adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/1edd5ee1-7c91-4233-840a-6c419d6afc62.json

1589 lines
85 KiB
JSON
Raw Permalink Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2021-02-20",
"extends_uuid": "",
"info": "OSINT - IronNetInjector: Turla\u2019s New Malware Loading Tool",
"publish_timestamp": "1613840000",
"published": true,
"threat_level_id": "2",
"timestamp": "1613811965",
"uuid": "1edd5ee1-7c91-4233-840a-6c419d6afc62",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [export] updated
2023-05-19 09:05:37 +00:00
"name": "type:OSINT",
"relationship_type": ""
chg: [feed] added
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [export] updated
2023-05-19 09:05:37 +00:00
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
chg: [feed] added
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0087e8",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [export] updated
2023-05-19 09:05:37 +00:00
"name": "osint:certainty=\"50\"",
"relationship_type": ""
chg: [feed] added
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [export] updated
2023-05-19 09:05:37 +00:00
"name": "tlp:white",
"relationship_type": ""
chg: [feed] added
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811034",
"to_ids": true,
"type": "pdb",
"uuid": "191d97b2-d7ea-49cb-a19a-2f560bc94b3b",
"value": "%USERPROFILE%\\source\\repos\\c4\\agent\\build\\_tools\\agent\\_dll\\_to\\_Python\\_loader\\NetInjector\\NetInjector\\obj\\Release\\NetInjector.pdb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "d9c8070f-ea2b-47e8-ae78-30a1f85a788c",
"value": "a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "f4642726-7d3a-4f77-ac23-59c220678eb0",
"value": "63d7695dabefb97aa30cbe522647c95395b44321e1a3b08b8028e4000d1be15e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "7218aec5-416f-438e-936a-1ba1f92ab346",
"value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "25def1c1-4edf-46dd-b831-d21ae46b1a48",
"value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "3e136590-6d34-418c-9896-78defc1c3f1c",
"value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "8c99b060-e98f-4903-a660-9b179da4f06b",
"value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "103f647f-76fc-4698-8193-2c29df55f26e",
"value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "00f2f454-0978-43f9-9dd8-55d407f1c190",
"value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "8389a593-98d2-4ae2-ae3a-3efbe519672a",
"value": "ba17af72a9d90822eed447b8526fb68963f0cde78df07c16902dc5a0c44536c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c803c285-7b5e-41a2-8039-4cf867cc0cd3",
"value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "eeeffb3a-b92e-43d8-a954-60e99fd478d4",
"value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "490b1de9-53aa-4776-81fb-3ddd8f226dbf",
"value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "61288f48-9193-4986-942d-8186dc5832c3",
"value": "c430ebab4bf827303bc4ad95d40eecc7988bdc17cc139c8f88466bc536755d4e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c01c2b14-2df0-48be-a8b9-151d1eb6cabb",
"value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "ee49fa56-c0d1-4cf6-bd09-2a7c41e82812",
"value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811114",
"to_ids": true,
"type": "pdb",
"uuid": "1af7dfc6-d905-4932-aa29-6e8b580c1419",
"value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_Win32.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811020",
"to_ids": true,
"type": "pdb",
"uuid": "f77b67e3-040f-43c6-b27f-7b3adb17acbc",
"value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_x64.pdb"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "2",
"timestamp": "1613810873",
"uuid": "b380f86c-fab0-4725-9f44-75c0066c3443",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1613810873",
"to_ids": false,
"type": "link",
"uuid": "4f7c4a75-b3d0-4141-a0d5-1ab8216f1ff7",
"value": "https://unit42.paloaltonetworks.com/ironnetinjector/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1613810873",
"to_ids": false,
"type": "text",
"uuid": "5e9d4958-9976-4f9d-a7e6-25b1268356d3",
"value": "In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use \u2013 including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware.\r\n\r\nUnit 42 researchers have found several malicious IronPython scripts whose purpose is to load and run Turla\u2019s malware tools on a victim\u2019s system. The use of IronPython for malicious purposes isn\u2019t new, but the way Turla uses it is new. The overall method is known as Bring Your Own Interpreter (BYOI). It describes the use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.\r\n\r\nThe first malicious IronPython scripts of the tool we describe here were discovered last year by a security researcher from FireEye. At the beginning of this year, another security researcher from Dragos pointed out some new scripts of the same threat actor uploaded to VirusTotal from two different submitters. We found that one of the submitters also uploaded two other samples, which are most likely embedded payloads of one of the IronPython scripts. These samples helped us to understand how this tool works, what malware it loads and which threat actor uses it.\r\n\r\nWhile the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of IronPython and the injector\u2019s internal project name NetInjector. In this blog, we describe the IronPython scripts and how they\u2019re used to load one or more payloads with the help of an injector.\r\n\r\nPalo Alto Networks customers are protected from this threat through WildFire and Cortex XDR. AutoFocus customers can investigate this activity with the tag \u201cIronNetInjector\u201d."
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811963",
"uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531",
"referenced_uuid": "c344702e-a806-4c8f-b775-73df55233630",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "09806fa8-53a9-464d-857b-73dd70ebe3a5"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "113fce15-61f2-49fa-bfbb-26aaa77a2aad",
"value": "0674e34d0b01e1c71e4666da1f3b589f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "40c270cc-ff02-47d6-8bff-b1657cc680eb",
"value": "0133512142805b89b5a86dfa67a82aaedbbab69c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "3bef1341-4c92-441a-8817-1dc4d148e8eb",
"value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "c344702e-a806-4c8f-b775-73df55233630",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "953df01c-4d2e-450a-afd9-d31ece971d4f",
"value": "2021-02-19T19:36:11+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "bbfdefe0-60e7-4bfc-a6fa-8491930fd0f8",
"value": "https://www.virustotal.com/gui/file/b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040/detection/f-b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040-1613763371"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "c6daa0ea-94a8-4656-88a2-9385e163db80",
"value": "7/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "bb6d2897-d966-484f-a16e-ef0d4883382c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "bb6d2897-d966-484f-a16e-ef0d4883382c",
"referenced_uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "905906a9-8e41-4f0a-9585-db1c1a31ef05"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8fc9329d-1f61-4609-abe1-a240a5d0919c",
"value": "48f52e0c7aa72c2ccc5f5fcbd8e1290b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "dfffdfed-59f9-4cf2-95b6-14183d075222",
"value": "347f31769431ad70147e68fbb6bfa1e17fe283e9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "58c2aa6f-202a-4909-9511-3b7f8a18bcd4",
"value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "a72d5d15-a703-44ee-85a8-3944ca8c30ee",
"value": "2021-02-19T18:04:13+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "d35f9f97-e4fd-47fb-bb91-0b848af5ed4c",
"value": "https://www.virustotal.com/gui/file/b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d/detection/f-b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d-1613757853"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "2d866758-093e-4856-bf2a-e758ce033f7c",
"value": "26/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1",
"referenced_uuid": "b267c9dd-a93a-485d-8669-f183f000e830",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "daf3264d-27a3-4182-b6e3-f3cd4d90da1c"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "2015a9a1-f8c1-4dfd-9aa4-64e72c7e9878",
"value": "f376bc51b1220e5fc520ce60762ac6ce"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "ea85804d-5418-4724-86d9-c439b75f8745",
"value": "3e65b2df40001253ad8d9a3430a597c7b028bae9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "1244faf6-1cb0-4adc-af30-b3bdbbfbb84a",
"value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "b267c9dd-a93a-485d-8669-f183f000e830",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "27d7b061-8f1c-45c8-a1e3-0664f11916e7",
"value": "2021-02-20T03:39:41+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "3370b374-bfa9-433e-b062-6c64666954d1",
"value": "https://www.virustotal.com/gui/file/a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061/detection/f-a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061-1613792381"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "ac3a1514-866c-4895-8133-d003a148510f",
"value": "48/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "fd84b821-3908-4308-82c5-3e80414485c0",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fd84b821-3908-4308-82c5-3e80414485c0",
"referenced_uuid": "8952247a-923b-45d0-aeb2-e205c1471a97",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "0d3bc751-2b79-4cde-9e02-f0a9d1d836c1"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8ea94f5f-2ad3-4088-b588-a71f6325b7da",
"value": "9446059710c1869fc8aa9f0ef75d82f4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "e23a718e-a396-4b99-a011-908f38fcb11d",
"value": "a91612cadaccc19d101710b0ae77151a7a1b043b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "209aab73-4653-4c6e-bfae-63426de9ba8d",
"value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "8952247a-923b-45d0-aeb2-e205c1471a97",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "a81ae9f3-97d4-4ace-8e64-c8e7e7370af4",
"value": "2021-02-19T18:04:19+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "30a8de8e-8eb2-4ace-855d-e74fcb54608d",
"value": "https://www.virustotal.com/gui/file/8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72/detection/f-8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72-1613757859"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "f099139a-13f7-46ba-918e-0492e4ca4340",
"value": "22/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c",
"referenced_uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "17472a77-bafd-4f5e-82ef-9f401e0bcff2"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "70a52887-9a96-451a-8682-984cf6468f65",
"value": "7fcd8d3fde761de1d894dcf87827dde3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "23672d95-c2a4-476e-9e7d-44a0e882e09e",
"value": "f2284d4777d2b5d2faf33844084b94c9552d5294"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "b94364d4-c6e1-4444-842a-6edfdef13d0b",
"value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "67b46cdc-27d2-4d07-9be9-e932cbbcde01",
"value": "2021-02-20T03:38:42+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "0091c69d-d04c-4879-aa0c-44616bf64e5a",
"value": "https://www.virustotal.com/gui/file/a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56/detection/f-a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56-1613792322"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "803cccf0-f675-4664-80b4-f907076d9238",
"value": "47/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e",
"referenced_uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "b4b90211-ad2a-420b-918a-73bd06085094"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8a55c305-c59c-421c-8695-6edb137982f3",
"value": "1777b81f3f87648b2344ea480bbcba65"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "098e3b1a-00c4-41d0-b6a4-1ad4d05057f8",
"value": "ae76df8def138b6d4c82984f7172ed5bba737e1b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c1037107-2a6c-4c29-8880-89fdb18538fa",
"value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "8b32b042-1ddb-443b-a4a7-0679753f79d1",
"value": "2021-02-20T09:03:32+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "ee58a958-335f-43e6-a69e-cd4a46551abc",
"value": "https://www.virustotal.com/gui/file/c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9/detection/f-c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9-1613811812"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "1ca876a3-9ff0-4392-84df-11ee11f2c491",
"value": "3/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "9429ddde-5558-4980-b168-6adae4f881ee",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9429ddde-5558-4980-b168-6adae4f881ee",
"referenced_uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "8f864090-0997-4822-9827-4fa3418b9445"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "9ee8e1c3-5d9a-4697-9b15-97f93a69263b",
"value": "eff5881b4bf83386e26c451ff7c34a90"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "4be7aca8-1982-472f-b5c2-f778eff9b207",
"value": "d7a18413d8c2b2525a0c90aaa392bdaef377e2ec"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "4efeefd3-d530-49be-a6d7-70a6414fc5e2",
"value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "69cb8722-3339-4367-9f5f-19af913184b0",
"value": "2021-02-19T18:13:50+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "b864d0d7-71ef-4c0c-97a2-96d45559960f",
"value": "https://www.virustotal.com/gui/file/18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746/detection/f-18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746-1613758430"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "2e321a84-f066-4515-bc1e-ce0ddd84e98f",
"value": "43/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75",
"referenced_uuid": "d6e00d51-3e6b-4568-9cec-dd77c1c0de47",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "fd8106da-0f36-4818-8c3f-32a48d2cac1d"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "7f3babc3-9f0b-4041-9317-c5110ec1553a",
"value": "0ebe822e8c7ebb803ae5b6b74601c36f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "35b5a373-675f-48cf-acf3-ba15def8922c",
"value": "86681c0c9b171f1afef5b06104abe8abcf0c992e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "98231e9e-8ba2-4b84-8960-ace7615cdb63",
"value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "d6e00d51-3e6b-4568-9cec-dd77c1c0de47",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "fb9530c3-4758-49cb-a9e9-55a039df9dd8",
"value": "2021-02-19T18:02:33+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "a5e137aa-eb61-4524-9b88-4113cbe136bb",
"value": "https://www.virustotal.com/gui/file/3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6/detection/f-3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6-1613757753"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "324b299c-0c8c-4430-97b2-9fc02b095f97",
"value": "30/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4",
"referenced_uuid": "521e7905-f504-432c-ad34-54b87b7896b3",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "4d60404e-514f-43b7-b55c-ce3d0b35c0d8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "2acf5157-a4b7-4d73-a8ac-b7b30e3c723d",
"value": "d672139849f9855bfb703fcaec020a2f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "25ffd605-b39e-4230-9bc4-eea7711a34f7",
"value": "7e138c1337a29868fddfa99f52dfe1de38e46c9e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "72717563-3369-40b9-a04c-fa61773d3cfe",
"value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "521e7905-f504-432c-ad34-54b87b7896b3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "78473fdb-7413-479d-89f9-eaf44270cad9",
"value": "2021-02-19T19:37:27+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "e92bfb2d-804e-46e9-a1db-bea4af8058b4",
"value": "https://www.virustotal.com/gui/file/c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad/detection/f-c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad-1613763447"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "3809e013-1036-475c-b671-47e8a0b84008",
"value": "4/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "0c0447cb-deb3-4606-b74e-5d016a305472",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0c0447cb-deb3-4606-b74e-5d016a305472",
"referenced_uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "64663b63-0c63-4aa3-af31-badc2acc92b7"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "a856cfa0-c225-4225-94be-405cf2cd4f6f",
"value": "b11d85844af9fa84bf84ff746557f0b5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "3ba7094a-54fe-4376-9909-de8888a82a39",
"value": "44efacb89badadb486839165aba4d1ecdf3f047e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "0c942d0f-54f0-4bed-8bea-1d82cf6f21ae",
"value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "5d7a76b9-f6f8-4e46-95ed-0b198b71976f",
"value": "2021-02-19T18:04:36+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "c1e70c66-59bc-4f40-a8cf-4564237a915d",
"value": "https://www.virustotal.com/gui/file/b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3/detection/f-b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3-1613757876"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "102ea680-2071-42f6-a95e-52d9a87163b0",
"value": "22/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "0ad792f3-1b7b-4510-a584-a113276453bc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0ad792f3-1b7b-4510-a584-a113276453bc",
"referenced_uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "9dae3dcf-b5f8-4bc5-94d1-33862198bb9e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "fce44e72-82c0-4707-bf3c-dc000ac26bad",
"value": "e46da9ab2096ebb33279a808f5a7ee77"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "56bab591-b146-4fc0-bf53-f8aca7fcda9b",
"value": "ad81f2f00f25cd0e45151d42d63c46db3ae39bed"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "579dfbfe-4194-439b-ab69-555dfbaef643",
"value": "a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "ca73ed83-05f6-4bad-be26-36e0433048df",
"value": "2021-02-20T09:04:22+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "a4a46491-8771-4a52-8bd6-9bbc4477ae82",
"value": "https://www.virustotal.com/gui/file/a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc/detection/f-a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc-1613811862"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "9158f2ab-9d6c-48a9-b1d3-37e76f1d6c67",
"value": "40/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811965",
"uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020",
"ObjectReference": [
{
"comment": "",
"object_uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020",
"referenced_uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "677bd01b-6520-46a1-8756-4dbbcac28dc8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "0d76897f-f845-4111-b7c0-e3ef91f1b365",
"value": "98ce8c41188fcc1a92d0a23569c3765c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "9de52289-4101-4d81-a4f7-3ecc22536b14",
"value": "2920d5e6c579fce772e5506caf03af65579088bd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c82f7295-3a96-4c4a-965a-75a342037240",
"value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811965",
"uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "85f958ed-446d-454f-8b88-4e47a82c063f",
"value": "2021-02-19T18:04:28+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "f10b6f7e-a1ec-4fb5-8f03-16c6e00c9bf9",
"value": "https://www.virustotal.com/gui/file/82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93/detection/f-82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93-1613757868"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "1c366e4f-fd00-453f-9f3b-c6cf51c09e3e",
"value": "18/59"
}
]
}
chg: [export] updated
2023-05-19 09:05:37 +00:00
],
"EventReport": [
{
"name": "Report from - \r\nhttps://unit42.paloaltonetworks.com/ironnetinjector/ (1613810890)",
"content": "html [if IE]> <div class=\"alert alert-warning\"> You are using an <strong>outd@[tag](misp-galaxy:tool=\"at\")ed</strong> browser. Please <a href=\"@[attribute](a96c2f20-d186-4106-8303-f6e4cba88012)\">upgrade your browser</a> to improve your experience. </div> <![endif] \n* Tools\n * ATOMs\n * About Us\n \n By Dominik Reichel \n\n February 19, 2021 @[tag](misp-galaxy:tool=\"at\") 6:00 AM\n\n C@[tag](misp-galaxy:tool=\"at\")egory: Unit 42\n\n Tags: .NET Framework, @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\"), IronNetInjector, Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"), malware, RPC Backdoor, @[tag](Turla)\n\n This post is also available in: \u65e5\u672c\u8a9e (Japanese)\n\n## Executive Summary\n\n In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use \u2013 including thre@[tag](misp-galaxy:tool=\"at\") actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware.\n\n Unit 42 researchers have found several malicious Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts whose purpose is to load and run @[tag](Turla)\u2019s malware tools on a victim\u2019s system. The use of Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") for malicious purposes isn\u2019t new, but the way @[tag](Turla) uses it *is* new. The overall method is known as Bring Your Own Interpreter (BYOI). It describes the use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.\n\n The first malicious Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts of the tool we describe here were discovered last year by a security researcher from FireEye. At the beginning of this year, another security researcher from Dragos pointed out some new scripts of the same thre@[tag](misp-galaxy:tool=\"at\") actor uploaded to VirusTotal from two different submitters. We found th@[tag](misp-galaxy:tool=\"at\") one of the submitters also uploaded two other samples, which are most likely embedded payloads of one of the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts. These samples helped us to understand how this tool works, wh@[tag](misp-galaxy:tool=\"at\") malware it loads and which thre@[tag](misp-galaxy:tool=\"at\") actor uses it.\n\n While the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") and the injector\u2019s internal project name NetInjector. In this blog, we describe the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts and how they\u2019re used to load one or more payloads with the help of an injector.\n\n Palo Alto Networks customers are protected from this thre@[tag](misp-galaxy:tool=\"at\") through @[tag](misp-galaxy:malpedia=\"WildFire\") and Cortex XDR. AutoFocus customers can investig@[tag](misp-galaxy:tool=\"at\")e this activity with the tag \u201cIronNetInjector\u201d.\n\n ## Wh@[tag](misp-galaxy:tool=\"at\") Is Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\")?\n\n First, let\u2019s take a look @[tag](misp-galaxy:tool=\"at\") wh@[tag](misp-galaxy:tool=\"at\") Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is and why it was chosen as a loading vector. In the words of the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") team:\n\n Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is an open-source implement@[tag](misp-galaxy:tool=\"at\")ion of the @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") programming language which is tightly integr@[tag](misp-galaxy:tool=\"at\")ed
"id": "41",
"event_id": "82503",
"timestamp": "1613810910",
"uuid": "93647699-1a3e-44fa-9bd4-c00725e0fd11",
"deleted": false
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
}
}
Reference in a new issue Copy permalink