{
"type" : "bundle" ,
"id" : "bundle--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:17:48.000Z" ,
"modified" : "2020-12-30T14:17:48.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:17:48.000Z" ,
"modified" : "2020-12-30T14:17:48.000Z" ,
"name" : "RegretLocker - compiled information, activity and samples" ,
"published" : "2020-12-30T15:52:46Z" ,
"object_refs" : [
"x-misp-attribute--6dbfc982-fc1f-4c82-ac73-0d9a407d6684" ,
"observed-data--42f702b7-229b-4399-a2fe-8b693af95dd8" ,
"url--42f702b7-229b-4399-a2fe-8b693af95dd8" ,
"observed-data--b6916923-3724-4874-9bae-3ca7306971eb" ,
"url--b6916923-3724-4874-9bae-3ca7306971eb" ,
"observed-data--b690c46e-0cac-4feb-8b99-db3b7bba4f99" ,
"url--b690c46e-0cac-4feb-8b99-db3b7bba4f99" ,
"observed-data--c84562fb-02e8-4ab8-936e-2795dd238613" ,
"url--c84562fb-02e8-4ab8-936e-2795dd238613" ,
"observed-data--aadc3450-a27d-4298-8f5a-4044ce6944c1" ,
"url--aadc3450-a27d-4298-8f5a-4044ce6944c1" ,
"indicator--8627f24c-f338-44f2-87dc-893c17f11e46" ,
"indicator--30cea38a-9c7b-4857-a681-18dea3ca092f" ,
"x-misp-attribute--3ababeaf-c5dd-4760-bf5b-cb76cb4ecd20" ,
"x-misp-object--004bcecb-dfdb-4e60-94a2-53e6a7c7e65e" ,
"indicator--d485ac66-e0e8-47cb-ad29-b8bdc8340d4e" ,
"x-misp-object--4c2a0d50-bf8d-4e94-9396-31303bc82625" ,
"indicator--7f83f602-a73e-4eda-8fb9-f1e85be3451b" ,
"indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c" ,
"x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c" ,
"indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30" ,
"x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936" ,
"x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73" ,
"observed-data--369a74a5-3e03-47c5-9cd0-4b2aad23e16a" ,
"file--d88a8992-7c4c-58a0-b1b0-0237117d35c2" ,
"observed-data--fcb9011a-2d16-4550-a05c-1921de1c107d" ,
"file--561f7abb-f7a9-5165-842f-9f8571bc74cf" ,
"x-misp-object--d78f50d8-cd5d-4dcd-94de-e079b92bdaa7" ,
"x-misp-object--9b5a1501-69e1-4ba7-a44a-c66fbf773aff" ,
"x-misp-object--30abb88a-cbc5-4960-9b49-2b11904f6354" ,
"x-misp-object--23df8d28-7dc8-4524-a1a6-9585c30be9d5" ,
"x-misp-object--a96d75ef-7797-4f2a-82ba-754da2ffa4e1" ,
"x-misp-object--f19826b2-8b7c-4826-8575-863438b660ec" ,
"x-misp-object--66a147e0-b788-4de3-ade4-c97530981c46" ,
"x-misp-object--465f9a97-b302-4abe-a54a-a52022e473dc" ,
"x-misp-object--36023bd1-e08a-4d80-8666-f974049fce9b" ,
"x-misp-object--af6451da-ae31-4b1f-ae44-fd5e5bd45eed" ,
"note--0d5ea620-4f7d-43a0-afd9-8b21a5de1095" ,
"relationship--c1929fc8-dad8-40c8-813a-64c3a4618aae" ,
"relationship--b7f5d24b-8f4e-4533-b098-8893bffaa53c" ,
"relationship--f88a41b9-a392-4351-819a-0fc6988733c4"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:ransomware=\"RegretLocker\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--6dbfc982-fc1f-4c82-ac73-0d9a407d6684" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:15:40.000Z" ,
"modified" : "2020-12-30T13:15:40.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Attribution\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Attribution" ,
"x_misp_comment" : "The malware writer has 2 weird checks to check for a particular user name and PC name (WIN-295748OMAKG). If the user name or the PC name matches, the malware will exit immediately." ,
"x_misp_type" : "text" ,
"x_misp_value" : "WIN-295748OMAKG"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--42f702b7-229b-4399-a2fe-8b693af95dd8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:42:36.000Z" ,
"modified" : "2020-12-30T13:42:36.000Z" ,
"first_observed" : "2020-12-30T13:42:36Z" ,
"last_observed" : "2020-12-30T13:42:36Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--42f702b7-229b-4399-a2fe-8b693af95dd8"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--42f702b7-229b-4399-a2fe-8b693af95dd8" ,
"value" : "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--b6916923-3724-4874-9bae-3ca7306971eb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:47:27.000Z" ,
"modified" : "2020-12-30T13:47:27.000Z" ,
"first_observed" : "2020-12-30T13:47:27Z" ,
"last_observed" : "2020-12-30T13:47:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--b6916923-3724-4874-9bae-3ca7306971eb"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--b6916923-3724-4874-9bae-3ca7306971eb" ,
"value" : "https://twitter.com/VK_Intel/status/1323693700371914753"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--b690c46e-0cac-4feb-8b99-db3b7bba4f99" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:47:28.000Z" ,
"modified" : "2020-12-30T13:47:28.000Z" ,
"first_observed" : "2020-12-30T13:47:28Z" ,
"last_observed" : "2020-12-30T13:47:28Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--b690c46e-0cac-4feb-8b99-db3b7bba4f99"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--b690c46e-0cac-4feb-8b99-db3b7bba4f99" ,
"value" : "https://twitter.com/malwrhunterteam/status/1321375502179905536"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--c84562fb-02e8-4ab8-936e-2795dd238613" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:47:28.000Z" ,
"modified" : "2020-12-30T13:47:28.000Z" ,
"first_observed" : "2020-12-30T13:47:28Z" ,
"last_observed" : "2020-12-30T13:47:28Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--c84562fb-02e8-4ab8-936e-2795dd238613"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--c84562fb-02e8-4ab8-936e-2795dd238613" ,
"value" : "https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--aadc3450-a27d-4298-8f5a-4044ce6944c1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:48:46.000Z" ,
"modified" : "2020-12-30T13:48:46.000Z" ,
"first_observed" : "2020-12-30T13:48:46Z" ,
"last_observed" : "2020-12-30T13:48:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--aadc3450-a27d-4298-8f5a-4044ce6944c1"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--aadc3450-a27d-4298-8f5a-4044ce6944c1" ,
"value" : "https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8627f24c-f338-44f2-87dc-893c17f11e46" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:49:44.000Z" ,
"modified" : "2020-12-30T13:49:44.000Z" ,
"description" : "Source url" ,
"pattern" : "[url:value = 'http://344744.cloud4box.ru/files/locker/locker.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2020-12-30T13:49:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--30cea38a-9c7b-4857-a681-18dea3ca092f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:50:02.000Z" ,
"modified" : "2020-12-30T13:50:02.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.248.203.209']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2020-12-30T13:50:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--3ababeaf-c5dd-4760-bf5b-cb76cb4ecd20" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:14:34.000Z" ,
"modified" : "2020-12-30T14:14:34.000Z" ,
"labels" : [
"misp:type=\"windows-scheduled-task\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_comment" : "Next, it also schedules the malware as a task every minute using this Schtasks.exe command, which is run from cmd.exe using ShellExecuteA." ,
"x_misp_type" : "windows-scheduled-task" ,
"x_misp_value" : "Mouse Application"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--004bcecb-dfdb-4e60-94a2-53e6a7c7e65e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:16:46.000Z" ,
"modified" : "2020-12-30T13:16:46.000Z" ,
"labels" : [
"misp:name=\"tor-hiddenservice\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "http://regretzjibibtcgb.onion/input" ,
"category" : "Other" ,
"uuid" : "93d56bb5-d6d7-4c3a-9b13-ba6a03a91c19"
} ,
{
"type" : "text" ,
"object_relation" : "address" ,
"value" : "regretzjibibtcgb.onion" ,
"category" : "Other" ,
"uuid" : "770098e3-5b69-4254-a2ce-6a5102b11704"
}
] ,
"x_misp_comment" : "the malware will first reach out to C&C at http://regretzjibibtcgb.onion/input with get_key in the query to request the RSA key." ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "tor-hiddenservice"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d485ac66-e0e8-47cb-ad29-b8bdc8340d4e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:17:31.000Z" ,
"modified" : "2020-12-30T13:17:31.000Z" ,
"pattern" : "[url:value = 'http://regretzjibibtcgb.onion/input' AND url:x_misp_scheme = 'http' AND url:x_misp_domain = 'regretzjibibtcgb.onion' AND url:x_misp_host = 'regretzjibibtcgb.onion']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2020-12-30T13:17:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--4c2a0d50-bf8d-4e94-9396-31303bc82625" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:42:10.000Z" ,
"modified" : "2020-12-30T13:42:10.000Z" ,
"labels" : [
"misp:name=\"crypto-material\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "RSA" ,
"category" : "Other" ,
"uuid" : "c0be054c-863c-4cac-991d-0d03fd0bbcb6"
} ,
{
"type" : "text" ,
"object_relation" : "public" ,
"value" : "-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1ZQInrnhxXCtAN/LsOX2GmgbvBxMsO49lc1/qodshkUvRQLazWv61UbMLKx2gaRQrCYuVrR1Cgd7LxY4ueGo50TqZioAJbCcfzdiXlEkJqLlz4RTU9RFZ/wFjWxChek2NsU6vLLSowPPTw+JhwTooI+QPAIYeoxCf4xz7Kvu9CQIDAQAB\r\n-----END PUBLIC KEY-----" ,
"category" : "Other" ,
"uuid" : "38503a70-0c58-42ca-8e54-ead2934234f6"
} ,
{
"type" : "text" ,
"object_relation" : "origin" ,
"value" : "malware-extraction" ,
"category" : "Other" ,
"uuid" : "76f26a7c-27ba-45d5-b54e-e05bc46803f4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "crypto-material"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7f83f602-a73e-4eda-8fb9-f1e85be3451b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T13:44:12.000Z" ,
"modified" : "2020-12-30T13:44:12.000Z" ,
"pattern" : "rule regretlocker {\r\n\tmeta:\r\n\t\tdescription = \\\\\"YARA rule for RegretLocker\\\\\"\r\n\t\treference = \\\\\"http://chuongdong.com/reverse\\\\%20engineering/2020/11/17/RegretLocker/\\\\\"\r\n\t\tauthor = \\\\\"@cPeterr\\\\\"\r\n\t\ttlp = \\\\\"white\\\\\"\r\n\tstrings:\r\n\t\t$str1 = \\\\\"tor-lib.dll\\\\\"\r\n\t\t$str2 = \\\\\"http://regretzjibibtcgb.onion/input\\\\\"\r\n\t\t$str3 = \\\\\".mouse\\\\\"\r\n\t\t$cmd1 = \\\\\"taskkill /F /IM \\\\\\\\\\\\\"\r\n\t\t$cmd2 = \\\\\"wmic SHADOWCOPY DELETE\\\\\"\r\n\t\t$cmd3 = \\\\\"wbadmin DELETE SYSTEMSTATEBACKUP\\\\\"\r\n\t\t$cmd4 = \\\\\"bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures\\\\\"\r\n\t\t$cmd5 = \\\\\"bcdedit.exe / set{ default } recoveryenabled No\\\\\"\r\n\t\t$func1 = \\\\\"open_virtual_drive()\\\\\"\r\n\t\t$func2 = \\\\\"smb_scanner()\\\\\"\r\n\t\t$checklarge = { 81 fe 00 00 40 06 }\r\n\tcondition:\r\n\t\tall of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "3.7.1" ,
"valid_from" : "2020-12-30T13:44:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_context" : "all"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:16:23.000Z" ,
"modified" : "2020-12-30T14:16:23.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 3265 b 2 b 0 a f c 6 d 2 a d 0 b d d 55 a f 8 e d b 9 b 37 ' A N D f i l e : h a s h e s . S H A 1 = ' 24272 b e b 676 d 956 e c 8 a 65 b 95 a 2615 c 9075 f a 9869 ' A N D f i l e : h a s h e s . S H A 256 = ' a 188e147 b a 147455 c e 5e3 a 6 e b 8 a c 1 a 46 b d d 58588 d e 7 a f 53 d 4 a d 542 c 6986491 f 4 ' A N D f i l e : h a s h e s . S H A 512 = ' 28 f 99 d a 799 b 43 a 5 f d 0 60 b 5 c a b 411911 b 54 c e e b 51e612 e c 6213 c 2 b 8003 e e 6 d e 29 b c 46683 b a 0 4507 c 0e8 a 92e9 f b e c 4 b e 5 c e c b c 8918618 d b 9 c 15 f 231 a 5 b e 806 c b 94 ' A N D f i l e : h a s h e s . S S D E E P = ' 12288 : J F + d R k C G j z K d 5 I k 6 Z D E y y q 8 M e 0 K z Y B 3 I v C l B T n : J F + d e C 2 + d 5 A Z L d e 0 K c B U 4 B T ' A N D f i l e : n a m e = ' a 188e147 b a 147455 c e 5e3 a 6 e b 8 a c 1 a 46 b d d 58588 d e 7 a f 53 d 4 a d 542 c 6986491 f 4 ' A N D f i l e : s i z e = ' 494592 ' A N D ( f i l e : c o n t e n t _ r e f . 
p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A O B w n l G i g y j m I B M E A A C M B w A g A B w A M z I 2 N W I y Y j B h Z m M 2 Z D J h Z D B i Z G Q 1 N W F m O G V k Y j l i M z d V V A k A A 4 O J 7 F + D i e x f d X g L A A E E I Q A A A A Q h A A A A 4 w + q V 2 T V u m g B E x P g S m S z i Q D 1 h l G z o k e c y M 6 / 1 l 0 0 L 73 n e q s F a v Y / m f D E d O Q s t E r n p r o O a X a 0 t z f N 7 Y J X 47 A E p l r T F C d D j K C c I n o 58 p 8 b W p W 0e8 c / 0 L Y n W A m 5 M x w j W + t S g Y L S M F s 9 F G g Y S K f u e d k n R r M E V u B t q Q q 2 s 49 n n o v V W u a l f F W M w L A S U j + / b Z d X b w + S 7 / J / t v n P U Q O 7 X f l w c h h d y N r c 8 S L Q s B 0 J G o 3 Q Q 0 Y Y 4 L Z c 5 O 8 F U w M o C t e L g S I b 96 b 1 w t T h n 6 f H P 4 L / H D t b j V m q u + h V 2 V k L m G O B D E B a w L E 0 S x c t g z k S e 7 b 6 n G 2 + B f d n y o L M B H l L h / c r G 385 o M K u X b p k K 8 i l E r 8 S q 4 T s Z B k s U 4 f t r 678 K b p q M 6 / U r 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
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2020-12-30T14:16:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:09:04.000Z" ,
"modified" : "2020-12-30T14:09:04.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2020-12-10T18:07:01+00:00" ,
"category" : "Other" ,
"uuid" : "8df1ad0c-2fe9-4db3-a0a0-a383d8f3dbb3"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621" ,
"category" : "Payload delivery" ,
"uuid" : "73d0a4b0-8a60-4a18-8406-108501e8353f"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "63/70" ,
"category" : "Payload delivery" ,
"uuid" : "235fc20b-5747-4e39-bb6c-62c361853244"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:16:23.000Z" ,
"modified" : "2020-12-30T14:16:23.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 83153 f 8 c a 7 f 872 a 1 b 4 a b d 40 a 5 b d 58094 ' A N D f i l e : h a s h e s . S H A 1 = ' 6 d c 183 e d 1 c 644 d d 550207 a 34 a c 9e57 c 6 f 4 b 8 d 350 ' A N D f i l e : h a s h e s . S H A 256 = ' c 5 c 7e4 f 126099586670346024 b d 37 e c c f 0 c c e 6 d d 1 e b 8 c f c a f b b 24530e1 c 582 f a ' A N D f i l e : h a s h e s . S H A 512 = ' c f 0 2 e e f 8 d 7 c 4756 b 1 c e a 7949e7543 d 8 f 38109 c 0 9178e25 e c b f 155 b d 45e96 f c 486 c a b 5 d c 533208 f f 39 c 58 d 94e220 d e 53 b f 4 f e 2120 a 593 d 5 c e f b d 15 e f 57757 d f 2 c ' A N D f i l e : h a s h e s . S S D E E P = ' 12288 : T f 0 G W Q 0 T v v N d e m 7 m 9 H 0 n 41 + n V s + x 0 5 Z x B i 953 u F h : T f b W Q 0 L F 604 M n N x 0 n x e 3 u F ' A N D f i l e : n a m e = ' c 5 c 7e4 f 126099586670346024 b d 37 e c c f 0 c c e 6 d d 1 e b 8 c f c a f b b 24530e1 c 582 f a ' A N D f i l e : s i z e = ' 459776 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A H V x n l F d 6 k N h v d M D A A A E B w A g A B w A O D M x N T N m O G N h N 2 Y 4 N z J h M W I 0 Y W J k N D B h N W J k N T g w O T R V V A k A A 52 K 7 F + d i u x f d X g L A A E E I Q A A A A Q h A A A A H i Q 4 j T 9 t a T U m k a u E Q V B Q 2 m u o 6 M 0 94 s N G p Y u 5 t T w A 5 g i 9 j p r 8 g f + R t g z Y t 5 l 7 V 8 q 3 m U Q x f g P P 6 h B 4 L A h v 64 z F b 6 p u u v g M 4 K + D d S B y 45 Z S b I W / M Z 177 h + k B V w q s F v N J s d 79 N X 0 E V H f b / m d r x / C P d D F W R E z 5 w R A R N z T o M / c 8 W A L e 5 f A 81 / y z H V u Q Y L v E g Z O 4 Y 2 o L c D S V q n m z z f 9 E f j d D Z Q A 94 a g V V E M 9 s E T n u r e J 34 T f g z 4 U 8 r V C C s E x o o U V S w N f z u / 2 b g O a O i P V V 0 S n u b A S i 8 K y 7 k V 5 z Y 6 f w r I I I G C w e b / t 3 j p 1 q J v 1 k r Z W I B T 517 U w k h L B t Z Y r r o X P W 2 u A 5 P p L p c o c F R + S L 6 I p L Z + 6 / N / T E M / S Y z W L K 0 o U y + C e A X 
F U V e Q t a m H Z Z h C Q v t s C E A X 0 P p z c o 8 W L n H K H j 5 N 3 A u Y w M c U K G E X F k n 4 x U Y 1 / G 54 H 33 x 9 u Z P C g w i 1 g I j Z y c j d P L 3 f H P B c g 3 x Z g C y I 5 v s 9 t l S v O y g / K q T y h O s I O 0 c U R T I b s / 7 J w d f h r y T 3 e P 3 M n T A R 2 A 3 o t M z x i 3 f x + w p A a s D q R 1 m B S F F z S F + p 1 M 2 F 0 r K x v G J 7 F o o F P 4 u o 1 t M Y 6 S b x 6 / h 8 V W H F O 8 u j P i H / w 14 l W K Q G e 8 M w a S 4 C u D f G R H w z E P r L v l + t I Q B f x b e t w l W A V M D w y r S u p j w b q O k E C Y 7 a Q e g v W 7 A n C Y G T D M 98 o H v 3 b X 6 j 4 Q I f d w b x H G b q O C K 9 z b x r V R x C s T f P h Q 0 g W D k H V T + O d G g s k O b 273 Y 0 25 b 6 z X k j u y O B K Q K y E G z 9 l P K S u U 7 H Q i g C N j K 3 V l Y Q n S J b Z I E 8 N j K + L g 8 C S 6 u / s 0 A q M q o 2 t F r / x 1 u q u d Q h 9 n s g 0 48 X G o T U j s v h 5 v O R z h 9 t P B J Z 4 g X y / 0 Y a V w 6 D y 0 Z s r F d v f u G H 19 M R P d L u O c 4 r S o e N L T o e H x v 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
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2020-12-30T14:16:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:16:23.000Z" ,
"modified" : "2020-12-30T14:16:23.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2020-11-11T09:43:20+00:00" ,
"category" : "Other" ,
"uuid" : "228666f7-2318-4427-b564-5916d928c2d3"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa/detection/f-c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa-1605087800" ,
"category" : "Payload delivery" ,
"uuid" : "5a663a99-38c9-42da-9db7-29e55419384a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "39/71" ,
"category" : "Payload delivery" ,
"uuid" : "9b0ec61f-7a29-4291-a019-d4fe1a219b48"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:16:23.000Z" ,
"modified" : "2020-12-30T14:16:23.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2020-12-10T18:07:01+00:00" ,
"category" : "Other" ,
"uuid" : "75139155-c8bf-44a5-ae0c-76072c196a48"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621" ,
"category" : "Payload delivery" ,
"uuid" : "d45325fa-f3e5-4fc4-9c4c-f471e154f71c"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "63/70" ,
"category" : "Payload delivery" ,
"uuid" : "977af219-3ee3-4ba0-8419-7c27c44710a5"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--369a74a5-3e03-47c5-9cd0-4b2aad23e16a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:07:00.000Z" ,
"modified" : "2020-12-30T14:07:00.000Z" ,
"first_observed" : "2020-12-30T14:07:00Z" ,
"last_observed" : "2020-12-30T14:07:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--d88a8992-7c4c-58a0-b1b0-0237117d35c2"
] ,
"labels" : [
"misp:name=\"pe\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"False\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--d88a8992-7c4c-58a0-b1b0-0237117d35c2" ,
"name" : "" ,
"extensions" : {
"windows-pebinary-ext" : {
"pe_type" : "exe" ,
"number_of_sections" : 5 ,
"optional_header" : {
"address_of_entry_point" : 4296533
} ,
"x_misp_compilation_timestamp" : "2020-10-23T09:56:46+00:00"
}
}
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--fcb9011a-2d16-4550-a05c-1921de1c107d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:41.000Z" ,
"modified" : "2020-12-30T14:11:41.000Z" ,
"first_observed" : "2020-12-30T14:11:41Z" ,
"last_observed" : "2020-12-30T14:11:41Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--561f7abb-f7a9-5165-842f-9f8571bc74cf"
] ,
"labels" : [
"misp:name=\"pe\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"False\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--561f7abb-f7a9-5165-842f-9f8571bc74cf" ,
"name" : "" ,
"extensions" : {
"windows-pebinary-ext" : {
"pe_type" : "exe" ,
"number_of_sections" : 5 ,
"optional_header" : {
"address_of_entry_point" : 4281237
} ,
"x_misp_compilation_timestamp" : "2020-11-11T09:22:22+00:00"
}
}
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d78f50d8-cd5d-4dcd-94de-e079b92bdaa7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:06:59.000Z" ,
"modified" : "2020-12-30T14:06:59.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".text" ,
"category" : "Other" ,
"uuid" : "5867540f-afce-4b90-bb96-8610f1ccb100"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "320000" ,
"category" : "Other" ,
"uuid" : "19b6e184-1122-4ab3-92a8-f23c1f30d3f1"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.6348495531091" ,
"category" : "Other" ,
"uuid" : "cf595dae-5672-4faa-a147-3ae76945d7b2"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "1e4f92167c3ab2dc2c01650e939055f9" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "5d6c0cff-a240-4a3e-8659-01417144cef4"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "4d18b6c125b4668ed00358c002c8a0dfae23db7a" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "131a23c4-8285-4c06-a0ff-3f33bd91aacf"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "3ea51233fc585fcd6772cf677512cb9b06f8a6c971fd5c39b591a2a2d0357fee" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c54f0f55-74ec-4965-8676-04326faeafab"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "9627bc232692d7589b54d2b0ffc9bca17535bbb67e35da303e4ed9dd24a9a8dc8ea65f6d0bdc3d01cf5976aec2b306d56cecbb47d285e5bff7c108c678be622f" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c7962ae8-2219-4bcb-b830-95129fe54afd"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "6144:8rvDx+dR25Cb1GjTiRsKKs5wYfOXGr6ckXDjkiW5EEyyq8MeCt10zXzcVP:aF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYP" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "a5bce10e-6abc-4be6-935e-b2d8279834a3"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--9b5a1501-69e1-4ba7-a44a-c66fbf773aff" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:06:59.000Z" ,
"modified" : "2020-12-30T14:06:59.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rdata" ,
"category" : "Other" ,
"uuid" : "cb95eb25-7ea3-4e47-8488-626ed5f2c5ed"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "103936" ,
"category" : "Other" ,
"uuid" : "28ef0d79-f5ff-4192-8c31-56438bbaeee7"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "5.3139379645706" ,
"category" : "Other" ,
"uuid" : "e517d43a-0843-492e-b541-ee80fe28b4bf"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "d4267ed23f4b852d028f443cb4aad133" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "ad073074-ef7d-4cb9-9562-904a27af7f39"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "e15c846060a20f089f14869bc16992023cd431b7" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "152d979e-46c1-4619-b3fa-e764465df30c"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "3a64bac9f63b3a6aa3ee4e1ac7c038248dcf2283712c64f740866f0597008735" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "ba23b932-edb6-4f9a-95b8-f45c3da32b1b"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "82d142ba284bd9534032e830d4f56ad7a8162f6bfa49fd63985bbe9d80c560d3e9500ed13cab54506bc62d86a890fa0a88a9906e232da0b48bdda804752411d7" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "2bde2a19-16f1-4dc3-a843-d1cbd3560e60"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "1536:pM9MP1i6fkKxs8jsdrPQF7X8HZ4XhgPCa7fksWPcdEvtmgMbFubmJXz9/7FbXuyf:pi6sLxZRFrXOAg0FubmJj97Fb+yNd" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "9cf6b9ba-f946-4347-9515-f156060987b4"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--30abb88a-cbc5-4960-9b49-2b11904f6354" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:06:59.000Z" ,
"modified" : "2020-12-30T14:06:59.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".data" ,
"category" : "Other" ,
"uuid" : "041e23c4-b957-42ea-a748-22c097201bdb"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "10752" ,
"category" : "Other" ,
"uuid" : "039f8aed-a617-4825-9984-16f7cb6ab18b"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "4.5643514844553" ,
"category" : "Other" ,
"uuid" : "87979ee8-e837-421d-89e8-69ec4da563c4"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "bdac7b3caf4a2640a848c52d56263d6f" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "df3005a9-b33d-439e-9a64-485f191b1b9b"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "4074eac2c7cb8f54042d7753fddf79d41e6ba1da" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "14e1cde5-15f3-4ff9-af52-0bb64767196a"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "0664109a211df95098544312f455035e79988bfbbe7b63dcbba01dfbf88351d3" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "1734e90c-2ffb-413a-8bf4-db6126dda15d"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "9bec434d1685538df9205af3077e47f380729edb640d1c591c8cd4cc3d2d510ece40b039b31ea34d52742de8e58eef24308b269241810e4409aadfece39645f7" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "57b7756f-5ed2-44e0-9872-ecd92a5ca822"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "192:uwiPy9D8pZIRxTRjRkRtRaN0NN0JbgcUC3h4+/1M:uwJ1IXu41" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "d3300ccb-baaa-4892-8907-4d051c147970"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--23df8d28-7dc8-4524-a1a6-9585c30be9d5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:06:59.000Z" ,
"modified" : "2020-12-30T14:06:59.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rsrc" ,
"category" : "Other" ,
"uuid" : "3d2f4a77-6a74-4688-9669-7f4034bc78be"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "39424" ,
"category" : "Other" ,
"uuid" : "7791d0ac-53c0-4b06-a689-b873f6e3f429"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.3888085830938" ,
"category" : "Other" ,
"uuid" : "006780c5-82eb-4187-893c-7179f993b734"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "0182033254ebc8d0593f391d8dc7e6d2" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "20352748-4678-496d-b604-cc1dbc63a842"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "7805b24719deb34dd098be5bc8ca6a0a4f6ea53b" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "204b1a09-f49d-400b-8d01-15ec3cd82bb8"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "8ee03e790e04d573a1e2f2c494823c7f5e5892c58ae2b68afd6d635bee4bb58d" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "be489986-36bb-4636-93c1-96b76924b049"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "41a162ef03942c7643acb6af31a9c4edb8e2022095c87853ea96741835ce465cc0c426808d5f1d7ef67a601859c46d1cf2e4944dfac50532948cbd3a16940b8b" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "7cebc20c-c422-49c5-94b0-6ca64a5a9bdc"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "768:lzC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:lzC4MpvhCRto5gCxyy22gAV" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "9ca8c334-4672-4d05-92c6-bf3641669a07"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a96d75ef-7797-4f2a-82ba-754da2ffa4e1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:06:59.000Z" ,
"modified" : "2020-12-30T14:06:59.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".reloc" ,
"category" : "Other" ,
"uuid" : "40fb6fd7-8c49-48cc-bcd8-cf847340c66f"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "19456" ,
"category" : "Other" ,
"uuid" : "79650495-4f82-4f09-a317-9e31f3dd8209"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.6017444852914" ,
"category" : "Other" ,
"uuid" : "fcea76c7-b14e-4d76-838b-f040391d1ec1"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "9836d373e3e5b2732261fd23de92e9cc" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "48ae48db-796a-42e2-898e-8d3de1fbcd68"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "a02930ef7a4abc95f485dd906b41c9f1b3b4089f" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "6469dead-29b7-4d2a-a2fc-f3fcb1708a7c"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "c044f90946b93915da65196d16dcc4f342273f369630fb419fe0e719ac83f073" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c89b1980-c47c-4b39-bc36-f40e3c5567a9"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "8903b89f3e1f5d9c7f388f943b687df9ae2d506b6dff83aa349c95bb50a55a4a06ed5f696d496c7078228ed30cf5ddcf63875f7e2c92b7b53b907ad371ed461c" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c9fb71f8-c053-4be8-bcaa-6311bec0bf1d"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "192:UoXZpZ/peUCpKNaBksXNJzFL/0ztmARyzlHlndnKEs6FnKTKnbBwaSbEbw814lUP:tZUU8yGDDAwzlFdK96FcKHwLrFgx9fl" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "bb175b13-ff08-4d69-bb0f-843fb68accb8"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f19826b2-8b7c-4826-8575-863438b660ec" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:40.000Z" ,
"modified" : "2020-12-30T14:11:40.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".text" ,
"category" : "Other" ,
"uuid" : "5fd0952b-78a9-497c-9fc7-d77c1f14ca2a"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "298496" ,
"category" : "Other" ,
"uuid" : "0a3cb98a-7792-4a72-9ce9-c09592fd8307"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.6475524649073" ,
"category" : "Other" ,
"uuid" : "4621b1bf-a853-4b32-a151-4a92b9531837"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "3872b37a6fbcbb27f80b9639008a708e" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "e3a3ef6e-b5db-4d7c-8758-961266c79ade"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "af031fe59567d0fe50d6d047bc0ca7c2869d341f" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "a33b990d-0cde-41ac-99cd-b4799a6b869e"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "38bcb58a3bf5ead5cf760efb23d404f2f3344bf28d870eb2da94e90bbf2fc77e" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c9d14d1f-d0ae-479c-b79f-0c233b0dcff7"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "511911a3319406aff5bdbb2843547ffcb9584a663974a1315fd1111035051329888290bde3fb5dcab49cd955f404fc99060d922bb72265d576fcc7e0c2ce727b" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "53c4c31e-174b-4351-8f88-5427ff7cb011"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "6144:lf0ryFWUY6V0eU82Tvvase6Jqrm7mi+HH38rnb9Fn41+nVszCxoj58T9O4:lf0GWQ0TvvNdem7m9H0n41+nVs+x05Z4" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "55fe8a96-c659-413f-b11d-e56df6703e5a"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--66a147e0-b788-4de3-ade4-c97530981c46" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:40.000Z" ,
"modified" : "2020-12-30T14:11:40.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rdata" ,
"category" : "Other" ,
"uuid" : "9428539e-41eb-426e-b9dd-2c0c8b54e387"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "93696" ,
"category" : "Other" ,
"uuid" : "f2a5d63a-3af2-4bd6-bdc2-3444adca0a6b"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "5.4415893542669" ,
"category" : "Other" ,
"uuid" : "2fe8470e-8943-4d9d-b94f-1bb4fdbe5d08"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "3c027f23d1cc821ccef3334303834905" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "9b1df8a2-20fa-4639-ad16-967caefee682"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "97b2bcbb75096510580cfa3eb09ca9f5f99343fe" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "fe621958-a1a1-4970-8df5-2c1ee7fc32c5"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "ff797adfe7c6c249e809f08493ec5c0bdbebe042acb2b7971987d0301c084240" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "cd52f3b1-c5cb-4514-897d-45472e558d01"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "a76b76acca4386452924f789f4b7ff801064042f4513081e000ff0e2edd84411ee68c2a678d270e593b9fa6874a90a4e4aac82a99bbebfd3016c240356a4d8d9" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c2bfa67b-a37a-40eb-8336-074d07ee09d6"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "1536:QZL1M6liPlQtc/s8jsdVx6nwL4XhgvRsWAcd0vtmgMbFuzmxyttyN7:QBNYz6bLxFeAg0FuzmkbyN7" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "485b7cc9-eaae-42ac-bef0-87b8ab834c78"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--465f9a97-b302-4abe-a54a-a52022e473dc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:40.000Z" ,
"modified" : "2020-12-30T14:11:40.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".data" ,
"category" : "Other" ,
"uuid" : "d09407cf-0884-49d2-9b93-1d2876ee319e"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "10240" ,
"category" : "Other" ,
"uuid" : "15c3b7c6-04cd-4dd7-8cb1-063791aa181c"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "4.5555134237561" ,
"category" : "Other" ,
"uuid" : "d6c83c84-34b9-425d-b7ec-bdefded320f9"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "b59be920c1c434664945d142276186b4" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c6e1a5c0-5333-4d2b-a2fa-c14a13381a4b"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "416438c1a7fd81ee9d69873597d35bd59856e90e" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "91f3029b-c100-4707-bf1b-e637f9b674f6"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "60e47720c483c8a6067c98f8cb300aa1ae5c9e6ccded044ef365e459dc2c61ff" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "389ee7a7-2eb4-4f0d-8566-1dd0669affe8"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "00160f9d9361ddebdded0156ee1c2ed60575e60281ceb3794044d9036febf6a25f3858fdfcbc13c0050ac6f6e2f37cd1463127c863883373b3dcf594bc48933a" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "7f3f664f-f229-4ae9-9551-87dc9aa7a766"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "96:AMPlvM5V16Ka4t6k7+x5WRwWRyN0NN0v3CxuOH6Ah8q+VOid:Dy6Ka4t6k7+xARjRyN0NN0v3sTH6Ag" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "aafcb62a-0237-438e-a9e2-98d65d3d1373"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--36023bd1-e08a-4d80-8666-f974049fce9b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:40.000Z" ,
"modified" : "2020-12-30T14:11:40.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rsrc" ,
"category" : "Other" ,
"uuid" : "4ef3e8e2-ffcd-417b-929c-b654410acc02"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "39424" ,
"category" : "Other" ,
"uuid" : "0b429ce0-f3c6-4fea-a26f-8973e64daff6"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.3887459421453" ,
"category" : "Other" ,
"uuid" : "02f9eb68-9114-4db7-a24a-ce4c87955774"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "e9fb469d281b99eb663d16de3582a879" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c34a938b-c1e8-4856-a61a-a24942c9df24"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "7ccdea45c0fa4f3929e9602a53aa9b4bb25b85e4" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "b7d2e21f-1365-4a33-9f76-21f7bda43b84"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "57a185a9643272ce1564c3c82e2bf020872558f1a78f2144406e28f9c6a43f61" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "049c4384-b8cf-4195-89ab-898ebacbb9b2"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "705091d713591aecf32e6faae05c01061bd3cbead7a0a08f639f1bb36cda3eb38c4a9f4c317c25fb80541077e42d81cb3f6beadca11bf6fe2c309fcb1896ec31" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "9249a704-7ec7-4d1e-8a49-f51256c3bbdb"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "768:1zC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:1zC4MpvhCRto5gCxyy22gAV" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "557399a7-8f54-4ef6-8b50-dc75b8c735af"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--af6451da-ae31-4b1f-ae44-fd5e5bd45eed" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:11:40.000Z" ,
"modified" : "2020-12-30T14:11:40.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".reloc" ,
"category" : "Other" ,
"uuid" : "e5d867ba-94db-44b8-bf06-d18b4ac5f611"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "16896" ,
"category" : "Other" ,
"uuid" : "9536f844-79fd-4c12-ac64-dc8ee1d0f6d0"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.622890870612" ,
"category" : "Other" ,
"uuid" : "15b92bcf-3e08-4b8b-9578-f53728aa855a"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "b2936a508681fdbe1f2d049cb2408c6b" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "a434104d-4e1c-4e61-a2fc-76f611fcf416"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "3947b42a90beabb11a40581a93b1409bd8167983" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "33eff2f9-ebc6-4f84-a89b-b03a164d8ab8"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "1b4cc01e63dac842f80de7e005cbe45d0e1ef7dc66392c80e9ec57c47be20421" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "5d2d0f94-f8c9-41cc-a584-9156aa7b73c7"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "b1b15f8629f6b6a31f10b53d04acb606d0ce7caf4018ea00df60fe0eabd6d603ca3ad848f477c6a13b90e79399cb1d9bdd23087ba607773422ba10a098395d08" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "a5d61cc0-b740-4d2c-9d3b-0a12a2990a00"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "384:H7GGBN3/QP0rH6Pu+5UCDV6k5YWksOG54Fzda+lkq5e+sctn:HL/z6GK1Uk5FO04FhDkStsctn" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "11a9355d-1711-43b6-9722-6945dd2b8a5a"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "note" ,
"spec_version" : "2.1" ,
"id" : "note--0d5ea620-4f7d-43a0-afd9-8b21a5de1095" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2020-12-30T14:17:48.000Z" ,
"modified" : "2020-12-30T14:17:48.000Z" ,
"abstract" : "Report from - http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ (1609337868)" ,
"content" : "html Global site tag (gtag.js) - Google Analytics Reverse Engineering \u00b7 17 Nov 2020 # RegretLocker\n\n ## Summary\n\n ***RegretLocker*** is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for ***VHD*** files, mount them using ***Windows Virtual Storage API***, and then encrypt all the files it finds inside of those ***VHD*** files.\n\n Typically, ***VHD*** files are huge in size with a max size of nearly 2 TB because it\u2019s mainly used to store the contents of a hard disk of a VM which includes disk partitions and file systems. This makes it unrealistic for ransomware to waste time encrypting simply because it\u2019s too big.\n\n However, through mounting these virtual disks as physical disks, ***RegretLocker*** can go through and encrypt the individual files inside, which significantly increases encryption speed overall.\n\n For encryption, ***RegretLocker*** reaches out to the C&C server for a ***RSA*** key in order to encrypt and produce a unique ***AES*** key. This ***AES*** key will be used to encrypt all of the files on the disks. However, if the machine is offline or it can\u2019t reach C&C, it will just use the hard-coded ***RSA*** key in memory, which makes it simple to write a decryption tool for!\n\n All of the encrypted files have the extension ***.mouse***.\n\n Huge shout-outs to Vitali Kremez and MalwareHunterTeam for bringing this ransomware to my attention!\n\n ## IOCS\n\n ***RegretLocker*** comes in the form of a 32-bit PE file.\n\n ***MD5***: 3265b2b0afc6d2ad0bdd55af8edb9b37\n\n ***SHA256***: a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4\n\n ## Dependencies\n\n ***Advapi32.dll and Crypt32.dll***: Main crypto functionalities such as RSA and AES encryption\n\n ***VirtDisk.dll***: Mounting virtual disk functionalities\n\n ***tor-lib.dll***: DLL dropped by ***RegretLocker*** that is used to contact C&C through Tor\n\n ## Networking\n\n ***RegretLocker*** contacts the C&C server at ***http://regretzjibibtcgb.onion/input*** through Tor 3 times:\n\n - Retrieve RSA key from server - Sending information such as the computer's IP, name, volume of the disks,.. - Signalling when it finishes encrypting Before contacting C&C, it sends a GET request to ***http://api.ipify.org/*** to retrieve the PC\u2019s public IP address. 
If this fails, the malware can assume that it\u2019s running offline and will use the hard-coded RSA key.\n\n ## Ransom Note\n\n ***RegretLocker*** drops a ransom note in every folder that it encrypts. This is the content if you run the malware with Internet connection. The hash is used to identify which RSA key is used to generate the AES key on your machine.\n\n You can find malware log here on my Github\n\n ## Code Analysis\n\n ### Only One Process Running\n\n ***RegretLocker*** first check if there is only one version of itself running by looping through all of the running processes using ***CreateToolhelp32Snapshot, Process32First, and Process32Next***.\n\n For each of the running processes, it compares the name against its own name to make sure that there is no process with the same name.\n\n If there is one with the same name, the ransomware exits immediately.\n\n ### Dropping tor-lib.dll\n\n The malware extracts the path to the current directory it is located in through ***GetModuleFileNameA*** and concats ***\u201d\\tor-lib.dll\u201d*** to it, which means that it drops this dll in the same directory of the malware.\n\n It then calls a function to extract the dll from its resource section through ***FindResourceA, LoadResource, and LockResource***. As we can see in ***Resource Hacker***, the dll is stored unencrypted in the resource section. After extracting the dll, it calls ***LoadLibrary*** to get a handle to the dll. This handle will be used for the malware to contact C&C.\n\n ### Development Check\n\n The malware writter has 2 weird checks to check for a particul
"object_refs" : [
"report--ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9"
]
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--c1929fc8-dad8-40c8-813a-64c3a4618aae" ,
"created" : "1970-01-01T00:00:00.000Z" ,
"modified" : "1970-01-01T00:00:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c" ,
"target_ref" : "x-misp-object--312d40f7-2562-4852-88f1-8af1c0f3355c"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--b7f5d24b-8f4e-4533-b098-8893bffaa53c" ,
"created" : "1970-01-01T00:00:00.000Z" ,
"modified" : "1970-01-01T00:00:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--a6c63e2d-7552-4baf-93e3-65d6721bd91c" ,
"target_ref" : "x-misp-object--07c951a1-18c3-457a-be67-fd355f832a73"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--f88a41b9-a392-4351-819a-0fc6988733c4" ,
"created" : "1970-01-01T00:00:00.000Z" ,
"modified" : "1970-01-01T00:00:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--0cc053ba-50b3-4a56-b809-b7b5a3346a30" ,
"target_ref" : "x-misp-object--84b99a25-ffe4-49c9-8e06-211bf977b936"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}