Information
A new Gamaredon sample with a low detection rate was discovered targeting Ukraine, with the topic DEPARTMENT OF SOCIAL PROTECTION OF THE POPULATION OF THE KYIV REGIONAL STATE ADMINISTRATION OF THE KYIV REGIONAL MILITARY ADMINISTRATION.
Field | Value |
---|---|
sha256 | 032d134d145c3047f56e936431a0aefd89ba56ba2bd3101c27bb002298addc88 |
filename | Unknown |
During execution, the document loads a remote template from the URL http://lucky.falling85.garibdo[.]ru. Another subdomain, council67.garibdo[.]ru, is probably used to achieve the same goal with other documents.
The URL can be found in the 1table property of the .doc file as shown.
🔗 DOCx: https://www.virustotal.com/gui/file/032d134d145c3047f56e936431a0aefd89ba56ba2bd3101c27bb002298addc88
🔗 Domain: https://www.virustotal.com/gui/domain/lucky.falling85.garibdo.ru
🔗 Tweet: https://twitter.com/Joseliyo_Jstnk/status/1709488573454376975
Hunting
Some interesting hunting queries related to these behaviors:
(behavior_processes:*.ru* and behavior_processes:*DavSetCookie* and behavior_processes:*http*) and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*) and (type:document)
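A local counterpart to the process clauses of the query above, as an added example that is not from the original post: it applies the same three substring checks to process-creation command lines, then a stricter check that parses the host of the URL passed to DavSetCookie (an export of the Windows WebDAV client, davclnt.dll), because `*.ru*` also matches strings such as `.runbook`. The command lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation command lines (not from the sample's sandbox report).
SAMPLE_EVENTS = [
    r'rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie template.placeholder.ru http://template.placeholder.ru/',
    r'rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.example.com http://files.example.com/templates/report.dotx',
    r'rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie intranet.example.com http://intranet.example.com/docs/setup.runbook.dotm',
    r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\letter.doc"',
]

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def broad_match(cmdline):
    """Same substring semantics as the three behavior_processes clauses."""
    low = cmdline.lower()
    return all(token in low for token in ('.ru', 'davsetcookie', 'http'))


def dav_hosts(cmdline):
    """Host names of the http(s) URLs in a DavSetCookie command line."""
    if 'davsetcookie' not in cmdline.lower():
        return []
    hosts = []
    for url in URL_RE.findall(cmdline):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.append(host.lower().rstrip('.'))
    return hosts


def strict_match(cmdline, tld='ru'):
    """True only when a WebDAV URL host really ends in the given TLD."""
    return any(host.endswith('.' + tld) for host in dav_hosts(cmdline))


def triage(events):
    """Return (broad, strict, command line) for each event."""
    return [(broad_match(e), strict_match(e), e) for e in events]


if __name__ == '__main__':
    for broad, strict, event in triage(SAMPLE_EVENTS):
        print(f'broad={broad!s:5} strict={strict!s:5} {event}')
```

The third constructed event matches the substring logic but not the host check, which is the kind of hit to expect when the broad query is run as is.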
Contact
Twitter: https://twitter.com/Joseliyo_Jstnk
LinkedIn: https://www.linkedin.com/in/joseluissm/