PULSE NAME
Gamaredon APT targets Ukrainian government agencies in new campaign
TLP: WHITE | Adversary: Gamaredon Group | Author: AlienVault | Created: 2022-09-19 | Modified: 2022-10-19
IOCs: 53
HIGH VOLUME
Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.
Indicators of Compromise (53)
TYPE  INDICATOR  DESCRIPTION  CREATED
hostname a0700343.xsph.ru 2022-09-19
hostname a0700462.xsph.ru 2022-09-19
hostname a0701919.xsph.ru 2022-09-19
hostname a0704093.xsph.ru 2022-09-19
hostname a0705076.xsph.ru 2022-09-19
hostname a0705269.xsph.ru 2022-09-19
hostname a0705581.xsph.ru 2022-09-19
hostname a0705880.xsph.ru 2022-09-19
hostname a0706248.xsph.ru 2022-09-19
hostname a0707763.xsph.ru 2022-09-19
hostname a0698649.xsph.ru 2022-09-19
FileHash-MD5 56375a0f076613740dac512ffe502c8f MD5 of 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 2022-09-19
FileHash-MD5 5ae91dc5c2f16efbed5548f489f87b93 MD5 of 1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c 2022-09-19
FileHash-MD5 68781941893f72c8f29ae3d3c5318d67 MD5 of ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2 2022-09-19
FileHash-MD5 6cb12a8f64f6186f7f92ab69ad1ad6f5 MD5 of 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650 2022-09-19
FileHash-MD5 890104bff9ce28d79eac2b86745609d7 MD5 of 581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a 2022-09-19
FileHash-MD5 a56d1a1a42aa75ff52412668bf64f5c9 MD5 of be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7 2022-09-19
FileHash-MD5 b34760b85a6cfd9f31a05e76fa8589a6 MD5 of 139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a 2022-09-19
FileHash-MD5 d3a4c5191834fb47fb49ab6c0b59d71b MD5 of 34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02 2022-09-19
FileHash-MD5 f46a6211920dd75729aaee4ac9cd0856 MD5 of a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7 2022-09-19
FileHash-MD5 fa8009ec4b46e0469fb42a58032fcdf7 MD5 of 1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447 2022-09-19
FileHash-SHA1 210792de3df6477a07b3b910290a22ac7beb4294 SHA1 of 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 2022-09-19
FileHash-SHA1 31fd5776155c6332f23e5114abf52bab85ca4f11 SHA1 of 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650 2022-09-19
FileHash-SHA1 50edf11dd9a5394a353a205571b409d47d15ed59 SHA1 of ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2 2022-09-19
FileHash-SHA1 714cd57e5a9ee053774d322ff936d906c8e4172e SHA1 of 1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447 2022-09-19
FileHash-SHA1 8ac09bb48650919ad12253e5e43d56835ce12700 SHA1 of be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7 2022-09-19
FileHash-SHA1 cf903697aaeccd769b061db52af53889b631fa45 SHA1 of 139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a 2022-09-19
FileHash-SHA1 d70aaf5dd29196ec165dcc091bbaa0f2a3dae18b SHA1 of 1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c 2022-09-19
FileHash-SHA1 defabb7ed2459ed9a0e3c22fdbbd2b34287e45f8 SHA1 of 581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a 2022-09-19
FileHash-SHA1 e51a25df05886b8d52703c890911d886b5d1658b SHA1 of 34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02 2022-09-19
FileHash-SHA1 ff73c02c31e4930c5567ad049cfdf7f7c2ca49ab SHA1 of a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7 2022-09-19
FileHash-SHA256 139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a 2022-09-19
FileHash-SHA256 1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447 2022-09-19
FileHash-SHA256 1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c 2022-09-19
FileHash-SHA256 34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02 2022-09-19
FileHash-SHA256 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650 2022-09-19
FileHash-SHA256 5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb 2022-09-19
FileHash-SHA256 581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a 2022-09-19
FileHash-SHA256 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 2022-09-19
FileHash-SHA256 78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba 2022-09-19
FileHash-SHA256 8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a 2022-09-19
FileHash-SHA256 a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7 2022-09-19
FileHash-SHA256 be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7 2022-09-19
FileHash-SHA256 ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2 2022-09-19
URL http://155.138.252.221/get.php 2022-09-19
URL http://45.77.237.252/get.php 2022-09-19
URL http://heato.ru/index.php 2022-09-19
URL http://motoristo.ru/get.php 2022-09-19
domain celticso.ru 2022-09-19
domain heato.ru 2022-09-19
domain kuckuduk.ru 2022-09-19
domain motoristo.ru 2022-09-19
domain pasamart.ru 2022-09-19
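The table above is in the flat OTX export form ("type indicator [description] created"), and the MD5 and SHA1 rows only relate to the SHA256 rows through their "MD5 of ..." / "SHA1 of ..." descriptions. The following is an added example by the editor, not code from AlienVault or Cisco Talos: it parses rows in that form, mines the descriptions for the SHA-256 they reference, and hunts for the indicators in constructed DNS, web-proxy and EDR events. The sample rows are copied from the table above; the events, the field names (`query`, `url`, `md5`/`sha1`/`sha256`) and the decision to treat a subdomain of a listed `domain` as a hit are the editor's assumptions. Note that the listed hostnames are specific `*.xsph.ru` labels, so the example deliberately does not match the parent `xsph.ru` itself.

```python
"""Hunt for OTX pulse indicators in constructed DNS, proxy and EDR events."""
import re
from urllib.parse import urlparse

# Constructed sample: rows copied verbatim from the pulse's IOC table.
PULSE_ROWS = """\
hostname a0700343.xsph.ru 2022-09-19
hostname a0698649.xsph.ru 2022-09-19
FileHash-MD5 56375a0f076613740dac512ffe502c8f MD5 of 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 2022-09-19
FileHash-SHA1 210792de3df6477a07b3b910290a22ac7beb4294 SHA1 of 750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3 2022-09-19
FileHash-SHA256 5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb 2022-09-19
URL http://155.138.252.221/get.php 2022-09-19
URL http://motoristo.ru/get.php 2022-09-19
domain heato.ru 2022-09-19
domain motoristo.ru 2022-09-19
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def _norm_url(url):
    """Compare on scheme, host and path only: the query string is dropped so
    'http://host/get.php?id=7' still matches the listed 'http://host/get.php'."""
    p = urlparse(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/")


def parse_pulse_rows(text):
    """Parse OTX-style rows '<type> <indicator> [description] <created>'.

    Returns sets keyed by hostname, domain, url, url_host and hash.  The
    'MD5 of <sha256>' / 'SHA1 of <sha256>' descriptions are mined for the
    SHA-256 they reference, so it becomes a hash indicator even when the
    export holds no separate SHA256 row for it.
    """
    iocs = {k: set() for k in ("hostname", "domain", "url", "url_host", "hash")}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or not a row
        ioc_type, indicator, desc = parts[0], parts[1], " ".join(parts[2:-1])
        if ioc_type in ("hostname", "domain"):
            iocs[ioc_type].add(indicator.lower().rstrip("."))
        elif ioc_type == "URL":
            norm = _norm_url(indicator)
            iocs["url"].add(norm)
            iocs["url_host"].add(norm[1])  # hunting choice: the host alone is worth a hit
        elif ioc_type.startswith("FileHash-"):
            iocs["hash"].add(indicator.lower())
            iocs["hash"].update(SHA256_RE.findall(desc.lower()))
    return iocs


def host_matches(host, iocs):
    """Exact hostname/URL-host hit, or a listed domain or a subdomain of one.
    Returns the matching indicator, or None."""
    host = host.lower().rstrip(".")
    if host in iocs["hostname"] or host in iocs["url_host"]:
        return host
    for dom in iocs["domain"]:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_events(events, iocs):
    """Return (event_index, kind, indicator) for every event that hits."""
    hits = []
    for i, ev in enumerate(events):
        if "query" in ev:  # DNS resolver log
            m = host_matches(ev["query"], iocs)
            if m:
                hits.append((i, "host", m))
        if "url" in ev:  # web proxy log
            norm = _norm_url(ev["url"])
            if norm in iocs["url"]:
                hits.append((i, "url", ev["url"]))
            else:
                m = host_matches(norm[1], iocs)
                if m:
                    hits.append((i, "host", m))
        for key in ("md5", "sha1", "sha256"):  # EDR / AV file events
            h = ev.get(key, "").lower()
            if h and h in iocs["hash"]:
                hits.append((i, "hash", h))
    return hits


# Constructed events; assumed field names, not a real log format.
SAMPLE_EVENTS = [
    {"src": "dns", "query": "a0700343.xsph.ru"},             # listed hostname
    {"src": "dns", "query": "mail.heato.ru"},                # subdomain of listed domain
    {"src": "dns", "query": "xsph.ru"},                      # parent of listed hosts: no hit
    {"src": "proxy", "url": "http://motoristo.ru/get.php?id=7"},
    {"src": "proxy", "url": "http://155.138.252.221/index.php"},  # host hit, not URL hit
    {"src": "edr", "sha256": "750BCEC54A2E51F3409C83E2100DFB23D30391E20E1C8051C2BC695914C413E3"},
    {"src": "edr", "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, parse_pulse_rows(PULSE_ROWS)):
        print(hit)
```

Matching a subdomain of a listed domain is a deliberate widening for hunting; before turning it into a blocking rule, check the false-positive cost of each apex, and do not extend it to `xsph.ru`, which the pulse never lists as a domain.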