{
"Event" : {
"analysis" : "2" ,
"date" : "2019-05-02" ,
"extends_uuid" : "" ,
"info" : "OSINT - Goblin Panda continues to target Vietnam" ,
"publish_timestamp" : "1556803538" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1556803290" ,
"uuid" : "5ccaeddb-dc84-4cc2-9f73-4a70950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#10ca00" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Hellsing\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"NewCore RAT\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803056" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5ccaedf0-5fd0-4f8c-a5f5-49d4950d210f" ,
"value" : "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803079" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5ccaee07-32d8-4255-9cb5-4686950d210f" ,
"value" : "Chinese actors have changed the rtf exploit following my different articles and Anomali article https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain\r\n\r\nBut in March a researcher of Anomali @aRtAGGI made a very interesting link between Icefog and an article targeting Mongolian speakers https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee32-bb50-4bc4-bdb8-4817950d210f" ,
"value" : "81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ccaee32-5ce8-48fd-8fb0-4ff8950d210f" ,
"value" : "Shortcuts\\QcLite.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee32-b744-4e07-bd11-4f6d950d210f" ,
"value" : "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ccaee32-4a50-4c78-8d6f-4a8c950d210f" ,
"value" : "Shortcuts\\QcConsol.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee32-db04-4dc2-83d0-47ca950d210f" ,
"value" : "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5ccaee32-cb00-49b9-b3cc-47bd950d210f" ,
"value" : "web.hcmuafgh.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5ccaee32-0310-4075-8920-4337950d210f" ,
"value" : "193.29.56.62"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5ccaee32-1ad0-4b57-98b5-4f6c950d210f" ,
"value" : "http://web.hcmuafgh.com:4357/link?url=maOVmKGmMDU1&enpl=OXcoVQ==&encd=XARIZTE="
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee7b-9258-45b6-9420-4bba950d210f" ,
"value" : "05d0ad2bcc1c6e2752a231bc36d07a841f075a0a32a3a62abaafddbdafd72f62"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee7b-27b0-4803-a8e5-412e950d210f" ,
"value" : "5a592b92ffcbea75e458726cecc7f159b8f71c46b80de30bac2a48006ac1e1b3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ccaee7b-0eb8-4058-be18-47d6950d210f" ,
"value" : "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1556803274" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "5ccaeeca-5668-4e48-9f70-496c950d210f" ,
"value" : "CVE-2017-11882"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556803161" ,
"uuid" : "6af30035-5440-401a-976b-bc64ed82ad01" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "6af30035-5440-401a-976b-bc64ed82ad01" ,
"referenced_uuid" : "c6f4a078-7797-4e7f-a50a-f441a9441493" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556803161" ,
"uuid" : "5ccaee59-5a8c-4363-bebd-4bed950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "ab124dfa-92ff-485d-a669-8e365c666763" ,
"value" : "6d2e6a61eede06fa9d633ce151208831"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "106a8fdf-dffe-4228-8fa5-ada33eef0792" ,
"value" : "f764163f3912376ebcabaf1cf3a60b6bc74561be"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "60444fbf-9c77-48fe-a82a-dd321618dc9b" ,
"value" : "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556803161" ,
"uuid" : "c6f4a078-7797-4e7f-a50a-f441a9441493" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "8a8e9657-f185-4b4a-a864-9dfd038906ce" ,
"value" : "2019-05-02T11:28:30"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "a0b8060b-4c47-4415-8ee8-481d250cdbaf" ,
"value" : "https://www.virustotal.com/file/207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3/analysis/1556796510/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8d0ecb1f-84c3-4e39-85e6-5382f49cc22c" ,
"value" : "15/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556803161" ,
"uuid" : "3ad479ea-41de-4e77-a2e2-e443cdc7e06f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "3ad479ea-41de-4e77-a2e2-e443cdc7e06f" ,
"referenced_uuid" : "61bf2686-6262-435a-9039-372f43219b6e" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556803162" ,
"uuid" : "5ccaee5a-6e70-4478-894a-4c2d950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c0f28c2a-0d92-46be-b786-f79defa4e0b7" ,
"value" : "109d51899c832287d7ce1f70b5bd885d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "a90d29a2-35af-473b-a9b8-8c66e5fc6147" ,
"value" : "daa69d1b1abc00139b1d73d075921ab93137598d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b259722e-416d-4590-a0e6-164a49207e4b" ,
"value" : "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556803161" ,
"uuid" : "61bf2686-6262-435a-9039-372f43219b6e" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5e67a2b3-2334-4dd1-b4da-148e54772693" ,
"value" : "2019-04-29T23:04:06"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "2861f6a6-f61f-4226-8b1a-5552c3c1fa06" ,
"value" : "https://www.virustotal.com/file/9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770/analysis/1556579046/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f186be1f-70d3-4b2d-8f82-32aa84b64c0b" ,
"value" : "0/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556803161" ,
"uuid" : "f9c0db13-b132-48c2-bf17-631eff339a1f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "f9c0db13-b132-48c2-bf17-631eff339a1f" ,
"referenced_uuid" : "065f0f1c-08b4-4411-9d4d-300f2e0ac82e" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556803162" ,
"uuid" : "5ccaee5a-db04-4d65-b2c1-4633950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "fd6c0413-7685-4cb6-aa2e-f6dd97d0cce8" ,
"value" : "84fca27bc75f40194c95534b07838d6c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "093b8656-2505-4c48-b31e-413a7ee51b86" ,
"value" : "9520a18e9f6d4f6f014aa576b8843cdff176f701"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556803122" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a2bb8d4-5262-4f0c-8bf7-2a0945fa157f" ,
"value" : "81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556803161" ,
"uuid" : "065f0f1c-08b4-4411-9d4d-300f2e0ac82e" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "e051a82c-c83e-4283-8de4-161be247465f" ,
"value" : "2019-05-01T10:35:55"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "8a0a6690-a7e6-449b-9c8d-6afd65d8be44" ,
"value" : "https://www.virustotal.com/file/81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6/analysis/1556706955/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556803122" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "bab1b9f2-f67e-493b-912e-525dcaa79d9c" ,
"value" : "30/58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1556803233" ,
"uuid" : "f2fb7d05-f968-4edc-8d24-24b91cf0df61" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "f2fb7d05-f968-4edc-8d24-24b91cf0df61" ,
"referenced_uuid" : "7077ee06-f4ff-4873-86f7-ba89aef8c723" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1556803234" ,
"uuid" : "5ccaeea2-cac8-4c3a-a079-4722950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c495f771-242a-44d6-ba60-604f0cd9c923" ,
"value" : "1b19175c41b9a9881b23b4382cc5935f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "14b8e5a4-c34b-4bb2-bdba-cc9de529c924" ,
"value" : "3752656c024284ea63421d70235ec48d76a95df3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1556803195" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "a960d2df-329d-476e-98e4-388b714a781a" ,
"value" : "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1556803234" ,
"uuid" : "7077ee06-f4ff-4873-86f7-ba89aef8c723" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1556803195" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a6e30d35-1912-4743-86bb-917b906bfc44" ,
"value" : "2019-04-29T23:04:01"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1556803195" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "f6aba0fc-493d-46cd-809d-fb34b7ade2cb" ,
"value" : "https://www.virustotal.com/file/5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76/analysis/1556579041/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "The dll is a variant of the newcoreRAT with many similarities with" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1556803195" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "35ac479c-bae6-42e5-a362-b3477657ef04" ,
"value" : "46/70"
}
]
}
]
}
}