{
"Event" : {
"analysis" : "0" ,
"date" : "2018-08-17" ,
"extends_uuid" : "" ,
"info" : "Turla Outlook White Paper" ,
"publish_timestamp" : "1668553629" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1668551496" ,
"uuid" : "5b773e07-e694-458b-b99c-27f30a016219" ,
"Orgc" : {
"name" : "ESET" ,
"uuid" : "55f6ea5e-51ac-4344-bc8c-4170950d210f"
} ,
"Tag" : [
{
"colour" : "#12e200" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Turla Group\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Email Collection\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Object Model Hijacking - T1122\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#9d6800" ,
"local" : "0" ,
"name" : "cert-ist:threat_targeted_sector=\"Academic and Research\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#986400" ,
"local" : "0" ,
"name" : "cert-ist:threat_targeted_sector=\"Gov\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#e49600" ,
"local" : "0" ,
"name" : "cert-ist:threat_targeted_region=\"Western Europe\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#fea700" ,
"local" : "0" ,
"name" : "cert-ist:enriched" ,
"relationship_type" : ""
} ,
{
"colour" : "#372500" ,
"local" : "0" ,
"name" : "cert-ist:ioc_accuracy=\"medium\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#3c2700" ,
"local" : "0" ,
"name" : "cert-ist:threat_level=\"medium\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#f8a400" ,
"local" : "0" ,
"name" : "cert-ist:threat_type=\"apt\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#FFC000" ,
"local" : "0" ,
"name" : "tlp:amber" ,
"relationship_type" : ""
} ,
{
"colour" : "#ff0000" ,
"local" : "0" ,
"name" : "BR_CTI_Investigar" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534805111" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5b773e89-9738-4bbb-90bc-2fb20a016219" ,
"value" : "%appdata%\\Microsoft\\Windows\\scawrdot.db"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534805102" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5b773e89-7e14-4280-9249-2fb20a016219" ,
"value" : "%appdata%\\Microsoft\\Windows\\flobcsnd.dat"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534541449" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5b773e89-4934-4d34-be4c-2fb20a016219" ,
"value" : "mapid.tlb"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534541449" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5b773e89-1e7c-48d3-a6cb-2fb20a016219" ,
"value" : "msmime.dll"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "COM hijacking" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534541549" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5b773eed-662c-4150-b6ef-2fb10a016219" ,
"value" : "HKCU\\Software\\Classes\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "COM hijacking" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534541549" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5b773eed-6158-4680-941f-2fb10a016219" ,
"value" : "HKCU\\Software\\Classes\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Virtual File System" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534541580" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5b773f0c-07c4-4a31-b191-2fb20a016219" ,
"value" : "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Settings\\ZonePolicy\\"
} ,
{
"category" : "External analysis" ,
"comment" : "White Paper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1534881925" ,
"to_ids" : false ,
"type" : "url" ,
"uuid" : "5b7c7085-9658-46bf-afdc-59530a016219" ,
"value" : "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535462367" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b854bdf-32a4-4f17-8bab-32abc0a8ab16" ,
"value" : "https://github.com/eset/malware-ioc/tree/master/turla"
} ,
{
"category" : "External analysis" ,
"comment" : "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" ,
"data" : " J V B E R i 0 x L j Q N J e L j z 9 M N C j E 1 M j U g M C B v Y m o N P D w v T G l u Z W F y a X p l Z C A x L 0 w g M T A z M j U y M C 9 P I D E 1 M j c v R S A 1 N z M 5 O C 9 O I D I 0 L 1 Q g M T A w M T k w M y 9 I I F s g O D k z I D E w M j h d P j 4 N Z W 5 k b 2 J q D S A g I C A g I C A g I A 14 c m V m D Q o x N T I 1 I D I 5 D Q o w M D A w M D A w M D E 2 I D A w M D A w I G 4 N C j A w M D A w M D I x M z E g M D A w M D A g b g 0 K M D A w M D A w M j I 5 N C A w M D A w M C B u D Q o w M D A w M D A y N z Q 5 I D A w M D A w I G 4 N C j A w M D A w M D M x M D Q g M D A w M D A g b g 0 K M D A w M D A w M z k 2 M i A w M D A w M C B u D Q o w M D A w M D A 0 M z c 4 I D A w M D A w I G 4 N C j A w M D A w M D Q 0 O T M g M D A w M D A g b g 0 K M D A w M D A w N D c y N y A w M D A w M C B u D Q o w M D A w M D A 1 M T A w I D A w M D A w I G 4 N C j A w M D A w M D U 4 O D g g M D A w M D A g b g 0 K M D A w M D A w N j Y y N i A w M D A w M C B u D Q o w M D A w M D A 3 M j c 2 I D A w M D A w I G 4 N C j A w M D A w M D c 4 M T k g M D A w M D A g b g 0 K M D A w M D A w O D M 1 M i A w M D A w M C B u D Q o w M D A w M D A 4 O T A 1 I D A w M D A w I G 4 N C j A w M D A w M D k 0 N T k g M D A w M D A g b g 0 K M D A w M D A x M D A 1 M S A w M D A w M C B u D Q o w M D A w M D E w N T M 4 I D A w M D A w I G 4 N C j A w M D A w M T A 5 N D E g M D A w M D A g b g 0 K M D A w M D A x M T M 4 N S A w M D A w M C B u D Q o w M D A w M D E x O T k 1 I D A w M D A w I G 4 N C j A w M D A w M T I 2 N j Q g M D A w M D A g b g 0 K M D A w M D A x N D Q 4 N i A w M D A w M C B u D Q o w M D A w M D I w N z Q 5 I D A w M D A w I G 4 N C j A w M D A w M j M z O D g g M D A w M D A g b g 0 K M D A w M D A 1 N z M 1 N y A w M D A w M C B u D Q o w M D A w M D A x O T I x I D A w M D A w I G 4 N C j A w M D A w M D A 4 O T M g M D A w M D A g b g 0 K d H J h a W x l c g 0 8 P C 9 T a X p l I D E 1 N T Q v U m 9 v d C A x N T I 2 I D A g U i 9 
J b m Z v I D Q y M S A w I F I v S U R b P E Y z Q T F F N 0 V E Q 0E0 Q z Q 5 N z h C O D B D N D N D M z N E Q T A x Q z d D P j x C M T d B R D A 3 N T Y 5 R U M 0 M j g 1 O T F F N T F D Q z Z B N z k 4 Q z B B R D 5 d L 1 B y Z X Y g M T A w M T g 5 M C 9 Y U m V m U 3 R t I D E 5 M j E + P g 1 z d G F y d H h y Z W Y N M A 0 l J U V P R g 0 g I C A g I C A g I C A g I C A g I A 0 x N T U z I D A g b 2 J q D T w 8 L 0 M g M T E x M C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v S S A x M T M y L 0 x l b m d 0 a C A 5 M z c v U y A 5 M j g + P n N 0 c m V h b Q 0 K a N 5 i Y G B g Y m B g + c T A x s D A t p Z B k A E B B I F i 7 A w s D B w x D O K G w d 46 R 6 N 1 z v A x T j 2 t w + C Q 4 d l w 98 B L X 7 u F B 503 / r i + y q 9 S t 4 p X b G 37 m j 2 T r l r u O 7 q 5 J y W O O d s x T q o k a j f 3 v h k M D E J P m G o t L s c U l j 5 M Y 70 V 8 l 0 k k j U y 5 + o T J K s Y m F i Z Z B w U E n u n m q Q s c F j g 3 M H C Y 7 h p W c 8 U D p E f h Q x T B J R s X j 7 V P K f l M F F K Z d l l R a O M j Q G N 4e0 C H B w J m Y J L X X Y m M i l f m 20 U a C S 0 6 r Q U h 4 h A I U / k h g y H j q + n w 6 S N Z m w M 8 z r L w s V h 0 e J x S T V m K 1 D l 2 d U 6 L R c n r W y y 49 p i 0 e D d I S i 3 s V m s L 3 J P X s 7 J R U t n 2 p Y 83 B y e d V m 3 R k D r w C N G P Q W X K h P P I O m w 1 p f J b l 7 L O P 4 q h X g c 5 O A T z T p 6 x H 1 C 0 d 2 H m 47 G a O d c 5 V y s d 9 k K Z C 2 L B 7 / H V C l V o L V h L R s X q w Y 71 A h o K D z i 4 F f a m X U k M 0 j J b C 3 Y F C f X D w 6 L D 3 e w O C q F Z P Q u r I o A u Y W 1 S c Z B i c V 9 t k 7 K q m R H k S Y u B Z u I 9 L 4 V 9 h y N g i 9 u L v K a p L h Z t W u h i Y B O w i N G f g V X L R e P s w t N U l Y l H W R a y 6 c g Z H p i 0 p I I h 47 P W R e A Q b f B Y R N z B 6 t M o + C z s 5 I + E S s c n z h N A C p R W S m 5 u C N n k z D I D x w O A a / F d e U c u o A e M + 7 I W b V F r W e a j 4 C W w y N G Z a / O o q s t H P 0 8 P J x b U y c A D V u U 0 O j I L n C x m z n 
V V z J F Q B u o x J C H h 8 t S Y 9 K S h J y F w W 6 R i h w T t V Q S H N t Y F C w i e k 4 I y n 1 M u q 57 X b o k k r v t 1 K 3 d G h k n A 0 D x m p b R A a I q O h q A J H t H B y y + R U P D O y A 8 R k E h J S X 1 D j C P S U n F B S w B V C 0 o C O R U d M C 0 C A o K i n e A Q Q O Y K w T T A + I I G 4 N 1 Q c 0 w N k 5 L h 6 o D y Y R W w D U J Q s 1 z c Q e L M B s D l Q J B O p j H 4 p K W V g F V C e T A m O w Q m k l J y R y s m V F Q S d n Y J B x u p r C x s T n E Z t b Q C q h u s C 6 Y w 11 c Q 2 G u I y P b A C 1 M Y u A T m w g 0 S R K I v c B m S j M I M K 5 h 9 G C 2 Z 2 x l i G A 4 z x j F 9 J P p O F M + E w v j L y Y + J n 4 m U 8 Y z j B W M C 5 n c m Z r Y m S V i u E x a p j H w M d Y y F j D W M R k x + n N 9 Z V z A s F 4 g j f E 4 g y X j U S Y 1 h i S G Y / w M D I k M w m 7 p D C + Z t J m y G E Q Z P z P p C q k z R D C 5 M H y X v 8 M 4 l 8 E V a K 82 I y t D H s N k B j E G c S A W Y 3 j M c J k h j M k Y z B Z j W I S c o R k n M / A 9 l w A y e B g Y A m f D R Z c y 8 H s 8 B z G A e B d A g A E A K n F Y d A 1 l b m R z d H J l Y W 0 N Z W 5 k b 2 J q D T E 1 N T I g M C B v Y m o N P D w v R G V j b 2 R l U G F y b X M 8 P C 9 D b 2 x 1 b W 5 z I D Q v U H J l Z G l j d G 9 y I D E y P j 4 v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 l u Z G V 4 W z Q y M i A x M T A z X S 9 M Z W 5 n d G g g N T Y v U 2 l 6 Z S A x N T I 1 L 1 R 5 c G U v W F J l Z i 9 X W z E g M i A x X T 4 + c 3 R y Z W F t D Q p o 3 u z R o Q E A M A z D s K T / s + H 9 u i 9 G K q I D 7 J m e T J J i E b 0 a e A 7 P 4 T k 8 h + f w H J 7 D c 3 i O n 8 + f A A M A H + c U Q g 1 l b m R z d H J l Y W 0 N Z W 5 k b 2 J q D T E 1 M j Y g M C B v Y m o N P D w v T G F u Z y h l b i 1 V U y k v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D Q y M C A w I F I v U G F n Z X M g N D E 1 I D A g U i 9 T d H J 1 Y 3 R U c m V l U m 9 v d C A 0 M j I g M C B S L 1 R 5 c G U v Q 2 F 0 Y W x v Z y 9 W a W V 3 Z 
X J Q c m V m Z X J l b m N l c z w 8 L 0 R p c m V j d G l v b i 9 M M l I + P j 4 + D W V u Z G 9 i a g 0 x N T I 3 I D A g b 2 J q D T w 8 L 0 F y d E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 C b G V l Z E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 D b 250 Z W 50 c 1 s x N T M 2 I D A g U i A x N T M 3 I D A g U i A x N T M 4 I D A g U i A x N T M 5 I D A g U i A x N T Q w I D A g U i A x N T Q x I D A g U i A x N T Q 1 I D A g U i A x N T Q 2 I D A g U l 0 v Q 3 J v c E J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 N Z W R p Y U J v e F s w L j A g M C 4 w I D U 5 N S 4 y N z Y g O D Q x L j g 5 X S 9 Q Y X J l b n Q g N D E 2 I D A g U i 9 S Z X N v d X J j Z X M 8 P C 9 F e H R H U 3 R h d G U 8 P C 9 H U z A g M T U z M S A w I F I + P i 9 G b 250 P D w v V D F f M C A x N T I 4 I D A g U i 9 U M V 8 x I D E 1 M j k g M C B S L 1 Q x X z I g M T U 0 M i A w I F I + P i 9 Q c m 9 j U 2 V 0 W y 9 Q R E Y v V G V 4 d F 0 v U H J v c G V y d G l l c z w 8 L 0 1 D M C A x N T U x I D A g U j 4 + P j 4 v U m 90 Y X R l I D A v U 3 R y d W N 0 U G F y Z W 50 c y A w L 1 R y a W 1 C b 3 h b M C 4 w I D A u M C A 1 O T U u M j c 2 I D g 0 M S 44 O V 0 v V H l w Z S 9 Q Y W d l P j 4 N Z W 5 k b 2 J q D T E 1 M j g g M C B v Y m o N P D w v Q m F z Z U Z v b n Q v S V R G R k 1 R K 0 Z l Z H J h U 2 F u c 0 F s d F B y b y 1 C b 2 x k T E Y v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z p c n N 0 Q 2 h h c i A z M i 9 G b 250 R G V z Y 3 J p c H R v c i A x N T M z I D A g U i 9 M Y X N 0 Q 2 h h c i A 4 O S 9 T d W J 0 e X B l L 1 R 5 c G U x L 1 R v V W 5 p Y 29 k Z S A x N T M w I D A g U i 9 U e X B l L 0 Z v b n Q v V 2 l k d G h z W z I z M S A w I D A g M C A w I D A g M C A w I D A g M C A w I D A g M C A w I D M w N y A w I D A g M z c 1 I D U 0 M C A 1 M T M g N T g 5 I D U z N C A w I D A g M C A w I D A g M C A w I D A g M C A w I D A g N z E 
4 I D Y 4 M S A 2 N z c g N z g 3 I D Y x M S A 2 M T E g N z A 5 I D g w N i A z M z Y g M C A 3 M j M g N T Y 5 I D k 5 M y A 4 M D
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535632135" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5b87e307-7618-4378-ba96-4abb9f590eb0" ,
"value" : "Eset-Turla-Outlook-Backdoor.pdf"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355608" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aad8-f964-4899-9743-7267d5388438" ,
"value" : "rule turla_outlook_log { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"First bytes of the encrypted Turla Outlook logs\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //Log begin: [...] TVer $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} condition: $s1 at 0 }"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355614" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aade-d508-4f29-9577-7267d5388438" ,
"value" : "rule outlook_misty1 { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detects the Turla MISTY1 implementation\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //and edi, 1FFh $o1 = {81 E7 FF 01 00 00} //shl ecx, 9 $s1 = {C1 E1 09} //xor ax, si $s2 = {66 33 C6} //shr eax, 7 $s3 = {C1 E8 07} $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} condition: $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] -500 ..@o1[i] + 500))) }"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355619" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aae3-1b28-417a-90e4-7267d5388438" ,
"value" : "rule turla_outlook_gen { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Outlook\" ascii wide $s2 = \"Outlook Express\" ascii wide $s3 = \"Outlook watchdog\" ascii wide $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide $s5 = \"Mail Event Window\" ascii wide $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide $s9 = \"rctrl_renwnd32\" ascii wide $s10 = \"NetUIHWND\" ascii wide $s11 = \"homePostalAddress\" ascii wide $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide $s14 = \"IPM.Note\" ascii wide $s15 = \"MAPILogonEx\" ascii wide $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide $s17 = \"PowerShellRunner.dll\" ascii wide $s18 = \"cmd container\" ascii wide $s19 = \"mapid.tlb\" ascii wide nocase $s20 = \"Content-Type: F)*+\" ascii wide fullword condition: 5 of them }"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355624" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aae8-5a50-4714-b5ba-7267d5388438" ,
"value" : "import \"pe\"rule turla_outlook_exports { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Export names of Turla Outlook Malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" condition: (pe.exports(\"install\") or pe.exports(\"Install\")) and pe.exports(\"TBP_Initialize\") and pe.exports(\"TBP_Finalize\") and pe.exports(\"TBP_GetName\") and pe.exports(\"DllRegisterServer\") and pe.exports(\"DllGetClassObject\") }"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355630" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aaee-6008-4818-a291-7267d5388438" ,
"value" : "rule turla_outlook_filenames { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook filenames\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"mapid.tlb\" $s2 = \"msmime.dll\" $s3 = \"scawrdot.db\" condition: any of them }"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Merged from event 11961" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1535355635" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b83aaf3-23b4-4a0e-8ceb-7267d5388438" ,
"value" : "rule turla_outlook_pdf { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detect PDF documents generated by Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Adobe PDF Library 9.0\" ascii wide nocase $s2 = \"Acrobat PDFMaker 9.0\" ascii wide nocase $s3 = {FF D8 FF E0 00 10 4A 46 49 46} $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} $s5 = \"W5M0MpCehiHzreSzNTczkc9d\" ascii wide nocase $s6 = \"PDF-1.4\" ascii wide nocase condition: 5 of them }"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack name" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355825" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b83abb1-2524-4295-9eee-7268d5388438" ,
"value" : "Turla"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST External link" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355825" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b83abb1-76b4-4b70-80bd-10f2d5388438" ,
"value" : "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-7e1c-4cfa-8c10-10a6d5388438" ,
"value" : "Snake"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-9420-4692-aa94-10f4d5388438" ,
"value" : "Uroburos"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-6450-4242-908f-7265d5388438" ,
"value" : "Venomous Bear"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-409c-4018-bfbc-7267d5388438" ,
"value" : "KRYPTON"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-4064-4b38-b5d7-726ad5388438" ,
"value" : "Waterbug"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Attack Alias" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-90ec-47c7-8869-10a7d5388438" ,
"value" : "WhiteBear"
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Description" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-5c5c-411d-a011-726bd5388438" ,
"value" : "These IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017.\r\n\r\nThe extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer."
} ,
{
"category" : "External analysis" ,
"comment" : "Cert-IST Malware Name" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355826" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5b83abb2-45e0-4bf4-8ad2-0968d5388438" ,
"value" : "Outlook"
} ,
{
"category" : "Targeting data" ,
"comment" : "Cert-IST Targeted Country" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355827" ,
"to_ids" : false ,
"type" : "target-location" ,
"uuid" : "5b83abb3-5430-49a6-b4cb-7268d5388438" ,
"value" : "Germany"
} ,
{
"category" : "Targeting data" ,
"comment" : "Cert-IST Targeted Country" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355827" ,
"to_ids" : false ,
"type" : "target-location" ,
"uuid" : "5b83abb3-e5fc-480d-b4a6-10f2d5388438" ,
"value" : "France"
} ,
{
"category" : "Other" ,
"comment" : "Cert-IST First Seen Date" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355827" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5b83abb3-39a4-4cb2-a08f-10a6d5388438" ,
"value" : "2015-12-31T23:00:00+00:00"
} ,
{
"category" : "Other" ,
"comment" : "Cert-IST First Disclosed Date" ,
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1535355827" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5b83abb3-7e7c-4c8f-a29f-10f4d5388438" ,
"value" : "2018-08-21T22:00:00+00:00"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1536139344" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b8fa050-e5e8-424e-9b8d-07a7d5388438" ,
"value" : "https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/"
}
] ,
"Object" : [
{
"comment" : "File 7009af646c6c3e6abc0af744152ca968" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1535632211" ,
"uuid" : "dbbfc337-d1f9-462f-aca7-ddc30563ddd9" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1535632211" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "84e013cb-ecaf-4f21-9ee8-796886e3454a" ,
"value" : "https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1535632211" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "31d8cb43-4506-45d0-93c0-0785a2394bbe" ,
"value" : "48/65"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "comment" ,
"timestamp" : "1535632211" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "50384da0-f70b-4e0d-96cf-653a6bfe5c6d" ,
"value" : "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28222) Detection: Trojan ( 00461fd31 )\r\nK7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 )\r\nTrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17963) Detection: Win32/Turla.N\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen\r\nBitDefender (7.2) Detection: Trojan.GenericKD.1592844\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.m!c\r\nAvast (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J)\r\nEndgame (3.0.1) Detection: No detection\r\nSophos (4.98.0) Detection: Troj/Turla-F\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.27\r\nVIPRE (69182) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: No detection\r\nMcAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.H\r\nJiangmin 
(16.0.100) Detection: Backdoor/Turla.b\r\nWebroot (1.0.0.403) Detection: W32.Trojan.GenKD\r\nAvira (8.3.3.6) Detection: TR/Rogue.290816.12\r\nMAX (2017.11.15.1) Detection: malware (ai score=83)\r\nAntiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric\r\nKingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud)\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAd-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir\r\nYandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU\r\nIkarus (0.1.5.2) Detection: Trojan.SuspectCRC\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.N!tr\r\nAVG (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nPanda (4.6.4.2) Detection: Trj/Genetic.gen\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "last-submission" ,
"timestamp" : "1535632211" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "78651b01-2afe-40cb-b40d-a1e929df79b0" ,
"value" : "2018-08-29T14:17:42"
}
]
} ,
{
"comment" : "Backdoor DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1535632211" ,
"uuid" : "8adddb25-84d0-4480-9221-68e2d85b6cba" ,
"ObjectReference" : [
{
"comment" : "Expanded with virustotal data" ,
"object_uuid" : "8adddb25-84d0-4480-9221-68e2d85b6cba" ,
"referenced_uuid" : "dbbfc337-d1f9-462f-aca7-ddc30563ddd9" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1615290675" ,
"uuid" : "5b87e353-0e6c-4295-b5ca-4c4f9f590eb0"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1535632211" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "04ef56e8-d383-4896-b8da-38dc73c6433b" ,
"value" : "7009af646c6c3e6abc0af744152ca968"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1535632211" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "d1abb482-c179-40d6-b11c-870dbadd2ab7" ,
"value" : "8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1535632211" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ad918b1b-4c0e-4cce-b05c-0ca7e0ec6e48" ,
"value" : "e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b"
}
]
} ,
{
"comment" : "File af8889f4705145d4390ee8d581f45436" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1535632268" ,
"uuid" : "628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1535632268" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5ca9d215-5e2a-42c3-bea4-b66b2748f54e" ,
"value" : "https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1535632268" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ff44d53e-022b-4782-ab44-0ac4df101a82" ,
"value" : "44/65"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "comment" ,
"timestamp" : "1535632268" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "304c97d6-a81d-4b24-87b9-3b198f39a2bb" ,
"value" : "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: RDN/Generic.com\r\nCylance (2.3.1.101) Detection: Unsafe\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28228) Detection: Trojan ( 004fb2be1 )\r\nK7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 )\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.I\r\nSymantec (1.7.0.0) Detection: Trojan.Gen.2\r\nESET-NOD32 (17964) Detection: a variant of Win32/Turla.R\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak\r\nBitDefender (7.2) Detection: Trojan.Generic.21818445\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt\r\nViRobot (2014.3.20.0) Detection: No detection\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey\r\nAd-Aware (3.0.5.370) Detection: Trojan.Generic.21818445\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.111\r\nVIPRE (69200) Detection: No detection\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: 
No detection\r\nAvira (8.3.3.6) Detection: TR/AD.Turla.ckypp\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C\r\nEndgame (3.0.1) Detection: No detection\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.4!c\r\nZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445\r\nTACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: No detection\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD)\r\nYandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.AK!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "last-submission" ,
"timestamp" : "1535632268" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5adce2fa-bb3d-4a93-b348-3da8877ae372" ,
"value" : "2018-08-30T05:52:57"
}
]
} ,
{
"comment" : "Backdoor DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1535632268" ,
"uuid" : "46a74309-e65f-4fd7-b816-917ade7475c9" ,
"ObjectReference" : [
{
"comment" : "Expanded with virustotal data" ,
"object_uuid" : "46a74309-e65f-4fd7-b816-917ade7475c9" ,
"referenced_uuid" : "628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1615290675" ,
"uuid" : "5b87e38d-e34c-4ddb-866a-56449f590eb0"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1535632268" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "ee9ee1a5-ec3f-4abc-9900-84243a5466c0" ,
"value" : "af8889f4705145d4390ee8d581f45436"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1535632269" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "52f15861-f1bd-4d93-8285-09558f3438c4" ,
"value" : "cf943895684c6ff8d1e922a76b71a188cfb371d7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1535632269" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "13ba97ae-2892-41a2-ab84-536ced0401f1" ,
"value" : "6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f"
}
]
} ,
{
"comment" : "Backdoor DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1535632297" ,
"uuid" : "cba9ad80-221b-4873-af6c-3a5e678f9a3b" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1535632297" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "d0795a4d-3f92-4460-9182-0641e0d080a0" ,
"value" : "851dffa6cd611dc70c9a0d5b487ff00bc3853f30"
}
]
} ,
{
"comment" : "File ff8c3f362d7c9b9a19cfa09b4b3cfc75" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1535632321" ,
"uuid" : "1da8705f-aa50-4400-b643-5912e7beb7f6" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1535632321" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "18187d0c-367d-4bdd-903b-1535c3b6295c" ,
"value" : "https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1535632321" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c9b90b46-8d03-4899-a721-3535cdbef578" ,
"value" : "48/67"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "comment" ,
"timestamp" : "1535632321" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "56d584fc-bfc7-424a-b4ce-d5b46c612323" ,
"value" : "Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10\r\nMicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: TrojanSpy.Agent\r\nMcAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: No detection\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28216) Detection: Trojan ( 005097051 )\r\nK7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 )\r\nArcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17962) Detection: Win32/Turla.AW\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1\r\nKaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe\r\nBitDefender (7.2) Detection: Gen:Variant.Zusy.258575\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Troj.W32.Gen.lJ0K\r\nRising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD)\r\nAd-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575\r\nEmsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B)\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575\r\nDrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438\r\nVIPRE (69176) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) 
Detection: W32/Turla.G\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: No detection\r\nAvira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nEndgame (3.0.1) Detection: malicious (high confidence)\r\nMicrosoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAhnLab-V3 (3.13.1.21616) Detection: No detection\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: TrojanSpy.Agent\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye\r\nYandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nCybereason (1.2.27) Detection: malicious.62d7c9\r\nPaloalto (1.0) Detection: generic.ml\r\nCrowdStrike (1.0) Detection: malicious_confidence_70% (D)\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "last-submission" ,
"timestamp" : "1535632321" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "73940c69-6556-412e-915e-d7d1a07f205b" ,
"value" : "2018-08-29T09:57:38"
}
]
} ,
{
"comment" : "Dropper" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1535632321" ,
"uuid" : "73bb4f5c-2b1c-40be-a290-1b5c585f226c" ,
"ObjectReference" : [
{
"comment" : "Expanded with virustotal data" ,
"object_uuid" : "73bb4f5c-2b1c-40be-a290-1b5c585f226c" ,
"referenced_uuid" : "1da8705f-aa50-4400-b643-5912e7beb7f6" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1615290675" ,
"uuid" : "5b87e3c1-f3c0-429c-9c70-4ab79f590eb0"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1535632321" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "186f573b-10b7-4933-9570-6ce05f358444" ,
"value" : "ff8c3f362d7c9b9a19cfa09b4b3cfc75"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1535632321" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "c82b6c8e-89bf-4738-81b8-290eb6dd52b7" ,
"value" : "f992abe8a67120667a01b88cd5bf11ca39d491a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1535632321" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "915c97f0-9d0e-4eb2-a6f0-8a21c23d0569" ,
"value" : "881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867"
}
]
}
]
}
}