
FileHash-SHA1	37bd951c483da057337ef8f38d6e48051cbb39d0	—	2018-04-24
FileHash-SHA1	41686703ce9e9aec64b6ad1c516746751219bc62	—	2018-04-24
FileHash-SHA1	4a6dcbccab5344388b331d543cc2260ca531c7ca	—	2018-04-24
FileHash-SHA1	4ccbe222bd97dc229b36efaf52520939da9d51c8	—	2018-04-24
FileHash-SHA1	4e6470f4a245efaa138c8c6eedb046e916706383	—	2018-04-24
FileHash-SHA1	4f07d18475601d0492cbf678ee0f0860c729910e	—	2018-04-24
FileHash-SHA1	51ae516792570bcd069a657c27859cd3fdc07d00	—	2018-04-24
FileHash-SHA1	54b14fc84f152b43c63babc46f2597b053e94627	—	2018-04-24
FileHash-SHA1	55179f0c6bce5a37311a44efe3f9845096c09668	—	2018-04-24
FileHash-SHA1	62dcf2f33ecc6014fa9a10f4e9ac9fd9bb0a6d23	—	2018-04-24
FileHash-SHA1	6fd7ce97061169b835ea77976651b5bf20aca4ef	—	2018-04-24
FileHash-SHA1	7349843e4dac1226ad6ce3e3cda8c389dd599548	—	2018-04-24
FileHash-SHA1	7b5c223a4968cc2190c1b5444cad47187d27ec50	—	2018-04-24
FileHash-SHA1	83882e13b369986b513f4aae245c112b82ec2097	—	2018-04-24
FileHash-SHA1	8aedf7a462024acf72d708c89230e4f02d94bc78	—	2018-04-24
FileHash-SHA1	8bd56b580974ae195e9f92b3aa525547d33434c1	—	2018-04-24
FileHash-SHA1	9beacd8e145fa01e16409d44d8b9470af6c7afd8	—	2018-04-24
FileHash-SHA1	a172fe6e91170f858c8ce5d734c094996bdf83d0	—	2018-04-24
FileHash-SHA1	ae93b6ec2d56512a1c7e8c053d2a6ce6fdfb7e4c	—	2018-04-24
FileHash-SHA1	afd5a60b7fff4deea15f7011339ad2cc2987a937	—	2018-04-24
FileHash-SHA1	b8b847d3d0139db68dba730b3424b29dcb40b3c7	—	2018-04-24
FileHash-SHA1	c0271dbb02636402742c390ffbeee6418f696668	—	2018-04-24
FileHash-SHA1	c08d89c7f7be69d5d705d4ac7e24e8f48e22faaf	—	2018-04-24
FileHash-SHA1	c2f3ca699aef3d226a800c2262efdca1470e00dc	—	2018-04-24
FileHash-SHA1	cdf9c24b86bc9a872035dcf3f53f380c904ed98b	—	2018-04-24
FileHash-SHA1	d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762	—	2018-04-24
FileHash-SHA1	d4ab51bc5c26183771e3358d76e348943f9dd2fc	—	2018-04-24
FileHash-SHA1	d6fdc72792ee736b8d606d40d72cb89d6e8a3e18	—	2018-04-24
FileHash-SHA1	dabeadf0a9af3a8a0802f8445670806cd7671b1d	—	2018-04-24
FileHash-SHA1	f10b2c052afc07e2dec9dbe816031059fdc900ba	—	2018-04-24
FileHash-SHA1	f63e29621c8becac47ae6eac7bf9577bd0a37b73	—	2018-04-24
FileHash-SHA1	fea8752d90d2b4f0fc49ac0d58d62090782d8c5b	—	2018-04-24
FileHash-SHA256	044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126	—	2018-10-29
FileHash-SHA256	1ff4e56419ad1814726ca143fc256cca4c8588605536c48dd79cfed12cb0763a	—	2018-10-29
FileHash-SHA256	297819bf06e4f7dda0de1b3c52bb59ede282aba04fe68935d8c3d065dcadab8a	—	2018-10-29
FileHash-SHA256	2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2	—	2018-10-29
FileHash-SHA256	40318f3593bca859673827b88d65c5d2f0d80a76948be936a60bda67dff27be9	—	2018-10-29
FileHash-SHA256	5223a45d8b08eb14e87a87edaa4b71593b4f9d2bdb6de1a5b6f3e77869eeca8a	—	2018-10-29
FileHash-SHA256	736dca8fdbe0a9cbf0982a5fd540d7b31eccb83ad1e63393a8c3ce6b379f6c9d	—	2018-10-29
FileHash-SHA256	7a0e678b94291e82c34d3861e14f81e5cd29b9b459d7cc85e469f2dfe90a20b1	—	2018-10-29
FileHash-SHA256	a15a4e21fe3b06870d52f7383ef45e4ac0dde727b02b3d340f0ba6346b43add1	—	2018-10-29
FileHash-SHA256	d7be92ade776e5e2d418a2f8cf20e8d862039c03dfdabd846ba267f16b052fbf	—	2018-10-29
FileHash-SHA256	dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998	—	2018-10-29
FileHash-SHA256	e2f3caade127e855fdec68faf8eea845fed9ae98ea17cd74644e57de91fb6e11	—	2018-10-29
URL	http://145.249.105.165/doc/temp/	—	2018-10-29
FileHash-SHA256	c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65	—	2018-11-14
FileHash-SHA256	074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426	—	2018-11-14
FileHash-SHA256	1851d96696d3db565c028e7fb5164d7c8428973b939b9e6185dd573e7408b194	—	2018-11-20
FileHash-SHA256	90926500594d9cdb194bd10da8b62e37591ad92ca890846594de35e952919bcb	—	2018-11-20
FileHash-SHA256	03ff895c99555f00792a41e3b014f16ef6b4bb0c74d1fa2237a6a9275e2b2109	—	2018-12-05
FileHash-SHA256	cda841969847c626f9e477b5edfb6522ebbeabe055c4a0acce570d9d2922bb94	—	2018-12-05

References (1)

↗ https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/