VasyGrek and Mr.Burns: Strong Ties in Finance
July 10, 2024, 10:18 a.m.
Description
F.A.C.C.T. experts analyzed the tools and connections of cybercriminals attacking Russian accountants. The report presents an analysis of the VasyGrek attacker's infection chain, his forum activity, and his connection with the malware developer Mr.Burns. It traces the history of Mr.Burns back to 2010 and describes the current version of the BurnsRAT malware, which is sold on forums and used in attacks on Russian companies.
Date
- Created: July 10, 2024, 9:49 a.m.
- Published: July 10, 2024, 9:49 a.m.
- Modified: July 10, 2024, 10:18 a.m.
Indicators
Attack Patterns
- TeamViewer
- RMS
- BurnsRAT
- WarzoneRAT - S0670
- PureLogs
- Ave Maria
- MetaStealer
- RedLine Stealer
- PureCrypter
- VasyGrek
- T1217
- T1569.002
- T1543.003
- T1552.001
- T1036.004
- T1573.001
- T1555.003
- T1027.002
- T1055.002
- T1497.001
- T1059.003
- T1566.002
- T1571
- T1547.001
- T1095
- T1113
- T1071.001
- T1518.001
- T1036.005
- T1070.004
- T1204.002
- T1574.001
- T1005
- T1574
- T1082
- T1105
- T1566.001
- T1083
- T1219
- T1033
- T1041
Additional Information
- Finance