Pulse Detail — Threat Intelligence

PULSE NAME

Rattling the cage of a Sidewinder

WHITE Sidewinder AlienVault 2024-04-05 Modified: 2024-04-08

193

IOCs

HIGH VOLUME

This detailed analysis delves into the techniques employed by the cybersecurity researchers to track and detect infrastructure associated with the Sidewinder threat group. It outlines a comprehensive framework involving multiple search queries across various data sources, aimed at identifying indicators and artifacts related to the adversary's operations. The approach encompasses scanning for specific strings, encoded payloads, network fingerprints, and leveraging intelligence feeds to uncover new domains, IPs, and potential command-and-control infrastructure utilized by the group.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1547 T1137 T1071 T1195 T1190 T1219 T1010 T1107 T1112 T1193 T1059 T1568 T1204 T1027 T1588 T1189 T1221 T1018 T1105 T1216

MALWARE FAMILIES

Sidewinder

Indicators of Compromise (193)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	056d1dc3032d04d7638c02056d5146c9	—	2024-04-05
FileHash-MD5	15e0ac5a80a5849fab40cfac221c4ce4	—	2024-04-05
FileHash-MD5	251ff44ae978e2140dd02f00b3f093a0	—	2024-04-05
FileHash-MD5	356f30ba570428a6d0896e3960de8b70	—	2024-04-05
FileHash-MD5	43d35b5b20f491be219ab2eaa172ec55	—	2024-04-05
FileHash-MD5	54b1157ce8045f2e83340dc5d756f412	—	2024-04-05
FileHash-MD5	5efddbdcf40ba01f1571140bad72dccb	—	2024-04-05
FileHash-MD5	6af17fdbf7974c1a9a08a38b755d363b	—	2024-04-05
FileHash-MD5	6c7d24b90f3c6b4383bd7d08374a0c6f	—	2024-04-05
FileHash-MD5	9b1d0537d0734f1ddb53c5567f5d7ab5	—	2024-04-05
FileHash-MD5	b67bbb2a9fdfc3e89e2ed4c32ef9eb54	—	2024-04-05
FileHash-MD5	b7e63b7247be18cdfb36c1f3200c1dba	—	2024-04-05
FileHash-MD5	d37e71880beb8f453553c778aa07718a	—	2024-04-05
FileHash-MD5	d576cebe9f6cfd1d6e238e3540120dca	—	2024-04-05
FileHash-MD5	eb029e7b6d75ba082d539a4646efa55d	—	2024-04-05
FileHash-MD5	ef00004a1ebc262ffe0fb89aa5524d42	—	2024-04-05
FileHash-MD5	ef8cd5327c3cedb8a5ad8fb6b4706851	—	2024-04-05
FileHash-SHA1	05ebfd620475269c1228f87048c237a276745f1f	—	2024-04-05
FileHash-SHA1	1327f20512762a533c22fe181be3fcdd29ab76fe	—	2024-04-05
FileHash-SHA1	230911dbeaab0631c9df32fdfd8b726977866fd9	—	2024-04-05
FileHash-SHA1	33657ac7b0b7793c21a5a1ea6a78c72fa48857e1	—	2024-04-05
FileHash-SHA1	45ecc1c56886dd29cdc7557dd8f5954f999f56a8	—	2024-04-05
FileHash-SHA1	48b9d48847ad58a55f1a8dfc5872962358dedc6e	—	2024-04-05
FileHash-SHA1	5120621ec0a2eecb692f8042d1f6789a8bb182d8	—	2024-04-05
FileHash-SHA1	53a1b84d67b8be077f6d1dd244159262f7d1a0f9	—	2024-04-05
FileHash-SHA1	59f1d4657244353a156ef8899b817404fd7fedad	—	2024-04-05
FileHash-SHA1	832b42c85c885f66d32a02114ada50c24926f3a2	—	2024-04-05
FileHash-SHA1	8e650ecbbcd710f32b859aa34feb340768ea04cb	—	2024-04-05
FileHash-SHA1	c9a9160e6c03a5debc9f1947a74215d52c7a1af6	—	2024-04-05
FileHash-SHA1	cc59e275491ab440577079d555fa215895845e8e	—	2024-04-05
FileHash-SHA1	df0a9f12a51c88171ad1b65a462b83b2ef44c236	—	2024-04-05
FileHash-SHA1	e127a783870701cdd20a7fc750cad4dae775d362	—	2024-04-05
FileHash-SHA1	e4a8e4673ebfba0cea2d9755535bc93896b44183	—	2024-04-05
FileHash-SHA256	022dc10314a82fd5a21c6ef916f53bae4fa37e5478ae439f6d610eb3508720a9	—	2024-04-05
FileHash-SHA256	0826f532664b25a60d6ff5f98f82b2a618b86dda21f7badd6b5ea7165f5ed44d	—	2024-04-05
FileHash-SHA256	0e51c4f52b63e7ce231959168dbc4270b4fa451c58e3bd2081441e7d83915361	—	2024-04-05
FileHash-SHA256	121648be6641269d626d4d2ad79d234c99b121e0e0588909c05ba870308d9bc9	—	2024-04-05
FileHash-SHA256	15ce7d3c879975ca81777cf58f47409283e34ec1fe8e966fde608bc7eda16646	—	2024-04-05
FileHash-SHA256	170ccf1225154fa0cd92a14219f0b912479cc4095203646c38a31bb78baafe9f	—	2024-04-05
FileHash-SHA256	1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a	—	2024-04-05
FileHash-SHA256	1a88ef58675971eb18eeb267b1be90594cd6c7ebddf1c67d66729fa3e68de323	—	2024-04-05
FileHash-SHA256	1f8e6838604b4221afe5f4af0b1e0d022357cbe5b52bb0a74e257af0a7fdade3	—	2024-04-05
FileHash-SHA256	4db0a2d4d011f43952615ece8734ca4fc889e7ec958acd803a6c68b3e0f94eea	—	2024-04-05
FileHash-SHA256	4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588	—	2024-04-05
FileHash-SHA256	53cc8f46f10e4b3958834d75b15db3aa0d8c86a63b8bd3e6ac180c05ce27d748	—	2024-04-05
FileHash-SHA256	542fb0e314df639a7eef7ff077ddfd9574e70fb5ed5cbaf31c44d97f77e0c43c	—	2024-04-05
FileHash-SHA256	55a0bbde3e32c559715cdc9c7d30d003b9e14725a6369d30edef20c1ed6dd994	—	2024-04-05
FileHash-SHA256	60017e193cfd0df017eb8d0cc5f4bfc49593d90430a3e89a287f6afb83672236	—	2024-04-05
FileHash-SHA256	613068422c214b944c7b2e3fb60412ed99d35c9e18d53d45b16965c5a36f734a	—	2024-04-05
FileHash-SHA256	62f40035834c9811b5dcbfa3cbe0fd4e51d8678f3aca8fb0644b0a3043a1a362	—	2024-04-05
FileHash-SHA256	7dca552bc38f54716c80eb2c4f1f35cf6e5b12a78a5cec8bf335453c1b433cfd	—	2024-04-05
FileHash-SHA256	7dcf935a24039dff2d084f41ab8ca318b28c53c01f9de069f087b3be15457ba9	—	2024-04-05
FileHash-SHA256	89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e	—	2024-04-05
FileHash-SHA256	8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad	—	2024-04-05
FileHash-SHA256	8b4259cb1619bcbf3f6760f0982d0a1d3c67aa26738a3d6f6788bf6c2a5410e5	—	2024-04-05
FileHash-SHA256	921496822997485059ad137e7cd25060cbe6abc9466f2e33c1d7df01630737f4	—	2024-04-05
FileHash-SHA256	931aee9ba0e51804cb354a3a41830721e41a0fab6758aa19a43eaf1abe621b4d	—	2024-04-05
FileHash-SHA256	998f8d2ecce9de702326349b2d57a72fdc5282c81d876a1279b89f03e6cc2272	—	2024-04-05
FileHash-SHA256	9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a	—	2024-04-05
FileHash-SHA256	9d02bf092fdcf44a51ae6e264ec3e3e57afbe79622c92a797e33fb62ed495cda	—	2024-04-05
FileHash-SHA256	a11fab6de2c5111833e9e4a6f69ce5dded17085a3d8ae21c7fcfa00d7e113c9b	—	2024-04-05
FileHash-SHA256	a3283520e04d7343ce9884948c5d23423499fa61cee332a006db73e2b98d08c3	—	2024-04-05
FileHash-SHA256	a45258389a3c0d4615f3414472c390a0aabe77315663398ebdea270b59b82a5c	—	2024-04-05
FileHash-SHA256	a703c6772e8bcf7cd0aef05ecbee4c7f7f39371d45b42bf1030df2be5261717c	—	2024-04-05
FileHash-SHA256	acbfbf6fd00fa347a52657e5ca0f5cc6cbcf197a04e2d3fd5dc9235926b319d7	—	2024-04-05
FileHash-SHA256	b565bd60e9182746de76feeebe7f85902e22ee3a22d5d55a278be7340923806e	—	2024-04-05
FileHash-SHA256	e1ae44d26899969d520789e23c777d6c07785da23454664ad12b2783946a617c	—	2024-04-05
FileHash-SHA256	e21396bf5f9936310b4f53273db330a9620d78c1c744277b0e9126f0afdbc29d	—	2024-04-05
FileHash-SHA256	f1cdd47f7a2502902d15adf3ac79c0f86348ba09f4a482ab9108ad98258edb55	—	2024-04-05
domain	afmat.tech	—	2024-04-05
domain	aliyumm.tech	—	2024-04-05
domain	ausibedu.org	—	2024-04-05
domain	boket.tech	—	2024-04-05
domain	btud.live	—	2024-04-05
domain	comptes.tech	—	2024-04-05
domain	dafpak.org	—	2024-04-05
domain	defenec.net	—	2024-04-05
domain	download-file.net	—	2024-04-05
domain	dynat.tech	—	2024-04-05
domain	fia-gov.net	—	2024-04-05
domain	gebre.tech	—	2024-04-05
domain	govpk.info	—	2024-04-05
domain	hyat.tech	—	2024-04-05
domain	jotse.info	—	2024-04-05
domain	leron.info	—	2024-04-05
domain	mfa-govt.net	—	2024-04-05
domain	mfacom.org	—	2024-04-05
domain	moittpk.org	—	2024-04-05
domain	nbcot.info	—	2024-04-05
domain	neger.site	—	2024-04-05
domain	newoutlook.live	—	2024-04-05
domain	ntcpk.info	—	2024-04-05
domain	numpy.info	—	2024-04-05
domain	oprad.top	—	2024-04-05
domain	paknavy-gov.org	—	2024-04-05
domain	paknavy-govpk.net	—	2024-04-05
domain	pnscpk.com	—	2024-04-05
domain	semain.tech	—	2024-04-05
domain	sezti.org	—	2024-04-05
domain	shrtny.live	—	2024-04-05
domain	silvon.site	—	2024-04-05
domain	slic.live	—	2024-04-05
domain	tni-mil.com	—	2024-04-05
domain	tni-mil.org	—	2024-04-05
domain	tnial-mil.net	—	2024-04-05
domain	tref.tech	—	2024-04-05
hostname	apps.fia-gov.net	—	2024-04-05
hostname	bdmil.alit.live	—	2024-04-05
hostname	cabinet-division-pk.fia-gov.com	—	2024-04-05
hostname	cabinet-gov-pk.ministry-pk.net	—	2024-04-05
hostname	careitservices.paknvay-pk.net	—	2024-04-05
hostname	cirt-gov-mm.fia-gov.net	—	2024-04-05
hostname	cluster.jotse.info	—	2024-04-05
hostname	commerce-gov-pk.directt888.com	—	2024-04-05
hostname	cpanel.govpk.info	—	2024-04-05
hostname	cstc-spares-vip-163.dowmload.net	—	2024-04-05
hostname	defencelk.cvix.live	—	2024-04-05
hostname	dev.govpk.info	—	2024-04-05
hostname	dgmp-paknavy.mod-pk.com	—	2024-04-05
hostname	dgms.paknavy-gov.com	—	2024-04-05
hostname	dgpr.paknvay-pk.net	—	2024-04-05
hostname	endofmission.govpk.info	—	2024-04-05
hostname	focus.semain.tech	—	2024-04-05
hostname	forecast.comsats-net.com	—	2024-04-05
hostname	found.neger.site	—	2024-04-05
hostname	intdtebangladesh.govpk.info	—	2024-04-05
hostname	invitation-letter.govpk.info	—	2024-04-05
hostname	jester.hyat.tech	—	2024-04-05
hostname	ksew.kpt-gov.org	—	2024-04-05
hostname	livo.silvon.site	—	2024-04-05
hostname	mail-dmp-navy-pk.dytt88.org	—	2024-04-05
hostname	mailaplf.cvix.live	—	2024-04-05
hostname	mailmfa.mofa-gov.info	—	2024-04-05
hostname	mailmofagovmm.mofa.email	—	2024-04-05
hostname	mailnavybd.govpk.net	—	2024-04-05
hostname	mailrta.mfagov.org	—	2024-04-05
hostname	maritimepakistan.kpt-pk.net	—	2024-04-05
hostname	ministryofforeignaffairs-mofa-gov-pk.dytt88.org	—	2024-04-05
hostname	moemaldives.pmd-office.com	—	2024-04-05
hostname	mofa-gov-bd.fia-gov.net	—	2024-04-05
hostname	mofa-gov-np.direct888.net	—	2024-04-05
hostname	mofa-gov-np.fia-gov.net	—	2024-04-05
hostname	mofa-gov-pk.directt888.com	—	2024-04-05
hostname	mofa-gov-pk.donwloaded.com	—	2024-04-05
hostname	mofa-gov-sa.direct888.net	—	2024-04-05
hostname	mofa-gov.interior-pk.org	—	2024-04-05
hostname	mofa.govpk.info	—	2024-04-05
hostname	mofabn.ksewpk.com	—	2024-04-05
hostname	mofadividion.ptcl-gov.com	—	2024-04-05
hostname	mohgovsg.bahariafoundation.live	—	2024-04-05
hostname	moitt-gov-pk.fia-gov.net	—	2024-04-05
hostname	moitt.paknavy-govpk.info	—	2024-04-05
hostname	moma.comsats-net.com	—	2024-04-05
hostname	moon.tfrend.org	—	2024-04-05
hostname	mopf-gov-mm.direct888.net	—	2024-04-05
hostname	msacn.ntcpk.net	—	2024-04-05
hostname	mtss.bol-south.org	—	2024-04-05
hostname	myanmar-gov-mm.fia-gov.net	—	2024-04-05
hostname	myoffice.fia-gov.net	—	2024-04-05
hostname	navy-lk.direct888.net	—	2024-04-05
hostname	navy-mil-bd.jmicc.xyz	—	2024-04-05
hostname	note1582023.govpk.info	—	2024-04-05
hostname	offshore.leron.info	—	2024-04-05
hostname	opmcm-gov-np.fia-gov.net	—	2024-04-05
hostname	paknavy-gov-pk.downld.net	—	2024-04-05
hostname	paknavy.comsats.xyz	—	2024-04-05
hostname	paknavy.defpak.org	—	2024-04-05
hostname	paknavy.jmicc.xyz	—	2024-04-05
hostname	paknavy.paknavy.live	—	2024-04-05
hostname	pnwc.bol-north.com	—	2024-04-05
hostname	police-circular-gov-bd.fia-gov.net	—	2024-04-05
hostname	police-gov-bd.donwloaded.com	—	2024-04-05
hostname	police-gov-bd.fia-gov.net	—	2024-04-05
hostname	president-gov-lk.donwloaded.net	—	2024-04-05
hostname	promotionlist.comsats-net.com	—	2024-04-05
hostname	sarabanmithnavy.tni-mil.com	—	2024-04-05
hostname	sl-navy.office-drive.live	—	2024-04-05
hostname	spark.126-com.live	—	2024-04-05
hostname	sppc.moma-pk.org	—	2024-04-05
hostname	square.oprad.top	—	2024-04-05
hostname	srilanka-navy.lforvk.com	—	2024-04-05
hostname	srilankanavy.ksew.org	—	2024-04-05
hostname	training.detru.info	—	2024-04-05
hostname	webdisk.govpk.info	—	2024-04-05
hostname	webmail.govpk.info	—	2024-04-05
hostname	ww1.govpk.info	—	2024-04-05
hostname	ww25.govpk.info	—	2024-04-05
hostname	ww38.govpk.info	—	2024-04-05
hostname	www-moha-gov-lk.direct888.net	—	2024-04-05
hostname	www-police-gov-bd.direct888.net	—	2024-04-05
hostname	www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net	—	2024-04-05
hostname	www.sd1-bin.net	—	2024-04-05
hostname	zed.shrtny.live	—	2024-04-05

References (1)

↗ https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder