From 25fb76962bd3acecd32605bfbcd69015b1c51092 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Tue, 17 Dec 2024 17:06:41 -0800
Subject: [PATCH 1/5] Added syncagentsrv.exe/qt5network.dll

---
 yml/3rd_party/acronis/qt5network.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 yml/3rd_party/acronis/qt5network.yml

diff --git a/yml/3rd_party/acronis/qt5network.yml b/yml/3rd_party/acronis/qt5network.yml
new file mode 100644
index 0000000..5aebe89
--- /dev/null
+++ b/yml/3rd_party/acronis/qt5network.yml
@@ -0,0 +1,18 @@
+---
+Name: qt5network.dll
+Author: Micah Babinski
+Created: 2024-12-17
+Vendor: The Qt Company
+ExpectedLocations:
+ - '%PROGRAMFILES%\Acronis\CyberProtectHomeOffice'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\common files\acronis\syncagent\syncagentsrv.exe'
+ Type: Sideloading
+ SHA256:
+ - '6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2'
+Resources:
+ - https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
+ - https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
+ - https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2
+Acknowledgements:
+ - Name: Micah Babinski
\ No newline at end of file

From b80f26c793aac73728df86d138abef06fb916410 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Tue, 17 Dec 2024 17:10:40 -0800
Subject: [PATCH 2/5] Prompting the workflow actions

---
 yml/3rd_party/acronis/qt5network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/3rd_party/acronis/qt5network.yml b/yml/3rd_party/acronis/qt5network.yml
index 5aebe89..66989e6 100644
--- a/yml/3rd_party/acronis/qt5network.yml
+++ b/yml/3rd_party/acronis/qt5network.yml
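Review bot: ExpectedLocations names only `%PROGRAMFILES%\Acronis\CyberProtectHomeOffice`, while the executable in VulnerableExecutables is `%PROGRAMFILES%\common files\acronis\syncagent\syncagentsrv.exe`, a different directory; if a legitimate qt5network.dll is also shipped alongside syncagentsrv.exe, that directory should be added to ExpectedLocations so detections derived from this entry do not flag the benign load. The two paths also differ in casing (`Acronis` vs `acronis`, `common files`); Windows paths are case-insensitive, but one casing style per entry keeps it consistent with the rest of the repository. The VirusTotal link for `dc36…` is not tied to any hash recorded in the entry; if it is the sample analysed in the Cyble write-up, a one-line comment above it naming what it refers to (e.g. `# sample referenced in the Cyble report`) would make the resource self-explanatory — confirm against the source before adding.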
@@ -11,7 +11,7 @@ VulnerableExecutables:
 SHA256:
 - '6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2'
 Resources:
- - https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
+ - https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware
 - https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
 - https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2
 Acknowledgements:

From 5b67d86c9a0a5af886b138f8d8bf465542d5e5c8 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Tue, 17 Dec 2024 17:12:52 -0800
Subject: [PATCH 3/5] Added newline

---
 yml/3rd_party/acronis/qt5network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/3rd_party/acronis/qt5network.yml b/yml/3rd_party/acronis/qt5network.yml
index 66989e6..18daf08 100644
--- a/yml/3rd_party/acronis/qt5network.yml
+++ b/yml/3rd_party/acronis/qt5network.yml
@@ -15,4 +15,4 @@ Resources:
 - https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
 - https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2
 Acknowledgements:
- - Name: Micah Babinski
\ No newline at end of file
+ - Name: Micah Babinski

From 2e6a9150c377b645f86e4bf44f3e0820a2713415 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Tue, 17 Dec 2024 17:14:12 -0800
Subject: [PATCH 4/5] Removed redundant VT entry

---
 yml/3rd_party/acronis/qt5network.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/yml/3rd_party/acronis/qt5network.yml b/yml/3rd_party/acronis/qt5network.yml
index 18daf08..93753c0 100644
--- a/yml/3rd_party/acronis/qt5network.yml
+++ b/yml/3rd_party/acronis/qt5network.yml
@@ -13,6 +13,5 @@ VulnerableExecutables:
 Resources:
 - https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware
 - https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
- - https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2
 Acknowledgements:
 - Name: Micah Babinski

From 5100ab06d4c69bcf66493f65d6f7a9813cd8134a Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Tue, 17 Dec 2024 17:18:04 -0800
Subject: [PATCH 5/5] Fixed vendor name

---
 yml/3rd_party/acronis/qt5network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/3rd_party/acronis/qt5network.yml b/yml/3rd_party/acronis/qt5network.yml
index 93753c0..091f75b 100644
--- a/yml/3rd_party/acronis/qt5network.yml
+++ b/yml/3rd_party/acronis/qt5network.yml
@@ -2,7 +2,7 @@
 Name: qt5network.dll
 Author: Micah Babinski
 Created: 2024-12-17
-Vendor: The Qt Company
+Vendor: Acronis
 ExpectedLocations:
 - '%PROGRAMFILES%\Acronis\CyberProtectHomeOffice'
 VulnerableExecutables: