438 lines
1 MiB
JSON
{
    "Event": {
        "analysis": "2",
        "date": "2017-08-19",
        "extends_uuid": "",
        "info": "OSINT - EngineBox Malware Supports 10+ Brazilian Banks",
        "publish_timestamp": "1503137633",
        "published": true,
        "threat_level_id": "3",
        "timestamp": "1503128009",
        "uuid": "5997e84c-58b8-4652-a5cc-7d9602de0b81",
        "Orgc": {
            "name": "CIRCL",
            "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        },
        "Tag": [
            {
                "colour": "#ffffff",
                "name": "tlp:white"
            },
            {
                "colour": "#007c97",
                "name": "veris:actor:motive=\"Financial\""
            },
            {
                "colour": "#6edb00",
                "name": "circl:topic=\"finance\""
            }
        ],
        "Attribute": [
            {
                "category": "External analysis",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "text",
                "uuid": "5997e865-cb68-4ee4-8af9-7da502de0b81",
                "value": "After receiving quite a big amount of malspam with similar messages in my honeypots this week, I decided to dedicate some time to analyze what it was about. To my surprise, after peeling multiple encoding layers protecting the malware\u2019s core (felt like peeling an onion), I could finally find a sophisticated and well-structured banker malware capable of stealing victims' credentials of at least 10 of the biggest Brazilian public and private banks and other financial institutions. Additionally, it can also steal browser, SSH and FTP locally stored credentials.\r\n\r\nThe main malware capabilities include a privilege escalation attempt using MS16\u2013032 exploitation; an HTTP proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands; and a C&C through an IRC channel. As it's being identified as a \"Generic Trojan\" by most VirusTotal (VT) engines, let's name it \"EngineBox\"\u2014 the core malware class I saw after reverse engineering it.\r\n\r\nIn today's diary, I'm going to describe the main technical aspects of EngineBox. Let's start with the flowchart in Figure 1, which illustrates the malware's behavior from the infection vector to the malicious actions. Follow the numbers in blue.",
                "Tag": [
                    {
                        "colour": "#00223b",
                        "name": "osint:source-type=\"blog-post\""
                    },
                    {
                        "colour": "#001cad",
                        "name": "estimative-language:likelihood-probability=\"very-likely\""
                    }
                ]
            },
            {
                "category": "External analysis",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e872-99a8-420d-bd26-7da502de0b81",
                "value": "https://isc.sans.edu/diary/22736",
                "Tag": [
                    {
                        "colour": "#00223b",
                        "name": "osint:source-type=\"blog-post\""
                    },
                    {
                        "colour": "#001cad",
                        "name": "estimative-language:likelihood-probability=\"very-likely\""
                    }
                ]
            },
            {
                "category": "External analysis",
                "comment": "Overview",
                "data": "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",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "attachment",
                "uuid": "5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
                "value": "EB-Figure1.png",
                "Tag": [
                    {
                        "colour": "#00223b",
                        "name": "osint:source-type=\"blog-post\""
                    },
                    {
                        "colour": "#001cad",
                        "name": "estimative-language:likelihood-probability=\"very-likely\""
                    }
                ]
            },
            {
                "category": "Payload delivery",
                "comment": "W7.zip",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-9454-4c92-8799-60ed02de0b81",
                "value": "f9f6bc998dcb8a3f04dffcc6b81dcfc3"
            },
            {
                "category": "Payload delivery",
                "comment": "W7.dll",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-fafc-4871-984d-60ed02de0b81",
                "value": "e99d3c9d3ee9c8a8448aa3d427c04f0e"
            },
            {
                "category": "Payload delivery",
                "comment": "1508201700016067882247230289631.vbs",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-7adc-4b92-bcc6-60ed02de0b81",
                "value": "78b86206541debb3819e51b7e9c48434"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.tiff",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-81f4-4d46-93c3-60ed02de0b81",
                "value": "bb6756c97ab58fdfeecfe8c75b4bb81e"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.dll",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-8f28-4958-83b4-60ed02de0b81",
                "value": "90ce84d389eabf96b4ad2f3bb083dada"
            },
            {
                "category": "Payload delivery",
                "comment": "malware-binary.exe",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-4b80-46b5-bf97-60ed02de0b81",
                "value": "eb32c070e658937aa9fa9f3ae629b2b8"
            },
            {
                "category": "Payload delivery",
                "comment": "westeros-x.ps",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "md5",
                "uuid": "5997e93e-aa10-4c55-8f73-60ed02de0b81",
                "value": "f476db89c2f6621cc36c4a7a11e1e7a3"
            },
            {
                "category": "Network activity",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "url",
                "uuid": "5997e953-299c-4c2b-8de4-60f402de0b81",
                "value": "http://vimfvl6s.bslah3d1ajofjeatqu1qlkiurm0iyzwd.xyz/vzcD8L.php?vzcD8L=vIMfVL6sSUPORTE"
            },
            {
                "category": "Network activity",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "url",
                "uuid": "5997e954-3d74-4175-aa53-60f402de0b81",
                "value": "http://170.254.236.10/westeros/x"
            },
            {
                "category": "Payload delivery",
                "comment": "On port 443, but the connection is not over SSL",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "ip-dst|port",
                "uuid": "5997e96b-73c8-4618-8b98-7e3202de0b81",
                "value": "54.232.207.222|443"
            },
            {
                "category": "External analysis",
                "comment": "Additional references",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9a7-6f04-429d-8699-7d9c02de0b81",
                "value": "https://technet.microsoft.com/en-us/library/security/ms16-032.aspx"
            },
            {
                "category": "External analysis",
                "comment": "Additional references",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9a7-9b24-4d19-9d85-7d9c02de0b81",
                "value": "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1"
            },
            {
                "category": "External analysis",
                "comment": "Additional references",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9a7-9d7c-412c-b2bc-7d9c02de0b81",
                "value": "http://www.ilspy.net/"
            },
            {
                "category": "Payload delivery",
                "comment": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-e970-4309-8d37-7da702de0b81",
                "value": "e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a"
            },
            {
                "category": "Payload delivery",
                "comment": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-368c-427d-89d1-7da702de0b81",
                "value": "da18ecbf61875bab1e71fc13ce2c7ec7e3ebee6a"
            },
            {
                "category": "External analysis",
                "comment": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-d700-442a-a40d-7da702de0b81",
                "value": "https://www.virustotal.com/file/e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a/analysis/1503114310/"
            },
            {
                "category": "Payload delivery",
                "comment": "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-29f8-472d-b78b-7da702de0b81",
                "value": "70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce"
            },
            {
                "category": "Payload delivery",
                "comment": "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-a80c-4323-991f-7da702de0b81",
                "value": "f393d7b531cd44ce418647fe95715adc3e3c61d2"
            },
            {
                "category": "External analysis",
                "comment": "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-0cbc-4b02-a06c-7da702de0b81",
                "value": "https://www.virustotal.com/file/70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce/analysis/1503098248/"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-8408-4f50-af82-7da702de0b81",
                "value": "7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-1cac-4f1f-a95b-7da702de0b81",
                "value": "918a80d5c982ba2f3b51c92949b15b1fc8caf2e9"
            },
            {
                "category": "External analysis",
                "comment": "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-9de0-4e62-b0f7-7da702de0b81",
                "value": "https://www.virustotal.com/file/7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730/analysis/1503123304/"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-caf4-4fc1-a13f-7da702de0b81",
                "value": "9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a"
            },
            {
                "category": "Payload delivery",
                "comment": "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-c798-40df-b634-7da702de0b81",
                "value": "edac27ccb0191bd0726af39b13226f073452cde7"
            },
            {
                "category": "External analysis",
                "comment": "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-ee6c-46bd-907f-7da702de0b81",
                "value": "https://www.virustotal.com/file/9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a/analysis/1502992532/"
            },
            {
                "category": "Payload delivery",
                "comment": "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-2990-4673-98ae-7da702de0b81",
                "value": "c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57"
            },
            {
                "category": "Payload delivery",
                "comment": "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-0cd0-4d39-98e0-7da702de0b81",
                "value": "f6c940072ce82b7f58a6a86e49d57e2c9a92c154"
            },
            {
                "category": "External analysis",
                "comment": "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-ca90-4196-b336-7da702de0b81",
                "value": "https://www.virustotal.com/file/c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57/analysis/1503123770/"
            },
            {
                "category": "Payload delivery",
                "comment": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha256",
                "uuid": "5997e9c9-739c-4dba-9067-7da702de0b81",
                "value": "66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565"
            },
            {
                "category": "Payload delivery",
                "comment": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": true,
                "type": "sha1",
                "uuid": "5997e9c9-12e4-411c-ba6f-7da702de0b81",
                "value": "1812647fafd4f086614c950cfc8c6b405cfc1fac"
            },
            {
                "category": "External analysis",
                "comment": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1503128009",
                "to_ids": false,
                "type": "link",
                "uuid": "5997e9c9-d4f0-4951-b710-7da702de0b81",
                "value": "https://www.virustotal.com/file/66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565/analysis/1502994328/"
            }
        ]
    }
}
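Added example, not part of the MISP event or the ISC diary it references: a small Python consumer for a MISP event export in the shape shown above. It pulls out only the attributes flagged `to_ids` (the ones meant for detection), splits MISP composite types such as `ip-dst|port` into their parts, validates hash lengths, and cross-checks the `Xchecked via VT: <md5>` comments against the md5 attributes actually present. The embedded `SAMPLE_EVENT` is a constructed, trimmed subset of the attributes above (values copied verbatim, non-essential fields dropped); it is not a full MISP export, and the function names are this example's own.

```python
"""Parse a MISP event export into detection-ready indicator sets and
sanity-check its 'Xchecked via VT' cross-references."""
import json
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the event's attributes, trimmed to
# the fields this script needs. Not a complete MISP export.
SAMPLE_EVENT = json.loads(r'''
{"Event": {"uuid": "5997e84c-58b8-4652-a5cc-7d9602de0b81",
 "info": "OSINT - EngineBox Malware Supports 10+ Brazilian Banks",
 "Attribute": [
  {"category": "External analysis", "type": "link", "to_ids": false, "comment": "",
   "value": "https://isc.sans.edu/diary/22736"},
  {"category": "Payload delivery", "type": "md5", "to_ids": true, "comment": "W7.zip",
   "value": "f9f6bc998dcb8a3f04dffcc6b81dcfc3"},
  {"category": "Payload delivery", "type": "md5", "to_ids": true, "comment": "W7.dll",
   "value": "e99d3c9d3ee9c8a8448aa3d427c04f0e"},
  {"category": "Payload delivery", "type": "md5", "to_ids": true, "comment": "westeros-x.ps",
   "value": "f476db89c2f6621cc36c4a7a11e1e7a3"},
  {"category": "Network activity", "type": "url", "to_ids": true, "comment": "",
   "value": "http://170.254.236.10/westeros/x"},
  {"category": "Payload delivery", "type": "ip-dst|port", "to_ids": true,
   "comment": "On port 443, but the connection is not over SSL",
   "value": "54.232.207.222|443"},
  {"category": "Payload delivery", "type": "sha256", "to_ids": true,
   "comment": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
   "value": "e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a"},
  {"category": "Payload delivery", "type": "sha1", "to_ids": true,
   "comment": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
   "value": "da18ecbf61875bab1e71fc13ce2c7ec7e3ebee6a"},
  {"category": "Payload delivery", "type": "sha256", "to_ids": true,
   "comment": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
   "value": "66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565"}
 ]}}
''')

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
XCHECK_RE = re.compile(r"Xchecked via VT: ([0-9a-fA-F]{32})")


def _norm(atype, value):
    """Hashes are compared case-insensitively; everything else is kept verbatim."""
    return value.lower() if atype in HASH_LEN else value


def ids_indicators(event):
    """Return {type: set(values)} for attributes flagged to_ids and not deleted.
    Composite types ('ip-dst|port' with value '1.2.3.4|443') are split so each
    part lands under its own type key."""
    out = defaultdict(set)
    for attr in event["Event"]["Attribute"]:
        if not attr.get("to_ids") or attr.get("deleted"):
            continue
        atype, value = attr["type"], attr["value"]
        if "|" in atype:
            for sub_type, sub_value in zip(atype.split("|"), value.split("|")):
                out[sub_type].add(_norm(sub_type, sub_value))
        else:
            out[atype].add(_norm(atype, value))
    return dict(out)


def malformed_hashes(event):
    """Hash attributes whose value is not hex of the length their type implies."""
    bad = []
    for attr in event["Event"]["Attribute"]:
        n = HASH_LEN.get(attr["type"])
        if n and not re.fullmatch(r"[0-9a-fA-F]{%d}" % n, attr["value"]):
            bad.append((attr["type"], attr["value"]))
    return bad


def crosscheck_md5(event):
    """Map each md5 cited in an 'Xchecked via VT' comment to the attribute types
    added for it; also report cited md5s missing from the event (dangling) and
    md5 attributes that were never cross-checked (unchecked)."""
    md5s = {a["value"].lower() for a in event["Event"]["Attribute"] if a["type"] == "md5"}
    seen = defaultdict(set)
    for attr in event["Event"]["Attribute"]:
        m = XCHECK_RE.search(attr.get("comment", ""))
        if m:
            seen[m.group(1).lower()].add(attr["type"])
    dangling = sorted(set(seen) - md5s)
    unchecked = sorted(md5s - set(seen))
    return dict(seen), dangling, unchecked


if __name__ == "__main__":
    for atype, values in sorted(ids_indicators(SAMPLE_EVENT).items()):
        print(atype, sorted(values))
    print("malformed:", malformed_hashes(SAMPLE_EVENT))
    print("crosscheck:", crosscheck_md5(SAMPLE_EVENT))
```

On the sample, the `link` attributes are dropped (they are `to_ids: false` references, not indicators), the `ip-dst|port` value becomes separate `ip-dst` and `port` entries, and the cross-check reports `W7.dll` (md5 `e99d3c9d...`) as the one sample without a VT cross-reference, which matches the full event above. Dropping `to_ids: false` attributes before feeding a blocklist is the point: the event mixes analyst references (VirusTotal and TechNet links) with real indicators, and only the latter belong in a sensor.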