2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "0" ,
"date" : "2017-12-24" ,
"extends_uuid" : "" ,
"info" : "OSINT - Repository containting orignal and decompiled files of TRISIS/TRITON/HATMAN malware" ,
"publish_timestamp" : "1621926315" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faeda-9524-4a8c-a329-b4d302de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"TRISIS\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00839f" ,
"local" : "0" ,
"name" : "veris:asset:variety=\"S - SCADA\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#74e800" ,
"local" : "0" ,
"name" : "circl:topic=\"industry\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0fc000" ,
"local" : "0" ,
"name" : "admiralty-scale:information-credibility=\"2\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Artifacts dropped" ,
"comment" : "Yara rules to match the known binary components of the HatMan malware targeting Triconex safety controllers. Any matching components should hit using the \"hatman\" rule in addition to a more specific \"hatman_*\" rule." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5a3faf9a-f514-4358-8ace-b1e202de0b81" ,
"value" : "/*\r\n * DESCRIPTION: Yara rules to match the known binary components of the HatMan\r\n * malware targeting Triconex safety controllers. Any matching\r\n * components should hit using the \"hatman\" rule in addition to a\r\n * more specific \"hatman_*\" rule.\r\n * AUTHOR: DHS/NCCIC/ICS-CERT\r\n */\r\n\r\n/* Globally only look at small files. */\r\n\r\nprivate global rule hatman_filesize : hatman {\r\n condition:\r\n filesize < 100KB\r\n}\r\n\r\n/* Private rules that are used at the end in the public rules. */\r\n\r\nprivate rule hatman_setstatus : hatman {\r\n strings:\r\n $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 ?? ?? 42 38 }\r\n condition:\r\n $preset\r\n}\r\nprivate rule hatman_memcpy : hatman {\r\n strings:\r\n $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01 \r\n 9c a3 00 01 42 00 ff f8 4e 80 00 20 }\r\n $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c\r\n 01 00 a3 9c f8 ff 00 42 20 00 80 4e }\r\n condition:\r\n $memcpy_be or $memcpy_le\r\n}\r\nprivate rule hatman_dividers : hatman {\r\n strings:\r\n $div1 = { 9a 78 56 00 }\r\n $div2 = { 34 12 00 00 }\r\n condition:\r\n $div1 and $div2\r\n}\r\nprivate rule hatman_nullsub : hatman {\r\n strings:\r\n $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }\r\n condition:\r\n $nullsub\r\n}\r\nprivate rule hatman_origaddr : hatman {\r\n strings:\r\n $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }\r\n $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }\r\n condition:\r\n $oaddr_be or $oaddr_le\r\n}\r\nprivate rule hatman_origcode : hatman {\r\n strings:\r\n $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }\r\n $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }\r\n condition:\r\n $ocode_be or $ocode_le\r\n}\r\nprivate rule hatman_mftmsr : hatman {\r\n strings:\r\n $mfmsr_be = { 7c 63 00 a6 }\r\n $mfmsr_le = { a6 00 63 7c }\r\n $mtmsr_be = { 7c 63 01 24 }\r\n $mtmsr_le = { 24 01 63 7c }\r\n condition:\r\n ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)\r\n}\r\nprivate rule hatman_loadoff : hatman {\r\n strings:\r\n $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00\r\n 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? }\r\n $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28 \r\n ?? ?? 82 40 00 00 03 28 ?? ?? 82 41 }\r\n condition:\r\n $loadoff_be or $loadoff_le\r\n}\r\nprivate rule hatman_injector_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origaddr and hatman_loadoff\r\n}\r\nprivate rule hatman_payload_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origcode and hatman_mftmsr\r\n}\r\n\r\n/* Actual public rules to match using the private rules. */\r\n\r\nrule hatman_compiled_python : hatman {\r\n condition:\r\n hatman_nullsub and hatman_setstatus and hatman_dividers\r\n}\r\nrule hatman_injector : hatman {\r\n condition:\r\n hatman_injector_int and not hatman_payload_int\r\n}\r\nrule hatman_payload : hatman {\r\n condition:\r\n hatman_payload_int and not hatman_injector_int\r\n}\r\nrule hatman_combined : hatman {\r\n condition:\r\n hatman_injector_int and hatman_payload_int and hatman_dividers\r\n}\r\nrule hatman : hatman {\r\n meta:\r\n author = \"DHS/NCCIC/ICS-CERT\"\r\n description = \"Matches the known samples of the HatMan malware.\" \ r \ n c o n d i t i o n : \ r \ n h a t m a n _ c o m p i l e d _ p y t h o n o r h a t m a n _ i n j e c t o r o r h a t m a n _ p a y l o a d \ r \ n o r
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "mandiant.yara" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5a3fafbc-3504-43c9-be65-4e4d02de0b81" ,
"value" : "rule TRITON_ICS_FRAMEWORK\r\n{\r\n meta:\r\n author = \"nicholas.carr @itsreallynick\"\r\n md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n strings:\r\n $python_compiled = \".pyc\" nocase ascii wide\r\n $python_module_01 = \"__module__\" nocase ascii wide\r\n $python_module_02 = \"<module>\" nocase ascii wide\r\n $python_script_01 = \"import Ts\" nocase ascii wide\r\n $python_script_02 = \"def ts_\" nocase ascii wide \r\n\r\n $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n $py_cnames_04 = \" chassis \" nocase ascii wide \r\n\r\n $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n $py_tslibs_02 = \"ts_\" ascii wide\r\n $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide\r\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n $py_tslibs_06 = \"bad \" nocase ascii wide\r\n $py_tslibs_07 = \"prog_cnt\" nocase ascii wide \r\n\r\n $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n \r\n $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n $py_tshi_02 = \"keystate\" nocase ascii wide\r\n $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n $py_tshi_06 = \".TsHi(\" ascii nocase wide \r\n\r\n $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n $py_tslow_04 = \"tcm_\" ascii wide\r\n $py_tslow_05 = \" TCM found\" nocase ascii wide \r\n\r\n $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii wide\r\n $py_crc_05 = \"crc16ret\" ascii wide\r\n $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide \r\n\r\n $py_sh_01 = \"sh.pyc\" nocase ascii wide \r\n\r\n $py_keyword_01 = \" FAILURE\" ascii wide\r\n $py_keyword_02 = \"symbol table\" nocase ascii wide \r\n\r\n $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide \r\n\r\n condition:\r\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}"
} ,
{
"category" : "Social network" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "github-username" ,
"uuid" : "5a3faff3-8d78-430b-9d19-4cc702de0b81" ,
"value" : "ICSrepo"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a3fb014-cacc-4379-9b55-4e7102de0b81" ,
"value" : "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/" ,
"Tag" : [
{
"colour" : "#00497f" ,
"local" : "0" ,
"name" : "osint:source-type=\"source-code-repository\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "Decompiled code" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a3fb039-5e74-435d-8157-b4d302de0b81" ,
"value" : "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/tree/master/decompiled_code" ,
"Tag" : [
{
"colour" : "#00497f" ,
"local" : "0" ,
"name" : "osint:source-type=\"source-code-repository\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Tarball of the git repository including decompiled code" ,
"data" : " H 4 s I A N i w P 1 o A A + w 8 C X A c 1 Z W 2 C Q W e A H E C h L C E 8 C N j W x q s m b 57 R o b Y Q h J Y 2 G M b S c a A b Y Y / 3 X 80 v e 7 p H r p 7 J A v L r C H m c D i X Y 7 G D c a 1 Z Y 2 K o B M x y e N k N w U A V L I S z i g J C w s K y h c m G L D c p Y A v 2 / d 89 l 6 T x j G y X q C z z S 7 b 6 e O + / + / 33 j 1 Z f T 3 d v d 29 r X 0 933 + J F r f P b + x L t i 6 K T D m z j o K m y T H / z q s y V / y 60 S b w o 8 K o q c o I s T e J 4 U V S F S U g + w H y M 2 f K u h x 2 E J m E 9 b + J 8 d b h a 7 / 9 K W 99 Y 9 u / p a u 9 M d E W y + o G h Q Q 2 s S F I 1 + y s 8 p 46 w v 6 S A u y D u w J D f e / u G 23 / 6 d O S 7 A I o i 3 w n g Y j 72 E t h C C W w O Y o e g H p K z X c O z n a F Q a D o g d B J X c 4 y c Z 9 h W K N S X M V z k F C G Q Z l s e N i w X 2 Y 7 R b 1 j Y R C 7 O 5 k z i I m z p S C e a n c 0 Z J t G R a + c d D R 7 b a Z Q N C G H P w 9 o q w + q H X r J Z 2 z K H U N 4 F U M N C 3 Z Y O l n I M 6 K 8 D K D i 2 i X q H X I 9 k X d T c 3 d H b g s J 9 j g G 0 y e o w 6 s V p 4 g 0 B C i D k s 8 T y o A s f G D W D p C 2 M R + j B J I 4 b Q a f Z D s r a Q N 2 w 0 r a T x V Q s B A L C e + T Z q C m 8 k G A H l A E g 4 a Z I K N S F t Q w I 148 t 40 I f W G f 6 S F G + P a q N g j j A N l W M 47 m + G B j p R j p N H O A I W T h L U L O v + q i v + K i v 9 h a f J S + D P U D H r m 3 N h h t C + 3 O R Z S O Q c X a g H 78 X 4 B o Z H n A G e K Z O H B Q u q D 4 Z q D 48 h l X S B r U J 4 y s 1 R A k U 2 W a U N T t v w h v a e 95 i F q A g g 4 a p t 4 V C w 2 g R J e y 3 Y Z T o l N F e 2 z C z G a M / D i Q g 0 1 p s q P x m 7 D Y a p C 4 k I A N + Z d r 9 E f V C y h i X k o i q k J i U x p K u 4 L j K K 3 o s D j l K E R Q d x 1 O o C E 9 W k 4 I 0 i i b G N T E t Y S 6 m i 7 o a S w s k F V d F H J d S u q r y M U b G N F I O d o Y o n W G k K u m Y p I u Y E F l M C T F Z k V V Z i 6 d l G X B i K l F R C f 5 C I x e Q 4 d J Y A 874 t J o S 4 r J I V E 2 I a 5 B b d S U W U 2 R B Z G S M L G i a C Q M Y O q + K J M b x C l H F N J c W N F 5 N y Z B q s c j z Q J i g A j y 4 b 9E2 k q i m e V F O Y V 6 N x + U 4 l m O c x A t E B k I i K C L N y G D T 9 I l Q D F l S B R I n i q 6 m t Z Q I w K I Q U 2 J q j P B p o q V j M o C 0 m w W n w y l 7 g B J u 3 b s D U B c I U S z s a B l j g C K C d 7 p E y z v g t I O G l 0E57 L q D t q O 3 o T B E L 9 E g 0 s O h U C E M S s k m q d k 6 K Y u C s j S U G / I y E E m M s 9 m F 8 P B o L K c d O 4 v C J V u H G R B L Y + E y 0 4 Q L / B X y A I 10 K i E L l M W s w 4 J i e 4 i b N 72 x A i R B g A 197 z G w F 3 + u 9 q b c v Z m 7 D i M / d y c 94 n q R 3 F A 5 D 3 k r N y R Q q J P g k i p o y C R K h e d S T x x G p z E r g l R p X 9 H B W 9 Z D E a 3 S j A W T D G E H J 518 Z U 6 i D x F 7 i J p Z 8 u l G O I s w S 0 Z 2 u g X 0 6 o F p R 6 Z X p l 7 K S r k I 7 X l Q o 1 M 7 n d R I D g w 6 C 5 Y 2 s O V F G H / D a J 7 h u Z C Q T X P I M r R V q D k R v G / x o 0 5 z W z X i F K E 75 / d G F 3 V 0 d H d E Y X h q 7 e j q 6 S t T B x 1 F l 2 W G 0 J J 8 y j T c D I g 2 F 3 W 71 i w P E j n S s d V P H D v v z g 2 F e m 3 I s z l i Q x Y v 5 G C a + v O W A Q P c I B 0 U H G y 4 v m r o A O H m g / y d K / b M 3 t Q Y g 7 N G f 8 a j 2 b 5 I O 0 K N 0 O 8 Q A M p b n m H S X l z i k 7 T s o H + N Q m X w Q G G U Y D x Y m p n X A S 1 d 8 B L g x o R x z E P e o B 3 g w c C O B 7 B h 4 h T I F T A x 22 c 8 S 7 B F + R y C c Q 5 p U I X o 9 q B l 2 l i n q j H S a J V l D 6 J B N h 7 C 6 O w S G n w R U C a g U t + A U X o 2 M J U i p k E G A l 2 U D 9 Z u N N D m Y M Y u D X K M D + j O I T A g U k J U T 0 w w p n G c w y n D p C o H G J 3 k T H u I c Q O y 0 S H a D A o X H w O b 8 E g H A T U Q i l U v I L 9 N 7 W C A L X G / H U E j a 6 Y s X k V V 5 f l 1 i I 9 o U J b o 0 F 6 y N 2 U K a 1 g n W Q M z / n 2 z Q Q J c B V U B 5 P G c Y w 9 Q i + s k T S y X a t b M M 6 E Z q o t p D n W p R z F W A M W 0 b V Z u U T p F t 4 C i y P d Q v / C h P E G s h V k Z 6 H i 0 W u h 0 Q A w X H i K U 8 b y c 2 x a N 6 u x R B L q I p i D Z R C H n u I Y b D a Y X H B / J 6 e n K T g r h g 5 p P M x z S N U R a K j o c H B y M p O E F G S J l v W Z A t 16 r Q 3 y 7 R w W Y S E R 5 I e r r H z h v 9 a 3 T a p H B V h q R / o v W t A P 1 C t V T K / D l 2 V Y k 42 X N S n a K U d r M o r a S m W J w 54 P f / f Z A F I x H 3 C j o G k N O j z J 3 j + q 2 x i p O N 5 p o 72 n l 1 V Z R F k D 6 G Q L n F 3 c z u o Q Z M W 5 G X P J r V H j u F 6 Z w 0 Y e d f k h 0 O l w G h X e y V + Z i H Q X N L S M w R M N U Z W z 9 D 4 B F b a Y o Q Y p x s q p I X A i w w u 0 W 1 N A 5 H Q O r 1 H m p O 5 c 5 H s 2 w Q C l r 0 m R i A j Y J w / j J i j X N a 0 O U 7 D w d o n l V F j u h I G N r X j P 2 W u C B Z l j s H a X 6 d U 9 j G m 0 f 25 j z / 9 I o f U C W g s a //iPLEtdY/5mIVsv+FUXQPtKosf4j84JUaX+BE3ixsf4zEY1aOVj4ScIQmDytpz3RtWxxz4LQmpBfrmaJh9tCpUIa+yX2KagJyuCMbWIY9bHjjCiPm8owsrpMwWtNXstR9NISE0UNVqaKwziMYRrMsOg8UM87tIIpVhMgBK1BDZ2uskChkIPyhxS6pitIVr9bLs6J/gQwWayJgRzMi7QmKHM1DEUUdjXDgOmmTsbAytrgFiTJ8RQtWbhNjg9ZoMgn+3c/qQ81mMT5dKHwo0VMnzs+XEYWyhfkuWMxjFCoEjmp0eUmNyDa1xvcg7Jq0i2iCoE1OxYvqh9JZEiO0ev56231Y0oUE2kZDPW0OxbeaCE9F6azBSFPJ15HjpLN19ZtEZPJyHRaE5RJBpOYC/LE0kj9JKhc0aLZm+cbwwvtweFTAbdl+Xlt2MxlcNvKaN3d0fCM+v63wp0LceWCmutHV6gUKZih1S+ASlFgutIPpvLqtEsKQArO51JZ6/K8Ah6zSsRHbB6LYglvVA8Zo0h3vlEnVYrDaK4iUOFD/V0vkhg43hLH/luied1W2q4XVSqh9kOq7KPT2npxWYqms5L2XI5YetBFwtbr7UAJFDzfaC54foBYNdDswaJewX/rVCzDEnz/MSwvCQOQlySOYztjkB0bWwxYBaJj8To2ElOup2VrxDUFZbpEfR0Jf12kvuTqaIEy4KquAchHYZro6OnglWRiceepS3v3wh5DYMIvsD17ALWbeDWMm8Spk5YU0ErCDLmvL3k2EOxK1KInBzLxikO8WsBKSRqfxmq+kzutFhbNJtEyrOXnJSH77U3bbiZQtpupouvROBDIdK05QESntXcvXNrTtRfeigjMRu5QNmWbyKsSlKPpwTDZ2bWorzDIWzQb0GX62h5bxBT88iBY399rWMLcXjfo8FpeHAl0d665UDiEW9g6klp4WHjAlj6MCwk6GYmJU0Nrv+6attHqb7XmfxXL2vtIo8b8TxVkYeT8jxcb+/8T0qLhEAqjzq7ejp7uJX3dixe1oXNK2zGejbLY0zJs3ZCuvFuILULSbX6oPi260kmzAX3tL3DS3ipacVeZLW/SqVphox65/j59xW48Xa9kJAFyVF9lRN0MW7vPGB7KF/c/mjLYy2LIc2xWS5fndT+nUUHwaNboarubI5qRNrQCcjLso0coePvSvvmLe9p88NE7OgASDYWiYXS6aafozBexMwt0VZ3uergge7DnGWGQULAMQCWI+hm4z2VAtZhD24InyJ9/j5GWy9Itz3ELIOEyHpYEnQeWoxsfVO/+yQOP6YeUdvL9fRgfuJK5cq5c4rls9jOSrVET6RNzdFHe39o8Ba1BMQ5xHJI4JGqIXsGPItCn9BncxPw3cCPAvYhUrbzsrmxz59KfmEChERQhpb6U/evLv5EEJMaqwUNbW80Qgcyg/7F0lyVZLTdUW3E+XDJFfMUB8zhOpcAKonzFJJRO0x96o4iFmxiAMU1AdVBV2DgAiQEQFROuKDoIK5HAQqCxMYQtZ8wMGAN+KFdxymHABfBGNeffAG/0BkhBt8BbTKvKVwAjUgYpO4BNnUVAzIDMoBKpRKluhJL+bKeM6SpW0Y0BKHucOhwaIPngmoofx0iNIVmh/K2tgBLKoEQJ8ULg79VZZl3TyomhV+HUypumm0/VZrQAWOAhMAfnm6
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5a3fb104-c860-4517-a674-b3a102de0b81" ,
"value" : "TRISIS-TRITON-HATMAN-repo-decompiled-code.tar.gz"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "8" ,
"timestamp" : "1514123068" ,
"uuid" : "043762e7-6aa0-4a14-83d2-81a2109b7490" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "mimetype" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf39-f56c-4a28-8ed2-4e9302de0b81" ,
"value" : "Zip archive data, at least v2.0 to extract"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf39-1170-4b7b-8da7-496002de0b81" ,
"value" : "1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf39-1ab4-4b65-907f-4fa702de0b81" ,
"value" : "1708616"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a3faf39-29dc-43cc-9aa9-4d6302de0b81" ,
"value" : "library.zip"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"data" : " U E s D B B Q A C Q A I A I 11 m E s h b R b C F B M I A E g S G g A g A B w A M G Z h Y 2 U 4 N D F m N 2 I y O T U z Z T d j M j l j M D Y 0 Z D Y 4 O D Y 1 M j N V V A k A A z m v P 1 o 5 r z 9 a d X g L A A E E I Q A A A A Q h A A A A 9 C 0 j K a 5 y 2 J e W 2 r j 8 o 4 O d N o 0 X p f w s c g c 4 A v 8 h + 22 o Y m g k X i j u 7 F i V v 32 i v I W F m C 5 l A W W M j n d g 1 y F S S b b U V w 1 S 7 c g / b Y 3 l 740 v + 4 y f u A U / Y k l U X u r G 5 z C G M H G h e V E V Z n L L 7 N H T R g h Y A i 0 7 A 2 g a A h k u t 4 H V a M X z h a T 6 r Q l I f 2 j h L A L V X n H 2710 b 8 P g b k R O J 7 J / H 0 g O l K S j M S l 31 Z O l y v f F K V 3 O 9 I X B p e p T H Y 0 L 17 P m 6 P r F 7 F + r m s G S r o f R Y E / r n a 9 W M u I I 3 H f r M f g V 6 a Q e t g i N j x l / 7 v J d e y e j R 3 c H G I P 91 j L t E Y B O o G X v T e Y E E P H t V d M b H z e n t y + 9 p 5 C l 2 A h 67 Y s u j c 6 b z a a E Z n q d r A r P 7 + M D x L w O G n Z U y f J M f x d q K / u W K I u K D G 7 g W M k g O J 5 e A L e D i c r U 2 j E S D 9 g A e P N N o B o g G G B 0 C y n w t l A R 5 D J b p G C A 6 u p c u k / J F 9 P S G w S v e P V L H f n h x R u Y Z K r T 1 / Y q D / P X I F Q B l z N 7 u e C n S s r b U R j D z w y K F l L + H g s k 9 d B r I 7 p 6 I d P n p v V V p g 5 I X I 0 z G u U Z W 86 W L + I 2 + k p r o U 7 B 8 C d 0 C E X s 5 N u e t 6 o H o R X i e H W 0 i e O Q f J v V V h L D I n u f L p y h z f E 9 Q Y i W D V l f h u / m d / L D y h I C H j + c g 4 E s i X 81 U B k p R X 0 M Z 6 n g v B L + H z G E 1 Y J c 1 V A 4 o J 9 e i s K z x g u T D 5 u r k l o J E j N H 1 N A N B + w R 8 N M b s 267 t o j 2 K V v f a T h K 2 q h Z 106 W / 7 s T + e i c 9 c a 19 W W D d n D h o A a g N o h f B V T + g g j N k 2 N n b t h p / + Z z 2 W r w b N 0 o o Z w h X m 2 k h w 77 d c / k w x e j L + L n U B o f E G T Z D U 4 i 4 q n l 3 r z L l G D 4 q f 67 K 66 e r g D 0 n I i F 7 B l r d j D U u m y y 0 W m 6 r A U i s Y V O V 0 P g F E 3 U 7 J F C r f W Y H r 2 b R y h z Q O Y z I 59 Q 9 o V / s / O L V d 9 g G r J d l f z 73 v s 76 j U T 0 C 2 K P h j R s q 1 r U Y t 6 i n X d H P G H Y E f 4 v W B m 0 x X j 8 s 7 Z a i d w V W R a i R r H O g C z i a j L f d q f W E 1 Q f h N 0 L g I Z 0 q C 87 L S e K r F n 3 g 9 k / 9 n y b 5 j M W c a P K v I 3 g c w 2 P q d z Z h x V K F i 3 C P Z j q f Y W o z r D T O L j 6 w s U V U A O 7 c V c q S E j x t K t 6 m + N s X P W W l J W X v + A P e 7 t + 63 D 2 J F 0 R v X Y f 8 z j R g u T 9 m W Q Y 1 P l a w H m 0 X 3 G F / V 7 A w M s 2 Q Z 4 s r M f 0 w o P m Z D A 8 o l c 2 u j 0 8 U Y x R D 1 t Q h l d d G h 2 M b r n k C V 95 U / Z h B i L 7 g V p o 8 G k M C 2 q f Y k d 6 U I z Q i P M a I Q t V l Z n p r b l 4 D 4 G V z p k W 66 + k X L y O N J L q e s b x C p l n E 6 N E p p 2 M I 69 R Z 3 d 2 S 0 8 g S 3 o X C y x X d n W U o O 2 K A l x u o e 2 q s w f D b K a 3 I A i J P 75 O T U 63 P x j b x + i x C V L 1 R G L 5 H 7 i C b R G 6 G 3 d 7 j Q C i j / f v 7 k 2 K o M h Z Y Z / T F Q 0 8 U A r Q X S 2 s D 7 h f 4 R G 4 k 24 o u Y e a 9 G E v K H C D 3 o l j d W Z Q 8 h I o w q B H j 50 d G 7 r 2 V k u X I l H A c M c 3 M z O V l Q J 9 b J d U n 4 j Y l G 24 y n k J I M 75 B 0 3 X y 7 B q W k j 3 q z A B 7 J f P V g p 40 r O I e E f c Z C g I + v J C Q T j T s i i v w U w 8 p r x w b w H e w m k c v z A A h y H 2 N 0 6 T E o 6 N Y e x 2 l + U e W u n k o 51 i M 5 Q S 4 G a w r G E 5 I a z E J H e i C / 9 M o f 0 n Q 6 R v 0 n 42 Q y k a f u + i q b s 7 y h t h h + q P v W Z 96 O 6 E r N / T v I Z 8 l v x B y T K A t J Q p w A s B a U a G 8 D 0 7 Z T d b G F N Y 420 O W X Q K B i j 90 + c f n S Y E f p V p V e r T x l K u B i W 9 B J e h Q 91 B o q p g b G F l t c 4 Z z 0 I G G C f Y j w U g n g 65 t 5 t H h I Q T 7 L 0 7 B 4 F x f k + 5 o D B 2 u p G / D V 5 m e a + / T 56 F S e H F + S S w Y 8 z U P E C M M E f n t i Z Q V y T F t e 5 e N r I Q Y Z z u e d U 3 V f j o v 71 J u t x J 65 l w p G p D q Z L Y A U t z I D U o n f X o 61 L u w F 0 16 J r s l o f P j 0 z Z Z C S Z u q o l E z u B r N e n Y Q R k S G f U 5 D u r n j q Z h m 7 s 0 A Q e H 9 v r 1 u j W W 2 p v I C n N g O H s t Q j K q 3 R l F g N O 1 p N G I U j F O 6 k D M A t h 7 h C + F P y J z s 19 F + 2 K K i w C U m 9 q Q T i x i C M J F u 2 Z s p t Y 3 O u U j L g t c / v 4 G z J x r w I G T Z X X Q w 1 / x G + w z X T 5 J b 9 H X E c I f t h p 5 E x 34 Q 5 Q w t y g n l v y R 9 B U e F F q A v G e H Q i O G l v E o T J 65 n s X z F H 16 M 7 A m s c R D I f D J I D i A m k 3 a B H n F r V h f / b 3 t 9 p G G l 8 u l r 9 a D o y v 0 B w l H X r r 2 N o D 35 K + i d 4 Q x a d X U K I 0 Z t T L 5 f 8 D + 37 c V Z J M F f e j y + u N t 2 x e 3 Z E V g F E D t w z X B h i H n m G 182 D A 3 b Z j 5 P g V f R I 0 V c E F o r X m z d i + / 0 r t + i a t 3 W K H / p t / 7 z H E 4 r 2 e W w L 1 R 8 K e b C 7 a a j H q x Q A O 8 b y U d V 7 p T f S P 94 s 73 a m Z q M m L Q 3 q d l D U Q 9 K z j + I 0 a 64 F F 5 g v B n z g q G i R F 0 T v Z s R Q G b 5 b 9 o 0 O H u C R E L / Y x m H n 4 v S R O H z S R f Y k f b y c Y o Z U + J Y o U Y q d L z 52 I n q l u z g a s q X Q S K 5 e o 7 q A V W 2 / T m E h 8 w L N h 6 l Q d M k V 3 G f C W B e / b G 1 V M n W / S n N W 5434 x Z G E z d g l U I y z a U A o O x W y 6 C z 4 Y W 8 Z h o 4 L v 649 H q 0 R 0 + y Y 8 k + 6 P j / v E j X f R M O g 3 b y h J I T P G b 0 o q 9 A b 7 b 1 R K K r O A K h j Z e O / p Y e 8 T S 7 F 41 O c M + d u a J A + 1 x V C 2220 v h T Z f M 0 L w Y I g D q / X M i b F u p 6 M h Z D 8 V L f W p 9 x a h Z S 7 q X s p I B v 5 w o 39 a h t q H D 3 Z L g Y 3 p A K p z t S R H j Y m 35 e k V 6 m k x N 5 q U 9 S x Q O S z G r y X A G 3 d C w x 43 t o n Q 1 C R R s 5 V l Z 9 U y x k I W E C 1 e B 0 d / s s f 2 R O h / F 0 O d v a 8 b + E m o b S o 2e4 W H S 2 P z v C K 0 J 1 u M l q c 5 H Y / k E 3 m v H g y 0 o + 4 K v y W s 9 v G e R R C U d k q 3 x o t l r l 1 F v / m l 6 H p a j 2 i j 9 z X p g j K G G o d L C D g C I 52 I n 9 Z 3 R g 8 F W d e q R Y 0 7 Y 5 W j l k g v S 4 M V r H j J + + E y o h g M P N y P T p Y j U z B t 4 V y R e 0 g 7 O w 19 l A m + h 6 F R 1 z e t W r Q W V b M 8 + I X P 8 k 1 a H 1 T a J 3 x K Z 5 b 33 + Z a I O R 6 I 6 S n J w s g 17 y c a j K T l 7 v f v 3 A u T W z v H S w Y D U F 4 L s E 4 Z h 5 R 6 C f k N l Z S 8 C H U K q S 9 T X G o D A / c G B b t X 2 I d l a H N P W J R i 0 K f a Y Z 8 G 3 G L a m q r W p z K u Y I y U L e e w y X c b b f R Q Z J T i p S B J 5 a 47 W a P C K j X h n v / 2 I o 9 z M V F p T d L G 97 L / K 9 M 9 c M D l S j g o M G l 3 x A B H J 3 p T f N L 2 p B c o + U j z 3 S p C F R S L J 0 1 a S y P Q Y X z h 31 a A C s T C 7 v B f E d E 5 / s h y T I V c I A + E 2 c m f H T D 4 g k i 5 o l e / l d u g g i R K a u 7 t 8 B s M 8 H y D W h 4 / K z f R Y Y v D X c B u a n Y f g g N N l J w J O 3 G p p 5 r m 9 m N c E s E K j 6 d 7 t 0 0 r + X v m 0 B c S G / H K 4 L y 0 9 x w 27 R o D v 3 V v l y h u k G H F A N v N y O J q 1 B v W 1 w S G v 6 i y 5 p D B h w 0 G G x L M k c K W U g a g q j U K 41e9 X G y c P j 4 Y M K n Z 3 P U O / G 6 J W D 3 k f O P q w h j G p d F g Y g a R S 0 p p D 1 r 2 c Y F f M y a t S O T c z e 4 k r f v N e p s P F b Z K B k I 4 s g 6E5 Y n m O Q 4 v O 9 V r f P Y 5 X k M L C 305 b W B k S y k O P c 8 i K 9 s W 5 / X X Z f j t 4 z u T V V B / g V A g r 0 L / 0 x n 1 q K n o t M N m q w q q u N z f r n Z H v s H I f L e m X Z E x w Y A 99 e V P j F V h x 7 D b B 2 g t i g e y 3 F M U m P b k 6 d u 76 r u z a 2 E l b E a 3 B I / A e i c 9 p c I T E n 8 L i a F N X j q Y S m u f z b w r O 7 o e I I r a 6 C T W 7 q A t U 0 i E e i / k / r Z q d N 8 e c 8 U d e s b G 3 B k C 7 d w z x K 5 i v A X 12 E S G V k z X G 9 P o 2 Y X u N i J r 8 L 18 N + i R Z B k b B + U Y A J Y O K q N s R 6 D K w 7 V t k p + J y K c t 4 P J K Y M y 5 + 9 l / q l L k z O z K R x 5 g G X X N w v 4 K f X V w 9 N b A O Q T 0 w j 3 o 8 J w x K w o W 14 W y c q p I Y G U B O 8 L N Q C v A n v 6 Y v N U 5 l e B Z H 0 8 x J 0 d T p o 1 y h 7 I 2 N L D n 1 H Z G / N F g o j m A d A W x e Z G G 1 I G 8 R L H 17 G b j P j c / k 6 c w R j 1 a n E l x Y 93 B j u o D l H Z Q B 6 + Z A + R k 6
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "malware-sample" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "5a3faf39-3f18-4a01-afcb-444a02de0b81" ,
"value" : "library.zip|0face841f7b2953e7c29c064d6886523"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3a-7cf8-4e46-806e-4eb102de0b81" ,
"value" : "5.16152185627"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3a-39c8-4908-81e0-471102de0b81" ,
"value" : "12288:z4tCV9Jybp/AX2Ng4TBDHbowjbVMdX4lMBydixDoCbs+oKRpT1gLhcFAsLc4z0DL:xkAJ4TB6XIM/70txaYB57ATltTlHu"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3a-fbd8-4997-9e96-4cb502de0b81" ,
"value" : "bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3a-23b8-4415-97b3-4db102de0b81" ,
"value" : "8ba13408061876abd7336560cdef24c23b8a619af8c53e29e970e620b8fc79be1910fc02c2a68307c37f7d3e5502d6b14e3392cd95abaf875aa419b618435910"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3a-8d94-40df-9613-4cc502de0b81" ,
"value" : "0face841f7b2953e7c29c064d6886523"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "8" ,
"timestamp" : "1514123066" ,
"uuid" : "185d44d0-544a-4e42-839f-d6502950565c" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "mimetype" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3a-029c-4694-966a-450102de0b81" ,
"value" : "data"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3a-550c-4da0-8df9-4d4802de0b81" ,
"value" : "b47ad4840089247b058121e95732beb82e6311d0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3a-dbf4-4c9a-9225-43cb02de0b81" ,
"value" : "436"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a3faf3a-2d28-45d7-b930-4ec502de0b81" ,
"value" : "imain.bin"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"data" : "UEsDBBQACQAIAI11mEuAPgr4aAEAALQBAAAgABwANDM3ZjEzNWJhMTc5OTU5YTU4MDQxMmU1NjRkMzEwN2ZVVAkAAzqvP1o6rz9adXgLAAEEIQAAAAQhAAAAi9qeDRSR3JRmL4y+RbQcBKzTIVcIvvzgBQUJGxpQGo/rsCYwfRiGd6QDSo0rzBqRUwMLQygNUGRUre9SLFUIzKvHOqYz9X0AF1W6ValugkhcHYqKCztpB0yrG+nTmlGGTK/iO/N1Ik6UI6A+y/cV9YAhYZddiuDLdqLHI0VMJ0Oy3XpOkdfIg0h3hcJY0/5GgJ5d6YPV4mFb4jAfQayCi8WoAq01EniDIHzJXqcq7Os73CTqCaI55gtx2uzBacNIgJetRATkdxGvVjzjF2tDUNETabCqDZVdPuRn8z0lOiitbKg/RjbiXurQSPccHG4ELd21Wo5UU93g0fFRErU+h82ca/45279esLNp7yBGk0H9PzUGQwxqB9bkC2zEEaEfdGDf8KFU2CYh0fuD2ZrX3BWJTo8RYlSWp3nULB+Cb8cHwvxw2NHudtkNbLhsH0SoEngmREMXGEIKUVgm55q7Ty/DlG9Ns/7JUEsHCIA+CvhoAQAAtAEAAFBLAwQKAAkAAACNdZhLJh2UbBUAAAAJAAAALQAcADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUCQADOq8/WjqvP1p1eAsAAQQhAAAABCEAAAAP07aDX0AtOaGghobkL0gKKRzjLgxQSwcIJh2UbBUAAAAJAAAAUEsBAh4DFAAJAAgAjXWYS4A+CvhoAQAAtAEAACAAGAAAAAAAAAAAAKSBAAAAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmVVQFAAM6rz9adXgLAAEEIQAAAAQhAAAAUEsBAh4DCgAJAAAAjXWYSyYdlGwVAAAACQAAAC0AGAAAAAAAAQAAAKSB0gEAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUBQADOq8/WnV4CwABBCEAAAAEIQAAAFBLBQYAAAAAAgACANkAAABeAgAAAAA=" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "malware-sample" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "5a3faf3b-3c58-43e5-a379-43ce02de0b81" ,
"value" : "imain.bin|437f135ba179959a580412e564d3107f"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3b-8244-49e9-8ac9-40e302de0b81" ,
"value" : "5.44610603085"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3b-eb18-47b2-b147-4e0f02de0b81" ,
"value" : "12:7s5q/29Vdb5t+JuqqNvIlUBrlf+X9tZaf:Qg/0B5titsvIaBrlf+X9tkf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3b-fb80-4326-93d2-4eb002de0b81" ,
"value" : "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3b-ed10-46eb-86ed-4f0e02de0b81" ,
"value" : "9db880f9429573c2471c55f1578319bb7eeb2243b64493d79a3caa0ed964f88c2b560a862f54b7b768ce9e184a3763181e233a94ca896275a43d38bef1c6359c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3b-c64c-41c0-a03f-4a2702de0b81" ,
"value" : "437f135ba179959a580412e564d3107f"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1514123067" ,
"uuid" : "1f1c1f68-c9e7-43e0-9779-98ba4c889dbe" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3b-1f74-4a7f-bf41-4c6d02de0b81" ,
"value" : "3f1ac2364c8e06237f6f841a302f249108aeaf9b"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3b-7c44-459a-b890-46e402de0b81" ,
"value" : ".text"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3b-00cc-4562-860b-4a1f02de0b81" ,
"value" : "8704"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3b-8cf4-48d1-85a6-461302de0b81" ,
"value" : "6.24017560026"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3b-cab0-45f9-82d5-493a02de0b81" ,
"value" : "768:W7fTBN81tL4OGpnvnRzLC5uE4LCwtbyhmjBBvpLJzpVA8NQ8oazAlo1sBG87jGrk:dlQOb7TH"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3c-2ab0-440e-afc9-4cea02de0b81" ,
"value" : "bf235b24aec5b15ea5255261dee81284137c2f31ae64e03c6311377a00ac114b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3c-5608-4b73-9045-4ac602de0b81" ,
"value" : "818a9eea1164f02a20207c906c0d007ec98bc589a323d9993fd0859f6b9aa59f4c85e9966afc05281bab7feddad5e25a8039d2bf7a98b0e60b3214cf89ed008f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3c-b134-453e-9d99-41ee02de0b81" ,
"value" : "1d2a14142d0e98c0ede881657be0b620"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1514123068" ,
"uuid" : "11861108-bcc4-4e10-9cb9-9d3a3acf27df" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3c-b884-46ce-9b6b-468e02de0b81" ,
"value" : "a07c2e5b0b903b4d4602474a2c3e26300cb5de71"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3c-f938-40c4-9bf8-483f02de0b81" ,
"value" : ".rdata"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3c-9cec-450e-bced-4d0702de0b81" ,
"value" : "2560"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3c-3664-49e1-bc80-4b1602de0b81" ,
"value" : "5.02793750695"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3c-0900-4dba-bbab-486902de0b81" ,
"value" : "192:bPwY+mHo4aSgsRPwY+mHo4GF4M+7xzGtXH5dJL7VGO7tr0F:UNmxgTNm0QF"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3c-33cc-4f2f-b1c9-4c0c02de0b81" ,
"value" : "f510bee135f800f910f5987c2684c3051756e7182939b93dfddc457c4be8a005"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3c-bf00-4a5e-bd96-4a9302de0b81" ,
"value" : "990bd0267b536b3768fdbb768e5dd3035c0f420f807c31e54eee794144b97e2a13390e0d40b33da6d84b600bb83d8d64f207ccffc9784243fc0c54f0241df514"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3c-de90-4c8b-8ec0-444502de0b81" ,
"value" : "4959dc6a9b68e9d55b254ce76c458eed"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1514123068" ,
"uuid" : "5e60369b-411a-40af-92f1-18e01ca64a63" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3c-4cbc-49af-95a7-45d502de0b81" ,
"value" : "196e027a8328ce2ac5fa1431d501c257a9a79f1a"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3c-335c-4646-96d2-499c02de0b81" ,
"value" : ".data"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3c-af84-470a-8d32-473c02de0b81" ,
"value" : "3072"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3c-87f8-4286-9f2b-44d802de0b81" ,
"value" : "4.52960066296"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3c-1334-4264-bbf8-46f202de0b81" ,
"value" : "96:o1uiM+CMvScnq2p20lZ+IG6Vg8xHj6tJlDiABF3Z+qd9NUjHJ2C:o1uirCmlZ+/8xHuRDzX2pB"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3c-4c3c-4587-bf34-40e702de0b81" ,
"value" : "eda3c565062b52ab2ff5cd7ec7e7a9e3198da40387d916c0e74881b4636a2d5c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3c-df08-42b7-a668-4f7902de0b81" ,
"value" : "fd978c87f845c632997d723ea3d1ec6d8fd61f4f30f8c3a95e71015b3ee693538ad5878d99f5111c096e22020e6363ce2642ab09a5b52e5c8de1ad0797659c63"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3c-5780-46c3-92b9-468d02de0b81" ,
"value" : "2354a2e07869f9a732f463fe084ad6c5"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1514123068" ,
"uuid" : "7dbb436b-9e54-4d16-89e8-05f54984e2d0" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3c-bab4-480c-9a98-42bb02de0b81" ,
"value" : "b9511de0a85e2bcba775228260c748ed0b9faff0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3c-9140-4ee9-85e0-4cef02de0b81" ,
"value" : ".rsrc"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3d-50c0-4c80-bd70-4e0d02de0b81" ,
"value" : "6144"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3d-2ea8-4996-9f9c-4ab202de0b81" ,
"value" : "5.06803807105"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3d-46d4-4580-849f-4a8702de0b81" ,
"value" : "192:cFRr2VNBK3keWukvnmsg7Lapoyl0yrKzNVOQfcdfQDnmnVY7n9:JukvnmhvEwNVOgrmi"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3d-c6a0-4765-bf0b-413002de0b81" ,
"value" : "9b8a7bec5a92a7c61abd1db2afc121c00ffa803422ee2e4e9c419bb2d2533d7a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3d-7400-4926-bf0f-416902de0b81" ,
"value" : "d89a6dd18dffc82c9a532d925ca1e0177d0ee6152ea3598336aa5f56804330b7dae82891828b83cc11708ce50975dfa089933124f4561ea4aca77f96ad73c320"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3d-6af0-4505-9281-4d7002de0b81" ,
"value" : "fe8374bfc19886efe88fb53c50e26e35"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe" ,
"template_uuid" : "cf7adecc-d4f0-4e88-9d90-f978ee151a07" ,
"template_version" : "2" ,
"timestamp" : "1514123071" ,
"uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"ObjectReference" : [
{
"comment" : "Section 0 of PE" ,
"object_uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"referenced_uuid" : "1f1c1f68-c9e7-43e0-9779-98ba4c889dbe" ,
"relationship_type" : "included-in" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faf3d-9398-4d9a-bd0d-486d02de0b81"
} ,
{
"comment" : "Section 1 of PE" ,
"object_uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"referenced_uuid" : "11861108-bcc4-4e10-9cb9-9d3a3acf27df" ,
"relationship_type" : "included-in" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faf3d-5df8-49ff-a06a-4c5e02de0b81"
} ,
{
"comment" : "Section 2 of PE" ,
"object_uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"referenced_uuid" : "5e60369b-411a-40af-92f1-18e01ca64a63" ,
"relationship_type" : "included-in" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faf3e-3b08-4634-9310-497402de0b81"
} ,
{
"comment" : "Section 3 of PE" ,
"object_uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"referenced_uuid" : "7dbb436b-9e54-4d16-89e8-05f54984e2d0" ,
"relationship_type" : "included-in" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faf3e-63e0-47f5-9987-405102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "compilation-timestamp" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5a3faf3d-e4e0-4f79-899f-430802de0b81" ,
"value" : "2008-11-10T09:40:34"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entrypoint-address" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3d-2c2c-4980-a897-4e3102de0b81" ,
"value" : "4205352"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3d-cd54-47e9-ab6c-4c0702de0b81" ,
"value" : "exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "number-sections" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "counter" ,
"uuid" : "5a3faf3d-297c-416b-aaed-42c202de0b81" ,
"value" : "4"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "8" ,
"timestamp" : "1514123071" ,
"uuid" : "e40170d2-b26f-424f-a788-196651e787fb" ,
"ObjectReference" : [
{
"comment" : "PE indicators" ,
"object_uuid" : "e40170d2-b26f-424f-a788-196651e787fb" ,
"referenced_uuid" : "157e2cb3-598b-4663-af34-28358808dd9d" ,
"relationship_type" : "included-in" ,
"timestamp" : "1621849558" ,
"uuid" : "5a3faf3e-e228-4fa8-bc2c-4f6202de0b81"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "mimetype" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a3faf3d-5610-4b63-89d2-4f5e02de0b81" ,
"value" : "PE32 executable (console) Intel 80386, for MS Windows"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a3faf3d-1014-4d57-9e30-4b9702de0b81" ,
"value" : "dc81f383624955e0c0441734f9f1dabfe03f373c"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5a3faf3d-e6dc-4e09-b357-4a4602de0b81" ,
"value" : "21504"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a3faf3d-0b5c-413f-ac50-492702de0b81" ,
"value" : "trilog.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"data" : " U E s D B B Q A C Q A I A I 51 m E u w U n 4 I 5 S k A A A B U A A A g A B w A N m M z O W M z Z j R h M D h k M 2 Q 3 O G Y y Z W I 5 N z N h O T R i Z D c 3 M T h V V A k A A z u v P 1 o 7 r z 9 a d X g L A A E E I Q A A A A Q h A A A A w c s V o J c m V t j i X T m F Z 8 v 2 A u 3 R 9 p l C n p 19 G O 9 c y I d X l r e / 8 Q M d J F w 0 r 6 R L 8 m Y D 7 E s H m B t E B x E Z q b u Z n t o + X X Z 2 Y 2 p l x W 0 / c f S T U 1 c O v I G y d 4 H E 8 O n I N T P T t 5 r U 2 d R Z i R J N T Y x k J 5 G B N g q f 7 g T f p w G 0 D o 1 M h N c 9 i + D V j L Y z F G E Q g h M n U Q c 6 q n L Y 2 p 6 / U 20 X 4 O p V 2 G M v 9 k 7 j z Q Z S F / O J 4 y I w t K 6 / Y S t 7 m k z M Z M 9 J x 6 + c b x 1 N n / b 0 2 d I n a 3 B B S G X f d k Z j O m p W u + U d e w 5 z n c V u a v u 5 a W 88 I X 7 W Y h I V O X J 7 O c G S r H t c 16 W j N A w y m 2 G 2 i O a Q R A / 0 N n h 8 M x i o M s 5 e H 3 b Y 0 n E X h 5 v + 0 s 1 e O 82 I 9 U J 9 V N T I 1 m 0 c x X V M p I o i C K m S c i J / Z 1 V h w 8 Z K a 6 I 4 Y b r R f v d 1 m 14 d M c 57 l r o 706 t u O C P / H 0 p R e 9 M W o B h A e g j g P D s g X h e J W P w 80 E B e Q S 2 / 8 l i h p n l h s f b p X I R k / G 4 o 8 B y i l y c y X 4 W x x T k A s H B x X V q t u X v I O w t I p F y P O Q o O x 3 b s e O A Q + p g v g 4 q U m x F W T 4 x / n 4 H v 2 J t G q A G n 2 + 9 r N n 2 P D O G u 6 Q p q O H V g g l S v P O l t W p k m l t u V Y / X Q j V B P z w o V B x H X d f B n O 1 d X Q i l 9 a y O G x A G n q F u c P X H b r S l 69 T E X 9 G / 84 R K P 7 G 9 t v w s g 6 l Y W g r R e Y 36 O s w n 8 Y y A x q i Y r p c j N o z i u 2 T r t e Z + P H N q I j R r d s / C h g C R P q z T R z w i U f D W 4 b h k t 0 p i o b o 2 F s P s 5 o z H b r 1 z x o u 2 C K B r r B V O k f D 8 k j R S r L l k j 8 r U o G r e X E Q 3 Q i w I d a V x 5 z r P I k 5 W / g f v s l k E d e p 6 n + / R F l B h v F c g z k c e X / 0 x P r u d D t i w m G 4 W z n d s D O N 7 v U J 3 q / 6 M k H 9 K E l p / 1 y P 3 / j 3 t 2 K T Y z 3 w b i Y f d B E V V N t g F g + s 2 k t j n Q / E v e I C P s m M G 3 r f m N D Z 8 d X W u H l C Z F K 8 t c y K W Y 1 G O U h 5 I u b Q d 16 r f X Z 512 b d i q U 8 P H Z N W s 4 S H T 3 B g 4 c o 85 F f Q 71 U 7 N t f h + 9 Y I 7 H s n l z s 7 O l 4 I / h k o z l X J A 9 T P e U M 17 w k p n H a Z o W 7 G n Q G Z r D r 1 z o G N / g d J e o y I 3 C u s d l D Q p h 45 R Q o 8 G G 4 P f A n z 4 D r / S v j q j B e 3 / t Q O p j U U / y F k U N r I W F D 58 y 2 E b z 64 C z k T z N k k m n h 3 Q h H 3 a y E G p 13 o W d s A G u E i c q Y o 9 W o 6 g g Y 3 j K N V D Z j g z 0 o c R h R P z O 92 W 1 I S 4 I Y m 100 h j Y 32 D k i B m W L c X 5 x U o O 3 W 6 D N g r O Z j Q g 0 n X 5 a K A H 9 x c O N 9 Y 5 k G B 9 D E N I o A Z 8 m b M / Q W O 9 h V k + O 0 x J + 0 o 0 b b e 7 P 8 t Q 71 o Q V 2 W y o d / i 9 q j A a b f q F R u y C X d s G s k e t h U y E W h C e S G 6 Z t O h 82 B q 4 B C d I N b Y + A 0 o + A + b n r w k p I i l R r 1 B 1 i e b G A 8 r V v Y Z n 8 N 5 n k 0 9 D B Y u K + I g j 7 r j k z B F H t w 8 w n M 8 H Y d p 6 g + p 6 K J K / z n 6 R M j b 5 L m J y X Q P o 9 u M Z m h 0 r e R A P B g Y f M L 1 Z b 0 0 Y Q c U Z q A w Q F B T 7 X 5 D a A H 4 k 2 o f m g / N U 0 p p L l j P w u v U p K X o o a f + k n S h C C 0 6 f O r U I 6 X s X t t c B Q 8 z 0 a U n z a M 7 g S 9 k i g O 8 t t 6 d + Y K b 5 q K g q Y 3 H M 69 X 2 b F a Y k j 76 f g T s e d n S p n e K I o X I 1 p q e P 2 F 0 Q L j a K P 3 K 5 m G V V z U P 8 b P w U y f K a v l z g 4 P P e / N l f V M 6 l g 6 J v 2 N Q 8 / m g c m G f 70 O b I M W R D 1 m t v + J y 1 j T l I n R 70 d l 2 W 8 P C B k h 1 m T f Q o U Y V 9 k A p H 4 j B e w D f O R o 8 H W s R 9 o Z a P D / Y Q o T 5 G b 6 T v 4 p a W Z D b W 3 W m V t l 2 H 1 M Y G X F o p D P 2 u W u A 1 P U A I g R 3 J 5 T K Q z q O g v r J A f + m t H q K N y M g Z H W H B 8 z k Q S m a p H a 8 l u I h / 1 x e z a p N 9 c Y 4 W 3 v t f B g 2 g X 6 Z V K D p n 4 W i x / b K I y W w N D v Y C q L 90E9 + z e I l q 9 L S U k w S Q h m G I 2 X r t t 93 i j Y A S y o B x / s c T k o 8 R / u b z d C R Y 4 b 97 y R J L W D g s W k h Y U D w V R z P O L b s a 14 r 1 G g h 92 u j C 1 N b z o Q + I m 5 b v Z Z W X I s J o z j + Q 3 i D 78 k M H u a v r / U 9 m e u K E q a i Z g D p R n 3 r T o 17 p 7 B J Y U N i w s y B A g S 0 w B T x k L 88 D v B L 9 L p d B S M r h + J V f 20 a f a r r W L L i u 9 D H h t q u f u T K m n 6 N 5 E G K N D 19 B R u 5 n h N a u 6 E b v u K I 2 k P d / X a s k l T Q k l T M Y C 5 / q N R V R / y 9 v V + a i 861 b V V 2 L V H Z 943 S E q p + S 4 e T B T W K T H 2 a L z I u / k P 4 S t o e N C p e J p D p y 2 i O w k + M O L s x k T N G 5 G L d f / A b 18 z + a 6 Y 1 K V H T A I I A w e 4 d W O m 3 w X 4 S T e u I o s / A j K 8 M 7 l X o M A K d n U t a 2 G L O M X U J o p i 5 d F z z 4 A c 2 D y / + B g X z X 4 r I h a P I C 4 c L H + N S u 4 Q 0 8 h F p F a 43 K s G P I / W 1285 C 97 R X s D T h u y Z y S l U v 1 g k o T K S b w v 8 V z / r Y 90 M 94 h u w n y b F y r 2 R 2 Y T P c A W b 6 Y u y I t Z h n q v E 2 r G u 6 H j O x H 14 Q B T b + p n l n T k v L 3 W f h I 55 b g 9E7 k r 4 B T u p u B S Z c g L U d v R Z b Y X i F H h + n j T F z + E B j 0 E U t R L l F K 2 Y I 51 R w 7 v e x P p w x + T Q 72 q c Y q 3 V t 6 h A W 5 / 6 z t K O B Y W P t b 68 d b j J N 8 U w V Z x O G A K N 518 P 5 C r 8 J s p S c N + M b l 4 q 3 t J r 2 N X h D C r R R x W E f v 2 I R i A p Y t Q L a g 9 D 1 V D I a O t T b t v k 1 z A S f j h P T J 6 n O K w z k w F x C / 5 l d S I P v 7 G r K + 4 g K D T Q j P 0 1 E p Z b c R 14 w f V C B Z 3 + q z 1 P a 3 y K U V O x p m P l A V 6 o w e 0 F H O M v F q y J l h / R r 15 G q x u 5 E y w + v b a 9 R S J d a P y U I 6 u + 6 U q X v T X S a j 5 g M Q U i v n O G w x R E 4 + o I o c + k t 0 W M k f e S v j H k n 7 f v h W H 7 o Q S z w 9 + J A a d + D v b 619 / Z + s G 2 s / X o d 0 g o t v Q 6 m h s F h 8 q o G W L g e 7 k c z Q y 8 W N 96 r c y / m W u A V R 5 y q A i 2 G P Z + U m q L v 1 / Y w R 8 r 1 N C 1 h X S f i R O f E 4 + J m S Y v E 1 G 6 o 1 M B s m H a w U 5 / E r U b z h K n 31 p L j 0 v d o l e 9 A Z h D / z 1 n / h P y p U Y p e C r n 7 / B J Y N 6 + r E B a Q O w W 0 l u B v P 4e8 s 42 v / I D K I T + J m W h N X i A x G Z 79 g K 2 a i V o q 6 N L F E w P j m b F d L w n w b K S l T 0 K F C t 4 O l H n W 1 g w 5 v g B U R I K D u W W E c o H 3 W S / W 3 F B D p U l b P c B + M Z s / l i U Q u / V + k 29826 z F / x + N X 0 C F k t E t i F h T d T f I M C Y B k 6 r Y W s w k I G N V J D H v n / N u F l Q 4 L G y h d 7 / W 8 Y g t l 4 J i y b t x X + Q P t B P f z 3 + 9 g / j y H R / K G a 1 H 1 / w 8 P V N O e o 8 r E k r 3 U 2 b 8 p 3 O O x k N S Q w o / c 2 y v w o Z C s e V / D v P w e 2 j 4 O w 1 C c S 59 h D u P X E Z N M n S t l A f I O m i a a g j y O V N Z c 255 j x S P 1 l u 77 X q 83 / r 2 O T K K l L S I a 4e5 Z U q 5 s D x l E z 6 h 9 x S X j 177 y R z d f c K S 5 q H 1 g H v + n 0 Y N p T y R d k R 6 z L T I p E 2 b 9 x L G i w J 69 g w d m M F O o K X O 7 G A D i t Y + t A a h 1 k D X J a R E f T 6 X B K w E 5 c C + K f 6 G 1 k v 1 / 4 X b 2 P 8 e + r v E V Q b k 8 K + o 4 y x y n R 295 + z o C S 7 T 8 z F Z J o D Q 4 F G z h e P W T F V T w 9 m a j j S t q f q W r R D u N d P x S d K 4 o 7 X t c 4 J O l e i E 3 + / d O q y G s v 5 t H f T 2 U 3 d D U p 4 D Q P Y a 9 Y A h z Z v A d e + V 7 g E A 1 F w C C 4 N 0 p C u C t a 6 Z d / n y o n w M T y d T k j 9 p o h K U A Y k e T a 1 d 7 A w w o W d l X I c K N C w 0 i 1 e m 5 h I S U F n 5 u 4 T k z 7 a Z e z f q t O n 5 P Q q q N B x C 3 s 70 W t 8 K 5 R t a E L 3 j Z Z i B Y E Z l o x 2052 D 21 n I M b W a 0 G G 79 K Z 55e6 o I R g q K J G H P w V O L Q z G 2 M h U V n 6 o K 0 0 m r f 909 N Z d + O B r 1 l 3 w Q N M i h z V P 5 r s C 8 m U K K z e J + 2 x 1 f O M F C k z T n j i Q 6 Q z 2 w Y Q + p A C 7 i k / k W l q h g 7 G c x r 4 Q F h W Z B Y u B b j P N w I E B G h Y L P A W c 0 e K a h 0 k F C n D 3 a A f 7 F O w n i 4 y S M D 2 C R v Z J 8 / Q 5 p J l t h U g e 4 a Z k b o X z M d 1 Z E J c n I q 2 x w n E T m f l e N m / E P X k i 53 Q 6837 N M K v C l Y h 2137 i x 4 t x
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "malware-sample" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "5a3faf3d-1b2c-4600-a58e-4a2b02de0b81" ,
"value" : "trilog.exe|6c39c3f4a08d3d78f2eb973a94bd7718"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1518454567" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "5a3faf3d-28e0-4a56-b5fc-4f8e02de0b81" ,
"value" : "5.7735612938"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "5a3faf3d-87bc-40c7-a85b-48cf02de0b81" ,
"value" : "384:eIn2vPeqUfmEZ+nUn0fJCfMdXWgugoL2RrXdUWJCXXtB:eBPeqYmEb0kUX9XdUzXv"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a3faf3d-f5d0-4581-a6b9-467102de0b81" ,
"value" : "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "5a3faf3d-7af0-4f77-8564-4b6602de0b81" ,
"value" : "57c4aa07aede473e5b8424e4ed8173d0a6215306cf9cc44ab91e4745025a01a720929a02a25f4db24eff81b624d6d6ddfda191be06014bb319a933b9bad12eec"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1518454567" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a3faf3d-e924-43b5-a06f-4a9802de0b81" ,
"value" : "6c39c3f4a08d3d78f2eb973a94bd7718"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}