2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:54:13.000Z" ,
"modified" : "2023-04-17T13:54:13.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:54:13.000Z" ,
"modified" : "2023-04-17T13:54:13.000Z" ,
"name" : "SNOWYAMBER - Malware Analysis Report" ,
"published" : "2023-04-18T07:18:11Z" ,
"object_refs" : [
"observed-data--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"file--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"indicator--2c9097c1-7c12-419f-a80a-8ee7740a006c" ,
"indicator--9af93eb7-62c1-4284-9f68-085df52485da" ,
"indicator--931b2bf8-8273-4a00-b720-79ef2cf0197f" ,
"indicator--0a3912ce-c191-4242-a648-16471e7b22ac" ,
"indicator--a07de07e-8918-48f9-a7ed-fe224af7debb" ,
"indicator--9320ff1a-1b4f-4215-a606-fa08d722bc50" ,
"indicator--b64caea6-1cfb-41bf-8500-44c68a6a4209" ,
"indicator--6d824e3d-4f47-47a1-bb16-004fbe3f883b" ,
"indicator--735b8086-30e6-48f0-b41f-176143a0cecd" ,
"indicator--2370ce17-a271-4cb6-b6eb-f7342ffc6415" ,
"indicator--4af4ff1a-5174-463c-b3d7-a5ed83251879" ,
"indicator--d984944c-9e4d-4a17-92df-5629b25f3195" ,
"indicator--b03218e2-51f5-4f6a-b346-5e3a32ce79e0" ,
"x-misp-object--443b388e-54ed-4a9d-b628-a6b90807a495" ,
"indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca" ,
"indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a" ,
"indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed" ,
"indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920" ,
"indicator--ef951d3f-c15c-43db-ac22-67316faf4dfd" ,
"indicator--88421de8-4479-4a9c-9433-9d918795a10b" ,
"indicator--515a4264-5f6e-4690-b9b0-6eb6a31aa972" ,
"indicator--11702c83-79b9-4a02-9e48-93534a11ed08" ,
"indicator--2a667d0c-1f7f-41d4-8ba2-2e44d839b432" ,
"indicator--26da3ae3-4d28-49c3-a4d7-2b86cca4f59a" ,
2024-04-05 12:15:17 +00:00
"relationship--053d59e2-b937-4c47-91c9-7b62f1b060ee" ,
"relationship--84b70d33-8113-4cce-b182-b797f9f44427" ,
"relationship--12d982a2-18af-4456-b003-da7e83197ae2" ,
"relationship--01114424-ec69-4062-8f01-25bf1a2a4001" ,
"relationship--ba91dde8-f158-4c44-aaeb-a851ba104352" ,
"relationship--74cca6a8-01d7-4fe7-a5c1-815c00859aa9"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"tlp:clear" ,
"misp-galaxy:tool=\"SNOWYAMBER\"" ,
"misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"" ,
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"" ,
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"" ,
"misp-galaxy:mitre-attack-pattern=\"Right-to-Left Override - T1036.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"" ,
"misp-galaxy:mitre-attack-pattern=\"One-Way Communication - T1102.003\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T10:13:52.000Z" ,
"modified" : "2023-04-17T10:13:52.000Z" ,
"first_observed" : "2023-04-17T10:13:52Z" ,
"last_observed" : "2023-04-17T10:13:52Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"name" : "PhishMailImpers1.png" ,
"content_ref" : "artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B G g A A A J c C A Y A A A C l s Z K x A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X l 8 D d f / P / D X Z L 3 Z i U g I I h E k F Q R B E K V 2 a i u N W J o P b b X 4 W G o p j d q r a F V V l Z a i t V a s F W u p 2 n e S i J 3 c r B L Z E d n 31 + + P 2 z s y u d l s 9 f t 8e56 P x 33 U n T l z z p l z Z q 7 O 25 x z J J K E I A i C I A i C I A i C I A i C 8 N r o v e 4 K C I I g C I I g C I I g C I I g / N u J A I 0 g C I I g C I I g C I I g C M J r J g I 0 g i A I g i A I g i A I g i A I r 5 k I 0 A i C I A i C I A i C I A i C I L x m I k A j C I I g C I I g C I I g C I L w m o k A j S A I g i A I g i A I g i A I w m s m A j S C I A i C I A i C I A i C I A i v m Q j Q C I I g C I I g C I I g C I I g v G Y i Q C M I g i A I g i A I g i A I g v C a i Q C N I A i C I A i C I A i C I A j C a 1 a p A E 2 n T p 0 g S R I k S c K + f f t e e i V 69 + 4 N P T 0 9 n D p 16 p m P z c z M h C R J 8 P f 3 x 61 b t y B J E i 5 c u K C T b v D g w Z A k C W v W r H k Z V V a 4 e f M m J E n C 2 b N n X 3 r e / y v C w s I g S R L + + u u v V 1 r O q + h H G x s b L F i w 4 K X l 909 K S U m B J E n Y t W v X C + U z b d o 0 u L i 4 A A A G D R q E H j 16 v I z q P Z O A k A y Y T 1 D j Y U b h P 1 r u 7 f g 8 m E 9 Q 40 J 4 d q W P G b k x A V 2 X x b 5 w 2 Q 7 T I 7 D 4 y K M X z g c A N p x / A v M J a h Q U s d L H Z O Y W 4 e f T q e i 0 N A Y 1 p o b D e l I Y G s y K x L B 18 T h + N + u l 1 E s Q B E E Q B E E Q h M q p M E C T m J i I 0 6 d P y 9937 t z 50 i t x 6 d I l T J s 2 D R 0 7 d n z m Y 0 1 N T S F J E s z N z W F u b g 4 A 8 n + 1 U l N T s W / f P j R t 2 h Q b N 258 K X U u r l a t W l i 1 a h X q 169 f q f S 3 b t 2 C o 6 P j S 68 H A N j a 2 i I q K u q F 0 1 T k V Z 5 D W V 51 P / 6 b l b x / S t 5 D w v 89 Z 9 T Z a P x F F I 7 f z c L n v a x x f a 4 j o r + u h 4 M T a s H T S Y W P N i V g 0 o 4 k s P L x H k E Q B E E Q B E E Q X k C F A Z p d u 3 a h q K g I T Z o 0 A Q D s 27 c P u b m 5 L 60 C q a m p G D R o 0 H O / w S B J E k x N T W F u b g 4 z M z M A u g E a f 39 / m J q a 4 r v v v s P 58 + c R F h b 2 w v U u r m r V q h g z Z g x q 1 K h R q f R B Q U E v t X y t + / f v I z k 5 + Y X T V M a r O o f y v O p + / D c z M z O T 75 v i f 66 s n J w c r F u 3 D p c v X 34 V 1 R N e s j 9 u Z m L Y u n i s G 14 D 20 f Z o 3 s j M 9 h a 6 M N C p Y e G d k a Y 2 K U q L k y v i 5 P 3 s r H q V O r r r u 7 / t N m z Z y M 6 O v p 1 V 0 M Q B E E Q B E H 4 H 1 B h g E b 7 x s y 4 c e P g 6 u q K t L Q 0 H D l y R N 4 f E R E B W 1 t b e Q h U R R / t U I z c 3 F z M m z c P r V q 1 w q + //gp7e3sMHjwYoaGhivLNzc0hSRIOHDhQZh0//vhjODo6wsLCAiNHjkS1atUU+zds2AAfHx907twZdevWxebNm3XyWLduHRo3bgxTU1PY2Njg3XffRWxsbKX2lxziFBMTAx8fH9jZ2cHExASNGjWSh+TMmzcPI0aMQHR0NCRJwvfffw8ACAwMRLdu3WBjYwNzc3O0bt1aMVxo1apVsLW1xaVLl+Dp6QkrKyvUq1cPv/76KwDg5MmTqFu3LgDAyckJ77zzjs45lpUmNjYWgwcPhrW1NYyNjdGkSRNs2bKlzPYu6xwAzZCz9957DxYWFrCyssLkyZNRWPh0yEpwcDB69OgBGxsbWFpaYuDAgZV+eKmoH7VtdPLkSbi7u8PMzAzu7u64du0aNm7ciIYNG8LS0hJvv/22TpCqoKAAkydPho2NDczMzDBgwAA8fPhQ3l9R/wAvdg1Vtoyff/4ZDg4OMDExgZeXF27duqXTTufOnUOHDh3kwGXnzp1x5coVef+PP/4IOzs77Nu3D3Z2dpg2bRo8PDwwcOBAAEDHjh3RrVu3SvVJfHw8Zs2ahTp16uCbb76BiYkJMnOLYD5BXepnw/knmvYuIqbsTEatz8JRY2o4PtiQgCfZRco+KSIWHXqI5l9Gw2ZKGNznR2HdmSeKNE4zIrDqVCpm7ElBw9mRqDktHIN+jkNiWuEz5VPSkj8fwW5qOK7GlB2MNtAD9l3LQLMvo2E9KQytF0Uj+H6OIs3GC2nwWKjZX8cvAh9uTEBSuu4QrpP3smA+QY1LkcrjbzzIhfkENf66oxludCUqB92/j0X1KWFwmR2JWQEpyC1QvuISlpSPLt/FoNrkMNSfGYktl9IU+5PSCzF2ayI2fVgDXVxNcSkyB12+i4HNlDA0/zIax+9moefyWPx2KQ2rhtnimyOPkF/4tIwN55+g1aJoVJ8SBofpERi2Lh4PUgvk/SkZhfh4cwJc50Si+pQwdFoagzPqp8PHZuxJKfXaaDg7EgBwL0Ez5Oy0OhtD1sbBYXoEnGZE4NOdySgsdonsDEqH1+L7sJsaDofpEfD5OQ6RKfny/nVnnsDx8wicUWejzdf3YftpGNp8fR83HuTit0tpcJ8fhRpTwzFwVRxSKhhW99ulNLRcqLl+PBZGY/NFTZtW5lq/desW6tevD29v73/1MFhBEARBEAShEliO+Ph46unpUU9Pj4mJiZw5cyYB0NfXV06jVqs5YMAAjh49mvr6+vL+iRMncuLEiZQkiQA4bNgwTpw4kSEhISTJvn37EgBtbGzo6+tLd3d3AmC1atV4//59OX8zMzMC4P79+8urapnu3LlDALxw4QJJctasWXRycmJRUZGc5vTp05QkiWvWrGFYWBgvXbrEDh06sG3btpXaf+PGDQLgmTNnSJJdunShl5cXL1++zLCwMP7000/U19fnkSNHmJmZyU8++YR16tRhcnIys7OzmZ2dzWrVqrFPnz68evUqb926xU8++YRmZmaMjY0lSa5du5ZGRkbs3bs3Y2JiWFRUxLlz59LQ0JCxsbHMy8vj9u3bCYDBwcFMS0vTaYvS0uTm5tLV1ZXu7u48deoUQ0NDOXfuXALg3r17S23T0s5BrVYTAJs1a8YVK1YwJCSE33zzDQFw27ZtJMn79+/T0tKSvXr14vXr13nlyhV26NCB9evXZ05Ozgv3o7aNhgwZwsePH/Px48d0cXFhvXr1+P777zMrK4uxsbGsXr06/fz85OOqVavGOnXqcMKECbxy5Qq3b99OS0tLDho0iCQr1T8veg1VtgwAnDJlCu/du8dDhw7Rw8ODALhz506S5L1796hSqThkyBBeu3aN165dY79+/WhhYcGYmBiS5Jo1a2hqasouXbrw0KFDjIiIKLftSxMYGEhfX18aGRnxzTff5J49e1hYWEiSLCoiw5PyFJ8J/om0+zSM6sRckuTXhx+y6kQ1N114wvCkPK49nUrX2RE0Gx/KlPQCkuRnu5NYfYqav136O82ZVFadqOaG80/kejSYFcEGsyK46cIT5hcWMfZxPp1nRHDi9kQ5TUX53IrLpdn4UJ4PyyJJ7rmazioT1TxyK6PM8/9wQzzd5kay38pYng/L4vmwLHp+Fc0WC6LkNFsvpdF8QiiXHHlIdWIuz6iz2PzLKLZfHE3tZVvHL5xfH37IoiKy8bxITtyWqChn/v4UNpgVwcIiMuphHu0+DePozQm8FJnNvSHpdJgezsk7kkiS68+l0uoTNXstj+H+axm8ej+HH2yIp9Unaj54nC/n+cX+FH64IZ4keS0mhzaT1fzqj4d8mFHAixHZbPNVNG2nhPGMWtMeb8yJ4OXIbJLkubAsmk8I5a/nUhmRnMcrUdns/n0MOy/V/GYXFpHtF0ezyReRPHkvk3fjczllRxKrTVbzVpym7x9mFCiujYsR2awxNYyf+GvOPTwpj2bjQ9nmq2hejNCUe+JuJs3Gh3J3ULrm+ovKpvmEUH6xP4X3EnIZGJXNXstj2OaraPk815/T9POI9fFMzSpkalYhm82PYuN5kRy9OYFZeUV88DifdaeHc/be5DL7OuBqOi0/CeWyvx4x+H4OVxx/TPMJodxzNb1S1zqp+f0aNWoUVSoVW7ZsyS1btjAvL6/MMgVBEARBEIR/p3IDNCtWrCAAduzYkSQZHBxMALS0tCz1gdrY2JgAePPmTXmbNmhz9epVedtff/1FANTX1+e9e/dIaoIHzZo1IwB
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2c9097c1-7c12-419f-a80a-8ee7740a006c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT delivering SNOWYAMBER ZIP" ,
"pattern" : "[url:value = 'totalmassasje.no/schedule.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9af93eb7-62c1-4284-9f68-085df52485da" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT delivering SNOWYAMBER ISO" ,
"pattern" : "[url:value = 'signitivelogics.com/Schedule.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--931b2bf8-8273-4a00-b720-79ef2cf0197f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "Cobalt Strike Team Server" ,
"pattern" : "[url:value = 'humanecosmetics.com/category/noteworthy/6426-7346-9789']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0a3912ce-c191-4242-a648-16471e7b22ac" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT delivering SNOWYAMBER ISO" ,
"pattern" : "[url:value = 'signitivelogics.com/BMW.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a07de07e-8918-48f9-a7ed-fe224af7debb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "BRUTERATEL C2" ,
"pattern" : "[domain-name:value = 'badriatimimi.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9320ff1a-1b4f-4215-a606-fa08d722bc50" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT delivering SNOWYAMBER ZIP" ,
"pattern" : "[url:value = 'literaturaelsalvador.com/Instructions.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b64caea6-1cfb-41bf-8500-44c68a6a4209" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT delivering SNOWYAMBER ISO" ,
"pattern" : "[url:value = 'literaturaelsalvador.com/Schedule.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6d824e3d-4f47-47a1-bb16-004fbe3f883b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT URL" ,
"pattern" : "[url:value = 'parquesanrafael.cl/note.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--735b8086-30e6-48f0-b41f-176143a0cecd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:40:35.000Z" ,
"modified" : "2023-04-17T13:40:35.000Z" ,
"description" : "ENVYSCOUT URL" ,
"pattern" : "[url:value = 'inovaoftalmologia.com.br/form.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:40:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2370ce17-a271-4cb6-b6eb-f7342ffc6415" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:43:43.000Z" ,
"modified" : "2023-04-17T13:43:43.000Z" ,
"description" : "Used to distribute phishing emails with a link to ENVYSCOUT" ,
"pattern" : "[email-message:from_ref.value = 'miodrag.sekulic@mod.gov.rs']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:43:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4af4ff1a-5174-463c-b3d7-a5ed83251879" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:43:43.000Z" ,
"modified" : "2023-04-17T13:43:43.000Z" ,
"description" : "Used to distribute phishing emails with a link to ENVYSCOUT" ,
"pattern" : "[email-message:from_ref.value = 'bohuslava.kopalova@seznam.cz']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:43:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d984944c-9e4d-4a17-92df-5629b25f3195" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:43:43.000Z" ,
"modified" : "2023-04-17T13:43:43.000Z" ,
"description" : "Used to distribute phishing emails with a link to i.php (reconnaissance?)" ,
"pattern" : "[email-message:from_ref.value = 'navratilova.lucie.etnologie@seznam.cz']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:43:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b03218e2-51f5-4f6a-b346-5e3a32ce79e0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:43:43.000Z" ,
"modified" : "2023-04-17T13:43:43.000Z" ,
"description" : "Used to distribute phishing emails with a link to ENVYSCOUT" ,
"pattern" : "[email-message:from_ref.value = 'zdenek.holych@seznam.cz']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:43:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--443b388e-54ed-4a9d-b628-a6b90807a495" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T10:10:16.000Z" ,
"modified" : "2023-04-17T10:10:16.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d" ,
"category" : "External analysis" ,
"uuid" : "b04589cb-5c03-42fc-b43f-205b9b450aeb"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "SNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls." ,
"category" : "Other" ,
"uuid" : "581fcaf2-9e37-4c87-9b3c-8d19b827bae3"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Report" ,
"category" : "Other" ,
"uuid" : "ca09fdca-c324-4a9b-a2dd-0040f07675a9"
} ,
{
"type" : "attachment" ,
"object_relation" : "report-file" ,
"value" : "SNOWYAMBER_.pdf" ,
"category" : "External analysis" ,
"uuid" : "746857c1-6069-48a8-ae9f-6e8d68f2e191" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E z N S A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E y O T c g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E y O T g g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A y N C 9 L a W R z W y A z I D A g U i A x N S A w I F I g M j Q g M C B S I D I 2 I D A g U i A y O S A w I F I g M z Y g M C B S I D M 3 I D A g U i A 0 M C A w I F I g N D E g M C B S I D Q 0 I D A g U i A 0 N S A w I F I g N D c g M C B S I D Q 4 I D A g U i A 0 O S A w I F I g N T E g M C B S I D U y I D A g U i A 1 N C A w I F I g N T U g M C B S I D U 2 I D A g U i A 1 O C A w I F I g N j E g M C B S I D Y z I D A g U i A x M j Y g M C B S I D E z M C A w I F J d I D 4 + D Q p l b m R v Y m o N C j M g M C B v Y m o N C j w 8 L 1 R 5 c G U v U G F n Z S 9 Q Y X J l b n Q g M i A w I F I v U m V z b 3 V y Y 2 V z P D w v R m 9 u d D w 8 L 0 Y x I D U g M C B S L 0 Y y I D k g M C B S L 0 Y z I D E x I D A g U i 9 G N C A x M y A w I F I + P i 9 F e H R H U 3 R h d G U 8 P C 9 H U z c g N y A w I F I v R 1 M 4 I D g g M C B S P j 4 v U H J v Y 1 N l d F s v U E R G L 1 R l e H Q v S W 1 h Z 2 V C L 0 l t Y W d l Q y 9 J b W F n Z U l d I D 4 + L 0 1 l Z G l h Q m 94 W y A w I D A g N T k 1 L j M y I D g 0 M S 45 M l 0 g L 0 N v b n R l b n R z I D Q g M C B S L 0 d y b 3 V w P D w v V H l w Z S 9 H c m 91 c C 9 T L 1 R y Y W 5 z c G F y Z W 5 j e S 9 D U y 9 E Z X Z p Y 2 V S R 0 I + P i 9 U Y W J z L 1 M v U 3 R y d W N 0 U G F y Z W 50 c y A w P j 4 N C m V u Z G 9 i a g 0 K N C A w I G 9 i a g 0 K P D w v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 x l b m d 0 a C A x M D g 2 P j 4 N C n N 0 c m V h b Q 0 K e J y 9 W N t u 2 z g Q f R f g f + D T Q i p g m v f L o i j g u G m 3 x b r N x g a K R d A H N V F S A 66 d K m o K //3OyJfKlhRfwq4fCJMcac6cGc6M2OvnxeQ2vS7Iy5e9flGk11+zG3LVG8/vP/fGi/usd5HeTWZpMZnPeqMfXwpc+itLb7L81Sty9npAvnciRhn+nLOcMKK9plIQpzj1guRZJ/r0gsw60dm4E/XecMI5ZYqMbzsRSjPCifCWGkusN/jg+BvIvR1ZcvcAryZ35cytZm870VVMkq6CwVT/fCbj953oHHT804kCYJJcUMmrmEooGwSn6QNZcj4ckF4L7Wfzoph/a2f+zXxehGTeMuqEItJTHt5I0rtA84aDd68JC47ZGoZP7AFdA8JPAyII19SbRiBCU2eOBiLCA2GGquMZkeGASGmo9cQ4Q707GogKzogxlmp1NBB9GhD5BBDlqTwahwmPQzjqj8ZhT8UhG0Fo5xtAjBLO4w8Jl/HHhIv4Ew7/JlzHfRyGOD3D4RxFLvcgdoEQC2soty2I99HmTwOhCHeNtEHC0ysUVGtb7uZ31dlliWuYTn+meUb6s3S6eMASOUls/EAus/t5nsi4eFaxrMETWlGlD4e3N0NXakV3iYwLYd0aECjYRjjdLJTS3EnOcXHr4e2tpUGlM1tUCCg8pqJhS8xIhupg+Wsnun2xpvF3owX6ng931MI6r7OuHPcH2yEEsxXNjGljdrZWdlDHcccxtxoxSoSS1IM246jypUVGlQvKUuXKF0uHrYBWZbjhgvawwCHyNFWm1Rv/lxUY3cHMaPOSqHmJeekPjjZmOJO6YqBy1rjdvcrp0Niak6531MIevF66X9Ppep9Ds+xsmwd+I0Kk/ASIbezK+hngxvBTo0daJWxL9FQzJCLUmggIC1BhFKMKarjhdHn8pYTYIV2+0Sm8olqAjRA4u2mobtS6reLoT6k0tRr6EUWlJQL6NQ9BBX1jmefxHQz3f2J6R3Kflh+t9H3HF0OlREFHpSoFJdjAHYb0rxKyBazSZh329KYAie2uU0sKrrZaU1Nv9t7PJ0lXxDMsfCS9eVzWQ1h5gGLYlfGCfMHZ4s9aVXwWKAXeEqIN1N4aaAJzIxQ19W+UIRJQkjHFofxXpPmCDOY/ZomKiwwah3yCUiV/OJ1ui99lyXLzOkt0TEZZ/liuwzQon1p4CnmgxZC9fNrAfDLf9Kn1R1ibJbRU8DnVomyvzS6szQayDqtTPzhHd1/iMIYwoBA2F38H5sFzdHoLgB0eGqlYt+LYSuNpoAbAcItdPRxQyL3r7Bc9KVHJdxays8NbCLBAlYKSQI03qiXbiUpXe8izGyrq9x9AocMN2fBNwmV5JdaHs3gPnsgn0+UV2a4/ngcBdUNf2QSBYO3Dsje+vooFEzK0aqnxbqHZ+r13LjywE5yiriG9P3KKtLPAtmOrwVqVtpyD/wDS/EKiDQplbmRzdHJlYW0NCmVuZG9iag0KNSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMS9CYXNlRm9udC9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgNiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyNS9XaWR0aHMgMTI3MyAwIFI+Pg0KZW5kb2JqDQo2IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREVFRStSYWpkaGFuaS1SZWd1bGFyL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDkzMC9EZXNjZW50IC0zNDYvQ2FwSGVpZ2h0IDkzMC9BdmdXaWR0aCA0NzcvTWF4V2lkdGggMjQzNi9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA0Ny9Gb250QkJveFsgLTQxNiAtMzQ2IDIwMjAgOTMwXSAvRm9udEZpbGUyIDEyNzEgMCBSPj4NCmVuZG9iag0KNyAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL2NhIDE+Pg0KZW5kb2JqDQo4IDAgb2JqDQo8PC9UeXBlL0V4dEdTdGF0ZS9CTS9Ob3JtYWwvQ0EgMT4+DQplbmRvYmoNCjkgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjIvQmFzZUZvbnQvQkNERkVFK1ZlcmRhbmEtQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTAgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAzMi9XaWR0aHMgMTI3NCAwIFI+Pg0KZW5kb2JqDQoxMCAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RGRUUrVmVyZGFuYS1Cb2xkL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDEwMDUvRGVzY2VudCAtMjA3L0NhcEhlaWdodCA3NjUvQXZnV2lkdGggNTY4L01heFdpZHRoIDIyNTcvRm9udFdlaWdodCA3MDAvWEhlaWdodCAyNTAvU3RlbVYgNTYvRm9udEJCb3hbIC01NTAgLTIwNyAxNzA3IDc2NV0gL0ZvbnRGaWxlMiAxMjc1IDAgUj4+DQplbmRvYmoNCjExIDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YzL0Jhc2VGb250L0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTIgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjEvV2lkdGhzIDEyNzkgMCBSPj4NCmVuZG9iag0KMTIgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNER0VFK1JhamRoYW5pLV
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T11:35:13.000Z" ,
"modified" : "2023-04-17T11:35:13.000Z" ,
"pattern" : "[file:name = 'vcruntime140.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T11:35:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T11:34:34.000Z" ,
"modified" : "2023-04-17T11:34:34.000Z" ,
"pattern" : "[file:name = 'schedule.zip']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T11:34:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:09:19.000Z" ,
"modified" : "2023-04-17T13:09:19.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd0efe94196b4923eb644ec0b53d226cc' AND file:hashes.SHA1 = 'c938934c0f5304541087313382aee163e0c5239c' AND file:hashes.SHA256 = '381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c' AND file:name = '7za.dll' AND file:size = '270336']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:09:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T11:35:28.000Z" ,
"modified" : "2023-04-17T11:35:28.000Z" ,
"pattern" : "[file:name = 'november_schedulexe.pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T11:35:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ef951d3f-c15c-43db-ac22-67316faf4dfd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T11:55:08.000Z" ,
"modified" : "2023-04-17T11:55:08.000Z" ,
"pattern" : "[file:name = 'Instructions.lnk']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T11:55:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--88421de8-4479-4a9c-9433-9d918795a10b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:13:28.000Z" ,
"modified" : "2023-04-17T13:13:28.000Z" ,
"description" : "It seems that the adversary made a mistake while compiling this sample. Internal functions were added to exports (authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While binary itself is stripped, those exported functions have names that can be demangled revealing naming, prototypes and datatypes." ,
"pattern" : "[file:hashes.MD5 = 'cf36bf564fbb7d5ec4cec9b0f185f6c9' AND file:hashes.SHA1 = '8eb64670c10505322d45f6114bc9f7de0826e3a1' AND file:hashes.SHA256 = 'e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98' AND file:name = 'BugSplatRc64.dll' AND file:size = '271360']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-02-08T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--515a4264-5f6e-4690-b9b0-6eb6a31aa972" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T12:52:58.000Z" ,
"modified" : "2023-04-17T12:52:58.000Z" ,
"name" : "APT29_SNOWYAMBER" ,
"pattern" : "rule APT29_SNOWYAMBER\r\n{\r\nmeta:\r\ndescription = \\\\\"Detects APT29-linked SNOWYAMBER dropper\\\\\"\r\nstrings:\r\n// Payload decryption loop\r\n// Custom algorithm based on XOR\r\n$op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45\r\n00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}\r\n// Decryption routine generated by Obfuscate library\r\n$op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}\r\n// Hardcoded inital value used as beaconing counter\r\n$op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}\r\n// src/json.hpp - string left in binary using nlohmann JSON\r\n$str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n$str_nlohmann\r\nand\r\n$op_decrypt_string\r\nand\r\n($op_initialize_emoji or $op_decrypt_payload)\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2023-04-17T12:52:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--11702c83-79b9-4a02-9e48-93534a11ed08" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:23:23.000Z" ,
"modified" : "2023-04-17T13:23:23.000Z" ,
"pattern" : "[file:hashes.MD5 = '82ecb8474efe5fedcb8f57b8aafa93d2' AND file:hashes.SHA1 = '3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c' AND file:hashes.SHA256 = '4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b' AND file:name = 'BugSplatRc64.dll' AND file:size = '301056']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:23:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2a667d0c-1f7f-41d4-8ba2-2e44d839b432" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:33:33.000Z" ,
"modified" : "2023-04-17T13:33:33.000Z" ,
"description" : "2nd stage - CobaltStrike beacon (decrypted)" ,
"pattern" : "[file:hashes.MD5 = '800db035f9b6f1e86a7f446a8a8e3947' AND file:hashes.SHA1 = 'aaf973a56b17a0a82cf1b3a49ff68da1c50283d4' AND file:hashes.SHA256 = '032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e' AND file:name = 'hXaIk1725.pdf' AND file:size = '261635']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:33:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--26da3ae3-4d28-49c3-a4d7-2b86cca4f59a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-17T13:35:25.000Z" ,
"modified" : "2023-04-17T13:35:25.000Z" ,
"description" : "2nd stage \u2013 BruteRatel stageless badger (decrypted)" ,
"pattern" : "[file:hashes.MD5 = '0e594576bb36b025e80eab7c35dc885e' AND file:hashes.SHA1 = 'a8a82a7da2979b128cbeddf4e70f9d5725ef666b' AND file:hashes.SHA256 = 'ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d' AND file:name = 'hXaIk1314.pdf' AND file:size = '347837']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-17T13:35:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--053d59e2-b937-4c47-91c9-7b62f1b060ee" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:35:13.000Z" ,
"modified" : "2023-04-17T11:35:13.000Z" ,
"relationship_type" : "contained-within" ,
"source_ref" : "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca" ,
"target_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--84b70d33-8113-4cce-b182-b797f9f44427" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:33:58.000Z" ,
"modified" : "2023-04-17T11:33:58.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a" ,
"target_ref" : "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--12d982a2-18af-4456-b003-da7e83197ae2" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:34:12.000Z" ,
"modified" : "2023-04-17T11:34:12.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a" ,
"target_ref" : "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--01114424-ec69-4062-8f01-25bf1a2a4001" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:34:34.000Z" ,
"modified" : "2023-04-17T11:34:34.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a" ,
"target_ref" : "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--ba91dde8-f158-4c44-aaeb-a851ba104352" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:35:38.000Z" ,
"modified" : "2023-04-17T11:35:38.000Z" ,
"relationship_type" : "contained-within" ,
"source_ref" : "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed" ,
"target_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--74cca6a8-01d7-4fe7-a5c1-815c00859aa9" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-04-17T11:35:28.000Z" ,
"modified" : "2023-04-17T11:35:28.000Z" ,
"relationship_type" : "contained-within" ,
"source_ref" : "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920" ,
"target_ref" : "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}