{
"type" : "bundle" ,
"id" : "bundle--5b773e07-e694-458b-b99c-27f30a016219" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2023-05-22T21:15:47.000Z" ,
"modified" : "2023-05-22T21:15:47.000Z" ,
"name" : "ESET" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5b773e07-e694-458b-b99c-27f30a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2023-05-22T21:15:47.000Z" ,
"modified" : "2023-05-22T21:15:47.000Z" ,
"name" : "Turla Outlook White Paper" ,
"published" : "2023-05-25T08:18:54Z" ,
"object_refs" : [
"observed-data--5b773e89-9738-4bbb-90bc-2fb20a016219" ,
"file--5b773e89-9738-4bbb-90bc-2fb20a016219" ,
"observed-data--5b773e89-7e14-4280-9249-2fb20a016219" ,
"file--5b773e89-7e14-4280-9249-2fb20a016219" ,
"observed-data--5b773e89-4934-4d34-be4c-2fb20a016219" ,
"file--5b773e89-4934-4d34-be4c-2fb20a016219" ,
"observed-data--5b773e89-1e7c-48d3-a6cb-2fb20a016219" ,
"file--5b773e89-1e7c-48d3-a6cb-2fb20a016219" ,
"observed-data--5b773eed-662c-4150-b6ef-2fb10a016219" ,
"windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219" ,
"observed-data--5b773eed-6158-4680-941f-2fb10a016219" ,
"windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219" ,
"observed-data--5b773f0c-07c4-4a31-b191-2fb20a016219" ,
"windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219" ,
"observed-data--5b7c7085-9658-46bf-afdc-59530a016219" ,
"url--5b7c7085-9658-46bf-afdc-59530a016219" ,
"observed-data--5b854bdf-32a4-4f17-8bab-32abc0a8ab16" ,
"url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16" ,
"observed-data--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"file--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"artifact--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"indicator--5b83aad8-f964-4899-9743-7267d5388438" ,
"indicator--5b83aade-d508-4f29-9577-7267d5388438" ,
"indicator--5b83aae3-1b28-417a-90e4-7267d5388438" ,
"indicator--5b83aae8-5a50-4714-b5ba-7267d5388438" ,
"indicator--5b83aaee-6008-4818-a291-7267d5388438" ,
"indicator--5b83aaf3-23b4-4a0e-8ceb-7267d5388438" ,
"x-misp-attribute--5b83abb1-2524-4295-9eee-7268d5388438" ,
"observed-data--5b83abb1-76b4-4b70-80bd-10f2d5388438" ,
"url--5b83abb1-76b4-4b70-80bd-10f2d5388438" ,
"x-misp-attribute--5b83abb2-7e1c-4cfa-8c10-10a6d5388438" ,
"x-misp-attribute--5b83abb2-9420-4692-aa94-10f4d5388438" ,
"x-misp-attribute--5b83abb2-6450-4242-908f-7265d5388438" ,
"x-misp-attribute--5b83abb2-409c-4018-bfbc-7267d5388438" ,
"x-misp-attribute--5b83abb2-4064-4b38-b5d7-726ad5388438" ,
"x-misp-attribute--5b83abb2-90ec-47c7-8869-10a7d5388438" ,
"x-misp-attribute--5b83abb2-5c5c-411d-a011-726bd5388438" ,
"x-misp-attribute--5b83abb2-45e0-4bf4-8ad2-0968d5388438" ,
"x-misp-attribute--5b83abb3-5430-49a6-b4cb-7268d5388438" ,
"x-misp-attribute--5b83abb3-e5fc-480d-b4a6-10f2d5388438" ,
"x-misp-attribute--5b83abb3-39a4-4cb2-a08f-10a6d5388438" ,
"x-misp-attribute--5b83abb3-7e7c-4c8f-a29f-10f4d5388438" ,
"observed-data--5b8fa050-e5e8-424e-9b8d-07a7d5388438" ,
"url--5b8fa050-e5e8-424e-9b8d-07a7d5388438" ,
"x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9" ,
"indicator--8adddb25-84d0-4480-9221-68e2d85b6cba" ,
"x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd" ,
"indicator--46a74309-e65f-4fd7-b816-917ade7475c9" ,
"indicator--cba9ad80-221b-4873-af6c-3a5e678f9a3b" ,
"x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6" ,
"indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c" ,
"relationship--149e7c2a-e5a8-4aa2-9b31-8f19d5f42c6d" ,
"relationship--8874b545-599d-4fde-ba4d-b16156593698" ,
"relationship--6c9ec985-f47c-4706-b736-cc1c71536805"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:threat-actor=\"Turla Group\"" ,
"misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking\"" ,
"misp-galaxy:mitre-attack-pattern=\"Email Collection\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Object Model Hijacking - T1122\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"cert-ist:threat_targeted_sector=\"Academic and Research\"" ,
"cert-ist:threat_targeted_sector=\"Gov\"" ,
"cert-ist:threat_targeted_region=\"Western Europe\"" ,
"cert-ist:enriched" ,
"cert-ist:ioc_accuracy=\"medium\"" ,
"cert-ist:threat_level=\"medium\"" ,
"cert-ist:threat_type=\"apt\"" ,
"BR_CTI_Investigar"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773e89-9738-4bbb-90bc-2fb20a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-20T22:45:11.000Z" ,
"modified" : "2018-08-20T22:45:11.000Z" ,
"first_observed" : "2018-08-20T22:45:11Z" ,
"last_observed" : "2018-08-20T22:45:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b773e89-9738-4bbb-90bc-2fb20a016219"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b773e89-9738-4bbb-90bc-2fb20a016219" ,
"name" : "%appdata%\\Microsoft\\Windows\\scawrdot.db"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773e89-7e14-4280-9249-2fb20a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-20T22:45:02.000Z" ,
"modified" : "2018-08-20T22:45:02.000Z" ,
"first_observed" : "2018-08-20T22:45:02Z" ,
"last_observed" : "2018-08-20T22:45:02Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b773e89-7e14-4280-9249-2fb20a016219"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b773e89-7e14-4280-9249-2fb20a016219" ,
"name" : "%appdata%\\Microsoft\\Windows\\flobcsnd.dat"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773e89-4934-4d34-be4c-2fb20a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-17T21:30:49.000Z" ,
"modified" : "2018-08-17T21:30:49.000Z" ,
"first_observed" : "2018-08-17T21:30:49Z" ,
"last_observed" : "2018-08-17T21:30:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b773e89-4934-4d34-be4c-2fb20a016219"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b773e89-4934-4d34-be4c-2fb20a016219" ,
"name" : "mapid.tlb"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773e89-1e7c-48d3-a6cb-2fb20a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-17T21:30:49.000Z" ,
"modified" : "2018-08-17T21:30:49.000Z" ,
"first_observed" : "2018-08-17T21:30:49Z" ,
"last_observed" : "2018-08-17T21:30:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b773e89-1e7c-48d3-a6cb-2fb20a016219"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b773e89-1e7c-48d3-a6cb-2fb20a016219" ,
"name" : "msmime.dll"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773eed-662c-4150-b6ef-2fb10a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-17T21:32:29.000Z" ,
"modified" : "2018-08-17T21:32:29.000Z" ,
"first_observed" : "2018-08-17T21:32:29Z" ,
"last_observed" : "2018-08-17T21:32:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219" ,
"key" : "HKCU\\Software\\Classes\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773eed-6158-4680-941f-2fb10a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-17T21:32:29.000Z" ,
"modified" : "2018-08-17T21:32:29.000Z" ,
"first_observed" : "2018-08-17T21:32:29Z" ,
"last_observed" : "2018-08-17T21:32:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219" ,
"key" : "HKCU\\Software\\Classes\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b773f0c-07c4-4a31-b191-2fb20a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-17T21:33:00.000Z" ,
"modified" : "2018-08-17T21:33:00.000Z" ,
"first_observed" : "2018-08-17T21:33:00Z" ,
"last_observed" : "2018-08-17T21:33:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219" ,
"key" : "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Settings\\ZonePolicy\\"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b7c7085-9658-46bf-afdc-59530a016219" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-21T20:05:25.000Z" ,
"modified" : "2018-08-21T20:05:25.000Z" ,
"first_observed" : "2018-08-21T20:05:25Z" ,
"last_observed" : "2018-08-21T20:05:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b7c7085-9658-46bf-afdc-59530a016219"
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b7c7085-9658-46bf-afdc-59530a016219" ,
"value" : "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b854bdf-32a4-4f17-8bab-32abc0a8ab16" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-28T13:19:27.000Z" ,
"modified" : "2018-08-28T13:19:27.000Z" ,
"first_observed" : "2018-08-28T13:19:27Z" ,
"last_observed" : "2018-08-28T13:19:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16" ,
"value" : "https://github.com/eset/malware-ioc/tree/master/turla"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:28:55.000Z" ,
"modified" : "2018-08-30T12:28:55.000Z" ,
"first_observed" : "2018-08-30T12:28:55Z" ,
"last_observed" : "2018-08-30T12:28:55Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"artifact--5b87e307-7618-4378-ba96-4abb9f590eb0"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"name" : "Eset-Turla-Outlook-Backdoor.pdf" ,
"content_ref" : "artifact--5b87e307-7618-4378-ba96-4abb9f590eb0"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"payload_bin" : " J V B E R i 0 x L j Q N J e L j z 9 M N C j E 1 M j U g M C B v Y m o N P D w v T G l u Z W F y a X p l Z C A x L 0 w g M T A z M j U y M C 9 P I D E 1 M j c v R S A 1 N z M 5 O C 9 O I D I 0 L 1 Q g M T A w M T k w M y 9 I I F s g O D k z I D E w M j h d P j 4 N Z W 5 k b 2 J q D S A g I C A g I C A g I A 14 c m V m D Q o x N T I 1 I D I 5 D Q o w M D A w M D A w M D E 2 I D A w M D A w I G 4 N C j A w M D A w M D I x M z E g M D A w M D A g b g 0 K M D A w M D A w M j I 5 N C A w M D A w M C B u D Q o w M D A w M D A y N z Q 5 I D A w M D A w I G 4 N C j A w M D A w M D M x M D Q g M D A w M D A g b g 0 K M D A w M D A w M z k 2 M i A w M D A w M C B u D Q o w M D A w M D A 0 M z c 4 I D A w M D A w I G 4 N C j A w M D A w M D Q 0 O T M g M D A w M D A g b g 0 K M D A w M D A w N D c y N y A w M D A w M C B u D Q o w M D A w M D A 1 M T A w I D A w M D A w I G 4 N C j A w M D A w M D U 4 O D g g M D A w M D A g b g 0 K M D A w M D A w N j Y y N i A w M D A w M C B u D Q o w M D A w M D A 3 M j c 2 I D A w M D A w I G 4 N C j A w M D A w M D c 4 M T k g M D A w M D A g b g 0 K M D A w M D A w O D M 1 M i A w M D A w M C B u D Q o w M D A w M D A 4 O T A 1 I D A w M D A w I G 4 N C j A w M D A w M D k 0 N T k g M D A w M D A g b g 0 K M D A w M D A x M D A 1 M S A w M D A w M C B u D Q o w M D A w M D E w N T M 4 I D A w M D A w I G 4 N C j A w M D A w M T A 5 N D E g M D A w M D A g b g 0 K M D A w M D A x M T M 4 N S A w M D A w M C B u D Q o w M D A w M D E x O T k 1 I D A w M D A w I G 4 N C j A w M D A w M T I 2 N j Q g M D A w M D A g b g 0 K M D A w M D A x N D Q 4 N i A w M D A w M C B u D Q o w M D A w M D I w N z Q 5 I D A w M D A w I G 4 N C j A w M D A w M j M z O D g g M D A w M D A g b g 0 K M D A w M D A 1 N z M 1 N y A w M D A w M C B u D Q o w M D A w M D A x O T I x I D A w M D A w I G 4 N C j A w M D A w M D A 4 O T M g M D A w M D A g b g 0 K d H J h a W x l c g 0 8 P C 9 T a X p l I D E 1 N T Q v U m 9 v d C A x N T I 2 I D A 
g U i 9 J b m Z v I D Q y M S A w I F I v S U R b P E Y z Q T F F N 0 V E Q 0E0 Q z Q 5 N z h C O D B D N D N D M z N E Q T A x Q z d D P j x C M T d B R D A 3 N T Y 5 R U M 0 M j g 1 O T F F N T F D Q z Z B N z k 4 Q z B B R D 5 d L 1 B y Z X Y g M T A w M T g 5 M C 9 Y U m V m U 3 R t I D E 5 M j E + P g 1 z d G F y d H h y Z W Y N M A 0 l J U V P R g 0 g I C A g I C A g I C A g I C A g I A 0 x N T U z I D A g b 2 J q D T w 8 L 0 M g M T E x M C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v S S A x M T M y L 0 x l b m d 0 a C A 5 M z c v U y A 5 M j g + P n N 0 c m V h b Q 0 K a N 5 i Y G B g Y m B g + c T A x s D A t p Z B k A E B B I F i 7 A w s D B w x D O K G w d 46 R 6 N 1 z v A x T j 2 t w + C Q 4 d l w 98 B L X 7 u F B 503 / r i + y q 9 S t 4 p X b G 37 m j 2 T r l r u O 7 q 5 J y W O O d s x T q o k a j f 3 v h k M D E J P m G o t L s c U l j 5 M Y 70 V 8 l 0 k k j U y 5 + o T J K s Y m F i Z Z B w U E n u n m q Q s c F j g 3 M H C Y 7 h p W c 8 U D p E f h Q x T B J R s X j 7 V P K f l M F F K Z d l l R a O M j Q G N 4e0 C H B w J m Y J L X X Y m M i l f m 20 U a C S 0 6 r Q U h 4 h A I U / k h g y H j q + n w 6 S N Z m w M 8 z r L w s V h 0 e J x S T V m K 1 D l 2 d U 6 L R c n r W y y 49 p i 0 e D d I S i 3 s V m s L 3 J P X s 7 J R U t n 2 p Y 83 B y e d V m 3 R k D r w C N G P Q W X K h P P I O m w 1 p f J b l 7 L O P 4 q h X g c 5 O A T z T p 6 x H 1 C 0 d 2 H m 47 G a O d c 5 V y s d 9 k K Z C 2 L B 7 / H V C l V o L V h L R s X q w Y 71 A h o K D z i 4 F f a m X U k M 0 j J b C 3 Y F C f X D w 6 L D 3 e w O C q F Z P Q u r I o A u Y W 1 S c Z B i c V 9 t k 7 K q m R H k S Y u B Z u I 9 L 4 V 9 h y N g i 9 u L v K a p L h Z t W u h i Y B O w i N G f g V X L R e P s w t N U l Y l H W R a y 6 c g Z H p i 0 p I I h 47 P W R e A Q b f B Y R N z B 6 t M o + C z s 5 I + E S s c n z h N A C p R W S m 5 u C N n k z D I D x w O A a / F d e U c u o A e M + 7 I W b V F r W e a j 4 C W w y N G Z a / O o q s t H P 0 8 P J x b U y c A D V u U 0 O j I L n C 
x m z n V V z J F Q B u o x J C H h 8 t S Y 9 K S h J y F w W 6 R i h w T t V Q S H N t Y F C w i e k 4 I y n 1 M u q 57 X b o k k r v t 1 K 3 d G h k n A 0 D x m p b R A a I q O h q A J H t H B y y + R U P D O y A 8 R k E h J S X 1 D j C P S U n F B S w B V C 0 o C O R U d M C 0 C A o K i n e A Q Q O Y K w T T A + I I G 4 N 1 Q c 0 w N k 5 L h 6 o D y Y R W w D U J Q s 1 z c Q e L M B s D l Q J B O p j H 4 p K W V g F V C e T A m O w Q m k l J y R y s m V F Q S d n Y J B x u p r C x s T n E Z t b Q C q h u s C 6 Y w 11 c Q 2 G u I y P b A C 1 M Y u A T m w g 0 S R K I v c B m S j M I M K 5 h 9 G C 2 Z 2 x l i G A 4 z x j F 9 J P p O F M + E w v j L y Y + J n 4 m U 8 Y z j B W M C 5 n c m Z r Y m S V i u E x a p j H w M d Y y F j D W M R k x + n N 9 Z V z A s F 4 g j f E 4 g y X j U S Y 1 h i S G Y / w M D I k M w m 7 p D C + Z t J m y G E Q Z P z P p C q k z R D C 5 M H y X v 8 M 4 l 8 E V a K 82 I y t D H s N k B j E G c S A W Y 3 j M c J k h j M k Y z B Z j W I S c o R k n M / A 9 l w A y e B g Y A m f D R Z c y 8 H s 8 B z G A e B d A g A E A K n F Y d A 1 l b m R z d H J l Y W 0 N Z W 5 k b 2 J q D T E 1 N T I g M C B v Y m o N P D w v R G V j b 2 R l U G F y b X M 8 P C 9 D b 2 x 1 b W 5 z I D Q v U H J l Z G l j d G 9 y I D E y P j 4 v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 l u Z G V 4 W z Q y M i A x M T A z X S 9 M Z W 5 n d G g g N T Y v U 2 l 6 Z S A x N T I 1 L 1 R 5 c G U v W F J l Z i 9 X W z E g M i A x X T 4 + c 3 R y Z W F t D Q p o 3 u z R o Q E A M A z D s K T / s + H 9 u i 9 G K q I D 7 J m e T J J i E b 0 a e A 7 P 4 T k 8 h + f w H J 7 D c 3 i O n 8 + f A A M A H + c U Q g 1 l b m R z d H J l Y W 0 N Z W 5 k b 2 J q D T E 1 M j Y g M C B v Y m o N P D w v T G F u Z y h l b i 1 V U y k v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D Q y M C A w I F I v U G F n Z X M g N D E 1 I D A g U i 9 T d H J 1 Y 3 R U c m V l U m 9 v d C A 0 M j I g M C B S L 1 R 5 c G U v Q 2 F 0 Y W x v Z y 9 W a 
W V 3 Z X J Q c m V m Z X J l b m N l c z w 8 L 0 R p c m V j d G l v b i 9 M M l I + P j 4 + D W V u Z G 9 i a g 0 x N T I 3 I D A g b 2 J q D T w 8 L 0 F y d E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 C b G V l Z E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 D b 250 Z W 50 c 1 s x N T M 2 I D A g U i A x N T M 3 I D A g U i A x N T M 4 I D A g U i A x N T M 5 I D A g U i A x N T Q w I D A g U i A x N T Q x I D A g U i A x N T Q 1 I D A g U i A x N T Q 2 I D A g U l 0 v Q 3 J v c E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 N Z W R p Y U J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 Q Y X J l b n Q g N D E 2 I D A g U i 9 S Z X N v d X J j Z X M 8 P C 9 F e H R H U 3 R h d G U 8 P C 9 H U z A g M T U z M S A w I F I + P i 9 G b 250 P D w v V D F f M C A x N T I 4 I D A g U i 9 U M V 8 x I D E 1 M j k g M C B S L 1 Q x X z I g M T U 0 M i A w I F I + P i 9 Q c m 9 j U 2 V 0 W y 9 Q R E Y v V G V 4 d F 0 v U H J v c G V y d G l l c z w 8 L 0 1 D M C A x N T U x I D A g U j 4 + P j 4 v U m 90 Y X R l I D A v U 3 R y d W N 0 U G F y Z W 50 c y A w L 1 R y a W 1 C b 3 h b M C 4 w I D A u M C A 1 O T U u M j c 2 I D g 0 M S 44 O V 0 v V H l w Z S 9 Q Y W d l P j 4 N Z W 5 k b 2 J q D T E 1 M j g g M C B v Y m o N P D w v Q m F z Z U Z v b n Q v S V R G R k 1 R K 0 Z l Z H J h U 2 F u c 0 F s d F B y b y 1 C b 2 x k T E Y v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z p c n N 0 Q 2 h h c i A z M i 9 G b 250 R G V z Y 3 J p c H R v c i A x N T M z I D A g U i 9 M Y X N 0 Q 2 h h c i A 4 O S 9 T d W J 0 e X B l L 1 R 5 c G U x L 1 R v V W 5 p Y 29 k Z S A x N T M w I D A g U i 9 U e X B l L 0 Z v b n Q v V 2 l k d G h z W z I z M S A w I D A g M C A w I D A g M C A w I D A g M C A w I D A g M C A w I D M w N y A w I D A g M z c 1 I D U 0 M C A 1 M T M g N T g 5 I D U z N C A w I D A g M C A w I D A g M C A w I D A g M C A w I D A 
g N z E 4 I D Y 4 M S A 2 N z c g N z g 3 I D Y x M S A 2 M T E g N z A 5 I D g w N i A z M z Y g M C A 3 M j M g N T Y
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aad8-f964-4899-9743-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:08.000Z" ,
"modified" : "2018-08-27T07:40:08.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[rule turla_outlook_log { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"First bytes of the encrypted Turla Outlook logs\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: /* Log begin: [...] TVer */ $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} condition: $s1 at 0 }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aade-d508-4f29-9577-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:14.000Z" ,
"modified" : "2018-08-27T07:40:14.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[rule outlook_misty1 { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detects the Turla MISTY1 implementation\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: /* and edi, 1FFh */ $o1 = {81 E7 FF 01 00 00} /* shl ecx, 9 */ $s1 = {C1 E1 09} /* xor ax, si */ $s2 = {66 33 C6} /* shr eax, 7 */ $s3 = {C1 E8 07} $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} condition: $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] -500 ..@o1[i] + 500))) }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aae3-1b28-417a-90e4-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:19.000Z" ,
"modified" : "2018-08-27T07:40:19.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[rule turla_outlook_gen { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Outlook\" ascii wide $s2 = \"Outlook Express\" ascii wide $s3 = \"Outlook watchdog\" ascii wide $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide $s5 = \"Mail Event Window\" ascii wide $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide $s9 = \"rctrl_renwnd32\" ascii wide $s10 = \"NetUIHWND\" ascii wide $s11 = \"homePostalAddress\" ascii wide $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide $s14 = \"IPM.Note\" ascii wide $s15 = \"MAPILogonEx\" ascii wide $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide $s17 = \"PowerShellRunner.dll\" ascii wide $s18 = \"cmd container\" ascii wide $s19 = \"mapid.tlb\" ascii wide nocase $s20 = \"Content-Type: F)*+\" ascii wide fullword condition: 5 of them }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aae8-5a50-4714-b5ba-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:24.000Z" ,
"modified" : "2018-08-27T07:40:24.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[import \"pe\" rule turla_outlook_exports { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Export names of Turla Outlook Malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" condition: (pe.exports(\"install\") or pe.exports(\"Install\")) and pe.exports(\"TBP_Initialize\") and pe.exports(\"TBP_Finalize\") and pe.exports(\"TBP_GetName\") and pe.exports(\"DllRegisterServer\") and pe.exports(\"DllGetClassObject\") }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aaee-6008-4818-a291-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:30.000Z" ,
"modified" : "2018-08-27T07:40:30.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[rule turla_outlook_filenames { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook filenames\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"mapid.tlb\" $s2 = \"msmime.dll\" $s3 = \"scawrdot.db\" condition: any of them }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b83aaf3-23b4-4a0e-8ceb-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:40:35.000Z" ,
"modified" : "2018-08-27T07:40:35.000Z" ,
"description" : "Merged from event 11961" ,
"pattern" : "[rule turla_outlook_pdf { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detect PDF documents generated by Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Adobe PDF Library 9.0\" ascii wide nocase $s2 = \"Acrobat PDFMaker 9.0\" ascii wide nocase $s3 = {FF D8 FF E0 00 10 4A 46 49 46} $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} $s5 = \"W5M0MpCehiHzreSzNTczkc9d\" ascii wide nocase $s6 = \"PDF-1.4\" ascii wide nocase condition: 5 of them }]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-27T07:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb1-2524-4295-9eee-7268d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:45.000Z" ,
"modified" : "2018-08-27T07:43:45.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack name" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Turla"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b83abb1-76b4-4b70-80bd-10f2d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:45.000Z" ,
"modified" : "2018-08-27T07:43:45.000Z" ,
"first_observed" : "2018-08-27T07:43:45Z" ,
"last_observed" : "2018-08-27T07:43:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b83abb1-76b4-4b70-80bd-10f2d5388438"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b83abb1-76b4-4b70-80bd-10f2d5388438" ,
"value" : "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-7e1c-4cfa-8c10-10a6d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Snake"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-9420-4692-aa94-10f4d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Uroburos"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-6450-4242-908f-7265d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Venomous Bear"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-409c-4018-bfbc-7267d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "KRYPTON"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-4064-4b38-b5d7-726ad5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Waterbug"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-90ec-47c7-8869-10a7d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Attack Alias" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "WhiteBear"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-5c5c-411d-a011-726bd5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Description" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "These IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017.\r\n\r\nThe extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer."
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb2-45e0-4bf4-8ad2-0968d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:46.000Z" ,
"modified" : "2018-08-27T07:43:46.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_comment" : "Cert-IST Malware Name" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Outlook"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb3-5430-49a6-b4cb-7268d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:47.000Z" ,
"modified" : "2018-08-27T07:43:47.000Z" ,
"labels" : [
"misp:type=\"target-location\"" ,
"misp:category=\"Targeting data\""
] ,
"x_misp_category" : "Targeting data" ,
"x_misp_comment" : "Cert-IST Targeted Country" ,
"x_misp_type" : "target-location" ,
"x_misp_value" : "Germany"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb3-e5fc-480d-b4a6-10f2d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:47.000Z" ,
"modified" : "2018-08-27T07:43:47.000Z" ,
"labels" : [
"misp:type=\"target-location\"" ,
"misp:category=\"Targeting data\""
] ,
"x_misp_category" : "Targeting data" ,
"x_misp_comment" : "Cert-IST Targeted Country" ,
"x_misp_type" : "target-location" ,
"x_misp_value" : "France"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb3-39a4-4cb2-a08f-10a6d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:47.000Z" ,
"modified" : "2018-08-27T07:43:47.000Z" ,
"labels" : [
"misp:type=\"datetime\"" ,
"misp:category=\"Other\""
] ,
"x_misp_category" : "Other" ,
"x_misp_comment" : "Cert-IST First Seen Date" ,
"x_misp_type" : "datetime" ,
"x_misp_value" : "2015-12-31T23:00:00+00:00"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b83abb3-7e7c-4c8f-a29f-10f4d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-27T07:43:47.000Z" ,
"modified" : "2018-08-27T07:43:47.000Z" ,
"labels" : [
"misp:type=\"datetime\"" ,
"misp:category=\"Other\""
] ,
"x_misp_category" : "Other" ,
"x_misp_comment" : "Cert-IST First Disclosed Date" ,
"x_misp_type" : "datetime" ,
"x_misp_value" : "2018-08-21T22:00:00+00:00"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b8fa050-e5e8-424e-9b8d-07a7d5388438" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-09-05T09:22:24.000Z" ,
"modified" : "2018-09-05T09:22:24.000Z" ,
"first_observed" : "2018-09-05T09:22:24Z" ,
"last_observed" : "2018-09-05T09:22:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b8fa050-e5e8-424e-9b8d-07a7d5388438"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b8fa050-e5e8-424e-9b8d-07a7d5388438" ,
"value" : "https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:30:11.000Z" ,
"modified" : "2018-08-30T12:30:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/" ,
"category" : "External analysis" ,
"uuid" : "84e013cb-ecaf-4f21-9ee8-796886e3454a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/65" ,
"category" : "Other" ,
"uuid" : "31d8cb43-4506-45d0-93c0-0785a2394bbe"
} ,
{
"type" : "text" ,
"object_relation" : "comment" ,
"value" : "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28222) Detection: Trojan ( 00461fd31 )\r\nK7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 )\r\nTrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17963) Detection: Win32/Turla.N\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen\r\nBitDefender (7.2) Detection: Trojan.GenericKD.1592844\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.m!c\r\nAvast (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J)\r\nEndgame (3.0.1) Detection: No detection\r\nSophos (4.98.0) Detection: Troj/Turla-F\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.27\r\nVIPRE (69182) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: No detection\r\nMcAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.H\r\nJiangmin 
(16.0.100) Detection: Backdoor/Turla.b\r\nWebroot (1.0.0.403) Detection: W32.Trojan.GenKD\r\nAvira (8.3.3.6) Detection: TR/Rogue.290816.12\r\nMAX (2017.11.15.1) Detection: malware (ai score=83)\r\nAntiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric\r\nKingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud)\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAd-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir\r\nYandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU\r\nIkarus (0.1.5.2) Detection: Trojan.SuspectCRC\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.N!tr\r\nAVG (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nPanda (4.6.4.2) Detection: Trj/Genetic.gen\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9" ,
"category" : "Other" ,
"uuid" : "50384da0-f70b-4e0d-96cf-653a6bfe5c6d"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-29T14:17:42" ,
"category" : "Other" ,
"uuid" : "78651b01-2afe-40cb-b40d-a1e929df79b0"
}
] ,
"x_misp_comment" : "File 7009af646c6c3e6abc0af744152ca968" ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8adddb25-84d0-4480-9221-68e2d85b6cba" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:30:11.000Z" ,
"modified" : "2018-08-30T12:30:11.000Z" ,
"description" : "Backdoor DLL" ,
"pattern" : "[file:hashes.MD5 = '7009af646c6c3e6abc0af744152ca968' AND file:hashes.SHA1 = '8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2' AND file:hashes.SHA256 = 'e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-30T12:30:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:31:08.000Z" ,
"modified" : "2018-08-30T12:31:08.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/" ,
"category" : "External analysis" ,
"uuid" : "5ca9d215-5e2a-42c3-bea4-b66b2748f54e"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/65" ,
"category" : "Other" ,
"uuid" : "ff44d53e-022b-4782-ab44-0ac4df101a82"
} ,
{
"type" : "text" ,
"object_relation" : "comment" ,
"value" : "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: RDN/Generic.com\r\nCylance (2.3.1.101) Detection: Unsafe\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28228) Detection: Trojan ( 004fb2be1 )\r\nK7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 )\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.I\r\nSymantec (1.7.0.0) Detection: Trojan.Gen.2\r\nESET-NOD32 (17964) Detection: a variant of Win32/Turla.R\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak\r\nBitDefender (7.2) Detection: Trojan.Generic.21818445\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt\r\nViRobot (2014.3.20.0) Detection: No detection\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey\r\nAd-Aware (3.0.5.370) Detection: Trojan.Generic.21818445\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.111\r\nVIPRE (69200) Detection: No detection\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: 
No detection\r\nAvira (8.3.3.6) Detection: TR/AD.Turla.ckypp\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C\r\nEndgame (3.0.1) Detection: No detection\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.4!c\r\nZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445\r\nTACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: No detection\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD)\r\nYandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.AK!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0" ,
"category" : "Other" ,
"uuid" : "304c97d6-a81d-4b24-87b9-3b198f39a2bb"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-30T05:52:57" ,
"category" : "Other" ,
"uuid" : "5adce2fa-bb3d-4a93-b348-3da8877ae372"
}
] ,
"x_misp_comment" : "File af8889f4705145d4390ee8d581f45436" ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--46a74309-e65f-4fd7-b816-917ade7475c9" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:31:08.000Z" ,
"modified" : "2018-08-30T12:31:08.000Z" ,
"description" : "Backdoor DLL" ,
"pattern" : "[file:hashes.MD5 = 'af8889f4705145d4390ee8d581f45436' AND file:hashes.SHA1 = 'cf943895684c6ff8d1e922a76b71a188cfb371d7' AND file:hashes.SHA256 = '6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-30T12:31:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--cba9ad80-221b-4873-af6c-3a5e678f9a3b" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:31:37.000Z" ,
"modified" : "2018-08-30T12:31:37.000Z" ,
"description" : "Backdoor DLL" ,
"pattern" : "[file:hashes.SHA1 = '851dffa6cd611dc70c9a0d5b487ff00bc3853f30']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-30T12:31:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:32:01.000Z" ,
"modified" : "2018-08-30T12:32:01.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/" ,
"category" : "External analysis" ,
"uuid" : "18187d0c-367d-4bdd-903b-1535c3b6295c"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/67" ,
"category" : "Other" ,
"uuid" : "c9b90b46-8d03-4899-a721-3535cdbef578"
} ,
{
"type" : "text" ,
"object_relation" : "comment" ,
"value" : "Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10\r\nMicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: TrojanSpy.Agent\r\nMcAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: No detection\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28216) Detection: Trojan ( 005097051 )\r\nK7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 )\r\nArcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17962) Detection: Win32/Turla.AW\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1\r\nKaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe\r\nBitDefender (7.2) Detection: Gen:Variant.Zusy.258575\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Troj.W32.Gen.lJ0K\r\nRising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD)\r\nAd-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575\r\nEmsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B)\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575\r\nDrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438\r\nVIPRE (69176) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) 
Detection: W32/Turla.G\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: No detection\r\nAvira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nEndgame (3.0.1) Detection: malicious (high confidence)\r\nMicrosoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAhnLab-V3 (3.13.1.21616) Detection: No detection\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: TrojanSpy.Agent\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye\r\nYandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nCybereason (1.2.27) Detection: malicious.62d7c9\r\nPaloalto (1.0) Detection: generic.ml\r\nCrowdStrike (1.0) Detection: malicious_confidence_70% (D)\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45" ,
"category" : "Other" ,
"uuid" : "56d584fc-bfc7-424a-b4ce-d5b46c612323"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-29T09:57:38" ,
"category" : "Other" ,
"uuid" : "73940c69-6556-412e-915e-d7d1a07f205b"
}
] ,
"x_misp_comment" : "File ff8c3f362d7c9b9a19cfa09b4b3cfc75" ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c" ,
"created_by_ref" : "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f" ,
"created" : "2018-08-30T12:32:01.000Z" ,
"modified" : "2018-08-30T12:32:01.000Z" ,
"description" : "Dropper" ,
"pattern" : "[file:hashes.MD5 = 'ff8c3f362d7c9b9a19cfa09b4b3cfc75' AND file:hashes.SHA1 = 'f992abe8a67120667a01b88cd5bf11ca39d491a0' AND file:hashes.SHA256 = '881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-30T12:32:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--149e7c2a-e5a8-4aa2-9b31-8f19d5f42c6d" ,
"created" : "2021-03-09T11:51:15.000Z" ,
"modified" : "2021-03-09T11:51:15.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--8adddb25-84d0-4480-9221-68e2d85b6cba" ,
"target_ref" : "x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--8874b545-599d-4fde-ba4d-b16156593698" ,
"created" : "2021-03-09T11:51:15.000Z" ,
"modified" : "2021-03-09T11:51:15.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--46a74309-e65f-4fd7-b816-917ade7475c9" ,
"target_ref" : "x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--6c9ec985-f47c-4706-b736-cc1c71536805" ,
"created" : "2021-03-09T11:51:15.000Z" ,
"modified" : "2021-03-09T11:51:15.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c" ,
"target_ref" : "x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:AMBER" ,
"definition" : {
"tlp" : "amber"
}
}
]
}