Pulse: When Threat Actors Fly Under the Radar: Vatet, PyXie, and Defray777
Author: AlienVault. TLP: WHITE. Created: 2020-11-10. Modified: 2020-12-09. 169 IOCs.
We first noticed that there may be a relationship between the Vatet loader, PyXie Remote Access Tool (RAT) and Defray777 ransomware when there were remnants and/or detections of all three in various Incident Response and Managed Threat Hunting engagements. After digging deep into each malware family, it became apparent that Vatet, PyXie and Defray777 are all associated with the same financially motivated threat group that has been operating since as early as 2018. That threat group, sometimes referred to as PyXie by BlackBerry Cylance and GOLD DUPONT by SecureWorks, has been actively conducting successful ransomware operations that have impacted organizations in a number of sectors including healthcare, education, government and technology while remaining under the radar.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed.
Malware families: PyXie RAT; Backdoor:Win32/Vatet; Trojan:Win32/Vatet; Defray777 Ransomware; Cobalt Strike (S0154); IcedID; TrickBot (S0266)
Indicators of Compromise (42 / 169 total)