{
"Event": {
"analysis": "0",
"date": "2022-09-01",
"extends_uuid": "",
"info": "[OSINT] No Honor Among Thieves - Prynt Stealer\u2019s Backdoor Exposed",
"publish_timestamp": "1666601807",
"published": true,
"threat_level_id": "1",
"timestamp": "1666601798",
"uuid": "b7a486af-8b67-4f58-873b-0ae25fea43e9",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Prynt Stealer\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"WorldWind\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:stealer=\"DarkEye\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:stealer=\"Prynt Stealer\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:stealer=\"WorldWind\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"DarkEye\""
},
{
"colour": "#00b3b3",
"name": "ecsirt:intrusions=\"backdoor\""
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
},
{
"colour": "#2c0037",
"name": "ms-caro-malware:malware-type=\"Backdoor\""
},
{
"colour": "#001534",
"name": "ms-caro-malware-full:malware-type=\"Backdoor\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Prynt Stealer",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "9888e096-1341-4655-9a0c-1e53df9a6096",
"value": "d8469e32afc3499a04f9bcb0ca34fde63140c3b872c41e898f4e31f2a7c1f61f"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "6de8e173-c0fd-4be3-b4b1-42fc8c76c8e7",
"value": "f15e92c34dd8adfcd471d726e88292d6698217f05f1d2bcce8193eb2536f817c"
},
{
"category": "Payload delivery",
"comment": "WorldWind Stealer",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "d1d5db20-15d9-4e1f-a4e6-cab7a0bdf0b5",
"value": "3b948a0eb0e9bbca72fc363b63ffd3a5983e23c47f14f8296e8559fd98c25094"
},
{
"category": "Payload delivery",
"comment": "DarkEye Stealer",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "d451551e-c177-4ed9-a989-af74bb028188",
"value": "bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec"
},
{
"category": "Payload delivery",
"comment": "DarkEye Stealer (old version without AsyncRAT)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "a9b86903-b79c-455c-bbf0-7b488d90a3dc",
"value": "e48179c4629b5ab9e53ccb785ab3ee5eeb2e246e1897154a15fec8fd9237f44b"
},
{
"category": "Payload delivery",
"comment": "Celesty Binder payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "ae705dbd-6b31-41b9-9cfb-eb8ac1121210",
"value": "9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58"
},
{
"category": "Payload delivery",
"comment": "Builder",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "f54aa09c-1841-4826-9b28-22ef426079b6",
"value": "654f080d5790054f0cd1a0f9b31cd7a82a4722ff3ce5093acdc31ff154f1ae24"
},
{
"category": "Payload delivery",
"comment": "LodaRAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "74ed1b4c-6d5b-4d42-91fb-b642d4079067",
"value": "cb132691793e93ad8065f857b4b1baba92e937cfc3d3a8042ce9109e12d32b4c"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer Stub",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "ce2ad6bb-1747-4b74-bfce-8fb70c2051a0",
"value": "d37d0ae4c5ced373fe1960af5ea494a6131717d1c400da877d9daa13f55439bb"
},
{
"category": "Payload delivery",
"comment": "Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665989801",
"to_ids": true,
"type": "sha256",
"uuid": "5ed227fe-15f1-44e9-bd7f-7fc04710ec7c",
"value": "c79aed9551260daf74a2af2ec5b239332f3b89764ede670106389c3078e74d1a"
},
{
"category": "Network activity",
"comment": "DarkEye Stealer Hosting",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665992990",
"to_ids": true,
"type": "url",
"uuid": "b2cce1cd-8669-4f40-8215-2f4f141c8b1d",
"value": "https://cdn.discordapp.com/attachments/523238636561629190/890007970207907871/vltn.exe"
},
{
"category": "Network activity",
"comment": "WorldWind - Market Website (Inactive)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665993250",
"to_ids": true,
"type": "url",
"uuid": "4ec5a062-377a-4d46-954f-c0e9a5c9d798",
"value": "http://shop.prynt.market"
},
{
"category": "Network activity",
"comment": "Prynt Stealer - Market Website (Inactive)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665993250",
"to_ids": true,
"type": "url",
"uuid": "ff207b26-10e9-41d8-a901-208460f5f1f8",
"value": "http://market.prynt.market"
},
{
"category": "Network activity",
"comment": "Prynt Stealer - Market Website (Active)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665993250",
"to_ids": true,
"type": "url",
"uuid": "3f959b7e-8c08-4fe2-b769-7ace9f1d3b20",
"value": "http://venoxxxx.xxx"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer builder package - Prynt stub used by the builder",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665994495",
"to_ids": true,
"type": "filename",
"uuid": "967a4473-5c38-421a-b44c-68d71767fec5",
"value": "Stub.exe"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer builder package - Builder executable",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665994495",
"to_ids": true,
"type": "filename",
"uuid": "b25ef0d4-7c29-4dbc-8cd5-b9619400bf65",
"value": "Prynt Stealer.exe"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer builder package - Unmanaged PE",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665994495",
"to_ids": true,
"type": "filename",
"uuid": "b176d8c2-0949-4e79-b7e7-4891a729c352",
"value": "Prynt sub.exe"
},
{
"category": "Payload delivery",
"comment": "Prynt Stealer builder package - Backdoor that downloads and executes DarkEye Stealer",
"deleted": false,
"disable_correlation": false,
"timestamp": "1665994495",
"to_ids": true,
"type": "filename",
"uuid": "59827e8b-9dab-44b4-aab4-4ed13b02b39b",
"value": "Prynt.exe"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1665989572",
"uuid": "39c86d1d-05bd-4dae-a488-360079914b64",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1665989572",
"to_ids": false,
"type": "link",
"uuid": "3f4d70ad-8208-4707-afa6-0f7400f55025",
"value": "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1665989572",
"to_ids": false,
"type": "text",
"uuid": "ccb48af3-8af0-428e-9c57-ba2b922f879a",
"value": "Technical Comparison of Prynt Stealer, WorldWind, and DarkEye Malware"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1665989572",
"to_ids": false,
"type": "text",
"uuid": "6aad45d1-0674-4854-b666-4d813ffbbc1f",
"value": "Blog"
}
]
},
{
"comment": "WorldWind (hardcoded)",
"deleted": false,
"description": "Information related to a telegram bot",
"meta-category": "misc",
"name": "telegram-bot",
"template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
"template_version": "1",
"timestamp": "1665990242",
"uuid": "32c7146e-8ac3-4543-889b-1c39754b6303",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "chat-id",
"timestamp": "1665990242",
"to_ids": false,
"type": "text",
"uuid": "19aa10d9-e55d-4bed-b8fd-2a4e1403553b",
"value": "1096425866"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "token",
"timestamp": "1665990242",
"to_ids": false,
"type": "text",
"uuid": "ae8f5b64-bd3c-4c9e-896c-4c3dff3b5374",
"value": "1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8"
}
]
},
{
"comment": "Prynt Stealer (hardcoded)",
"deleted": false,
"description": "Information related to a telegram bot",
"meta-category": "misc",
"name": "telegram-bot",
"template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
"template_version": "1",
"timestamp": "1665990378",
"uuid": "535b633e-9e74-4f90-8e28-bfbbc342fb33",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "chat-id",
"timestamp": "1665990378",
"to_ids": false,
"type": "text",
"uuid": "29b53d36-ff5a-4e5f-8f0b-b4f072e0ab66",
"value": "1937717367"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "token",
"timestamp": "1665990378",
"to_ids": false,
"type": "text",
"uuid": "5a092591-61bc-436f-8dd4-be5af46783ce",
"value": "1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug"
}
]
},
{
"comment": "Prynt Stealer",
"deleted": false,
"description": "Information related to a telegram bot",
"meta-category": "misc",
"name": "telegram-bot",
"template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
"template_version": "1",
"timestamp": "1665990780",
"uuid": "921b1fa9-a804-47ec-99fc-2b0c63517d7a",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "chat-id",
"timestamp": "1665990780",
"to_ids": false,
"type": "text",
"uuid": "3508cefe-b0b3-4906-ab78-d73a06e0260a",
"value": "5038570348"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "token",
"timestamp": "1665990780",
"to_ids": false,
"type": "text",
"uuid": "b17b02c2-bc88-42bb-9de7-0106b1edf26b",
"value": "5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI"
}
]
},
{
"comment": "Prynt Stealer",
"deleted": false,
"description": "Information related to a telegram bot",
"meta-category": "misc",
"name": "telegram-bot",
"template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
"template_version": "1",
"timestamp": "1665991643",
"uuid": "09b2266a-460d-45cd-968a-f903dcb8e938",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "chat-id",
"timestamp": "1665991643",
"to_ids": false,
"type": "text",
"uuid": "57e39ba6-a415-4771-96c5-62ceadadc360",
"value": "1856525476"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "token",
"timestamp": "1665991643",
"to_ids": false,
"type": "text",
"uuid": "7849bf84-5d84-4049-a686-8834b91323ce",
"value": "5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI"
}
]
},
{
"comment": "Prynt Stealer",
"deleted": false,
"description": "Information related to a telegram bot",
"meta-category": "misc",
"name": "telegram-bot",
"template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
"template_version": "1",
"timestamp": "1665991857",
"uuid": "89ca0c35-28ce-4896-97ef-96a1277a042b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "chat-id",
"timestamp": "1665991857",
"to_ids": false,
"type": "text",
"uuid": "a02fdd87-9fd4-4b74-af29-72cc7d256918",
"value": "849561191"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "token",
"timestamp": "1665991857",
"to_ids": false,
"type": "text",
"uuid": "5f075a20-5076-45dc-9217-90afc883968a",
"value": "1916193181:AAHhdcx3k6mHbnJ6JLfyWtJBMChny-la8Xs"
}
]
},
{
"comment": "DarkEye Stealer C&C",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1665993035",
"uuid": "ae21fd17-1261-4d84-a0ac-44d65e3a9c31",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1665993035",
"to_ids": true,
"type": "domain",
"uuid": "7e15ddff-abf4-4735-9138-c8d46362102d",
"value": "bigdaddy-service.biz"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1665993035",
"to_ids": false,
"type": "port",
"uuid": "0ba8c8e5-908d-427e-b942-254099cfecf1",
"value": "6606"
}
]
},
{
"comment": "DarkEye Stealer C&C",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1665993059",
"uuid": "df65f997-8718-4042-9aee-c63b8065db3d",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1665993059",
"to_ids": true,
"type": "domain",
"uuid": "5e6f89a6-0333-4de5-8e43-ac78547f6034",
"value": "bigdaddy-service.biz"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1665993059",
"to_ids": false,
"type": "port",
"uuid": "7c828a5f-8e54-4860-ad06-9fc1670a78f8",
"value": "7707"
}
]
},
{
"comment": "DarkEye Stealer C&C",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1665993090",
"uuid": "fb51780b-d597-4c98-9c55-e84bea603537",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1665993090",
"to_ids": true,
"type": "domain",
"uuid": "e91c1f39-762e-4cae-bdd9-f5f5641f4627",
"value": "bigdaddy-service.biz"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1665993090",
"to_ids": false,
"type": "port",
"uuid": "42eb50fd-0a53-40b6-88e3-edf832ddc8e2",
"value": "8808"
}
]
},
{
"comment": "LodaRAT C&C",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1665993149",
"uuid": "422c54fd-935c-4f2d-b07d-3e8701cad357",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1665993149",
"to_ids": true,
"type": "domain",
"uuid": "8b60fe6f-3f0a-48e5-96ce-6887a9f049b2",
"value": "daddy.linkpc.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "port",
"timestamp": "1665993149",
"to_ids": false,
"type": "port",
"uuid": "687aa5a5-83c2-43ce-b02f-cc5d5fb27c8e",
"value": "1199"
}
]
}
]
}
}