Related IoCs to https://cert.gov.ua/article/39708 - Cyberattack on state organizations of Ukraine using the topic "Azovstal" and the malicious program Cobalt Strike Beacon (CERT-UA # 4490)
AI Analysis
Technical Summary
This threat pertains to a cyberattack campaign targeting Ukrainian state organizations, leveraging the topic "Azovstal" as a social engineering lure and deploying the Cobalt Strike Beacon malware. Cobalt Strike Beacon is a well-known post-exploitation tool used by threat actors to establish persistent command and control (C2) channels, enabling lateral movement, data exfiltration, and further payload deployment within compromised networks. The campaign also references TrickBot, a modular malware family often used as a delivery mechanism or to facilitate initial access and credential theft. The attack appears to be a targeted campaign, exploiting geopolitical tensions related to the Azovstal steel plant, a symbolically significant site in Ukraine. The campaign's indicators of compromise (IoCs) are linked to CERT-UA advisories, suggesting active monitoring and response by Ukrainian cybersecurity authorities. Although no specific affected software versions or vulnerabilities are detailed, the use of Cobalt Strike Beacon implies that the attackers have already gained initial access, possibly through phishing or exploitation of unpatched systems, and are now conducting post-compromise activities. The campaign's technical details indicate a high threat level and moderate analysis confidence, with no known exploits in the wild beyond the use of these tools. The lack of patch links suggests that the attack relies on social engineering and existing malware frameworks rather than zero-day vulnerabilities.
Potential Impact
For European organizations, particularly those with close ties or operational links to Ukrainian entities, this campaign poses a significant risk. The use of Cobalt Strike Beacon enables attackers to maintain stealthy persistence, move laterally within networks, and exfiltrate sensitive data, potentially compromising confidentiality, integrity, and availability of critical systems. Given the geopolitical context, European governmental bodies, critical infrastructure operators, and organizations involved in defense, energy, and logistics sectors may be targeted for espionage or disruption. The campaign's social engineering angle, leveraging topical geopolitical events, increases the likelihood of successful phishing attacks. Additionally, the presence of TrickBot suggests potential for initial compromise via credential theft or malware delivery, which could be leveraged against European organizations sharing infrastructure or supply chains with Ukrainian counterparts. The campaign could also serve as a precursor or component of broader hybrid warfare tactics impacting European cybersecurity posture.
Mitigation Recommendations
European organizations should implement targeted detection and response strategies focusing on Cobalt Strike Beacon and TrickBot activity. This includes deploying network and endpoint detection tools capable of identifying Cobalt Strike's characteristic C2 traffic patterns, such as beaconing intervals and encrypted communications. Organizations should conduct threat hunting exercises using IoCs published by CERT-UA and CIRCL, focusing on indicators related to Azovstal-themed phishing campaigns. Email security should be enhanced with advanced anti-phishing controls, including URL rewriting, attachment sandboxing, and user awareness training emphasizing geopolitical-themed lures. Network segmentation and strict access controls can limit lateral movement if initial compromise occurs. Multi-factor authentication (MFA) should be enforced to mitigate credential theft risks associated with TrickBot. Incident response plans must be updated to include procedures for detecting and eradicating Cobalt Strike implants. Finally, collaboration with national cybersecurity agencies and sharing of threat intelligence within European CERT communities will improve situational awareness and collective defense.
Affected Countries
Ukraine, Poland, Germany, France, Italy, United Kingdom, Estonia, Lithuania, Latvia
Indicators of Compromise
Technical Details
- Threat Level: 1
- Analysis: 2
- UUID: 1b2b6e15-3655-4648-afcb-c93214187736
- Original Timestamp: 1650435745
Threat ID: 682b7bacd3ddd8cef2eb4df4
Added to database: 5/19/2025, 6:42:52 PM
Last enriched: 6/18/2025, 7:18:20 PM
Last updated: 8/18/2025, 11:37:07 AM