Этот коммит содержится в:
Nat 2022-04-07 21:40:29 +05:30
родитель c8a90b49a0 789c1e5042
Коммит 02a01f352c
6 изменённых файлов: 344 добавлений и 56 удалений


@ -22,64 +22,64 @@ URL,hxxp://consumerspanel[.]frge.io/,Phishing page targeting Ukraine,hxxps://www
Domain,consumerspanel[.]frge.io,Phishing page targeting Ukraine,hxxps://www.facebook[.]com/UACERT/posts/317482093744389, Domain,consumerspanel[.]frge.io,Phishing page targeting Ukraine,hxxps://www.facebook[.]com/UACERT/posts/317482093744389,
MD5,65237e705e842da0a891c222e57fe095,microbackdoor.dll (MicroBackdoor),hxxps://cert.gov.ua/article/37626, MD5,65237e705e842da0a891c222e57fe095,microbackdoor.dll (MicroBackdoor),hxxps://cert.gov.ua/article/37626,
URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37704, URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37704,
URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174838165524/dropper.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37705, URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174838165524/dropper.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37704,
URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949978571680673802/cesdf.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37706, URL,hxxps://cdn.discordapp.com/attachments/947916997713358890/949978571680673802/cesdf.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37704,
IPv4,156.146.50.5,UAC-0056 group,hxxps://cert.gov.ua/article/37707, IPv4,156.146.50.5,UAC-0056 group,hxxps://cert.gov.ua/article/37704,
MD5,15c525b74b7251cfa1f7c471975f3f95,(Go downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37708, MD5,15c525b74b7251cfa1f7c471975f3f95,(Go downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,2fdf9f3a25e039a41e743e19550d4040,(Discord downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37709, MD5,2fdf9f3a25e039a41e743e19550d4040,(Discord downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,4f11abdb96be36e3806bada5b8b2b8f8,(GrimPlant) UAC-0056 group,hxxps://cert.gov.ua/article/37710, MD5,4f11abdb96be36e3806bada5b8b2b8f8,(GrimPlant) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,9ad4a2dfd4cb49ef55f2acd320659b83,(Discord downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37711, MD5,9ad4a2dfd4cb49ef55f2acd320659b83,(Discord downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,9ea3aaaeb15a074cd617ee1dfdda2c26,(GraphSteel) UAC-0056 group,hxxps://cert.gov.ua/article/37712, MD5,9ea3aaaeb15a074cd617ee1dfdda2c26,(GraphSteel) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,aa5e8268e741346c76ebfd1f27941a14,(Cobalt Strike Beacon) UAC-0056 group,hxxps://cert.gov.ua/article/37713, MD5,aa5e8268e741346c76ebfd1f27941a14,(Cobalt Strike Beacon) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,b8b7a10dcc0dad157191620b5d4e5312,UAC-0056 group,hxxps://cert.gov.ua/article/37714, MD5,b8b7a10dcc0dad157191620b5d4e5312,UAC-0056 group,hxxps://cert.gov.ua/article/377108,
MD5,c8bf238641621212901517570e96fae7,(Go downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37715, MD5,c8bf238641621212901517570e96fae7,(Go downloader) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,ca9290709843584aecbd6564fb978bd6,(bait document) UAC-0056 group,hxxps://cert.gov.ua/article/37716, MD5,ca9290709843584aecbd6564fb978bd6,(bait document) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
MD5,cf204319f7397a6a31ecf76c9531a549,(bait document) UAC-0056 group,hxxps://cert.gov.ua/article/37717, MD5,cf204319f7397a6a31ecf76c9531a549,(bait document) UAC-0056 group,hxxps://cert.gov.ua/article/37708,
IPv4,45.84.0.116,UAC-0056 group,hxxps://cert.gov.ua/article/37718, IPv4,45.84.0.116,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxp://45.84.0.116:443/c,UAC-0056 group,hxxps://cert.gov.ua/article/37719, URL,hxxp://45.84.0.116:443/c,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxp://45.84.0.116:443/i,UAC-0056 group,hxxps://cert.gov.ua/article/37720, URL,hxxp://45.84.0.116:443/i,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxp://45.84.0.116:443/m,UAC-0056 group,hxxps://cert.gov.ua/article/37721, URL,hxxp://45.84.0.116:443/m,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxp://45.84.0.116:443/p,UAC-0056 group,hxxps://cert.gov.ua/article/37722, URL,hxxp://45.84.0.116:443/p,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxps://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37723, URL,hxxps://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxps://forkscenter.fr/Sdghrt_umrj6/wisw.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37724, URL,hxxps://forkscenter.fr/Sdghrt_umrj6/wisw.exe,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxps://nirsoft.me/nEDFzTtoCbUfp9BtSZlaq6ql8v6yYb/avp/amznussraps/,UAC-0056 group,hxxps://cert.gov.ua/article/37725, URL,hxxps://nirsoft.me/nEDFzTtoCbUfp9BtSZlaq6ql8v6yYb/avp/amznussraps/,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxps://nirsoft.me/s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/,UAC-0056 group,hxxps://cert.gov.ua/article/37726, URL,hxxps://nirsoft.me/s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
domain,forkscenter.fr,UAC-0056 group,hxxps://cert.gov.ua/article/37727, domain,forkscenter.fr,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
domain,nirsoft.me,UAC-0056 group,hxxps://cert.gov.ua/article/37728, domain,nirsoft.me,UAC-0056 group,hxxps://cert.gov.ua/article/37708,
URL,hxxps://tinyurl[.]com/2p8kpb9v,UAC-0028 group,hxxps://cert.gov.ua/article/37788, URL,hxxps://tinyurl[.]com/2p8kpb9v,UAC-0028 group,hxxps://cert.gov.ua/article/37788,
Hostname,panelunregistertle-348.frge[.]io,UAC-0028 group,hxxps://cert.gov.ua/article/37788, Hostname,panelunregistertle-348.frge[.]io,UAC-0028 group,hxxps://cert.gov.ua/article/37788,
Hostname,eo9p1d2bfmioiot.m.pipedream[.]net,UAC-0028 group,hxxps://cert.gov.ua/article/37788, Hostname,eo9p1d2bfmioiot.m.pipedream[.]net,UAC-0028 group,hxxps://cert.gov.ua/article/37788,
Hostname,eoiw8lhjwuc3sh2.m.pipedream[.]net,UAC-0028 group,hxxps://cert.gov.ua/article/37788, Hostname,eoiw8lhjwuc3sh2.m.pipedream[.]net,UAC-0028 group,hxxps://cert.gov.ua/article/37788,
MD5,00a54a6496734d87dab6685aa90588f8,UAC-0020 group,hxxps://cert.gov.ua/article/37818, MD5,00a54a6496734d87dab6685aa90588f8,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,1c2c41a5a5f89eccafea6e34183d5db9,UAC-0020 group,hxxps://cert.gov.ua/article/37819, MD5,1c2c41a5a5f89eccafea6e34183d5db9,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,32343f2a6b8ac9b6587e2e07989362ab,UAC-0020 group,hxxps://cert.gov.ua/article/37820, MD5,32343f2a6b8ac9b6587e2e07989362ab,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,3ed8263abe009c19c4af8706d52060f8,UAC-0020 group,hxxps://cert.gov.ua/article/37821, MD5,3ed8263abe009c19c4af8706d52060f8,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,5db4313b8dbb9204f8f98f2c129fd734,UAC-0020 group,hxxps://cert.gov.ua/article/37822, MD5,5db4313b8dbb9204f8f98f2c129fd734,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,67274bdd5c9537affbd51567f4ba8d5f,UAC-0020 group,hxxps://cert.gov.ua/article/37823, MD5,67274bdd5c9537affbd51567f4ba8d5f,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,75e1ce42e0892ed04a43e3b68afdbc07,UAC-0020 group,hxxps://cert.gov.ua/article/37824, MD5,75e1ce42e0892ed04a43e3b68afdbc07,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,993415425b61183dd3f900d9b81ac57f,UAC-0020 group,hxxps://cert.gov.ua/article/37825, MD5,993415425b61183dd3f900d9b81ac57f,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,adebdc32ef35209fb142d44050928083,UAC-0020 group,hxxps://cert.gov.ua/article/37826, MD5,adebdc32ef35209fb142d44050928083,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,baf502b4b823b6806cc91e2c1dd07613,UAC-0020 group,hxxps://cert.gov.ua/article/37827, MD5,baf502b4b823b6806cc91e2c1dd07613,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,d0632ef34514bbb0f675c59e6ecca717,UAC-0020 group,hxxps://cert.gov.ua/article/37828, MD5,d0632ef34514bbb0f675c59e6ecca717,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,d34dbbd28775b2c3a0b55d86d418f293,UAC-0020 group,hxxps://cert.gov.ua/article/37829, MD5,d34dbbd28775b2c3a0b55d86d418f293,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,e08d7c4daa45beca5079870251e50236,UAC-0020 group,hxxps://cert.gov.ua/article/37830, MD5,e08d7c4daa45beca5079870251e50236,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,ecc7bb2e4672b958bd82fe9ec9cfab14,UAC-0020 group,hxxps://cert.gov.ua/article/37831, MD5,ecc7bb2e4672b958bd82fe9ec9cfab14,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
MD5,f0197bbb56465b5e2f1f17876c0da5ba,UAC-0020 group,hxxps://cert.gov.ua/article/37832, MD5,f0197bbb56465b5e2f1f17876c0da5ba,UAC-0020 group,hxxps://cert.gov.ua/article/37818,
IPv4,176.119.2.212,UAC-0020 group,hxxps://cert.gov.ua/article/37817, IPv4,176.119.2.212,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
IPv4,176.119.2.214,UAC-0020 group,hxxps://cert.gov.ua/article/37833, IPv4,176.119.2.214,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
IPv4,176.119.5.194,UAC-0020 group,hxxps://cert.gov.ua/article/37834, IPv4,176.119.5.194,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
IPv4,176.119.5.195,UAC-0020 group,hxxps://cert.gov.ua/article/37835, IPv4,176.119.5.195,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://176.119.2.212/web/t/data.out,UAC-0020 group,hxxps://cert.gov.ua/article/37836, URL,http://176.119.2.212/web/t/data.out,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://176.119.5.195/k9otb49xq,UAC-0020 group,hxxps://cert.gov.ua/article/37816, URL,http://176.119.5.195/k9otb49xq,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://getmod.host/DSGb3Y3X,UAC-0020 group,hxxps://cert.gov.ua/article/37837, URL,http://getmod.host/DSGb3Y3X,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://getmod.host/OcthdaLm,UAC-0020 group,hxxps://cert.gov.ua/article/37838, URL,http://getmod.host/OcthdaLm,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://getmod.host/ThlAHy3S,UAC-0020 group,hxxps://cert.gov.ua/article/37839, URL,http://getmod.host/ThlAHy3S,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,http://getmod.host/25s2mh,UAC-0020 group,hxxps://cert.gov.ua/article/37815, URL,http://getmod.host/25s2mh,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
domain,getmod.host,UAC-0020 group,hxxps://cert.gov.ua/article/37840, domain,getmod.host,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
domain,meteolink.host,UAC-0020 group,hxxps://cert.gov.ua/article/37841, domain,meteolink.host,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
domain,netbin.host,UAC-0020 group,hxxps://cert.gov.ua/article/37842, domain,netbin.host,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
domain,stormpredictor.host,UAC-0020 group,hxxps://cert.gov.ua/article/37843, domain,stormpredictor.host,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
domain,syncapp.host,UAC-0020 group,hxxps://cert.gov.ua/article/37844, domain,syncapp.host,UAC-0020 group,hxxps://cert.gov.ua/article/37815,
URL,hxxp://45.95.11.34:88/get.php,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:88/get.php,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
FileHash-MD5,03f12262a2846ebbce989aca5cec74a7,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, FileHash-MD5,03f12262a2846ebbce989aca5cec74a7,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
FileHash-MD5,5fb6202b8273a6a4cda73cee3f88ce1a,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, FileHash-MD5,5fb6202b8273a6a4cda73cee3f88ce1a,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
@ -95,3 +95,57 @@ IPv4,45.95.11.34,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:3000/test,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:3000/test,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:88/_[A-Z0-9],UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:88/_[A-Z0-9],UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:88/get.php?a=We4Qu6,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:88/get.php?a=We4Qu6,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
FileHash-MD5,36dc2a5bab2665c88ce407d270954d04,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,7d20fa01a703afa8907e50417d27b0a4,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,989c5de8ce5ca07cc2903098031c7134,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,b4f0ca61ab0c55a542f32bd4e66a7dc2,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
URL,hxxps://product2020.mrbasic.com:8080,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
hostname,product2020.mrbasic[.]com,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,13612c99a38b2b07575688c9758b72cc,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,1aba36f72685c12e60fb0922b606417c,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,1af894a5f23713b557c23078809ed01c,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,3293ba0e2eaefbe5a7c3d26d0752326e,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,4fb630f9c5422271bdd4deb94a1e74f4,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,9c22548f843221cc35de96d475148ecf,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
URL,hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxp://ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxps://ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,1365b82e7da0968e97c095d8bd9166dd,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,18e73cc3d5eda742530ba3fef59e3943,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,3303286735a07ae5d14db9c12843d44e,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,4a78df33d4f987103dc0c0f3a302b8cb,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,b5525108912ee8d5f1519f1b552723e8,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,b724ff750dff495e6634ddf0f1263844,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,bcdab4ae622811f699765bfb9cb909d2,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,e4b54ee2f0068762179e7e514d90bf16,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,7cf3f758b2abb303dec89736dfd55c38309a21aec2d83d3d4e590f9538fc5f15,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,c14fce93183dc4173be02b2a48d1ed06b43656c7b6d5a290d9948b6947df9033,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
domain,dhdhk0k34[.]com,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
domain,hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
hostname,ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
hostname,webdavml07[.]bplaced[.]net,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-MD5,55cafceba527c3e68852b1af071929c0,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-MD5,5d29da2285390164a0a7d80e6ed23da7,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-MD5,878c30bdefb1b76ea10823a6d5a32f89,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-MD5,eda76ae28628c64d9e12a86adef6dc69,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-SHA256,13eaa638d071e7dc124cf982b8777c6ef50a3d9dc8c57d22d23abe1bae5560f5,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-SHA256,78b492e211e91b1ef9a4bcd5ba80c9572545d5f3f63d3071e3253dcec3a5d97c,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-SHA256,bab351b5f19ecaa24eaa438dd93decd5587e0b441fc43b78893ca2e207b2cb2f,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,
FileHash-SHA256,c50972c11ffd1da9e0ed670b99296f75ec52933699790285d050c0654c21fda3,UAC-0010 (Gamaredon),hxxps://cert.gov.ua/article/38371,

1 Type Indicator Context Source
22 Domain consumerspanel[.]frge.io Phishing page targeting Ukraine hxxps://www.facebook[.]com/UACERT/posts/317482093744389
23 MD5 65237e705e842da0a891c222e57fe095 microbackdoor.dll (MicroBackdoor) hxxps://cert.gov.ua/article/37626
24 URL hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe UAC-0056 group hxxps://cert.gov.ua/article/37704
25 URL hxxps://cdn.discordapp.com/attachments/947916997713358890/949948174838165524/dropper.exe UAC-0056 group hxxps://cert.gov.ua/article/37705 hxxps://cert.gov.ua/article/37704
26 URL hxxps://cdn.discordapp.com/attachments/947916997713358890/949978571680673802/cesdf.exe UAC-0056 group hxxps://cert.gov.ua/article/37706 hxxps://cert.gov.ua/article/37704
27 IPv4 156.146.50.5 UAC-0056 group hxxps://cert.gov.ua/article/37707 hxxps://cert.gov.ua/article/37704
28 MD5 15c525b74b7251cfa1f7c471975f3f95 (Go downloader) UAC-0056 group hxxps://cert.gov.ua/article/37708
29 MD5 2fdf9f3a25e039a41e743e19550d4040 (Discord downloader) UAC-0056 group hxxps://cert.gov.ua/article/37709 hxxps://cert.gov.ua/article/37708
30 MD5 4f11abdb96be36e3806bada5b8b2b8f8 (GrimPlant) UAC-0056 group hxxps://cert.gov.ua/article/37710 hxxps://cert.gov.ua/article/37708
31 MD5 9ad4a2dfd4cb49ef55f2acd320659b83 (Discord downloader) UAC-0056 group hxxps://cert.gov.ua/article/37711 hxxps://cert.gov.ua/article/37708
32 MD5 9ea3aaaeb15a074cd617ee1dfdda2c26 (GraphSteel) UAC-0056 group hxxps://cert.gov.ua/article/37712 hxxps://cert.gov.ua/article/37708
33 MD5 aa5e8268e741346c76ebfd1f27941a14 (Cobalt Strike Beacon) UAC-0056 group hxxps://cert.gov.ua/article/37713 hxxps://cert.gov.ua/article/37708
34 MD5 b8b7a10dcc0dad157191620b5d4e5312 UAC-0056 group hxxps://cert.gov.ua/article/37714 hxxps://cert.gov.ua/article/377108
35 MD5 c8bf238641621212901517570e96fae7 (Go downloader) UAC-0056 group hxxps://cert.gov.ua/article/37715 hxxps://cert.gov.ua/article/37708
36 MD5 ca9290709843584aecbd6564fb978bd6 (bait document) UAC-0056 group hxxps://cert.gov.ua/article/37716 hxxps://cert.gov.ua/article/37708
37 MD5 cf204319f7397a6a31ecf76c9531a549 (bait document) UAC-0056 group hxxps://cert.gov.ua/article/37717 hxxps://cert.gov.ua/article/37708
38 IPv4 45.84.0.116 UAC-0056 group hxxps://cert.gov.ua/article/37718 hxxps://cert.gov.ua/article/37708
39 URL hxxp://45.84.0.116:443/c UAC-0056 group hxxps://cert.gov.ua/article/37719 hxxps://cert.gov.ua/article/37708
40 URL hxxp://45.84.0.116:443/i UAC-0056 group hxxps://cert.gov.ua/article/37720 hxxps://cert.gov.ua/article/37708
41 URL hxxp://45.84.0.116:443/m UAC-0056 group hxxps://cert.gov.ua/article/37721 hxxps://cert.gov.ua/article/37708
42 URL hxxp://45.84.0.116:443/p UAC-0056 group hxxps://cert.gov.ua/article/37722 hxxps://cert.gov.ua/article/37708
43 URL hxxps://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe UAC-0056 group hxxps://cert.gov.ua/article/37723 hxxps://cert.gov.ua/article/37708
44 URL hxxps://forkscenter.fr/Sdghrt_umrj6/wisw.exe UAC-0056 group hxxps://cert.gov.ua/article/37724 hxxps://cert.gov.ua/article/37708
45 URL hxxps://nirsoft.me/nEDFzTtoCbUfp9BtSZlaq6ql8v6yYb/avp/amznussraps/ UAC-0056 group hxxps://cert.gov.ua/article/37725 hxxps://cert.gov.ua/article/37708
46 URL hxxps://nirsoft.me/s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/ UAC-0056 group hxxps://cert.gov.ua/article/37726 hxxps://cert.gov.ua/article/37708
47 domain forkscenter.fr UAC-0056 group hxxps://cert.gov.ua/article/37727 hxxps://cert.gov.ua/article/37708
48 domain nirsoft.me UAC-0056 group hxxps://cert.gov.ua/article/37728 hxxps://cert.gov.ua/article/37708
49 URL hxxps://tinyurl[.]com/2p8kpb9v UAC-0028 group hxxps://cert.gov.ua/article/37788
50 Hostname panelunregistertle-348.frge[.]io UAC-0028 group hxxps://cert.gov.ua/article/37788
51 Hostname eo9p1d2bfmioiot.m.pipedream[.]net UAC-0028 group hxxps://cert.gov.ua/article/37788
52 Hostname eoiw8lhjwuc3sh2.m.pipedream[.]net UAC-0028 group hxxps://cert.gov.ua/article/37788
53 MD5 00a54a6496734d87dab6685aa90588f8 UAC-0020 group hxxps://cert.gov.ua/article/37818
54 MD5 1c2c41a5a5f89eccafea6e34183d5db9 UAC-0020 group hxxps://cert.gov.ua/article/37819 hxxps://cert.gov.ua/article/37818
55 MD5 32343f2a6b8ac9b6587e2e07989362ab UAC-0020 group hxxps://cert.gov.ua/article/37820 hxxps://cert.gov.ua/article/37818
56 MD5 3ed8263abe009c19c4af8706d52060f8 UAC-0020 group hxxps://cert.gov.ua/article/37821 hxxps://cert.gov.ua/article/37818
57 MD5 5db4313b8dbb9204f8f98f2c129fd734 UAC-0020 group hxxps://cert.gov.ua/article/37822 hxxps://cert.gov.ua/article/37818
58 MD5 67274bdd5c9537affbd51567f4ba8d5f UAC-0020 group hxxps://cert.gov.ua/article/37823 hxxps://cert.gov.ua/article/37818
59 MD5 75e1ce42e0892ed04a43e3b68afdbc07 UAC-0020 group hxxps://cert.gov.ua/article/37824 hxxps://cert.gov.ua/article/37818
60 MD5 993415425b61183dd3f900d9b81ac57f UAC-0020 group hxxps://cert.gov.ua/article/37825 hxxps://cert.gov.ua/article/37818
61 MD5 adebdc32ef35209fb142d44050928083 UAC-0020 group hxxps://cert.gov.ua/article/37826 hxxps://cert.gov.ua/article/37818
62 MD5 baf502b4b823b6806cc91e2c1dd07613 UAC-0020 group hxxps://cert.gov.ua/article/37827 hxxps://cert.gov.ua/article/37818
63 MD5 d0632ef34514bbb0f675c59e6ecca717 UAC-0020 group hxxps://cert.gov.ua/article/37828 hxxps://cert.gov.ua/article/37818
64 MD5 d34dbbd28775b2c3a0b55d86d418f293 UAC-0020 group hxxps://cert.gov.ua/article/37829 hxxps://cert.gov.ua/article/37818
65 MD5 e08d7c4daa45beca5079870251e50236 UAC-0020 group hxxps://cert.gov.ua/article/37830 hxxps://cert.gov.ua/article/37818
66 MD5 ecc7bb2e4672b958bd82fe9ec9cfab14 UAC-0020 group hxxps://cert.gov.ua/article/37831 hxxps://cert.gov.ua/article/37818
67 MD5 f0197bbb56465b5e2f1f17876c0da5ba UAC-0020 group hxxps://cert.gov.ua/article/37832 hxxps://cert.gov.ua/article/37818
68 IPv4 176.119.2.212 UAC-0020 group hxxps://cert.gov.ua/article/37817 hxxps://cert.gov.ua/article/37815
69 IPv4 176.119.2.214 UAC-0020 group hxxps://cert.gov.ua/article/37833 hxxps://cert.gov.ua/article/37815
70 IPv4 176.119.5.194 UAC-0020 group hxxps://cert.gov.ua/article/37834 hxxps://cert.gov.ua/article/37815
71 IPv4 176.119.5.195 UAC-0020 group hxxps://cert.gov.ua/article/37835 hxxps://cert.gov.ua/article/37815
72 URL http://176.119.2.212/web/t/data.out UAC-0020 group hxxps://cert.gov.ua/article/37836 hxxps://cert.gov.ua/article/37815
73 URL http://176.119.5.195/k9otb49xq UAC-0020 group hxxps://cert.gov.ua/article/37816 hxxps://cert.gov.ua/article/37815
74 URL http://getmod.host/DSGb3Y3X UAC-0020 group hxxps://cert.gov.ua/article/37837 hxxps://cert.gov.ua/article/37815
75 URL http://getmod.host/OcthdaLm UAC-0020 group hxxps://cert.gov.ua/article/37838 hxxps://cert.gov.ua/article/37815
76 URL http://getmod.host/ThlAHy3S UAC-0020 group hxxps://cert.gov.ua/article/37839 hxxps://cert.gov.ua/article/37815
77 URL http://getmod.host/25s2mh UAC-0020 group hxxps://cert.gov.ua/article/37815
78 domain getmod.host UAC-0020 group hxxps://cert.gov.ua/article/37840 hxxps://cert.gov.ua/article/37815
79 domain meteolink.host UAC-0020 group hxxps://cert.gov.ua/article/37841 hxxps://cert.gov.ua/article/37815
80 domain netbin.host UAC-0020 group hxxps://cert.gov.ua/article/37842 hxxps://cert.gov.ua/article/37815
81 domain stormpredictor.host UAC-0020 group hxxps://cert.gov.ua/article/37843 hxxps://cert.gov.ua/article/37815
82 domain syncapp.host UAC-0020 group hxxps://cert.gov.ua/article/37844 hxxps://cert.gov.ua/article/37815
83 URL hxxp://45.95.11.34:88/get.php UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
84 FileHash-MD5 03f12262a2846ebbce989aca5cec74a7 UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
85 FileHash-MD5 5fb6202b8273a6a4cda73cee3f88ce1a UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
95 URL hxxp://45.95.11.34:3000/test UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
96 URL hxxp://45.95.11.34:88/_[A-Z0-9] UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
97 URL hxxp://45.95.11.34:88/get.php?a=We4Qu6 UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
98 FileHash-MD5 36dc2a5bab2665c88ce407d270954d04 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
99 FileHash-MD5 7d20fa01a703afa8907e50417d27b0a4 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
100 FileHash-MD5 989c5de8ce5ca07cc2903098031c7134 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
101 FileHash-MD5 b4f0ca61ab0c55a542f32bd4e66a7dc2 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
102 FileHash-SHA256 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
103 FileHash-SHA256 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
104 FileHash-SHA256 8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
105 FileHash-SHA256 d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
106 URL hxxps://product2020.mrbasic.com:8080 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
107 hostname product2020.mrbasic[.]com UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
108 FileHash-MD5 13612c99a38b2b07575688c9758b72cc UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
109 FileHash-MD5 1aba36f72685c12e60fb0922b606417c UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
110 FileHash-MD5 1af894a5f23713b557c23078809ed01c UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
111 FileHash-MD5 3293ba0e2eaefbe5a7c3d26d0752326e UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
112 FileHash-MD5 4fb630f9c5422271bdd4deb94a1e74f4 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
113 FileHash-MD5 9c22548f843221cc35de96d475148ecf UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
114 FileHash-SHA256 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
115 FileHash-SHA256 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
116 FileHash-SHA256 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
117 FileHash-SHA256 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
118 FileHash-SHA256 a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
119 FileHash-SHA256 c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
120 URL hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
121 URL hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
122 URL hxxp://ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
123 URL hxxps://ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
124 FileHash-MD5 1365b82e7da0968e97c095d8bd9166dd UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
125 FileHash-MD5 18e73cc3d5eda742530ba3fef59e3943 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
126 FileHash-MD5 3303286735a07ae5d14db9c12843d44e UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
127 FileHash-MD5 4a78df33d4f987103dc0c0f3a302b8cb UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
128 FileHash-MD5 b5525108912ee8d5f1519f1b552723e8 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
129 FileHash-MD5 b724ff750dff495e6634ddf0f1263844 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
130 FileHash-MD5 bcdab4ae622811f699765bfb9cb909d2 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
131 FileHash-MD5 e4b54ee2f0068762179e7e514d90bf16 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
132 FileHash-SHA256 37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
133 FileHash-SHA256 59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
134 FileHash-SHA256 6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
135 FileHash-SHA256 7cf3f758b2abb303dec89736dfd55c38309a21aec2d83d3d4e590f9538fc5f15 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
136 FileHash-SHA256 c14fce93183dc4173be02b2a48d1ed06b43656c7b6d5a290d9948b6947df9033 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
137 FileHash-SHA256 d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
138 FileHash-SHA256 f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
139 FileHash-SHA256 fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
140 domain dhdhk0k34[.]com UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
141 domain hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
142 hostname ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
143 hostname webdavml07[.]bplaced[.]net UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
144 FileHash-MD5 55cafceba527c3e68852b1af071929c0 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
145 FileHash-MD5 5d29da2285390164a0a7d80e6ed23da7 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
146 FileHash-MD5 878c30bdefb1b76ea10823a6d5a32f89 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
147 FileHash-MD5 eda76ae28628c64d9e12a86adef6dc69 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
148 FileHash-SHA256 13eaa638d071e7dc124cf982b8777c6ef50a3d9dc8c57d22d23abe1bae5560f5 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
149 FileHash-SHA256 78b492e211e91b1ef9a4bcd5ba80c9572545d5f3f63d3071e3253dcec3a5d97c UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
150 FileHash-SHA256 bab351b5f19ecaa24eaa438dd93decd5587e0b441fc43b78893ca2e207b2cb2f UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
151 FileHash-SHA256 c50972c11ffd1da9e0ed670b99296f75ec52933699790285d050c0654c21fda3 UAC-0010 (Gamaredon) hxxps://cert.gov.ua/article/38371
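Review bot: The new-side Source for the `MD5,b8b7a10dcc0dad157191620b5d4e5312` row in the first hunk (`@ -22,64 +22,64 @@`) reads `hxxps://cert.gov.ua/article/377108`, a six-digit id, while every other UAC-0056 row in the same batch is normalised to `hxxps://cert.gov.ua/article/37708`; this looks like a typo introduced by the bulk edit and the line should be `MD5,b8b7a10dcc0dad157191620b5d4e5312,UAC-0056 group,hxxps://cert.gov.ua/article/37708,`. The same file mixes `Domain`/`domain`, `Hostname`/`hostname` and `MD5`/`FileHash-MD5` in the Type column, and the UAC-0020 rows for 176.119.x.x and getmod.host keep live `http://` while the surrounding rows are defanged with `hxxp://`, so any consumer that keys on Type or auto-links URLs will treat these rows differently from their neighbours. The second hunk (`@ -95,3 +95,57 @@`) appends its rows with `FileHash-MD5`/`FileHash-SHA256` and lowercase `hostname`, which widens that inconsistency; a small check on the CSV (fixed Type vocabulary, every URL/domain defanged, Source ids of the expected length) would have caught both issues before merge.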


@ -2180,3 +2180,48 @@ IPv4,45.95.11.34,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:3000/test,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:3000/test,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:88/_[A-Z0-9],UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:88/_[A-Z0-9],UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
URL,hxxp://45.95.11.34:88/get.php?a=We4Qu6,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829, URL,hxxp://45.95.11.34:88/get.php?a=We4Qu6,UAC-0035 (InvisiMole),hxxps://cert.gov.ua/article/37829,
FileHash-MD5,36dc2a5bab2665c88ce407d270954d04,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,7d20fa01a703afa8907e50417d27b0a4,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,989c5de8ce5ca07cc2903098031c7134,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-MD5,b4f0ca61ab0c55a542f32bd4e66a7dc2,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
FileHash-SHA256,d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53,UAC-0088 DoubleZero,hxxps://cert.gov.ua/article/38088,
URL,hxxps://product2020.mrbasic.com:8080,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
hostname,product2020.mrbasic[.]com,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,13612c99a38b2b07575688c9758b72cc,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,1aba36f72685c12e60fb0922b606417c,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,1af894a5f23713b557c23078809ed01c,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,3293ba0e2eaefbe5a7c3d26d0752326e,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,4fb630f9c5422271bdd4deb94a1e74f4,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-MD5,9c22548f843221cc35de96d475148ecf,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
FileHash-SHA256,c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,
URL,hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxp://ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
URL,hxxps://ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,1365b82e7da0968e97c095d8bd9166dd,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,18e73cc3d5eda742530ba3fef59e3943,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,3303286735a07ae5d14db9c12843d44e,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,4a78df33d4f987103dc0c0f3a302b8cb,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,b5525108912ee8d5f1519f1b552723e8,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,b724ff750dff495e6634ddf0f1263844,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,bcdab4ae622811f699765bfb9cb909d2,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-MD5,e4b54ee2f0068762179e7e514d90bf16,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,7cf3f758b2abb303dec89736dfd55c38309a21aec2d83d3d4e590f9538fc5f15,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,c14fce93183dc4173be02b2a48d1ed06b43656c7b6d5a290d9948b6947df9033,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
FileHash-SHA256,fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
domain,dhdhk0k34[.]com,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
domain,hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,
hostname,ao3[.]hmgo[.]pw,UAC-0051 (UNC1151),hxxps://cert.gov.ua/article/38155,

1 Type Indicator Context Source
2180 URL hxxp://45.95.11.34:3000/test UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
2181 URL hxxp://45.95.11.34:88/_[A-Z0-9] UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
2182 URL hxxp://45.95.11.34:88/get.php?a=We4Qu6 UAC-0035 (InvisiMole) hxxps://cert.gov.ua/article/37829
2183 FileHash-MD5 36dc2a5bab2665c88ce407d270954d04 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2184 FileHash-MD5 7d20fa01a703afa8907e50417d27b0a4 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2185 FileHash-MD5 989c5de8ce5ca07cc2903098031c7134 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2186 FileHash-MD5 b4f0ca61ab0c55a542f32bd4e66a7dc2 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2187 FileHash-SHA256 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2188 FileHash-SHA256 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2189 FileHash-SHA256 8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2190 FileHash-SHA256 d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53 UAC-0088 DoubleZero hxxps://cert.gov.ua/article/38088
2191 URL hxxps://product2020.mrbasic.com:8080 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2192 hostname product2020.mrbasic[.]com UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2193 FileHash-MD5 13612c99a38b2b07575688c9758b72cc UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2194 FileHash-MD5 1aba36f72685c12e60fb0922b606417c UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2195 FileHash-MD5 1af894a5f23713b557c23078809ed01c UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2196 FileHash-MD5 3293ba0e2eaefbe5a7c3d26d0752326e UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2197 FileHash-MD5 4fb630f9c5422271bdd4deb94a1e74f4 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2198 FileHash-MD5 9c22548f843221cc35de96d475148ecf UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2199 FileHash-SHA256 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2200 FileHash-SHA256 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2201 FileHash-SHA256 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2202 FileHash-SHA256 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2203 FileHash-SHA256 a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2204 FileHash-SHA256 c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69 UAC-0026 HeaderTip hxxps://cert.gov.ua/article/38097
2205 URL hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2206 URL hxxp://ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2207 URL hxxp://ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2208 URL hxxps://ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2209 FileHash-MD5 1365b82e7da0968e97c095d8bd9166dd UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2210 FileHash-MD5 18e73cc3d5eda742530ba3fef59e3943 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2211 FileHash-MD5 3303286735a07ae5d14db9c12843d44e UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2212 FileHash-MD5 4a78df33d4f987103dc0c0f3a302b8cb UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2213 FileHash-MD5 b5525108912ee8d5f1519f1b552723e8 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2214 FileHash-MD5 b724ff750dff495e6634ddf0f1263844 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2215 FileHash-MD5 bcdab4ae622811f699765bfb9cb909d2 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2216 FileHash-MD5 e4b54ee2f0068762179e7e514d90bf16 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2217 FileHash-SHA256 37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2218 FileHash-SHA256 59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2219 FileHash-SHA256 6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2220 FileHash-SHA256 7cf3f758b2abb303dec89736dfd55c38309a21aec2d83d3d4e590f9538fc5f15 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2221 FileHash-SHA256 c14fce93183dc4173be02b2a48d1ed06b43656c7b6d5a290d9948b6947df9033 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2222 FileHash-SHA256 d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2223 FileHash-SHA256 f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2224 FileHash-SHA256 fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4 UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2225 domain dhdhk0k34[.]com UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2226 domain hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
2227 hostname ao3[.]hmgo[.]pw UAC-0051 (UNC1151) hxxps://cert.gov.ua/article/38155
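Review bot: The HeaderTip URL row `URL,hxxps://product2020.mrbasic.com:8080,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,` leaves the domain's dot live, while the hostname row directly under it is written `product2020.mrbasic[.]com` and the UAC-0051 URL rows in the same hunk use `ao3[.]hmgo[.]pw`, so one indicator is defanged two different ways. The un-bracketed form is the one a viewer or chat client is most likely to turn into a clickable link, and a consumer that re-fangs by replacing `[.]` will treat the two rows differently. Suggest `URL,hxxps://product2020.mrbasic[.]com:8080,UAC-0026 HeaderTip,hxxps://cert.gov.ua/article/38097,`. The pre-existing IPv4-based URLs in the context lines are scheme-defanged only, so if that is the intended convention for URL rows it is worth stating once in the README rather than leaving the file mixed.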


@ -1,11 +1,11 @@
![logo](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ci-logo.png) ![logo](ci-logo.png)
# Ukraine-Cyber-Operations # Ukraine-Cyber-Operations
Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. ([Blog](https://www.curatedintel.org/2021/08/welcome.html) | [Twitter](https://twitter.com/CuratedIntel) | [LinkedIn](https://www.linkedin.com/company/curatedintelligence/)) Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. ([Blog](https://www.curatedintel.org/2021/08/welcome.html) | [Twitter](https://twitter.com/CuratedIntel) | [LinkedIn](https://www.linkedin.com/company/curatedintelligence/))
![timeline](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/UkraineTimelineUpdated.png) ![timeline](UkraineTimelineUpdated.png)
![cyberwar](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/Russia-Ukraine%20Cyberwar.png) ![cyberwar](Russia-Ukraine%20Cyberwar.png)
### Analyst Comments: ### Analyst Comments:
@ -68,9 +68,30 @@ Curated Intelligence is working with analysts from around the world to provide u
- A new CSV for CERT-UA IOCs specifically has been created - see [here](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ETAC_IOCs/CERT-UA_IOCs.csv) - A new CSV for CERT-UA IOCs specifically has been created - see [here](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ETAC_IOCs/CERT-UA_IOCs.csv)
- 2022-03-19 - 2022-03-19
- Additional Threat Reports have been added - Additional Threat Reports have been added
- Additional IOCs have been added to the master CSV file - Additional IOCs have been added
- 2022-03-20 - 2022-03-20
- Additional YARA rules have been added (h/t [Arkbird_SOLG](https://twitter.com/Arkbird_SOLG)) - Additional YARA rules have been added (h/t [Arkbird_SOLG](https://twitter.com/Arkbird_SOLG))
- 2022-03-21
- An Additional Threat Report has been added
- Additional YARA rules have been added
- 2022-03-23
- Additional Threat Reports have been added
- Additional IOCs have been added
- 2022-03-25
- Additional Threat Reports have been added
- Additional IOCs have been added
- 2022-03-28
- Additional Threat Reports have been added
- Additional IOCs have been added
- 2022-03-30
- Additional Threat Reports have been added
- Additional YARA rules have been added
- 2022-04-01
- Additional Threat Reports have been added
- Additional Vendor Support have been added
- 2022-04-04
- Additional Threat Reports have been added
- Additional YARA rules have been added
#### `Threat Reports` #### `Threat Reports`
| Date | Source | Threat(s) | URL | | Date | Source | Threat(s) | URL |
@ -156,6 +177,7 @@ Curated Intelligence is working with analysts from around the world to provide u
| 7 MAR | CERT-UA | UAC-0051 (aka UNC1151), MicroBackdoor, CVE-2019-0541 | [cert.gov.ua](https://cert.gov.ua/article/37626) | | 7 MAR | CERT-UA | UAC-0051 (aka UNC1151), MicroBackdoor, CVE-2019-0541 | [cert.gov.ua](https://cert.gov.ua/article/37626) |
| 8 MAR | Cluster25 | UNC1151/Ghostwriter (Belarus MoD) | [cluster25.io](https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/) | | 8 MAR | Cluster25 | UNC1151/Ghostwriter (Belarus MoD) | [cluster25.io](https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/) |
| 8 MAR | Trend Micro | RURansom - a data wiper targeting Russian organizations | [trendmicro.com](https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html) | | 8 MAR | Trend Micro | RURansom - a data wiper targeting Russian organizations | [trendmicro.com](https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html) |
| 9 MAR | ReversingLabs | HermeticWiper and IsaacWiper | [blog.reversinglabs.com](https://blog.reversinglabs.com/blog/wiper-malware-targeting-ukraine-evidence-of-planning-and-haste) |
| 11 MAR | CERT-UA | UAC-0056 (aka Lorec53, EmberBear) push fake antivirus updates containing Cobalt Strike Beacons, GrimImplant, and GraphSteel malspam against state authorities of Ukraine | [cert.gov.ua](https://cert.gov.ua/article/37704) | | 11 MAR | CERT-UA | UAC-0056 (aka Lorec53, EmberBear) push fake antivirus updates containing Cobalt Strike Beacons, GrimImplant, and GraphSteel malspam against state authorities of Ukraine | [cert.gov.ua](https://cert.gov.ua/article/37704) |
| 11 MAR | Infosec Magazine | pro-Ukrainian actors should be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware | [infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/ukrainian-it-army-hijacked-malware/) | | 11 MAR | Infosec Magazine | pro-Ukrainian actors should be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware | [infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/ukrainian-it-army-hijacked-malware/) |
| 11 MAR | @cyberknow20 | "Xahnet" shared a video they allegedly left a message and defaced the main page of Ukraine's capital bank [unvalidated] | [twitter.com/cyberknow20](https://twitter.com/cyberknow20/status/1502166591466659840?s=21) | | 11 MAR | @cyberknow20 | "Xahnet" shared a video they allegedly left a message and defaced the main page of Ukraine's capital bank [unvalidated] | [twitter.com/cyberknow20](https://twitter.com/cyberknow20/status/1502166591466659840?s=21) |
@ -168,6 +190,33 @@ Curated Intelligence is working with analysts from around the world to provide u
| 16 MAR | CERT-UA | QR code phishing posing as UKR.NET linked to UAC-0028 group (APT28/FancyBear/GRU) | [cert.gov.ua](https://cert.gov.ua/article/37788) | | 16 MAR | CERT-UA | QR code phishing posing as UKR.NET linked to UAC-0028 group (APT28/FancyBear/GRU) | [cert.gov.ua](https://cert.gov.ua/article/37788) |
| 17 MAR | CERT-UA | UAC-0020 (Vermin) cyberattack on Ukrainian state organizations using the SPECTR malware, whose activities are associated with the so-called security agencies of the so-called "Luhansk People's Republic" | [cert.gov.ua](https://cert.gov.ua/article/37815) | | 17 MAR | CERT-UA | UAC-0020 (Vermin) cyberattack on Ukrainian state organizations using the SPECTR malware, whose activities are associated with the so-called security agencies of the so-called "Luhansk People's Republic" | [cert.gov.ua](https://cert.gov.ua/article/37815) |
| 18 MAR | CERT-UA | UAC-0035 (InvisiMole) cyberattack on State Organizations of Ukraine | [cert.gov.ua](https://cert.gov.ua/article/37829) | | 18 MAR | CERT-UA | UAC-0035 (InvisiMole) cyberattack on State Organizations of Ukraine | [cert.gov.ua](https://cert.gov.ua/article/37829) |
| 22 MAR | CERT-UA | UAC-0088 deploys DoubleZero wiper | [cert.gov.ua](https://cert.gov.ua/article/38088) |
| 22 MAR | CERT-UA | UAC-0026 cyberattack using HeaderTip malware, linked to [Scarab APT](https://twitter.com/aRtAGGI/status/1506010831221248002) | [cert.gov.ua](https://cert.gov.ua/article/38097) |
| 23 MAR | Interfax UA | Datagroup, a provider of fiber-optic infrastructure and digital services, resolved more than 350 DDoS attacks on the country's telecommunications network during the month of the war. The largest attack was 103.6 Gbps, 28.0 Mpps; the most powerful attack was 27.6 Gbps, 43.0 Mpps; the longest attack was 24 days. | [interfax.com.ua](https://en.interfax.com.ua/news/telecom/817143.html) |
| 23 MAR | BalkanInsight | Croatian police are probing the hacking of the Slobodna Dalmacija website, where hackers replaced content with pro-Russian articles on Ukraine. “Western Deception Machine”, “Which Side Are You On?”, and “The United States of America Admitted They Have Hidden Laboratories in Ukraine”, are just some of the fake articles that the hackers posted online. | [balkaninsight.com](https://balkaninsight.com/2022/03/23/hackers-attack-croatian-daily-post-kremlin-propaganda/) |
| 23 MAR | CERT-UA | UAC-0051 group (UNC1151/GhostWriter), Cobalt Strike Beacons | [cert.gov.ua](https://cert.gov.ua/article/38155) |
| 24 MAR | SentinelOne | Ukraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab. Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip. | [sentinelone.com](https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/) |
| 24 MAR | Lab52 | Quasar RAT spear-phishing campaign | [lab52.io](https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/) |
| 25 MAR | SSSCIP Ukraine | Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 | [cip.gov.ua](https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya) |
| 25 MAR | SSSCIP Ukraine | Statistics of Cyber Attacks on Ukrainian Critical Information Infrastructure: 15-22 March | [cip.gov.ua](https://cip.gov.ua/en/news/statistika-kiberatak-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-15-22-bereznya) |
| 26 MAR | @_n0p_ | Analysis of a Caddy Wiper Sample | [n0p.me](https://n0p.me/2022/03/2022-03-26-caddywiper/) |
| 28 MAR | CERT-UA | Cyberattack on Ukrainian state authorities using pseudoSteel malware linked to UAC-0010 (Armageddon/Gamaredon) | [cert.gov.ua](https://cert.gov.ua/article/38371) |
| 28 MAR | Cyber, etc | Ukraine's largest fix-line telecommunications operator hit by cyber attack | [Cyber, etc](https://twitter.com/cyber_etc/status/1508498145831010315) |
| 28 MAR | SSSCIP Ukraine | Cyberattack against Ukrtelecom IT-infrastructure and recovery | [twitter.com/ dsszzi](https://twitter.com/dsszzi/status/1508528209075257347) |
| 28 MAR | CERT-UA | GraphSteel and GrimPlant, UAC-0056 | [cert.gov.ua](https://cert.gov.ua/article/38374) |
| 29 MAR | Newsweek | U.S. Airport hit with Cyberattack over Ukraine | [Newsweek](https://www.newsweek.com/us-airport-hit-cyberattack-over-ukraine-no-one-afraid-you-1692903) |
| 29 MAR | ZDnet | The Security Service of Ukraine (SBU) has destroyed five "enemy" bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia's invasion of Ukraine | [zdnet.com](https://www.zdnet.com/article/ukraine-takes-out-five-bot-farms-spreading-panic-among-citizens/) |
| 30 MAR | Viasat | Viasat is providing an overview and incident report on the cyber-attack against the KA-SAT network, which occurred on 24 February 2022, and resulted in a partial interruption of KA-SAT's consumer-oriented satellite broadband service. | [viasat.com](https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/) |
| 30 MAR | CrowdStrike | EMBER BEAR (aka UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) | [crowdstrike.com](https://www.crowdstrike.com/blog/who-is-ember-bear/) |
| 30 MAR | CERT-UA | MarsStealer, UAC-0041 | [cert.gov.ua](https://cert.gov.ua/article/38606) |
| 30 MAR | Google TAG | Curious Gorge (APT from China), COLDRIVER (APT from Russia), Ghostwriter (APT from Belarus) | [blog.google](https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/) |
| 30 MAR | Viasat | KA-SAT Network cyber attack overview | [viasat.com](https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/) |
| 30 MAR | InQuest | CloudAtlas APT group linked to a maldoc impersonating the United States Securities and Exchange Commission | [inquest.net](https://inquest.net/blog/2022/03/30/cloud-atlas-maldoc) |
| 31 MAR | ReverseMode | VIASAT incident: from speculation to technical details | [reversemode.com](https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html) |
| 31 MAR | SentinelLabs | [AcidRain](https://bazaar.abuse.ch/sample/9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a/) IoT Wiper (ELF MIPS), connected to the [VPNFilter](https://bazaar.abuse.ch/sample/47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6/) stage 3 destructive plugin | [sentinelone.com](https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/) |
| 1 APR | Malwarebytes | UAC-0056 (aka SaintBear, UNC2589 and TA471) is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia | [blog.malwarebytes.com](https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/) |
| 3 APR | me | Low-detect BlackGuard infostealer uploaded to AnyRun from Ukraine | [twitter.com/BushidoToken](https://twitter.com/BushidoToken/status/1510619652946378754) |
| 4 APR | CERT-UA | UAC-0010 (Armageddon) cyberattack on Ukrainian state organizations, phishing w/ RAR -> HTA -> VBS | [cert.gov.ua](https://cert.gov.ua/article/39138) |
#### `Access Brokers` #### `Access Brokers`
| Date | Threat(s) | Source | | Date | Threat(s) | Source |
@ -290,7 +339,8 @@ Curated Intelligence is working with analysts from around the world to provide u
| Avast | Free decryptor for PartyTicket ransomware | [decoded.avast.io](https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/) | | Avast | Free decryptor for PartyTicket ransomware | [decoded.avast.io](https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/) |
| Recorded Future | Insikt Groups list of indicators of compromise associated with threat actors and malware related to the Russian cyber actions against Ukraine | [recordedfuture.com](https://www.recordedfuture.com/ukraine/) | | Recorded Future | Insikt Groups list of indicators of compromise associated with threat actors and malware related to the Russian cyber actions against Ukraine | [recordedfuture.com](https://www.recordedfuture.com/ukraine/) |
| CybelAngel | CybelAngel offers its services to interested NGOs active in the war at no cost, to minimize the risks of their missions being interrupted by cyber attacks. CybelAngel also offers Ukrainian companies an assessment of their digital exposure in the region at no charge. | [cybelangel.com](https://cybelangel.com/blog/message-on-ukraine/) | | CybelAngel | CybelAngel offers its services to interested NGOs active in the war at no cost, to minimize the risks of their missions being interrupted by cyber attacks. CybelAngel also offers Ukrainian companies an assessment of their digital exposure in the region at no charge. | [cybelangel.com](https://cybelangel.com/blog/message-on-ukraine/) |
| Malware Patrol | Free 6 months DNS Firewall service subscription for Ukraine-based companies and goverment entities | [www.linkedin.com](https://www.linkedin.com/feed/update/urn:li:activity:6903059206522712064/) | Malware Patrol | Free 6 months DNS Firewall service subscription for Ukraine-based companies and goverment entities | [www.linkedin.com](https://www.linkedin.com/feed/update/urn:li:activity:6903059206522712064/) |
| UnderDefense | UnderDefense is providing Managed Detection & Response services and incident repsonse support for Ukrainian critical infrastructure & government consulting in cybersecurity | [underdefense.com](https://underdefense.com/) |
#### `Vetted OSINT Sources` #### `Vetted OSINT Sources`
| Handle | Affiliation | | Handle | Affiliation |

23
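--- a/yara/MAL_Mars_Stealer_Apr_2022_1.yar
+++ b/yara/MAL_Mars_Stealer_Apr_2022_1.yar
@@ -0,0 +1,23 @@
+import "pe"
+rule MAL_Mars_Stealer_Apr_2022_1 : infostealer mars
+{
+meta:
+description = "Detect Mars infostealer (possible cracked version)"
+author = "Arkbird_SOLG"
+reference = "https://cert.gov.ua/article/38606"
+date = "2022-04-03"
+hash1 = "afa0662aa8eac0e607a9ffc85aa0bdfc570198dcb82dccdb40d0a459e12769dc"
+hash2 = "f67ff70f862cdcb001763c69e88434d335b185a216e2944698f20807df28bdf2"
+tlp = "white"
+adversary = "MAAS"
+strings:
+$s1 = { 8d 83 d1 01 00 00 50 e8 c4 ff ff ff 83 c4 04 50 8d 83 d1 01 00 00 50 8d 83 d1 02 00 00 50 ff d6 83 c4 0c 89 87 00 a8 01 00 8d 83 51 02 00 00 50 e8 9b ff ff ff 83 c4 04 50 8d 83 51 02 00 00 50 8d 83 d1 02 00 00 50 ff d6 83 c4 0c }
+$s2 = { 94 a1 d8 09 36 67 94 c5 f3 24 51 82 af df 0e 3d 6a 9b ca fa 27 58 85 b6 e3 15 42 73 a0 d1 fe 2e df 10 3d 6e 9b cc fa 2b 58 87 b6 e5 13 44 71 a2 cf 00 2e 5f 8c bd ea 1a 47 7a a5 d6 03 35 62 93 c0 f1 1e 4e 7d ac db 0c 3a 69 96 c7 f4 25 53 82 b1 e2 0f 3e 6c 9d ca fb 28 59 87 b8 e5 16 43 73 a0 d1 fe 2f 5c 8e bb ec 19 4a 77 a7 d4 05 32 63 91 c0 ef 1e 4d 7e ac db 0a 39 68 97 c5 f6 23 54 }
+$s3 = { 51 31 c0 8b 4c 24 08 8d 40 01 8d 49 01 80 39 00 75 f5 59 c3 60 64 a1 30 00 00 00 8b 40 0c }
+$s4 = { 27 71 79 69 6d 36 34 25 3e 00 46 57 49 4a 44 50 38 4e 56 54 34 30 32 51 43 58 59 56 33 59 37 42 30 42 33 5a 4b 00 05 6d 15 1d 2d 3e 5c 21 21 27 68 63 4b 22 37 3d 34 65 01 05 54 2f 54 6c 56 22 2e 00 55 4e 4b 00 68 74 74 70 00 00 00 00 68 74 74 70 73 00 00 00 32 30 30 00 68 74 74 70 73 3a 2f 2f }
+condition:
+uint16(0) == 0x5A4D and filesize > 40KB and all of ($s*) and
+for any section in pe.sections : ( section.name == "LLCPPC") //YARA 4.0 +
+// legacy version
+//for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == "LLCPPC")
+}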
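Review bot: The condition's `filesize > 40KB` gives the rule only a lower bound, so all four byte-sequence searches (including the 128-byte `$s2` table) run in full against every large PE a scanner meets, which is a common source of YARA scan timeouts on bulk jobs. The two referenced samples are pinned by `hash1`/`hash2`, so an upper bound can be taken from their sizes, e.g. `uint16(0) == 0x5A4D and filesize > 40KB and filesize < <UPPER_BOUND_TO_CONFIRM> and all of ($s*) and`. The same absence of any size bound applies to `Win32_Trojan_CaddyWiper` in yara/Win32.Trojan.CaddyWiper.yar in this commit, whose five long wildcard patterns are likewise unbounded, whereas `caddywiper.yara` already caps at `filesize < 100KB`. The trailing `//YARA 4.0 +` would be clearer as a comment above the condition such as `// 'for any section in pe.sections' needs YARA >= 4.0; the commented-out index loop below is the pre-4.0 form`.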

95
yara/Win32.Trojan.CaddyWiper.yar Обычный файл

@ -0,0 +1,95 @@
rule Win32_Trojan_CaddyWiper : tc_detection malicious
{
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "MALWARE"
malware = "CADDYWIPER"
description = "Yara rule that detects CaddyWiper trojan."
tc_detection_type = "Trojan"
tc_detection_name = "CaddyWiper"
tc_detection_factor = 5
strings:
$destroy_if_not_controller = {
50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 39 ?? 75 ?? EB ?? 8D 55 ?? 52 FF 55 ??
C6 45 ?? 43 C6 45 ?? 3A C6 45 ?? 5C C6 45 ?? 55 C6 45 ?? 73 C6 45 ?? 65 C6 45 ?? 72
C6 45 ?? 73 C6 45 ?? 00 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C6 45 ?? ??
C6 45 ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 4D ?? 83 C1 ?? 89 4D ?? 83 7D
?? ?? 73 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8A 45 ?? 04 ?? 88 45 ?? EB ?? E8 ??
?? ?? ?? 8B E5 5D C3
}
$erase_drive_data = {
C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D 4D ?? 89 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ??
6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 89 45 ?? 83
7D ?? ?? 74 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ??
?? 51 68 ?? ?? ?? ?? 8B 55 ?? 52 FF 55 ?? 8B 45 ?? 50 FF 55 ?? 8A 4D ?? 88 4D ?? 8A
55 ?? 80 EA ?? 88 55 ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 E9 ?? 89 8D ?? ?? ??
?? 85 C0 0F 85 ?? ?? ?? ?? 8B E5 5D C3
}
$erase_drives_recursively_1 = {
55 8B EC 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF C6 85 ?? ?? ?? ?? 2A C6 85
?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 5C C6 85 ?? ?? ?? ?? 00 8D 85 ?? ?? ?? ?? 50 8B 4D
?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ??
?? ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? 00 00 00 00
C6 85 ?? ?? ?? ?? 46 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 64
C6 85 ?? ?? ?? ?? 46 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 73
C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 46 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6C
C6 85 ?? ?? ?? ?? 65 C6 85 ?? ?? ?? ?? 41 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6B
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 65 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 72
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 65
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 33
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 32 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 2E
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C
C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 00
C6 85 ?? ?? ?? ?? 00 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8
}
$erase_drives_recursively_2_p1 = {
8D 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8D 95 ??
?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ??
?? ?? 75 ?? E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 E1 ?? 0F 84 ?? ?? ?? ?? 0F BE 95 ??
?? ?? ?? 83 FA ?? 75 ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 0F BE 8D ?? ?? ?? ?? 83 F9
?? 75 ?? E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 E2 ?? 75 ?? 8B 85 ?? ?? ?? ?? 83 E0 ??
74 ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ??
?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ??
?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52
E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 8D 95 ?? ??
?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8D 95 ??
?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85
}
$erase_drives_recursively_2_p2 = {
C0 75 ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D
?? ?? ?? ?? 51 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? E9 ??
?? ?? ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ??
?? ?? ?? 73 ?? E9 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 76 ?? C7 85 ?? ?? ?? ??
?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 6A ?? FF 95 ?? ?? ??
?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4
?? 6A ?? 6A ?? 6A ?? 8B 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ??
51 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 95 ?? ?? ?? ??
8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 55 ?? 8D 8D ?? ?? ??
?? 51 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ??
?? 50 FF 95 ?? ?? ?? ?? 8B E5 5D C3
}
condition:
uint16(0) == 0x5A4D and
(
$destroy_if_not_controller
) and
(
$erase_drive_data
) and
(
all of ($erase_drives_recursively_*)
)
}

21
yara/caddywiper.yara Обычный файл

@ -0,0 +1,21 @@
rule caddywiper {
meta:
author = "Ali Mosajjal"
email = "hi@n0p.me"
license = "Apache 2.0"
description = "Caddy Wiper Stack String Detection"
strings:
$s1 = /F.{6}i.{6}n.{6}d.{6}F.{6}i.{6}r.{6}s.{6}t.{6}F.{6}i.{6}l.{6}e.{6}A/ // FindFirstFileA
$s2 = /F.{6}i.{6}n.{6}d.{6}N.{6}e.{6}x.{6}t.{6}F.{6}i.{6}l.{6}e.{6}A/ // FindNextFileA
$s3 = /C.{6}r.{6}e.{6}a.{6}t.{6}e.{6}F.{6}i.{6}l.{6}e.{6}A/ // CreateFileA
$s4 = /G.{6}e.{6}t.{6}F.{6}i.{6}l.{6}e.{6}S.{6}i.{6}z.{6}e/ // GetFileSize
$s5 = /L.{6}o.{6}c.{6}a.{6}l.{6}A.{6}l.{6}l.{6}o.{6}c/ // LocalAlloc
$s6 = /S.{6}e.{6}t.{6}F.{6}i.{6}l.{6}e.{6}P.{6}o.{6}i.{6}n.{6}t.{6}e.{6}r/ // SetFilePointer
$s7 = /W.{3}r.{3}i.{3}t.{3}e.{3}F.{3}i.{3}l.{3}e/ // WriteFile
$s8 = /L.{6}o.{6}c.{6}a.{6}l.{6}F.{6}r.{6}e.{6}e/ // LocalFree
$s9 = /C.{6}l.{6}o.{6}s.{6}e.{6}H.{6}a.{6}n.{6}d.{6}l.{6}e/ // CloseHandle
$s10 = /F.{3}i.{3}n.{3}d.{3}C.{3}l.{3}o.{3}s.{3}e/ // FindClose
condition:
all of ($s*) and filesize < 100KB
}
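Review bot: The stack-string regexes `$s1`–`$s10` use `.` to skip the `mov byte ptr [ebp+disp]` opcode and displacement bytes between characters, but in YARA `.` does not match a newline byte (0x0A) unless the pattern carries the `s` flag, so a build whose stack offsets happen to contain 0x0A in one of those gaps would be missed by every affected string and the `all of ($s*)` condition would fail. Appending the single-line flag keeps the intent, e.g. `$s1 = /F.{6}i.{6}n.{6}d.{6}F.{6}i.{6}r.{6}s.{6}t.{6}F.{6}i.{6}l.{6}e.{6}A/s // FindFirstFileA`, applied to each of the ten patterns. The mixed `.{3}` gaps for WriteFile and FindClose against `.{6}` elsewhere look deliberate (8-bit versus 32-bit displacement encodings, matching the `C6 45 ??` and `C6 85 ?? ?? ?? ??` forms in the ReversingLabs rule added in the same commit) and deserve a comment such as `// .{3}: disp8 form (C6 45 xx), .{6}: disp32 form (C6 85 xx xx xx xx)` so the next editor does not normalise them.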