VasyGrek and Mr.Burns: Strong Ties in Finance

July 10, 2024, 10:18 a.m.

Description

F.A.C.C.T. experts analyzed the tools and connections of cybercriminals attacking Russian accountants. The report presents an analysis of the VasyGrek attacker's infection chain, his forum activity and his connection with the malware developer Mr.Burns. It traces the history of Mr.Burns back to 2010 and describes the current version of the BurnsRAT malware, which is sold on forums and used in attacks on Russian companies.

Date

  • Created: July 10, 2024, 9:49 a.m.
  • Published: July 10, 2024, 9:49 a.m.
  • Modified: July 10, 2024, 10:18 a.m.

Indicators

Attack Patterns

  • TeamViewer
  • RMS
  • BurnsRAT
  • WarzoneRAT - S0670
  • PureLogs
  • Ave Maria
  • MetaStealer
  • RedLine Stealer
  • PureCrypter
  • VasyGrek
  • T1217
  • T1569.002
  • T1543.003
  • T1552.001
  • T1036.004
  • T1573.001
  • T1555.003
  • T1027.002
  • T1055.002
  • T1497.001
  • T1059.003
  • T1566.002
  • T1571
  • T1547.001
  • T1095
  • T1113
  • T1071.001
  • T1518.001
  • T1036.005
  • T1070.004
  • T1204.002
  • T1574.001
  • T1005
  • T1574
  • T1082
  • T1105
  • T1566.001
  • T1083
  • T1219
  • T1033
  • T1041

Additional Information

  • Finance