misp-circl-feed/feeds/circl/misp/e9bf73b9-f82c-4203-ba04-deacf8d9fbd6.json


{
"Event": {
"analysis": "0",
"date": "2023-04-13",
"extends_uuid": "",
"info": "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference",
"publish_timestamp": "1681482760",
"published": true,
"threat_level_id": "1",
"timestamp": "1681482747",
"uuid": "e9bf73b9-f82c-4203-ba04-deacf8d9fbd6",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"SNOWYAMBER\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"HALFRIG\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"QUARTERRIG\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "9f520974-6089-4bc0-ba9a-11703af0898f",
"value": "totalmassasje.no/schedule.php"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "562de197-3e0b-483d-af2c-04cfba0bce91",
"value": "signitivelogics.com/Schedule.html"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - Cobalt Strike Team Server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "0c5341a9-472a-40b8-8977-228aaba8303c",
"value": "humanecosmetics.com/category/noteworthy/6426-7346-9789"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "06c6b49d-dddb-4625-b38e-f89e0cbfda04",
"value": "signitivelogics.com/BMW.html"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - BRUTERATEL C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "domain",
"uuid": "b81fc0d1-1c31-4246-b49a-92538284c5fe",
"value": "badriatimimi.com"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "54bbcc91-53f4-48ed-9cee-69e4e0b96b18",
"value": "literaturaelsalvador.com/Instructions.html"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "3a852cbe-b663-4419-8d52-8f4f49e5ceb1",
"value": "parquesanrafael.cl/note.html"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464468",
"to_ids": true,
"type": "url",
"uuid": "9bb49ae8-9921-4464-af2a-13f0eabfe6aa",
"value": "inovaoftalmologia.com.br/form.html"
},
{
"category": "Network activity",
"comment": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681464494",
"to_ids": true,
"type": "url",
"uuid": "ae2fc1c5-a21c-4bd7-94b7-abd2f666aaa2",
"value": "literaturaelsalvador.com/Schedule.htm"
},
{
"category": "Network activity",
"comment": "HALFRIG - ENVYSCOUT backend fingerprint collector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681476835",
"to_ids": true,
"type": "url",
"uuid": "e2a4c314-dc62-4791-8be9-c07f6ebd9627",
"value": "sawabfoundation.net/p.php? ip=<IP>&ua=<USER_AGENT>"
},
{
"category": "Network activity",
"comment": "HALFRIG - ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681476858",
"to_ids": true,
"type": "url",
"uuid": "d9a7d34e-df43-4ca9-9637-ad7b20680423",
"value": "sawabfoundation.net/note.html"
},
{
"category": "Network activity",
"comment": "HALFRIG - compromised hosting used for ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681476854",
"to_ids": true,
"type": "domain",
"uuid": "2b5638cd-1596-4e4f-a905-8b917864a264",
"value": "sawabfoundation.net"
},
{
"category": "Network activity",
"comment": "HALFRIG - CobaltStrike redirector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681476846",
"to_ids": true,
"type": "domain",
"uuid": "20985b84-445b-4cd8-9a4e-438717131374",
"value": "communitypowersports.com"
},
{
"category": "Network activity",
"comment": "HALFRIG - CobaltStrike C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681476841",
"to_ids": true,
"type": "domain",
"uuid": "2f775c20-527b-41db-a86c-93bd41aec7d4",
"value": "sanjosemotosport.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681478675",
"to_ids": true,
"type": "md5",
"uuid": "2ff30677-8495-4288-995c-aaa072af7afc",
"value": "bc4b0bd5da76b683cc28849b1eed504d"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681478863",
"to_ids": true,
"type": "url",
"uuid": "47b0c033-bc69-42e8-a379-c7ebf4b198bb",
"value": "pateke.com/auth/login.php"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681478863",
"to_ids": true,
"type": "url",
"uuid": "693b2be5-19c4-4d78-96b1-aeeae581b3d2",
"value": "pateke.com/index.php"
},
{
"category": "Network activity",
"comment": "QUARTERRIG Domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681478863",
"to_ids": true,
"type": "domain",
"uuid": "42762f0f-da00-4fd6-88bd-df723863f89f",
"value": "pateke.com"
},
{
"category": "Network activity",
"comment": "QUARTERRIG server IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681478863",
"to_ids": true,
"type": "ip-dst",
"uuid": "852c2f54-d64d-40e9-b77a-51c430c03616",
"value": "85.195.89.91"
},
{
"category": "Network activity",
"comment": "QUARTERRIG - COBALT STRIKE Handler URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "url",
"uuid": "4d3cbcdc-8254-4fdf-bf4b-3b6a31cc43b7",
"value": "gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu"
},
{
"category": "Network activity",
"comment": "QUARTERRIG - COBALT STRIKE Handler URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "url",
"uuid": "0c680fdd-0f59-4cea-9c23-b20d5bde3f51",
"value": "gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8"
},
{
"category": "Network activity",
"comment": "QUARTERRIG - COBALT STRIKE C2 Domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "domain",
"uuid": "97ca781f-93d1-4322-bbba-6c50f2b33733",
"value": "gatewan.com"
},
{
"category": "Network activity",
"comment": "QUARTERRIG - COBALT STRIKE C2 IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "ip-dst",
"uuid": "944935b8-4dfc-47f4-8095-0b32d08d276c",
"value": "91.218.183.90"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "url",
"uuid": "3bc6c7dd-e199-4aaa-8c0d-c362959fc990",
"value": "sharpledge.com/login.php"
},
{
"category": "Network activity",
"comment": "QUARTERRIG C2 Domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "domain",
"uuid": "5136e6ff-c602-438f-8884-40f313c4bd1f",
"value": "sharpledge.com"
},
{
"category": "Network activity",
"comment": "QUARTERRIG server IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "ip-dst",
"uuid": "844c8b61-bfaf-40f4-9cdb-559a8867323e",
"value": "51.75.210.218"
},
{
"category": "Network activity",
"comment": "URL to ENVYSCOUT used to deliver QUARTERRIG",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "url",
"uuid": "0927d840-3cee-45af-894c-954bed55034f",
"value": "sylvio.com.br/form.php"
},
{
"category": "Network activity",
"comment": "QUARTERRIG - Domain used to host ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681479078",
"to_ids": true,
"type": "hostname",
"uuid": "ffbadd58-a7f1-4292-8c9d-825654816429",
"value": "sylvio.com.br"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1681479729",
"uuid": "cacc499d-1523-42de-990f-6ba57a4f4cc5",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1681479729",
"to_ids": false,
"type": "link",
"uuid": "2f37fc00-2762-4853-ab11-ef4ab8ad401e",
"value": "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1681479729",
"to_ids": false,
"type": "text",
"uuid": "e39a0bf4-28c2-4764-8b28-551226d11673",
"value": "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1681479729",
"to_ids": false,
"type": "text",
"uuid": "ca00a9f2-cd8a-455d-a6e5-08a0fb0012b4",
"value": "Report"
},
{
"category": "External analysis",
"comment": "",
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDYzIDAgUi9NYXJrSW5mbzw8L01hcmtlZCB0cnVlPj4vTWV0YWRhdGEgMTMwMiAwIFIvVmlld2VyUHJlZmVyZW5jZXMgMTMwMyAwIFI+Pg0KZW5kb2JqDQoyIDAgb2JqDQo8PC9UeXBlL1BhZ2VzL0NvdW50IDExL0tpZHNbIDMgMCBSIDE1IDAgUiAyNCAwIFIgMjYgMCBSIDI5IDAgUiAzMCAwIFIgMzIgMCBSIDMzIDAgUiA1NCAwIFIgNTYgMCBSIDU4IDAgUl0gPj4NCmVuZG9iag0KMyAwIG9iag0KPDwvVHlwZS9QYWdlL1BhcmVudCAyIDAgUi9SZXNvdXJjZXM8PC9Gb250PDwvRjEgNSAwIFIvRjIgOSAwIFIvRjMgMTEgMCBSL0Y0IDEzIDAgUj4+L0V4dEdTdGF0ZTw8L0dTNyA3IDAgUi9HUzggOCAwIFI+Pi9Qcm9jU2V0Wy9QREYvVGV4dC9JbWFnZUIvSW1hZ2VDL0ltYWdlSV0gPj4vTWVkaWFCb3hbIDAgMCA1OTUuMzIgODQxLjkyXSAvQ29udGVudHMgNCAwIFIvR3JvdXA8PC9UeXBlL0dyb3VwL1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQj4+L1RhYnMvUy9TdHJ1Y3RQYXJlbnRzIDA+Pg0KZW5kb2JqDQo0IDAgb2JqDQo8PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDExNDg+Pg0Kc3RyZWFtDQp4nL1Y227bOBB9N+B/4FMhFWuawzsXRYHETdMUzW4auygWQR/cRHENZO3UdVPk73eGjhPZkiJf1PUDYZIjzZkzFw7VPZjNx9fDyzl79ap7MJ8PL79lV+yiO5jefukO7m+z7tlwNJ4M5+PppNv/+XVOS++y4VU2e/2aHb7pse/tluCCft47YIKZYLiSzGvgQbJZ1m59fskm7dbhoN3qvgUGwIVmg+t2i6QFAyaD49YxFyw9OPgX5Y77jo1+4KvZKM78w+y43bpIWNrRONj8ny9s8L7dOkIdH9utBjApkFxBHlOE8ohgN30oy45Oe4x1z4jw097JGyaaI9IJ7qVmzgp6ogZ0AQjsBkQyMDzYUiDScG+3BiKbByIs19szopoDopTlLjDrLQ9+ayC6cUasddzorYGY3YCoZ4DowNXWOGzzOKTnYWscblccqhSE8aEERD8FSP5KQSV/pyCTzzT8k4JJDmg4pekhDUckck7//qiB7RuCLb3kASpg13EXGuZOK8KyjuIdkReJ+kD0vE1BLzg6oekxDXVswY4luoAUUFxDFdLa+rxjga4iTAfPhSvA+EiEfSKaImuRqwFNn8Irz18N5h1reTHStCXqKjDXUrdjJdcMfCl11lM1jzC4MS7uzkb52XkEdjLtsfPsOktVMssm2KlcZnu1KgVA4BRXanNAtUzljprOAhlI6fwSECpYRXjzuBClwSsAWlx5eHVrYVD0X4UKib2NzWlYEbNKkDpc/tZuXb9c0vi70SJ9+8PtV7BuiqxrD2FjO6TErHjSLISxdm3rwQ7ugXa88A8jRYmkioTaMIp0iBZZHRe049rHFytP3abRmmsTF0zABSxmFmuarfTG/2UFRXdjZlR5yRa8JIIKG0ebsCCUyRmovbN+fS+XHYYuRqwDQXAL9Hrln6Y3y32J3X5QVR74jQiJ8h0gVrHrCuwadKjaNZcxCtD1pbm8UiEJoTF4ukoOirRYLbhWzAaOlR4fUgqjh3WkUlRicUEGzY1cWBlWeS9atWy1gByqtOHOYM+ruXJM4p0g4BGJJ1ss9PQOQfu/qL4Tu8/L9x/0facXWw4k6LnSURCJA/AU009nyAqwXPu12dOPJ5BcvdkYPIEMc8ZwW7x
QvJ+O045MJngAztnw6o5u7HHlx3SWdlRyz77S7P7PwrG4FyiNISJlFajaC6homBupuS3eg0+JgEjGDQ3x33w4u2e96c9JqpN5lrpkNiapyB9Nb1bFR9RZ0Cb2FSZh/Wx2F9dL2oy9DDEycCwEFYbU8gkN8ylC2XX+RbM2Kyso4SuU1dosm7XZYtERRep7R+TucxoGGAYcw+bsQ8M8BCCnVwBY46GUimX3Td0zZQPVbHB0Z8T8xNq7LH6t5wRy1c4BB0/fuTDHdRTEDthRppfXOplrajd59pGI4hc2JNDThirLA1Dxg+QBpuItOmI2vll8oFx3x34YSDn2laUYGB1+WuIN6fIikUKqpnUrQ9+vKuyvzQnTsB88liNZrO93wIl40bDx1GyISqUVifAftrp/9g0KZW5kc3RyZWFtDQplbmRvYmoNCjUgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjEvQmFzZUZvbnQvQkNERUVFK1JhamRoYW5pLVJlZ3VsYXIvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDYgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjIvV2lkdGhzIDEyODcgMCBSPj4NCmVuZG9iag0KNiAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudCA5MzAvRGVzY2VudCAtMzQ2L0NhcEhlaWdodCA5MzAvQXZnV2lkdGggNDc3L01heFdpZHRoIDI0MzYvRm9udFdlaWdodCA0MDAvWEhlaWdodCAyNTAvU3RlbVYgNDcvRm9udEJCb3hbIC00MTYgLTM0NiAyMDIwIDkzMF0gL0ZvbnRGaWxlMiAxMjg1IDAgUj4+DQplbmRvYmoNCjcgMCBvYmoNCjw8L1R5cGUvRXh0R1N0YXRlL0JNL05vcm1hbC9jYSAxPj4NCmVuZG9iag0KOCAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL0NBIDE+Pg0KZW5kb2JqDQo5IDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YyL0Jhc2VGb250L0JDREZFRStWZXJkYW5hLUJvbGQvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDEwIDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMzIvV2lkdGhzIDEyODggMCBSPj4NCmVuZG9iag0KMTAgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNERkVFK1ZlcmRhbmEtQm9sZC9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudCAxMDA1L0Rlc2NlbnQgLTIwNy9DYXBIZWlnaHQgNzY1L0F2Z1dpZHRoIDU2OC9NYXhXaWR0aCAyMjU3L0ZvbnRXZWlnaHQgNzAwL1hIZWlnaHQgMjUwL1N0ZW1WIDU2L0ZvbnRCQm94WyAtNTUwIC0yMDcgMTcwNyA3NjVdIC9Gb250RmlsZTIgMTI4OSAwIFI+Pg0KZW5kb2JqDQoxMSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMy9CYXNlRm9udC9CQ0RHRUUrUmFqZGhhbmktU2VtaUJvbGQvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDEyIDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMTE2L1dpZHRocyAxMjkwIDAgUj4+DQplbmRvYmoNCjEyIDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0Z
vbnROYW1lL0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudC
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1681479729",
"to_ids": false,
"type": "attachment",
"uuid": "cfc505c6-f0a1-429f-abe7-2e4c4a24961b",
"value": "IoC_Reference_.pdf"
}
]
},
{
"comment": "SNOWYAMBER",
"deleted": false,
"description": "File object describing a file with meta-information",
"last_seen": "2022-10-24T00:00:00+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681462657",
"uuid": "fb5d8e74-975e-4396-b9bf-cfbd14e06cb0",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681462657",
"to_ids": true,
"type": "sha1",
"uuid": "2f2fa766-b5f5-4b3c-b1f9-9e8ad118de12",
"value": "c938934c0f5304541087313382aee163e0c5239c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681462657",
"to_ids": true,
"type": "md5",
"uuid": "b1b07f24-46ee-4738-a45d-852823961cfd",
"value": "d0efe94196b4923eb644ec0b53d226cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681462657",
"to_ids": true,
"type": "sha256",
"uuid": "d97ad83a-8aac-4e69-9955-a5fa982eb2ea",
"value": "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681462657",
"to_ids": true,
"type": "filename",
"uuid": "06c90783-e9bd-45e4-8ba9-523723da9ea8",
"value": "7za.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681462657",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "60e1f4a4-eff6-42f8-a9b0-85187cd9133b",
"value": "270336"
}
]
},
{
"comment": "SNOWYAMBER\r\nIt seems that the adversary made a mistake while compiling this sample. Internal functions were added to the exports (functions authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While the binary itself is stripped, those exported functions have names that can be demangled, revealing naming, prototypes and data types.",
"deleted": false,
"description": "File object describing a file with meta-information",
"last_seen": "2023-02-08T00:00:00+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681462625",
"uuid": "13f7ac43-2427-4631-8b19-4204fd4636ed",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-08T00:00:00+00:00",
"object_relation": "sha1",
"timestamp": "1681462625",
"to_ids": true,
"type": "sha1",
"uuid": "5b960982-8a40-4dda-999a-1609e4a5937f",
"value": "8eb64670c10505322d45f6114bc9f7de0826e3a1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-08T00:00:00+00:00",
"object_relation": "md5",
"timestamp": "1681462625",
"to_ids": true,
"type": "md5",
"uuid": "530e6412-6bdb-4e2f-83c3-06e3678014b4",
"value": "cf36bf564fbb7d5ec4cec9b0f185f6c9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-08T00:00:00+00:00",
"object_relation": "sha256",
"timestamp": "1681462625",
"to_ids": true,
"type": "sha256",
"uuid": "38805898-8f45-406c-9ee2-ae0b9b3490c2",
"value": "e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-08T00:00:00+00:00",
"object_relation": "filename",
"timestamp": "1681462625",
"to_ids": true,
"type": "filename",
"uuid": "d73895fb-bf06-454d-842b-1d20f3d9a46f",
"value": "BugSplatRc64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-08T00:00:00+00:00",
"object_relation": "size-in-bytes",
"timestamp": "1681462625",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "1cbdee03-7166-4105-aaa7-684392336768",
"value": "271360"
}
]
},
{
"comment": "SNOWYAMBER",
"deleted": false,
"description": "File object describing a file with meta-information",
"last_seen": "2023-02-07T00:00:00+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681463367",
"uuid": "54bb5140-f5d0-4478-9776-5d68204038ba",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "sha1",
"timestamp": "1681463367",
"to_ids": true,
"type": "sha1",
"uuid": "f8ee4b18-ac61-493b-8f08-2597af1a3b7d",
"value": "3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "md5",
"timestamp": "1681463367",
"to_ids": true,
"type": "md5",
"uuid": "46f42927-db76-4f9b-9457-2bf8d53c79f4",
"value": "82ecb8474efe5fedcb8f57b8aafa93d2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "sha256",
"timestamp": "1681463367",
"to_ids": true,
"type": "sha256",
"uuid": "fed5574d-3b36-48d5-a6e1-ae8e99cb81ac",
"value": "4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "filename",
"timestamp": "1681463367",
"to_ids": true,
"type": "filename",
"uuid": "a26937bc-0896-4f45-87e8-dea667726fc8",
"value": "BugSplatRc64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "size-in-bytes",
"timestamp": "1681463367",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "ae5073c9-ad22-42ca-97d1-5df2f7330d13",
"value": "301056"
}
]
},
{
"comment": "SNOWYAMBER - 2nd stage - CobaltStrike beacon (decrypted)\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681463822",
"uuid": "98923877-e697-4e46-be52-89926b10186a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681463822",
"to_ids": true,
"type": "sha1",
"uuid": "a4f06cd5-babb-4b76-8d9a-15a5f7ba2eae",
"value": "aaf973a56b17a0a82cf1b3a49ff68da1c50283d4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681463822",
"to_ids": true,
"type": "md5",
"uuid": "c388a994-9389-4074-b9f1-2e619b23dfa5",
"value": "800db035f9b6f1e86a7f446a8a8e3947"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681463822",
"to_ids": true,
"type": "sha256",
"uuid": "5c6e796a-4796-401c-8998-38cf83200752",
"value": "032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681463822",
"to_ids": true,
"type": "filename",
"uuid": "99dbb00f-d5a0-4bdd-bc8e-8c7f7797382a",
"value": "hXaIk1725.pdf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681463822",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "3d44e02b-34f3-4f3b-a2fa-6dff653a1456",
"value": "261635"
}
]
},
{
"comment": "SNOWYAMBER - 2nd stage \u2013 BruteRatel stageless badger (decrypted)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681463931",
"uuid": "d44e1f2d-6dd6-4a1f-b648-59d690e84b70",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681463931",
"to_ids": true,
"type": "sha1",
"uuid": "89a074eb-9205-41bd-82da-8107367aad9a",
"value": "a8a82a7da2979b128cbeddf4e70f9d5725ef666b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681463931",
"to_ids": true,
"type": "md5",
"uuid": "871dc6d0-ca85-4409-90bf-4a8434da4450",
"value": "0e594576bb36b025e80eab7c35dc885e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681463931",
"to_ids": true,
"type": "sha256",
"uuid": "16364669-d667-4f1e-9e66-114e4831f5f8",
"value": "ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681463931",
"to_ids": true,
"type": "filename",
"uuid": "1c1ab1c0-d02d-4bec-b21e-cf9732b269db",
"value": "hXaIk1314.pdf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681463931",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "7b5c67a9-8566-4907-b967-0f0b563c3f85",
"value": "347837"
}
]
},
{
"comment": "HALFRIG - Legitimate binary used for loading malicious DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681474053",
"uuid": "4a36fbd0-f4e4-4265-af09-1c860934b981",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681474053",
"to_ids": true,
"type": "sha1",
"uuid": "0a733573-c0bb-40f0-bd6f-5547258fc830",
"value": "d9d40cb3e2fe05cf223dc0b592a592c132340042"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681474053",
"to_ids": true,
"type": "md5",
"uuid": "97d25ec2-8897-4630-b3ec-39942bb6e740",
"value": "83863beee3502e42ced7e4b6dacb9eac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681474053",
"to_ids": true,
"type": "sha256",
"uuid": "6bfdc945-8eee-47fb-bef6-0011e3ddec6c",
"value": "cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681474053",
"to_ids": true,
"type": "filename",
"uuid": "e2ee465d-fa44-4062-a299-4a18837dee8f",
"value": "Note.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681474053",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "c5e20a08-b3ab-4a15-afe0-4a18ab2b0518",
"value": "1597000"
}
]
},
{
"comment": "HALFRIG - Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681474157",
"uuid": "b995157a-f9c8-4e1c-a338-e65775627ddd",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681474157",
"to_ids": true,
"type": "sha1",
"uuid": "d1126a3e-b7e7-41df-a2f6-00bdbb4003a7",
"value": "fbb482415f5312ed64b3a0ebee7fed5e6610c21a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681474157",
"to_ids": true,
"type": "md5",
"uuid": "3c2a7d7f-e6b9-4911-9ebb-974a929f6341",
"value": "0e5ed33778ee9c020aa067546384abcb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681474157",
"to_ids": true,
"type": "sha256",
"uuid": "8a75210a-bb70-4ba1-a30b-376e6f54e2e9",
"value": "d1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681474157",
"to_ids": true,
"type": "filename",
"uuid": "f2d6af30-2e3a-489c-9baa-c737af264d6b",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681474157",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "938d57ac-25d5-4446-81ef-35264ed2adcf",
"value": "2688000"
}
]
},
{
"comment": "HALFRIG - 1st module\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681474501",
"uuid": "674e907b-7058-4613-98d0-76d938cfd6e2",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681474501",
"to_ids": true,
"type": "sha1",
"uuid": "006bd3c1-da13-44ab-ba25-43ed0e0bd40d",
"value": "f61e0d09be2fc81d6f325aa7041be6136a747c2d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681474501",
"to_ids": true,
"type": "md5",
"uuid": "f062d6a7-7b8d-487f-9f27-46db1a03b734",
"value": "f532c0247b683de8936982e86876093b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681474501",
"to_ids": true,
"type": "sha256",
"uuid": "059f9665-b53b-413f-9b49-3ab5cffcb001",
"value": "ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681474501",
"to_ids": true,
"type": "filename",
"uuid": "d5684f57-90df-4ecd-8c9d-4ada438e5f60",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681474501",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "72620fa7-26bc-4e3a-888c-fdc49f979bd5",
"value": "27000"
}
]
},
{
"comment": "HALFRIG - 2nd module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681474768",
"uuid": "36164b07-dc2e-458a-b3f5-b6117f239934",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681474768",
"to_ids": true,
"type": "sha1",
"uuid": "f9b2e3fc-194f-4914-b664-0887b5e45d60",
"value": "e418d37fdcf4c288884bfe744b416cbdb0243a9e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681474768",
"to_ids": true,
"type": "md5",
"uuid": "dd8a4816-88e2-4d7e-bcb0-1a13c30b7541",
"value": "abc87df854f31725dd1d7231f6f07354"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681474768",
"to_ids": true,
"type": "sha256",
"uuid": "ccd39975-d7ef-45c1-9a67-fab8899d6047",
"value": "efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681474768",
"to_ids": true,
"type": "filename",
"uuid": "4ae05e95-159b-4892-8ade-6ccc1248da32",
"value": "msword.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681474768",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d90e6770-f556-4b10-a2eb-008ba244778f",
"value": "53000"
}
]
},
{
"comment": "HALFRIG - 3rd module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681475778",
"uuid": "ceed65f8-1499-4487-b95f-e9acbe047956",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681475778",
"to_ids": true,
"type": "sha1",
"uuid": "638ed2c8-e324-4eb5-84ca-ea44f9e854f6",
"value": "6dff9a9f13300a5ce72a70d907ff7854599e990a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681475778",
"to_ids": true,
"type": "md5",
"uuid": "03138635-1274-49f3-8175-14ea0e4a25c8",
"value": "2ffaa8cbc7f0d21d03d3dd897d974dba"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681475778",
"to_ids": true,
"type": "sha256",
"uuid": "73e295c3-2dd4-46b0-9348-1b7b29815a33",
"value": "cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681475779",
"to_ids": true,
"type": "filename",
"uuid": "9a443bbf-97e6-46b9-a009-51ab863ef2fb",
"value": "envsrv.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681475779",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "4175b3f2-7fa0-4e0a-b0de-c0e14f2b7799",
"value": "56000"
}
]
},
{
"comment": "HALFRIG - 4th module (shellcode stager)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681476174",
"uuid": "fc2c7391-60a9-4f16-b09c-5dc9b0743454",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681476174",
"to_ids": true,
"type": "sha1",
"uuid": "5efce5d4-ca6c-444b-857e-4bb4e1835bce",
"value": "a677b6aa958fe02cac0730d36e8123648e02884f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681476174",
"to_ids": true,
"type": "md5",
"uuid": "8e70d9d5-2daf-455a-abdd-6b2b8f25eeca",
"value": "5b6d8a474c556fe327004ed8a33edcdb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681476174",
"to_ids": true,
"type": "sha256",
"uuid": "cc193f4e-45d8-43cd-ad79-772185431bb1",
"value": "86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681476174",
"to_ids": true,
"type": "filename",
"uuid": "3036ecde-41da-4706-90f3-578424d6e069",
"value": "mschost.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681476174",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d2909d5d-7c63-493f-bf40-71077f9c5084",
"value": "391000"
}
]
},
{
"comment": "QUARTERRIG - Legitimate executable used to load the malicious DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681476733",
"uuid": "60ed09c9-da38-4dce-b8b4-e21e8fc1933a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681476733",
"to_ids": true,
"type": "sha1",
"uuid": "a271996a-4d68-425d-be19-29e6d19d7924",
"value": "b260d80fa81885d63565773480ca1e436ab657a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681476733",
"to_ids": true,
"type": "md5",
"uuid": "915bf969-a544-45dd-b904-57ad01555b6b",
"value": "b1820abc3a1ce2d32af04c18f9d2bfc3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681476733",
"to_ids": true,
"type": "sha256",
"uuid": "cda553b5-2284-4430-88be-ba9d7686dd33",
"value": "6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681476733",
"to_ids": true,
"type": "filename",
"uuid": "ff800fa6-7fab-4310-b388-0c55bbac8ba2",
"value": "Note.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681476733",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "ca9ce146-bfca-4521-a33a-079e3772f704",
"value": "1600000"
}
]
},
{
"comment": "QUARTERRIG - Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681476790",
"uuid": "3ae9fc2a-cfda-45c7-a247-d73f73a51930",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681476790",
"to_ids": true,
"type": "sha1",
"uuid": "b497783c-ac5a-42a6-be16-a7400ee140d9",
"value": "52932be0bd8e381127aab9c639e6699fd1ecf268"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681476790",
"to_ids": true,
"type": "md5",
"uuid": "3187dfba-3c58-42be-b788-7cc4d83c2f92",
"value": "22adbffd1dbf3e13d036f936049a2e98"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681476790",
"to_ids": true,
"type": "sha256",
"uuid": "2e786370-8c9d-4a6b-a2d3-37143ab6f83d",
"value": "c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681476790",
"to_ids": true,
"type": "filename",
"uuid": "2b1fde15-6e95-4ed6-a0ec-3f580eb5ac00",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681476790",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "4fd40647-7934-47ef-bf3c-80c313deb405",
"value": "2624000"
}
]
},
{
"comment": "QUARTERRIG - loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681476911",
"uuid": "69e85677-63c6-4d60-bb2c-9301d469e077",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681476911",
"to_ids": true,
"type": "sha1",
"uuid": "5e507bd8-a6d0-4224-8a9d-ae0944c8dd54",
"value": "ca1ef3aeed9c0c5cfa355b6255a5ab238229a051"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681476911",
"to_ids": true,
"type": "md5",
"uuid": "9c95d310-2c8a-4e13-a012-f5e5f12bfa0c",
"value": "db2d9d2704d320ecbd606a8720c22559"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681476911",
"to_ids": true,
"type": "sha256",
"uuid": "81bb5a50-7542-48c2-b291-1c7ef684dbf6",
"value": "18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681476911",
"to_ids": true,
"type": "filename",
"uuid": "9d8e7d25-7ec3-4dd3-b424-3742d0d130c9",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681476911",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "fad8a1b3-3c75-4866-ab39-b258b91f7fff",
"value": "28000"
}
]
},
{
"comment": "QUARTERRIG - Encrypted resource containing the second stage",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681476970",
"uuid": "7f85f95f-7e80-49be-985f-26c62453e9ec",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681476970",
"to_ids": true,
"type": "sha1",
"uuid": "9868eae3-d3e9-4a50-ae30-d3c05992ef2f",
"value": "02cd4148754c9337dfa2c3b0c31d9fdd064616a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681476970",
"to_ids": true,
"type": "md5",
"uuid": "2ed86428-162d-46ef-9a6a-3c40b8571282",
"value": "166f7269c2a69d8d1294a753f9e53214"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681476970",
"to_ids": true,
"type": "sha256",
"uuid": "40f2fd97-ecbc-48c2-88cf-97bd2b4c3537",
"value": "3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681476970",
"to_ids": true,
"type": "filename",
"uuid": "3ed93f83-9d69-441e-b595-bf25d7c3429c",
"value": "bdcmetadataresource.xsd"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681476970",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "29baaed1-1f42-46cc-b467-6b22580ea213",
"value": "456000"
}
]
},
{
"comment": "QUARTERRIG - Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681477060",
"uuid": "2ecea181-6b4c-42f8-9db6-b84bfdab7392",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681477060",
"to_ids": true,
"type": "sha1",
"uuid": "6c03b419-0563-4ea3-8e87-13620a9c7c31",
"value": "86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681477060",
"to_ids": true,
"type": "md5",
"uuid": "980c1dfe-4b96-4766-b110-238a86d5ba52",
"value": "1609bcb75babd9a3e823811b4329b3b9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681477060",
"to_ids": true,
"type": "sha256",
"uuid": "0c83fb9b-64fb-40d0-8e55-08bda228544a",
"value": "91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681477060",
"to_ids": true,
"type": "filename",
"uuid": "6efc8b83-0622-4d33-a2a4-c64255f2a68b",
"value": "Invite.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681477060",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "521a097f-306e-402b-8b6f-ef62f51b7acf",
"value": "6464000"
}
]
},
{
"comment": "QUARTERRIG - Legitimate executable used to load the malicious DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681477252",
"uuid": "f253b7db-5840-4c70-9bc9-a2880e555148",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681477252",
"to_ids": true,
"type": "sha1",
"uuid": "0fa9f316-b5eb-4e01-9a28-81e6388a74d4",
"value": "15511f1944d96b6b51291e3a68a2a1a560d95305"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681477252",
"to_ids": true,
"type": "md5",
"uuid": "59f75606-dbd8-4d8a-988b-2225b85bdbbe",
"value": "d2027751280330559d1b42867e063a0f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681477252",
"to_ids": true,
"type": "sha256",
"uuid": "bd8382d9-40da-401a-8c44-40d28c4baf54",
"value": "35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681477252",
"to_ids": true,
"type": "filename",
"uuid": "0d6043c3-df88-4fea-9e51-cb5f3d2c0543",
"value": "Invite.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681477252",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "2584127a-4f01-447f-a140-c602107fedd1",
"value": "5380000"
}
]
},
{
"comment": "QUARTERRIG - loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681477900",
"uuid": "e4bdcae2-8d1c-4fa4-9f7c-aeafa565b79e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681477900",
"to_ids": true,
"type": "sha1",
"uuid": "1c9e4b52-ee15-4b92-a642-c2900ad02b0c",
"value": "b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681477900",
"to_ids": true,
"type": "md5",
"uuid": "46de7f6f-4f12-4cf6-8226-49cdff2e068f",
"value": "bd4cbcd9161e365067d0279b63a784ac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681477900",
"to_ids": true,
"type": "sha256",
"uuid": "41ab02e3-a960-4569-a3f5-ba120073ac1a",
"value": "673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681477900",
"to_ids": true,
"type": "filename",
"uuid": "6682666c-d88a-4054-93fd-d49e73abd248",
"value": "winhttp.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681477900",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "567557f7-dba2-4651-a598-b37cf7f1ed15",
"value": "32000"
}
]
},
{
"comment": "QUARTERRIG - Encrypted resource containing the second stage",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681478003",
"uuid": "72df797d-68f8-4a2e-8483-964cf53d94e5",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681478003",
"to_ids": true,
"type": "sha1",
"uuid": "4de728cb-b60b-493b-a70b-f6fa771abb46",
"value": "1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681478003",
"to_ids": true,
"type": "md5",
"uuid": "e2ae1a9c-0544-47a5-8029-408c0cefdc68",
"value": "8dcac7513d569ca41126987d876a9940"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681478003",
"to_ids": true,
"type": "sha256",
"uuid": "b532f11c-c208-49e1-bb06-5222b656881e",
"value": "9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681478003",
"to_ids": true,
"type": "filename",
"uuid": "386c4a43-655d-485d-afdb-8cc3887c2d11",
"value": "Stamp.aapp"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681478003",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "c6ab1b57-6ad1-4c5a-869b-959b39546067",
"value": "460000"
}
]
},
{
"comment": "QUARTERRIG - Virtual disc container",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681478123",
"uuid": "4423841b-a166-4a48-acf1-d0c7198907f5",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681478123",
"to_ids": true,
"type": "sha1",
"uuid": "8f405a09-5ba3-4a22-8b32-7013ca618cc3",
"value": "bacb46d2ce5dfcaf8544125903f69f01091bc3d6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681478123",
"to_ids": true,
"type": "md5",
"uuid": "7619be89-96ba-4de9-a1df-1780c639daee",
"value": "3aca0abdd7ec958a539705d5a4244196"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681478123",
"to_ids": true,
"type": "sha256",
"uuid": "d62e2fdd-4eee-4cbb-b4f0-cf4fec5e4e64",
"value": "10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681478123",
"to_ids": true,
"type": "filename",
"uuid": "d1ede274-5546-464f-bd8a-6628f21ea614",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681478123",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "15bd34d3-19ad-4ff7-a7ce-4d5b84471e30",
"value": "2688000"
}
]
},
{
"comment": "QUARTERRIG - loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681478213",
"uuid": "eb54a2c7-2b9c-4809-a253-d800821ecf38",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681478213",
"to_ids": true,
"type": "sha1",
"uuid": "fa9b1b10-b4f5-446c-8316-87b0463c3273",
"value": "6382ae2061c865ddcb9337f155ae2d036e232dfe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681478213",
"to_ids": true,
"type": "md5",
"uuid": "f709c101-59ab-4a6e-98e2-3b51bac30cff",
"value": "9159d3c58c5d970ed25c2db9c9487d7a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681478213",
"to_ids": true,
"type": "sha256",
"uuid": "6475ffa6-684b-47fa-9771-4e36597426a3",
"value": "a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681478213",
"to_ids": true,
"type": "filename",
"uuid": "f21d48ea-c6a4-4662-bfcb-bceb7e7036af",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681478213",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d9d74923-7005-4e8f-ae3b-293b5d7eb724",
"value": "26000"
}
]
},
{
"comment": "QUARTERRIG - Encrypted resource containing the second stage",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681478668",
"uuid": "38c908cd-2958-4021-b434-7271ec84bada",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681478668",
"to_ids": true,
"type": "md5",
"uuid": "95e5f437-8b6c-421c-b923-55d6cd19a512",
"value": "8dcac7513d569ca41126987d876a9940"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681478668",
"to_ids": true,
"type": "sha256",
"uuid": "58715af3-fab4-44ca-a41f-76523672cb98",
"value": "15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681478668",
"to_ids": true,
"type": "filename",
"uuid": "13e5b2c1-70dd-4cd6-a564-cac990f41572",
"value": "bdcmetadataresource.xsd"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681478668",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "44ecfdc9-20f9-4e30-ab0a-6e40e2581cf6",
"value": "479000"
}
]
}
]
}
}