QuietSieve
stealer, 1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
QuietSieve
CATEGORY:
STEALER
DESCRIPTION:
QuietSieve is an information-stealing malware used by the Gamaredon threat group (also known as Primitive Bear or Trident Ursa). It is designed to steal sensitive information from compromised systems, including credentials, browser data, and other valuable information. It has been observed targeting Ukraine and employs sophisticated techniques to evade detection.
ALIASES:
QuietSieve Stealer
TAGS:
information_stealer, credential_theft, browser_theft, gamaredon, ukraine_targeting, apt
[MUTEX_SIGNATURES] (1)
[MUTEX_01]
Global\lCHBaUZcohRgQcOfdIFaf
ANALYST: @adhikara13 DATE: 2024-07-16
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Gamaredon
Primitive Bear
Trident Ursa
FIRST_OBSERVED:
2021
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:3
ALIASES:1
TAGS:6
CATEGORY:STEALER