misp-circl-feed/feeds/circl/misp/5ccaeddb-dc84-4cc2-9f73-4a70950d210f.json

645 lines
22 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2019-05-02",
"extends_uuid": "",
"info": "OSINT - Goblin Panda continues to target Vietnam",
"publish_timestamp": "1556803538",
"published": true,
"threat_level_id": "3",
"timestamp": "1556803290",
"uuid": "5ccaeddb-dc84-4cc2-9f73-4a70950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#10ca00",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:threat-actor=\"Hellsing\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:malpedia=\"NewCore RAT\"",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803056",
"to_ids": false,
"type": "link",
"uuid": "5ccaedf0-5fd0-4f8c-a5f5-49d4950d210f",
"value": "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803079",
"to_ids": false,
"type": "text",
"uuid": "5ccaee07-32d8-4255-9cb5-4686950d210f",
"value": "Chinese actors have changed the rtf exploit following my different articles and Anomali article https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain\r\n\r\nBut In march a researcher of Anomali @aRtAGGI made a link very interesting between Icefog and an article targeting Mongelian speaker https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee32-bb50-4bc4-bdb8-4817950d210f",
"value": "81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "filename",
"uuid": "5ccaee32-5ce8-48fd-8fb0-4ff8950d210f",
"value": "Shortcuts\\QcLite.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee32-b744-4e07-bd11-4f6d950d210f",
"value": "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "filename",
"uuid": "5ccaee32-4a50-4c78-8d6f-4a8c950d210f",
"value": "Shortcuts\\QcConsol.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee32-db04-4dc2-83d0-47ca950d210f",
"value": "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "hostname",
"uuid": "5ccaee32-cb00-49b9-b3cc-47bd950d210f",
"value": "web.hcmuafgh.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "ip-dst",
"uuid": "5ccaee32-0310-4075-8920-4337950d210f",
"value": "193.29.56.62"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803122",
"to_ids": true,
"type": "url",
"uuid": "5ccaee32-1ad0-4b57-98b5-4f6c950d210f",
"value": "http://web.hcmuafgh.com:4357/link?url=maOVmKGmMDU1&enpl=OXcoVQ==&encd=XARIZTE="
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803195",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee7b-9258-45b6-9420-4bba950d210f",
"value": "05d0ad2bcc1c6e2752a231bc36d07a841f075a0a32a3a62abaafddbdafd72f62"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803195",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee7b-27b0-4803-a8e5-412e950d210f",
"value": "5a592b92ffcbea75e458726cecc7f159b8f71c46b80de30bac2a48006ac1e1b3"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803195",
"to_ids": true,
"type": "sha256",
"uuid": "5ccaee7b-0eb8-4058-be18-47d6950d210f",
"value": "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556803274",
"to_ids": false,
"type": "vulnerability",
"uuid": "5ccaeeca-5668-4e48-9f70-496c950d210f",
"value": "CVE-2017\u00e2\u20ac\u201c11882"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556803161",
"uuid": "6af30035-5440-401a-976b-bc64ed82ad01",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6af30035-5440-401a-976b-bc64ed82ad01",
"referenced_uuid": "c6f4a078-7797-4e7f-a50a-f441a9441493",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1556803161",
"uuid": "5ccaee59-5a8c-4363-bebd-4bed950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556803122",
"to_ids": true,
"type": "md5",
"uuid": "ab124dfa-92ff-485d-a669-8e365c666763",
"value": "6d2e6a61eede06fa9d633ce151208831"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha1",
"uuid": "106a8fdf-dffe-4228-8fa5-ada33eef0792",
"value": "f764163f3912376ebcabaf1cf3a60b6bc74561be"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "60444fbf-9c77-48fe-a82a-dd321618dc9b",
"value": "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556803161",
"uuid": "c6f4a078-7797-4e7f-a50a-f441a9441493",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556803122",
"to_ids": false,
"type": "datetime",
"uuid": "8a8e9657-f185-4b4a-a864-9dfd038906ce",
"value": "2019-05-02T11:28:30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556803122",
"to_ids": false,
"type": "link",
"uuid": "a0b8060b-4c47-4415-8ee8-481d250cdbaf",
"value": "https://www.virustotal.com/file/207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3/analysis/1556796510/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556803122",
"to_ids": false,
"type": "text",
"uuid": "8d0ecb1f-84c3-4e39-85e6-5382f49cc22c",
"value": "15/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556803161",
"uuid": "3ad479ea-41de-4e77-a2e2-e443cdc7e06f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3ad479ea-41de-4e77-a2e2-e443cdc7e06f",
"referenced_uuid": "61bf2686-6262-435a-9039-372f43219b6e",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1556803162",
"uuid": "5ccaee5a-6e70-4478-894a-4c2d950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556803122",
"to_ids": true,
"type": "md5",
"uuid": "c0f28c2a-0d92-46be-b786-f79defa4e0b7",
"value": "109d51899c832287d7ce1f70b5bd885d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha1",
"uuid": "a90d29a2-35af-473b-a9b8-8c66e5fc6147",
"value": "daa69d1b1abc00139b1d73d075921ab93137598d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "b259722e-416d-4590-a0e6-164a49207e4b",
"value": "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556803161",
"uuid": "61bf2686-6262-435a-9039-372f43219b6e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556803122",
"to_ids": false,
"type": "datetime",
"uuid": "5e67a2b3-2334-4dd1-b4da-148e54772693",
"value": "2019-04-29T23:04:06"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556803122",
"to_ids": false,
"type": "link",
"uuid": "2861f6a6-f61f-4226-8b1a-5552c3c1fa06",
"value": "https://www.virustotal.com/file/9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770/analysis/1556579046/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556803122",
"to_ids": false,
"type": "text",
"uuid": "f186be1f-70d3-4b2d-8f82-32aa84b64c0b",
"value": "0/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556803161",
"uuid": "f9c0db13-b132-48c2-bf17-631eff339a1f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f9c0db13-b132-48c2-bf17-631eff339a1f",
"referenced_uuid": "065f0f1c-08b4-4411-9d4d-300f2e0ac82e",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1556803162",
"uuid": "5ccaee5a-db04-4d65-b2c1-4633950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556803122",
"to_ids": true,
"type": "md5",
"uuid": "fd6c0413-7685-4cb6-aa2e-f6dd97d0cce8",
"value": "84fca27bc75f40194c95534b07838d6c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha1",
"uuid": "093b8656-2505-4c48-b31e-413a7ee51b86",
"value": "9520a18e9f6d4f6f014aa576b8843cdff176f701"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556803122",
"to_ids": true,
"type": "sha256",
"uuid": "5a2bb8d4-5262-4f0c-8bf7-2a0945fa157f",
"value": "81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556803161",
"uuid": "065f0f1c-08b4-4411-9d4d-300f2e0ac82e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556803122",
"to_ids": false,
"type": "datetime",
"uuid": "e051a82c-c83e-4283-8de4-161be247465f",
"value": "2019-05-01T10:35:55"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556803122",
"to_ids": false,
"type": "link",
"uuid": "8a0a6690-a7e6-449b-9c8d-6afd65d8be44",
"value": "https://www.virustotal.com/file/81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6/analysis/1556706955/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556803122",
"to_ids": false,
"type": "text",
"uuid": "bab1b9f2-f67e-493b-912e-525dcaa79d9c",
"value": "30/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556803233",
"uuid": "f2fb7d05-f968-4edc-8d24-24b91cf0df61",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f2fb7d05-f968-4edc-8d24-24b91cf0df61",
"referenced_uuid": "7077ee06-f4ff-4873-86f7-ba89aef8c723",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1556803234",
"uuid": "5ccaeea2-cac8-4c3a-a079-4722950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556803195",
"to_ids": true,
"type": "md5",
"uuid": "c495f771-242a-44d6-ba60-604f0cd9c923",
"value": "1b19175c41b9a9881b23b4382cc5935f"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556803195",
"to_ids": true,
"type": "sha1",
"uuid": "14b8e5a4-c34b-4bb2-bdba-cc9de529c924",
"value": "3752656c024284ea63421d70235ec48d76a95df3"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556803195",
"to_ids": true,
"type": "sha256",
"uuid": "a960d2df-329d-476e-98e4-388b714a781a",
"value": "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556803234",
"uuid": "7077ee06-f4ff-4873-86f7-ba89aef8c723",
"Attribute": [
{
"category": "Other",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556803195",
"to_ids": false,
"type": "datetime",
"uuid": "a6e30d35-1912-4743-86bb-917b906bfc44",
"value": "2019-04-29T23:04:01"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556803195",
"to_ids": false,
"type": "link",
"uuid": "f6aba0fc-493d-46cd-809d-fb34b7ade2cb",
"value": "https://www.virustotal.com/file/5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76/analysis/1556579041/"
},
{
"category": "Payload delivery",
"comment": "The dll is a variant of the newcoreRAT with many similarities with",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556803195",
"to_ids": false,
"type": "text",
"uuid": "35ac479c-bae6-42e5-a362-b3477657ef04",
"value": "46/70"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}