Maha Grass, aka Patchwork, White Elephant, Hangover, Dropping Elephant Analysis
TLP:WHITE   Author: PetrP.73   Created: 2025-05-26   Modified: 2025-05-28
Maha Grass (also tracked as Patchwork, White Elephant, Hangover and Dropping Elephant) is widely believed to operate out of South Asia. Its earliest known attacks date back to November 2009, so the group has been active for more than ten years. It mainly targets countries in Asia for cyber espionage, with victims in government, military, electric power, industrial, scientific research and education, diplomatic and economic organisations.

Brain Worm, aka Donot (Qianxin internal tracking number APT-Q-38), mainly targets South Asian countries such as Pakistan, Bangladesh and Sri Lanka, conducting cyber espionage and stealing sensitive information from government agencies, defence and military bodies, foreign-affairs departments and prominent figures in the business world. The group has both Windows and Android attack capabilities; in earlier campaigns it has delivered malicious code through spear-phishing emails carrying Office exploit documents or malicious macro documents, and through malicious Android APKs.
Indicators of Compromise (32)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-MD5 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
FileHash-MD5 4dfbc90129c9700bab397a59e0640648 2025-05-26
FileHash-MD5 6cf72a23f23f2f35106ed9db63df3474 2025-05-26
FileHash-MD5 8157be7acc05f719dc125d677133ca40 2025-05-26
FileHash-MD5 893561ff6d17f1e95897b894dde29a2a 2025-05-26
FileHash-MD5 c13dfd03cbdd66c0d6d53eb55ba9d551 2025-05-26
FileHash-MD5 e39413d9a67acbc5df2d8b8c0a170f4b 2025-05-26
FileHash-MD5 f8e30dad9130bbc04164dda4f31a1b23 2025-05-26
FileHash-SHA1 080c635fa1fb8e46faa1aaa9aa23952d7c9f8cb4 SHA1 of 4dfbc90129c9700bab397a59e0640648 2025-05-26
FileHash-SHA1 59269cc2d0c169205ceea420b2b6a1a4dedc1700 SHA1 of 893561ff6d17f1e95897b894dde29a2a 2025-05-26
FileHash-SHA1 885f0682d57f6c9fe96d970f7b4735d2dc7f96f7 SHA1 of 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
FileHash-SHA1 8cc955f6a24b9cbbb028924da165f4a3ab763455 SHA1 of 8157be7acc05f719dc125d677133ca40 2025-05-26
FileHash-SHA1 a909090d5f32429756d9a505ba9b12403dcb0d6c SHA1 of e39413d9a67acbc5df2d8b8c0a170f4b 2025-05-26
FileHash-SHA1 abcba09eec8099a161998dc967cc68043f90b6c8 SHA1 of f8e30dad9130bbc04164dda4f31a1b23 2025-05-26
FileHash-SHA256 496d93b684d9932b5e3d8b2f9a96d72fdf6ea5ddf8ff5749a50ab03add7bc815 SHA256 of e39413d9a67acbc5df2d8b8c0a170f4b 2025-05-26
FileHash-SHA256 4d036e0a517774ba8bd31df522a8d9e327202548a5753e5de068190582758680 SHA256 of 893561ff6d17f1e95897b894dde29a2a 2025-05-26
FileHash-SHA256 809487ac191920f2cce2dc7b69acd136220505decab1d49cd24edad45942dd79 SHA256 of f8e30dad9130bbc04164dda4f31a1b23 2025-05-26
FileHash-SHA256 95c141f74d453f331bdc515b0f3318c731d80902c1e158bacd7b61ece1958dee SHA256 of 4dfbc90129c9700bab397a59e0640648 2025-05-26
FileHash-SHA256 b4e3200beb7da880299270c487bcb75e72705cb1c10a65a251f8ccd4579326fe SHA256 of 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
FileHash-SHA256 c259d9fc53b7d3492bd20b42ef36924a615bf2562c3d6d00228ecbe863a916a7 SHA256 of 8157be7acc05f719dc125d677133ca40 2025-05-26
URL http://apps-house.com/gandalf/cane.php 2025-05-26
URL http://apps-house.com/gandalf/download.php?mname= 2025-05-26
URL http://couldmailauth.com/gxL5EumWANH46T3tjskyFB/download.php?mname= 2025-05-26
URL http://couldmailauth.com/gxL5EumWANH46T3tjskyFB/pencil.php 2025-05-26
URL http://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll 2025-05-26
URL http://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll” 2025-05-26
URL https://viperdenx.info/2025/filezz/uploadz/ltr-2024055.ppt 2025-05-26
URL https://viperdenx.info/2025/filezz/uploadz/ltr-2024055.xn--ppt-9o0a.PPT 2025-05-26
domain apps-house.com 2025-05-26
domain couldmailauth.com 2025-05-26
domain totalservices.info 2025-05-26
domain viperdenx.info 2025-05-26
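The table above is only useful once it is loaded into something that can answer "is this file or URL in the pulse?". The script below is an added example, not part of the pulse or of any vendor tooling: it parses rows in exactly the layout shown above (type, indicator, optional "SHA1 of <md5>" / "SHA256 of <md5>" description, created date), links the SHA1 and SHA256 rows back to the MD5 they describe so each sample becomes one record, and matches byte buffers and URLs against the result. The rows embedded in it are copied from this page (a subset is enough to exercise every indicator type); the class name, method names and the test inputs are the example's own. Two caveats from the table are handled explicitly: the Reghjok_64.dll URL appears twice, once with a stray closing quote pasted onto it, and the .PPT URL contains an `xn--` label, i.e. an IDNA-encoded non-ASCII segment of the file name, which has to be matched in the encoded form the pulse gives.

```python
"""Load pulse IOC rows into lookup structures and match artefacts against them.
Added example for this page; not the pulse author's or any vendor's code."""
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Rows copied verbatim from the IOC table on this page (subset).
PULSE_ROWS = """\
FileHash-MD5 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
FileHash-MD5 6cf72a23f23f2f35106ed9db63df3474 2025-05-26
FileHash-SHA1 885f0682d57f6c9fe96d970f7b4735d2dc7f96f7 SHA1 of 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
FileHash-SHA256 b4e3200beb7da880299270c487bcb75e72705cb1c10a65a251f8ccd4579326fe SHA256 of 2f1c58c7214471c28283b9e161ceed1c 2025-05-26
URL http://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll 2025-05-26
URL http://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll” 2025-05-26
URL https://viperdenx.info/2025/filezz/uploadz/ltr-2024055.xn--ppt-9o0a.PPT 2025-05-26
domain apps-house.com 2025-05-26
domain couldmailauth.com 2025-05-26
""".splitlines()

HASH_ALGOS = {"FileHash-MD5": "md5", "FileHash-SHA1": "sha1", "FileHash-SHA256": "sha256"}
# "SHA1 of <md5>" / "SHA256 of <md5>" descriptions tie a digest to its MD5 record.
OF_RE = re.compile(r"^(?:SHA1|SHA256) of ([0-9a-fA-F]{32})$")
QUOTE_CHARS = "\"'“”‘’"


def normalize_url(raw):
    """Drop quote characters pasted around the indicator, lowercase scheme and
    host, and keep the path byte-for-byte (the xn-- label stays encoded)."""
    parts = urlsplit(raw.strip().strip(QUOTE_CHARS))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


class PulseIndex:
    """Hash, URL and domain lookups built from pulse table rows."""

    def __init__(self, rows):
        self.records = {}                          # record key (md5) -> {algo: digest}
        self.by_digest = {}                        # any digest -> record key
        self.urls = set()
        self.domains = set()
        for line in rows:
            parts = line.split()
            if len(parts) < 3:
                continue                           # blank or malformed row
            typ, indicator, desc = parts[0], parts[1], " ".join(parts[2:-1])
            if typ in HASH_ALGOS:
                self._add_hash(HASH_ALGOS[typ], indicator.lower(), desc)
            elif typ == "URL":
                self.urls.add(normalize_url(indicator))
            elif typ == "domain":
                self.domains.add(indicator.lower().rstrip("."))

    def _add_hash(self, algo, digest, desc):
        m = OF_RE.match(desc)
        key = m.group(1).lower() if m else digest  # standalone digest keys itself
        self.records.setdefault(key, {})[algo] = digest
        self.by_digest[digest] = key

    def lookup_hash(self, hexdigest):
        """Return the full record (all known digests) for any one digest."""
        key = self.by_digest.get(hexdigest.strip().lower())
        return self.records.get(key) if key else None

    def match_bytes(self, data):
        """Hash a buffer with every algorithm in the pulse; list the hits."""
        hits = []
        for algo in ("md5", "sha1", "sha256"):
            digest = hashlib.new(algo, data).hexdigest()
            if digest in self.by_digest:
                hits.append((algo, digest))
        return hits

    def match_url(self, url):
        """Exact URL hit first, then a host-or-subdomain hit on the domain list."""
        norm = normalize_url(url)
        if norm in self.urls:
            return ("url", norm)
        host = (urlsplit(norm).hostname or "").rstrip(".")
        for d in self.domains:
            if host == d or host.endswith("." + d):  # never "notapps-house.com"
                return ("domain", d)
        return None


if __name__ == "__main__":
    idx = PulseIndex(PULSE_ROWS)
    print(len(idx.urls), "distinct URLs;", len(idx.records), "file records")
    for u in ("http://COULDMAILAUTH.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll",
              "https://cdn.apps-house.com/x", "https://example.org/"):
        print(u, "->", idx.match_url(u))
```

Point `PULSE_ROWS` at the full table (or a file exported from the pulse) and feed `match_bytes` the contents of mail attachments or downloaded files and `match_url` the URLs from proxy logs; the two MD5-only rows in the table (6cf72a23... and c13dfd03...) become records with a single digest, so a SHA256-only telemetry source cannot match them and should be hashed with MD5 as well.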