{
	"id": "189ee7db-feba-4029-97d2-4d7659797d27",
	"created_at": "2026-04-06T00:13:51.991351Z",
	"updated_at": "2026-04-10T03:34:41.42661Z",
	"deleted_at": null,
	"sha1_hash": "320ae521bb48461ede103aa84bdaddd3c4d60889",
	"title": "Rewterz Threat Alert - Common Raven - IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35264,
	"plain_text": "Rewterz Threat Alert - Common Raven - IOCs - Rewterz\r\nPublished: 2020-11-19 · Archived: 2026-04-05 14:31:10 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nThreat actor Common Raven has been active, and the methods used to perform reconnaissance activities related to\r\nfinancial messages are influenced by the messaging solution. This is done via SQL statements, observing files on\r\ndisk, browsing the messaging interface’s GUI, or even something as complex as hooking into legitimate software to intercept\r\nfunction calls. Common Raven's methodology is to harvest information from the client that uses AutoClient. The threat\r\nactor deploys malware that copies data from the emission and reception folders to a staging folder,\r\nfrom where they can read or retrieve the messages.\r\nImpact\r\nInformation theft\r\nExposure of sensitive data\r\nIndicators of Compromise\r\nFilename\r\nsvschost[.]exe\r\nMD5\r\n6f5be0ae39a7acc5bce45e53a9a5a0cb\r\n3e65c53da93202024480c0071104dd5f\r\nSHA-256\r\n57e6e8afb83fe29962ebd9a164d8bac6155d825897d08d94eb7cd5c71eb9d184\r\n3da155bcee7727b04f3715a85e7beaa3ff55bbecd100457b2a6dcbc3a6850fed\r\nSHA1\r\n65b7fff2d3917d0b7dc807a3430e7efc888e7240\r\nc9ee6ae1d15f7fb4c5e11956a7e8120d8ee8e85f\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs\r\nPage 1 of 2\n\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for IOCs in your environment.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-common-raven-iocs"
	],
	"threat_actors": [
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/320ae521bb48461ede103aa84bdaddd3c4d60889.pdf",
		"text": "https://archive.orkl.eu/320ae521bb48461ede103aa84bdaddd3c4d60889.txt",
		"img": "https://archive.orkl.eu/320ae521bb48461ede103aa84bdaddd3c4d60889.jpg"
	}
}