{ "type": "MD5", "indicator": "92d2204691f8ac9274b2943f88958552", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "92d2204691f8ac9274b2943f88958552", "validation": [], "base_indicator": { "id": 2142143683, "indicator": "92d2204691f8ac9274b2943f88958552", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5da83c7c104ff3553f418443", "name": "The Dukes aren\u2019t back \u2014 they never left", "description": "It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks,\nto stay completely under the radar for several years. Yet, in the last three years that is what APT group\nthe Dukes (aka APT29 and Cozy Bear) has done. Despite being well known as one of the groups to hack the\nDemocratic National Committee in the run-up to the 2016 US election, the Dukes has received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against\nthe Norwegian government that dates back to January 2017", "modified": "2019-10-17T10:03:40.074000", "created": "2019-10-17T10:03:40.074000", "tags": [ "Dukes" ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "public": 1, "adversary": "Dukes", "targeted_countries": [], "malware_families": [ { "id": "MiniDuke", "display_name": "MiniDuke", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1077", "name": "Windows Admin Shares", "display_name": "T1077 - Windows Admin Shares" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1084", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1084 - Windows Management Instrumentation Event Subscription" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 85, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 19, "FileHash-SHA256": 18, "URL": 18, "hostname": 2, "FileHash-MD5": 19, "FileHash-SHA1": 18 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386459, "modified_text": "2417 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "related": { "alienvault": { "adversary": [ "Dukes" ], "malware_families": [ "Miniduke" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5da83c7c104ff3553f418443", "name": "The Dukes aren\u2019t back \u2014 they never left", "description": "It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks,\nto stay completely under the radar for several years. Yet, in the last three years that is what APT group\nthe Dukes (aka APT29 and Cozy Bear) has done. Despite being well known as one of the groups to hack the\nDemocratic National Committee in the run-up to the 2016 US election, the Dukes has received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against\nthe Norwegian government that dates back to January 2017", "modified": "2019-10-17T10:03:40.074000", "created": "2019-10-17T10:03:40.074000", "tags": [ "Dukes" ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "public": 1, "adversary": "Dukes", "targeted_countries": [], "malware_families": [ { "id": "MiniDuke", "display_name": "MiniDuke", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1077", "name": "Windows Admin Shares", "display_name": "T1077 - Windows Admin Shares" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1084", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1084 - Windows Management Instrumentation Event Subscription" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1086", "name": "PowerShell", "display_name": "T1086 - PowerShell" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 85, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 19, "FileHash-SHA256": 18, "URL": 18, "hostname": 2, "FileHash-MD5": 19, "FileHash-SHA1": 18 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386459, "modified_text": "2417 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "92d2204691f8ac9274b2943f88958552", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "92d2204691f8ac9274b2943f88958552", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780173297.4312034 }