{
"Event": {
"analysis": "2",
"date": "2018-05-24",
"extends_uuid": "",
"info": "Wells Fargo Phish",
"publish_timestamp": "1527259906",
"published": true,
"threat_level_id": "2",
"timestamp": "1527194901",
"uuid": "5b072226-9b38-47c4-a948-0a8d0acd0835",
"Orgc": {
"name": "Synovus Financial",
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
},
"Tag": [
{
"colour": "#00b2d9",
"name": "veris:action:social:variety=\"Phishing\""
}
],
"Attribute": [
{
"category": "Support Tool",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1527194805",
"to_ids": false,
"type": "attachment",
"uuid": "5b0722ec-95d4-4c29-8557-082c0acd0835",
"value": "WellsPhish.PNG",
"Tag": [
{
"colour": "#993700",
"name": "diamond-model:Capability"
}
]
},
{
"category": "Support Tool",
"comment": "DomainTools Pivot on Registrant Email",
"data": "ZG9tYWluLCJ3aG9pcyB1cmwiLGFkc2Vuc2UsYWxleGEsImdvb2dsZSBhbmFseXRpY3MiLHN0YXR1cywiYWRtaW4gY29udGFjdCBuYW1lIiwiYWRtaW4gY29udGFjdCBvcmciLCJhZG1pbiBjb250YWN0IHN0cmVldCIsImFkbWluIGNvbnRhY3QgY2l0eSIsImFkbWluIGNvbnRhY3Qgc3RhdGUiLCJhZG1pbiBjb250YWN0IHBvc3RhbCIsImFkbWluIGNvbnRhY3QgY291bnRyeSIsImFkbWluIGNvbnRhY3QgcGhvbmUiLCJhZG1pbiBjb250YWN0IGZheCIsImFkbWluIGNvbnRhY3QgZW1haWwgMSIsImFkbWluIGNvbnRhY3QgZW1haWwgMiIsImFkbWluIGNvbnRhY3QgZW1haWwgMyIsImJpbGxpbmcgY29udGFjdCBuYW1lIiwiYmlsbGluZyBjb250YWN0IG9yZyIsImJpbGxpbmcgY29udGFjdCBzdHJlZXQiLCJiaWxsaW5nIGNvbnRhY3QgY2l0eSIsImJpbGxpbmcgY29udGFjdCBzdGF0ZSIsImJpbGxpbmcgY29udGFjdCBwb3N0YWwiLCJiaWxsaW5nIGNvbnRhY3QgY291bnRyeSIsImJpbGxpbmcgY29udGFjdCBwaG9uZSIsImJpbGxpbmcgY29udGFjdCBmYXgiLCJiaWxsaW5nIGNvbnRhY3QgZW1haWwgMSIsImJpbGxpbmcgY29udGFjdCBlbWFpbCAyIiwiYmlsbGluZyBjb250YWN0IGVtYWlsIDMiLCJyZWdpc3RyYW50IGNvbnRhY3QgbmFtZSIsInJlZ2lzdHJhbnQgY29udGFjdCBvcmciLCJyZWdpc3RyYW50IGNvbnRhY3Qgc3RyZWV0IiwicmVnaXN0cmFudCBjb250YWN0IGNpdHkiLCJyZWdpc3RyYW50IGNvbnRhY3Qgc3RhdGUiLCJyZWdpc3RyYW50IGNvbnRhY3QgcG9zdGFsIiwicmVnaXN0cmFudCBjb250YWN0IGNvdW50cnkiLCJyZWdpc3RyYW50IGNvbnRhY3QgcGhvbmUiLCJyZWdpc3RyYW50IGNvbnRhY3QgZmF4IiwicmVnaXN0cmFudCBjb250YWN0IGVtYWlsIDEiLCJyZWdpc3RyYW50IGNvbnRhY3QgZW1haWwgMiIsInJlZ2lzdHJhbnQgY29udGFjdCBlbWFpbCAzIiwidGVjaG5pY2FsIGNvbnRhY3QgbmFtZSIsInRlY2huaWNhbCBjb250YWN0IG9yZyIsInRlY2huaWNhbCBjb250YWN0IHN0cmVldCIsInRlY2huaWNhbCBjb250YWN0IGNpdHkiLCJ0ZWNobmljYWwgY29udGFjdCBzdGF0ZSIsInRlY2huaWNhbCBjb250YWN0IHBvc3RhbCIsInRlY2huaWNhbCBjb250YWN0IGNvdW50cnkiLCJ0ZWNobmljYWwgY29udGFjdCBwaG9uZSIsInRlY2huaWNhbCBjb250YWN0IGZheCIsInRlY2huaWNhbCBjb250YWN0IGVtYWlsIDEiLCJ0ZWNobmljYWwgY29udGFjdCBlbWFpbCAyIiwidGVjaG5pY2FsIGNvbnRhY3QgZW1haWwgMyIsImNyZWF0ZSBkYXRlIiwiZXhwaXJhdGlvbiBkYXRlIiwiZW1haWwgZG9tYWluIDEiLCJlbWFpbCBkb21haW4gMiIsImVtYWlsIGRvbWFpbiAzIiwiZW1haWwgZG9tYWluIDQiLCJlbWFpbCBkb21haW4gNSIsImVtYWlsIGRvbWFpbiA2Iiwic29hIGVtYWlsIDEiLCJhZGRpdGlvbmFsIHdob2lzIGVtYWlsIDEiLCJhZGRpdGlvbmFsIHdob2lzIGVtYWlsIDIiLCJhZGRpdGlvbmFsIHdob2lzIGVtYWlsIDMiLCJ
pcCAxIC0gYWRkcmVzcyIsImlwIDEgLSBhc24gMSIsImlwIDEgLSBjb3VudHJ5X2NvZGUiLCJpcCAxIC0gaXNwIiwibXggMSAtIGhvc3QiLCJteCAxIC0gZG9tYWluIiwibXggMSAtIGlwIDEiLCJteCAxIC0gaXAgMiIsIm14IDEgLSBpcCAzIiwibXggMSAtIGlwIDQiLCJteCAxIC0gaXAgNSIsIm14IDEgLSBpcCA2IiwibXggMSAtIGlwIDciLCJteCAxIC0gaXAgOCIsIm14IDEgLSBpcCA5IiwibXggMSAtIHByaW9yaXR5IiwibXggMiAtIGhvc3QiLCJteCAyIC0gZG9tYWluIiwibXggMiAtIGlwIDEiLCJteCAyIC0gaXAgMiIsIm14IDIgLSBpcCAzIiwibXggMiAtIGlwIDQiLCJteCAyIC0gaXAgNSIsIm14IDIgLSBpcCA2IiwibXggMiAtIGlwIDciLCJteCAyIC0gaXAgOCIsIm14IDIgLSBpcCA5IiwibXggMiAtIHByaW9yaXR5IiwibXggMyAtIGhvc3QiLCJteCAzIC0gZG9tYWluIiwibXggMyAtIGlwIDEiLCJteCAzIC0gaXAgMiIsIm14IDMgLSBpcCAzIiwibXggMyAtIGlwIDQiLCJteCAzIC0gaXAgNSIsIm14IDMgLSBpcCA2IiwibXggMyAtIGlwIDciLCJteCAzIC0gaXAgOCIsIm14IDMgLSBpcCA5IiwibXggMyAtIHByaW9yaXR5IiwibXggNCAtIGhvc3QiLCJteCA0IC0gZG9tYWluIiwibXggNCAtIGlwIDEiLCJteCA0IC0gaXAgMiIsIm14IDQgLSBpcCAzIiwibXggNCAtIGlwIDQiLCJteCA0IC0gaXAgNSIsIm14IDQgLSBpcCA2IiwibXggNCAtIGlwIDciLCJteCA0IC0gaXAgOCIsIm14IDQgLSBpcCA5IiwibXggNCAtIHByaW9yaXR5IiwibXggNSAtIGhvc3QiLCJteCA1IC0gZG9tYWluIiwibXggNSAtIGlwIDEiLCJteCA1IC0gaXAgMiIsIm14IDUgLSBpcCAzIiwibXggNSAtIGlwIDQiLCJteCA1IC0gaXAgNSIsIm14IDUgLSBpcCA2IiwibXggNSAtIGlwIDciLCJteCA1IC0gaXAgOCIsIm14IDUgLSBpcCA5IiwibXggNSAtIHByaW9yaXR5IiwibXggNiAtIGhvc3QiLCJteCA2IC0gZG9tYWluIiwibXggNiAtIGlwIDEiLCJteCA2IC0gaXAgMiIsIm14IDYgLSBpcCAzIiwibXggNiAtIGlwIDQiLCJteCA2IC0gaXAgNSIsIm14IDYgLSBpcCA2IiwibXggNiAtIGlwIDciLCJteCA2IC0gaXAgOCIsIm14IDYgLSBpcCA5IiwibXggNiAtIHByaW9yaXR5IiwibXggNyAtIGhvc3QiLCJteCA3IC0gZG9tYWluIiwibXggNyAtIGlwIDEiLCJteCA3IC0gaXAgMiIsIm14IDcgLSBpcCAzIiwibXggNyAtIGlwIDQiLCJteCA3IC0gaXAgNSIsIm14IDcgLSBpcCA2IiwibXggNyAtIGlwIDciLCJteCA3IC0gaXAgOCIsIm14IDcgLSBpcCA5IiwibXggNyAtIHByaW9yaXR5Iiwic3NsIDEgLSBzdWJqZWN0Iiwic3NsIDEgLSBoYXNoIiwic3NsIDEgLSBvcmciLCJzc2wgMSAtIGVtYWlsIDEiLCJzc2wgMSAtIGVtYWlsIDIiLCJzc2wgMSAtIGVtYWlsIDMiLCJzc2wgMSAtIGVtYWlsIDQiLCJzc2wgMSAtIGVtYWlsIDUiLCJzc2wgMiAtIHN1YmplY3QiLCJzc2wgMiAtIGhhc2giLCJzc2wgMiAtIG9yZyIsInNzbCAyIC0gZW1haWwgMSIsInNzbCAyIC0gZW1haWw
gMiIsInNzbCAyIC0gZW1haWwgMyIsInNzbCAyIC0gZW1haWwgNCIsInNzbCAyIC0gZW1haWwgNSIsInNzbCAzIC
"deleted": false,
"disable_correlation": false,
"timestamp": "1527194819",
"to_ids": false,
"type": "attachment",
"uuid": "5b07230b-598c-4d5a-bc93-0e520acd0835",
"value": "iris-pe-export-2018-05-24T13_07_22-07_00.csv"
},
{
"category": "Attribution",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527194430",
"to_ids": true,
"type": "whois-registrant-email",
"uuid": "5b072323-4fb0-4c02-a5bc-2a940acd0835",
"value": "emamdouh515@gmail.com",
"Tag": [
{
"colour": "#662500",
"name": "diamond-model:Adversary"
}
]
},
{
"category": "Attribution",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527194430",
"to_ids": false,
"type": "whois-registrant-name",
"uuid": "5b072335-1ff8-4921-b7e3-27d00acd0835",
"value": "Brenda Baker",
"Tag": [
{
"colour": "#662500",
"name": "diamond-model:Adversary"
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527194852",
"to_ids": false,
"type": "comment",
"uuid": "5b0724e4-a0d8-4e45-9096-2af10acd0835",
"value": "Phishing attempt came in that contained a link that had a google redirect to a mailer site that auto downloaded an HTML file. This html file took you to a Wells Fargo copy cat site that attempts to harvest your creds. \r\n\r\nI did a pivot off of the registrant and found the malicious domains attached in the spreadsheet. \r\n\r\nFile downloaded: 05AE25-EBILLS.PDF.htm\r\nMD5: 432e313e21fa3294358bcecfdf204dbc\r\nThe malicious link in the htm file we received was: hxxp://eooosskl[.]com/pint.php\r\nhttps://www.virustotal.com/en/file/f72eb7069a84b78aa539b9987357b98ae22aa7706885d21212f655dac2bb83f0/analysis/1527187313/\r\n\r\nLink in email: hxxps://www.google[.]com/url?hl=en&q=hxxp://email.veromailer[.]com/c/eJxdkFFPwyAUhX9N-7LYAIWVPvRhs11iMs2iDz42rNytKJQG2Bb_vbRGrSY8XO75OOeETphRqPOQsK2DTo0KhtBKa4SKq7r6mrLOmrT7JSEudesvxzfowoQ9g1SprETOUbkEr8IpEZSdve7tEJzVqaoIwhwxQnFBCpxnOCsoLTYNQzVveEGbdULRFdyUrcHN6X18dKQS5QwxsYYciKAcl2U0oYAF5qdl7qJaQvjBwVXBLSHlai6qqz6E0Sf5JiG7eMBa6_27noLiFbFNQ9hds33Y71-yQ73L-mBSV7mL96B17HazVp6sk8af_3_N6OyU3A7CwBT_GtHVLrKrx7NbguFjnIEnuHkNIcBfFcyoRYAfn6X4PbZKThItSsbJJ5k4lVo&source=gmail&ust=1527269237118000&usg=AFQjCNHRTJZyy2nGQxuHiHXQ-8ouH3wcwg"
}
]
}
}