misp-circl-feed/feeds/circl/misp/571de51c-4f04-491f-b34a-4567950d210f.json

271 lines
130 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2016-04-25",
"extends_uuid": "",
"info": "OSINT - TWO BYTES TO $951M (SWIFT payment system abuse)",
"publish_timestamp": "1463501834",
"published": true,
"threat_level_id": "2",
"timestamp": "1463501820",
"uuid": "571de51c-4f04-491f-b34a-4567950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#6bd600",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "circl:topic=\"finance\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577051",
"to_ids": false,
"type": "link",
"uuid": "571de55b-62c4-4164-a6b8-4912950d210f",
"value": "http://baesystemsai.blogspot.lu/2016/04/two-bytes-to-951m.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577069",
"to_ids": false,
"type": "comment",
"uuid": "571de56d-9d20-4984-9f77-475b950d210f",
"value": "In February 2016 one of the largest cyber heists was committed and subsequently disclosed. An unknown attacker gained access to the Bangladesh Bank\u00e2\u20ac\u2122s (BB) SWIFT payment system and reportedly instructed an American bank to transfer money from BB\u00e2\u20ac\u2122s account to accounts in The Philippines. The attackers attempted to steal $951m, of which $81m is still unaccounted for. \r\n\r\nThe technical details of the attack have yet to be made public, however we\u00e2\u20ac\u2122ve recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure. \r\n\r\nThis malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers\u00e2\u20ac\u2122 tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place. \r\n\r\nThe tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future."
},
{
"category": "Payload delivery",
"comment": "evtdiag.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577125",
"to_ids": true,
"type": "sha1",
"uuid": "571de5a5-b484-480f-bf60-4d4b950d210f",
"value": "525a8e3ae4e3df8c9c61f2a49e38541d196e9228"
},
{
"category": "Payload delivery",
"comment": "evtsys.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577125",
"to_ids": true,
"type": "sha1",
"uuid": "571de5a5-c824-4d41-a44b-43da950d210f",
"value": "76bab478dcc70f979ce62cd306e9ba50ee84e37e"
},
{
"category": "Payload delivery",
"comment": "nroff_b.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577125",
"to_ids": true,
"type": "sha1",
"uuid": "571de5a5-d18c-4a5a-b7d8-4b30950d210f",
"value": "70bf16597e375ad691f2c1efa194dbe7f60e4eeb"
},
{
"category": "Payload delivery",
"comment": "gpca.dat",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577125",
"to_ids": true,
"type": "sha1",
"uuid": "571de5a5-e3f8-46bb-a301-43ff950d210f",
"value": "6207b92842b28a438330a2bf0ee8dcab7ef0a163"
},
{
"category": "Payload delivery",
"comment": "gpca.dat - Xchecked via VT: 6207b92842b28a438330a2bf0ee8dcab7ef0a163",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": true,
"type": "sha256",
"uuid": "571de5be-0198-4c01-a9c7-4bd002de0b81",
"value": "b07b37f0246bd436addbe5d702b12485d7bc8a9ef1475b54bff513a18e68fef7"
},
{
"category": "Payload delivery",
"comment": "gpca.dat - Xchecked via VT: 6207b92842b28a438330a2bf0ee8dcab7ef0a163",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": true,
"type": "md5",
"uuid": "571de5be-2994-4d3e-ae5b-4aef02de0b81",
"value": "f7272bb1374bf3af193ea1d1845b27fd"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": false,
"type": "link",
"uuid": "571de5be-97cc-48d7-b0df-432102de0b81",
"value": "https://www.virustotal.com/file/b07b37f0246bd436addbe5d702b12485d7bc8a9ef1475b54bff513a18e68fef7/analysis/1461049792/"
},
{
"category": "Payload delivery",
"comment": "nroff_b.exe - Xchecked via VT: 70bf16597e375ad691f2c1efa194dbe7f60e4eeb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": true,
"type": "sha256",
"uuid": "571de5be-8280-488c-a1bf-437502de0b81",
"value": "5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630"
},
{
"category": "Payload delivery",
"comment": "nroff_b.exe - Xchecked via VT: 70bf16597e375ad691f2c1efa194dbe7f60e4eeb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": true,
"type": "md5",
"uuid": "571de5be-f358-4523-b8ee-41a202de0b81",
"value": "1d0e79feb6d7ed23eb1bf7f257ce4fee"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577150",
"to_ids": false,
"type": "link",
"uuid": "571de5be-941c-4514-b651-4a9202de0b81",
"value": "https://www.virustotal.com/file/5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630/analysis/1460698377/"
},
{
"category": "Payload delivery",
"comment": "evtsys.exe - Xchecked via VT: 76bab478dcc70f979ce62cd306e9ba50ee84e37e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": true,
"type": "sha256",
"uuid": "571de5bf-ad68-4e97-8c1b-412702de0b81",
"value": "ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283"
},
{
"category": "Payload delivery",
"comment": "evtsys.exe - Xchecked via VT: 76bab478dcc70f979ce62cd306e9ba50ee84e37e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": true,
"type": "md5",
"uuid": "571de5bf-064c-4a4c-a302-4bdf02de0b81",
"value": "5d0ffbc8389f27b0649696f0ef5b3cfe"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": false,
"type": "link",
"uuid": "571de5bf-0df4-421c-bb52-4f7c02de0b81",
"value": "https://www.virustotal.com/file/ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283/analysis/1461067332/"
},
{
"category": "Payload delivery",
"comment": "evtdiag.exe - Xchecked via VT: 525a8e3ae4e3df8c9c61f2a49e38541d196e9228",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": true,
"type": "sha256",
"uuid": "571de5bf-f638-4ae5-820f-473002de0b81",
"value": "4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a"
},
{
"category": "Payload delivery",
"comment": "evtdiag.exe - Xchecked via VT: 525a8e3ae4e3df8c9c61f2a49e38541d196e9228",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": true,
"type": "md5",
"uuid": "571de5bf-0b34-45ba-b14c-44fd02de0b81",
"value": "24d76abbc0a10e4c977a28b33c879248"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577151",
"to_ids": false,
"type": "link",
"uuid": "571de5bf-b9bc-48f8-9821-478602de0b81",
"value": "https://www.virustotal.com/file/4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a/analysis/1461049613/"
},
{
"category": "Network activity",
"comment": "The configuration file contains a list of transaction IDs, some additional environment information, and the following IP address to be used for command-and-control (C&C):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577199",
"to_ids": true,
"type": "ip-dst",
"uuid": "571de5ef-8fa8-4d8e-a3e1-4c79950d210f",
"value": "196.202.103.174"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463501820",
"to_ids": true,
"type": "filename",
"uuid": "571de60d-6454-4aa4-b4e7-4352950d210f",
"value": "\\Users\\Administrator\\AppData\\Local\\Allians\\gpca.dat"
},
{
"category": "External analysis",
"comment": "Imported via the freetext import.",
"data": "PCFET0NUWVBFIGh0bWw+CjxodG1sIHhtbG5zPSdodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sJyB4bWxuczpiPSdodHRwOi8vd3d3Lmdvb2dsZS5jb20vMjAwNS9nbWwvYicgeG1sbnM6ZGF0YT0naHR0cDovL3d3dy5nb29nbGUuY29tLzIwMDUvZ21sL2RhdGEnIHhtbG5zOmV4cHI9J2h0dHA6Ly93d3cuZ29vZ2xlLmNvbS8yMDA1L2dtbC9leHByJz4KPGhlYWQ+CjxsaW5rIGhyZWY9J2h0dHA6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M/ZmFtaWx5PU9wZW4rU2Fuczo3MDAsNDAwLDMwMHxWaWdhfFBUK1NlcmlmOjQwMCw3MDAsNDAwaXRhbGljLDcwMGl0YWxpYycgcmVsPSdzdHlsZXNoZWV0Jy8+CjxsaW5rIGhyZWY9J2h0dHA6Ly9mb250cy5nb29nbGVhcGlzLmNvbS9jc3M/ZmFtaWx5PU9zd2FsZDo0MDAsNzAwLDMwMCcgcmVsPSdzdHlsZXNoZWV0JyB0eXBlPSd0ZXh0L2NzcycvPgo8bWV0YSBjaGFyc2V0PSd1dGYtOCcvPgo8bWV0YSBjb250ZW50PSd3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MS4wJyBuYW1lPSd2aWV3cG9ydCcvPgo8bWV0YSBjb250ZW50PSdJRT1lZGdlLGNocm9tZT0xJyBodHRwLWVxdWl2PSdYLVVBLUNvbXBhdGlibGUnLz4KPG1ldGEgY29udGVudD0ndGV4dC9odG1sOyBjaGFyc2V0PVVURi04JyBodHRwLWVxdWl2PSdDb250ZW50LVR5cGUnLz4KPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPihmdW5jdGlvbigpIHsgKGZ1bmN0aW9uKCl7ZnVuY3Rpb24gYyhhKXt0aGlzLnQ9e307dGhpcy50aWNrPWZ1bmN0aW9uKGEsYyxiKXt2YXIgZD12b2lkIDAhPWI/YjoobmV3IERhdGUpLmdldFRpbWUoKTt0aGlzLnRbYV09W2QsY107aWYodm9pZCAwPT1iKXRyeXt3aW5kb3cuY29uc29sZS50aW1lU3RhbXAoIkNTSS8iK2EpfWNhdGNoKGUpe319O3RoaXMudGljaygic3RhcnQiLG51bGwsYSl9dmFyIGE7d2luZG93LnBlcmZvcm1hbmNlJiYoYT13aW5kb3cucGVyZm9ybWFuY2UudGltaW5nKTt2YXIgaD1hP25ldyBjKGEucmVzcG9uc2VTdGFydCk6bmV3IGM7d2luZG93LmpzdGltaW5nPXtUaW1lcjpjLGxvYWQ6aH07aWYoYSl7dmFyIGI9YS5uYXZpZ2F0aW9uU3RhcnQsZT1hLnJlc3BvbnNlU3RhcnQ7MDxiJiZlPj1iJiYod2luZG93LmpzdGltaW5nLnNydD1lLWIpfWlmKGEpe3ZhciBkPXdpbmRvdy5qc3RpbWluZy5sb2FkOzA8YiYmZT49YiYmKGQudGljaygiX3d0c3J0Iix2b2lkIDAsYiksZC50aWNrKCJ3dHNydF8iLAoiX3d0c3J0IixlKSxkLnRpY2soInRic2RfIiwid3RzcnRfIikpfXRyeXthPW51bGwsd2luZG93LmNocm9tZSYmd2luZG93LmNocm9tZS5jc2kmJihhPU1hdGguZmxvb3Iod2luZG93LmNocm9tZS5jc2koKS5wYWdlVCksZCYmMDxiJiYoZC50aWNrKCJfdGJuZCIsdm9pZCAwLHdpbmRvdy5jaHJvbWUuY3NpKCkuc3RhcnRFKSxkLnRpY2soInRibmRfIiwiX3RibmQiLGIpKSksbnVsbD09YSYmd2luZG93Lmd0YkV4dGVybmFsJiYoYT13aW5kb3cuZ3RiRXh0ZXJuYWwucGFnZVQoKSksbnVsbD09YSYmd2luZG93LmV4dGVybmFsJiYoYT13aW5kb3cuZXh0ZXJuYWwucGFnZVQsZCYmMDxiJiYoZC50aWNrKCJfdGJuZCIsdm9pZCAwLHdpbmRvdy5leHRlcm5hbC5zdGFydEUpLGQudGljaygidGJuZF8iLCJfdGJuZCIsYikpKSxhJiYod2luZG93LmpzdGltaW5nLnB0PWEpfWNhdGNoKGspe319KSgpO3dpbmRvdy50aWNrQWJvdmVGb2xkPWZ1bmN0aW9uKGMpe3ZhciBhPTA7aWYoYy5vZmZzZXRQYXJlbnQpe2RvIGErPWMub2Zmc2V0VG9wO3doaWxlKGM9Yy5vZmZzZXRQYXJlbnQpfWM9YTs3NTA+PWMmJndpbmRvdy5qc3RpbWluZy5sb2FkLnRpY2soImFmdCIpfTt2YXIgZj0hMTtmdW5jdGlvbiBnKCl7Znx8KGY9ITAsd2luZG93LmpzdGltaW5nLmxvYWQudGljaygiZmlyc3RTY3JvbGxUaW1lIikpfXdpbmRvdy5hZGRFdmVudExpc3RlbmVyP3dpbmRvdy5hZGRFdmVudExpc3RlbmVyKCJzY3JvbGwiLGcsITEpOndpbmRvdy5hdHRhY2hFdmVudCgib25zY3JvbGwiLGcpOwogfSkoKTs8L3NjcmlwdD4KPG1ldGEgY29udGVudD0nYmxvZ2dlcicgbmFtZT0nZ2VuZXJhdG9yJy8+CjxsaW5rIGhyZWY9J2h0dHA6Ly9iYWVzeXN0ZW1zYWkuYmxvZ3Nwb3QuY29tLmVzL2Zhdmljb24uaWNvJyByZWw9J2ljb24nIHR5cGU9J2ltYWdlL3gtaWNvbicvPgo8bGluayBocmVmPSdodHRwOi8vYmFlc3lzdGVtc2FpLmJsb2dzcG90LmNvbS8yMDE2LzA0L3R3by1ieXRlcy10by05NTFtLmh0bWwnIHJlbD0nY2Fub25pY2FsJy8+CjxsaW5rIHJlbD0iYWx0ZXJuYXRlIiB0eXBlPSJhcHBsaWNhdGlvbi9hdG9tK3htbCIgdGl0bGU9IkJBRSBTeXN0ZW1zIFRocmVhdCBSZXNlYXJjaCBCbG9nIC0gQXRvbSIgaHJlZj0iaHR0cDovL2JhZXN5c3RlbXNhaS5ibG9nc3BvdC5jb20vZmVlZHMvcG9zdHMvZGVmYXVsdCIgLz4KPGxpbmsgcmVsPSJhbHRlcm5hdGUiIHR5cGU9ImFwcGxpY2F0aW9uL3Jzcyt4bWwiIHRpdGxlPSJCQUUgU3lzdGVtcyBUaHJlYXQgUmVzZWFyY2ggQmxvZyAtIFJTUyIgaHJlZj0iaHR0cDovL2JhZXN5c3RlbXNhaS5ibG9nc3BvdC5jb20vZmVlZHMvcG9zdHMvZGVmYXVsdD9hbHQ9cnNzIiAvPgo8bGluayByZWw9InNlcnZpY2UucG9zdCIgdHlwZT0iYXBwbGljYXRpb24vYXRvbSt4bWwiIHRpdGxlPSJCQUUgU3lzdGVtcyBUaHJlYXQgUmVzZWFyY2ggQmxvZyAtIEF0b20iIGhyZWY9Imh0dHBzOi8vd3d3LmJsb2dnZXIuY29tL2ZlZWRzLzczNDU1MTUwODU4Mzg0MjI3OTkvcG9zdHMvZGVmYXVsdCIgLz4KCjxsaW5rIHJlbD0iYWx0ZXJuYXRlIiB0eXBlPSJhcHBsaWNhdGlvbi9hdG9tK3htbCIgdGl0bGU9IkJBRSBTeXN0ZW1zIFRocmVhdCBSZXNlYXJjaCBCbG9nIC0gQXRvbSIgaHJlZj0iaHR0cDovL2JhZXN5c3RlbXNhaS5ibG9nc3BvdC5jb20vZmVlZHMvMzU1NDQ2MDU2MzYwMTY4ODk4L2NvbW1lbnRzL2RlZmF1bHQiIC8+CjxsaW5rIGhyZWY9J2h0dHBzOi8vMi5icC5ibG9nc3BvdC5jb20vLWtKZzhvN2xZSHp3L1Z4aE1sMXFCQ3JJL0FBQUFBQUFBQWZBL24tVXVySUk4cTJFeXlhVWxZTXd2Z05qVmRXQTRpSzdPZ0NMY0IvczY0MC9zY2hlbWUxLn
"deleted": false,
"disable_correlation": false,
"timestamp": "1461577379",
"to_ids": false,
"type": "attachment",
"uuid": "571de6a3-4548-4238-8b4d-4396950d210f",
"value": "http://baesystemsai.blogspot.lu/2016/04/two-bytes-to-951m.html"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}