{
"Event": {
"analysis": "0",
"date": "2023-04-13",
"extends_uuid": "",
"info": "QUARTERRIG - Malware Analysis Report",
"publish_timestamp": "1682166797",
"published": true,
"threat_level_id": "1",
"timestamp": "1682166784",
"uuid": "04e8bb1e-b445-40a6-a68a-1ce85e32d229",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"QUARTERRIG\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG",
"data": "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
"deleted": false,
"disable_correlation": true,
"timestamp": "1681974807",
"to_ids": false,
"type": "attachment",
"uuid": "be23fc18-9ba2-41ba-b517-52b492232869",
"value": "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG.png"
},
{
"category": "External analysis",
"comment": "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG",
"data": "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
"deleted": false,
"disable_correlation": true,
"timestamp": "1681974916",
"to_ids": false,
"type": "attachment",
"uuid": "62d53d4b-3875-4440-8ce0-9a51ba56547d",
"value": "PDF containing a link to ENVYSCOUT.png"
},
{
"category": "External analysis",
"comment": "PDF containing a link to ENVYSCOUT",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1681975186",
"to_ids": false,
"type": "attachment",
"uuid": "e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
"value": "PDF containing a link to ENVYSCOUT2.png"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996406",
"to_ids": true,
"type": "url",
"uuid": "768398f7-2ecd-4752-b4d4-e22de7a17c9f",
"value": "pateke.com/auth/login.php"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996406",
"to_ids": true,
"type": "url",
"uuid": "4f3a3552-4374-4692-be62-2dac7a60ea12",
"value": "pateke.com/index.php"
},
{
"category": "Network activity",
"comment": "COBALT STRIKE Handler URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996406",
"to_ids": true,
"type": "url",
"uuid": "1980ede0-18fe-4e78-a433-d85419354fdf",
"value": "gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu"
},
{
"category": "Network activity",
"comment": "COBALT STRIKE Handler URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996406",
"to_ids": true,
"type": "url",
"uuid": "37294cb6-221f-4348-a3a6-ab46ed3adc83",
"value": "gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996406",
"to_ids": true,
"type": "url",
"uuid": "f99cfe00-4d03-4ed2-8112-9a89d16d9251",
"value": "sharpledge.com/login.php"
},
{
"category": "Network activity",
"comment": "URL to ENVYSCOUT used to deliver QUARTERRIG",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996407",
"to_ids": true,
"type": "url",
"uuid": "3084badc-4ea2-4550-a683-0c6088c4b2ba",
"value": "sylvio.com.br/form.php"
},
{
"category": "Network activity",
"comment": "Domain used to host ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681996407",
"to_ids": true,
"type": "hostname",
"uuid": "df942350-ff5f-4008-ad1d-14cecf33fabd",
"value": "sylvio.com.br"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1681910172",
"uuid": "740c4b3b-f5d6-42dc-9264-c225348060f5",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1681910172",
"to_ids": false,
"type": "link",
"uuid": "4d5a0f62-4b12-4a01-93c9-f7bfd2bcf2e7",
"value": "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1681910172",
"to_ids": false,
"type": "text",
"uuid": "09ecf644-ca85-46d2-82c8-2c8071ec53dd",
"value": "QUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1681910172",
"to_ids": false,
"type": "text",
"uuid": "614630de-e0c1-47df-b8e3-bec6d33033f2",
"value": "Report"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1681910172",
"to_ids": false,
"type": "attachment",
"uuid": "02357ebb-25a1-41d6-9d4d-13f9da6885e5",
"value": "QUARTERRIG_.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1681991395",
"uuid": "4a911505-85c5-4496-8eb6-75cea522ed00",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1681991395",
"to_ids": false,
"type": "comment",
"uuid": "633cd9a2-ca79-4625-af22-b65c73d60e86",
"value": "A rule that can be used to scan for QUARTERRIG"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1681991395",
"to_ids": false,
"type": "link",
"uuid": "2b544d42-308e-47a7-8692-fb8b5f37b6ba",
"value": "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1681991395",
"to_ids": true,
"type": "yara",
"uuid": "85308947-6c2f-4f91-ad0c-fa8c2657127d",
"value": "rule apt29_QUARTERRIG {\r\nstrings:\r\n$str_dll_name = \"hijacker.dll\"\r\n$str_import_name = \"VCRUNTIME140.dll\"\r\n// 48 8B 15 39 6A 00 00\r\nmov\r\nrdx, cs:api_stuff.OpenThread\r\n// 48 8D 0D FA 68 00 00\r\nlea\r\nrcx, api_stuff\r\n// 8B D8\r\nmov\r\nebx, eax\r\n// E8 3F 25 00 00\r\ncall\r\nload_api_addr\r\n// 44 8B C3\r\nmov\r\nr8d, ebx\r\n// 33 D2\r\nxor\r\nedx, edx\r\n// B9 FF FF 1F 00\r\nmov\r\necx, 1FFFFFh\r\n// FF D0\r\ncall\r\nrax\r\n$op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }\r\n// E8 A0 25 00 00\r\ncall\r\nload_api_addr\r\n// 48 8B CB\r\nmov\r\nrcx, rbx\r\n// FF D0\r\ncall\r\nrax\r\n// 83 F8 FF\r\ncmp\r\neax, 0FFFFFFFFh\r\n$op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }\r\ncondition:\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1681991395",
"to_ids": false,
"type": "text",
"uuid": "785cb298-a86d-4427-82b6-a3eaf1b0342a",
"value": "apt29_QUARTERRIG"
}
]
},
{
"comment": "Virtual disc container\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1682059182",
"uuid": "7d3d282a-c84f-48a1-9af5-8c0b43a0851e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "7d3d282a-c84f-48a1-9af5-8c0b43a0851e",
"referenced_uuid": "10cee96e-441a-48ea-8585-049029d4c157",
"relationship_type": "contains",
"timestamp": "1681992238",
"uuid": "a672ee02-fc5a-49f1-b37d-9d14c097a648"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681991513",
"to_ids": true,
"type": "sha1",
"uuid": "362efc29-7bca-45f1-b191-60d69b535dee",
"value": "52932be0bd8e381127aab9c639e6699fd1ecf268"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681991513",
"to_ids": true,
"type": "md5",
"uuid": "0cece2d3-a8b7-4b74-adcb-b282afcbd152",
"value": "22adbffd1dbf3e13d036f936049a2e98"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681991513",
"to_ids": true,
"type": "sha256",
"uuid": "372b5e10-5c66-454b-b75c-608da87e23d8",
"value": "c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681991513",
"to_ids": true,
"type": "filename",
"uuid": "2ffe8eed-4a34-41e4-b87e-53027730c97a",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681991513",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5704e0b6-7390-4cd4-a7c5-ba08ba675eeb",
"value": "2624000"
}
]
},
{
"comment": "Legitimate executable used to load the malicious DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681992221",
"uuid": "10cee96e-441a-48ea-8585-049029d4c157",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681992221",
"to_ids": true,
"type": "sha1",
"uuid": "90e43385-693b-484e-8b5b-2e4ced41b6ea",
"value": "b260d80fa81885d63565773480ca1e436ab657a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681992221",
"to_ids": true,
"type": "md5",
"uuid": "dffb75fe-0dd0-4235-b0ba-65f0228f0b82",
"value": "b1820abc3a1ce2d32af04c18f9d2bfc3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681992221",
"to_ids": true,
"type": "sha256",
"uuid": "91c7344c-0978-41c6-8385-2cd767879d3a",
"value": "6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681992221",
"to_ids": true,
"type": "filename",
"uuid": "1b5d194b-bbf5-4d6a-a49b-cb97750d62b4",
"value": "Note.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681992221",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d2071a01-366f-4356-8058-19882aa738d1",
"value": "1600000"
}
]
},
{
"comment": "QUARTERRIG - loader\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681993008",
"uuid": "204c3d9f-6da0-426d-9609-db8c99dd8f8c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681993008",
"to_ids": true,
"type": "sha1",
"uuid": "d78e679b-15f2-4c3a-aad8-654af79ab880",
"value": "ca1ef3aeed9c0c5cfa355b6255a5ab238229a051"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681993008",
"to_ids": true,
"type": "md5",
"uuid": "811d8f92-2ede-4b7d-b3fd-bc7c37b992b8",
"value": "db2d9d2704d320ecbd606a8720c22559"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681993008",
"to_ids": true,
"type": "sha256",
"uuid": "dcf6912a-38af-498e-9044-73f305e585d2",
"value": "18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681993008",
"to_ids": true,
"type": "filename",
"uuid": "ad7ebdbe-b5ff-4eaa-93de-c0479b0821f6",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681993008",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "8d1b385d-d638-493d-84a1-4711b2592e09",
"value": "28000"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681994371",
"uuid": "7546b1a9-3633-4f46-99e2-d27bb8db276a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681994371",
"to_ids": true,
"type": "sha1",
"uuid": "9825b370-667f-4a13-b9b0-d4640f5b9635",
"value": "02cd4148754c9337dfa2c3b0c31d9fdd064616a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681994371",
"to_ids": true,
"type": "md5",
"uuid": "46517152-0a51-462d-abc3-393182355a4c",
"value": "166f7269c2a69d8d1294a753f9e53214"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681994371",
"to_ids": true,
"type": "sha256",
"uuid": "9b38ea28-f516-4ed8-9461-72c4ea85a158",
"value": "3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681994371",
"to_ids": true,
"type": "filename",
"uuid": "6b2c7c54-7839-4e82-bf0f-499a5d976e44",
"value": "bdcmetadataresource.xsd"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681994371",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d73eec0c-fa3e-4c8a-a013-9f32c58f1b93",
"value": "456000"
}
]
},
{
"comment": "Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681994539",
"uuid": "20d5700b-21da-4c3e-9425-c5b87b5f83aa",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681994539",
"to_ids": true,
"type": "sha1",
"uuid": "76fc036c-b16a-4472-90de-44a868a26a6e",
"value": "86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681994539",
"to_ids": true,
"type": "md5",
"uuid": "42daa2b6-666d-4ad8-a45b-82701fab7955",
"value": "1609bcb75babd9a3e823811b4329b3b9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681994539",
"to_ids": true,
"type": "sha256",
"uuid": "6d5f01e0-64b6-4bf4-ba4c-a1c31af51be4",
"value": "91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681994539",
"to_ids": true,
"type": "filename",
"uuid": "f7aa82b6-250f-4fda-9419-a37c4e1addfe",
"value": "Invite.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681994539",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "3339b0d7-542a-426e-a19a-abfd5341f2e6",
"value": "6464000"
}
]
},
{
"comment": "Legitimate executable used to load the malicious DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681994789",
"uuid": "f80de271-05af-4413-8087-9d553c54805e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681994789",
"to_ids": true,
"type": "sha1",
"uuid": "6032acd2-c6ad-4cd7-b8b9-db3c6b5ed1ab",
"value": "15511f1944d96b6b51291e3a68a2a1a560d95305"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681994789",
"to_ids": true,
"type": "md5",
"uuid": "b11fea69-a551-4265-a2c2-c93c11f46ac7",
"value": "d2027751280330559d1b42867e063a0f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681994789",
"to_ids": true,
"type": "sha256",
"uuid": "327ed2ab-8e5d-4e58-a797-d0e75cfac1c2",
"value": "35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681994789",
"to_ids": true,
"type": "filename",
"uuid": "86b6aca7-39da-4a9e-bf5a-c68792e41a88",
"value": "Invite.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681994789",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "f0dc5614-f9ec-4d2f-902b-963d0e367f2f",
"value": "5380000"
}
]
},
{
"comment": "QUARTERRIG loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681994834",
"uuid": "0d5b228d-17ff-48e1-bb83-24e34292ea06",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681994834",
"to_ids": true,
"type": "sha1",
"uuid": "4328a381-96c4-41d4-b1ec-ed981f712341",
"value": "b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681994834",
"to_ids": true,
"type": "md5",
"uuid": "8d0c94e4-4335-4e17-9dad-715f0f896022",
"value": "bd4cbcd9161e365067d0279b63a784ac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681994834",
"to_ids": true,
"type": "sha256",
"uuid": "ee216de3-486a-4c0a-9fa2-9d6976f58884",
"value": "673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681994835",
"to_ids": true,
"type": "filename",
"uuid": "2b4b9249-c404-49e0-bde6-fd2e056e23e2",
"value": "winhttp.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681994835",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "39a6c2c0-3b7d-4328-be1c-4730674b5855",
"value": "32000"
}
]
},
{
"comment": "Encrypted resource containing the second stage",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681994920",
"uuid": "d940713b-8e68-4bbd-9164-ed43afc83c11",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681994920",
"to_ids": true,
"type": "sha1",
"uuid": "ac923975-efa2-4a0d-8d1a-81b28aea7769",
"value": "1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681994920",
"to_ids": true,
"type": "md5",
"uuid": "91571441-ccf1-4427-a170-abb70c77efcc",
"value": "8dcac7513d569ca41126987d876a9940"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681994920",
"to_ids": true,
"type": "sha256",
"uuid": "75fa73b5-5d6b-447b-88f2-4079e3854535",
"value": "9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681994920",
"to_ids": true,
"type": "filename",
"uuid": "414c3694-038b-4eef-aa2e-246138ae0d2e",
"value": "Stamp.aapp"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681994920",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "7afeb201-5617-47c0-9760-e80be558d356",
"value": "460000"
}
]
},
{
"comment": "Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681995198",
"uuid": "21b857c6-1d55-4625-9b08-56c9fdc205da",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681995198",
"to_ids": true,
"type": "sha1",
"uuid": "ef2f20b6-fc7b-422b-a717-b6ebdfb57eeb",
"value": "bacb46d2ce5dfcaf8544125903f69f01091bc3d6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681995198",
"to_ids": true,
"type": "md5",
"uuid": "1ee4d70f-be1b-4779-befd-579cb32a9691",
"value": "3aca0abdd7ec958a539705d5a4244196"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681995198",
"to_ids": true,
"type": "sha256",
"uuid": "015c70dd-9d2f-4d84-826c-373f0780899e",
"value": "10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681995198",
"to_ids": true,
"type": "filename",
"uuid": "2dfacdb0-36e4-4f12-b508-61620dc8e5e9",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681995198",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "f0602b0c-5da8-4556-8b45-434b312116fa",
"value": "2688000"
}
]
},
{
"comment": "QUARTERRIG loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681995316",
"uuid": "c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681995316",
"to_ids": true,
"type": "sha1",
"uuid": "18f43634-4d59-4a39-b76e-4998d5fe40b2",
"value": "6382ae2061c865ddcb9337f155ae2d036e232dfe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681995316",
"to_ids": true,
"type": "md5",
"uuid": "67c70fc8-3e82-416a-bf91-cea62036025b",
"value": "9159d3c58c5d970ed25c2db9c9487d7a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681995316",
"to_ids": true,
"type": "sha256",
"uuid": "f3fb3353-f4b6-42df-80c3-13e07dab3413",
"value": "a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681995316",
"to_ids": true,
"type": "filename",
"uuid": "7a798b5b-7c39-441f-963b-2f0c1a2fad8c",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681995316",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "6eac8432-e78c-4c9d-a6ef-50d79dfddf8f",
"value": "26000"
}
]
},
{
"comment": "Encrypted resource containing the second stage",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681996267",
"uuid": "202f9cfd-1b59-4f2d-a113-27e6822b693d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681995527",
"to_ids": true,
"type": "md5",
"uuid": "0a97819f-0625-49a8-8c4b-01f3d6b20ad7",
"value": "bc4b0bd5da76b683cc28849b1eed504d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681995527",
"to_ids": true,
"type": "sha256",
"uuid": "a805e824-66b8-4224-b048-91cd8f715325",
"value": "15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681995527",
"to_ids": true,
"type": "filename",
"uuid": "0545b6b6-b8ee-4082-9154-d0aa41024bbb",
"value": "bdcmetadataresource.xsd"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681996267",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "9357b409-877c-4409-91ee-82217978d290",
"value": "489757"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681995527",
"to_ids": true,
"type": "sha1",
"uuid": "bf5e04fe-25a2-415f-b086-50b8c1b7580f",
"value": "b3ff6376baa180cff13ae76672c669cc8f45c130"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1681996431",
"uuid": "553fd38b-e053-4632-867f-377e6746a81d",
"Attribute": [
{
"category": "Network activity",
"comment": "QUARTERRIG C2 Domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1681996431",
"to_ids": true,
"type": "domain",
"uuid": "4c6cd59b-dcef-4527-8835-fa521362cc1b",
"value": "sharpledge.com"
},
{
"category": "Network activity",
"comment": "QUARTERRIG server IP",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1681996431",
"to_ids": true,
"type": "ip-dst",
"uuid": "52f53f7a-dbd2-4dca-8194-e6170d7b3fba",
"value": "51.75.210.218"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1681996454",
"uuid": "b0de75d1-a729-49aa-a586-1fe80813422b",
"Attribute": [
{
"category": "Network activity",
"comment": "QUARTERRIG Domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1681996454",
"to_ids": true,
"type": "domain",
"uuid": "20911b2a-5d5e-4c9c-877e-1bd617c8e3f8",
"value": "pateke.com"
},
{
"category": "Network activity",
"comment": "QUARTERRIG server IP",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1681996454",
"to_ids": true,
"type": "ip-dst",
"uuid": "071d3d06-3974-41e5-b672-b8f0932e3426",
"value": "85.195.89.91"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1681996465",
"uuid": "e659ce38-dba5-438c-a7c7-900052726ad8",
"Attribute": [
{
"category": "Network activity",
"comment": "COBALT STRIKE C2 Domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1681996465",
"to_ids": true,
"type": "domain",
"uuid": "d53e8072-db06-4f54-ac08-20e73033cc80",
"value": "gatewan.com"
},
{
"category": "Network activity",
"comment": "COBALT STRIKE C2 IP",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1681996465",
"to_ids": true,
"type": "ip-dst",
"uuid": "18f047b9-e868-41ac-9c76-41b337cd5c43",
"value": "91.218.183.90"
}
]
}
]
}
}