2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2019-04-23" ,
"extends_uuid" : "" ,
"info" : "OSINT - FINTEAM: Trojanized TeamViewer Against Government Targets" ,
"publish_timestamp" : "1556049219" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1556049198" ,
"uuid" : "5cbf6a0e-bfa4-458c-9b40-416a02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048432" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cbf6a30-2d74-406a-bf99-47c702de0b81" ,
"value" : "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\n\r\nBy investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack\u2019s inner workings. We also came across an online avatar of a Russian speaking hacker, who seems to be in charge of the tools developed and used in this attack.\r\n\r\nIn this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048446" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5cbf6a3e-d13c-4103-b9f1-4e1202de0b81" ,
"value" : "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/"
} ,
{
"category" : "External analysis" ,
"comment" : "The infection chain" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048744" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5cbf6b68-94b8-4d3d-ab5f-465b02de0b81" ,
"value" : "fig2-2.png"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-a6f4-4209-8988-464202de0b81" ,
"value" : "013e87b874477fcad54ada4fa0a274a2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-d258-45f6-98f7-4d7402de0b81" ,
"value" : "799ab035023b655506c0d565996579b5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-8084-4076-ae2f-4a0302de0b81" ,
"value" : "e1167cb7f3735d4edec5f7219cea64ef"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-a7ec-4978-8a41-45cf02de0b81" ,
"value" : "6cc0218d2b93a243721b088f177d8e8f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-8134-4e33-a650-442902de0b81" ,
"value" : "aad0d93a570e6230f843dcdf20041e1e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-2ad4-442c-a2e9-4f4802de0b81" ,
"value" : "1e741ebc08af09edc69f017e170b9852"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-0bec-4fce-9d79-4b2902de0b81" ,
"value" : "c6ae889f3bee42cc19a728ba66fa3d99"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-6384-4770-b866-4ba202de0b81" ,
"value" : "1675cdec4c0ff49993a1fcbdfad85e56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-255c-43ca-b72d-4de402de0b81" ,
"value" : "72de32fa52cc2fab2b0584c26657820f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6b93-088c-4d83-9c6d-480f02de0b81" ,
"value" : "44038b936667f6ce2333af80086f877f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048806" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6ba6-9694-417a-aaec-43d402de0b81" ,
"value" : "4acf624ad87609d476180ecc4c96c355"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048806" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5cbf6ba6-07d0-4fe2-89b3-416902de0b81" ,
"value" : "4dbe9dbfb53438d9ce410535355cd973"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-24bc-42bd-9f62-461702de0b81" ,
"value" : "1c-ru.net/check/license"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-81a8-4146-a75d-4cdb02de0b81" ,
"value" : "intersys32.com/3307/"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-9fb0-4ed7-bf1f-419f02de0b81" ,
"value" : "146.0.72.180/3307/"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-56bc-4939-b104-4a2402de0b81" ,
"value" : "146.0.72.180/newcpanel_gate/gate.php"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-fae4-40e3-8c27-43d902de0b81" ,
"value" : "185.70.186.145/gate.php"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-d18c-41ee-a107-4a4002de0b81" ,
"value" : "185.70.186.145/index.php"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-963c-49d3-85d9-42fc02de0b81" ,
"value" : "193.109.69.5/3307/gate.php"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048825" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cbf6bb9-fe58-4761-8fc5-497d02de0b81" ,
"value" : "193.109.69.5/9125/gate.php"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048849" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5cbf6bd1-c00c-4b4e-a3d0-456d02de0b81" ,
"value" : "rule TeamViwer_backdoor\r\n{\r\n\r\nmeta:\r\ndate = \"2019-04-14\"\r\ndescription = \"Detects malicious TeamViewer DLLs\"\r\n\r\nstrings:\r\n\r\n// PostMessageW hook function\r\n$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}\r\n\r\ncondition:\r\n// MZ header check: only evaluate the hook signature on PE files\r\nuint16(0) == 0x5a4d and $x1\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "Banks being targeted on compromised system" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048966" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5cbf6c46-0a70-4531-a13f-46a602de0b81" ,
"value" : "bankofamerica.com,pacwestbancorp.com,alipay.com,cbbank.com,firstrepublic.com,chase.com\r\ncitibank.com,bankamerica.com,wellsfargo.com,citicorp.com,pncbank.com,us.hsbc.com,bnymellon.com\r\nusbank.com,suntrust.com,statestreet.com,capitalone.com,bbt.com,tdbank.com,rbs.com,regions.com\r\n53.com,ingdirect.com,keybank.com,ntrs.com,www4.bmo.com,usa.bnpparibas.com,mufg.jp,aibgroup.com\r\ncomerica.com,zionsbank.com,mibank.com,bbvabancomerusa.com,huntington.com,bank.etrade.com,synovus.com\r\nbancopopular.com,navyfcu.org,schwab.com,rbcbankusa.com,colonialbank.com,hudsoncitysavingsbank.com,db.com\r\npeoples.com,ncsecu.org,associatedbank.com,bankofoklahoma.com,mynycb.com,firsthorizon.com,firstcitizens.com\r\nastoriafederal.com,firstbankpr.com,commercebank.com,cnb.com,websterbank.com,fbopcorporation.com\r\nfrostbank.com,guarantygroup.com,amtrust.com,nypbt.com,wbpr.com,fult.com,penfed.org,tcfbank.com,lehman.com\r\nbancorpsouthonline.com,valleynationalbank.com,thesouthgroup.com,whitneybank.com,susquehanna.net,citizensonline.com\r\nucbh.com,raymondjames.com,firstbanks.com,wilmingtontrust.com,bankunited.com,thirdfederal.com,wintrustfinancial.com\r\nsterlingsavingsbank.com,boh.com,arvest.com,eastwestbank.com,efirstbank.com,theprivatebank.com,flagstar.com\r\nbecu.org,umb.com,firstmerit.com,corusbank.com,svb.com,prosperitybanktx.com,washingtonfederal.com\r\nucbi.com,metlife.com,ibc.com,cathaybank.com,trustmark.com,centralbancompany.com,umpquabank.com\r\npcbancorp.com,schoolsfirstfcu.org,mbfinancial.com,natpennbank.com,fnbcorporation.com,fnfg.com,golden1.com\r\nhancockbank.com,firstcitizensonline.com,ubsi-wv.com,firstmidwest.com,oldnational.com,ottobremer.org\r\nfirstinterstatebank.com,northwestsavingsbank.com,easternbank.com,suncoastfcu.org,santander.com\r\neverbank.com,bostonprivate.com,firstfedca.com,english.leumi.co.il,aacreditunion.org,rabobank.com\r\nparknationalbank.com,provbank.com,alliantcreditunion.org,capitolbancorp.com,newalliancebank.com\r\njohnsonbank.com,doralbank.com,fcfbank.com,pinnaclebancorp.net,providentnj.com,oceanbank.com\r\nssfcu.org,capfed.com,iberiabank.com,sdccu.com,americafirst.com,hncbank.com,bfcfinancial.com\r\namcore.com,nbtbank.com,centralpacificbank.com,banksterling.com,bannerbank.com,firstmerchants.com,communitybankna.com\r\nhsbc.com,rbs.co.uk,bankofinternet.com,ally.com,bankofindia.co.in,boi.com.sg,unionbankofindia.co.in,bankofindia.uk.com\r\nunionbankonline.co.in,hdfcbank.com,axisbank.com,icicibank.com,paypal.com,pnm.com,wmtransfer.com,skrill.com,neteller.com\r\npayeer.com,westernunion.com,payoneer.com,capitalone.com,moneygram.com,payza.com"
} ,
{
"category" : "Other" ,
"comment" : "Bitcoin market targeted on compromised system" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556048998" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5cbf6c66-ffe0-4a8c-9824-47fe02de0b81" ,
"value" : "blockchain.info,cryptonator.com,bitpay.com,bitcoinpay.com,binance.com,bitfinex.com,okex.com\r\nhuobi.pro,bitflyer.jp,bitstamp.net,kraken.com,zb.com,upbit.com,bithumb.com,bittrex.com,bitflyer.jp\r\netherdelta.com,hitbtc.com,poloniex.com,coinone.co.kr,wex.nz,gate.io,exmo.com,exmo.me,yobit.net\r\nkorbit.co.kr,kucoin.com,livecoin.net,cex.io,c-cex.com,localbitcoins.net,localbitcoins.com,luno.com\r\nallcoin.com,anxpro.com,big.one,mercatox.com,therocktrading.com,okcoin.com,bleutrade.com,exchange.btcc.com\r\nbitkonan.com,coinbase.com,bitgo.com,greenaddress.it,strongcoin.com,xapo.com\r\nelectrum.org,etherscan.io,myetherwallet.com,bitcoin.com"
} ,
{
"category" : "Other" ,
"comment" : "Online services targeted on the compromised system" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556049035" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5cbf6c8b-a614-4dd5-8ac6-4f0302de0b81" ,
"value" : "ebay,amazon,wish.com,aliexpress,flipkart.com,rakuten.com,walmart.com\r\ntarget.com,bestbuy.com,banggood.com,tinydeal.com,dx.com,zalando,jd.com\r\njd.id,gearbest.com,lightinthebox.com,miniinthebox.co"
}
] ,
"Object" : [
{
"comment" : "The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject \u201cMilitary Financing Program\u201d" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "16" ,
"timestamp" : "1556048684" ,
"uuid" : "5cbf6b2c-3ab8-4c16-8a67-489a02de0b81" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1556048684" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5cbf6b2c-8020-4a74-b2b7-4f6902de0b81" ,
"value" : "Military Financing.xlsm"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048684" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5cbf6b2c-c17c-47c8-b94a-42f902de0b81" ,
"value" : "efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "file-encoding" ,
"timestamp" : "1556048684" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cbf6b2c-a0d0-4dae-8e08-412c02de0b81" ,
"value" : "Adobe-Standard-Encoding"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1556048684" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cbf6b2c-2024-4f15-aba4-4a2802de0b81" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049067" ,
"uuid" : "844728a6-db55-4b98-aac5-2958c52b5690" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "844728a6-db55-4b98-aac5-2958c52b5690" ,
"referenced_uuid" : "d91efdf2-3005-4924-922f-9ce8b309d20d" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-90b4-4406-89c3-4e7902de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "35bd5ebf-7dba-4906-9a25-c060c9af6d5d" ,
"value" : "1e741ebc08af09edc69f017e170b9852"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "ea2d28ae-559f-4daf-ba6c-32baed400c5f" ,
"value" : "6f7dfdcfd999c965f5f55fa96a62760f2e1821a7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "355a18ce-f148-49c8-9ea5-e2d7cfbe3b50" ,
"value" : "68f543331aee74b8da5cb4351ef46d8102e912e44f9bd602a1d6a945e65492a8"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049068" ,
"uuid" : "d91efdf2-3005-4924-922f-9ce8b309d20d" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a18a10e1-06c4-4742-a841-0e35bcbea718" ,
"value" : "2019-04-23T17:40:32"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e355a052-de28-4864-b4a2-0c24c0bf27bc" ,
"value" : "https://www.virustotal.com/file/68f543331aee74b8da5cb4351ef46d8102e912e44f9bd602a1d6a945e65492a8/analysis/1556041232/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "909412c3-6e16-4f57-b98c-9f05c1b8c0b1" ,
"value" : "25/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049068" ,
"uuid" : "dd76b439-cce9-4957-9a55-13d1eb572e3b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "dd76b439-cce9-4957-9a55-13d1eb572e3b" ,
"referenced_uuid" : "b2ff0fe0-cf2f-4d34-8122-6dd13acc61d4" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-1f98-444f-886c-4ef902de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048806" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d1d379bd-ee86-4a4d-a1ad-ca8208a26dbd" ,
"value" : "4dbe9dbfb53438d9ce410535355cd973"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048806" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "1a09f115-f02d-4e5e-b9ef-6493c6327a59" ,
"value" : "816b013c8be6e5708690645964b5d442c085041e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048806" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "868e095d-2a9f-4452-aa3a-d1c16210e296" ,
"value" : "efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049068" ,
"uuid" : "b2ff0fe0-cf2f-4d34-8122-6dd13acc61d4" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048806" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "3bfc3de0-329e-4230-829c-c56c374958ee" ,
"value" : "2019-04-23T16:49:44"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048806" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "83b49148-89fd-4982-93c8-5e7ec843185c" ,
"value" : "https://www.virustotal.com/file/efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12/analysis/1556038184/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Document" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048806" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "cbf9f8ae-f2ca-4ff8-a460-49bfdcd363c3" ,
"value" : "39/61"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049068" ,
"uuid" : "4a680b06-e200-4a0c-83d3-89b373ef8503" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "4a680b06-e200-4a0c-83d3-89b373ef8503" ,
"referenced_uuid" : "5ca1d1f5-8c98-41a1-b4b3-946d7cc6026e" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-ada4-4477-843c-401802de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "884e32d4-485a-421e-95fb-69f991830d20" ,
"value" : "799ab035023b655506c0d565996579b5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "a649d04d-0ab5-48cc-92ff-737d333a1ac9" ,
"value" : "43cd68e741a2207579c0f5ab4d34acd9cd9f703c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "0cd3a3ea-3567-4eef-9dd7-fe85c9c2d00a" ,
"value" : "41f749bdca8c2abed3e1c8c520b6734b819e241af370eb5921fbecaa514171fe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049068" ,
"uuid" : "5ca1d1f5-8c98-41a1-b4b3-946d7cc6026e" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "46d396cd-68ca-4399-a81c-dcd6930b4aba" ,
"value" : "2019-04-23T17:39:46"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e07569c2-f663-4d58-b6ef-2784f32c276b" ,
"value" : "https://www.virustotal.com/file/41f749bdca8c2abed3e1c8c520b6734b819e241af370eb5921fbecaa514171fe/analysis/1556041186/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "922e99b9-ec3d-4853-8af1-b74221421dd9" ,
"value" : "34/67"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049068" ,
"uuid" : "a98ac785-a670-485e-8de9-81be78a84acd" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a98ac785-a670-485e-8de9-81be78a84acd" ,
"referenced_uuid" : "b0818f5a-42aa-495c-a1c5-b486770e1093" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-31a8-43de-8a94-462702de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1d897430-0363-4df9-9ddd-937061121cab" ,
"value" : "72de32fa52cc2fab2b0584c26657820f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "dbc2a581-590a-4fec-ac2d-d2dd05c80120" ,
"value" : "cf7909caccc91004cbbb0289835c0bb0fb4b58d2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "91137264-aee8-4cb8-9632-f77a7edca987" ,
"value" : "3fd738d510d3f503a871d30c05a4ecda11fb7d1c63a628cdbfcc4164a8d867f4"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049069" ,
"uuid" : "b0818f5a-42aa-495c-a1c5-b486770e1093" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d3fd8a5b-69b3-49b1-921f-8e96b2c8c8ad" ,
"value" : "2019-04-23T17:39:45"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "30298f00-f942-4a01-b6f7-f542f878c1ac" ,
"value" : "https://www.virustotal.com/file/3fd738d510d3f503a871d30c05a4ecda11fb7d1c63a628cdbfcc4164a8d867f4/analysis/1556041185/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b171c6bf-8fcb-4272-8ba9-3dda7f6cf09f" ,
"value" : "30/66"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049069" ,
"uuid" : "72399b1b-24f0-4118-96a3-5ad99ec976bb" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "72399b1b-24f0-4118-96a3-5ad99ec976bb" ,
"referenced_uuid" : "d2fb9c7b-488e-4065-8473-56f9fea46380" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-1540-4e30-84e8-4bd602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "be2ea57d-b6cf-43ab-8834-763cc9a6fb1b" ,
"value" : "1675cdec4c0ff49993a1fcbdfad85e56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "fe9b05fc-5055-4e09-b41f-05fe645856d8" ,
"value" : "376f8936258a0c6a2f29bbf9b2a55d9d7282d348"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "bfba91d3-7fec-451b-b020-9e00f6ccb3d1" ,
"value" : "a3d0d9b1b830fcb48f312634b2ec045e2859f051a9c415a37cd5ba30b70c1224"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049069" ,
"uuid" : "d2fb9c7b-488e-4065-8473-56f9fea46380" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "86c39be1-a7e5-40c5-919d-3ae8b35c8720" ,
"value" : "2019-04-23T17:41:42"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "1c870542-6483-47cf-839a-2e1f51f8eda5" ,
"value" : "https://www.virustotal.com/file/a3d0d9b1b830fcb48f312634b2ec045e2859f051a9c415a37cd5ba30b70c1224/analysis/1556041302/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8d1105be-f922-4d67-8c93-a66c6e003a48" ,
"value" : "35/66"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049069" ,
"uuid" : "b806bdf8-c5e7-45f9-8e37-444ee7c09c2d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b806bdf8-c5e7-45f9-8e37-444ee7c09c2d" ,
"referenced_uuid" : "61f76b3b-866f-4009-82f3-60fb8d0d8324" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-98e0-4737-8127-428b02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "604513c9-69e7-42bb-af3d-e49920dffdf9" ,
"value" : "013e87b874477fcad54ada4fa0a274a2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "4789591b-b7ed-4c8d-a204-37d495e2d8a3" ,
"value" : "32a175ba416fec7f85c405abd58384a7f40225da"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "07238cf2-43b9-4082-a4fa-f5d0782753ca" ,
"value" : "b4b5f7d0778c7954461536bca8943d3f87a7808bc33632ca899660b0f62f43aa"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049069" ,
"uuid" : "61f76b3b-866f-4009-82f3-60fb8d0d8324" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "ab449183-8ddc-49c7-a89a-8c520ff95a37" ,
"value" : "2019-04-23T17:38:52"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "f5c45e4a-99af-4f0e-b570-3173f5b0dd8e" ,
"value" : "https://www.virustotal.com/file/b4b5f7d0778c7954461536bca8943d3f87a7808bc33632ca899660b0f62f43aa/analysis/1556041132/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "82e67755-f1b0-46a1-b464-255c94526f04" ,
"value" : "23/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049069" ,
"uuid" : "01581d8a-6268-4e99-963b-a4b8dae4f91b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "01581d8a-6268-4e99-963b-a4b8dae4f91b" ,
"referenced_uuid" : "81f1f4ef-811f-4d46-8ade-0ab42c570b53" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-464c-45de-b45d-42e502de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f47bd07d-c2a1-43e5-97b2-fc572f86ff7b" ,
"value" : "e1167cb7f3735d4edec5f7219cea64ef"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "6174e019-b1b9-42eb-8ada-82a5056e9905" ,
"value" : "9b32cbdba2f3f40f2072dbeb61b345c910e45b39"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "7dfb5593-267e-44c5-8311-ec746a519508" ,
"value" : "b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049069" ,
"uuid" : "81f1f4ef-811f-4d46-8ade-0ab42c570b53" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "51869580-7688-4e93-820b-a649004b6b92" ,
"value" : "2019-04-23T17:38:49"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "7604ebdf-694b-4ec7-8ae1-20e92f6005f6" ,
"value" : "https://www.virustotal.com/file/b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17/analysis/1556041129/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cda701c-25d6-4e02-b737-b5d75e6c2ebb" ,
"value" : "42/64"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049069" ,
"uuid" : "9e7b3d6a-7ea2-4cfd-865e-32d8c8f79d7a" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "9e7b3d6a-7ea2-4cfd-865e-32d8c8f79d7a" ,
"referenced_uuid" : "01589ece-7e55-4ff5-8089-0e3c79e3bc60" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049070" ,
"uuid" : "5cbf6cae-0aa4-4bf5-9d4a-482702de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1b349ee3-2339-43ff-94e9-b49458b2c86d" ,
"value" : "c6ae889f3bee42cc19a728ba66fa3d99"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "41f766d4-2a47-4cd9-a04f-e2e121a6e1b9" ,
"value" : "18cb6155efbfa3311b919ae8e10fbf35680466a8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "13d24160-0c71-4f57-858d-aad82fd237c6" ,
"value" : "8fbeaabbe09e9e2c97c49e5d9352001df044e7ce277f35d4a617add07216da07"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049069" ,
"uuid" : "01589ece-7e55-4ff5-8089-0e3c79e3bc60" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "7f532053-8e61-436f-80e6-642db2580516" ,
"value" : "2019-04-23T17:41:19"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ffff54f9-ea34-4088-b94a-f2cd438010d2" ,
"value" : "https://www.virustotal.com/file/8fbeaabbe09e9e2c97c49e5d9352001df044e7ce277f35d4a617add07216da07/analysis/1556041279/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "77a783e8-0442-4a8c-a48a-06ee3e5afd7d" ,
"value" : "12/66"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049069" ,
"uuid" : "df884a16-5a27-4416-99db-3e9912ebca78" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "df884a16-5a27-4416-99db-3e9912ebca78" ,
"referenced_uuid" : "3b6a92d0-719d-4a15-a595-3074f0540e6c" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049071" ,
"uuid" : "5cbf6caf-e050-4ce4-abd4-49bb02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "28f0562d-8a55-4283-971e-38e8bc6ec4eb" ,
"value" : "aad0d93a570e6230f843dcdf20041e1e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "f26fc036-27d9-4a01-9d40-9fcfb2ae71eb" ,
"value" : "57fe83b6465e52198bd76b8b987601f716009033"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1bbefe07-47f9-4089-9789-c17485f4df7c" ,
"value" : "4e676f83ebb765ee3d2215b9e957b966947049fcffc251c2b2f97121a19ef4fc"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049070" ,
"uuid" : "3b6a92d0-719d-4a15-a595-3074f0540e6c" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "e233f21b-719a-474c-8b07-e588aa3d2788" ,
"value" : "2019-04-23T17:39:59"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "13cd1ac1-419f-4846-9315-77dd39ebb887" ,
"value" : "https://www.virustotal.com/file/4e676f83ebb765ee3d2215b9e957b966947049fcffc251c2b2f97121a19ef4fc/analysis/1556041199/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0584b8de-b7e3-45d9-a5b2-44c1699e1b0c" ,
"value" : "25/67"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049070" ,
"uuid" : "9e33914c-3535-460f-9164-a5708f650474" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "9e33914c-3535-460f-9164-a5708f650474" ,
"referenced_uuid" : "069666d4-4b61-4682-b4a8-15e1157809b1" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049071" ,
"uuid" : "5cbf6caf-8f4c-41da-bd00-44ac02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d8b8537e-cdb4-4319-9577-2bf12e620350" ,
"value" : "44038b936667f6ce2333af80086f877f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "8a5b5f83-33ec-497c-ac83-159905b7f6e3" ,
"value" : "60dfcc9c2c6ec97538981dd38196607382256693"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "c9485111-6d75-4a1e-b096-491b70c8f6e5" ,
"value" : "9f262e3f57d8dbb1778b8eff2e82165719dd2cf85ce2f292c87d7080d085d0fa"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049070" ,
"uuid" : "069666d4-4b61-4682-b4a8-15e1157809b1" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "17ed0452-d09e-4583-8eb6-5be41a9ea4a8" ,
"value" : "2019-04-23T17:41:36"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "57085397-af38-489e-8aae-a67fbc224e25" ,
"value" : "https://www.virustotal.com/file/9f262e3f57d8dbb1778b8eff2e82165719dd2cf85ce2f292c87d7080d085d0fa/analysis/1556041296/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8f91b43d-3ce6-4ed3-aa2f-e748a318b36c" ,
"value" : "39/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556049070" ,
"uuid" : "a8cbfe77-303e-4ed5-a426-8eef04f8c90f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a8cbfe77-303e-4ed5-a426-8eef04f8c90f" ,
"referenced_uuid" : "ef8f35b5-6d4c-4f8d-beaf-3aa69c27f617" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556049071" ,
"uuid" : "5cbf6caf-d514-41cb-bea3-4ac002de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "cf8135e3-2695-4af9-8cc1-e36b90825d45" ,
"value" : "6cc0218d2b93a243721b088f177d8e8f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "7fbce6e9-a3c3-4f72-a249-2b53ccdb4101" ,
"value" : "16115abc3b3ea066abcdabe64b5165b90a516cb6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556048787" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1ac38fff-440c-4fb2-8b51-bb8911b92ded" ,
"value" : "fa7aab5d6e62cd1d9d5c92d793cbd3f570d9d4c3c6b1744a25382e93c679f570"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556049070" ,
"uuid" : "ef8f35b5-6d4c-4f8d-beaf-3aa69c27f617" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "b02cfccf-7452-456d-b25a-434217cc59d6" ,
"value" : "2019-04-23T17:39:57"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "958325a3-46fe-4e63-8980-03632c66f874" ,
"value" : "https://www.virustotal.com/file/fa7aab5d6e62cd1d9d5c92d793cbd3f570d9d4c3c6b1744a25382e93c679f570/analysis/1556041197/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "DLL" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556048787" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "dcce3632-fdb9-40fd-86e6-856e9e34ea19" ,
"value" : "21/65"
}
]
}
]
}
}