Pulse: Continued activity by APT28
TLP: WHITE | Adversary: Sofacy | Author: AlienVault | Created: 2019-05-30 | Modified: 2019-10-02
30 IOCs (medium volume)
Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts strings and URLs using two observed encryption keys: one for string decryption and another for URL decryption. Strings are decrypted and then concatenated to build URLs that may be backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity: first google.com is decrypted, followed by yahoo.com. A DNS request is then generated for google.com; if that fails, it attempts to reach yahoo.com. If either attempt succeeds, the file calls out to what appears to be a C2 node, maylaytravelgroup.com, with multiple GET requests.
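A defender-side illustration of the behaviour described above, added here and not part of the pulse: it scans constructed DNS/proxy log lines for hosts that contact maylaytravelgroup.com shortly after the google.com/yahoo.com connectivity check, and separately flags any other contact with that domain. The log format, host names and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the pulse text above.
C2_DOMAIN = "maylaytravelgroup.com"
CONNECTIVITY_CHECKS = ("google.com", "yahoo.com")

# Constructed sample telemetry (not real logs): "<ISO time> <host> dns|http [GET] <name>"
SAMPLE_LOGS = """
2019-05-30T10:00:01 ws-17 dns google.com
2019-05-30T10:00:01 ws-17 dns yahoo.com
2019-05-30T10:00:03 ws-17 http GET maylaytravelgroup.com
2019-05-30T10:00:04 ws-17 http GET maylaytravelgroup.com
2019-05-30T10:05:00 ws-22 dns google.com
2019-05-30T10:05:02 ws-22 http GET example.org
2019-05-30T11:00:00 ws-31 http GET maylaytravelgroup.com
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|http) (?:GET )?(\S+)$")
WINDOW = timedelta(seconds=60)  # assumed: check-then-beacon happens within a minute


def parse(line):
    """Return (timestamp, host, kind, name) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, kind, name = m.groups()
    return datetime.fromisoformat(ts), host, kind, name.lower()


def find_c2_activity(lines, window=WINDOW):
    """Return sorted (host, finding, count) tuples.

    'c2_after_connectivity_check': contact with the C2 domain within `window`
    of a google.com/yahoo.com lookup from the same host (the pulse's sequence).
    'c2_contact': any other contact with the C2 domain.
    """
    last_check = {}            # host -> time of its most recent connectivity lookup
    hits = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, host, kind, name = rec
        if kind == "dns" and name in CONNECTIVITY_CHECKS:
            last_check[host] = ts
        elif name == C2_DOMAIN:
            checked = last_check.get(host)
            if checked is not None and ts - checked <= window:
                hits[(host, "c2_after_connectivity_check")] += 1
            else:
                hits[(host, "c2_contact")] += 1
    return sorted((h, f, n) for (h, f), n in hits.items())
```

On the sample, ws-17 shows the full check-then-beacon sequence, ws-31 only plain contact, and ws-22 nothing.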
Indicators of Compromise (30)