misp-circl-feed/feeds/circl/misp/5b84012a-f9d4-4d92-abb3-344f950d210f.json

{
  "Event": {
    "analysis": "0",
    "date": "2018-05-15",
    "extends_uuid": "",
    "info": "OSINT - New Bip Dharma Ransomware Variant Released",
    "publish_timestamp": "1536238378",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1536238352",
    "uuid": "5b84012a-f9d4-4d92-abb3-344f950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "name": "misp-galaxy:ransomware=\"Dharma Ransomware\""
      },
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      },
      {
        "colour": "#2c4f00",
        "name": "malware_classification:malware-category=\"Ransomware\""
      },
      {
        "colour": "#00223b",
        "name": "osint:source-type=\"blog-post\""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1535379466",
        "to_ids": false,
        "type": "link",
        "uuid": "5b840189-c774-4f4c-83b7-5fb0950d210f",
        "value": "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1535379476",
        "to_ids": false,
        "type": "text",
        "uuid": "5b8401a0-d0e4-422e-a664-33af950d210f",
        "value": "Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered some samples to confirm that it was indeed a new Dharma variant. This new version will append the .Bip extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Dharma is typically spread by hacking into Remote Desktop Services and manually installing the ransomware.",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1536157268",
        "to_ids": true,
        "type": "email-src",
        "uuid": "5b8fe654-8db4-444c-ad10-495f950d210f",
        "value": "beamsell@qq.com"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1535379389",
        "uuid": "5b8407bd-2440-40cd-80a2-5fb0950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1535379389",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b8407bd-2e48-4d88-8dc9-5fb0950d210f",
            "value": "208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1535379390",
            "to_ids": false,
            "type": "text",
            "uuid": "5b8407be-6f3c-4b13-8fea-5fb0950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1535379566",
        "uuid": "5b84086e-d5ec-4ab2-b371-0716950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1535379566",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b84086e-6970-41d9-bfac-0716950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Info.hta"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1535379566",
            "to_ids": false,
            "type": "text",
            "uuid": "5b84086e-8e5c-4464-88a4-0716950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1535379584",
        "uuid": "5b840880-b12c-4619-be47-0716950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1535379584",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b840880-de24-4e22-90f6-0716950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\[filename.exe]"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1535379584",
            "to_ids": false,
            "type": "text",
            "uuid": "5b840880-8cc8-4ab0-9e7a-0716950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1535380188",
        "uuid": "5b840adc-296c-4705-8c8f-0716950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1535380188",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b840adc-8bbc-402b-9974-0716950d210f",
            "value": "FILES ENCRYPTED.txt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1535380188",
            "to_ids": false,
            "type": "text",
            "uuid": "5b840adc-c198-4927-a4a1-0716950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536238344",
        "uuid": "4da3496e-b9b6-48b4-9b2d-42beb59eb7ca",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "4da3496e-b9b6-48b4-9b2d-42beb59eb7ca",
            "referenced_uuid": "499803fa-d2c3-4722-8fb9-f1134171354f",
            "relationship_type": "analysed-with",
            "timestamp": "1536238355",
            "uuid": "5b912313-f4cc-4292-9e24-4a3e02de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1536238343",
            "to_ids": true,
            "type": "md5",
            "uuid": "6647a831-e205-4827-bd04-b92af2f8e3dc",
            "value": "b84e41893fa55503a84688b36556db05"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1536238345",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5778ca06-cb45-4793-9e93-531db811a383",
            "value": "94f83bfb5451383b9c7b486d05f38e1856fe62a5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1536238347",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f6a74a13-3854-4f00-85b6-0fe1d81a9b09",
            "value": "208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1536238349",
        "uuid": "499803fa-d2c3-4722-8fb9-f1134171354f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1536238350",
            "to_ids": false,
            "type": "datetime",
            "uuid": "45a6abd8-a4ca-4133-bddb-bdd48c7ac32b",
            "value": "2018-08-24T17:37:17"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1536238352",
            "to_ids": false,
            "type": "link",
            "uuid": "c55fb0f7-f9ce-4a7b-9b44-e99390947433",
            "value": "https://www.virustotal.com/file/208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7/analysis/1535132237/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1536238354",
            "to_ids": false,
            "type": "text",
            "uuid": "b4c4e081-c8bd-4467-8211-fc83b3779c3f",
            "value": "52/68"
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
			`"Event": {`
			`"analysis": "0",`
			`"date": "2018-05-15",`
			`"extends_uuid": "",`
			`"info": "OSINT - New Bip Dharma Ransomware Variant Released",`
			`"publish_timestamp": "1536238378",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1536238352",`
			`"uuid": "5b84012a-f9d4-4d92-abb3-344f950d210f",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#0088cc",`
			`"name": "misp-galaxy:ransomware=\"Dharma Ransomware\""`
			`},`
			`{`
			`"colour": "#ffffff",`
			`"name": "tlp:white"`
			`},`
			`{`
			`"colour": "#2c4f00",`
			`"name": "malware_classification:malware-category=\"Ransomware\""`
			`},`
			`{`
			`"colour": "#00223b",`
			`"name": "osint:source-type=\"blog-post\""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1535379466",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5b840189-c774-4f4c-83b7-5fb0950d210f",`
			`"value": "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/",`
			`"Tag": [`
			`{`
			`"colour": "#00223b",`
			`"name": "osint:source-type=\"blog-post\""`
			`}`
			`]`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1535379476",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5b8401a0-d0e4-422e-a664-33af950d210f",`
			`"value": "Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered some samples to confirm that it was indeed a new Dharma variant. This new version will append the .Bip extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Dharma is typically spread by hacking into Remote Desktop Services and manually installing the ransomware.",`
			`"Tag": [`
			`{`
			`"colour": "#00223b",`
			`"name": "osint:source-type=\"blog-post\""`
			`}`
			`]`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1536157268",`
			`"to_ids": true,`
			`"type": "email-src",`
			`"uuid": "5b8fe654-8db4-444c-ad10-495f950d210f",`
			`"value": "beamsell@qq.com"`
			`}`
			`],`
			`"Object": [`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1535379389",`
			`"uuid": "5b8407bd-2440-40cd-80a2-5fb0950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1535379389",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5b8407bd-2e48-4d88-8dc9-5fb0950d210f",`
			`"value": "208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1535379390",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5b8407be-6f3c-4b13-8fea-5fb0950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1535379566",`
			`"uuid": "5b84086e-d5ec-4ab2-b371-0716950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "filename",`
			`"timestamp": "1535379566",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5b84086e-6970-41d9-bfac-0716950d210f",`
			`"value": "%UserProfile%\\AppData\\Roaming\\Info.hta"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1535379566",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5b84086e-8e5c-4464-88a4-0716950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1535379584",`
			`"uuid": "5b840880-b12c-4619-be47-0716950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "filename",`
			`"timestamp": "1535379584",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5b840880-de24-4e22-90f6-0716950d210f",`
			`"value": "%UserProfile%\\AppData\\Roaming\\[filename.exe]"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1535379584",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5b840880-8cc8-4ab0-9e7a-0716950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1535380188",`
			`"uuid": "5b840adc-296c-4705-8c8f-0716950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "filename",`
			`"timestamp": "1535380188",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5b840adc-8bbc-402b-9974-0716950d210f",`
			`"value": "FILES ENCRYPTED.txt"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1535380188",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5b840adc-c198-4927-a4a1-0716950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1536238344",`
			`"uuid": "4da3496e-b9b6-48b4-9b2d-42beb59eb7ca",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "4da3496e-b9b6-48b4-9b2d-42beb59eb7ca",`
			`"referenced_uuid": "499803fa-d2c3-4722-8fb9-f1134171354f",`
			`"relationship_type": "analysed-with",`
			`"timestamp": "1536238355",`
			`"uuid": "5b912313-f4cc-4292-9e24-4a3e02de0b81"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "md5",`
			`"timestamp": "1536238343",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "6647a831-e205-4827-bd04-b92af2f8e3dc",`
			`"value": "b84e41893fa55503a84688b36556db05"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha1",`
			`"timestamp": "1536238345",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "5778ca06-cb45-4793-9e93-531db811a383",`
			`"value": "94f83bfb5451383b9c7b486d05f38e1856fe62a5"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1536238347",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "f6a74a13-3854-4f00-85b6-0fe1d81a9b09",`
			`"value": "208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "2",`
			`"timestamp": "1536238349",`
			`"uuid": "499803fa-d2c3-4722-8fb9-f1134171354f",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1536238350",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "45a6abd8-a4ca-4133-bddb-bdd48c7ac32b",`
			`"value": "2018-08-24T17:37:17"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1536238352",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "c55fb0f7-f9ce-4a7b-9b44-e99390947433",`
			`"value": "https://www.virustotal.com/file/208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7/analysis/1535132237/"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1536238354",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "b4c4e081-c8bd-4467-8211-fc83b3779c3f",`
			`"value": "52/68"`
			`}`
			`]`
			`}`
			`]`
			`}`
			`}`