VasyGrek and Mr.Burns: Strong Ties in Finance

July 10, 2024, 10:18 a.m.

Description

F.A.C.C.T. analysts examined the tooling and connections of cybercriminals targeting Russian accountants. The report walks through the infection chain used by the attacker VasyGrek, his activity on forums, and his link to the malware developer Mr.Burns. It traces the history of Mr.Burns back to 2010 and describes the current version of the BurnsRAT malware, which is sold on forums and used in attacks on Russian companies.

Date

Published: July 10, 2024, 9:49 a.m.

Created: July 10, 2024, 9:49 a.m.

Modified: July 10, 2024, 10:18 a.m.

Indicators

ebdce7eae3a77ed05ed6279c46a8be8c560085f82ce0f9e4de0ad8c700c16fc4

f7878a67c6de2ff26c79ab890e4a60b76c67a7583c6a24bd96cd93a5f4a0e0aa

e4a91db9e43655931fd3926ec00dbe8a063fbe0d3f0af7d902fd3b9d8281fb3d

e360674d2abf0bea085d01bc3595e19efb3ac061ab8090a32d0c579c621c46f6

d79d130aa4f0b207e741909c45be613a1e3720cb82a0578012cc508c28da6bad

c3b30120feef022d552f85b780d4c988ee82bc07e6b5948db5d32e59d44fa704

c2f97483f8a5a96fa39e8bd3d3458093ac527a8c8efd662e838d95a9bc2354fb

bf9fc94905d75ccf3640d35899d533e50c7ba8bdce396443ae2d0507657a9e81

bbad7c6e8f0d7ae94941257e7ece4d2b144aad56e25760c8876b808f3e8420e6

ba629f7ee519379f1a5a8a4683ee9a48d1b0996268bfaf1162e4bf0f2b792b77

b2193cb3f8bd13c8a5769d5ce499a36b9c44e2eb2800bcdf22320525beaf9586

af8018b310bf030f6feca0f6f23d3e65f8926114d7cd493573badae24f5da0d1

ae9df2b98a9e5561c749cc96a4e24f9d5bb0451889a3924fd7ed73436466495f

ab90f80eee37e16cb3c94f524e2fde3fe13669386512ea36b4ad6ac4d9fbf773

a5eff95e877e7e5e1b8a57e3169cb6f545ae353ed1908840dabb9554ff001500

950bdf0842e513180c42ab3809e57c0779456c51a53e41ce8e833ed36880230e

92d65e200d729beac212563a7559fbdc657a4832d462e02dab4d937b5571983c

90e6c0aed978271769f4fface9a27edbb8d72cd463cfd57b443710aa703a1f98

8e379068eb7e9f9e5635531526dacdc03bf505e67775dd186edba27b33a93805

8b7e5a040f0e468eb540211a3ac73dadd6628177dc09eaff06bfbce10c6eeab9

892a92ce83ed1c9e67c8f7ab0120d1f28e1dfd3a93146da3fde6e9226e22222b

7da756b08230bd426defeaea35588b899057228ac19f3a21625582038e405c76

7a79bb8b4c55f11b463efee0c8cbfaf24c85daac04b67f4f4c25f6851dda57df

7930b4271172eb69e63349282bfe62a111a6e0a8bc8b23ae8729ab6be006ecf5

702db5ce9f9ce7af433146796263c795dfdf065b10e914bc54fd23af5d33e793

6e463e3aafb12ec1fd7ff347038b3df15a93b3b2c506c9d670498b0937d6dce7

6a69e0ebb331aa21614ccc0c4028b5cde242f0710300fe7b441b2017c71a8e16

5f31759d1ac833df5b990b436dabb88cf3e85ba7495440a62364723bc8490907

5170542754aaa8a8585e4d7c12f77deb7fc0cb24ec6626d53e3fa9997e303e77

4c88348d1ef0ff6857f48761ac82d8455661849b34e4f4a6bc07a765818361a3

3d3cef0a4b5c9d56790dbb8c8ac838d42caac2171f5435495682a51c45160bc3

3bced24274a35cd08a3698e32623a14a319fbb60f4f9a950d41834710393c32f

3b8672b2cd5c53f3f4e823ed3873d930b5786a05cc7f2d49b07cb5bda21d933e

382031a229aad519f8d243923e504e8dedf0106f4ce274ab9640ce55542b962d

2e4d3cf89636072438deb7e690ea376e8433c5dc59d8befedc0f5b79ea9a6b7d

2ef38ea449b172cef5e1015bc4b5e37de8ece7d4be087b6bdded5a992493e7aa

2bcfbb053ec4936bded589848b8429cd37b0a7bf5bf85e5e3ace494f4512bfa9

2a82f3e9fc83a6e14c8ff13ed5d450580235981958a7bd262c7ea597e1c94078

20a77d76f250b75309e8ccaf1470d9729dc99b95168085ff30b1e46be6ce2138

1fd5a9570a894c751610c1b49b2f2f00c0c618d365be14a4980f1266a3772c90

1dbce4f525f428cfce626726209ca973f2fdb93cd905a94a1bc538f75e0a16ca

164cabc6b731b2420df8a0fa8e4a2590e45cc027d9cf72ccc74252383ec0f65b

14f5ef72472f64edee2e852d1c677ad4f61b780c3ac93649835c4cc30f5c5b2f

1304a1ec426aa4d39c255aef059bc5b2cb9fef096cd6d136c63ddf8a3b936b96

0576a15f1331d220336163510cc71deb37d1ae0b57ff6ad661c5e547086b57e2

05406c5e034be68b6514fc3ae1b31f603ec7d1865963fe0716ed48605af0fd98

03b11a7319a44c8848d239b8ce49ebb43ebe90dfb9927771a2258bbe3d0e655e

95.217.100.156

91.246.41.200

181.215.235.180

146.185.195.28

https://xak.guru/threads/23230/

https://web-whatsap.online/kopiya_skrinchot_1C.pdf.rar

https://trianglimsk.ru/optata.rar

https://trianglimsk.ru/_Release.exe

https://sk-krona.fun/panel/uploads/Zofrj.dat

https://sk-krona.fun/panel/uploads/Xzkxso.mp3

https://sk-krona.fun/panel/uploads/Wllyqo.mp4

https://sk-krona.fun/panel/uploads/Wfbitmtjlzd.dat

https://sk-krona.fun/panel/uploads/Vgnaahn.mp3

https://sk-krona.fun/panel/uploads/Vfqegoe.dat

https://sk-krona.fun/panel/uploads/Tvmjmv.mp4

https://sk-krona.fun/panel/uploads/Seancczvbv.wav

https://sk-krona.fun/panel/uploads/Qydultut.dat

https://sk-krona.fun/panel/uploads/Oguqs.mp4

https://sk-krona.fun/panel/uploads/Nsvozql.mp4

https://sk-krona.fun/panel/uploads/Ljncj.dat

https://sk-krona.fun/panel/uploads/Fxeiroo.mp3

https://sk-krona.fun/panel/uploads/Fhzcvdiuu.wav

https://sk-krona.fun/panel/uploads/Dscxqvi.mp4

https://sk-krona.fun/panel/uploads/Dzyhmzjdtpz.wav

https://sk-krona.fun/panel/uploads/Cvevg.mp3

https://saitraif.ru/panel/uploads/Xkwjbhibh.dat

https://sk-krona.fun/panel/uploads/Awdiaz.pdf

https://saitraif.ru/panel/uploads/Qzvldxefss.mp4

https://saitraif.ru/panel/uploads/Qxudsj.mp4

https://saitraif.ru/panel/uploads/Lexhwif.pdf

https://saitraif.ru/panel/uploads/Kjpdz.mp4

https://saitraif.ru/panel/uploads/Hyfhtwkc.mp3

https://saitraif.ru/panel/uploads/Awrxzkoc.mp3

https://saitraif.ru/panel/uploads/Asvchn.wav

https://saitraif.ru/panel/uploads/Ahjhcuubue.mp3

https://saitraif.ru/22012024BUILD.exe

https://downlod-bussines.ru/panel/uploads/Yppohxqf.vdf

https://downlod-bussines.ru/koriya_akt_upd_1C.PDF.rar

https://doc2024.ru/2024bldrms.exe

https://doc-1c.fun/panel/uploads/Hnxuy.vdf

https://bussines-raff.fun/MetaKript.exe

https://bussines-raff.fun/BLD.exe

https://bussines-raff.fun/22012024BUILD.exe

http://vip23newtop.fun/framework/

http://91.246.41.200:7702

http://91.246.41.200:58003

http://91.246.41.200:58002

http://91.246.41.200:58001

http://91.246.41.200:56003

http://91.246.41.200:56002

http://91.246.41.200:56001

http://91.246.41.200:5554

http://360mediashare.com/2/command.php

http://360mediashare.com/1/command.php

http://vip22gr.ru/framework/

https://sk-krona.fun/panel/uploads/Etqslnpm.mp4

sonofabitch@ua.fm

mrburns@exploit.im
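
A practitioner will want to turn the list above into hunting logic rather than grep for it entry by entry. The script below is added here as an example and is not code from the F.A.C.C.T. report or from this feed. It normalises an excerpt of these indicators (the values are copied from the list; the remaining entries drop in the same way), strips the trailing periods that extraction glued onto some URLs, collapses the duplicate that results, extracts the host from each URL so that the bare-IP C2 at 91.246.41.200 is matched on address regardless of which of its many ports a beacon uses, and then runs that set over a handful of constructed proxy log lines. The log format (timestamp, client, destination ip:port, Host header, path) and the log lines themselves are assumptions for the demo; the documentation addresses 198.51.100.7 and 203.0.113.x stand in for whatever the malicious hostnames resolved to.

```python
"""Normalise the indicator list above and hunt for it in proxy logs.

Added example, not code from the F.A.C.C.T. report or this feed. Indicator
values are copied from the list above; the log format and lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Excerpt of the page's indicators, kept exactly as the raw list is published:
# one URL carries a trailing period glued on by extraction, and another entry
# appears twice, with and without that period.
RAW_INDICATORS = """
ebdce7eae3a77ed05ed6279c46a8be8c560085f82ce0f9e4de0ad8c700c16fc4
95.217.100.156
91.246.41.200
https://trianglimsk.ru/optata.rar.
https://sk-krona.fun/panel/uploads/Zofrj.dat
http://91.246.41.200:58003
http://91.246.41.200:5554
http://360mediashare.com/2/command.php.
http://360mediashare.com/2/command.php
mrburns@exploit.im
"""

# Constructed proxy log (demo data, not from the report). Fields:
# timestamp client dst_ip:dst_port http_host request_path ("-" = not recorded).
PROXY_LOG = """
2024-07-10T08:01:12Z 10.20.0.15 203.0.113.50:443 example.org /
2024-07-10T08:02:40Z 10.20.0.15 198.51.100.7:443 sk-krona.fun /panel/uploads/Zofrj.dat
2024-07-10T08:03:05Z 10.20.0.15 91.246.41.200:56002 - -
2024-07-10T08:04:17Z 10.20.0.22 203.0.113.9:80 360mediashare.com /2/command.php
2024-07-10T08:05:00Z 10.20.0.31 203.0.113.77:443 example.net /index.html
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
STANDARD_WEB_PORTS = {80, 443}


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def normalise(raw: str) -> dict:
    """Bucket indicators by type; strip glued-on punctuation, collapse duplicates."""
    iocs = {k: set() for k in ("sha256", "ip", "ip_port", "domain", "url", "email")}
    for line in raw.splitlines():
        value = line.strip().rstrip(".,;")  # sentence punctuation is not part of an IOC
        if not value:
            continue
        if SHA256_RE.match(value):
            iocs["sha256"].add(value.lower())
        elif value.startswith(("http://", "https://")):
            iocs["url"].add(value)
            parts = urlsplit(value)
            host = (parts.hostname or "").lower()
            if _is_ip(host):
                # C2 reached by bare IP on many high ports: match on the address,
                # and keep the ports to recognise the non-standard-port pattern.
                iocs["ip"].add(host)
                if parts.port is not None:
                    iocs["ip_port"].add((host, parts.port))
            elif host:
                iocs["domain"].add(host)
        elif EMAIL_RE.match(value):
            iocs["email"].add(value.lower())
        elif _is_ip(value):
            iocs["ip"].add(value)
    return iocs


def match_line(line: str, iocs: dict):
    """Return a reason string if the log line touches an indicator, else None."""
    _ts, _client, dst, host, path = line.split()
    dst_ip, _, dst_port = dst.rpartition(":")
    port = int(dst_port)
    if host != "-":
        # Proxies rarely record the scheme, so try both when rebuilding the URL.
        for scheme in ("https", "http"):
            url = f"{scheme}://{host}{path}"
            if url in iocs["url"]:
                return f"known payload URL {url}"
        if host.lower() in iocs["domain"]:
            return f"known malicious domain {host}"
    if dst_ip in iocs["ip"]:
        kind = "non-standard" if port not in STANDARD_WEB_PORTS else "standard"
        return f"known C2 address {dst_ip} on {kind} port {port}"
    return None


def hunt(log: str, iocs: dict) -> list:
    """(line_no, reason) for every matching log line, numbered from 1."""
    entries = [s for s in (raw.strip() for raw in log.splitlines()) if s]
    hits = []
    for n, entry in enumerate(entries, 1):
        reason = match_line(entry, iocs)
        if reason:
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    found = normalise(RAW_INDICATORS)
    for kind, values in found.items():
        print(f"{kind}: {len(values)}")
    for n, reason in hunt(PROXY_LOG, found):
        print(f"line {n}: {reason}")
```

Matching on the address rather than on an exact URL is what catches the beacon on the third log line, where no Host header was recorded; the port tag in the output makes the many-high-ports-on-one-address pattern (T1571 in the list below) visible at a glance.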

Attack Patterns

TeamViewer

RMS

BurnsRAT

WarzoneRAT - S0670

PureLogs

Ave Maria

MetaStealer

RedLine Stealer

PureCrypter

VasyGrek

Browser Information Discovery - T1217

System Services: Service Execution - T1569.002

Create or Modify System Process: Windows Service - T1543.003

Unsecured Credentials: Credentials In Files - T1552.001

Masquerading: Masquerade Task or Service - T1036.004

Encrypted Channel: Symmetric Cryptography - T1573.001

Credentials from Password Stores: Credentials from Web Browsers - T1555.003

Obfuscated Files or Information: Software Packing - T1027.002

Process Injection: Portable Executable Injection - T1055.002

Virtualization/Sandbox Evasion: System Checks - T1497.001

Command and Scripting Interpreter: Windows Command Shell - T1059.003

Phishing: Spearphishing Link - T1566.002

Non-Standard Port - T1571

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - T1547.001

Non-Application Layer Protocol - T1095

Screen Capture - T1113

Application Layer Protocol: Web Protocols - T1071.001

Software Discovery: Security Software Discovery - T1518.001

Masquerading: Match Legitimate Name or Location - T1036.005

Indicator Removal: File Deletion - T1070.004

User Execution: Malicious File - T1204.002

Hijack Execution Flow: DLL Search Order Hijacking - T1574.001

Data from Local System - T1005

Hijack Execution Flow - T1574

System Information Discovery - T1082

Ingress Tool Transfer - T1105

Phishing: Spearphishing Attachment - T1566.001

File and Directory Discovery - T1083

Remote Access Software - T1219

System Owner/User Discovery - T1033

Exfiltration Over C2 Channel - T1041

Additional Information

Finance