Operation TeleBot

Destructive KillDisk attacks by Sandworm's TeleBots group against the Ukrainian financial sector, a predecessor to NotPetya.

Start date: 1 January 2016
End date:
Techniques: 21

Indicators of compromise: 95 (40 SHA1, 19 SHA256, 19 MD5, 13 IP, 4 domain)

Attributed actors:

Techniques (21)

command-and-control (2)
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

credential-access (1)
T1003.001 LSASS Memory

defense-impairment (1)
T1070.001 Clear Windows Event Logs

discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task

exfiltration (1)
T1041 Exfiltration Over C2 Channel

impact (4)
T1486 Data Encrypted for Impact
T1485 Data Destruction
T1561.001 Disk Content Wipe
T1561.002 Disk Structure Wipe

initial-access (2)
T1078 Valid Accounts
T1566.001 Spearphishing Attachment

lateral-movement (1)
T1021.002 SMB/Windows Admin Shares

persistence (3)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task

privilege-escalation (4)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
T1053.005 Scheduled Task

stealth (4)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1055 Process Injection
T1027 Obfuscated Files or Information

Indicators of compromise (95)

SHA256 (19)
97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e  confirmed
b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec  confirmed
26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e  confirmed
904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c  confirmed
2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277  confirmed
48dcb183ff97a05fd3e466f76f385543480abb62c9adcae24d1bdbbfc26f9e5a  confirmed
5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118  confirmed
eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2  confirmed
f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740  confirmed
e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e  confirmed
a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8  confirmed
d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac  confirmed
ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da  confirmed
50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26  confirmed
dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c  confirmed
1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb  confirmed
8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d  confirmed
a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857  confirmed
2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2  confirmed
SHA1 (40)
9512a8280214674e6b16b07be281bb9f0255004b  confirmed
7b051e7e7a82f07873fa360958acc6492e4385dd  confirmed
8eb8527562dda552fc6b8827c0ebf50968848f1a  confirmed
c473ccb92581a803c1f1540be2193bc8b9599bfe  confirmed
7582de9e93e2f35f9a63b59317eba48846eea4c7  confirmed
26da35564d04bb308d57f645f353d1de1fb76677  confirmed
7b87ad4a25e80000ff1011b51f03e48e8ea6c23d  confirmed
c361a06e51d2e2cd560f43d4cc9dabe765536179  confirmed
1dc1660677a41b6622b795a1eb5aa5e5118d8f18  confirmed
f00f632749418b2b75ca9ece73a02c485621c3b4  confirmed
7c822f0fdb5ec14dd335cbe0238448c14015f495  confirmed
fffc20567da4656059860ed06c53fd4e5ad664c2  confirmed
fe4c1c6b3d8fdc9e562c57849e8094393075bc93  confirmed
385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7  confirmed
f1bf54186c2c64cd104755f247867238c8472504  confirmed
16c206d9cfd4c82d6652afb1eebb589a927b041b  confirmed
68377a993e5a85eb39aded400755a22eb7273ca0  confirmed
3567434e2e49358e8210674641a20b147e0bd23c  confirmed
57dad9cda501bc8f1d0496ef010146d9a1d3734f  confirmed
64cb897acc37e12e4f49c4da4dfad606b3976225  confirmed
b0ba3405bb2b0fa5ba34b57c2cc7e5c184d86991  confirmed
ad2d3d00c7573733b70d9780ae3b89eeb8c62c76  confirmed
58a45ef055b287bad7b81033e17446ee6b682e2d  confirmed
597cecc7dcd3c2f01d094a05160a3423565c18b6  confirmed
bf3cb98dc668e455188ebb4c311bd19cd9f46667  confirmed
30d2da7caf740baaa8a1300ee48220b3043a327d  confirmed
77d7ea627f645219cf6b8454459baef1e5192467  confirmed
7f3b1c56c180369ae7891483675bec61f3182f27  confirmed
b2e9d964c304fc91dcaf39ff44e3c38132c94655  confirmed
a0b9a35675153f4933c3e55418b6566e1a5dbf8a  confirmed
71a2b3f48828e4552637fa9753f0324b7146f3af  confirmed
f22cea7bc080e712e85549848d35e7d5908d9b49  confirmed
86abbf8a4cf9828381dde9fd09e55446e7533e78  confirmed
d8614bc1d428ebabccbfae76a81037ff908a8f79  confirmed
35d71de3e665cf9d6a685ae02c3876b7d56b1687  confirmed
06e1f816cbaf45bd6ee55f74f0261a674e805f86  confirmed
4d5023f9f9d0ba7a7328a8ee341dbbca244f72c5  confirmed
4b692e2597683354e106dfb9b90677c9311972a1  confirmed
81f73c76fbf4ab3487d5e6e8629e83c0568de713  confirmed
7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f  confirmed
MD5 (19)
4919569cd19164c1f123f97c5b44b03b  confirmed
1e98d810141f8e0fab4630b7302b2af5  confirmed
389ae3a4589e355e173e9b077d6f1a0a  confirmed
8f5718be4ba2c6e4f8ce1597248bb03f  confirmed
75ee947e31a40ab4b5cde9f4a767310b  confirmed
b75c869561e014f4d384773427c879a6  confirmed
bde6c0dac3e594a4a859b490aaaf1217  confirmed
5bd6b79a4443afd27f7ed1fbf66060ea  confirmed
87db6af04613f4bd70467720239117e5  confirmed
3efe62f6cb7285153114f888900a0962  confirmed
7d4fc63f2096a485d2da3db1150e6d34  confirmed
ffb1e8babaecc4a8cb3d763412294469  confirmed
1019c101fc1ae71e5c1687e34f0628e6  confirmed
24313581bbbffa9a784b48075b525810  confirmed
2d7866989d659c1f8ae795e5cab40bf3  confirmed
c404b959b51ad0425f1789f03e2c6ecf  confirmed
fd0fd58b20b1476e8f67d6a05307e9bc  confirmed
0fce93cd9beeea30a7f0e2a819d2b968  confirmed
76691c58103431624d26f2b8384a57b0  confirmed
IP (13)
188.214.135.174  confirmed
178.159.37.113  confirmed
93.190.137.212  confirmed
194.63.143.226  confirmed
65.55.176.126  confirmed
188.165.14.185  confirmed
149.154.167.197  confirmed
149.154.167.199  confirmed
149.154.167.198  confirmed
95.141.37.3  confirmed
80.233.134.147  confirmed
217.147.169.179  confirmed
149.154.167.200  confirmed
DOMAIN (4)
upd.me-doc.com.ua  confirmed
srv70.putdrive.com  confirmed
api.telegram.org  confirmed
smtp-mail.outlook.com  confirmed