{
"Event": {
"analysis": "2",
"date": "2018-01-25",
"extends_uuid": "",
"info": "OSINT - RTF files for Hancitor utilize exploit for CVE-2017-11882",
"publish_timestamp": "1518771135",
"published": true,
"threat_level_id": "3",
"timestamp": "1516935686",
"uuid": "5a69fdaf-0350-429a-b961-062f02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0c9200",
"name": "misp-galaxy:tool=\"Hancitor\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896343",
"to_ids": false,
"type": "link",
"uuid": "5a69fdbc-171c-4a58-906e-062f02de0b81",
"value": "https://isc.sans.edu/forums/diary/RTF+files+for+Hancitor+utilize+exploit+for+CVE201711882/23271/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896343",
"to_ids": false,
"type": "text",
"uuid": "5a69fdcd-f7cc-48c4-8293-485602de0b81",
"value": "Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) has been somewhat quiet since its last wave of 2017 on December 21st. During the holidays, Hancitor took a break. And in the first three weeks of 2018, I only saw one wave of Hancitor malspam that occurred on Wednesday 2018-01-10.\r\n\r\nBut on Tuesday 2018-01-23, we saw a new wave of Hancitor malspam. This time, links in the emails returned an RTF file that exploits CVE-2017-11882.\r\n\r\nAs usual, these waves of malspam are most often caught by spam filters, so few people will actually see the messages. And best security practices can easily prevent these infections from happening.\r\n\r\nBut we continue to see this malspam, so today's diary examines the infection traffic in my lab environment."
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896343",
"to_ids": false,
"type": "attachment",
"uuid": "5a69fe51-9a00-4f72-929f-4fde02de0b81",
"value": "2018-01-23-hancitor-malspam-image-01.jpg"
},
{
"category": "Payload delivery",
"comment": "But on Tuesday 2018-01-23, we saw a new wave of Hancitor malspam. This time, links in the emails returned an RTF file that exploits CVE-2017-11882.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896344",
"to_ids": false,
"type": "vulnerability",
"uuid": "5a69fe81-cbb0-45e5-819f-063302de0b81",
"value": "CVE-2017-11882"
},
{
"category": "Network activity",
"comment": "The Hancitor binary was delivered as a base64-encoded string inside a script returned from ofthi.com (a compromised host used as an intermediate download location).",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896344",
"to_ids": true,
"type": "domain",
"uuid": "5a69febe-be34-4b88-8334-032c02de0b81",
"value": "ofthi.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896242",
"to_ids": true,
"type": "sha256",
"uuid": "5a69fff2-f0d8-494a-bd10-411e02de0b81",
"value": "6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896345",
"to_ids": true,
"type": "filename",
"uuid": "5a69fff2-1f78-461d-a2f1-4dbd02de0b81",
"value": "fax_518506.doc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896243",
"to_ids": true,
"type": "sha256",
"uuid": "5a69fff3-3f20-4e0d-bde1-43b502de0b81",
"value": "2c506742267dd9d41dc62f2614f6306458da185230fb46cb467c98a8f48317a4"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896345",
"to_ids": true,
"type": "url",
"uuid": "5a69fff3-7390-42d5-a6d6-4a1d02de0b81",
"value": "http://ofthi.com/1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896244",
"to_ids": true,
"type": "sha256",
"uuid": "5a69fff4-8e84-4696-b451-4ca402de0b81",
"value": "8418887655f69ab5a61915bad2af633462760b128d38f53911da020d70e4862e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896244",
"to_ids": true,
"type": "sha256",
"uuid": "5a69fff4-133c-4d88-8181-495602de0b81",
"value": "42b02d621696ec33e9140fedcf8b48695059595f9469dbf28daf4667ac0d214f"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896346",
"to_ids": true,
"type": "url",
"uuid": "5a69fff5-f430-4def-9cbe-459902de0b81",
"value": "http://yoyostudy.com.au/62a.exe"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAEJRN0w5FKTdGiMAAD+xAAAtABwAMjAxOC0wMS0yMy1IYW5jaXRvci1SVEYtc2FtcGxlLWZheF81MTg1MDYuZG9jVVQJAANcXmdaEeFnWnV4CwABBBfpmSIEYC93C3U46ykJ9ctVWwaIKJ9sbCmTZWy+f/JEY38JFe2U+l1jUy9Ivu2ScfxijSBanXLCR8cu1/MLyECXQKP/oCHdr7hLoPOTxs+VKfudVi4blLZhs5hV0QGmPHMwDFcQorc/3nRUHmtdLWbzb/Tw4Xj4sX1YTXRLZmWrM/zACdYngLY13YTWt/UKteTJokhJxe0zCMMtq0Q6WSESwRRjgVizlYY5fsqZXiBzyFRnbp41t1J1odYR4Zqd96n3eOtPBTSbRVI1zRK6GhTMXNpmqBlYCLK5jvv0BsoP9I5GTAV9t+GovqSDFCy1OFCheYVEl4y/JNkE2WX34kzpYua/m7ioj2Oqv1DP+zuKuIQAcDF5lLaMksDGIfGL74GvUI6DMnMt0ij1yMmqOkqGqKQitvHtwYCojkGyB+ShR+j4sTM+7giRMJMUTcWqEDKl7RTJaaYkCRdUuW7MF9clHrUbNirRfCUDfQBmrHT5xLQXQxaBDpySDAzvpjGXGoPO4faCwUfoR8y9y+JDE9qt2ym9cZhvz+D9MLNT3jMGTJm5G4z21KstvwnF7iKyeh4MDh6+gn8fB08LPvw3hymFG21RxArLCBHa5Fs1WS3X6puFAWNMTLb8gY39PeRYKs7uQDQD9kmO++e13Kq5V5N0c0L8MJ6Y3fhIycLl6wRRaiaeMe3M6qGPDHFV1A51fv5VCoaoMQ6T2uJe9pIM9EDMw0FY3gBUHq3VT340C46cf0wSJdsrMDwS6qPZ6ZsrE5dr62YCQq9u4qFxVQs2/Y+wvhPc17EDa3GCzAFr39fOFIYMTv5/Njck5aRTnTuMVDFgjWaPDMUDAnkPNrUmIHvy61Jx5fN4nxrP9bnqwe9i2ATx+PzzQ5QUfpKmmIPpLtpl5+Gc0xvQ2I6U6+w+eUkMGiVwyvrRb2HU2PAT73Jn84GmOg3gUNUDTNBXgkMDm/El9WwaZlFACNvT4I9Wd6mAIIiMcNqKX2/rpu2yFZI1HFF7hsJ+SSgqgsXWkf8dOjizzlgnCyu6hQbOfsg3CjPpl6neyFHHwuke/tsu+Q8aIuf8wSCRVRvcM1AuCK4hSZHaMPCNNL+jWKlv2wMW8rqo1Zwse3Crm1chvSHSR4CCcH0NbcMcrliwYwi7E5kki6t6pYlZ+AONWbz51Fha8Vyz5KGpHdIIqMLv7yZ3kMpzW8mJh9rkj7+MbCpa0ibNk/MJZqEq4ybzWDnGP/kGcdFeeZlfQvaqU7d+S8O/RXvZ403uFXeVtnzxwFCik370lMgr6XpFfhARxNWnNsTrfs6JuzH+IBp1RdGDaSl9OOOlFoHDsqB2IWUn0+qQYOL/u2h9uDngoXkURzgiKNOJGTNBL0ckuZ6eF9J+U6gP7dlU+ftv+BgvSkr0eBGuKnWfQD4iDWGEcxUTyd4YmGlY9LAjLw1HYWlFopmaLnwwGG3os64r/6O/3zHfaXTdc7CGDvcFahAeK2bMjHnvL7dLCV8MfE4p3jD+zCHHJm9TENkPB0bKa6BZNGoqIw0zIXxBBupu/a4By4kTD25TeXcBQE1rEgJHzs7W+nED6UfTu2H4yuqpWy5Y460162O6VbNFh94PG30XlgE8mhCZic7rb2MDWPAvB1syruX5JqNvggZcrP5plGL+gZ7NmoayT6ie5krQQgZsrxhXzF5lhRbkYOBWdm9v6lcfMJwDkNIomhvxUUzk8YeYu0ElK15vnucY7YHpaAIwMxs0pmcEz2oft+3ZXXeLokYCIWoOK1du7Ni2mrEjf0TJ7wltaPgrdCgN7LV2zXs2XbYjAVBbpSkyKYdKl5fAJcy1pd5w5ye3lBA5rttfdPQ0tkrWJqMiyH5inZzcYhYga4d
n59guyMdKkfV2g2oEpK0/ffcdj+tOWcjr6SkkywxjzT+NwwKCfIs/+N0d/My5jGafqdWZ7Q5ufed+oQMD8koL3lG5Ahu+aBqtlqY9/FPiJP+SE275pS+3TKIu8Pr3MWupddeU93c9a94yn+exVfvjr/+hgCbR0kF3F1Kprxn3kb4URtXs7jY52PtBk/rv2NZXKXQ5oHjF5rMluF0Swdfgv4dblHNCZ2fW8c6cni8qgR6zMtKzaRrbmY3TEgBwBtsBUYsHvDYDG5QnzS0Vm+hxvdHX+BZmzRYkqnPOL4Ix5/GCWigMce6cNB/AkUhdT0AXJKLxXoFOKcI0VHgNJGdOOyPv20hMQQ169eQCMAsSgSmzV9l/QswVlw/bQeOEy6U5MksSP4IRGiD1RlP2KjjXF0z0R04Mu0bJWDMKtZFIG6Ng+HjpuScx1JBUm+gTPuH34wndH09VMKx0lwWfcEtQzgCOew3O3uZePVtUAJERuZbRujDcUK2JOy/NKSkcM6BUUTX/mLK+i/PB906kn9Rfe1wHnt05NDcrETbHRRQi+zVPUYSzTZ8X7/meJ+tbSjYFzc6DY6aJ+LfSnW1nfjkMFZGVoWUsBKrsYGgjD1uqFaSFGVGYG0MVweDuiHifYK8CO0kPTkA+Lecvlp+/EKIVeoYAGHNTKvei5Z2KCq8jOLsjyOSmLKuvty2VxXgRiq+CbxRoJ8P3U+W6rUrYNKaoVWbEOFZBqphGJ0nIICcff8QzKfhAEhIkOx7x+qKfSkWSWjtwOjHtytccQecGbvpR02DwD/3q8dMdj8yibnS1ZBmNBx+ftru4YsL6RW111HJjGQszYVCXuwA8nwHoPILOh5PYpJau0VsAy1BesAA1DVf5TyQxzAPYNrHxvk4tS6v7eCY7RAgkWitcTARc9BfMtNhrm2zpiNCNxjdMqPrqj2PNGg53P2k+TIYimHgYvrScGtWB3dZ7wsXf0guGgjvnDJXknEwAudIdBS2VRGXEePEDDG8ib33XdQtiBnY9yQx7hDQC2oIfahYDEVFK7c3o0ScSL4jMqBvnh40zc9FlXHNejbNxHOBCkEE/OlFEQHsG+eQaM5IsjNroaBwrQ5mJ5hebITxgtFRvl/8G260SjYDQ4VUNjUk8Ct7QjHfaC6k2WCwh+sXCmeTFfYtHuVTAn9sQ0NajSUra5YMkw9rr9dsCOPeXKdEwD0lNBOkitDgLpLxIQ8rW4C/tgX1DIBzU8QNCyGlIGzgBzHXcTX6Hv+P/e2QDoaUCWT9s11x1PRibkuDMgyQtaV2DvJwDbowULLzHijPWpbCWcW7NmTRkb6hq+LbEKEjANX/ZiibdFGGhC4W6LSWpYWmpHGsMCRMznqHlTlCnBL/bskvaOL+cKLRRIYffNe+M2FFlBdG8TEjuW8+d2tUS1wVEWuQ1yekvHSggiJK+TrnbzPrrP7QSuN98gUmxD/u1I0aik4aajxCEIXWp1EFah8PMlwHdmb5YoGSUsZBI6cdPNAHGIR+QN28DK4vySIbvr2wUFTgAPedDrgt0Av7bL3v7DaLHaJKUgyIEo63a7Bqq4lxA83Ar28zg8lOMiqYO/FSa1Or5ITdrpf6gGMbskr+qoEnIb43B486V/YzhB3OP/TcKwvkVpEwvUhtk4M4xvzU3pm3l7b66LW8pf6EIrD4nPHmXPTO8M/4Z6gZx1D37Zmz7OfX1G8iHjEDIIOLKcHxZW9lrlSPJjPW2Sip+zI6LGXC8W/+Jd8BpPd3k3uzAw0lPYBRc0NbioYYS+8LbGv8bOf9wDVtKBTXComikqW6Y9Ahgg4JojfMLHvsoxZm4C58V8Xni028yBy4ciRm4rFwujqxpojilhAEp1wuIcSWSM5yZp8Y97lI1J5+njZY9MD5grVE1wkoIphnJ8D/38nU7pFJ3tm36ofzNmekAN9xfbeqka7MSv4NGSwb2nn8wpp0I+VtNxqPlL1gtzOA3v4EMIsX/8yKJWxjku+amRCicpCj
RSNZq07Nw4sD38QRIITJAxv7zGkx8gOkvd9nPD9O4Tg+XV+kTb8HsP7XV8u3sPu4lKyaMOvYWyKGSxIylNwHqu6
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896639",
"to_ids": false,
"type": "attachment",
"uuid": "5a6a017f-25c4-4a22-83f7-032c02de0b81",
"value": "2018-01-23-Hancitor-infection-malware-and-artifacts.zip"
},
{
"category": "Payload delivery",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1516896655",
"to_ids": false,
"type": "attachment",
"uuid": "5a6a018f-5418-4a92-b282-446502de0b81",
"value": "2018-01-23-Hancitor-malspam-30-emails.txt.zip"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516896349",
"uuid": "81094cbe-8289-4cb0-9a8b-87878aee444b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "81094cbe-8289-4cb0-9a8b-87878aee444b",
"referenced_uuid": "1d635d3a-b3f0-426b-a2bc-9e4e23aee183",
"relationship_type": "analysed-with",
"timestamp": "1518771134",
"uuid": "5a6a0067-dd18-4c72-a46d-4fa702de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516896347",
"to_ids": true,
"type": "sha1",
"uuid": "5a6a005b-8e90-4267-9240-47f602de0b81",
"value": "71b00ac82d7e6ed48197c21d62bf55ab8e6535d6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516896348",
"to_ids": true,
"type": "md5",
"uuid": "5a6a005c-4428-4f11-8e12-460b02de0b81",
"value": "773937dec274c21dc962ad3f8d37c08f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516896348",
"to_ids": true,
"type": "sha256",
"uuid": "5a6a005c-afcc-4ec6-8a23-4f4002de0b81",
"value": "2c506742267dd9d41dc62f2614f6306458da185230fb46cb467c98a8f48317a4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516896348",
"uuid": "1d635d3a-b3f0-426b-a2bc-9e4e23aee183",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516896348",
"to_ids": false,
"type": "link",
"uuid": "5a6a005d-b9f0-489c-a256-4ae502de0b81",
"value": "https://www.virustotal.com/file/2c506742267dd9d41dc62f2614f6306458da185230fb46cb467c98a8f48317a4/analysis/1516839729/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516896349",
"to_ids": false,
"type": "text",
"uuid": "5a6a005d-da38-436a-9f4f-4ca602de0b81",
"value": "31/64"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516896349",
"to_ids": false,
"type": "datetime",
"uuid": "5a6a005d-8fd8-41c9-8a20-477e02de0b81",
"value": "2018-01-25T00:22:09"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516896353",
"uuid": "5bc79f93-8d40-4dbb-90e0-ae79c6a3a0fe",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5bc79f93-8d40-4dbb-90e0-ae79c6a3a0fe",
"referenced_uuid": "9992e4e0-7cb8-4a20-94d3-59fdc388f9a8",
"relationship_type": "analysed-with",
"timestamp": "1518771134",
"uuid": "5a6a0067-c07c-49f1-b9f2-4a2c02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516896350",
"to_ids": true,
"type": "sha1",
"uuid": "5a6a005e-0ec4-41d4-aac4-4af702de0b81",
"value": "8c3030f403e00e680de749ccdb0628724c5335dd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516896350",
"to_ids": true,
"type": "md5",
"uuid": "5a6a005e-f57c-4d75-af8f-403002de0b81",
"value": "17292469799cbbba73122ab21a292ddb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516896351",
"to_ids": true,
"type": "sha256",
"uuid": "5a6a005f-b23c-4ff0-8075-4fd202de0b81",
"value": "42b02d621696ec33e9140fedcf8b48695059595f9469dbf28daf4667ac0d214f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516896352",
"uuid": "9992e4e0-7cb8-4a20-94d3-59fdc388f9a8",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516896352",
"to_ids": false,
"type": "link",
"uuid": "5a6a0060-7d78-4d2d-bb88-48ac02de0b81",
"value": "https://www.virustotal.com/file/42b02d621696ec33e9140fedcf8b48695059595f9469dbf28daf4667ac0d214f/analysis/1516873074/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516896352",
"to_ids": false,
"type": "text",
"uuid": "5a6a0060-8ac8-48cc-a42e-4fb302de0b81",
"value": "37/63"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516896352",
"to_ids": false,
"type": "datetime",
"uuid": "5a6a0060-8dd0-4563-9c60-4c4f02de0b81",
"value": "2018-01-25T09:37:54"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516896356",
"uuid": "b9ff84f5-2a18-417e-b486-d8ed3980d8c6",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b9ff84f5-2a18-417e-b486-d8ed3980d8c6",
"referenced_uuid": "89a56b37-1e0e-4b89-9ece-2f720ffdb8e8",
"relationship_type": "analysed-with",
"timestamp": "1518771134",
"uuid": "5a6a0067-45b4-408b-89af-402a02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516896353",
"to_ids": true,
"type": "sha1",
"uuid": "5a6a0061-baf8-4407-a7bb-412702de0b81",
"value": "09e6215f684b5ea268d55d5fe1c0ccddc4efa685"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516896353",
"to_ids": true,
"type": "md5",
"uuid": "5a6a0061-7474-4d5a-a4e5-449002de0b81",
"value": "800edbb09259000697b201ff25d54bd5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516896354",
"to_ids": true,
"type": "sha256",
"uuid": "5a6a0062-5d90-469d-a7b0-43a902de0b81",
"value": "8418887655f69ab5a61915bad2af633462760b128d38f53911da020d70e4862e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516896354",
"uuid": "89a56b37-1e0e-4b89-9ece-2f720ffdb8e8",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516896354",
"to_ids": false,
"type": "link",
"uuid": "5a6a0062-3c74-4549-b6a1-45fa02de0b81",
"value": "https://www.virustotal.com/file/8418887655f69ab5a61915bad2af633462760b128d38f53911da020d70e4862e/analysis/1516839688/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516896355",
"to_ids": false,
"type": "text",
"uuid": "5a6a0063-e8c8-492f-973b-485f02de0b81",
"value": "34/65"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516896355",
"to_ids": false,
"type": "datetime",
"uuid": "5a6a0063-8da8-4492-a288-4e4402de0b81",
"value": "2018-01-25T00:21:28"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516896358",
"uuid": "baa167f7-1035-40c1-9754-d076ef5e23fc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "baa167f7-1035-40c1-9754-d076ef5e23fc",
"referenced_uuid": "60e1fd7b-6daf-46b7-920c-6e50b9093afb",
"relationship_type": "analysed-with",
"timestamp": "1518771135",
"uuid": "5a6a0067-9af8-4080-83ba-4dc002de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516896356",
"to_ids": true,
"type": "sha1",
"uuid": "5a6a0064-f648-4989-bbef-467102de0b81",
"value": "7d7c28b3a679e5763ff1b71b4f0a28394b3b2281"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516896356",
"to_ids": true,
"type": "md5",
"uuid": "5a6a0064-7290-4a7e-964d-405102de0b81",
"value": "f03bea1ab5ce09c23c147f838b4e8b8d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516896357",
"to_ids": true,
"type": "sha256",
"uuid": "5a6a0065-afa8-42ec-a11b-4cb602de0b81",
"value": "6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516896357",
"uuid": "60e1fd7b-6daf-46b7-920c-6e50b9093afb",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516896358",
"to_ids": false,
"type": "link",
"uuid": "5a6a0066-480c-4d9f-9543-464102de0b81",
"value": "https://www.virustotal.com/file/6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297/analysis/1516827505/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516896358",
"to_ids": false,
"type": "text",
"uuid": "5a6a0066-9090-4157-9e7f-427b02de0b81",
"value": "20/57"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516896358",
"to_ids": false,
"type": "datetime",
"uuid": "5a6a0066-d318-4dd5-ab16-40c202de0b81",
"value": "2018-01-24T20:58:25"
}
]
}
]
}
}