AA23-136A StopRansomware BianLian Ransomware Group
Indicators
On May 16, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Australian Cyber Security Centre (ACSC) published this joint Cybersecurity Advisory. The advisory disseminates the known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) of the BianLian ransomware and data extortion group, as identified through FBI and ACSC investigations as of March 2023.
BianLian is a ransomware and data extortion operation that first appeared in the wild in July 2022 and has breached multiple high-profile organizations, including organizations in multiple U.S. and Australian critical infrastructure sectors.
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in CISA Joint Cybersecurity Advisory, "AA23-136A StopRansomware BianLian Ransomware Group."
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2023-05-15T00:00:00Z
Malicious File Indicator
File Hash Watchlist
exp.exe
SHA256
0C1EB11DE3A533689267BA075E49D93D55308525C04D6AFF0D2C54D1F52F5500
Malicious URL Indicator
URL Watchlist
http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
Malicious E-mail Indicator
Malicious E-mail
xxx@mail2tor.com
Malicious E-mail Indicator
Malicious E-mail
swikipedia@onionmail.org
Malicious File Indicator
File Hash Watchlist
system.exe
MD5
E245F8D129E8EADB00E165C569A14B71
SHA1
86447D6BCC862EBFA2366F751CE57DE8B5948C9C
SHA256
40126AE71B857DD22DB39611C25D3D5DD0E60316B72830E930FBA9BAF23973CE
Malicious File Indicator
File Hash Watchlist
def.exe
MD5
AD5FBD52096E8BDC76D4052A5D8975A2
SHA1
67F25F899228A52C6668A7663FF8CF3F9E4DFF22
SHA256
7B15F570A23A5C5CE8FF942DA60834A9D0549EA3EA9F34F900A09331325DF893
Malicious File Indicator
File Hash Watchlist
encryptor.exe
MD5
08E76DD242E64BB31AEC09DB8464B28F
SHA1
3F3F62C33030CFD64DBA2D4ECB1634A9042BA292
SHA256
1FD07B8D1728E416F897BEF4F1471126F9B18EF108EB952F4B75050DA22E8E43
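As an added example (not part of the CISA STIX file or the advisory), the following Python script parses the flattened "Indicator / Watchlist / value" listing above into structured IOCs, rejects any digest whose length or character set does not fit its stated algorithm, and then hashes every file under a directory against the resulting watchlist. The indicator text embedded in the script is copied from the entries above; the scan directory, the `notepad.exe` file and its contents are constructed for the demonstration and are not real samples.

```python
"""Parse the flattened BianLian indicator listing and match file hashes.

Added example, not CISA's code. INDICATOR_TEXT is copied from the entries
above; the temp directory and sample file in demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

INDICATOR_TEXT = """\
Malicious File Indicator
File Hash Watchlist
exp.exe
SHA256
0C1EB11DE3A533689267BA075E49D93D55308525C04D6AFF0D2C54D1F52F5500
Malicious URL Indicator
URL Watchlist
http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
Malicious E-mail Indicator
Malicious E-mail
xxx@mail2tor.com
Malicious File Indicator
File Hash Watchlist
system.exe
MD5
E245F8D129E8EADB00E165C569A14B71
SHA1
86447D6BCC862EBFA2366F751CE57DE8B5948C9C
SHA256
40126AE71B857DD22DB39611C25D3D5DD0E60316B72830E930FBA9BAF23973CE
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}  # hex digest lengths
HEX = re.compile(r"^[0-9a-f]+$")


def parse_indicators(text):
    """Turn the flat listing into dicts; digests are normalised to lower-case hex."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    iocs, i = [], 0
    while i < len(lines):
        kind = lines[i]
        if kind == "Malicious File Indicator":
            name, hashes, j = lines[i + 2], {}, i + 3
            # Consume (algorithm, digest) pairs until the next indicator header.
            while j + 1 < len(lines) and lines[j] in HASH_LEN:
                algo, digest = lines[j], lines[j + 1].lower()
                if len(digest) != HASH_LEN[algo] or not HEX.match(digest):
                    raise ValueError(f"bad {algo} digest for {name}: {digest}")
                hashes[algo] = digest
                j += 2
            iocs.append({"type": "file", "name": name, "hashes": hashes})
            i = j
        elif kind == "Malicious URL Indicator":
            iocs.append({"type": "url", "value": lines[i + 2]})
            i += 3
        elif kind == "Malicious E-mail Indicator":
            iocs.append({"type": "email", "value": lines[i + 2]})
            i += 3
        else:
            raise ValueError(f"unexpected line: {kind}")
    return iocs


def hash_file(path):
    """MD5, SHA1 and SHA256 of a file, streamed in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest(),
            "SHA256": sha256.hexdigest()}


def build_watchlist(iocs):
    """Map every known digest to the file indicator it belongs to."""
    return {d: ioc for ioc in iocs if ioc["type"] == "file"
            for d in ioc["hashes"].values()}


def scan_directory(root, watchlist):
    """Hash every file under root; a hit is (path, algorithm, indicator name)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            for algo, digest in hash_file(path).items():
                if digest in watchlist:
                    hits.append((path, algo, watchlist[digest]["name"]))
                    break
    return hits


def demo():
    """Scan a constructed temp directory: first clean, then with a forced hit."""
    watch = build_watchlist(parse_indicators(INDICATOR_TEXT))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notepad.exe")  # constructed, not a real binary
        with open(path, "wb") as f:
            f.write(b"constructed benign content\n")
        clean = scan_directory(d, watch)
        # Force a hit by adding this file's own SHA256 to a copy of the watchlist:
        # matching is on the digest, never on the file name from the advisory.
        forced = dict(watch)
        forced[hash_file(path)["SHA256"]] = {"name": "exp.exe"}
        hit = scan_directory(d, forced)
    return len(clean), len(hit)


if __name__ == "__main__":
    print(demo())
```

Two points the script is built around: the file names in the listing (exp.exe, system.exe, def.exe, encryptor.exe) are the names the actors happened to use and are trivially changed, so every file is hashed regardless of name; and because only exp.exe carries a SHA256 while the other entries carry all three digests, the scanner accepts a match on any algorithm but reports which one fired, so an MD5-only hit can be confirmed against the SHA256 before it is acted on.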
Resource Development - Develop Capabilities: Malware [T1587.001]
Initial Access - Phishing [T1566]
Execution - Command and Scripting Interpreter: PowerShell [T1059.001]
Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Execution - Scheduled Task/Job: Scheduled Task [T1053.005]
Persistence - Account Manipulation [T1098]
Persistence - Create Account: Local Account [T1136.001]
Privilege Escalation - Valid Accounts [T1078]
Defense Evasion - Impair Defenses: Disable or Modify System Firewall [T1562.004]
Defense Evasion - Impair Defenses: Disable or Modify Tools [T1562.001]
Defense Evasion - Modify Registry [T1112]
Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]
Credential Access - OS Credential Dumping: NTDS [T1003.003]
Credential Access - Unsecured Credentials: Credentials In Files [T1552.001]
Discovery - Account Discovery: Domain Account [T1087.002]
Discovery - Domain Trust Discovery [T1482]
Discovery - File and Directory Discovery [T1083]
Discovery - Network Service Discovery [T1046]
Discovery - Network Share Discovery [T1135]
Discovery - Permission Groups Discovery: Domain Groups [T1069.002]
Discovery - Query Registry [T1012]
Discovery - Remote System Discovery [T1018]
Discovery - System Owner/User Discovery [T1033]
Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]
Collection - Clipboard Data [T1115]
Command and Control - Remote Access Software [T1219]
Command and Control - Ingress Tool Transfer [T1105]
Exfiltration - Exfiltration Over Alternative Protocol [T1048]
Exfiltration - Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Exfiltration - Transfer Data to Cloud Account [T1537]
Impact - Data Encrypted for Impact [T1486]