adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9.json

2114 lines
764 KiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2020-12-30",
"extends_uuid": "",
"info": "RegretLocker - compiled information, activity and samples",
"publish_timestamp": "1609343566",
"published": true,
"threat_level_id": "2",
"timestamp": "1609337868",
"uuid": "ffb85ca7-6a43-4b9f-a759-b6a7ea2235f9",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:ransomware=\"RegretLocker\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Attribution",
"comment": "The malware writter has 2 weird checks to check for a particular user name and PC name(WIN-295748OMAKG). If the user name or the PC name matches, the malware will exit immediately.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609334140",
"to_ids": true,
"type": "text",
"uuid": "6dbfc982-fc1f-4c82-ac73-0d9a407d6684",
"value": "WIN-295748OMAKG"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609335756",
"to_ids": false,
"type": "link",
"uuid": "42f702b7-229b-4399-a2fe-8b693af95dd8",
"value": "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336047",
"to_ids": false,
"type": "link",
"uuid": "b6916923-3724-4874-9bae-3ca7306971eb",
"value": "https://twitter.com/VK_Intel/status/1323693700371914753"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336048",
"to_ids": false,
"type": "link",
"uuid": "b690c46e-0cac-4feb-8b99-db3b7bba4f99",
"value": "https://twitter.com/malwrhunterteam/status/1321375502179905536"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336048",
"to_ids": false,
"type": "link",
"uuid": "c84562fb-02e8-4ab8-936e-2795dd238613",
"value": "https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336126",
"to_ids": false,
"type": "link",
"uuid": "aadc3450-a27d-4298-8f5a-4044ce6944c1",
"value": "https://app.any.run/tasks/e19eff7c-6d0f-4b09-95da-23f6ab465bb1/"
},
{
"category": "Network activity",
"comment": "Source url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336184",
"to_ids": true,
"type": "url",
"uuid": "8627f24c-f338-44f2-87dc-893c17f11e46",
"value": "http://344744.cloud4box.ru/files/locker/locker.exe"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336202",
"to_ids": true,
"type": "ip-dst",
"uuid": "30cea38a-9c7b-4857-a681-18dea3ca092f",
"value": "109.248.203.209"
},
{
"category": "Artifacts dropped",
"comment": "Next, it also schedules the malware as a task every minite using this Schtasks.exe command, which is run from cmd.exe using ShellExecuteA.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609337674",
"to_ids": true,
"type": "windows-scheduled-task",
"uuid": "3ababeaf-c5dd-4760-bf5b-cb76cb4ecd20",
"value": "Mouse Application"
}
],
"Object": [
{
"comment": "the malware will first reach out to C&C at http://regretzjibibtcgb.onion/input with get_key in the query to request the RSA key.",
"deleted": false,
"description": "Tor hidden service (onion service) object.",
"meta-category": "misc",
"name": "tor-hiddenservice",
"template_uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330",
"template_version": "1",
"timestamp": "1609334206",
"uuid": "004bcecb-dfdb-4e60-94a2-53e6a7c7e65e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "description",
"timestamp": "1609334206",
"to_ids": false,
"type": "text",
"uuid": "93d56bb5-d6d7-4c3a-9b13-ba6a03a91c19",
"value": "http://regretzjibibtcgb.onion/input"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "address",
"timestamp": "1609334206",
"to_ids": false,
"type": "text",
"uuid": "770098e3-5b69-4254-a2ce-6a5102b11704",
"value": "regretzjibibtcgb.onion"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "8",
"timestamp": "1609334251",
"uuid": "d485ac66-e0e8-47cb-ad29-b8bdc8340d4e",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1609334251",
"to_ids": true,
chg: [feed] added
2023-04-21 13:25:09 +00:00
"type": "url",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"uuid": "ea53af10-331f-4a5a-9581-a83f4e90e29c",
"value": "http://regretzjibibtcgb.onion/input"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1609334251",
"to_ids": false,
"type": "text",
"uuid": "9c631808-d69a-4c89-bdda-82275ff6bc9a",
"value": "http"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1609334251",
"to_ids": true,
"type": "domain",
"uuid": "6f2f8e80-28f6-45f0-9340-32b38091abf4",
"value": "regretzjibibtcgb.onion"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "host",
"timestamp": "1609334251",
"to_ids": true,
"type": "hostname",
"uuid": "f72c545a-4d92-4ddb-8187-9851bb21d160",
"value": "regretzjibibtcgb.onion"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Cryptographic materials such as public or/and private keys.",
"meta-category": "misc",
"name": "crypto-material",
"template_uuid": "50677f82-ec9c-4484-bb29-2519cfe56823",
"template_version": "4",
"timestamp": "1609335730",
"uuid": "4c2a0d50-bf8d-4e94-9396-31303bc82625",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1609335730",
"to_ids": false,
"type": "text",
"uuid": "c0be054c-863c-4cac-991d-0d03fd0bbcb6",
"value": "RSA"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "public",
"timestamp": "1609335730",
"to_ids": false,
"type": "text",
"uuid": "38503a70-0c58-42ca-8e54-ead2934234f6",
"value": "-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1ZQInrnhxXCtAN/LsOX2GmgbvBxMsO49lc1/qodshkUvRQLazWv61UbMLKx2gaRQrCYuVrR1Cgd7LxY4ueGo50TqZioAJbCcfzdiXlEkJqLlz4RTU9RFZ/wFjWxChek2NsU6vLLSowPPTw+JhwTooI+QPAIYeoxCf4xz7Kvu9CQIDAQAB\r\n-----END PUBLIC KEY-----"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "origin",
"timestamp": "1609335730",
"to_ids": false,
"type": "text",
"uuid": "76f26a7c-27ba-45d5-b54e-e05bc46803f4",
"value": "malware-extraction"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "4",
"timestamp": "1609335852",
"uuid": "7f83f602-a73e-4eda-8fb9-f1e85be3451b",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1609335852",
"to_ids": true,
"type": "yara",
"uuid": "90c4a320-6dd4-4c15-a33e-c2363f68c506",
"value": "rule regretlocker {\r\n\tmeta:\r\n\t\tdescription = \"YARA rule for RegretLocker\"\r\n\t\treference = \"http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/\"\r\n\t\tauthor = \"@cPeterr\"\r\n\t\ttlp = \"white\"\r\n\tstrings:\r\n\t\t$str1 = \"tor-lib.dll\"\r\n\t\t$str2 = \"http://regretzjibibtcgb.onion/input\"\r\n\t\t$str3 = \".mouse\"\r\n\t\t$cmd1 = \"taskkill /F /IM \\\\\"\r\n\t\t$cmd2 = \"wmic SHADOWCOPY DELETE\"\r\n\t\t$cmd3 = \"wbadmin DELETE SYSTEMSTATEBACKUP\"\r\n\t\t$cmd4 = \"bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures\"\r\n\t\t$cmd5 = \"bcdedit.exe / set{ default } recoveryenabled No\"\r\n\t\t$func1 = \"open_virtual_drive()\"\r\n\t\t$func2 = \"smb_scanner()\"\r\n\t\t$checklarge = { 81 fe 00 00 40 06 }\r\n\tcondition:\r\n\t\tall of ($str*) and any of ($cmd*) and any of ($func*) and $checklarge\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "version",
"timestamp": "1609335852",
"to_ids": false,
"type": "text",
"uuid": "96485339-2ba6-435b-87ad-305dda6be84e",
"value": "3.7.1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "context",
"timestamp": "1609335852",
"to_ids": false,
"type": "text",
"uuid": "eab56135-5716-4b4e-a6e4-86eb55d22c27",
"value": "all"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337219",
"uuid": "d78f50d8-cd5d-4dcd-94de-e079b92bdaa7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "5867540f-afce-4b90-bb96-8610f1ccb100",
"value": ".text"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "19b6e184-1122-4ab3-92a8-f23c1f30d3f1",
"value": "320000"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "cf595dae-5672-4faa-a147-3ae76945d7b2",
"value": "6.6348495531091"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "5d6c0cff-a240-4a3e-8659-01417144cef4",
"value": "1e4f92167c3ab2dc2c01650e939055f9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "131a23c4-8285-4c06-a0ff-3f33bd91aacf",
"value": "4d18b6c125b4668ed00358c002c8a0dfae23db7a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "c54f0f55-74ec-4965-8676-04326faeafab",
"value": "3ea51233fc585fcd6772cf677512cb9b06f8a6c971fd5c39b591a2a2d0357fee"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "c7962ae8-2219-4bcb-b830-95129fe54afd",
"value": "9627bc232692d7589b54d2b0ffc9bca17535bbb67e35da303e4ed9dd24a9a8dc8ea65f6d0bdc3d01cf5976aec2b306d56cecbb47d285e5bff7c108c678be622f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337219",
"to_ids": true,
"type": "ssdeep",
"uuid": "a5bce10e-6abc-4be6-935e-b2d8279834a3",
"value": "6144:8rvDx+dR25Cb1GjTiRsKKs5wYfOXGr6ckXDjkiW5EEyyq8MeCt10zXzcVP:aF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYP"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337219",
"uuid": "9b5a1501-69e1-4ba7-a44a-c66fbf773aff",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "cb95eb25-7ea3-4e47-8488-626ed5f2c5ed",
"value": ".rdata"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "28ef0d79-f5ff-4192-8c31-56438bbaeee7",
"value": "103936"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "e517d43a-0843-492e-b541-ee80fe28b4bf",
"value": "5.3139379645706"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "ad073074-ef7d-4cb9-9562-904a27af7f39",
"value": "d4267ed23f4b852d028f443cb4aad133"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "152d979e-46c1-4619-b3fa-e764465df30c",
"value": "e15c846060a20f089f14869bc16992023cd431b7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "ba23b932-edb6-4f9a-95b8-f45c3da32b1b",
"value": "3a64bac9f63b3a6aa3ee4e1ac7c038248dcf2283712c64f740866f0597008735"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "2bde2a19-16f1-4dc3-a843-d1cbd3560e60",
"value": "82d142ba284bd9534032e830d4f56ad7a8162f6bfa49fd63985bbe9d80c560d3e9500ed13cab54506bc62d86a890fa0a88a9906e232da0b48bdda804752411d7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337219",
"to_ids": true,
"type": "ssdeep",
"uuid": "9cf6b9ba-f946-4347-9515-f156060987b4",
"value": "1536:pM9MP1i6fkKxs8jsdrPQF7X8HZ4XhgPCa7fksWPcdEvtmgMbFubmJXz9/7FbXuyf:pi6sLxZRFrXOAg0FubmJj97Fb+yNd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337219",
"uuid": "30abb88a-cbc5-4960-9b49-2b11904f6354",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "041e23c4-b957-42ea-a748-22c097201bdb",
"value": ".data"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "039f8aed-a617-4825-9984-16f7cb6ab18b",
"value": "10752"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "87979ee8-e837-421d-89e8-69ec4da563c4",
"value": "4.5643514844553"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "df3005a9-b33d-439e-9a64-485f191b1b9b",
"value": "bdac7b3caf4a2640a848c52d56263d6f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "14e1cde5-15f3-4ff9-af52-0bb64767196a",
"value": "4074eac2c7cb8f54042d7753fddf79d41e6ba1da"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "1734e90c-2ffb-413a-8bf4-db6126dda15d",
"value": "0664109a211df95098544312f455035e79988bfbbe7b63dcbba01dfbf88351d3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "57b7756f-5ed2-44e0-9872-ecd92a5ca822",
"value": "9bec434d1685538df9205af3077e47f380729edb640d1c591c8cd4cc3d2d510ece40b039b31ea34d52742de8e58eef24308b269241810e4409aadfece39645f7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337219",
"to_ids": true,
"type": "ssdeep",
"uuid": "d3300ccb-baaa-4892-8907-4d051c147970",
"value": "192:uwiPy9D8pZIRxTRjRkRtRaN0NN0JbgcUC3h4+/1M:uwJ1IXu41"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337219",
"uuid": "23df8d28-7dc8-4524-a1a6-9585c30be9d5",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "3d2f4a77-6a74-4688-9669-7f4034bc78be",
"value": ".rsrc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "7791d0ac-53c0-4b06-a689-b873f6e3f429",
"value": "39424"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "006780c5-82eb-4187-893c-7179f993b734",
"value": "6.3888085830938"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "20352748-4678-496d-b604-cc1dbc63a842",
"value": "0182033254ebc8d0593f391d8dc7e6d2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "204b1a09-f49d-400b-8d01-15ec3cd82bb8",
"value": "7805b24719deb34dd098be5bc8ca6a0a4f6ea53b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "be489986-36bb-4636-93c1-96b76924b049",
"value": "8ee03e790e04d573a1e2f2c494823c7f5e5892c58ae2b68afd6d635bee4bb58d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "7cebc20c-c422-49c5-94b0-6ca64a5a9bdc",
"value": "41a162ef03942c7643acb6af31a9c4edb8e2022095c87853ea96741835ce465cc0c426808d5f1d7ef67a601859c46d1cf2e4944dfac50532948cbd3a16940b8b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337219",
"to_ids": true,
"type": "ssdeep",
"uuid": "9ca8c334-4672-4d05-92c6-bf3641669a07",
"value": "768:lzC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:lzC4MpvhCRto5gCxyy22gAV"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337219",
"uuid": "a96d75ef-7797-4f2a-82ba-754da2ffa4e1",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "40fb6fd7-8c49-48cc-bcd8-cf847340c66f",
"value": ".reloc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "79650495-4f82-4f09-a317-9e31f3dd8209",
"value": "19456"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "fcea76c7-b14e-4d76-838b-f040391d1ec1",
"value": "6.6017444852914"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "48ae48db-796a-42e2-898e-8d3de1fbcd68",
"value": "9836d373e3e5b2732261fd23de92e9cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "6469dead-29b7-4d2a-a2fc-f3fcb1708a7c",
"value": "a02930ef7a4abc95f485dd906b41c9f1b3b4089f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "c89b1980-c47c-4b39-bc36-f40e3c5567a9",
"value": "c044f90946b93915da65196d16dcc4f342273f369630fb419fe0e719ac83f073"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "c9fb71f8-c053-4be8-bcaa-6311bec0bf1d",
"value": "8903b89f3e1f5d9c7f388f943b687df9ae2d506b6dff83aa349c95bb50a55a4a06ed5f696d496c7078228ed30cf5ddcf63875f7e2c92b7b53b907ad371ed461c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337219",
"to_ids": true,
"type": "ssdeep",
"uuid": "bb175b13-ff08-4d69-bb0f-843fb68accb8",
"value": "192:UoXZpZ/peUCpKNaBksXNJzFL/0ztmARyzlHlndnKEs6FnKTKnbBwaSbEbw814lUP:tZUU8yGDDAwzlFdK96FcKHwLrFgx9fl"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "5",
"timestamp": "1609337220",
"uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"ObjectReference": [
{
"comment": "Section 0 of PE",
"object_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"referenced_uuid": "d78f50d8-cd5d-4dcd-94de-e079b92bdaa7",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "f3fd9d8e-1674-4888-850f-5e7358770625"
},
{
"comment": "Section 1 of PE",
"object_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"referenced_uuid": "9b5a1501-69e1-4ba7-a44a-c66fbf773aff",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "2dd8c244-4cd5-4723-8cc2-2c09babb215d"
},
{
"comment": "Section 2 of PE",
"object_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"referenced_uuid": "30abb88a-cbc5-4960-9b49-2b11904f6354",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "458401f4-07ac-4268-b029-c618975f1055"
},
{
"comment": "Section 3 of PE",
"object_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"referenced_uuid": "23df8d28-7dc8-4524-a1a6-9585c30be9d5",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "53685c09-4954-455f-9f86-8718910cd2a8"
},
{
"comment": "Section 4 of PE",
"object_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"referenced_uuid": "a96d75ef-7797-4f2a-82ba-754da2ffa4e1",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "a9f19419-9060-48ef-978f-8a682aedc153"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "ab23d077-008e-411d-9348-91598dc84a36",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entrypoint-address",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "a214e71e-94ee-44fd-969d-e47c2ce09b3c",
"value": "4296533"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1609337219",
"to_ids": false,
"type": "datetime",
"uuid": "1bca081d-9fb5-42fb-9248-af480bda7d5f",
"value": "2020-10-23T09:56:46+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "number-sections",
"timestamp": "1609337219",
"to_ids": false,
"type": "counter",
"uuid": "81a78d0f-a20f-45b4-9156-9a5b065690ba",
"value": "5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1609337783",
"uuid": "a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"ObjectReference": [
{
"comment": "PE indicators",
"object_uuid": "a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"referenced_uuid": "369a74a5-3e03-47c5-9cd0-4b2aad23e16a",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "d8cb3825-57f0-48a4-a011-c3219fb3eca0"
},
{
"comment": "",
"object_uuid": "a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"referenced_uuid": "312d40f7-2562-4852-88f1-8af1c0f3355c",
chg: [feed] added
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"timestamp": "0",
"uuid": "34a55e37-6d9a-4450-b53a-e1782ba5e26e"
},
{
"comment": "",
"object_uuid": "a6c63e2d-7552-4baf-93e3-65d6721bd91c",
"referenced_uuid": "07c951a1-18c3-457a-be67-fd355f832a73",
chg: [feed] added
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"timestamp": "0",
"uuid": "039f4282-8616-49d3-845a-a41e8d18c195"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1609337219",
"to_ids": true,
"type": "filename",
"uuid": "97a451ed-6beb-4da0-a85a-272b53273c91",
"value": "a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337219",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "270f36d3-1b20-4fb8-84a1-7f8b334d0501",
"value": "494592"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337219",
"to_ids": false,
"type": "float",
"uuid": "986614cb-52b4-4644-8bdd-ded1005bedf1",
"value": "6.58346583069"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337219",
"to_ids": true,
"type": "md5",
"uuid": "0814fbb2-0686-46b8-86fb-9803fb68da54",
"value": "3265b2b0afc6d2ad0bdd55af8edb9b37"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha1",
"uuid": "f2b5db79-739c-46c5-bc51-0eaee29e9c63",
"value": "24272beb676d956ec8a65b95a2615c9075fa9869"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha256",
"uuid": "b6fc1d7d-fd9a-454f-950c-986e38966328",
"value": "a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337219",
"to_ids": true,
"type": "sha512",
"uuid": "be617874-da10-4809-b115-ccd2f2908ba6",
"value": "28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAOBwnlGigyjmIBMEAACMBwAgABwAMzI2NWIyYjBhZmM2ZDJhZDBiZGQ1NWFmOGVkYjliMzdVVAkAA4OJ7F+DiexfdXgLAAEEIQAAAAQhAAAA4w+qV2TVumgBExPgSmSziQD1hlGzokecyM6/1l00L73neqsFavY/mfDEdOQstErnproOaXa0tzfN7YJX47AEplrTFCdDjKCcIno58p8bWpW0e8c/0LYnWAm5MxwjW+tSgYLSMFs9FGgYSKfuedknRrMEVuBtqQq2s49nnovVWualfFWMwLASUj+/bZdXbw+S7/J/tvnPUQO7XflwchhdyNrc8SLQsB0JGo3QQ0YY4LZc5O8FUwMoCteLgSIb96b1wtThn6fHP4L/HDtbjVmqu+hV2VkLmGOBDEBawLE0SxctgzkSe7b6nG2+BfdnyoLMBHlLh/crG385oMKuXbpkK8ilEr8Sq4TsZBksU4ftr678KbpqM6/Ur//IBYp2OyUCyrbAHpsGYFRw0a+IDKPhBuOm3BI7MAcsPFQx5h/mGISouTPh7pFIN7tfO/+WLo33qj6+EZgxMSznNJ8iPrmMNhqGS9qfKhUAnh5KKbSvXf+7irxKDUXK+xG+BVsVs/wdmtrBVebojNww8zNHuUI2UKo3r2nTCat3LOS8oW+4cuWyWHq05xOzCh8/G3QqJJJS5uLaT77KbsuTg7ly69s47qNLrzZy9aaWEx98t45tr3ywEnQpLUa1oamQWqdqOLxVkghuVvI14ISwf1o2c0thUluAzf/n3dBwBvweqPBWAjAyo3TyKiUtQtuzum/fIqpaiawKfhd0TPPFEEDRN1QygD8FkwJ46L6HP1/d3/Jd52j/8ULM+mp0XYN0WTO1uUwFS3mK9+0cFXe2USHLG9hmbq1Rtk/c+fGQmhCjIndE12whLkjpzv1nC3JvyGOYHdX3VnB8dEzgewLCM+0RQELtbsnNILU6tW+JCq6wMZInUykcV7z0BHtEqqIT5BhJUvRpFsAQ5zm/uvzuoc726+BDsLNLmg20P1wDWlsPSEwFa5FEPhii0uPMmofLd1DcYMrpB5y9VglUTAAmjTS7OljBV9G+JPx2xRzmxtTpW+pnYQ0ELGHI4xS8CTuN6grUWt+YK/87rqerC/7McY2yu9/jZc/gWCz97fdmPVRnAovHNQEdqf3qX2+ar3eG2MkYQbKIeCUGGd00Y+4j3uhpKg1h+I3Uj8qL/FWBVDLzsI53kHQmlewL9KViOJ7OZ34ICBbNGLJOBliXbra7RnGCasLB+9XLqku04PS1fuRZSfXHUybsmY22IVW/IFGLVzmDTgK8rJXCMl5DzmBTE9HdDK2xfb3S3zlxayRw9ga/f4LPQTuBLekbziDL+LTTyy2y8gIujVZ2Yn0S57k2kI+jHwe70+b7zNr6LA0TEnRJYj8GZRj2tlOwz8ebuemI8Q7cL/oaJrjKSfzRgq7yufEjxG/qXLEGT7O2KLG9nUE4g3wY50l9MDpM/QIS2mFKUdnAHnWX4nm+BGeJ+92TioyLWOigkdB5F6M2LD6n5R0Z49gbXG+byMt0AExt0vD2CbtZf5SZA//ljgm/zYEIyytd0Bb7UEn4S1VlrCqnLKHEluXx7SHQbhKwvkbo0I9y9XxPcnfCYuWflCd6y2SoRwUNN2AjPx2Dh7hhcPyF3XvQ8TomvOMvHtzf/CxzUrZqqCTaNuS0EpmjLtD1IL93UPETMgAPCNRClbKpICbcTr8/04T2JJIEPrG/gdfSh+ox0vTHSFvDCdW0qCeQbf75baOdP9eQ0w/qPiLDtOVX8OdQVH66sMa2yWRx4aQR5MgWu9ieNer+crvDIaAwIZarHDNf0EDQv+ejDtSJkT83EMGpB8x73i3FHbr53PQOgOMb+F7BzLCvf98go6Sn4Mg7+iUndxKHeCuP+oyqWtyXRBjhmcqBZkc3SsyEtr3wwD410g4dH0/P0b80m/Qa9HlfMqybg210OqTpfiFcCuZpDo1z3cZJtfDytEGsn7hsvkkA+dDxInUCQTyDusr0w7GY1DLQl7gpKcGwvx2GshnqoPYvLQObbWSVzspvmnNg9wwCtB7bG71MIYkdYdjrEFX8547O/vvfOKViB4YgPMfFtNR4SxSnPT2jajuZiaBZlzkpdu6LI3/v0M4WffhfgGdWoKFWqe1hWyeT3t5PhO9QTEHSPeLkRGKS/UlQ0CybZ/jjomY29sDhcbh35MyyjGUeWJBCFSuv56ci1ScehEaj8nMMSDLtKAbIAxJ0PAa/6fJbvUC6rGzvzFnXk39mTJZ8z5zKr9+p4YgTxg//BB2futxB/k90fJuUkoYIz2zCxCdXJdvMqtwHX8yPpSdngNrQ6ZqTXXJJzbl05GLTuXdVhzzyWTCBgIQVGgnwi6t85R3KqfqgRUZK/91Kj0v4GE8iulctz1zQfFDSjVRY+YFVHYfsD1yllNORl0e/mH1HD2QhA2YhX7GVbwrOdkJyjeXP0rgMrfvU1zMjNagKIoStzgmRXbBwNW815rKChiHuSMN27xfPI45v6yoOjSrX9zkR4A63tAI3O+K95P2xQuupk4H1FBkLiO7k/eN4puXl/RZInPzMQykZPCd1edlQHa9aHdjNNCeVviG56836RPMphy7nR7gbh1iAtD6NrSjhG1mYTrv4kOuOqYvdDbtWbyurlXuKY0BUF+KEKphNDNwG/ccNg/NNukAezh0p17m7A6yHNvxsrfYhLPOAePh7V06BgiGUA4jErnJ5ohvxIJfX8wFF/AvRnZO487TzRipn2Rhw5osLumVCZtVaVkaaQ2xiFkfeMw8a15z/sHLzESghrwB+KHb83DYrCj4SYibZPHkQdhg0VB73piyRku+sV5Gp9OaCF+LxHRYnYdebRgxYFtDh6Ow82vtyYiC1TOpJ1151Ym9WT0r3ruNr1w51p95vchOfe7Wd80dhexpZ5yOsxxCUAZF7nDyHKKD3CzlD+vXrRu+COz2gnuADDfcc3RB0T6w0B7SBPIDFYozgEXlPVyacWxN/qa39I+3VYkInc+xPIxloOmvNb/xQ1QrdcA9tq9M0zFkDz9931ycK2i/NEFz/WLd1XS1okDboNqxHQqyNwnkm0GYtbFDAAceKWUzMIHCPs8ACXB1FVNpUtKIsDp7Xfp35nsvHDLVqw2BW6hGTgZi8EFDn1Eng0/bnS9ZS8aJcxixHfoHngyqaN8iWP0zO0x9uKAeVnQlUOfLtZAxVXkjgxb4r5h9Pxu6bvfba5tbAI5HWcqCdJqbo1jIJgoM6jU3DJbQGT8WpLjFBXV/80omA9GfYQNd6r9W4hHfsMN1rBLShvJpB6B5ujNz3o6FAXuLud45KeN2eYJbTnxGBkSv3wLc6K/N0mIpRmlNpHKiDghkQATXZMrMXvz1wRpevP28E0dHpPYtkJ551L7jD9q95/K++IVCMK6yNqk9IVqbM/WtStiGoIk9JeTmHuEBJ0sjoPFnrrFlDGW6s1fdxpuA4lKDZtxi7UxYZ9D6ImL6PP53E48RjpB2er7mwDS3zWWAqp3ciQmrME/WRW8oiBAVIuAyOAoT35hy+cCdT6ze/n//4M6Tkk3rMAd3Du+kzDnMrUQyaagusASus7CGYOkuBCGefdfbd6rKoXBuazkFHH/r5976MVyB7BC5bgJVt/svz1y2JDWTOvzEy0sm9EJb6Ixdcgaic8BwGmux94JlT5djKcyewow1nesGAp7rOiEOfGOTO/iISOQUf6uQlDECG1cTp3NYID6UXX+nq1xZ7WepGL8XGyRJzBF/fjg/ltrR9SkRuFiMciq/5vopGLZ2ncqddyT2V5UcpjjSiYegNHRCvcZ/NI1Ua6kxN3OsVXiyNUjGQh8QQN8gRlWGS9GJk29yh512+M3q8E+K1t0dA3HiOeH671WSGJtD7bww3QhWFCGZGdJL2v7AFpX3ZScI5o4B8P/VcjwOjdCJ2zVGBgUqiZceyG+7ziUBJbEFLaKNewVWYi39pWYboO0jZzvMUoJxk8QnAQD9u81sr1+szpu46XoDktBM0qVrz/wDM74XtpLxUdWg4Ed
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1609337220",
"to_ids": true,
"type": "malware-sample",
"uuid": "bbf88e98-62e7-4b71-ac94-3402740b8316",
"value": "a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4|3265b2b0afc6d2ad0bdd55af8edb9b37"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1609337220",
"to_ids": false,
"type": "mime-type",
"uuid": "b55cf7a4-5d2f-4953-ae67-6ae9a5261321",
"value": "PE32 executable (GUI) Intel 80386, for MS Windows"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337220",
"to_ids": true,
"type": "ssdeep",
"uuid": "672f6e11-6287-4b43-a92d-6b85c5502d08",
"value": "12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1609337344",
"uuid": "312d40f7-2562-4852-88f1-8af1c0f3355c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1609337219",
"to_ids": false,
"type": "datetime",
"uuid": "8df1ad0c-2fe9-4db3-a0a0-a383d8f3dbb3",
"value": "2020-12-10T18:07:01+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1609337219",
"to_ids": false,
"type": "link",
"uuid": "73d0a4b0-8a60-4a18-8406-108501e8353f",
"value": "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "235fc20b-5747-4e39-bb6c-62c361853244",
"value": "63/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337500",
"uuid": "f19826b2-8b7c-4826-8575-863438b660ec",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "5fd0952b-78a9-497c-9fc7-d77c1f14ca2a",
"value": ".text"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337500",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "0a3cb98a-7792-4a72-9ce9-c09592fd8307",
"value": "298496"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337500",
"to_ids": false,
"type": "float",
"uuid": "4621b1bf-a853-4b32-a151-4a92b9531837",
"value": "6.6475524649073"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337500",
"to_ids": true,
"type": "md5",
"uuid": "e3a3ef6e-b5db-4d7c-8758-961266c79ade",
"value": "3872b37a6fbcbb27f80b9639008a708e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha1",
"uuid": "a33b990d-0cde-41ac-99cd-b4799a6b869e",
"value": "af031fe59567d0fe50d6d047bc0ca7c2869d341f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha256",
"uuid": "c9d14d1f-d0ae-479c-b79f-0c233b0dcff7",
"value": "38bcb58a3bf5ead5cf760efb23d404f2f3344bf28d870eb2da94e90bbf2fc77e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha512",
"uuid": "53c4c31e-174b-4351-8f88-5427ff7cb011",
"value": "511911a3319406aff5bdbb2843547ffcb9584a663974a1315fd1111035051329888290bde3fb5dcab49cd955f404fc99060d922bb72265d576fcc7e0c2ce727b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337500",
"to_ids": true,
"type": "ssdeep",
"uuid": "55fe8a96-c659-413f-b11d-e56df6703e5a",
"value": "6144:lf0ryFWUY6V0eU82Tvvase6Jqrm7mi+HH38rnb9Fn41+nVszCxoj58T9O4:lf0GWQ0TvvNdem7m9H0n41+nVs+x05Z4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337500",
"uuid": "66a147e0-b788-4de3-ade4-c97530981c46",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "9428539e-41eb-426e-b9dd-2c0c8b54e387",
"value": ".rdata"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337500",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "f2a5d63a-3af2-4bd6-bdc2-3444adca0a6b",
"value": "93696"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337500",
"to_ids": false,
"type": "float",
"uuid": "2fe8470e-8943-4d9d-b94f-1bb4fdbe5d08",
"value": "5.4415893542669"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337500",
"to_ids": true,
"type": "md5",
"uuid": "9b1df8a2-20fa-4639-ad16-967caefee682",
"value": "3c027f23d1cc821ccef3334303834905"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha1",
"uuid": "fe621958-a1a1-4970-8df5-2c1ee7fc32c5",
"value": "97b2bcbb75096510580cfa3eb09ca9f5f99343fe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha256",
"uuid": "cd52f3b1-c5cb-4514-897d-45472e558d01",
"value": "ff797adfe7c6c249e809f08493ec5c0bdbebe042acb2b7971987d0301c084240"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha512",
"uuid": "c2bfa67b-a37a-40eb-8336-074d07ee09d6",
"value": "a76b76acca4386452924f789f4b7ff801064042f4513081e000ff0e2edd84411ee68c2a678d270e593b9fa6874a90a4e4aac82a99bbebfd3016c240356a4d8d9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337500",
"to_ids": true,
"type": "ssdeep",
"uuid": "485b7cc9-eaae-42ac-bef0-87b8ab834c78",
"value": "1536:QZL1M6liPlQtc/s8jsdVx6nwL4XhgvRsWAcd0vtmgMbFuzmxyttyN7:QBNYz6bLxFeAg0FuzmkbyN7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337500",
"uuid": "465f9a97-b302-4abe-a54a-a52022e473dc",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "d09407cf-0884-49d2-9b93-1d2876ee319e",
"value": ".data"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337500",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "15c3b7c6-04cd-4dd7-8cb1-063791aa181c",
"value": "10240"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337500",
"to_ids": false,
"type": "float",
"uuid": "d6c83c84-34b9-425d-b7ec-bdefded320f9",
"value": "4.5555134237561"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337500",
"to_ids": true,
"type": "md5",
"uuid": "c6e1a5c0-5333-4d2b-a2fa-c14a13381a4b",
"value": "b59be920c1c434664945d142276186b4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha1",
"uuid": "91f3029b-c100-4707-bf1b-e637f9b674f6",
"value": "416438c1a7fd81ee9d69873597d35bd59856e90e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha256",
"uuid": "389ee7a7-2eb4-4f0d-8566-1dd0669affe8",
"value": "60e47720c483c8a6067c98f8cb300aa1ae5c9e6ccded044ef365e459dc2c61ff"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha512",
"uuid": "7f3f664f-f229-4ae9-9551-87dc9aa7a766",
"value": "00160f9d9361ddebdded0156ee1c2ed60575e60281ceb3794044d9036febf6a25f3858fdfcbc13c0050ac6f6e2f37cd1463127c863883373b3dcf594bc48933a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337500",
"to_ids": true,
"type": "ssdeep",
"uuid": "aafcb62a-0237-438e-a9e2-98d65d3d1373",
"value": "96:AMPlvM5V16Ka4t6k7+x5WRwWRyN0NN0v3CxuOH6Ah8q+VOid:Dy6Ka4t6k7+xARjRyN0NN0v3sTH6Ag"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337500",
"uuid": "36023bd1-e08a-4d80-8666-f974049fce9b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "4ef3e8e2-ffcd-417b-929c-b654410acc02",
"value": ".rsrc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337500",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "0b429ce0-f3c6-4fea-a26f-8973e64daff6",
"value": "39424"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337500",
"to_ids": false,
"type": "float",
"uuid": "02f9eb68-9114-4db7-a24a-ce4c87955774",
"value": "6.3887459421453"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337500",
"to_ids": true,
"type": "md5",
"uuid": "c34a938b-c1e8-4856-a61a-a24942c9df24",
"value": "e9fb469d281b99eb663d16de3582a879"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha1",
"uuid": "b7d2e21f-1365-4a33-9f76-21f7bda43b84",
"value": "7ccdea45c0fa4f3929e9602a53aa9b4bb25b85e4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha256",
"uuid": "049c4384-b8cf-4195-89ab-898ebacbb9b2",
"value": "57a185a9643272ce1564c3c82e2bf020872558f1a78f2144406e28f9c6a43f61"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha512",
"uuid": "9249a704-7ec7-4d1e-8a49-f51256c3bbdb",
"value": "705091d713591aecf32e6faae05c01061bd3cbead7a0a08f639f1bb36cda3eb38c4a9f4c317c25fb80541077e42d81cb3f6beadca11bf6fe2c309fcb1896ec31"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337500",
"to_ids": true,
"type": "ssdeep",
"uuid": "557399a7-8f54-4ef6-8b50-dc75b8c735af",
"value": "768:1zC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:1zC4MpvhCRto5gCxyy22gAV"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "3",
"timestamp": "1609337500",
"uuid": "af6451da-ae31-4b1f-ae44-fd5e5bd45eed",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "e5d867ba-94db-44b8-bf06-d18b4ac5f611",
"value": ".reloc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337500",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "9536f844-79fd-4c12-ac64-dc8ee1d0f6d0",
"value": "16896"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337500",
"to_ids": false,
"type": "float",
"uuid": "15b92bcf-3e08-4b8b-9578-f53728aa855a",
"value": "6.622890870612"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337500",
"to_ids": true,
"type": "md5",
"uuid": "a434104d-4e1c-4e61-a2fc-76f611fcf416",
"value": "b2936a508681fdbe1f2d049cb2408c6b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha1",
"uuid": "33eff2f9-ebc6-4f84-a89b-b03a164d8ab8",
"value": "3947b42a90beabb11a40581a93b1409bd8167983"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha256",
"uuid": "5d2d0f94-f8c9-41cc-a584-9156aa7b73c7",
"value": "1b4cc01e63dac842f80de7e005cbe45d0e1ef7dc66392c80e9ec57c47be20421"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337500",
"to_ids": true,
"type": "sha512",
"uuid": "a5d61cc0-b740-4d2c-9d3b-0a12a2990a00",
"value": "b1b15f8629f6b6a31f10b53d04acb606d0ce7caf4018ea00df60fe0eabd6d603ca3ad848f477c6a13b90e79399cb1d9bdd23087ba607773422ba10a098395d08"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337500",
"to_ids": true,
"type": "ssdeep",
"uuid": "11a9355d-1711-43b6-9722-6945dd2b8a5a",
"value": "384:H7GGBN3/QP0rH6Pu+5UCDV6k5YWksOG54Fzda+lkq5e+sctn:HL/z6GK1Uk5FO04FhDkStsctn"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "5",
"timestamp": "1609337501",
"uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"ObjectReference": [
{
"comment": "Section 0 of PE",
"object_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"referenced_uuid": "f19826b2-8b7c-4826-8575-863438b660ec",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "8d9349df-7a6c-4999-8278-e6f9a6889020"
},
{
"comment": "Section 1 of PE",
"object_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"referenced_uuid": "66a147e0-b788-4de3-ade4-c97530981c46",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "9e77c3f9-7576-49c6-989f-d1990dad30cb"
},
{
"comment": "Section 2 of PE",
"object_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"referenced_uuid": "465f9a97-b302-4abe-a54a-a52022e473dc",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "988d4ea3-ff8d-4b7f-841c-3b49e6a12328"
},
{
"comment": "Section 3 of PE",
"object_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"referenced_uuid": "36023bd1-e08a-4d80-8666-f974049fce9b",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "b73dc54e-f9d2-44f1-b722-6cd07eeb61e5"
},
{
"comment": "Section 4 of PE",
"object_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"referenced_uuid": "af6451da-ae31-4b1f-ae44-fd5e5bd45eed",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "a99f9b12-9e0f-490e-a353-511f268161b4"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "aa99b431-aa6d-49c0-bf2f-4f4634da5d80",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entrypoint-address",
"timestamp": "1609337500",
"to_ids": false,
"type": "text",
"uuid": "4dd62155-eb97-440d-bd56-f3975e1620da",
"value": "4281237"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1609337500",
"to_ids": false,
"type": "datetime",
"uuid": "d11a3278-c95d-4d27-b629-f2a9439c9252",
"value": "2020-11-11T09:22:22+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "number-sections",
"timestamp": "1609337500",
"to_ids": false,
"type": "counter",
"uuid": "3e37a13f-6289-4c37-88d4-77dbec50bee3",
"value": "5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1609337783",
"uuid": "0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"ObjectReference": [
{
"comment": "PE indicators",
"object_uuid": "0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"referenced_uuid": "fcb9011a-2d16-4550-a05c-1921de1c107d",
"relationship_type": "includes",
"timestamp": "0",
"uuid": "249a77dd-8be7-485b-9874-714faecd975d"
},
{
"comment": "",
"object_uuid": "0cc053ba-50b3-4a56-b809-b7b5a3346a30",
"referenced_uuid": "84b99a25-ffe4-49c9-8e06-211bf977b936",
chg: [feed] added
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"timestamp": "0",
"uuid": "ec5fbc2c-c1a1-4cba-9979-ae3dee076119"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1609337501",
"to_ids": true,
"type": "filename",
"uuid": "2a780c2e-b74c-47ab-94b7-09aa22436db4",
"value": "c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1609337501",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "7a4c1209-f5aa-44fc-a0b3-291341675e4d",
"value": "459776"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1609337501",
"to_ids": false,
"type": "float",
"uuid": "1658c49b-a9bf-4e0e-8f7f-a215966206f3",
"value": "6.6161412344098"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1609337501",
"to_ids": true,
"type": "md5",
"uuid": "b2c66c92-927a-4cc5-aff2-88396ee42fac",
"value": "83153f8ca7f872a1b4abd40a5bd58094"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1609337501",
"to_ids": true,
"type": "sha1",
"uuid": "d92d41f0-d797-4204-b553-ef72838fd753",
"value": "6dc183ed1c644dd550207a34ac9e57c6f4b8d350"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1609337501",
"to_ids": true,
"type": "sha256",
"uuid": "78350ce6-058e-4e4a-b086-9f08830c6fb5",
"value": "c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1609337501",
"to_ids": true,
"type": "sha512",
"uuid": "52199db8-899e-4064-89d0-37a945d6d52e",
"value": "cf02eef8d7c4756b1cea7949e7543d8f38109c09178e25ecbf155bd45e96fc486cab5dc533208ff39c58d94e220de53bf4fe2120a593d5cefbd15ef57757df2c"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAHVxnlFd6kNhvdMDAAAEBwAgABwAODMxNTNmOGNhN2Y4NzJhMWI0YWJkNDBhNWJkNTgwOTRVVAkAA52K7F+diuxfdXgLAAEEIQAAAAQhAAAAHiQ4jT9taTUmkauEQVBQ2muo6M094sNGpYu5tTwA5gi9jpr8gf+RtgzYt5l7V8q3mUQxfgPP6hB4LAhv64zFb6puuvgM4K+DdSBy45ZSbIW/MZ177h+kBVwqsFvNJsd79NX0EVHfb/mdrx/CPdDFWREz5wRARNzToM/c8WALe5fA81/yzHVuQYLvEgZO4Y2oLcDSVqnmzzf9EfjdDZQA94agVVEM9sETnureJ34Tfgz4U8rVCCsExooUVSwNfzu/2bgOaOiPVV0SnubASi8Ky7kV5zY6fwrIIIGCweb/t3jp1qJv1krZWIBT517UwkhLBtZYrroXPW2uA5PpLpcocFR+SL6IpLZ+6/N/TEM/SYzWLK0oUy+CeAXFUVeQtamHZZhCQvtsCEAX0Ppzco8WLnHKHj5N3AuYwMcUKGEXFkn4xUY1/G54H33x9uZPCgwi1gIjZycjdPL3fHPBcg3xZgCyI5vs9tlSvOyg/KqTyhOsIO0cURTIbs/7JwdfhryT3eP3MnTAR2A3otMzxi3fx+wpAasDqR1mBSFFzSF+p1M2F0rKxvGJ7FooFP4uo1tMY6Sbx6/h8VWHFO8ujPiH/w14lWKQGe8MwaS4CuDfGRHwzEPrLvl+tIQBfxbetwlWAVMDwyrSupjwbqOkECY7aQegvW7AnCYGTDM98oHv3bX6j4QIfdwbxHGbqOCK9zbxrVRxCsTfPhQ0gWDkHVT+OdGgskOb273Y025b6zXkjuyOBKQKyEGz9lPKSuU7HQigCNjK3VlYQnSJbZIE8NjK+Lg8CS6u/s0AqMqo2tFr/x1uqudQh9nsg048XGoTUjsvh5vORzh9tPBJZ4gXy/0YaVw6Dy0ZsrFdvfuGH19MRPdLuOc4rSoeNLToeHxv//r9SlaFEWCr0wWy54R2n49mIZC0F9KHYCqf47VnPOYO0LdbhZ1zf+L9W/dOgsCbXTapI4Jb3jgDDWcjjajXG7HbV8viKqDSKYrfL4CO9/ItTlJS4iiost+L9h9Q68lzljh09uBYV+EjsJNiO8CpINUZ1VmbRfWLunFyPsjOMccEw3F3b97e6tj9J7Twv/Ogk52LsIG/5ZorjzjaXj9YgPbeZs/PkFc3RDd0JcCtlff8E/v/NlruuIaT9e0jpdu+s2BnG/r8vK+Pm9Q3AMjb4ebzv1T/IGUEW4XG3jAnC7RJ3daoXJ0X531mKGiGBMUkyvMgaeqH+AZyvPCl2b2HhMOuM04SI+lWlh9ORQmc/obMiGaD7jd8qZfzVUKNAjKqROucucDO4MOC32Mroqrk3dslAAGfRk4jW/1i09m4jn2dWC0cdUcK1IqzsvJ1s6rnE1nUM3hVNk2cLIgOr7ot6M7X21az6OJwmYSx3n2kJdwghAeuDxNEh+XrVygoBpNPGDGJAscOJs1To/ZRzcW5CIpyL8dtJosj6wrLXawrQRcVqDGskXMJlgN5eOaiZGL+wsYqVxC/DDfCqgJyq/gXlrhST/36vPJ2I0ayo6M53iC/ge8dkh7iHleOZWcLM/WUJZ2Hb1rfpCME9tiRF+L8zAtIzMcb7YCoO/LLXialdxUGZC4k5gdiRqum8qBHfLTrPYcqiSrBDhqZec6reAN8+/BZd5+ljADpQSVeD4ue6sHI5BtLtkSzxx535IPD74m6+F6SqfxlrugqfzH91zfU9Mqvd7vi5XCRb8H3dCI2sJDFX5kRIKXRxDUhwSIt2V5Rb0/UpE+AWeCj/sNCvAVAHcSJYYiCrvEg0Z+bGMWim9j+n5ksEHmu1tXNuBeLhV5atsy14eamhQ7ASBA9kyqujCh66dEPEW3giI3qknZEWDzS2NJRmlTEPdALBXpqbbkvlr36sfy6817dnHjrY/mpcHMEm4ZOb+m+zHtjttOeLA+sQ/pUmr4L3F5DuhqgpTGWdHsZklECoP0Ngm8JpehneALAMMZIcVTlefYj/cvuE1AsdjhTN9yrUW1cfmGS52hPYFFu6LkV+rNj4h3DWshLitxwe6oCaSF/xGkQHkbPBXuPStaeE/+ut6oFEOP56cuFJcQnHFMDzpecs20cd0WDJV/kMoUoXVuqM5AE1dhD2Zi7wBp8eWdRpMPKn5Mdqy9BInTo5nfklniqCd1Tx/CfpYXz8S/r3h3sYn1nB8oLwHiqSaCeKlAgr5Ly4wKFgv9UvlFm2QqaE1OmYxhpOhg8HsaZr7r4ZL8FQ8FRMOWux9VAv1hBCzcn63Vbf6ki4wFnPiuuYQj2T0J7lLpfdlta7oYGx0knRtp1znnD+b5HVJLt7FC/R2WxQNGCVu7NGKZrlb5zju3hers0WiyDwpL3fEmzOU6w5djppcVlaaVd25Q2YpE/AhPE1L5/ypCDts6caRDWRHfR0vu8V/9z97gANZTZQBu9se6DaCCnB3GMgt3vVCZEWALyV3Z0L48htAsLYrdPc5X9zh/HuJAJELohx4yazUSm2sAHL6VXiYygRt3XcIt+cD8MWSEXylDbO1jkgkapbT/stePCLskO8BqDugS6vxsy1GR9+ixTZ7hx1FpADahKE8SrvKXAJHX/ELNk4wrvni+ZYNXPGGWTWbia840xuY1Ta1FswWqDWfH+FQmLCifEYteVBBzlIQWSRIPN/V2FIcEZDg0esmKTGS/u8nPwXUNEF2w6Cp+xLjsn3MY8xg0voNmZ0FFyOSluX5zuD5dbPc7V9QZSWHxAFCQxuFT+Hod9MwDB3baalmqWR0nEUBTeBpGKmTyshsbThYP1jMvlWPJPcEHl0P4li25+ZPZPXSBqkcqAJex2NabUGYDWAKPVzVal8WpMdoAr5uCFTIDeGYZVwYx4f/Q078mpn98mwOxMzqwb8HIHH0o31oAmfOurjFVDlbzdrexUT9+kY01DadNg1Xyr2QCi4avqIAWEx7+QrJzZqw6Xabrb0cTuZHU1/V4rfMXiEmZv3Yb3A8zuO1P87MvXZkd924G3GvruqWMH0QURXQiEPKMc59jHqUiHT2MF+bx76xxtNmMwNlOX1cO62QJ5EHU99P8CMAkwqTRqmSvryxJ4EX6FrqGucDMN4GW1MwO5BfwB+ZUGQAAkFNDvRy/6ngQuEoAhAWGuz0O29h2DLHTG1mmgs+EBjrxVEfkiijEoKPRk/0OQTwBMAaZgCDtYgR6hyVjeUz6CP1zOoWMCX9HnTKeFaogi50Myw4TmGkX3U+kGSDayVcn2LJbIEXdQq1Rt5dqLIW0A8D48Kw/J4rGrQqMyZs4j+VdeTWiKN6lFRNj5qbFwOlwyKAYBYpWTVRbrJLausvO47mQb5UVfS/+CJH126Mjhg+dppM9hkxOG/Pp26mbn7xM5OOa4cvNF139+7DpmuR1+g/Ah01XgTwXC0EzYPf2dGNtAcz0dnU6J8ROjxGza7zIEQikR+TDU+3FZDv/xfOkCf+QFXBE2lX9MLwkP4+G6VYs6NZsP4y/3xHjyVfq65esJU2vW9rbi9pOlnL2O/Q8y6m4Zn4wLRREoUdJ8K5AGtN0zXh8MYy8ObD5yYAQf0DTNpT2yTI+pF2HBLxnpqQEpcabqlNxAU4DdloXyvVBP7em23E/LdavlMB8BzTa15cS3h9eoiKZqlXg6JIKGt8x94CHvTU/uZV4MWXZ9DXLSWq33jzKHTqGdyMF01cdxQ2UcSSRx+RIMJMWRBTtNUDtMgmZwdlCxM6If0huySSsOEGSjrUrGGcXlN+FeYCwfk7CQWXSBZAEzot4f1FoJlBXbVfkz1rNI1P+ttHwvRaPe5cqSLsTnlCxUSndETksgHGBujDhfydW5obIrUAT2z5bNCGtzIISEQ5GmxnRG+X4EqsO5Yr1z/jbWjsHmlk2RGA87jFCDu+n9/w+V+YSVcNVtNgIxOixF04ymRRkttPxjHHM7fy1j4hpTsa4ABDj2ac289/0mAgvRNBCLT7M+675NPM/A649eKJb1nrqmIV49b84EtmkG5R
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1609337501",
"to_ids": true,
"type": "malware-sample",
"uuid": "e577f82e-1615-488c-90e0-dd4c46f76b20",
"value": "c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa|83153f8ca7f872a1b4abd40a5bd58094"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1609337501",
"to_ids": false,
"type": "mime-type",
"uuid": "19696cde-42b0-417d-82b6-fa9dbbb72107",
"value": "PE32 executable (GUI) Intel 80386, for MS Windows"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1609337501",
"to_ids": true,
"type": "ssdeep",
"uuid": "dc169eab-c102-47d7-a25d-2590a53bc055",
"value": "12288:Tf0GWQ0TvvNdem7m9H0n41+nVs+x05ZxBi953uFh:TfbWQ0LF604MnNx0nxe3uF"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1609337783",
"uuid": "84b99a25-ffe4-49c9-8e06-211bf977b936",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1609337501",
"to_ids": false,
"type": "datetime",
"uuid": "228666f7-2318-4427-b564-5916d928c2d3",
"value": "2020-11-11T09:43:20+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1609337501",
"to_ids": false,
"type": "link",
"uuid": "5a663a99-38c9-42da-9db7-29e55419384a",
"value": "https://www.virustotal.com/gui/file/c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa/detection/f-c5c7e4f126099586670346024bd37eccf0cce6dd1eb8cfcafbb24530e1c582fa-1605087800"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1609337501",
"to_ids": false,
"type": "text",
"uuid": "9b0ec61f-7a29-4291-a019-d4fe1a219b48",
"value": "39/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1609337783",
"uuid": "07c951a1-18c3-457a-be67-fd355f832a73",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1609337219",
"to_ids": false,
"type": "datetime",
"uuid": "75139155-c8bf-44a5-ae0c-76072c196a48",
"value": "2020-12-10T18:07:01+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1609337219",
"to_ids": false,
"type": "link",
"uuid": "d45325fa-f3e5-4fc4-9c4c-f471e154f71c",
"value": "https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection/f-a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4-1607623621"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1609337219",
"to_ids": false,
"type": "text",
"uuid": "977af219-3ee3-4ba0-8419-7c27c44710a5",
"value": "63/70"
}
]
}
],
"EventReport": [
{
"name": "Report from - http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ (1609337868)",
"content": "html Global site tag (gtag.js) - Google Analytics Reverse Engineering \u00b7 17 Nov 2020 # RegretLocker\n\n ## Summary\n\n ***RegretLocker*** is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for ***VHD*** files, mount them using ***Windows Virtual Storage API***, and then encrypt all the files it finds inside of those ***VHD*** files.\n\n Typically, ***VHD*** files are huge in size with a max size of nearly 2TB because it\u2019s mainly ussed to store the contents of a hard disk of a VM which includes disk particitions and file systems. This makes it unrealistic for ransomware to waste time encrypting simply because it\u2019s too big.\n\n However, through mounting these virtual disks as physical disks, ***RegretLocker*** can go through and encrypt the individual files inside, which significantly increases encryption speed overall.\n\n For encryption, ***RegretLocker*** reaches out to the C&C server for a ***RSA*** key in order to encrypt and produce a unique ***AES*** key. This ***AES*** key will be used to encrypt all of the files on the disks. However, if the machine is offline or it can\u2019t reach C&C, it will just uses the hard-coded ***RSA*** key in memory, which makes it simple to write a decryption tool for!\n\n All of the encrypted files have the extension ***.mouse***.\n\n Huge shout-outs to Vitali Kremez and MalwareHunterTeam for bringing this ransomware to my attention!\n\n ## IOCS\n\n ***RegretLocker*** comes in the form of a 32-bit PE file.\n\n ***MD5***: 3265b2b0afc6d2ad0bdd55af8edb9b37\n\n ***SHA256***: a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4\n\n ## Dependencies\n\n ***Advapi32.dll and Crypt32.dll***: Main crypto functionalities such as RSA and AES encryption\n\n ***VirtDisk.dll***: Mounting virtual disk functionalities\n\n ***tor-lib.dll***: DLL dropped by ***RegretLocker*** that is used to contact C&C through Tor\n\n ## Networking\n\n ***RegretLocker*** contacts the C&C server at ***http://regretzjibibtcgb.onion/input*** through Tor 3 times:\n\n - Retrieve RSA key from server - Sending information such as the computer's IP, name, volume of the disks,.. - Signalling when it finishes encrypting Before contacting C&C, it sends a GET request to ***http://api.ipify.org/*** to retrieve the PC\u2019s public IP address. If this fails, the malware can assume that it\u2019s running offline and will use the hard-coded RSA key.\n\n ## Ransom Note\n\n ***RegretLocker*** drops a ransom note in every folder that it encrypts. This is the content if you run the malware with Internet connection. The hash is used to identify which RSA key is used to generate the AES key on your machine.\n\n You can find malware log here on my Github\n\n ## Code Analysis\n\n ### Only One Process Running\n\n ***RegretLocker*** first check if there is only one version of itself running by looping through all of the running processes using ***CreateToolhelp32Snapshot, Process32First, and Process32Next***.\n\n For each of the running processes, it compares the name against its own name to make sure that there is no process with the same name.\n\n If there is one with the same name, the ransomware exits immediately.\n\n ### Dropping tor-lib.dll\n\n The malware extracts the path to the current directory it is located in through ***GetModuleFileNameA*** and concats ***\u201d\\tor-lib.dll\u201d*** to it, which means that it drops this dll in the same directory of the malware.\n\n It then calls a function to extract the dll from its resource section through ***FindResourceA, LoadResource, and LockResource***. As we can see in ***Resource Hacker***, the dll is stored unencrypted in the resource section. After extracting the dll, it calls ***LoadLibrary*** to get a handle to the dll. This handle will be used for the malware to contact C&C.\n\n ### Development Check\n\n The malware writter has 2 weird checks to check for a particular u
"id": "32",
"event_id": "81762",
"timestamp": "1609337868",
"uuid": "0d5ea620-4f7d-43a0-afd9-8b21a5de1095",
"deleted": false
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
chg: [gen] updated
2023-12-14 14:30:15 +00:00
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
}
Reference in a new issue Copy permalink