Pulse: When Threat Actors Fly Under the Radar: Vatet, PyXie, and Defray777
TLP: WHITE | Author: AlienVault | Created: 2020-11-10 | Modified: 2020-12-09
169 IOCs (high volume)
We first noticed a possible relationship between the Vatet loader, the PyXie Remote Access Tool (RAT) and Defray777 ransomware when remnants and/or detections of all three appeared in various Incident Response and Managed Threat Hunting engagements. After analysing each malware family in depth, it became apparent that Vatet, PyXie and Defray777 are all associated with the same financially motivated threat group, which has been operating since as early as 2018. That group, sometimes referred to as PyXie by BlackBerry Cylance and GOLD DUPONT by SecureWorks, has been conducting successful ransomware operations that have impacted organizations in a number of sectors, including healthcare, education, government and technology, while remaining under the radar.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: PyXie RAT, Backdoor:Win32/Vatet, Trojan:Win32/Vatet, Defray777 Ransomware, Cobalt Strike (S0154), IcedID, TrickBot (S0266)
Indicators of Compromise (42 / 169 total)