{"Event":{"info":"OSINT - Cobian RAT \u2013 A backdoored RAT","Tag":[{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:rat=\"Cobian RAT\""}],"publish_timestamp":"1504550908","timestamp":"1504707557","analysis":"2","Attribute":[{"comment":"","category":"External analysis","uuid":"59ad9e86-6050-40f3-b339-81f602de0b81","timestamp":"1504550774","to_ids":false,"value":"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat","Tag":[{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"","category":"External analysis","uuid":"59ad9e9e-58d8-425d-978a-261f02de0b81","timestamp":"1504550774","to_ids":false,"value":"The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family, which we analyzed in this report.","Tag":[{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"disable_correlation":false,"object_relation":null,"type":"text"},{"comment":"","category":"Payload delivery","uuid":"59ad9eee-b230-4355-9883-4eef02de0b81","timestamp":"1504550774","to_ids":true,"value":"94911666a61beb59d2988c4fc7003e5a","disable_correlation":false,"object_relation":null,"type":"md5"},{"comment":"","category":"Payload delivery","uuid":"59ad9eee-9c8c-4013-92b2-426002de0b81","timestamp":"1504550774","to_ids":true,"value":"7eede7047d3d785db248df0870783637","disable_correlation":false,"object_relation":null,"type":"md5"},{"comment":"","category":"Network activity","uuid":"59ad9eee-8ebc-45bc-a052-4dac02de0b81","timestamp":"1504550774","to_ids":true,"value":"belkomsolutions.com/t/guangzhou%20sonicstar%20electronics%20co%20ltd.zip","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"C&C: swez111.ddns[.]net:20000","category":"Network activity","uuid":"59ad9eff-507c-4da9-9daa-467c02de0b81","timestamp":"1504550774","to_ids":true,"value":"173.254.223.81","disable_correlation":false,"object_relation":null,"type":"ip-dst"},{"comment":"On port 20000","category":"Network activity","uuid":"59ad9f44-33bc-4df3-a06f-498002de0b81","timestamp":"1504550774","to_ids":true,"value":"swez111.ddns.net","disable_correlation":false,"object_relation":null,"type":"hostname"},{"comment":"- Xchecked via VT: 7eede7047d3d785db248df0870783637","category":"Payload delivery","uuid":"59ad9f76-95b4-4e02-8e1b-46da02de0b81","timestamp":"1504550774","to_ids":true,"value":"020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28","disable_correlation":false,"object_relation":null,"type":"sha256"},{"comment":"- Xchecked via VT: 7eede7047d3d785db248df0870783637","category":"Payload delivery","uuid":"59ad9f76-71c8-476c-a411-465502de0b81","timestamp":"1504550774","to_ids":true,"value":"48e44f342d6a89bf56776c8356ca9a7377fa8d4b","disable_correlation":false,"object_relation":null,"type":"sha1"},{"comment":"- Xchecked via VT: 7eede7047d3d785db248df0870783637","category":"External analysis","uuid":"59ad9f76-02dc-4241-bee7-415402de0b81","timestamp":"1504550774","to_ids":false,"value":"https://www.virustotal.com/file/020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28/analysis/1504274179/","disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"- Xchecked via VT: 94911666a61beb59d2988c4fc7003e5a","category":"Payload delivery","uuid":"59ad9f76-537c-48ec-8e7a-4f1c02de0b81","timestamp":
