772 lines
1.7 MiB
JSON
772 lines
1.7 MiB
JSON
|
{
|
||
|
|
"type": "bundle",
|
||
|
|
"id": "bundle--04e8bb1e-b445-40a6-a68a-1ce85e32d229",
|
||
|
|
"objects": [
|
||
|
|
{
|
||
|
|
"type": "identity",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-22T12:33:04.000Z",
|
||
|
|
"modified": "2023-04-22T12:33:04.000Z",
|
||
|
|
"name": "CIRCL",
|
||
|
|
"identity_class": "organization"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "report",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "report--04e8bb1e-b445-40a6-a68a-1ce85e32d229",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-22T12:33:04.000Z",
|
||
|
|
"modified": "2023-04-22T12:33:04.000Z",
|
||
|
|
"name": "QUARTERRIG - Malware Analysis Report",
|
||
|
|
"published": "2023-04-22T12:33:17Z",
|
||
|
|
"object_refs": [
|
||
|
|
"observed-data--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"file--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"artifact--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"observed-data--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"file--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"observed-data--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"indicator--768398f7-2ecd-4752-b4d4-e22de7a17c9f",
|
||
|
|
"indicator--4f3a3552-4374-4692-be62-2dac7a60ea12",
|
||
|
|
"indicator--1980ede0-18fe-4e78-a433-d85419354fdf",
|
||
|
|
"indicator--37294cb6-221f-4348-a3a6-ab46ed3adc83",
|
||
|
|
"indicator--f99cfe00-4d03-4ed2-8112-9a89d16d9251",
|
||
|
|
"indicator--3084badc-4ea2-4550-a683-0c6088c4b2ba",
|
||
|
|
"indicator--df942350-ff5f-4008-ad1d-14cecf33fabd",
|
||
|
|
"x-misp-object--740c4b3b-f5d6-42dc-9264-c225348060f5",
|
||
|
|
"indicator--4a911505-85c5-4496-8eb6-75cea522ed00",
|
||
|
|
"indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e",
|
||
|
|
"indicator--10cee96e-441a-48ea-8585-049029d4c157",
|
||
|
|
"indicator--204c3d9f-6da0-426d-9609-db8c99dd8f8c",
|
||
|
|
"indicator--7546b1a9-3633-4f46-99e2-d27bb8db276a",
|
||
|
|
"indicator--20d5700b-21da-4c3e-9425-c5b87b5f83aa",
|
||
|
|
"indicator--f80de271-05af-4413-8087-9d553c54805e",
|
||
|
|
"indicator--0d5b228d-17ff-48e1-bb83-24e34292ea06",
|
||
|
|
"indicator--d940713b-8e68-4bbd-9164-ed43afc83c11",
|
||
|
|
"indicator--21b857c6-1d55-4625-9b08-56c9fdc205da",
|
||
|
|
"indicator--c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8",
|
||
|
|
"indicator--202f9cfd-1b59-4f2d-a113-27e6822b693d",
|
||
|
|
"indicator--553fd38b-e053-4632-867f-377e6746a81d",
|
||
|
|
"indicator--b0de75d1-a729-49aa-a586-1fe80813422b",
|
||
|
|
"indicator--e659ce38-dba5-438c-a7c7-900052726ad8",
|
||
|
|
"relationship--85e69f82-19f7-4dc0-a2fb-088c6a6eac61"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"Threat-Report",
|
||
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
|
"misp-galaxy:tool=\"QUARTERRIG\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
|
||
|
|
"misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"",
|
||
|
|
"type:OSINT",
|
||
|
|
"osint:lifetime=\"perpetual\"",
|
||
|
|
"tlp:clear"
|
||
|
|
],
|
||
|
|
"object_marking_refs": [
|
||
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T07:13:27.000Z",
|
||
|
|
"modified": "2023-04-20T07:13:27.000Z",
|
||
|
|
"first_observed": "2023-04-20T07:13:27Z",
|
||
|
|
"last_observed": "2023-04-20T07:13:27Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"file--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"artifact--be23fc18-9ba2-41ba-b517-52b492232869"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"attachment\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "file",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "file--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"name": "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG.png",
|
||
|
|
"content_ref": "artifact--be23fc18-9ba2-41ba-b517-52b492232869"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "artifact",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "artifact--be23fc18-9ba2-41ba-b517-52b492232869",
|
||
|
|
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAAlAAAAFQCAYAAABwCkDYAAAABHNCSVQICAgIfAhkiAAAIABJREFUeJzs3XecFFW+8P/Pqeo0eQYGmCGN5GAgC6IIskowIwYUBWR5UAEDrF6zuOqu6yKCooISBEy4imFACSpJEEEQlCB5yJNTT+pQdc7zR0+3PTC4cq/z/Lz7O+99zfZMV9U5p6pL6tsnCiml4nem1C9JCiEif5/6+x+LQikQIvSKEggBnE05pQ1CYGMAYNqABAyFMhQIEMKoPffwdUGF8g79BqL653ciVfUpKRAKFAph/LYMbNsmaAWpClQSHxuPIUxQYJrm71dATdM0TftfQNRVACWlDGVwSgASDqIMo/ZA4v87CqkslBIIJELYINwIfns5repLaUgbJRSyOloxDSNyzrUFUOHgybYlpjJBKYRThIIbAb9rBGUpQKAUKKEQ5tkFs0ophBRIpVBCVp/THy0Y1jRN07S65airhHNzc1m/fj0+n4+YmBgAgsEgDRs25LLLLgs9iOvwwaui/l+oU/IJVb1U//7LAbnZFbz11kcMuPxiuvVoH9qmQhtVOJAJxR/Vm1RkF6FCQUmgymbHlgNs/mEvxUWVJHrcZLROpc+l51MvLZFQZY9CVOevqmuYpC3JPlnIV0u/5ebbBhOb5EKKIAbOM56dUAIlasa/QtU8p9CbkRPBDkq2bdmBJ9bNuZ06gARlhncWvxwfSfaX9JUAIQVFuV5O5mXT4dw22MioGigVdWh1WpFrV122cOFqfCTqlGOq86rOXv1ycOijq75vQr+fcu7Rx2qapmlaHamzaqCUlPpYlmTSpAdp2rQ57dq1o169esyZMwfLslDVsciv/fxPSAVBbJTyo6REKhtbKgKAUhLs6loY6UdioSSUCZu3v8vjaJEPIRVSAkqhpAwlKCWquqbKUgpb2SBtbFWJlDbZx3OZ9uoH/OT1culNvRn9yE1cf88gRHpDps/+nOM7c1FShSqBlCQobCxAKkkQReb3BTz17lYK/UEUEpQTvwCFjSKIX4BEoWyFkgGUVASxQUqElKAkKBuwQscoCwiCCoKUSGz25hby+Kyv+PDrHWBYIGR16qFcVCgHbFSo+dH+5bwVfsqtIC98+A13PvUvvFYQIQxsFcpRIUFaKKqqy1J9/VQQlAVKIuzTP1mlQKogtgJsO5Rv9ekQShWpVOg8lAztzy83ilX9eaNCzZ7yd7h/NE3TNO3X1FkNlNvtonnz5ng8Htq2bUO9eimcf/75xMfH/7LTr1UT/A+fgKYC03ZimQ4MZUOVwjQUhjuAwIE0LAJ+G4cNptuJNCVNG9YjNSUVw+VEGSAMi4ByYFRKDAcINxioUJAScBJ0CZSQOGQsRbllzFywkWuHD+DC5qkYwiZolWN6kmh2SSs6tEvn/Q82MKldGtIlcCiBYdmhfkRCgKm48uKmTJ9pIhQY0gAkpjRBGKBMPNW1OUoYGMqBbdqYmASFgUvaSGGBcGBKo/riSpSykMKBwsAMKto3SaVr5w6UKT9+w4FTSkwpcIT7XCmFIIAy3NW1WwopBKZtoIQHp0txw+CefLFsG0IZmBbgCKJwIIVB0FAI5YnULiplYiBASKRQYFgIZdZoGhXVVUamCmI5JA4ZxLBdobwdCoWJqQQoB5ZpYwMmBsoIBUuhykGFLezqv8x/c3NpmqZp2v9MnQRQ4YfnLw/RUN+ZzZs306tXL3Jzc1n6+ec0bNSQHTt20KtXL/r27cuKFSvYuXMnUkpuG3YrGRkZ7Nu3j2XLljFw4EBWrVqF1+vl7rvvZtu2bXz11VcMHTqUbt26IaUkMzOT5ORkLrvsMqQATAtTwYeL1vDzwSICgSq6XdCca4f246vPv2PjzqOUllTRt2Ua144egMOhQjVKUmIh8BcG+OzjDRw8mUtMVQV/vud6ktOT+WL5Tr7beoh4l0HvC5rQ68rOvJ25nj6DOnFhiwbYtmT9V7v46eAxUhPrcWzvfv488RbSMhI4lldIRlo8y1bs5uChQqyqMm4ZcjH1WjUChxOCAUzTpLQ8wLpvtpORnIy3pIwfv9/H9cP7Yztt1n68iYx29ehzxYUoh5P8rCK2bDmIr6SY8y9oQbse7cAU+Iuq+G7tTmTQR8s26TiTY0hr3hiFjRObrC1H2LFhOxcN6kZ6m1Qqiyx+/vEgTds2Yvf3h+jzp05IJflpQxbeonK69DuH+k0a4DYsnCpAWX4Ze37YRbM2zUjv0ASQ+Isq2f/zSfwBP207tiClUTwBn+L4oeOkNUjjyL6DtO7aDtNjRvrBWQIKj5WTl51HalwSDdo3wjRABATHjxdQmFtCi1ZpxNbzYEgDWVZBpdciITmB44eP06BRKrFJMeRn5WMri4at0sHpOLsBAJqmaZp2FuqsCS8cPAUCAT755GPeeOMNXnrpJZRSlJSU8Nb8t5gxYwa5ubns3buX+fPn8+2333L33XeTlpbG7bffTkFBAdu3b+ef//wnCxcuJCkpiQ8//JAHHniAPXv2IKVk3LhxVFRUoJRixYoVbNy4ESllqC+OsMgp8TP3w/UMv2cwfYddzm6/TX5hFc+9u5lrhw3iqlsG8Nf311JcWo4SEmWAZdkY0mD6619gJCQybMRgvj0hef7Vj8ktqeL1t5Zw+7grOOeiDqw5XoavDIoDNn/q1AKhAnzw3jdkbtjHjSMHcqjC5pNth3DEmrRo3pijJ4rZ/FMOr3+4houu681x4OmX38NlC5wBkEGFbSh2Hy9k8owV/P3t7/gqr4rPT1jc+fgC3lm5jx89cYz/x+fsOVRKlQUPvvAp5Wn1KM1oxp1Pz6a0wkJagkenLCA3xYPZsS03PzSbaW+vpbDciwObrTtyeeOrHSzcXsjdT8wiaDn5YNlWbpowh8mvrWXSm2vZ8HMO06Z9xr4AbCmuYNjIaeTmlmEZBrneAA/N+ISJC7Zw5cgXWbXyRyyfyZ/v/ydrcsv5dOsJ7n5oOr6AYsnyHVxzx195ePpKhj35Lzb9tD80mACFUoqda3fx+pwlbDzpZeRDs/h65RaginffX8krC9fzxZ6j3HnvLH7afJSyyiCTnvmU0Q/NZurCjdz7zHvcfs8UVm48wv3TVzJkwius+3YPugZK0zRNq0t1FkApJREC3G4nF17Ygx49etCmTRsMw6Bjx46c26EjVw4azCvTX2bkHSOYO2cONw69keTEJG69ZRh+v59PPvmE/v37k5yczKg7RzH89tu56pqrqZdan3vGjWP8+PF4vV68Xi8Oh4MZM2bw8MMPYxhGdc8ZG1wmhcTw7GNvkHgihxEDupOQYHDXmKuxsvPYtmYrBQVVlPsCGMJCBBROw6S4vJJPv/qe3Udy+Oyzb0ltmU5Rg4ZYpsE+r4+3p7xHp5Q4hl5zAYdzvWS0aYJw2hw97GXm4m8Yf++VNPQIcnJz6Xt5T+LckkpvBbZT4EhO5LohA4gt8RL02uw6XorfoQg4JbYIYBiKbh3SyDgnnQt7tuKh0b25b2xfDhV5GTPiUp4ZdwX1mqez61gePqVo1KM1FzdPp5ktOZlbRG5RKTneSpZ8s59Lu2ZwaftGZLRM5ZzWzamXnIx0uGnXsgF/+8tV/O3JIfx0KJ+yKotrr74QI8XJdVf24P25E3A5LDbtPIydn0+My8NefxyrtxzE9oPL6eCJe4fw8fv3ceHQQbw+dxV5/gDlSc2544pOXP+nrny/p5SSiiB9Lz8fO7khF/TJYNab93Puea2QQmEriT9oM/nVpVx9+wBuH9KVXkP7s7vU4kRWJbM/Wc9/PXA1E0ZdzmVDLuXBKW/jNl2079Keo+Vwww3dmf7qRLaeFOwr8DJ16giuuPpyFi/7sa5ua03TNE0D6jCAglALitPppGnTpnTp0oUHH3ywxrB3j8eDYRiUl5eTn5cfmvJICDweD+eccw6lpaWRaQ9M0xHqJ2OamKYZ2e+XvAQulwuHwxFKXxgI5SEtxs3Ml/9MsFlL/s8zi1jxwWqwYO/a1azfe4RuAy/ClWjgMJ1IHBj4cDgEhVUW/mCQUcO6M+Hegbz89ACm3z+QJoluZk+9hy3lsQw
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T07:15:16.000Z",
|
||
|
|
"modified": "2023-04-20T07:15:16.000Z",
|
||
|
|
"first_observed": "2023-04-20T07:15:16Z",
|
||
|
|
"last_observed": "2023-04-20T07:15:16Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"file--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"attachment\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "file",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "file--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"name": "PDF containing a link to ENVYSCOUT.png",
|
||
|
|
"content_ref": "artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "artifact",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d",
|
||
|
|
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA6AAAAJJCAYAAAC0+VpPAAAABHNCSVQICAgIfAhkiAAAIABJREFUeJzs3Xd0VNXawOHftPTeewhJCBBKQu+9KYgooGJDUBQEQRSxAFIEEUFQFJDeOwrSQXqxUEIITWoKkEB6Quq08/0RGAgJilcFPn2fte66zNn77LPPnpl43tlNpSiKghBCCCGEEEII8Q9TP+wKCCGEEEIIIYT4b5AAVAghhBBCCCHEAyEBqBBCCCGEEEKIB0ICUCGEEEIIIYQQD4QEoEIIIYQQQgghHggJQIUQQgghhBBCPBASgAohhBBCCCGEeCAkABVCCCGEEEII8UBIACqEEEIIIYQQ4oHQPuwKCPGwpaenk5eX97CrIYQQQohyODo64u7u/rCrIYT4m6gURVEediWEeJh69erFggULHnY1hBBCCFGOvn37MmPGjIddDSHE30R6QIUAoqOjefvtt3F2dn7YVRHigTp//jwjRozggw8+ICoq6mFXRwghLLKyspg8efLDroYQ4m8mAagQgKenJ+3bt8fb2/thV0WIB+rQoUNotVoaNWpE27ZtH3Z1hBDCIjk5mUWLFj3saggh/mayCJEQQgghhBBCiAdCAlAhhBBCCCGEEA+EBKBCCCGEEEIIIR4ICUCFEEIIIYQQQjwQEoAKIYQQQgghhHggJAAVQgghhBBCCPFASAAqhBBCCCGEEOKBkABUCCGEEEIIIcQDIQGoEEIIIYQQQogHQgJQIYQQQgghhBAPhASgQgghhBBCCCEeCAlAhfiXuZGby5BBb/FC96f5btWKh10dIYQQQgghLCQAFeJfZvPGDeTn5dJ/0ACmfTkFs9n8sKskhBBCCCEEIAGoEP86tra2XE5KIjMjA5MEn0IIIYQQ4hEiAagQ/zKR1auj1VmRm5tL0xYtHnZ1hBBCCCGEsJAAVIj/5xRFwWw2oygKJpOJrZs2kpJ8Fa1Wy8YffuD8ubMAmM1mGY4rhBBCCCEeKu3DroAQ4s9TFIW8vDwuXjjPxfPnycrKxNnZBTd3d3JzsnmiyxPcuHGDWrVrcfrECRIuXSIlORmT2UxgUBBhYWEEBgWjs7J62LcihBBCCCH+QyQAFeL/AUVRSv3754MH2PDDOs6eOc31a9fQqNXY2NpiMBgsc0ANBgMA2dm55ORkU1hQgJWVFQa9AV9/P9q070DHzk8SEBBY6loqleqB3psQQgghhPjvkABUiEeQoigUFhZy+tRJUq9dJzsrE4PBiJWVjoLCAhbMnkWxXk9RYSE+vr7Y2dmj1xeTmZlJbk4u9vb2FOuL0emsSLh0EVs7Ozw9vVAUhbS0NM6fPUvCpUsc3LeXrs88R15eHgX5+bi5u+Pj64efv19JD6lO97CbQgghhBBC/ItIACrEI0ZRFA798jNrVq4g5shhzGYzRcXFqFUqjEYjapWK3NxcKoaF8dob/YioUgU7Wzv0Bj3JV68yd9ZMDv/6C46ODhQUFPJ6v/40btYMd3d3FAXS0lLZt3sXSxYu4PixYyTEx2MwGsCsYGNji1anw9nFhcZNm/HKq6/h5u7+sJtECCGEEEL8S0gAKsQjJC0tlTUrVzJ/9reoUJFfUICnlxeBgUGAwpXLl8nMzKRqZDWmz5mHj49PqfNDw8JJTEjg2NEj5ObmYm1lzQs9X8HNzc2Sp0JICHXq1iMsvBLD3n+PjPR0gkNCcHR0wqDXc/36Na5evUJaWiq7tm/jzbff5rGOT8jQXCGEEEII8ZdJACrEI6K4uJj5s2bx3eqV5ObmElG5Ci+90pvwiAg8PDywtram36u9yczIoEHDhqWCT0VRyMrMJDEhgdMnT+Du4Y5iMqPVadmxbSt169cnKCgYjbbkK69Sqahdtx5BwcFcuXKFbs88yxNPdSXvxg3SUq+zb/du1qxawcXUVKZP/QoPD0/qNWj4sJpGCCGEEEL8S0gAKsQjIi72GMuWLKKooJBOTz7J0OEj8PT0KtXzaFbMqNVqsnOyuX7tGleSEjl+/BhnTp3CbDbh5e1NUlICKODg6IDBYGDf7p2cPhlLRnoGgUEVqFWnLhXDwijIL8BoMKK5Wb6XlxdeXl5UDA2lTr36PN65M31efolLFy8wc9o0QsPCcffweEitI4QQQggh/g0kABXiEbFh3VpMJhMqtYrX+r2Jl5c3BoOB+EuXOBkXS25OLjdyc0EF+/fsBgU8vNwJrxRO4yav4ebuRmFhIYd+/QWDQY+9ozeXExPx9vWm34A3KSwsJCkxidOnTnPk8C/EX0rgWkoyZrOZ47HHWLJwPhVCKlKteg1cXF2pGlmNrs8+y/SpX3Hp0nniYo/Rsk3bh91MQgghhBDi/zEJQIV4BGRmpHPh/HmsdDoURcHR0YntWzaz88ft2DnYElktEl9/L7o+241lC5eQnZ1NZmY6PXu/jLvH7UWCNGoNPt4+XDp/kYRL8Wg0anx9fQGwtbUlonIE4ZXCOXrkKN+vXo3JZKJ6zRq07dAGjUrNieNH+X71SipVrkKTZs3x8vZBAUwGEydOxNGsZSs0Gs1DaiUhhBBCCPH/nQSgQjwCzGYFrVaDg6Mjqvx8Jk/4lIqhIbzc6yW8vG8Pw42sFklOdg4rli4nMCgAW1vbUuXorKyoEVWT/IICIqtVZemiJdRvUL9UHrVaTWhoKH7+/lxPSaHnq69Qt149AOo1bIC+WM+Rw4f5ftUKTp44gaurK2bFjEatfiBtIYQQQggh/r3kiVKIR4C9vT2eXl44u7hga2vDhQvnadysKd4+3qXmgBbkF5CUkETN6Jps2biFkydOkJ2dDYDJZGLzhg0kJiTi4+NNaFgY4eHhbN+2nWMxMSiKAkB6WhpbN2+hqKiY4JAQjh+LtaQBWFlb0bBxI2pG1+TE8eN4eXthb2+Hf0AgaglChRBCCCHEXyA9oEI8Amzt7KhVpx47t29Hr9fTpl07vLy9yuQ7c/o0aWmp2NrZ4uzizPer1qDWanju+R6kJCdz+NfDOLk4E3PkKMlXk7G2seVyUhKJCQkoZoXi4mKWLV6K0WDA3d2NvLwbpKelc+niRSqGhlqCXZVKRXStaCpUDCEpPpHwiEpUrVZdtmIRQgghhBB/iXRnCPGIeLxTJ0LDK5WsZJuYxJyZszl37hy7duzkRm4uVy5fZtniJahVarKzsnB0cqRewwYUFRWxZdNmNvywnrS0NPz9/HB2dkGlVuPt44mDowOXzl9k7Xffs+67tYSFhxEUHISdnR0Gg4GU5BRWLV9JZmYmKckpbNm4mTNnzjBl4hfY2tri6ORIoyZNCQ0Le9hNJIQQQggh/p+THlAhHhFOzi70fPU1jvzyM95+Pvx0YD/XUlIoLiril59/wUqnA1S4e7hz+tQ1TEYzsceO4erqio+PD2dOn6F6zRpkZWXh5+/HqZOnCAoOpLiomHoN63Nw3wE6PfkEMUdjMBgMFBYUYDKa8A/w5+L5C6xctpzLiZfR6/WYzCYqVYrAx9eXrKwcOj35lCw+JIQQQggh/jLpARXiEaHRaGjX4TEGDH6Xa8nXOH3iFOGVKpGfn09+Xh4///QzlatUJjAokPoNG5KVlUXF0DCee+F5iouLyc7Kxmwy4efvz+XLSRQVFpJ8NZlq1auRkJCAWqPG1s6Wl17piZOzM1qdjiZNm2Jvb4+7pwd7d+3BZDKi02kJ8A9g29at+PgG8P6wEYRHRDzs5hFCCCGEEP8C0gMqxCPExsYGGxsbunR7hitXLjN/zlwiq0XSum0bTsadoKi4mIDAAHb8uAO9Xs/CefNZvngJhUVFAOzY9iO7d+xCUcy4uLoRd+w4J2LjMBqNFOuL+XLSFKysrQEFKysrrK2tadKsKefPn8dkMvP4E52YOf1bThw/Sb0GDXiqe3ecnJwfbqMIIYQQQoh/DQlAhXhATp88wbjRo5g6YybuHh6/mzcqOprR4z7jwyGDyUhPY+WyFRQVFbFh3XpQFHQ6Kzy9PbG3t6e4uBgnZydQqTAajJiMRoqKiki9nopGq8be3h5rrHGzccdg0GM0mrC3s0dv0BNz9ChHDx8BFTg5ObFy2QpUqOj
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T07:19:46.000Z",
|
||
|
|
"modified": "2023-04-20T07:19:46.000Z",
|
||
|
|
"first_observed": "2023-04-20T07:19:46Z",
|
||
|
|
"last_observed": "2023-04-20T07:19:46Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"attachment\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "file",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"name": "PDF containing a link to ENVYSCOUT2.png",
|
||
|
|
"content_ref": "artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "artifact",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09",
|
||
|
|
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA2kAAAJZCAYAAAAzhX2/AAAABHNCSVQICAgIfAhkiAAAIABJREFUeJzs3XtYFOX7P/D3LiCHRUBFEAHFMCQJ9ZMiiKhcCqGZJ0QxzTOmfUwT7WuZZZmWdvn9ZHkoT1CSKYSHr4c8m1KZZ9E8KyioHAS1PKCoyP37g9/Oh2UXmJk9MOj9ui6vS5595tl7nrnnmXl2d2ZURERgjDHGGGOMMaYI6poOgDHGGGOMMcbYf/EkjTHGGGOMMcYUhCdpjDHGGGOMMaYgPEljjDHGGGOMMQXhSRpjjDHGGGOMKQhP0hhjjDHGGGNMQXiSxhhjjDHGGGMKwpM0xhhjjDHGGFMQnqQxxhhjjDHGmILwJI0xxhhjjDHGFIQnaYwxxhhjjDGmIDxJY4wxxhhjjDEF4UkaY4wxxhhjjCkIT9IYY4wxxhhjTEF4ksYYY4wxxhhjCsKTNMYYY4wxxhhTEOuaDqAqpaWlKC0thVqthlqtNvialZUVVCpVjcUm9v2JCE+fPoVKpYKVlZXBOvfv38fly5dx69YteHp6ws/Pr9L2pNQ1lpjYK9L2j7W1fopJjb2wsBDnzp2Do6MjWrduXWUMUtq+ffs2rly5gjt37qBx48Zo0aKFSXKppKQEAAzmxtOnT0FEQl9q+7YqFesa2h8qtm+o3xljjDHGWC1BCtanTx8CQI0bN6YnT57ovPbuu+8SANq2bZvF4tmxYwe9/fbb9Morr5C1tTUBoB9//FHUshEREQSA2rZtq/fa8ePHqVevXkKb2n/+/v60d+9e2XVNparYDXny5Ak1bdqUmjRporPdpMb+5MkTGj9+vE59Ly8v+vXXX/XqSmn78OHD5Ofnp1MPAL3wwgu0detWSX1TUXp6utDe9OnTdV4rLi4mJycnAkBdunQhIqLU1FS9OCr+69ixIxERrV+/ngDQ0KFDDb737du3Sa1Wk6enp1HrwBhjjDHGalat+Lg9NzcXmzZtQnR0dI3G8e2332Ljxo1wc3ODp6cnsrOzRS23cuVK/Pbbb5W+vmfPHuzcuRN9+/ZFeHg46tatiz///BMrVqxA9+7dsX//frRt21ZyXVOoLnZDVq9ejezsbHzzzTc63+hIjf3jjz/G4sWLERERgcmTJ+PatWt4//330bt3b5w4cQK+vr6y2i4oKIBarUZ8fDx8fX3h5OSEEydOYMmSJejduzf27duHjh07GtVvderUQUpKCmbPni2Ubd26FcXFxTr1mjdvjvHjxxts488//0R6ejq8vb0BAJGRkahTpw727NljsP6vv/6K0tJS9OzZ06jYGWOMMcZYDavpWWJVtN+kOTs7U0REhM5rNfFN2v79++nSpUtERDR9+nRR36QVFBRQgwYN6MMPP6z026ijR49Sbm6uXvncuXMJAMXExMiqaywxsVdUWlpKAQEB5OrqSkVFRTqvSYm9sLCQ7OzsyNvbmx4+fCiUJycnEwAaPXq07LafPn1qMPYffviBANCAAQOqXc/KaL9J69WrFwGgY8eOCa8NHDhQKNd+k1aZgoICcnV1JWdnZ7p+/bpQrv1W8+zZs3rLjBs3jgDQxo0bZcfPGGOMMcZqXq24cciwYcOwZ88eXLx4UVT9I0eOYNy4cYiIiEDv3r0xb9483L9/3+g4QkND0bx5c0nLxMfHw9PTE//+978rrdO2bVt4eHjolffr1w8AcO7cOVl1jSUm9oq2bNmCM2fOYMKECXBwcNB5TUrs27ZtQ3FxMYYMGQI7OzuhvH///nB2dsaGDRtQWloqq+3Krufq0qULAODatWvVrmd1/Pz80KZNG6SkpAAAHjx4gC1btiA2NlbU8hMmTMDNmzcxf/58eHp6CuXab8l2796tt8zu3btha2uLbt26GR0/Y4wxxhirObVikjZ8+HDY29tjyZIl1dZNTExEcHAwVq1aBbVajWvXrmHq1Klo27YtCgoKLBDtf+3YsQOrV6/GokWLRN9wo7wHDx4AANzc3ExaVwy5sX/55ZfQaDR45513RC9jKPZjx44BANq1a6dT19raGv/6179w+/ZtZGVlyWq7Mn/++ScAICAgQFTc1YmNjcXPP/8MANi0aRNKS0vRu3fvapfbtGkTUlJS0KNHD4wcOVLntcomaVevXkVGRgbCw8Oh0WhMEj9jjDHGGKsZtWKS5uzsjDfeeAM//PADHj58WGm93NxcvPPOO3B3d8e5c+ewc+dOpKen46uvvsLFixfx3nvvWSzmBw8eYNy4cRgyZAg6deokq42VK1cCAAYOHGjSutWRG/vvv/+O/fv3Y8yYMahfv77o5QzFrr3eT3s91oEDB5Cfnw8AwjdLYq4JrKpfCgsLsX37dqxfvx4ffvghxo4dCx8fH8yYMUN07FWJjY1FVlYWDh06JEy66tatW+Uyd+7cwdtvvw1nZ2csW7ZM7/UXX3wRL774Ivbt26dzV8hdu3YBAF+PxhhjjDH2DKgVkzQAePvtt/H3338LPx8z5Oeff8bDhw8xfvx44eQeACZOnAgvLy/8/PPPwjcr5jZjxgzcvn0b8+bNk7X8gQMHsGjRIvzrX/9CXFycyeqKITf2uXPnwsbGBpMnTxa9TGWxa3+eqtFosHbtWoSGhqJdu3YgIjg6OgIA7t27J6ttrUOHDqFHjx7o378/5syZg5deegn79+9HkyZNRMdflWbNmiEoKAjLli3Dtm3bRE2g33vvPeTm5uKrr76Cl5eXwTo9e/bE3bt3ceTIEaFM+80aT9IYY4wxxmq/WjNJa9u2LYKCgvDdd99VWuf48eMAgM6dO+uUW1lZISwsDI8ePcLZs2fNGqc2jq+//hqffvopGjVqJHn5a9euYcCAAXBxccG6deuqfOaV2LpPnjxBcXGxzj8iMlnsp06dwtatWzFkyBCdCXJVxMauvSbNwcEBKpVKiLuqZ5qJaTs4OBjbtm3Dzz//jKlTp+Ls2bMIDg6uNEfE9mF5sbGx+P7772FlZYVevXpVWXfv3r1ISEhA9+7dMWrUqErrVfzJIxHh119/hb+/P1544YUq34MxxhhjjClfrZmkAWXfph0+fFiYjFX0999/AwDc3d31XtOW3bp1y3wBouwhzmPGjIG/vz8mTJggeflbt24hKioKd+7cwS+//IJmzZqZpO7QoUNhb2+v82///v0mi/3LL7+ESqXC1KlTRdWvLnbtt2VFRUV4/fXXcenSJeE6taKiIp06UtvWatiwIbp3744BAwbgyy+/xPbt25Gbm4sxY8YYrC+mDyvSfnv22muvVXmt2IMHDzBmzBg4OTlh+fLlVbbZuXNn1K1bV7gV/19//YWCggL+Fo0xxhhj7BlRK56TpjVo0CBMmTIF3333ncETXhsbGwD/PYkvT1tma2tr1hgfPHiA48ePo27duvDx8RHKtXci/Ouvv+Dl5YU+ffpg8eLFOsvev38fr732GjIzM/HLL7+gffv2lb6PlLoAEBMTA39/f52yij/rkxt7VlYWUlJS0Lt3b7z00ktVxiE29qZNmwIo+0asffv2OnfVzMnJ0akjte3KhIWFoUWLFvjzzz9x7949vevHxPRhRd7e3jp3oazMRx99hMzMTKxYsaLSnzlq1alTBxEREfjll1/w4MED/qkjY4wxxtgzplZN0uzt7TF8+HAsW7bM4PU92onFlStX8Morr+i8dvnyZQCGT+xNycbGxuBt1ouLi7Fx40Y4OjoKk4GKr/fu3RvHjh1DamoqIiIiKn0PKXW1YmJiEBMTY5bY//d//xclJSX44IMPqo1DbOzaB08fPXoU/fv3F8pLSkqQnp6O+vXr60wkpbRdlZKSEgCodJJWXR/KcfjwYXzzzTeIiorC6NGjRS3Ts2dPbNiwAX/88Qd2794NJycnhIWFmTw2xhhjjDFWA2r0KW3V0D7MWvsAaSKi8+fPEwBycnLSe5j11q1bCQD17t1bp50rV66QWq0mX19fg++zevVq8vX1pVatWomOTezDrLXy8vIqfSD048eP6fXXXyeVSkUrV66ssh0pdU2lqtgLCgrI3t6+2oczE0mLXerDrKW0nZWVZbB8z549pFKpyN3
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--768398f7-2ecd-4752-b4d4-e22de7a17c9f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:26.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:26.000Z",
|
||
|
|
"description": "QUARTERRIG C2 URL",
|
||
|
|
"pattern": "[url:value = 'pateke.com/auth/login.php']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--4f3a3552-4374-4692-be62-2dac7a60ea12",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:26.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:26.000Z",
|
||
|
|
"description": "QUARTERRIG C2 URL",
|
||
|
|
"pattern": "[url:value = 'pateke.com/index.php']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--1980ede0-18fe-4e78-a433-d85419354fdf",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:26.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:26.000Z",
|
||
|
|
"description": "COBALT STRIKE Handler URL",
|
||
|
|
"pattern": "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--37294cb6-221f-4348-a3a6-ab46ed3adc83",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:26.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:26.000Z",
|
||
|
|
"description": "COBALT STRIKE Handler URL",
|
||
|
|
"pattern": "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--f99cfe00-4d03-4ed2-8112-9a89d16d9251",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:26.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:26.000Z",
|
||
|
|
"description": "QUARTERRIG C2 URL",
|
||
|
|
"pattern": "[url:value = 'sharpledge.com/login.php']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--3084badc-4ea2-4550-a683-0c6088c4b2ba",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:27.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:27.000Z",
|
||
|
|
"description": "URL to ENYVYSCOUT used to deliver QUARTERRIG",
|
||
|
|
"pattern": "[url:value = 'sylvio.com.br/form.php']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:27Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--df942350-ff5f-4008-ad1d-14cecf33fabd",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:27.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:27.000Z",
|
||
|
|
"description": "Domain used to host ENVYSCOUT",
|
||
|
|
"pattern": "[domain-name:value = 'sylvio.com.br']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:27Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"hostname\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-object",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-object--740c4b3b-f5d6-42dc-9264-c225348060f5",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-19T13:16:12.000Z",
|
||
|
|
"modified": "2023-04-19T13:16:12.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"report\"",
|
||
|
|
"misp:meta-category=\"misc\""
|
||
|
|
],
|
||
|
|
"x_misp_attributes": [
|
||
|
|
{
|
||
|
|
"type": "link",
|
||
|
|
"object_relation": "link",
|
||
|
|
"value": "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77",
|
||
|
|
"category": "External analysis",
|
||
|
|
"uuid": "4d5a0f62-4b12-4a01-93c9-f7bfd2bcf2e7"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "summary",
|
||
|
|
"value": "QUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "09ecf644-ca85-46d2-82c8-2c8071ec53dd"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "type",
|
||
|
|
"value": "Report",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "614630de-e0c1-47df-b8e3-bec6d33033f2"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "attachment",
|
||
|
|
"object_relation": "report-file",
|
||
|
|
"value": "QUARTERRIG_.pdf",
|
||
|
|
"category": "External analysis",
|
||
|
|
"uuid": "02357ebb-25a1-41d6-9d4d-13f9da6885e5",
|
||
|
|
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDE1OCAwIFIvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+L01ldGFkYXRhIDE1NTIgMCBSL1ZpZXdlclByZWZlcmVuY2VzIDE1NTMgMCBSPj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCAzNi9LaWRzWyAzIDAgUiAxNSAwIFIgMjQgMCBSIDI2IDAgUiAyNyAwIFIgMzEgMCBSIDMzIDAgUiA0MCAwIFIgNDEgMCBSIDQyIDAgUiA0NCAwIFIgNDYgMCBSIDQ3IDAgUiA0OCAwIFIgNTAgMCBSIDUxIDAgUiA1MiAwIFIgNTMgMCBSIDU0IDAgUiA1NSAwIFIgNTcgMCBSIDU4IDAgUiA1OSAwIFIgNjAgMCBSIDYzIDAgUiA2NCAwIFIgNjYgMCBSIDY3IDAgUiA2OSAwIFIgNzAgMCBSIDcyIDAgUiA3NSAwIFIgNzYgMCBSIDc4IDAgUiAxNTEgMCBSIDE1MyAwIFJdID4+DQplbmRvYmoNCjMgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgMiAwIFIvUmVzb3VyY2VzPDwvRm9udDw8L0YxIDUgMCBSL0YyIDkgMCBSL0YzIDExIDAgUi9GNCAxMyAwIFI+Pi9FeHRHU3RhdGU8PC9HUzcgNyAwIFIvR1M4IDggMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VCL0ltYWdlQy9JbWFnZUldID4+L01lZGlhQm94WyAwIDAgNTk1LjMyIDg0MS45Ml0gL0NvbnRlbnRzIDQgMCBSL0dyb3VwPDwvVHlwZS9Hcm91cC9TL1RyYW5zcGFyZW5jeS9DUy9EZXZpY2VSR0I+Pi9UYWJzL1MvU3RydWN0UGFyZW50cyAwPj4NCmVuZG9iag0KNCAwIG9iag0KPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aCAxMDYyPj4NCnN0cmVhbQ0KeJy9WEtv2zgQvgvwf+BpIRUwzeGbRVHAdbPZFhsgjb3oIehBTRTXgNdJFTeF//3OyI/KlhQ/oq4PgkkONd98M5wZsdfP55O79GbO3rzp9efz9OZbdsuue6P7hy+90eIh612m48ksnU/uZ73hj69zmvorS2+z/O1b9u79gH3vRIIL+nnvgAlmguFKMq+BB8nyrBN9fsVmnejdqBP1/gQGwIVmo7tORNKCAZPBceuYC5Y2jv5FufOhY+NHfDUbFyO/Gp13ouuYJV2ND1v+84WNPnaiM9TxqRO1gEmB5ArKmAooGwSn6UNZdnYxYKx3SYRfDD68Z6I9Ip3gXmrmrKAde0BXgMBpQCQDw4OtBSIN9/ZoILJ9IMJyfTwjqj0gSlnuArPe8uCPBqJbZ8Rax40+Gog5DYh6BogOXB2Nw7aPQ3oejsbhTsWhakEYH2pAfEoA4n8S0HE/ARNfJSDjEQ3PElDLYfH4QMPzPYh9S4ilxiMFDYj30RZOA6EZ+FraMOGZFQpujCtW83F5dFXgukinP9M8Y/1ZOl08UvWYJC5+ZFfZw32eqHj+ojpSgSeN5tocDm9vhi7Viu4SGUjp/BoQKthGON1MFNLgFQBNbm3eXloaVDizQYXEwmNLGrbErBKkDqe/daK7V2safzdapO/lcIcNrEOVde0hHGyHlMKVNAthrN1ZWtnBPdCKF371pCiRWvGA2qznOhQWWV1MaMe1L16sPLUCRhfhRhMm4ASeTmu4to3e+L+soOhuzYwmL8mKl0RQ4eBoExaEMiUDtXfW766VToehrpV1g+cO1/D1yv8aTtfrgH2kd00e+I0IifITIDaxq6pnAKyFU6NHOS1dQ/SUMyQhNIZJDAtUYbXgGmu4Bb48/kph7LAubHTKoLmRaCMGzm4aqhq1bquA/Km04c5gP6K5ckxivxYwqLDIFXme3iFo/SeldyL3efnhSt93erHlQIKeK10IKrQBPIX0rxKyBazUZh22e1OA5HbXaRRHVztjuK02ex/vJ0lXxjMqfCy9fVrWQ5x5xGLYVfGCfaXR4nWlKr4IlEZvSdkEam8NtC1zIzW31W+UCyKgIGNKj+LfPM0XbHD/Y5boeJ5h45BPSKrgj4bTbfFxliwXb7LExGyY5U/FPA5b5dPIwDEPNBiyl0/XMp8i1H1q/dGuzQpbKvycalC212bfrs0Ws46oUj84I3df0WOEYcAxbC7/bpmHAOT0BgA7PNRSsW7FqZWm08AtggFHXT0eUMy96+wXPStRyncOs7OnWwi0QBeCimGNt7oh28lSV3vI3g0V1fsPpNDTgqr5JgFV3Bb18Sw+oCfyyXR5e7Trj5dBIN3YV9ZBYFT7qOyNbq5jKaRqW7UydLdQb/3eOxdo2Qlec1+T3p+AE+2iZdup1RCNShvOwX9tHwzpDQplbmRzdHJlYW0NCmVuZG9iag0KNSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMS9CYXNlRm9udC9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgNiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyNS9XaWR0aHMgMTUyNiAwIFI+Pg0KZW5kb2JqDQo2IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREVFRStSYWpkaGFuaS1SZWd1bGFyL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDkzMC9EZXNjZW50IC0zNDYvQ2FwSGVpZ2h0IDkzMC9BdmdXaWR0aCA0NzcvTWF4V2lkdGggMjQzNi9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA0Ny9Gb250QkJveFsgLTQxNiAtMzQ2IDIwMjAgOTMwXSAvRm9udEZpbGUyIDE1MjQgMCBSPj4NCmVuZG9iag0KNyAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL2NhIDE+Pg0KZW5kb2JqDQo4IDAgb2JqDQo8PC9UeXBlL0V4dEdTdGF0ZS9CTS9Ob3JtYWwvQ0EgMT4+DQplbmRvYmoNCjkgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjIvQmFzZUZvbnQvQkNERkVFK1ZlcmRhbmEtQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTAgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAzMi9XaWR0aHMgMTUyNyAwIFI+Pg0KZW5kb2JqDQoxMCAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RGRUUrVmVyZGFuYS1Cb2xkL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDEwMDUvRGVzY2VudCAtMjA3L0NhcEhlaWdodCA3NjUvQXZnV2lkdGggNTY4L01heFdpZHRoIDIyNTcvRm9udFdlaWdodCA3MDAvWEhlaWdodCAyNTAvU3RlbVYgNTYvRm9udEJCb3hbIC01NTAgLTIwNyAxNzA3IDc2NV0gL0ZvbnRGaWxlMiAxNTI4IDAgUj4+DQplbmRvYmoNCjExIDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YzL0Jhc2VGb250L0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTIgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjEvV2lkdGhzIDE1MzIgMCBSPj4NCmVuZG9iag
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"x_misp_meta_category": "misc",
|
||
|
|
"x_misp_name": "report"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--4a911505-85c5-4496-8eb6-75cea522ed00",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T11:49:55.000Z",
|
||
|
|
"modified": "2023-04-20T11:49:55.000Z",
|
||
|
|
"name": "apt29_QUARTERRIG",
|
||
|
|
"description": "A rule that can be used to scan for QUARTERRIG",
|
||
|
|
"pattern": "rule apt29_QUARTERRIG {\r\nstrings:\r\n$str_dll_name = \\\\\"hijacker.dll\\\\\"\r\n$str_import_name = \\\\\"VCRUNTIME140.dll\\\\\"\r\n// 48 8B 15 39 6A 00 00\r\nmov\r\nrdx, cs:api_stuff.OpenThread\r\n// 48 8D 0D FA 68 00 00\r\nlea\r\nrcx, api_stuff\r\n// 8B D8\r\nmov\r\nebx, eax\r\n// E8 3F 25 00 00\r\ncall\r\nload_api_addr\r\n// 44 8B C3\r\nmov\r\nr8d, ebx\r\n// 33 D2\r\nxor\r\nedx, edx\r\n// B9 FF FF 1F 00\r\nmov\r\necx, 1FFFFFh\r\n// FF D0\r\ncall\r\nrax\r\n$op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }\r\n// E8 A0 25 00 00\r\ncall\r\nload_api_addr\r\n// 48 8B CB\r\nmov\r\nrcx, rbx\r\n// FF D0\r\ncall\r\nrax\r\n// 83 F8 FF\r\ncmp\r\neax, 0FFFFFFFFh\r\n$op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }\r\ncondition:\r\nall of them\r\n}",
|
||
|
|
"pattern_type": "yara",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T11:49:55Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "misc"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"yara\"",
|
||
|
|
"misp:meta-category=\"misc\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
],
|
||
|
|
"x_misp_reference": "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-21T06:39:42.000Z",
|
||
|
|
"modified": "2023-04-21T06:39:42.000Z",
|
||
|
|
"description": "Virtual disc container\r\n",
|
||
|
|
"pattern": "[file:hashes.MD5 = '22adbffd1dbf3e13d036f936049a2e98' AND file:hashes.SHA1 = '52932be0bd8e381127aab9c639e6699fd1ecf268' AND file:hashes.SHA256 = 'c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1' AND file:name = 'Note.iso' AND file:size = '2624000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-21T06:39:42Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--10cee96e-441a-48ea-8585-049029d4c157",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:03:41.000Z",
|
||
|
|
"modified": "2023-04-20T12:03:41.000Z",
|
||
|
|
"description": "Legitimate executable used to load the malicious DLL",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'b1820abc3a1ce2d32af04c18f9d2bfc3' AND file:hashes.SHA1 = 'b260d80fa81885d63565773480ca1e436ab657a0' AND file:hashes.SHA256 = '6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3' AND file:name = 'Note.exe' AND file:size = '1600000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:03:41Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--204c3d9f-6da0-426d-9609-db8c99dd8f8c",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:16:48.000Z",
|
||
|
|
"modified": "2023-04-20T12:16:48.000Z",
|
||
|
|
"description": "QUARTERRIG - loader\r\n",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'db2d9d2704d320ecbd606a8720c22559' AND file:hashes.SHA1 = 'ca1ef3aeed9c0c5cfa355b6255a5ab238229a051' AND file:hashes.SHA256 = '18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '28000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:16:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--7546b1a9-3633-4f46-99e2-d27bb8db276a",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:39:31.000Z",
|
||
|
|
"modified": "2023-04-20T12:39:31.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = '166f7269c2a69d8d1294a753f9e53214' AND file:hashes.SHA1 = '02cd4148754c9337dfa2c3b0c31d9fdd064616a0' AND file:hashes.SHA256 = '3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '456000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:39:31Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--20d5700b-21da-4c3e-9425-c5b87b5f83aa",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:42:19.000Z",
|
||
|
|
"modified": "2023-04-20T12:42:19.000Z",
|
||
|
|
"description": "Virtual disc container",
|
||
|
|
"pattern": "[file:hashes.MD5 = '1609bcb75babd9a3e823811b4329b3b9' AND file:hashes.SHA1 = '86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3' AND file:hashes.SHA256 = '91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0' AND file:name = 'Invite.iso' AND file:size = '6464000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:42:19Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--f80de271-05af-4413-8087-9d553c54805e",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:46:29.000Z",
|
||
|
|
"modified": "2023-04-20T12:46:29.000Z",
|
||
|
|
"description": "Legitimate executable used to load the malicious DLL",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'd2027751280330559d1b42867e063a0f' AND file:hashes.SHA1 = '15511f1944d96b6b51291e3a68a2a1a560d95305' AND file:hashes.SHA256 = '35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0' AND file:name = 'Invite.exe' AND file:size = '5380000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:46:29Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--0d5b228d-17ff-48e1-bb83-24e34292ea06",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:47:14.000Z",
|
||
|
|
"modified": "2023-04-20T12:47:14.000Z",
|
||
|
|
"description": "QUATERRIG loader",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'bd4cbcd9161e365067d0279b63a784ac' AND file:hashes.SHA1 = 'b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386' AND file:hashes.SHA256 = '673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28' AND file:name = 'winhttp.dll' AND file:size = '32000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:47:14Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--d940713b-8e68-4bbd-9164-ed43afc83c11",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:48:40.000Z",
|
||
|
|
"modified": "2023-04-20T12:48:40.000Z",
|
||
|
|
"description": "Encrypted resource containing the second stage",
|
||
|
|
"pattern": "[file:hashes.MD5 = '8dcac7513d569ca41126987d876a9940' AND file:hashes.SHA1 = '1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5' AND file:hashes.SHA256 = '9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14' AND file:name = 'Stamp.aapp' AND file:size = '460000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:48:40Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--21b857c6-1d55-4625-9b08-56c9fdc205da",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:53:18.000Z",
|
||
|
|
"modified": "2023-04-20T12:53:18.000Z",
|
||
|
|
"description": "Virtual disc container",
|
||
|
|
"pattern": "[file:hashes.MD5 = '3aca0abdd7ec958a539705d5a4244196' AND file:hashes.SHA1 = 'bacb46d2ce5dfcaf8544125903f69f01091bc3d6' AND file:hashes.SHA256 = '10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d' AND file:name = 'Note.iso' AND file:size = '2688000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:53:18Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T12:55:16.000Z",
|
||
|
|
"modified": "2023-04-20T12:55:16.000Z",
|
||
|
|
"description": "QUATERRIG loader",
|
||
|
|
"pattern": "[file:hashes.MD5 = '9159d3c58c5d970ed25c2db9c9487d7a' AND file:hashes.SHA1 = '6382ae2061c865ddcb9337f155ae2d036e232dfe' AND file:hashes.SHA256 = 'a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '26000']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T12:55:16Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--202f9cfd-1b59-4f2d-a113-27e6822b693d",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:11:07.000Z",
|
||
|
|
"modified": "2023-04-20T13:11:07.000Z",
|
||
|
|
"description": "Encrypted resource containing the second stage",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'bc4b0bd5da76b683cc28849b1eed504d' AND file:hashes.SHA1 = 'b3ff6376baa180cff13ae76672c669cc8f45c130' AND file:hashes.SHA256 = '15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '489757']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:11:07Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--553fd38b-e053-4632-867f-377e6746a81d",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:13:51.000Z",
|
||
|
|
"modified": "2023-04-20T13:13:51.000Z",
|
||
|
|
"pattern": "[domain-name:value = 'sharpledge.com' AND domain-name:resolves_to_refs[*].value = '51.75.210.218']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:13:51Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "network"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"domain-ip\"",
|
||
|
|
"misp:meta-category=\"network\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--b0de75d1-a729-49aa-a586-1fe80813422b",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:14:14.000Z",
|
||
|
|
"modified": "2023-04-20T13:14:14.000Z",
|
||
|
|
"pattern": "[domain-name:value = 'pateke.com' AND domain-name:resolves_to_refs[*].value = '85.195.89.91']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:14:14Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "network"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"domain-ip\"",
|
||
|
|
"misp:meta-category=\"network\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--e659ce38-dba5-438c-a7c7-900052726ad8",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2023-04-20T13:14:25.000Z",
|
||
|
|
"modified": "2023-04-20T13:14:25.000Z",
|
||
|
|
"pattern": "[domain-name:value = 'gatewan.com' AND domain-name:resolves_to_refs[*].value = '91.218.183.90']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2023-04-20T13:14:25Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "network"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"domain-ip\"",
|
||
|
|
"misp:meta-category=\"network\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "relationship",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "relationship--85e69f82-19f7-4dc0-a2fb-088c6a6eac61",
|
||
|
|
"created": "2023-04-20T12:03:58.000Z",
|
||
|
|
"modified": "2023-04-20T12:03:58.000Z",
|
||
|
|
"relationship_type": "contains",
|
||
|
|
"source_ref": "indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e",
|
||
|
|
"target_ref": "indicator--10cee96e-441a-48ea-8585-049029d4c157"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "marking-definition",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
|
"definition_type": "tlp",
|
||
|
|
"name": "TLP:WHITE",
|
||
|
|
"definition": {
|
||
|
|
"tlp": "white"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|