{ "type": "MD5", "indicator": "f8e92d8b5488ea76c40601c8f1a08790", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "f8e92d8b5488ea76c40601c8f1a08790", "validation": [], "base_indicator": { "id": 11667961, "indicator": "f8e92d8b5488ea76c40601c8f1a08790", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "5a8c8b889e7d6c1288e3b570", "name": "A Slice of 2017 Sofacy Activity", "description": "Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard.", "modified": "2018-02-20T20:56:40.717000", "created": "2018-02-20T20:56:40.717000", "tags": [ "sofacy", "nato", "zebrocy", "central asia", "gamefish", "apt28", "xagent", "delphi", "ukraine", "coreshell", "western union", "asia", "fancy bear", "apt", "kaspersky" ], "references": [ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "government", "military", "ngo", "energy", "engineering" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "FileHash-MD5": 55, "CVE": 2 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 376811, "modified_text": "2975 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "5911ff9cdbd6ea04445af363", "name": "EPS Processing Zero-Days Exploited by Multiple Threat Actors", "description": "Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day (CVE-2017-0261), and APT28 was using the second EPS zero-day (CVE-2017-0262) along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East.", "modified": "2017-07-21T22:04:29.680000", "created": "2017-05-09T17:42:52.742000", "tags": [ "office", "0day", "NETWIRE", "GAMEFISH", "turla", "sofacy", "apt28", "fireeye" ], "references": [ "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "https://repo.quicksand.io/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.html", "https://www.hybrid-analysis.com/sample/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490?environmentId=100", "https://www.hybrid-analysis.com/sample/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9?environmentId=100", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/" ], "public": 1, "adversary": "Turla Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 79, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 1, "hostname": 1, "FileHash-MD5": 5, "IPv4": 3, "CVE": 5, "FileHash-SHA1": 5, "Mutex": 1, "YARA": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 376777, "modified_text": "3189 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "65707cfd7deec618b32401ae", "name": "yarex_APTMalware", "description": "", "modified": "2023-12-06T13:54:05.062000", "created": "2023-12-06T13:54:05.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1429, "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "hostname": 48, "URL": 146, "domain": 85, "YARA": 965, "email": 2 }, "indicator_count": 7699, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "644b124399f55d7db8da4358", "name": "Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign", "description": "", "modified": "2023-04-28T00:24:35.992000", "created": "2023-04-28T00:24:35.992000", "tags": [], "references": [ "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "FileHash-MD5": 89, "FileHash-SHA1": 62, "FileHash-SHA256": 62, "URL": 6, "domain": 52 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "61ebb686fb654ea04bf28cd4", "name": "yarex_APTMalware", "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex", "modified": "2022-04-27T00:03:12.448000", "created": "2022-01-22T07:47:18.162000", "tags": [ "clsid", "quvtohr", "yara rule", "set author", "identifier", "aptmalwareapt28", "rule", "nblockuse", "start", "dbcsbuffer", "nbsp", "name", "ithesaurusword", "namespace3http", "wdcecfchgigjg", "address", "aptmalwareapt21", "ainfbf", "dekmcugcl", "dltuntu", "edbfa", "zyxzedbfa", "path", "newwindow", "aptmalwareapt1", "j5feq1a", "yljl8wk29gvu", "assoc", "aptmalwareapt29", "b8b4b0b", "closehandle", "matchlen", "finishmsg", "feedback", "error", "cimagemanager", "getimage", "ccmdtarget", "getdata", "p6gpav2", "getruntimeclass", "aptmalwareapt19", "enpi", "vmrqs", "mmnmbivesahl", "dvirev", "failed", "ctrll", "lookup", "ctrlshiftr", "ascii ctrla", "rule set", "vgkjbmcqvepmkjw", "ihjw9", "shellmainthread", "initfirst", "filesexcalibur", "filemg1", "entry", "socket", "concurrency", "shell", "aptmalwareapt30", "okbps", "plcqtobyjf" ], "references": [ "APT 30.yar", "Equation Group.yar", "Winnti.yar", "Energetic Bear.yar", "Dark Hotel.yar", "APT 19.yar", "APT 10.yar", "APT 29.yar", "APT 1.yar", "APT 21.yar", "Gorgon Group.yar", "APT 28.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "resteex0", "id": "175858", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "FileHash-SHA256": 1429, "YARA": 979, "URL": 146, "domain": 85, "hostname": 48, "email": 2 }, "indicator_count": 7713, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "APT 19.yar", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "APT 28.yar", "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "Gorgon Group.yar", "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf", "APT 10.yar", "APT 29.yar", "https://www.hybrid-analysis.com/sample/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9?environmentId=100", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "APT 21.yar", "Winnti.yar", "APT 30.yar", "Equation Group.yar", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261", "Energetic Bear.yar", "https://www.hybrid-analysis.com/sample/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490?environmentId=100", "Dark Hotel.yar", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://repo.quicksand.io/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.html", "APT 1.yar" ], "related": { "alienvault": { "adversary": [ "Sofacy", "Turla Group" ], "malware_families": [], "industries": [ "Government", "Energy", "Engineering", "Military", "Ngo" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "5a8c8b889e7d6c1288e3b570", "name": "A Slice of 2017 Sofacy Activity", "description": "Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard.", "modified": "2018-02-20T20:56:40.717000", "created": "2018-02-20T20:56:40.717000", "tags": [ "sofacy", "nato", "zebrocy", "central asia", "gamefish", "apt28", "xagent", "delphi", "ukraine", "coreshell", "western union", "asia", "fancy bear", "apt", "kaspersky" ], "references": [ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "government", "military", "ngo", "energy", "engineering" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "FileHash-MD5": 55, "CVE": 2 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 376811, "modified_text": "2975 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "5911ff9cdbd6ea04445af363", "name": "EPS Processing Zero-Days Exploited by Multiple Threat Actors", "description": "Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day (CVE-2017-0261), and APT28 was using the second EPS zero-day (CVE-2017-0262) along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East.", "modified": "2017-07-21T22:04:29.680000", "created": "2017-05-09T17:42:52.742000", "tags": [ "office", "0day", "NETWIRE", "GAMEFISH", "turla", "sofacy", "apt28", "fireeye" ], "references": [ "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "https://repo.quicksand.io/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.html", "https://www.hybrid-analysis.com/sample/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490?environmentId=100", "https://www.hybrid-analysis.com/sample/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9?environmentId=100", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/" ], "public": 1, "adversary": "Turla Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 79, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 1, "hostname": 1, "FileHash-MD5": 5, "IPv4": 3, "CVE": 5, "FileHash-SHA1": 5, "Mutex": 1, "YARA": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 376777, "modified_text": "3189 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "65707cfd7deec618b32401ae", "name": "yarex_APTMalware", "description": "", "modified": "2023-12-06T13:54:05.062000", "created": "2023-12-06T13:54:05.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1429, "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "hostname": 48, "URL": 146, "domain": 85, "YARA": 965, "email": 2 }, "indicator_count": 7699, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "644b124399f55d7db8da4358", "name": "Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign", "description": "", "modified": "2023-04-28T00:24:35.992000", "created": "2023-04-28T00:24:35.992000", "tags": [], "references": [ "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "FileHash-MD5": 89, "FileHash-SHA1": 62, "FileHash-SHA256": 62, "URL": 6, "domain": 52 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "61ebb686fb654ea04bf28cd4", "name": "yarex_APTMalware", "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex", "modified": "2022-04-27T00:03:12.448000", "created": "2022-01-22T07:47:18.162000", "tags": [ "clsid", "quvtohr", "yara rule", "set author", "identifier", "aptmalwareapt28", "rule", "nblockuse", "start", "dbcsbuffer", "nbsp", "name", "ithesaurusword", "namespace3http", "wdcecfchgigjg", "address", "aptmalwareapt21", "ainfbf", "dekmcugcl", "dltuntu", "edbfa", "zyxzedbfa", "path", "newwindow", "aptmalwareapt1", "j5feq1a", "yljl8wk29gvu", "assoc", "aptmalwareapt29", "b8b4b0b", "closehandle", "matchlen", "finishmsg", "feedback", "error", "cimagemanager", "getimage", "ccmdtarget", "getdata", "p6gpav2", "getruntimeclass", "aptmalwareapt19", "enpi", "vmrqs", "mmnmbivesahl", "dvirev", "failed", "ctrll", "lookup", "ctrlshiftr", "ascii ctrla", "rule set", "vgkjbmcqvepmkjw", "ihjw9", "shellmainthread", "initfirst", "filesexcalibur", "filemg1", "entry", "socket", "concurrency", "shell", "aptmalwareapt30", "okbps", "plcqtobyjf" ], "references": [ "APT 30.yar", "Equation Group.yar", "Winnti.yar", "Energetic Bear.yar", "Dark Hotel.yar", "APT 19.yar", "APT 10.yar", "APT 29.yar", "APT 1.yar", "APT 21.yar", "Gorgon Group.yar", "APT 28.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "resteex0", "id": "175858", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "FileHash-SHA256": 1429, "YARA": 979, "URL": 146, "domain": 85, "hostname": 48, "email": 2 }, "indicator_count": 7713, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "f8e92d8b5488ea76c40601c8f1a08790", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "f8e92d8b5488ea76c40601c8f1a08790", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776229030.6285007 }