{
"Event" : {
"analysis" : "2" ,
"date" : "2018-07-18" ,
"extends_uuid" : "" ,
"info" : "OVH Phishing" ,
"publish_timestamp" : "1532095390" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1532095371" ,
"uuid" : "5b4f5308-42c0-434a-a8c5-48ae950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1532095368" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "d64b0aa2-2712-440f-ae2d-405b02afe37f" ,
"value" : "https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame." ,
"meta-category" : "network" ,
"name" : "ip-port" ,
"template_uuid" : "9f8cea74-16fe-4968-a2b4-026676949ac6" ,
"template_version" : "7" ,
"timestamp" : "1531925260" ,
"uuid" : "8a483d15-8731-46eb-802a-4dad004e29ad" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1532095368" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "11d55dd3-0574-492d-b330-2086770d3995" ,
"value" : "xyu7564.phpnet.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "ip-dst" ,
"uuid" : "9e69ba41-08f3-43bb-b2b6-5e81162ab394" ,
"value" : "195.144.11.40"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Email object describing an email with meta-information" ,
"meta-category" : "network" ,
"name" : "email" ,
"template_uuid" : "a0c666e0-fc65-4be8-b48f-3423d788b552" ,
"template_version" : "11" ,
"timestamp" : "1531925264" ,
"uuid" : "f5cfa131-4703-426c-a7b5-cbe616e76ea7" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "f5cfa131-4703-426c-a7b5-cbe616e76ea7" ,
"referenced_uuid" : "d64b0aa2-2712-440f-ae2d-405b02afe37f" ,
"relationship_type" : "contains" ,
"timestamp" : "1531925263" ,
"uuid" : "5b4f530f-027c-464b-bd45-4e94950d210f"
} ,
{
"comment" : "" ,
"object_uuid" : "f5cfa131-4703-426c-a7b5-cbe616e76ea7" ,
"referenced_uuid" : "8a483d15-8731-46eb-802a-4dad004e29ad" ,
"relationship_type" : "contains" ,
"timestamp" : "1531925264" ,
"uuid" : "5b4f5310-55b4-43f6-9dc1-41c4950d210f"
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " U m V 0 d X J u L V B h d G g 6 I D x z d X B w b 3 J 0 Q G 92 a C 5 j b 20 + C l g t T 3 J p Z 2 l u Y W w t V G 86 I G N v b n R h Y 3 R A c m F m a T B 0 L m Z y C k R l b G l 2 Z X J l Z C 1 U b z o g c 3 B h b U B y Y W Z p M H Q u Z n I K W C 1 H c m V 5 b G l z d D o g Z G V s Y X l l Z C A 2 M D A g c 2 V j b 25 k c y B i e S B w b 3 N 0 Z 3 J l e S 0 x L j M 1 I G F 0 I H N 0 Z X J s a W 5 n O y B X Z W Q s I D E 4 I E p 1 b C A y M D E 4 C i A x N j o z M z o w M i B D R V N U C l J l Y 2 V p d m V k O i B m c m 9 t I H J k b n M w L m F u b m F t Y W V 0 L m Z y I C h 1 b m t u b 3 d u I F s 4 O S 4 z O C 4 x N D g u N z V d K Q o J Y n k g c 3 R l c m x p b m c u Z m 9 v L m J l I C h Q b 3 N 0 Z m l 4 K S B 3 a X R o I E V T T V R Q U y B p Z C A y Q 0 Q 1 O T U w M D B D Q g o J Z m 9 y I D x j b 250 Y W N 0 Q H J h Z m k w d C 5 m c j 47 I F d l Z C w g M T g g S n V s I D I w M T g g M T Y 6 M z M 6 M D I g K z A y M D A g K E N F U 1 Q p C k Z y b 206 I C I 9 P 3 V 0 Z i 0 4 P 0 I / Y z N W d 2 N H O X l k R U J 2 Z G 1 n d V k y O X Q / P S I g P H N 1 c H B v c n R A b 3 Z o L m N v b T 4 K V G 86 I G N v b n R h Y 3 R A c m F m a T B 0 L m Z y C l N 1 Y m p l Y 3 Q 6 I F t P V k g t V 0 V C X S B T d X N w Z W 5 z a W 9 u I G R 1 I G 5 v b S B k Z S B k b 21 h a W 5 l I H J h Z m k w d C 5 m c g p E Y X R l O i B X Z W Q s I D E 4 I E p 1 b C A y M D E 4 I D E 0 O j A 3 O j E 5 I C s w M j A w C k 1 J T U U t V m V y c 2 l v b j o g M S 4 w C k 1 l c 3 N h Z 2 U t S U Q 6 I D w x N T M x O T E w N T Y 2 M W Q 5 M W E 1 M D g 5 N j Z k Y 2 M 1 Z j Y w M m M 3 M 2 I 0 Z j k 3 Z m E z O T J f N T Q w N D U 1 Q G 92 a C 5 j b 20 + C l J l c G x 5 L V R v O i B z d X B w b 3 J 0 Q G 92 a C 5 j b 20 K Q 29 u d G V u d C 1 U e X B l O i B 0 Z X h 0 L 2 h 0 b W w 7 I G N o Y X J z Z X Q 9 I n V 0 Z i 0 4 I g p D b 250 Z W 50 L V R y Y W 5 z Z m V y L U V u Y 29 k a W 5 n O i B x d W 90 Z W Q t c H J p b n R h Y m x l C g o 8 I U R P Q 1 R Z U 
E U g S F R N T C B Q V U J M S U M g I i 0 v L 1 c z Q y 8 v R F R E I E h U T U w g N C 4 w I F R y Y W 5 z a X R p b 25 h b C 8 v R U 4 i P g o 8 S F R N T D 48 S E V B R D 48 T U V U Q S B o d H R w L W V x d W l 2 P T N E I k N v b n R l b n Q t V H l w Z S I g Y 29 u d G V u d D 0 z R C J 0 Z X h 0 L 2 h 0 b W w 7 I G N o Y X J z Z X Q 9 C j 0 z R H V 0 Z i 0 4 I j 4 K P C 9 I R U F E P g o 8 Q k 9 E W T 4 K P E R J V j 48 R k 9 O V C B z a X p l P T N E M i B m Y W N l P T N E V G F o b 21 h P l N B U y B P V k g g L S A 8 L 0 Z P T l Q + P E E K a H J l Z j 0 z R C J o d H R w O i 8 v d 3 d 3 L m 92 a C 5 j b 20 v I j 48 R k 9 O V C B z a X p l P T N E M g p m Y W N l P T N E V G F o b 21 h P m h 0 d H A 6 L y 93 d 3 c u b 3 Z o L m N v b T w v R k 9 O V D 48 L 0 E + P E J S P j x G T 0 5 U I H N p e m U 9 M 0 Q y I G Z h Y 2 U 9 M 0 R U Y W h v b W E + M j 0 K I H J 1 Z Q p L Z W x s Z X J t Y W 5 u P E J S P k J Q I D g w M T U 3 P E J S P j U 5 M T A w I F J v d W J h a X g 8 L 0 Z P T l Q + P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + P E Z P T l Q g c 2 l 6 Z T 0 z R D I g Z m F j Z T 0 z R F R h a G 9 t Y T 5 D a G V y K G U p I E N s a W V u d C h l K S w 8 L 0 Z P T l Q + P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + P E Z P T l Q g c 2 l 6 Z T 0 z R D I g Z m F j Z T 0 z R F R h a G 9 t Y T 5 W b 3 R y Z S B u b 20 g Z G U g Z G 9 t Y W l u Z S B y Y W Z p M H Q u Z n I g Z X N 0 P Q o g Y W N 0 d W V s b G V t Z W 50 C m V u c m V n a X N 0 c j 1 D M z 1 B O S B j a G V 6 I E 9 W S C 48 Q l I + T m 90 c m U g c 3 l z d D 1 D M z 1 B O G 1 l I G R l I G Z h Y 3 R 1 c m F 0 a W 9 u I G E g Z D 1 D M z 1 B O X R l Y 3 Q 9 C j 1 D M z 1 B O S B x d W U g Y 2 U g c 2 V y d m l j Z Q p l c 3 Q g Z X h w a X I 9 Q z M 9 Q T k s I G 5 v b i B y Z 
W 5 v d X Z l b D 1 D M z 1 B O S 48 L 0 Z P T l Q + P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + P E Z P T l Q g c 2 l 6 Z T 0 z R D I g Z m F j Z T 0 z R F R h a G 9 t Y T 5 W b 3 R y Z S B u b 20 g Z G U g Z G 9 t Y W l u Z S B y Y W Z p M H Q u Z n I g Y S B k b 25 j I D 1 D M z 0 K P U E 5 d D 1 D M z 1 B O Q p z d X N w Z W 5 k d S 48 L 0 Z P T l Q + P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + P E J S P j x G T 0 5 U I H N p e m U 9 M 0 Q y I G Z h Y 2 U 9 M 0 R U Y W h v b W E + U G 91 c i B s Z S B y P U M z P U E 5 Y W N 0 a X Z l c i w g a W w g d m 91 c y B z d W Z m a X Q 9 C i B k Z S B 2 b 3 V z C n J l b m R y Z S B z d X I g b m 90 c m U g c 2 l 0 Z S w g Z X Q g Z H V 0 a W x p c 2 V y I D x C U j 5 s Y S B j b 21 t Y W 5 k Z S B k Z S B y Z W 5 v d X Z l b G x l b W V u d C A 6 C j w v R k 9 O V D 48 L 0 R J V j 4 K P E R J V j 4 m b m J z c D s 8 L 0 R J V j 4 K P E R J V j 48 Q Q p o c m V m P T N E I m h 0 d H B z O i 8 v e H l 1 N z U 2 N C 5 w a H B u Z X Q u b 3 J n L z 9 w Y W d l M D 0 K P T N E c m F m a T B 0 L m Z y I 2 h 0 d H B z O i 8 v d 3 d 3 L m 92 a C 5 j b 20 v Z n I v Y 2 d p L W J p b i 9 v c m R l c i 9 y Z W 5 l d y 5 j Z 2 k i P j x G T 0 5 U C n N p e m U 9 M 0 Q y I G Z h Y 2 U 9 C j 0 z R F R h a G 9 t Y T 5 o d H R w c z o v L 3 d 3 d y 5 v d m g u Y 29 t L 2 Z y L 2 N n a S 1 i a W 4 v b 3 J k Z X I v c m V u Z X c u Y 2 d p P C 9 G T 0 5 U P j w v Q T 4 K P C 9 E S V Y + C j x E S V Y + P E J S P j x G T 0 5 U I H N p e m U 9 M 0 Q y I G Z h Y 2 U 9 M 0 R U Y W h v b W E + T G U g c j 1 D M z 1 B O G d s Z W 1 l b n Q g c G V 1 d C B z Z S B m Y W l y Z S B 2 a W E 9 C i B s J 3 V u I G R l c y B t b 3 l l b n M K Z G U g c G F p Z W 1 l b n Q g c H J v c G 9 z P U M z P U E 5 c y 4 g T W F p c y B u b 3 V z I D x C U j 5 y Z W N v b W 1 h b m R v b n M g Z G U g c j 1 D M z 1 B O W d s Z X I g c G F y P Q o g Q 2 F y d G U g Q m F u Y 2 F p c m U 
K c G 91 c i B h Y 2 M 9 Q z M 9 Q T l s P U M z P U E 5 c m V y I G x l I H R y Y W l 0 Z W 1 l b n Q g Z X Q g Z G 9 u Y y A 8 Q l I + b G E g c j 1 D M z 1 B O W 91 d m V y d H V y Z S B k Z T 0 K I H Z v d H J l C n N l c n Z p Y 2 U u P C 9 G T 0 5 U P j w v R E l W P g o 8 R E l W P i Z u Y n N w O z w v R E l W P g o 8 R E l W P j x G T 0 5 U I H N p e m U 9 M 0 Q y I G Z h Y 2 U 9 M 0 R U Y W h v b W E + T G E g Z m F j d H V y Z S B h Y 3 F 1 a X R 0 P U M z P U E 5 Z S B 2 b 3 V z I H B h c n Z p Z W 5 k c m E 9 C i B w Z X U g Y X B y P U M z P U E 4 c w p 2 Y W x p Z G F 0 a W 9 u I G R l I G x h I G N v b W 1 h b m R l L C B j b 25 m a X J t Y W 50 I D x C U j 5 s Z S B y Z W 5 v d X Z l b G x l b W V u d C B k Z S B 2 b 3 R y Z T 0 K I H J l Z G V 2 Y W 5 j Z Q p w b 3 V y I G x h I H A 9 Q z M 9 Q T l y a W 9 k Z S B j a G 9 p c 2 l l L j w v R k 9 O V D 48 L 0 R J V j 4 K P E R J V j 4 m b m J z c D s 8 L 0 R J V j 4 K P E R J V j 48 Q l I + P E Z P T l Q g c 2 l 6 Z T 0 z R D I g Z m F j Z T 0 z R F R h a G 9 t Y T 5 J T V B P U l R B T l Q g O i B F b i B j Y X M g Z G U g b m 9 u I H I 9 Q z M 9 C j 1 B O G d s Z W 1 l b n Q g c 291 c y A y N C B I L A p 2 b 3 R y Z S B k b 21 h a W 5 l I H B v d X J y Y W l 0 I D 1 D M z 1 B Q X R y Z S B E R U Z J T k l U S V Z F T U V O V C B l Z m Z h Y z 1 D M z 1 B O S 48 L 0 Z P T l Q + P C 9 E S V Y + C j x E S V Y + J m 5 i c 3 A 7 P C 9 E S V Y + C j x E S V Y + P E Z P T l Q g c 2 l 6 Z T 0 z R D I g Z m F j Z T 0 z R F R h a G 9 t Y T 5 Q b 3 V y I H R v d X R l I G l u Z m 9 y b W F 0 a W 9 u I G N v b X B s P U M z P U E 5 b W V u d G F p c m U s P Q o g b m 90 c m U K c 3 V w c G 9 y d C B y Z X N 0 Z S A 9 Q z M 9 Q T A g d m 90 c m U g Z G l z c G 9 z a X R p b 24 u P C 9 G T 0 5 U P j w v R E l W P g o 8 R E l W P i Z u Y n N w O z w v R E l W P g o 8 R E l W P j x G T 0 5 U I H N p e m U 9 M 0 Q y I G Z h Y 2 U 9 M 0 R U Y W h v b W E + T W V y Y 2 k g Z G U g d m 90 c m U g Y 29 t c H I 9 Q z 
M 9 C j 1 B O W h l b n N p b 24 u P C 9 G T 0 5 U P j w v R E l W P g o 8 R E l W P i Z u Y n
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "eml" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "6fad44d5-1eb8-4cd4-8c2a-85d411cf50ca" ,
"value" : "Full email.eml"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "email-body" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-body" ,
"uuid" : "c8c233d6-a647-4f41-ad4e-9d2b08af045b" ,
"value" : "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n<HTML><HEAD><META http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n</HEAD>\n<BODY>\n<DIV><FONT size=2 face=Tahoma>SAS OVH - </FONT><A\nhref=\"http://www.ovh.com/\"><FONT size=2\nface=Tahoma>http://www.ovh.com</FONT></A><BR><FONT size=2 face=Tahoma>2 rue\nKellermann<BR>BP 80157<BR>59100 Roubaix</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cher(e) Client(e),</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr est actuellement\nenregistr\u00c3\u00a9 chez OVH.<BR>Notre syst\u00c3\u00a8me de facturation a d\u00c3\u00a9tect\u00c3\u00a9 que ce service\nest expir\u00c3\u00a9, non renouvel\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr a donc \u00c3\u00a9t\u00c3\u00a9\nsuspendu.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Pour le r\u00c3\u00a9activer, il vous suffit de vous\nrendre sur notre site, et dutiliser <BR>la commande de renouvellement :\n</FONT></DIV>\n<DIV> </DIV>\n<DIV><A\nhref=\"https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi\"><FONT\nsize=2 face=Tahoma>https://www.ovh.com/fr/cgi-bin/order/renew.cgi</FONT></A>\n</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Le r\u00c3\u00a8glement peut se faire via l'un des moyens\nde paiement propos\u00c3\u00a9s. 
Mais nous <BR>recommandons de r\u00c3\u00a9gler par Carte Bancaire\npour acc\u00c3\u00a9l\u00c3\u00a9rer le traitement et donc <BR>la r\u00c3\u00a9ouverture de votre\nservice.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>La facture acquitt\u00c3\u00a9e vous parviendra peu apr\u00c3\u00a8s\nvalidation de la commande, confirmant <BR>le renouvellement de votre redevance\npour la p\u00c3\u00a9riode choisie.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>IMPORTANT : En cas de non r\u00c3\u00a8glement sous 24 H,\nvotre domaine pourrait \u00c3\u00aatre DEFINITIVEMENT effac\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Pour toute information compl\u00c3\u00a9mentaire, notre\nsupport reste \u00c3\u00a0 votre disposition.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Merci de votre compr\u00c3\u00a9hension.</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cordialement,</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre Service Client OVH<BR>Lun - Vend : 8h - 20h\n| Samedi : 9h \u00c3\u00a0 17h<BR>1007<BR>Num\u00c3\u00a9ro unique gratuit depuis un poste fixe, hors\nsurco\u00c3\u00bbt \u00c3\u00a9ventuel selon op\u00c3\u00a9rateur depuis une ligne\nmobile</FONT></DIV></BODY></HTML>"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reply-to" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-reply-to" ,
"uuid" : "51d315b4-595f-43fd-bc43-23c5f155ed88" ,
"value" : "support@ovh.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "message-id" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-message-id" ,
"uuid" : "c0cae490-8619-453a-9ca0-10e1ffa78f30" ,
"value" : "<15319105661d91a508966dcc5f602c73b4f97fa392_540455@ovh.com>"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "to" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-dst" ,
"uuid" : "334cb4ea-384c-43f2-ab65-de6c244bbe55" ,
"value" : "contact@rafi0t.fr"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subject" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-subject" ,
"uuid" : "faf7eabc-c367-4456-95be-dadbd90b1aa2" ,
"value" : "[OVH-WEB] Suspension du nom de domaine rafi0t.fr"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "from" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-src" ,
"uuid" : "76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9" ,
"value" : "\"support@ovh.com\" <support@ovh.com>"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "return-path" ,
"timestamp" : "1532095368" ,
"to_ids" : false ,
"type" : "email-src" ,
"uuid" : "8ae92ecb-ea5e-4674-9bd7-de2cdc2e05e8" ,
"value" : "<support@ovh.com>"
}
]
}
]
}
}