{
"Event" : {
"analysis" : "2" ,
"date" : "2016-06-09" ,
"extends_uuid" : "" ,
"info" : "OSINT - LinkedIn information used to spread banking malware in the Netherlands" ,
"publish_timestamp" : "1465477834" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1465477825" ,
"uuid" : "57595892-e5f4-4419-b6dc-48df950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#3b7500" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"malware\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "Zeus Panda, in this case, always connects to the following domain & IP using SSL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473194" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "575958aa-0250-4ce1-93b9-4346950d210f" ,
"value" : "107.171.187.182"
} ,
{
"category" : "Network activity" ,
"comment" : "Zeus Panda, in this case, always connects to the following domain & IP using SSL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473218" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "575958c2-439c-45ee-ba76-41ff950d210f" ,
"value" : "skorianial.com"
} ,
{
"category" : "Network activity" ,
"comment" : "The Macro retrieves a binary from the following (likely compromised) website" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473251" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "575958e3-1e48-4b17-b606-407d950d210f" ,
"value" : "ledpronto.com/app/office.bin"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "The Macro retrieves a binary from the following (likely compromised) website" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473759" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57595adf-0100-458e-b7c5-47d5950d210f" ,
"value" : "c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "The Macro retrieves a binary from the following (likely compromised) website - Xchecked via VT: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473811" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "57595b13-325c-4544-bfdc-4c7502de0b81" ,
"value" : "b6d32b488e2b778bd8414a4241a74883f01452fe"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "The Macro retrieves a binary from the following (likely compromised) website - Xchecked via VT: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473812" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "57595b14-9248-4eb6-b4c2-477302de0b81" ,
"value" : "8582db69683290be0381bd1485013435"
} ,
{
"category" : "External analysis" ,
"comment" : "The Macro retrieves a binary from the following (likely compromised) website - Xchecked via VT: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465473812" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57595b14-c6e8-47f5-8835-471a02de0b81" ,
"value" : "https://www.virustotal.com/file/c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d/analysis/1465384661/"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465474041" ,
"to_ids" : false ,
"type" : "user-agent" ,
"uuid" : "57595bf9-9468-43c7-8e9b-4f31950d210f" ,
"value" : "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)"
} ,
{
"category" : "Payload delivery" ,
"comment" : "downloaded malware" ,
"data" : " U E s D B B Q A C Q A I A A B p y U g x / V O z t R A C A A B g A w A g A B w A O D U 4 M m R i N j k 2 O D M y O T B i Z T A z O D F i Z D E 0 O D U w M T M 0 M z V V V A k A A z B q W V c w a l l X d X g L A A E E I Q A A A A Q h A A A A d F A N g y C Z K p / E Q C B p 5 R E b A O 0 o 75 D P 1 D N P P 6 l r F S M V Y Q 8 q l v i v s 3 h j c D z 5 T r D U 5 t + 60 G 9 g g O s b e 117 Q L S i b g g 6 k s 0 J m V s H M t 1 O j 3 c o A A / g V x p d Y y z g o O Z 8 Q c x n / p h C f p m l / Y 0 s D T T U 1 p c m T F x / U i m w I Q 340 G Y i w W V t k U I i S h J W k d 3 z G 74 S A h + U i p / J n e r i l 0 Z N 9 L h y f G u T u c O u V n V J I J v L 4 Y N y g E W e 2 V u + x K f o H o l j 24 X U J Y P u o T b Q 5 s 2 K f + 2 A x M 6 v d m b M V A v D V k Q A T k L + r + 3 Q 0 K U B N + B N 4 / C a 47 z L 5 U M G b S l R F F m B 47 G V G D B 1 t / v i O N 4 V B s q g C L I Y C y n y H N c u B t 3 f N b 3 j V r 9 D 29 v d V 2 y O 3 X s U p e H z c C 3 z q Z a t v D j F l T e g c I w w O + Q M M 7 p K W T k K y 95 b 2 M M v n z Y 2 c d X T E R 72 g p 2 W I 9 O y E M T Z B L k 9 i U D R r 12 m w h Z D E m x e N r D 3 E L w z 9 H 9 O G A F I + Y L h r O G i h O T / o B p y v T E j s C 2 x a E h f 8 s 7 / 9 E f 7 W 9 U n + M h R k Z 615 J q P k f o o W X Z x c d b Y c g U m r j Y q a / k A k / j h 4 S d G G 7 t g E q 8 + N I 2 l o 8 O d L t z X y o e G f J J j n K q r K J k p m v K g A o F c g / N S C w m V f T v q f w 0 Q l c 3 C s A r M P k 6 I Y M x k L P y n Z Y 4 s g 7 z F y Z G P P m H y w C Z + G q B z m j s s x n m + C K e y 1 c W t L H 2 / l G O k M b y 5 H Q y E O l G T K 1 g Q Q g U 7 m j e B n p e I U Z l w B 3 d k E l r M N k q / 7 s j P 4E1 p A 8 t f N u l F d k / W V m G Z p Y g g O c d b U c E 8 a q i R 6 E m z v V X Y L v z Y w P p h L z V c g s z y S 2 p S O X R u X o f 4 Y G w A h b 7 l C 6 k A c a R Y e x m m I o 5 r o F W 2 j a q n c r Q s y 6 R h F r u E Z z U 42 N 8 + b h i c E K q Y s N D 6 w F l H X O 2 z h 0 i D + 6 R p r j Y / 6 b n E 
2 V c q d t X z O u n T P j m K A F G n x c / Z Z v R s k i E n W 0 D E k 2 P x m I 5 e L I T U 1 N L 2 E I 8 F U j p a s i X N 5 g E K T y Y m r i D Q V Y B l q t h H b A t q + V G 8 m J z z N o X n s h k f 6 u K z p s k M 4 g P a X 9 c V 7 b E N Q O L u b h f A p p E P 0 g Q / l 3 b m R V t D s F n J K W G q B e 8 I 7 y L 2403 Q F M H T F t a e 3 V J d M K B X 0E43 a r 8 i N f k g + t Y h f 7 + s N L j 8 + o w P X G L G C J 1 q O z k U 8 s 3 Q o c w q 0 t M Q x u t f j O N j X 2 r Q M q 50 M d r Z j 2 / E 4 v X u S F R + t g J a t Q T h c K i f M U c F F b I 9 s N Z V + 4 Q 5 q A 9 n 0 i p 2 c p N N R a E D Q c P D 96 z l / k X C a e 4 O I q v c 6 D 9 Y q j 6 Y h B S C 531 h f S H o i 3 J V 0 j l 0 n U O 5 N v n 6 x S I r s j v n f t 0 Y f c 55 / 91 O f e c H v z D N N 9 p X 0 L 0 A s T 4 f S G 7 g e D / w a l B 1 Q g l j T o 1 g 0 B Q 3 Q y q Y K X z V X o P Q J L h S q a n d 9 q n + A b C 8 K 0 / t y j M k I M 2 o n P a r A x Y A W g t 6 D E y V V L h t O m a r 26 b a i a A e 7 p e S o y e g P W I r 0 B N 3 L j n m R w p p R u O E 8 T e h Q W s / 4 W 4 Z p 9 s w U 8 p n / M z Q a 2 + V e O 8 J u s / j K / + / i z i r T Y 7 N v Q W v e e l y p S R w k 8 O v G m E Z W E 34 j M o T U L s o w N 91 Q r B E x m L s 3 O K 1 j l J g U o O + J M V M F d P j c y A C Y + I 9 x a 0 k 5 O v o 1 L P z I J T n E T 8 j V H p N 1 R 8 e N J q Z w / i m A 9 g Y l q T L w p x M 4 f 9 D 9 V v O C b 7 t q t U A P W B i 0 i r S c F j 2 j e 5 V N l U D 2 B M 6 w z I k g P E h h M P q h O x h 48 S 6 H l M V O u / L M N Y v v K j B Q 6 T p m 6 G N n / p y j w x 7 F Y 9 y S s T q 46 / z p c L S x G b W z W x t n O F G c o h A 8 N + o n t e G b i d 0 1 l h d S 6 n K C M E o z k 9 q 0 0 0 73 w U M l n i d Y Q A J R Y E 2 N i d 9 L i 3 M d U d e Q j F p X L 9 l 2 b 60 M / N s h x T P I T B o z Q J s r e c 5 x U M L 7 w W B 4 T 9 V L x D z c / a I N T L d Z S Z y x i w t 9 V 6 Y O B W j L 83 X m T f X I O U 4 I J M J P / o V L d D 8 i n Z 7 b 6 U 1 G + A K O r C c f T 2 / + f m G W F v 6 k 8 
g O R A G v M r / 2 n y 7 D N H w H 9 K a K r 8 M B W V D x / G n m x A l 12 a f a R E Q x I I p 9 T 0 b 9 e w i I T A s t E 6 C c I y i D r h 63 v F X R X T j F q 2 J M 7 q k F f 2 t 0 w q 4 b N f 9 f L C j k q F 70 i B s x y E P v a n j / Y a l r j 0 1 Y P H a O A v U j 7 v 3 U j Z w w J c W F t Z 2 J V i E 9 b 4 s s a i p i c x L B H 0 I u 2 a L e h Z t w q o e u I T A + E Z p 5 e W 56 z 25 e o g U I n Z A e F i 7 h W r B y T e 3 U q 1 / B i B X g F S G L 8 z b B v O p q 3E11 A J l C + G s L 7 q e V K l M Z 3 Y 6 j S e w y S a c 7 D R L U h J 2 S f X U j 8 t g f 3 j f 6 E g G 8 t m N F S l 5 H x n Q O y g m / O w e k O I m S 6 w b w 75 i T B 3 K K G K R 6 P n n L T W u W p q q g J T p K d g n U F A v B f t q 1 m f C l M y H d z 2 r f D g z H h 1 N n Y 2 k 69 r h 1 l a f g N u a M 8 J o i J U j y / u i I m a / H C 8 S z 3 W T f j / R i n X n i Z u s 1 O R 4 z m 1 H M x 8 I I u 9 V s H B 97 s k 41 S 0 y K N f 4 L n q 6 g z m R j c V H O 0 W E 27 P t C M G X w Y 1 M 9 s F W J p 4 g o d v S l E 0 L Z 1 X k / f 9 H W G L S Z T / 3 z u 13 I E j D Q N n B T g 4 W 6 Y F 1 T E a z 5 + G r 775 p B N o g y X q G U E T E 23 O 35 r P + B 5 V Q S w A z F o I u 0 F d C N D w + 0 + X 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465477680" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "57596a30-835c-498d-84b5-44c1950d210f" ,
"value" : "office.bin|8582db69683290be0381bd1485013435"
} ,
{
"category" : "Payload delivery" ,
"comment" : "downloaded malware" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465477681" ,
"to_ids" : true ,
"type" : "filename|sha1" ,
"uuid" : "57596a31-53c4-45de-a59e-4289950d210f" ,
"value" : "office.bin|b6d32b488e2b778bd8414a4241a74883f01452fe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "downloaded malware" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465477682" ,
"to_ids" : true ,
"type" : "filename|sha256" ,
"uuid" : "57596a32-bcd4-46d2-b224-4409950d210f" ,
"value" : "office.bin|c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d"
} ,
{
"category" : "External analysis" ,
"comment" : "downloaded malware - Xchecked via VT: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1465477825" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57596ac1-3280-4256-8bfc-434502de0b81" ,
"value" : "https://www.virustotal.com/file/c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d/analysis/1465474372/"
}
]
}
}