misp-circl-feed/feeds/circl/misp/ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9.json

1446 lines
754 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:17:48.000Z",
"modified": "2020-12-30T14:17:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:17:48.000Z",
"modified": "2020-12-30T14:17:48.000Z",
"name": "RegretLocker - compiled information, activity and samples",
"published": "2020-12-30T15:52:46Z",
"object_refs": [
"x-misp-attribute--6dbfc982-fc1f-4c82-ac73-0d9a407d6684",
"observed-data--42f702b7-229b-4399-a2fe-8b693af95dd8",
"url--42f702b7-229b-4399-a2fe-8b693af95dd8",
"observed-data--b6916923-3724-4874-9bae-3ca7306971eb",
"url--b6916923-3724-4874-9bae-3ca7306971eb",
"observed-data--b690c46e-0cac-4feb-8b99-db3b7bba4f99",
"url--b690c46e-0cac-4feb-8b99-db3b7bba4f99",
"observed-data--c84562fb-02e8-4ab8-936e-2795dd238613",
"url--c84562fb-02e8-4ab8-936e-2795dd238613",
"observed-data--aadc3450-a27d-4298-8f5a-4044ce6944c1",
"url--aadc3450-a27d-4298-8f5a-4044ce6944c1",
"indicator--8627f24c-f338-44f2-87dc-893c17f11e46",
"indicator--30cea38a-9c7b-4857-a681-18dea3ca092f",
"x-misp-attribute--3ababeaf-c5dd-4760-bf5b-cb76cb4ecd20",
"x-misp-object--004bcecb-dfdb-4e60-94a2-53e6a7c7e65e",
"indicator--d485ac66-e0e8-47cb-ad29-b8bdc8340d4e",
"x-misp-object--4c2a0d50-bf8d-4e94-9396-31303bc82625",
"indicator--7f83f602-a73e-4eda-8fb9-f1e85be3451b",
"indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c",
"indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936",
"x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73",
"observed-data--369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"file--d88a8992-7c4c-58a0-b1b0-0237117d35c2",
"observed-data--fcb9011a-2d16-4550-a05c-1921de1c107d",
"file--561f7abb-f7a9-5165-842f-9f8571bc74cf",
"x-misp-object--d78f50d8-cd5d-4dcd-94de-e079b92bdaa7",
"x-misp-object--9b5a1501-69e1-4ba7-a44a-c66fbf773aff",
"x-misp-object--30abb88a-cbc5-4960-9b49-2b11904f6354",
"x-misp-object--23df8d28-7dc8-4524-a1a6-9585c30be9d5",
"x-misp-object--a96d75ef-7797-4f2a-82ba-754da2ffa4e1",
"x-misp-object--f19826b2-8b7c-4826-8575-863438b660ec",
"x-misp-object--66a147e0-b788-4de3-ade4-c97530981c46",
"x-misp-object--465f9a97-b302-4abe-a54a-a52022e473dc",
"x-misp-object--36023bd1-e08a-4d80-8666-f974049fce9b",
"x-misp-object--af6451da-ae31-4b1f-ae44-fd5e5bd45eed",
"note--0d5ea620-4f7d-43a0-afd9-8b21a5de1095",
2023-12-14 13:47:04 +00:00
"relationship--c1929fc8-dad8-40c8-813a-64c3a4618aae",
"relationship--b7f5d24b-8f4e-4533-b098-8893bffaa53c",
"relationship--f88a41b9-a392-4351-819a-0fc6988733c4"
2023-06-14 17:31:25 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"RegretLocker\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--6dbfc982-fc1f-4c82-ac73-0d9a407d6684",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:15:40.000Z",
"modified": "2020-12-30T13:15:40.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Attribution\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "The malware writter has 2 weird checks to check for a particular user name and PC name(WIN-295748OMAKG). If the user name or the PC name matches, the malware will exit immediately.",
"x_misp_type": "text",
"x_misp_value": "WIN-295748OMAKG"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--42f702b7-229b-4399-a2fe-8b693af95dd8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:42:36.000Z",
"modified": "2020-12-30T13:42:36.000Z",
"first_observed": "2020-12-30T13:42:36Z",
"last_observed": "2020-12-30T13:42:36Z",
"number_observed": 1,
"object_refs": [
"url--42f702b7-229b-4399-a2fe-8b693af95dd8"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
2023-04-21 13:25:09 +00:00
"type": "url",
2023-06-14 17:31:25 +00:00
"spec_version": "2.1",
"id": "url--42f702b7-229b-4399-a2fe-8b693af95dd8",
"value": "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b6916923-3724-4874-9bae-3ca7306971eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:47:27.000Z",
"modified": "2020-12-30T13:47:27.000Z",
"first_observed": "2020-12-30T13:47:27Z",
"last_observed": "2020-12-30T13:47:27Z",
"number_observed": 1,
"object_refs": [
"url--b6916923-3724-4874-9bae-3ca7306971eb"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--b6916923-3724-4874-9bae-3ca7306971eb",
"value": "https://twitter.com/VK_Intel/status/1323693700371914753"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b690c46e-0cac-4feb-8b99-db3b7bba4f99",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:47:28.000Z",
"modified": "2020-12-30T13:47:28.000Z",
"first_observed": "2020-12-30T13:47:28Z",
"last_observed": "2020-12-30T13:47:28Z",
"number_observed": 1,
"object_refs": [
"url--b690c46e-0cac-4feb-8b99-db3b7bba4f99"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--b690c46e-0cac-4feb-8b99-db3b7bba4f99",
"value": "https://twitter.com/malwrhunterteam/status/1321375502179905536"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--c84562fb-02e8-4ab8-936e-2795dd238613",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:47:28.000Z",
"modified": "2020-12-30T13:47:28.000Z",
"first_observed": "2020-12-30T13:47:28Z",
"last_observed": "2020-12-30T13:47:28Z",
"number_observed": 1,
"object_refs": [
"url--c84562fb-02e8-4ab8-936e-2795dd238613"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--c84562fb-02e8-4ab8-936e-2795dd238613",
"value": "https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--aadc3450-a27d-4298-8f5a-4044ce6944c1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:48:46.000Z",
"modified": "2020-12-30T13:48:46.000Z",
"first_observed": "2020-12-30T13:48:46Z",
"last_observed": "2020-12-30T13:48:46Z",
"number_observed": 1,
"object_refs": [
"url--aadc3450-a27d-4298-8f5a-4044ce6944c1"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--aadc3450-a27d-4298-8f5a-4044ce6944c1",
"value": "https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8627f24c-f338-44f2-87dc-893c17f11e46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:49:44.000Z",
"modified": "2020-12-30T13:49:44.000Z",
"description": "Source url",
"pattern": "[url:value = 'http://344744.cloud4box.ru/files/locker/locker.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-12-30T13:49:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--30cea38a-9c7b-4857-a681-18dea3ca092f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:50:02.000Z",
"modified": "2020-12-30T13:50:02.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.248.203.209']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-12-30T13:50:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--3ababeaf-c5dd-4760-bf5b-cb76cb4ecd20",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:14:34.000Z",
"modified": "2020-12-30T14:14:34.000Z",
"labels": [
"misp:type=\"windows-scheduled-task\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "Next, it also schedules the malware as a task every minite using this Schtasks.exe command, which is run from cmd.exe using ShellExecuteA.",
"x_misp_type": "windows-scheduled-task",
"x_misp_value": "Mouse Application"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--004bcecb-dfdb-4e60-94a2-53e6a7c7e65e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:16:46.000Z",
"modified": "2020-12-30T13:16:46.000Z",
"labels": [
"misp:name=\"tor-hiddenservice\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "http://regretzjibibtcgb.onion/input",
"category": "Other",
"uuid": "93d56bb5-d6d7-4c3a-9b13-ba6a03a91c19"
},
{
"type": "text",
"object_relation": "address",
"value": "regretzjibibtcgb.onion",
"category": "Other",
"uuid": "770098e3-5b69-4254-a2ce-6a5102b11704"
}
],
"x_misp_comment": "the malware will first reach out to C&C at http://regretzjibibtcgb.onion/input with get_key in the query to request the RSA key.",
"x_misp_meta_category": "misc",
"x_misp_name": "tor-hiddenservice"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d485ac66-e0e8-47cb-ad29-b8bdc8340d4e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:17:31.000Z",
"modified": "2020-12-30T13:17:31.000Z",
"pattern": "[url:value = 'http://regretzjibibtcgb.onion/input' AND url:x_misp_scheme = 'http' AND url:x_misp_domain = 'regretzjibibtcgb.onion' AND url:x_misp_host = 'regretzjibibtcgb.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-12-30T13:17:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4c2a0d50-bf8d-4e94-9396-31303bc82625",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:42:10.000Z",
"modified": "2020-12-30T13:42:10.000Z",
"labels": [
"misp:name=\"crypto-material\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "type",
"value": "RSA",
"category": "Other",
"uuid": "c0be054c-863c-4cac-991d-0d03fd0bbcb6"
},
{
"type": "text",
"object_relation": "public",
"value": "-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1ZQInrnhxXCtAN/LsOX2GmgbvBxMsO49lc1/qodshkUvRQLazWv61UbMLKx2gaRQrCYuVrR1Cgd7LxY4ueGo50TqZioAJbCcfzdiXlEkJqLlz4RTU9RFZ/wFjWxChek2NsU6vLLSowPPTw+JhwTooI+QPAIYeoxCf4xz7Kvu9CQIDAQAB\r\n-----END PUBLIC KEY-----",
"category": "Other",
"uuid": "38503a70-0c58-42ca-8e54-ead2934234f6"
},
{
"type": "text",
"object_relation": "origin",
"value": "malware-extraction",
"category": "Other",
"uuid": "76f26a7c-27ba-45d5-b54e-e05bc46803f4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "crypto-material"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7f83f602-a73e-4eda-8fb9-f1e85be3451b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T13:44:12.000Z",
"modified": "2020-12-30T13:44:12.000Z",
"pattern": "rule regretlocker {\r\n\tmeta:\r\n\t\tdescription = \\\\\"YARA rule for RegretLocker\\\\\"\r\n\t\treference = \\\\\"http://chuongdong.com/reverse\\\\%20engineering/2020/11/17/RegretLocker/\\\\\"\r\n\t\tauthor = \\\\\"@cPeterr\\\\\"\r\n\t\ttlp = \\\\\"white\\\\\"\r\n\tstrings:\r\n\t\t$str1 = \\\\\"tor-lib.dll\\\\\"\r\n\t\t$str2 = \\\\\"http://regretzjibibtcgb.onion/input\\\\\"\r\n\t\t$str3 = \\\\\".mouse\\\\\"\r\n\t\t$cmd1 = \\\\\"taskkill /F /IM \\\\\\\\\\\\\"\r\n\t\t$cmd2 = \\\\\"wmic SHADOWCOPY DELETE\\\\\"\r\n\t\t$cmd3 = \\\\\"wbadmin DELETE SYSTEMSTATEBACKUP\\\\\"\r\n\t\t$cmd4 = \\\\\"bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures\\\\\"\r\n\t\t$cmd5 = \\\\\"bcdedit.exe / set{ default } recoveryenabled No\\\\\"\r\n\t\t$func1 = \\\\\"open_virtual_drive()\\\\\"\r\n\t\t$func2 = \\\\\"smb_scanner()\\\\\"\r\n\t\t$checklarge = { 81 fe 00 00 40 06 }\r\n\tcondition:\r\n\t\tall of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge\r\n}",
"pattern_type": "yara",
"pattern_version": "3.7.1",
"valid_from": "2020-12-30T13:44:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:16:23.000Z",
"modified": "2020-12-30T14:16:23.000Z",
"pattern": "[file:hashes.MD5 = '3265b2b0afc6d2ad0bdd55af8edb9b37' AND file:hashes.SHA1 = '24272beb676d956ec8a65b95a2615c9075fa9869' AND file:hashes.SHA256 = 'a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4' AND file:hashes.SHA512 = '28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94' AND file:hashes.SSDEEP = '12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT' AND file:name = 'a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4' AND file:size = '494592' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAOBwnlGigyjmIBMEAACMBwAgABwAMzI2NWIyYjBhZmM2ZDJhZDBiZGQ1NWFmOGVkYjliMzdVVAkAA4OJ7F+DiexfdXgLAAEEIQAAAAQhAAAA4w+qV2TVumgBExPgSmSziQD1hlGzokecyM6/1l00L73neqsFavY/mfDEdOQstErnproOaXa0tzfN7YJX47AEplrTFCdDjKCcIno58p8bWpW0e8c/0LYnWAm5MxwjW+tSgYLSMFs9FGgYSKfuedknRrMEVuBtqQq2s49nnovVWualfFWMwLASUj+/bZdXbw+S7/J/tvnPUQO7XflwchhdyNrc8SLQsB0JGo3QQ0YY4LZc5O8FUwMoCteLgSIb96b1wtThn6fHP4L/HDtbjVmqu+hV2VkLmGOBDEBawLE0SxctgzkSe7b6nG2+BfdnyoLMBHlLh/crG385oMKuXbpkK8ilEr8Sq4TsZBksU4ftr678KbpqM6/Ur//IBYp2OyUCyrbAHpsGYFRw0a+IDKPhBuOm3BI7MAcsPFQx5h/mGISouTPh7pFIN7tfO/+WLo33qj6+EZgxMSznNJ8iPrmMNhqGS9qfKhUAnh5KKbSvXf+7irxKDUXK+xG+BVsVs/wdmtrBVebojNww8zNHuUI2UKo3r2nTCat3LOS8oW+4cuWyWHq05xOzCh8/G3QqJJJS5uLaT77KbsuTg7ly69s47qNLrzZy9aaWEx98t45tr3ywEnQpLUa1oamQWqdqOLxVkghuVvI14ISwf1o2c0thUluAzf/n3dBwBvweqPBWAjAyo3TyKiUtQtuzum/fIqpaiawKfhd0TPPFEEDRN1QygD8FkwJ46L6HP1/d3/Jd52j/8ULM+mp0XYN0WTO1uUwFS3mK9+0cFXe2USHLG9hmbq1Rtk/c+fGQmhCjIndE12whLkjpzv1nC3JvyGOYHdX3VnB8dEzgewLCM+0RQELtbsnNILU6tW+JCq6wMZInUykcV7z0BHtEqqIT5BhJUvRpFsAQ5zm/uvzuoc726+BDsLNLmg20P1wDWlsPSEwFa5FEPhii0uPMmofLd1DcYMrpB5y9VglUTAAmjTS7OljBV9G+JPx2xRzmxtTpW+pnYQ0ELGHI4xS8CTuN6grUWt+YK/87rqerC/7McY2yu9/jZc/gWCz97fdmPVRnAovHNQEdqf3qX2+ar3eG2MkYQbKIeCUGGd00Y+4j3uhpKg1h+I3Uj8qL/FWBVDLzsI53kHQmlewL9KViOJ7OZ34ICBbNGLJOBliXbra7RnGCasLB+9XLqku04PS1fuRZSfXHUybsmY22IVW/IFGLVzmDTgK8rJXCMl5DzmBTE9HdDK2xfb3S3zlxayRw9ga/f4LPQTuBLekbziDL+LTTyy2y8gIujVZ2Yn0S57k2kI+jHwe70+b7zNr6LA0TEnRJYj8GZRj2tlOwz8ebuemI8Q7cL/oaJrjKSfzRgq7yufEjxG/qXLEGT7O2KLG9nUE4g3wY50l9MDpM/QIS2mFKUdnAHnWX4nm+BGeJ+92TioyLWOigkdB5F6M2LD6n5R0Z49gbXG+byMt0AExt0vD2CbtZf5SZA//ljgm/zYEIyytd0Bb7UEn4S1VlrCqnLKHEluXx7SHQbhKwvkbo0I9y9XxPcnfCYuWflCd6y2SoRwUNN2AjPx2Dh7hhcPyF3XvQ8TomvOMvHtzf/CxzUrZqqCTaNuS0EpmjLtD1IL93UPETMgAPCNRClbKpICbcTr8/04T2JJIEPrG/gdfSh+ox0vTHSFvDCdW0qCeQbf75baOdP9eQ0w/qPiLDtOVX8OdQVH66sMa2yWRx4aQR5MgWu9ieNer+crvDIaAwIZarHDNf0EDQv+ejDtSJkT83EMGpB8x73i3FHbr53PQOgOMb+F7BzLCvf98go6Sn4Mg7+iUndxKHeCuP+oyqWtyXRBjhmcqBZkc3SsyEtr3wwD410g4dH0/P0b80m/Qa9HlfMqybg210OqTpfiFcCuZpDo1z3cZJtfDytEGsn7hsvkkA+dDxInUCQTyDusr0w7GY1DLQl7gpKcGwvx2GshnqoPYvLQObbWSVzspvmnNg9wwCtB7bG71MIYkdYdjrEFX8547O/vvfOKViB4YgPMfFtNR4SxSnPT2jajuZiaBZlzkpdu6LI3/v0M4WffhfgGdWoKFWqe1hWyeT3t5PhO9QTEHSPeLkRGKS/UlQ0CybZ/jjomY29sDhcbh35MyyjGUeWJBCFSuv56ci1ScehEaj8nMMSDLtKAbIAxJ0PAa/6fJbvUC6rGzvzFnXk39mTJZ8z5zKr9+p4YgTxg//BB2futxB/k90fJuUkoYIz2zCxCdXJdvMqtwHX8yPpSdngNrQ6ZqTXXJJzbl05GLTuXdVhzzyWTCBgIQVGgnwi6t85R3KqfqgRUZK/91Kj0v4GE8iulctz1zQfFDSjVRY+YFVHYfsD1yllNORl0e/mH1HD2QhA2YhX7GVbwrOdkJyjeXP0rgMrfvU1zMjNagKIoStzgmRXbBwNW815rKChiHuSMN27xfPI45v6yoOjSrX9zkR4A63tAI3O+K95P2xQuupk4H1FBkLiO7k/eN4puXl/RZInPzMQykZPCd1edlQHa9aHdjNNCeVviG56836RPMphy7nR7gbh1iAtD6NrSjhG1mYTrv4kOuOqYvdDbtWbyurlXuKY0BUF+KEKphNDNwG/ccNg/NNukAezh0p17m7A6yHNvxsrfYhLPOAePh7V06BgiGUA4jErnJ5ohvxIJfX8wFF/AvRnZO487TzRipn2Rhw5osLumVCZtVaVkaaQ2xiFkfeMw8a15z/sHLzESghrwB+KHb83DYrCj4SYibZPHkQdhg0VB73piyRku+sV5Gp9OaCF+LxHRYnYdebRgxYFtDh6Ow82vtyYiC1TOpJ1151Ym9WT0r3ruNr1w51p95vchOfe7Wd80dhexpZ5yOsxxCUAZF7nDyHKKD3CzlD+vXrRu+COz2gnuADDfcc3RB0T6w0B7SBPIDFYozgEXlPVyacWxN/qa39I+3VYkInc+xPIxloOmvNb/xQ1QrdcA9tq9M0zFkDz9931ycK2i/NEFz/WLd1XS1okDboNqxHQqyNwnkm0GYtbFDAAceKWUzMIHCPs8ACXB1FVNpUtKIsDp7Xfp35nsvHDLVqw2BW6hGTgZi8EFDn1Eng0/bnS9ZS8aJcxixHfoHngyqaN8iWP0zO0x9uKAeVnQlUOfLtZAxVXkjgxb4r5h9Pxu6bvfba5tbAI5HWcqCdJqbo1jIJgoM6jU3DJbQGT8WpLjFBXV/80omA9GfYQNd6r9W4hHfsMN1rBLShvJpB6B5ujNz3o6FAXuLud45KeN2eYJbTnxGBkSv3wLc6K/N0mIpRmlNpHKiDghkQATXZMrMXvz1wRpevP28E0dHpPYtkJ551L7jD9q95/K++IVCMK6yNqk9IVq
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-12-30T14:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:09:04.000Z",
"modified": "2020-12-30T14:09:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-12-10T18:07:01+00:00",
"category": "Other",
"uuid": "8df1ad0c-2fe9-4db3-a0a0-a383d8f3dbb3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621",
"category": "Payload delivery",
"uuid": "73d0a4b0-8a60-4a18-8406-108501e8353f"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "63/70",
"category": "Payload delivery",
"uuid": "235fc20b-5747-4e39-bb6c-62c361853244"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:16:23.000Z",
"modified": "2020-12-30T14:16:23.000Z",
"pattern": "[file:hashes.MD5 = '83153f8ca7f872a1b4abd40a5bd58094' AND file:hashes.SHA1 = '6dc183ed1c644dd550207a34ac9e57c6f4b8d350' AND file:hashes.SHA256 = 'c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa' AND file:hashes.SHA512 = 'cf02eef8d7c4756b1cea7949e7543d8f38109c09178e25ecbf155bd45e96fc486cab5dc533208ff39c58d94e220de53bf4fe2120a593d5cefbd15ef57757df2c' AND file:hashes.SSDEEP = '12288:Tf0GWQ0TvvNdem7m9H0n41+nVs+x05ZxBi953uFh:TfbWQ0LF604MnNx0nxe3uF' AND file:name = 'c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa' AND file:size = '459776' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAHVxnlFd6kNhvdMDAAAEBwAgABwAODMxNTNmOGNhN2Y4NzJhMWI0YWJkNDBhNWJkNTgwOTRVVAkAA52K7F+diuxfdXgLAAEEIQAAAAQhAAAAHiQ4jT9taTUmkauEQVBQ2muo6M094sNGpYu5tTwA5gi9jpr8gf+RtgzYt5l7V8q3mUQxfgPP6hB4LAhv64zFb6puuvgM4K+DdSBy45ZSbIW/MZ177h+kBVwqsFvNJsd79NX0EVHfb/mdrx/CPdDFWREz5wRARNzToM/c8WALe5fA81/yzHVuQYLvEgZO4Y2oLcDSVqnmzzf9EfjdDZQA94agVVEM9sETnureJ34Tfgz4U8rVCCsExooUVSwNfzu/2bgOaOiPVV0SnubASi8Ky7kV5zY6fwrIIIGCweb/t3jp1qJv1krZWIBT517UwkhLBtZYrroXPW2uA5PpLpcocFR+SL6IpLZ+6/N/TEM/SYzWLK0oUy+CeAXFUVeQtamHZZhCQvtsCEAX0Ppzco8WLnHKHj5N3AuYwMcUKGEXFkn4xUY1/G54H33x9uZPCgwi1gIjZycjdPL3fHPBcg3xZgCyI5vs9tlSvOyg/KqTyhOsIO0cURTIbs/7JwdfhryT3eP3MnTAR2A3otMzxi3fx+wpAasDqR1mBSFFzSF+p1M2F0rKxvGJ7FooFP4uo1tMY6Sbx6/h8VWHFO8ujPiH/w14lWKQGe8MwaS4CuDfGRHwzEPrLvl+tIQBfxbetwlWAVMDwyrSupjwbqOkECY7aQegvW7AnCYGTDM98oHv3bX6j4QIfdwbxHGbqOCK9zbxrVRxCsTfPhQ0gWDkHVT+OdGgskOb273Y025b6zXkjuyOBKQKyEGz9lPKSuU7HQigCNjK3VlYQnSJbZIE8NjK+Lg8CS6u/s0AqMqo2tFr/x1uqudQh9nsg048XGoTUjsvh5vORzh9tPBJZ4gXy/0YaVw6Dy0ZsrFdvfuGH19MRPdLuOc4rSoeNLToeHxv//r9SlaFEWCr0wWy54R2n49mIZC0F9KHYCqf47VnPOYO0LdbhZ1zf+L9W/dOgsCbXTapI4Jb3jgDDWcjjajXG7HbV8viKqDSKYrfL4CO9/ItTlJS4iiost+L9h9Q68lzljh09uBYV+EjsJNiO8CpINUZ1VmbRfWLunFyPsjOMccEw3F3b97e6tj9J7Twv/Ogk52LsIG/5ZorjzjaXj9YgPbeZs/PkFc3RDd0JcCtlff8E/v/NlruuIaT9e0jpdu+s2BnG/r8vK+Pm9Q3AMjb4ebzv1T/IGUEW4XG3jAnC7RJ3daoXJ0X531mKGiGBMUkyvMgaeqH+AZyvPCl2b2HhMOuM04SI+lWlh9ORQmc/obMiGaD7jd8qZfzVUKNAjKqROucucDO4MOC32Mroqrk3dslAAGfRk4jW/1i09m4jn2dWC0cdUcK1IqzsvJ1s6rnE1nUM3hVNk2cLIgOr7ot6M7X21az6OJwmYSx3n2kJdwghAeuDxNEh+XrVygoBpNPGDGJAscOJs1To/ZRzcW5CIpyL8dtJosj6wrLXawrQRcVqDGskXMJlgN5eOaiZGL+wsYqVxC/DDfCqgJyq/gXlrhST/36vPJ2I0ayo6M53iC/ge8dkh7iHleOZWcLM/WUJZ2Hb1rfpCME9tiRF+L8zAtIzMcb7YCoO/LLXialdxUGZC4k5gdiRqum8qBHfLTrPYcqiSrBDhqZec6reAN8+/BZd5+ljADpQSVeD4ue6sHI5BtLtkSzxx535IPD74m6+F6SqfxlrugqfzH91zfU9Mqvd7vi5XCRb8H3dCI2sJDFX5kRIKXRxDUhwSIt2V5Rb0/UpE+AWeCj/sNCvAVAHcSJYYiCrvEg0Z+bGMWim9j+n5ksEHmu1tXNuBeLhV5atsy14eamhQ7ASBA9kyqujCh66dEPEW3giI3qknZEWDzS2NJRmlTEPdALBXpqbbkvlr36sfy6817dnHjrY/mpcHMEm4ZOb+m+zHtjttOeLA+sQ/pUmr4L3F5DuhqgpTGWdHsZklECoP0Ngm8JpehneALAMMZIcVTlefYj/cvuE1AsdjhTN9yrUW1cfmGS52hPYFFu6LkV+rNj4h3DWshLitxwe6oCaSF/xGkQHkbPBXuPStaeE/+ut6oFEOP56cuFJcQnHFMDzpecs20cd0WDJV/kMoUoXVuqM5AE1dhD2Zi7wBp8eWdRpMPKn5Mdqy9BInTo5nfklniqCd1Tx/CfpYXz8S/r3h3sYn1nB8oLwHiqSaCeKlAgr5Ly4wKFgv9UvlFm2QqaE1OmYxhpOhg8HsaZr7r4ZL8FQ8FRMOWux9VAv1hBCzcn63Vbf6ki4wFnPiuuYQj2T0J7lLpfdlta7oYGx0knRtp1znnD+b5HVJLt7FC/R2WxQNGCVu7NGKZrlb5zju3hers0WiyDwpL3fEmzOU6w5djppcVlaaVd25Q2YpE/AhPE1L5/ypCDts6caRDWRHfR0vu8V/9z97gANZTZQBu9se6DaCCnB3GMgt3vVCZEWALyV3Z0L48htAsLYrdPc5X9zh/HuJAJELohx4yazUSm2sAHL6VXiYygRt3XcIt+cD8MWSEXylDbO1jkgkapbT/stePCLskO8BqDugS6vxsy1GR9+ixTZ7hx1FpADahKE8SrvKXAJHX/ELNk4wrvni+ZYNXPGGWTWbia840xuY1Ta1FswWqDWfH+FQmLCifEYteVBBzlIQWSRIPN/V2FIcEZDg0esmKTGS/u8nPwXUNEF2w6Cp+xLjsn3MY8xg0voNmZ0FFyOSluX5zuD5dbPc7V9QZSWHxAFCQxuFT+Hod9MwDB3baalmqWR0nEUBTeBpGKmTyshsbThYP1jMvlWPJPcEHl0P4li25+ZPZPXSBqkcqAJex2NabUGYDWAKPVzVal8WpMdoAr5uCFTIDeGYZVwYx4f/Q078mpn98mwOxMzqwb8HIHH0o31oAmfOurjFVDlbzdrexUT9+kY01DadNg1Xyr2QCi4avqIAWEx7+QrJzZqw6Xabrb0cTuZHU1/V4rfMXiEmZv3Yb3A8zuO1P87MvXZkd924G3GvruqWMH0QURXQiEPKMc59jHqUiHT2MF+bx76xxtNmMwNlOX1cO62QJ5EHU99P8CMAkwqTRqmSvryxJ4EX6FrqGucDMN4GW1MwO5BfwB+ZUGQAAkFNDvRy/6ngQuEoAhAWGuz0O29h2DLHTG1mmgs+EBjrxVEfkiijEoKPRk/0OQTwBMAaZgCDtYgR6hyVjeUz6CP1zOoWMCX9HnTKeFaogi50Myw4TmGkX3U+kGSDayVcn2LJbIEXdQq1Rt5dqLIW0A8D48Kw/J4rGrQqMyZs4j+VdeTWiKN6lFRNj5qbFwOlwyKAYBYpWTVRbrJLausvO47mQb5UVfS/+CJH126Mjhg+dppM9hkxOG/Pp26mbn7xM5OOa4cvNF139+7
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-12-30T14:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:16:23.000Z",
"modified": "2020-12-30T14:16:23.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-11-11T09:43:20+00:00",
"category": "Other",
"uuid": "228666f7-2318-4427-b564-5916d928c2d3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa/detection/f-c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa-1605087800",
"category": "Payload delivery",
"uuid": "5a663a99-38c9-42da-9db7-29e55419384a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "39/71",
"category": "Payload delivery",
"uuid": "9b0ec61f-7a29-4291-a019-d4fe1a219b48"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:16:23.000Z",
"modified": "2020-12-30T14:16:23.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-12-10T18:07:01+00:00",
"category": "Other",
"uuid": "75139155-c8bf-44a5-ae0c-76072c196a48"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621",
"category": "Payload delivery",
"uuid": "d45325fa-f3e5-4fc4-9c4c-f471e154f71c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "63/70",
"category": "Payload delivery",
"uuid": "977af219-3ee3-4ba0-8419-7c27c44710a5"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:07:00.000Z",
"modified": "2020-12-30T14:07:00.000Z",
"first_observed": "2020-12-30T14:07:00Z",
"last_observed": "2020-12-30T14:07:00Z",
"number_observed": 1,
"object_refs": [
"file--d88a8992-7c4c-58a0-b1b0-0237117d35c2"
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"False\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--d88a8992-7c4c-58a0-b1b0-0237117d35c2",
"name": "",
"extensions": {
"windows-pebinary-ext": {
"pe_type": "exe",
"number_of_sections": 5,
"optional_header": {
"address_of_entry_point": 4296533
},
"x_misp_compilation_timestamp": "2020-10-23T09:56:46+00:00"
}
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--fcb9011a-2d16-4550-a05c-1921de1c107d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:41.000Z",
"modified": "2020-12-30T14:11:41.000Z",
"first_observed": "2020-12-30T14:11:41Z",
"last_observed": "2020-12-30T14:11:41Z",
"number_observed": 1,
"object_refs": [
"file--561f7abb-f7a9-5165-842f-9f8571bc74cf"
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"False\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--561f7abb-f7a9-5165-842f-9f8571bc74cf",
"name": "",
"extensions": {
"windows-pebinary-ext": {
"pe_type": "exe",
"number_of_sections": 5,
"optional_header": {
"address_of_entry_point": 4281237
},
"x_misp_compilation_timestamp": "2020-11-11T09:22:22+00:00"
}
}
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d78f50d8-cd5d-4dcd-94de-e079b92bdaa7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:06:59.000Z",
"modified": "2020-12-30T14:06:59.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".text",
"category": "Other",
"uuid": "5867540f-afce-4b90-bb96-8610f1ccb100"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "320000",
"category": "Other",
"uuid": "19b6e184-1122-4ab3-92a8-f23c1f30d3f1"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.6348495531091",
"category": "Other",
"uuid": "cf595dae-5672-4faa-a147-3ae76945d7b2"
},
{
"type": "md5",
"object_relation": "md5",
"value": "1e4f92167c3ab2dc2c01650e939055f9",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5d6c0cff-a240-4a3e-8659-01417144cef4"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "4d18b6c125b4668ed00358c002c8a0dfae23db7a",
"category": "Payload delivery",
"to_ids": true,
"uuid": "131a23c4-8285-4c06-a0ff-3f33bd91aacf"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "3ea51233fc585fcd6772cf677512cb9b06f8a6c971fd5c39b591a2a2d0357fee",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c54f0f55-74ec-4965-8676-04326faeafab"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "9627bc232692d7589b54d2b0ffc9bca17535bbb67e35da303e4ed9dd24a9a8dc8ea65f6d0bdc3d01cf5976aec2b306d56cecbb47d285e5bff7c108c678be622f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c7962ae8-2219-4bcb-b830-95129fe54afd"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "6144:8rvDx+dR25Cb1GjTiRsKKs5wYfOXGr6ckXDjkiW5EEyyq8MeCt10zXzcVP:aF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYP",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a5bce10e-6abc-4be6-935e-b2d8279834a3"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9b5a1501-69e1-4ba7-a44a-c66fbf773aff",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:06:59.000Z",
"modified": "2020-12-30T14:06:59.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rdata",
"category": "Other",
"uuid": "cb95eb25-7ea3-4e47-8488-626ed5f2c5ed"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "103936",
"category": "Other",
"uuid": "28ef0d79-f5ff-4192-8c31-56438bbaeee7"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.3139379645706",
"category": "Other",
"uuid": "e517d43a-0843-492e-b541-ee80fe28b4bf"
},
{
"type": "md5",
"object_relation": "md5",
"value": "d4267ed23f4b852d028f443cb4aad133",
"category": "Payload delivery",
"to_ids": true,
"uuid": "ad073074-ef7d-4cb9-9562-904a27af7f39"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "e15c846060a20f089f14869bc16992023cd431b7",
"category": "Payload delivery",
"to_ids": true,
"uuid": "152d979e-46c1-4619-b3fa-e764465df30c"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "3a64bac9f63b3a6aa3ee4e1ac7c038248dcf2283712c64f740866f0597008735",
"category": "Payload delivery",
"to_ids": true,
"uuid": "ba23b932-edb6-4f9a-95b8-f45c3da32b1b"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "82d142ba284bd9534032e830d4f56ad7a8162f6bfa49fd63985bbe9d80c560d3e9500ed13cab54506bc62d86a890fa0a88a9906e232da0b48bdda804752411d7",
"category": "Payload delivery",
"to_ids": true,
"uuid": "2bde2a19-16f1-4dc3-a843-d1cbd3560e60"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "1536:pM9MP1i6fkKxs8jsdrPQF7X8HZ4XhgPCa7fksWPcdEvtmgMbFubmJXz9/7FbXuyf:pi6sLxZRFrXOAg0FubmJj97Fb+yNd",
"category": "Payload delivery",
"to_ids": true,
"uuid": "9cf6b9ba-f946-4347-9515-f156060987b4"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--30abb88a-cbc5-4960-9b49-2b11904f6354",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:06:59.000Z",
"modified": "2020-12-30T14:06:59.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".data",
"category": "Other",
"uuid": "041e23c4-b957-42ea-a748-22c097201bdb"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "10752",
"category": "Other",
"uuid": "039f8aed-a617-4825-9984-16f7cb6ab18b"
},
{
"type": "float",
"object_relation": "entropy",
"value": "4.5643514844553",
"category": "Other",
"uuid": "87979ee8-e837-421d-89e8-69ec4da563c4"
},
{
"type": "md5",
"object_relation": "md5",
"value": "bdac7b3caf4a2640a848c52d56263d6f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "df3005a9-b33d-439e-9a64-485f191b1b9b"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "4074eac2c7cb8f54042d7753fddf79d41e6ba1da",
"category": "Payload delivery",
"to_ids": true,
"uuid": "14e1cde5-15f3-4ff9-af52-0bb64767196a"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "0664109a211df95098544312f455035e79988bfbbe7b63dcbba01dfbf88351d3",
"category": "Payload delivery",
"to_ids": true,
"uuid": "1734e90c-2ffb-413a-8bf4-db6126dda15d"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "9bec434d1685538df9205af3077e47f380729edb640d1c591c8cd4cc3d2d510ece40b039b31ea34d52742de8e58eef24308b269241810e4409aadfece39645f7",
"category": "Payload delivery",
"to_ids": true,
"uuid": "57b7756f-5ed2-44e0-9872-ecd92a5ca822"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "192:uwiPy9D8pZIRxTRjRkRtRaN0NN0JbgcUC3h4+/1M:uwJ1IXu41",
"category": "Payload delivery",
"to_ids": true,
"uuid": "d3300ccb-baaa-4892-8907-4d051c147970"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--23df8d28-7dc8-4524-a1a6-9585c30be9d5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:06:59.000Z",
"modified": "2020-12-30T14:06:59.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rsrc",
"category": "Other",
"uuid": "3d2f4a77-6a74-4688-9669-7f4034bc78be"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "39424",
"category": "Other",
"uuid": "7791d0ac-53c0-4b06-a689-b873f6e3f429"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.3888085830938",
"category": "Other",
"uuid": "006780c5-82eb-4187-893c-7179f993b734"
},
{
"type": "md5",
"object_relation": "md5",
"value": "0182033254ebc8d0593f391d8dc7e6d2",
"category": "Payload delivery",
"to_ids": true,
"uuid": "20352748-4678-496d-b604-cc1dbc63a842"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "7805b24719deb34dd098be5bc8ca6a0a4f6ea53b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "204b1a09-f49d-400b-8d01-15ec3cd82bb8"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "8ee03e790e04d573a1e2f2c494823c7f5e5892c58ae2b68afd6d635bee4bb58d",
"category": "Payload delivery",
"to_ids": true,
"uuid": "be489986-36bb-4636-93c1-96b76924b049"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "41a162ef03942c7643acb6af31a9c4edb8e2022095c87853ea96741835ce465cc0c426808d5f1d7ef67a601859c46d1cf2e4944dfac50532948cbd3a16940b8b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "7cebc20c-c422-49c5-94b0-6ca64a5a9bdc"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "768:lzC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:lzC4MpvhCRto5gCxyy22gAV",
"category": "Payload delivery",
"to_ids": true,
"uuid": "9ca8c334-4672-4d05-92c6-bf3641669a07"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a96d75ef-7797-4f2a-82ba-754da2ffa4e1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:06:59.000Z",
"modified": "2020-12-30T14:06:59.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".reloc",
"category": "Other",
"uuid": "40fb6fd7-8c49-48cc-bcd8-cf847340c66f"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "19456",
"category": "Other",
"uuid": "79650495-4f82-4f09-a317-9e31f3dd8209"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.6017444852914",
"category": "Other",
"uuid": "fcea76c7-b14e-4d76-838b-f040391d1ec1"
},
{
"type": "md5",
"object_relation": "md5",
"value": "9836d373e3e5b2732261fd23de92e9cc",
"category": "Payload delivery",
"to_ids": true,
"uuid": "48ae48db-796a-42e2-898e-8d3de1fbcd68"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "a02930ef7a4abc95f485dd906b41c9f1b3b4089f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "6469dead-29b7-4d2a-a2fc-f3fcb1708a7c"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "c044f90946b93915da65196d16dcc4f342273f369630fb419fe0e719ac83f073",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c89b1980-c47c-4b39-bc36-f40e3c5567a9"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "8903b89f3e1f5d9c7f388f943b687df9ae2d506b6dff83aa349c95bb50a55a4a06ed5f696d496c7078228ed30cf5ddcf63875f7e2c92b7b53b907ad371ed461c",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c9fb71f8-c053-4be8-bcaa-6311bec0bf1d"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "192:UoXZpZ/peUCpKNaBksXNJzFL/0ztmARyzlHlndnKEs6FnKTKnbBwaSbEbw814lUP:tZUU8yGDDAwzlFdK96FcKHwLrFgx9fl",
"category": "Payload delivery",
"to_ids": true,
"uuid": "bb175b13-ff08-4d69-bb0f-843fb68accb8"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f19826b2-8b7c-4826-8575-863438b660ec",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:40.000Z",
"modified": "2020-12-30T14:11:40.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".text",
"category": "Other",
"uuid": "5fd0952b-78a9-497c-9fc7-d77c1f14ca2a"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "298496",
"category": "Other",
"uuid": "0a3cb98a-7792-4a72-9ce9-c09592fd8307"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.6475524649073",
"category": "Other",
"uuid": "4621b1bf-a853-4b32-a151-4a92b9531837"
},
{
"type": "md5",
"object_relation": "md5",
"value": "3872b37a6fbcbb27f80b9639008a708e",
"category": "Payload delivery",
"to_ids": true,
"uuid": "e3a3ef6e-b5db-4d7c-8758-961266c79ade"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "af031fe59567d0fe50d6d047bc0ca7c2869d341f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a33b990d-0cde-41ac-99cd-b4799a6b869e"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "38bcb58a3bf5ead5cf760efb23d404f2f3344bf28d870eb2da94e90bbf2fc77e",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c9d14d1f-d0ae-479c-b79f-0c233b0dcff7"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "511911a3319406aff5bdbb2843547ffcb9584a663974a1315fd1111035051329888290bde3fb5dcab49cd955f404fc99060d922bb72265d576fcc7e0c2ce727b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "53c4c31e-174b-4351-8f88-5427ff7cb011"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "6144:lf0ryFWUY6V0eU82Tvvase6Jqrm7mi+HH38rnb9Fn41+nVszCxoj58T9O4:lf0GWQ0TvvNdem7m9H0n41+nVs+x05Z4",
"category": "Payload delivery",
"to_ids": true,
"uuid": "55fe8a96-c659-413f-b11d-e56df6703e5a"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--66a147e0-b788-4de3-ade4-c97530981c46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:40.000Z",
"modified": "2020-12-30T14:11:40.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rdata",
"category": "Other",
"uuid": "9428539e-41eb-426e-b9dd-2c0c8b54e387"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "93696",
"category": "Other",
"uuid": "f2a5d63a-3af2-4bd6-bdc2-3444adca0a6b"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.4415893542669",
"category": "Other",
"uuid": "2fe8470e-8943-4d9d-b94f-1bb4fdbe5d08"
},
{
"type": "md5",
"object_relation": "md5",
"value": "3c027f23d1cc821ccef3334303834905",
"category": "Payload delivery",
"to_ids": true,
"uuid": "9b1df8a2-20fa-4639-ad16-967caefee682"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "97b2bcbb75096510580cfa3eb09ca9f5f99343fe",
"category": "Payload delivery",
"to_ids": true,
"uuid": "fe621958-a1a1-4970-8df5-2c1ee7fc32c5"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "ff797adfe7c6c249e809f08493ec5c0bdbebe042acb2b7971987d0301c084240",
"category": "Payload delivery",
"to_ids": true,
"uuid": "cd52f3b1-c5cb-4514-897d-45472e558d01"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "a76b76acca4386452924f789f4b7ff801064042f4513081e000ff0e2edd84411ee68c2a678d270e593b9fa6874a90a4e4aac82a99bbebfd3016c240356a4d8d9",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c2bfa67b-a37a-40eb-8336-074d07ee09d6"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "1536:QZL1M6liPlQtc/s8jsdVx6nwL4XhgvRsWAcd0vtmgMbFuzmxyttyN7:QBNYz6bLxFeAg0FuzmkbyN7",
"category": "Payload delivery",
"to_ids": true,
"uuid": "485b7cc9-eaae-42ac-bef0-87b8ab834c78"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--465f9a97-b302-4abe-a54a-a52022e473dc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:40.000Z",
"modified": "2020-12-30T14:11:40.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".data",
"category": "Other",
"uuid": "d09407cf-0884-49d2-9b93-1d2876ee319e"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "10240",
"category": "Other",
"uuid": "15c3b7c6-04cd-4dd7-8cb1-063791aa181c"
},
{
"type": "float",
"object_relation": "entropy",
"value": "4.5555134237561",
"category": "Other",
"uuid": "d6c83c84-34b9-425d-b7ec-bdefded320f9"
},
{
"type": "md5",
"object_relation": "md5",
"value": "b59be920c1c434664945d142276186b4",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c6e1a5c0-5333-4d2b-a2fa-c14a13381a4b"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "416438c1a7fd81ee9d69873597d35bd59856e90e",
"category": "Payload delivery",
"to_ids": true,
"uuid": "91f3029b-c100-4707-bf1b-e637f9b674f6"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "60e47720c483c8a6067c98f8cb300aa1ae5c9e6ccded044ef365e459dc2c61ff",
"category": "Payload delivery",
"to_ids": true,
"uuid": "389ee7a7-2eb4-4f0d-8566-1dd0669affe8"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "00160f9d9361ddebdded0156ee1c2ed60575e60281ceb3794044d9036febf6a25f3858fdfcbc13c0050ac6f6e2f37cd1463127c863883373b3dcf594bc48933a",
"category": "Payload delivery",
"to_ids": true,
"uuid": "7f3f664f-f229-4ae9-9551-87dc9aa7a766"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "96:AMPlvM5V16Ka4t6k7+x5WRwWRyN0NN0v3CxuOH6Ah8q+VOid:Dy6Ka4t6k7+xARjRyN0NN0v3sTH6Ag",
"category": "Payload delivery",
"to_ids": true,
"uuid": "aafcb62a-0237-438e-a9e2-98d65d3d1373"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--36023bd1-e08a-4d80-8666-f974049fce9b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:40.000Z",
"modified": "2020-12-30T14:11:40.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rsrc",
"category": "Other",
"uuid": "4ef3e8e2-ffcd-417b-929c-b654410acc02"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "39424",
"category": "Other",
"uuid": "0b429ce0-f3c6-4fea-a26f-8973e64daff6"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.3887459421453",
"category": "Other",
"uuid": "02f9eb68-9114-4db7-a24a-ce4c87955774"
},
{
"type": "md5",
"object_relation": "md5",
"value": "e9fb469d281b99eb663d16de3582a879",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c34a938b-c1e8-4856-a61a-a24942c9df24"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "7ccdea45c0fa4f3929e9602a53aa9b4bb25b85e4",
"category": "Payload delivery",
"to_ids": true,
"uuid": "b7d2e21f-1365-4a33-9f76-21f7bda43b84"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "57a185a9643272ce1564c3c82e2bf020872558f1a78f2144406e28f9c6a43f61",
"category": "Payload delivery",
"to_ids": true,
"uuid": "049c4384-b8cf-4195-89ab-898ebacbb9b2"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "705091d713591aecf32e6faae05c01061bd3cbead7a0a08f639f1bb36cda3eb38c4a9f4c317c25fb80541077e42d81cb3f6beadca11bf6fe2c309fcb1896ec31",
"category": "Payload delivery",
"to_ids": true,
"uuid": "9249a704-7ec7-4d1e-8a49-f51256c3bbdb"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "768:1zC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:1zC4MpvhCRto5gCxyy22gAV",
"category": "Payload delivery",
"to_ids": true,
"uuid": "557399a7-8f54-4ef6-8b50-dc75b8c735af"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--af6451da-ae31-4b1f-ae44-fd5e5bd45eed",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:11:40.000Z",
"modified": "2020-12-30T14:11:40.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".reloc",
"category": "Other",
"uuid": "e5d867ba-94db-44b8-bf06-d18b4ac5f611"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "16896",
"category": "Other",
"uuid": "9536f844-79fd-4c12-ac64-dc8ee1d0f6d0"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.622890870612",
"category": "Other",
"uuid": "15b92bcf-3e08-4b8b-9578-f53728aa855a"
},
{
"type": "md5",
"object_relation": "md5",
"value": "b2936a508681fdbe1f2d049cb2408c6b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a434104d-4e1c-4e61-a2fc-76f611fcf416"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "3947b42a90beabb11a40581a93b1409bd8167983",
"category": "Payload delivery",
"to_ids": true,
"uuid": "33eff2f9-ebc6-4f84-a89b-b03a164d8ab8"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "1b4cc01e63dac842f80de7e005cbe45d0e1ef7dc66392c80e9ec57c47be20421",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5d2d0f94-f8c9-41cc-a584-9156aa7b73c7"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "b1b15f8629f6b6a31f10b53d04acb606d0ce7caf4018ea00df60fe0eabd6d603ca3ad848f477c6a13b90e79399cb1d9bdd23087ba607773422ba10a098395d08",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a5d61cc0-b740-4d2c-9d3b-0a12a2990a00"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "384:H7GGBN3/QP0rH6Pu+5UCDV6k5YWksOG54Fzda+lkq5e+sctn:HL/z6GK1Uk5FO04FhDkStsctn",
"category": "Payload delivery",
"to_ids": true,
"uuid": "11a9355d-1711-43b6-9722-6945dd2b8a5a"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--0d5ea620-4f7d-43a0-afd9-8b21a5de1095",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-12-30T14:17:48.000Z",
"modified": "2020-12-30T14:17:48.000Z",
"abstract": "Report from - http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ (1609337868)",
"content": "html Global site tag (gtag.js) - Google Analytics Reverse Engineering \u00b7 17 Nov 2020 # RegretLocker\n\n ## Summary\n\n ***RegretLocker*** is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for ***VHD*** files, mount them using ***Windows Virtual Storage API***, and then encrypt all the files it finds inside of those ***VHD*** files.\n\n Typically, ***VHD*** files are huge in size with a max size of nearly 2TB because it\u2019s mainly ussed to store the contents of a hard disk of a VM which includes disk particitions and file systems. This makes it unrealistic for ransomware to waste time encrypting simply because it\u2019s too big.\n\n However, through mounting these virtual disks as physical disks, ***RegretLocker*** can go through and encrypt the individual files inside, which significantly increases encryption speed overall.\n\n For encryption, ***RegretLocker*** reaches out to the C&C server for a ***RSA*** key in order to encrypt and produce a unique ***AES*** key. This ***AES*** key will be used to encrypt all of the files on the disks. However, if the machine is offline or it can\u2019t reach C&C, it will just uses the hard-coded ***RSA*** key in memory, which makes it simple to write a decryption tool for!\n\n All of the encrypted files have the extension ***.mouse***.\n\n Huge shout-outs to Vitali Kremez and MalwareHunterTeam for bringing this ransomware to my attention!\n\n ## IOCS\n\n ***RegretLocker*** comes in the form of a 32-bit PE file.\n\n ***MD5***: 3265b2b0afc6d2ad0bdd55af8edb9b37\n\n ***SHA256***: a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4\n\n ## Dependencies\n\n ***Advapi32.dll and Crypt32.dll***: Main crypto functionalities such as RSA and AES encryption\n\n ***VirtDisk.dll***: Mounting virtual disk functionalities\n\n ***tor-lib.dll***: DLL dropped by ***RegretLocker*** that is used to contact C&C through Tor\n\n ## Networking\n\n ***RegretLocker*** contacts the C&C server at ***http://regretzjibibtcgb.onion/input*** through Tor 3 times:\n\n - Retrieve RSA key from server - Sending information such as the computer's IP, name, volume of the disks,.. - Signalling when it finishes encrypting Before contacting C&C, it sends a GET request to ***http://api.ipify.org/*** to retrieve the PC\u2019s public IP address. If this fails, the malware can assume that it\u2019s running offline and will use the hard-coded RSA key.\n\n ## Ransom Note\n\n ***RegretLocker*** drops a ransom note in every folder that it encrypts. This is the content if you run the malware with Internet connection. The hash is used to identify which RSA key is used to generate the AES key on your machine.\n\n You can find malware log here on my Github\n\n ## Code Analysis\n\n ### Only One Process Running\n\n ***RegretLocker*** first check if there is only one version of itself running by looping through all of the running processes using ***CreateToolhelp32Snapshot, Process32First, and Process32Next***.\n\n For each of the running processes, it compares the name against its own name to make sure that there is no process with the same name.\n\n If there is one with the same name, the ransomware exits immediately.\n\n ### Dropping tor-lib.dll\n\n The malware extracts the path to the current directory it is located in through ***GetModuleFileNameA*** and concats ***\u201d\\tor-lib.dll\u201d*** to it, which means that it drops this dll in the same directory of the malware.\n\n It then calls a function to extract the dll from its resource section through ***FindResourceA, LoadResource, and LockResource***. As we can see in ***Resource Hacker***, the dll is stored unencrypted in the resource section. After extracting the dll, it calls ***LoadLibrary*** to get a handle to the dll. This handle will be used for the malware to contact C&C.\n\n ### Development Check\n\n The malware writter has 2 weird checks to check for a particul
"object_refs": [
"report--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9"
]
},
{
"type": "relationship",
"spec_version": "2.1",
2023-12-14 13:47:04 +00:00
"id": "relationship--c1929fc8-dad8-40c8-813a-64c3a4618aae",
2023-06-14 17:31:25 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"target_ref": "x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c"
},
{
"type": "relationship",
"spec_version": "2.1",
2023-12-14 13:47:04 +00:00
"id": "relationship--b7f5d24b-8f4e-4533-b098-8893bffaa53c",
2023-06-14 17:31:25 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"target_ref": "x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73"
},
{
"type": "relationship",
"spec_version": "2.1",
2023-12-14 13:47:04 +00:00
"id": "relationship--f88a41b9-a392-4351-819a-0fc6988733c4",
2023-06-14 17:31:25 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"target_ref": "x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
2023-04-21 13:25:09 +00:00
]
}