SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference

Severity: High
Published: Thu Apr 13 2023 (04/13/2023, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: type
Product: osint

AI-Powered Analysis

Last updated: 06/18/2025, 07:34:33 UTC

Technical Analysis

The threat identified as SNOWYAMBER, HALFRIG, and QUARTERRIG refers to a set of malware tools primarily associated with OSINT (Open Source Intelligence) activities, as indicated by the tags and categories provided. These tools appear to be used for network activity monitoring and payload delivery, suggesting capabilities for reconnaissance and potentially for delivering malicious payloads within targeted environments. The information is sourced from CIRCL and classified under a high severity level, although no specific affected software versions or patches are available, and no known exploits in the wild have been reported to date. The lack of detailed technical indicators or CVEs implies that these tools may be custom or specialized malware used in targeted campaigns rather than widespread commodity malware. The perpetual lifetime tag indicates that these tools or their signatures are considered persistent threats in the OSINT domain. The threat level is marked as '1' (likely indicating high priority), but the analysis field is '0', suggesting limited public technical analysis is available. Overall, these tools are likely part of a sophisticated threat actor's toolkit for conducting network reconnaissance, gathering intelligence, and delivering payloads to compromise systems.

Potential Impact

For European organizations, the presence of these malware tools could lead to significant risks including unauthorized network reconnaissance, data exfiltration, and potential system compromise through payload delivery. Given the high severity rating, these tools could be leveraged to breach confidentiality by gathering sensitive information, impact integrity by delivering malicious payloads that alter or corrupt data, and affect availability if payloads include destructive or disruptive components. The absence of patches and known exploits suggests that detection and mitigation rely heavily on proactive threat intelligence and network monitoring. European entities involved in critical infrastructure, government, defense, or industries with sensitive intellectual property are particularly at risk, as these tools could facilitate espionage or sabotage. The persistent nature of these tools also implies a long-term threat that could evade traditional defenses if not actively monitored.

Mitigation Recommendations

To mitigate risks from SNOWYAMBER, HALFRIG, and QUARTERRIG, European organizations should implement advanced network traffic analysis focusing on unusual reconnaissance patterns and payload delivery attempts. Deploying and tuning intrusion detection/prevention systems (IDS/IPS) with updated threat intelligence feeds that include these tools is critical. Organizations should conduct regular threat hunting exercises targeting OSINT-related malware signatures and behaviors. Network segmentation and strict access controls can limit lateral movement if initial compromise occurs. Endpoint detection and response (EDR) solutions should be configured to detect suspicious payload execution and anomalous network connections. Since no patches are available, emphasis should be placed on timely incident response and forensic capabilities to identify and contain infections early. Sharing intelligence with trusted partners and national cybersecurity centers can enhance detection and response effectiveness. Finally, employee training on recognizing phishing or social engineering attempts that could deliver these payloads remains essential.

Technical Details

Threat Level: 1
Analysis: 0
UUID: e9bf73b9-f82c-4203-ba04-deacf8d9fbd6
Original Timestamp: 1681482747

Indicators of Compromise

URL

| Value | Description |
|---|---|
| totalmassasje.no/schedule.php | SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP |
| signitivelogics.com/Schedule.html | SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO |
| humanecosmetics.com/category/noteworthy/6426-7346-9789 | SNOWYAMBER - Cobalt Strike Team Server |
| signitivelogics.com/BMW.html | SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO |
| literaturaelsalvador.com/Instructions.html | SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP |
| parquesanrafael.cl/note.html | SNOWYAMBER - ENVYSCOUT URL |
| inovaoftalmologia.com.br/form.html | SNOWYAMBER - ENVYSCOUT URL |
| literaturaelsalvador.com/Schedule.htm | SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO |
| sawabfoundation.net/p.php? ip=<IP>&ua=<USER_AGENT> | HALFRIG - ENVYSCOUT backend fingerprint collector |
| sawabfoundation.net/note.html | HALFRIG - ENVYSCOUT |
| pateke.com/auth/login.php | QUARTERRIG C2 URL |
| pateke.com/index.php | QUARTERRIG C2 URL |
| gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu | QUARTERRIG - COBALT STRIKE Handler URL |
| gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8 | QUARTERRIG - COBALT STRIKE Handler URL |
| sharpledge.com/login.php | QUARTERRIG C2 URL |
| sylvio.com.br/form.php | URL to ENVYSCOUT used to deliver QUARTERRIG |

Domain

| Value | Description |
|---|---|
| badriatimimi.com | SNOWYAMBER - BRUTERATEL C2 |
| sawabfoundation.net | HALFRIG - compromised hosting used for ENVYSCOUT |
| communitypowersports.com | HALFRIG - CobaltStrike redirector |
| sanjosemotosport.com | HALFRIG - CobaltStrike C2 |
| pateke.com | QUARTERRIG Domain |
| gatewan.com | QUARTERRIG - COBALT STRIKE C2 Domain |
| sharpledge.com | QUARTERRIG C2 Domain |
| sylvio.com.br | QUARTERRIG - Domain used to host ENVYSCOUT |

Hash


IP

| Value | Description |
|---|---|
| 85.195.89.91 | QUARTERRIG server IP |
| 91.218.183.90 | QUARTERRIG - COBALT STRIKE C2 IP |
| 51.75.210.218 | QUARTERRIG server IP |

Link

https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf

File

IoC_Reference_.pdf
7za.dll
BugSplatRc64.dll
BugSplatRc64.dll
hXaIk1725.pdf
hXaIk1314.pdf
Note.exe
Note.iso
AppvIsvSubsystems64.dll
msword.dll
envsrv.dll
mschost.dll
Note.exe
Note.iso
AppvIsvSubsystems64.dll
bdcmetadataresource.xsd
Invite.iso
Invite.exe
winhttp.dll
Stamp.aapp
Note.iso
AppvIsvSubsystems64.dll
bdcmetadataresource.xsd

Threat ID: 682acdbebbaf20d303f0f1a1

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 6/18/2025, 7:34:33 AM

Last updated: 8/16/2025, 4:08:18 PM
