{
	"id": "68acdbaa-95e4-4910-8258-6702a479bfc9",
	"created_at": "2026-04-06T01:28:58.755192Z",
	"updated_at": "2026-04-10T13:11:50.087503Z",
	"deleted_at": null,
	"sha1_hash": "19598f45461e795a2a29c2cbc2588e722ae162b5",
	"title": "CyberThreatIntel/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md at master · StrangerealIntel/CyberThreatIntel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 586583,
	"plain_text": "CyberThreatIntel/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md at master · StrangerealIntel/CyberThreatIntel\r\nBy StrangerealIntel\r\nArchived: 2026-04-06 00:25:45 UTC\r\nAnalysis of the new TA505 campaign\r\nTable of Contents\r\nMalware analysis\r\nCyber Threat Intel\r\nIndicators Of Compromise (IOC)\r\nReferences MITRE ATT\u0026CK Matrix\r\nLinks\r\nOriginal Tweet\r\nLink Anyrun\r\nMalware analysis\r\nThe initial vector is a malicious Excel file that uses an XLM macro (Excel 4.0 macro). It uses a function that launches the payload when the Excel window becomes active (selected as the primary window). As its first action, it executes Module 1.\r\nThe function called in Module 1 creates a WScript object to change the current directory, show the fake message and push debug messages.\r\nThe UserForm extracts and executes a different PE depending on the architecture of the victim (x86 or x64).\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md\r\nPage 1 of 11\r\nAs an anti-forensic technique, it deletes the files by calling the Kill function.\r\nWe can note that one function is unused and seems to be a leftover from the development of the macro.\r\nThe executed implant pushes everything into memory with a call to the VirtualAlloc function.\r\nOnce done, it checks the system information and the processes running on the computer, and tries to detect whether it is running in a sandbox (small disk size).\r\nIt sends the information to the C2 and waits for the next instruction from the group.\r\nWe can list the information sent in the following variables:\r\nVariables Description\r\n\u0026D= Name of the computer\r\n\u0026U= Name of the user\r\n\u0026OS= Version of the OS\r\n\u0026PR= List of processes (separated by %7C)\r\nIt is presented this way (extracted from the sandbox):\r\n\u0026D=User-PC\u0026U=admin\u0026OS=6.1\u0026PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7C\r\nIt is interesting to note that the group only collects the process list to check whether the victim has security measures (AV, endpoint...) before launching the next step. Judging by the latest analyses on this subject, this drops the Clop ransomware. The group is currently changing the trusted certificate to bypass security measures, as we can see in the analyses by VK_Intel:\r\nhttps://twitter.com/VK_Intel/status/1162810558774747137\r\nhttps://twitter.com/VK_Intel/status/1157761784582983685\r\nhttps://twitter.com/VK_Intel/status/1157742218549039105\r\nhttps://twitter.com/VK_Intel/status/1155381658746589185\r\nhttps://twitter.com/VK_Intel/status/1145041163839266823\r\nhttps://twitter.com/VK_Intel/status/1136069755222335490\r\nCyber Threat Intel\r\nRecently, new domains used by the group have been spotted by Suspicious Link. On the HTML document, we can see that the fake page impersonates Dropbox by using external references, as well as the path to the malicious Excel document.\r\nWe can also see that the personal information used resembles that of the Office of the Prime Minister of the Republic of Armenia.\r\nCyber kill chain\r\nThe process graphs summarise all the cyber kill chains used by the attacker.\r\nReferences MITRE ATT\u0026CK Matrix\r\nList of all the references with MITRE ATT\u0026CK Matrix\r\nEnterprise tactics Techniques used Ref URL\r\nExecution Execution through Module Load https://attack.mitre.org/techniques/T1129/\r\nDiscovery Query Registry https://attack.mitre.org/techniques/T1012/\r\nIndicators Of Compromise (IOC)\r\nList of all the Indicators Of Compromise (IOC)\r\nLinks\r\nOriginal tweet:\r\nhttps://twitter.com/James_inthe_box/status/1179077549302829056\r\nhttps://twitter.com/KorbenD_Intel/status/1179858006584037377\r\nhttps://twitter.com/58_158_177_102/status/1177498806016823296\r\nhttps://twitter.com/killamjr/status/1181294324061003777\r\nLinks Anyrun:\r\nLetter 7711.xls\r\nREP 7072.xls\r\nSource: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md"
	],
	"report_names": [
		"Malware%20Analysis%2004-10-2019.md"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438938,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19598f45461e795a2a29c2cbc2588e722ae162b5.pdf",
		"text": "https://archive.orkl.eu/19598f45461e795a2a29c2cbc2588e722ae162b5.txt",
		"img": "https://archive.orkl.eu/19598f45461e795a2a29c2cbc2588e722ae162b5.jpg"
	}
}