[ { "id": 3446972661, "indicator": "59b043a913014a1f03258c695b9333af", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "MD5 of 3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3", "expiration": null, "is_active": 1 }, { "id": 3445296369, "indicator": "b9025eca96614a473e204e9e8a873e1d", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "MD5 of fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92", "expiration": null, "is_active": 1 }, { "id": 3445296371, "indicator": "2360e4cff14fbfb2af6c80dbd7028d682fe2634e", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "SHA1 of fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92", "expiration": null, "is_active": 1 }, { "id": 3446972663, "indicator": "2af2dcd9482a281228d987723640203e08ff93c9", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "SHA1 of 3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3", "expiration": null, "is_active": 1 }, { "id": 3445296391, "indicator": "3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "", "expiration": null, "is_active": 1 }, { "id": 3445296374, "indicator": "fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Zpevdo", "description": "", "expiration": null, "is_active": 1 }, { "id": 2118008307, "indicator": "CVE-2018-0798", "type": "CVE", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3460782566, "indicator": "1bf615946ad9ea7b5a282a8529641bf6", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "MD5 of 358867f105b517624806c3315c5426803f7c42a7", "expiration": null, "is_active": 1 }, { "id": 3445296375, "indicator": "2454a5b5f7793d372c96fd572c1de2cc", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "MD5 of 90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787", "expiration": null, "is_active": 1 }, { "id": 3445296376, "indicator": "2c8ed4045b76a1eca8c8d0161a4b65ec", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "MD5 of 69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61", "expiration": null, "is_active": 1 }, { "id": 3460782565, "indicator": "6e4b4eb701f3410ebfb5925db32b25dc", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "MD5 of c330ef43bbee001296c6c120cf68e4c90d078d9c", "expiration": null, "is_active": 1 }, { "id": 3469741672, "indicator": "71e1cfb5e5a515cea2c3537b78325abf", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "ConventionEngine_Term_Desktop", "description": "MD5 of bcc9e35c28430264575831e851182eca7219116f", "expiration": null, "is_active": 1 }, { "id": 3460782564, "indicator": "a1d9e1dccfbba118d52f95ec6cc7c943", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504558961, "indicator": "d58e6f93bd1eb81eacc965d530709246", "type": "FileHash-MD5", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504558875, "indicator": "358867f105b517624806c3315c5426803f7c42a7", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504559422, "indicator": "8efa4d5574a0c80733e9824ec146521385a68424", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504558962, "indicator": "a47aec515f303ae7f427d98fc69fe828fa9c6ec6", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3445296389, "indicator": "b17f0381fc7e4c4c6bb15dfcc0c37d2945266c6e", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "SHA1 of 69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61", "expiration": null, "is_active": 1 }, { "id": 3469741687, "indicator": "bcc9e35c28430264575831e851182eca7219116f", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "ConventionEngine_Term_Desktop", "description": "", "expiration": null, "is_active": 1 }, { "id": 3445296390, "indicator": "bcd7a2191af9ddb1bd627e36a55fc55680e36f51", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "SHA1 of 90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787", "expiration": null, "is_active": 1 }, { "id": 3469741688, "indicator": "c330ef43bbee001296c6c120cf68e4c90d078d9c", "type": "FileHash-SHA1", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "", "expiration": null, "is_active": 1 }, { "id": 3460792861, "indicator": "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3506176569, "indicator": "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3469741693, "indicator": "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "ConventionEngine_Term_Desktop", "description": "SHA256 of bcc9e35c28430264575831e851182eca7219116f", "expiration": null, "is_active": 1 }, { "id": 3445296393, "indicator": "69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "", "expiration": null, "is_active": 1 }, { "id": 3445296394, "indicator": "90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "", "expiration": null, "is_active": 1 }, { "id": 3460792860, "indicator": "91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "SHA256 of c330ef43bbee001296c6c120cf68e4c90d078d9c", "expiration": null, "is_active": 1 }, { "id": 3460792862, "indicator": "bc03923e3cc2895893571068fd20dd0bc626764d06a009b91dac27982e40a085", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "Bitter", "description": "SHA256 of 358867f105b517624806c3315c5426803f7c42a7", "expiration": null, "is_active": 1 }, { "id": 3506176570, "indicator": "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504558963, "indicator": "d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691", "type": "FileHash-SHA256", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3506176572, "indicator": "http://emshedulersvc.com/vc/vc", "type": "URL", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3506176573, "indicator": "http://m.huandocimama.com/JvQKLsTYuMe/xAexyBbnDxW/profiles.php?profiles=", "type": "URL", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3506176574, "indicator": "051e0f8d4471172309e6dd11ff6642bd6f903e51", "type": "YARA", "created": "2022-07-06T08:42:27", "content": "rule APT_Bitter_PDB_Paths { meta: \n description = \"Detects Bitter (T-APT-17) PDB Paths\" \n author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" \n tlp = \"WHITE\" \n reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\" \n date = \"2022-06-22\" \n hash0 = \"55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\" strings: \n // Almond RAT \n $pdbPath0 = \"C:\\\\Users\\\\Window 10 C\\\\Desktop\\\\COMPLETED WORK\\\\\" ascii \n $pdbPath1 = \"stdrcl\\\\stdrcl\\\\obj\\\\Release\\\\stdrcl.pdb\" // found by Qi Anxin Threat Intellingence Center \n // reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg \n $pdbPath2 = \"g:\\\\Projects\\\\cn_stinker_34318\\\\\" \n $pdbPath3 = \"renewedstink\\\\renewedstink\\\\obj\\\\Release\\\\stimulies.pdb\" condition: \n uint16(0) == 0x5a4d \n and any of ($pdbPath*) \n }", "title": "", "description": "Detects Bitter (T-APT-17) PDB Paths", "expiration": null, "is_active": 1 }, { "id": 3506176575, "indicator": "3b404215bfcdecab3497feddcb820b7aabf587c5", "type": "YARA", "created": "2022-07-06T08:42:27", "content": "import \"dotnet\"\nrule APT_Bitter_Almond_RAT { meta: \n description = \"Detects Bitter (T-APT-17) Almond RAT (.NET)\" \n author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" \n tlp = \"WHITE\" reference = \" https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\" \n date = \"2022-06-01\" hash = \"55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\" strings: \n $function0 = \"GetMacid\" ascii \n $function1 = \"StartCommWithServer\" ascii \n $function2 = \"sendingSysInfo\" ascii \n $dbg0 = \"*|END|*\" wide \n $dbg1 = \"FILE>\" wide \n $dbg2 = \"[Command Executed Successfully]\" wide condition: \n uint16(0) == 0x5a4d \n and dotnet.version == \"v4.0.30319\" \n and filesize > 12KB // Size on Disk/1.5 \n and filesize < 68KB // Size of Image*1.5 \n and any of ($function*) \n and any of ($dbg*) \n }", "title": "", "description": "Detects Bitter (T-APT-17) Almond RAT (.NET)", "expiration": null, "is_active": 1 }, { "id": 3506176576, "indicator": "dd1c6d6276efba12eff01052033aa3a3717f3af9", "type": "YARA", "created": "2022-07-06T08:42:27", "content": "rule APT_Bitter_Maldoc_Verify { meta: \n description = \"Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)\" \n author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" \n tlp = \"WHITE\" \n reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\" \n date = \"2022-06-01\" \n hash0 = \"0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450\" \n hash1 = \"bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d\" \n hash2 = \"3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6\" strings: \n // This rule is meant to be used for verification of a Bitter Maldoc \n // rather than a hunting rule since the oleObject it is matching is \n // compressed in the doc zip $xor_string0 = \"LoadLibraryA\" xor \n $xor_string1 = \"urlmon.dll\" xor \n $xor_string2 = \"Shell32.dll\" xor \n $xor_string3 = \"ShellExecuteA\" xor \n $xor_string4 = \"MoveFileA\" xor \n $xor_string5 = \"CreateDirectoryA\" xor \n $xor_string6 = \"C:\\\\Windows\\\\explorer\" xor \n $padding = {000001128341000001128341000001128342000001128342} condition: \n 3 of ($xor_string*) \n and $padding \n }", "title": "", "description": "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)", "expiration": null, "is_active": 1 }, { "id": 3460764002, "indicator": "diyefosterfeeds.com", "type": "domain", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3460764001, "indicator": "emshedulersvc.com", "type": "domain", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3200549311, "indicator": "huandocimama.com", "type": "domain", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3462567199, "indicator": "spurshipbroker.com", "type": "domain", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 3504888667, "indicator": "m.huandocimama.com", "type": "hostname", "created": "2022-07-06T08:42:27", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 } ]