misp-circl-feed/feeds/circl/misp/5b773e07-e694-458b-b99c-27f30a016219.json

{
"type": "bundle",
"id": "bundle--5b773e07-e694-458b-b99c-27f30a016219",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2023-05-22T21:15:47.000Z",
"modified": "2023-05-22T21:15:47.000Z",
"name": "ESET",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b773e07-e694-458b-b99c-27f30a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2023-05-22T21:15:47.000Z",
"modified": "2023-05-22T21:15:47.000Z",
"name": "Turla Outlook White Paper",
"published": "2023-05-25T08:18:54Z",
"object_refs": [
"observed-data--5b773e89-9738-4bbb-90bc-2fb20a016219",
"file--5b773e89-9738-4bbb-90bc-2fb20a016219",
"observed-data--5b773e89-7e14-4280-9249-2fb20a016219",
"file--5b773e89-7e14-4280-9249-2fb20a016219",
"observed-data--5b773e89-4934-4d34-be4c-2fb20a016219",
"file--5b773e89-4934-4d34-be4c-2fb20a016219",
"observed-data--5b773e89-1e7c-48d3-a6cb-2fb20a016219",
"file--5b773e89-1e7c-48d3-a6cb-2fb20a016219",
"observed-data--5b773eed-662c-4150-b6ef-2fb10a016219",
"windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219",
"observed-data--5b773eed-6158-4680-941f-2fb10a016219",
"windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219",
"observed-data--5b773f0c-07c4-4a31-b191-2fb20a016219",
"windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219",
"observed-data--5b7c7085-9658-46bf-afdc-59530a016219",
"url--5b7c7085-9658-46bf-afdc-59530a016219",
"observed-data--5b854bdf-32a4-4f17-8bab-32abc0a8ab16",
"url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16",
"observed-data--5b87e307-7618-4378-ba96-4abb9f590eb0",
"file--5b87e307-7618-4378-ba96-4abb9f590eb0",
"artifact--5b87e307-7618-4378-ba96-4abb9f590eb0",
"indicator--5b83aad8-f964-4899-9743-7267d5388438",
"indicator--5b83aade-d508-4f29-9577-7267d5388438",
"indicator--5b83aae3-1b28-417a-90e4-7267d5388438",
"indicator--5b83aae8-5a50-4714-b5ba-7267d5388438",
"indicator--5b83aaee-6008-4818-a291-7267d5388438",
"indicator--5b83aaf3-23b4-4a0e-8ceb-7267d5388438",
"x-misp-attribute--5b83abb1-2524-4295-9eee-7268d5388438",
"observed-data--5b83abb1-76b4-4b70-80bd-10f2d5388438",
"url--5b83abb1-76b4-4b70-80bd-10f2d5388438",
"x-misp-attribute--5b83abb2-7e1c-4cfa-8c10-10a6d5388438",
"x-misp-attribute--5b83abb2-9420-4692-aa94-10f4d5388438",
"x-misp-attribute--5b83abb2-6450-4242-908f-7265d5388438",
"x-misp-attribute--5b83abb2-409c-4018-bfbc-7267d5388438",
"x-misp-attribute--5b83abb2-4064-4b38-b5d7-726ad5388438",
"x-misp-attribute--5b83abb2-90ec-47c7-8869-10a7d5388438",
"x-misp-attribute--5b83abb2-5c5c-411d-a011-726bd5388438",
"x-misp-attribute--5b83abb2-45e0-4bf4-8ad2-0968d5388438",
"x-misp-attribute--5b83abb3-5430-49a6-b4cb-7268d5388438",
"x-misp-attribute--5b83abb3-e5fc-480d-b4a6-10f2d5388438",
"x-misp-attribute--5b83abb3-39a4-4cb2-a08f-10a6d5388438",
"x-misp-attribute--5b83abb3-7e7c-4c8f-a29f-10f4d5388438",
"observed-data--5b8fa050-e5e8-424e-9b8d-07a7d5388438",
"url--5b8fa050-e5e8-424e-9b8d-07a7d5388438",
"x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9",
"indicator--8adddb25-84d0-4480-9221-68e2d85b6cba",
"x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd",
"indicator--46a74309-e65f-4fd7-b816-917ade7475c9",
"indicator--cba9ad80-221b-4873-af6c-3a5e678f9a3b",
"x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6",
"indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c",
"relationship--1388ce8b-ad66-4b21-bd55-64a1a2be04ef",
"relationship--537d189f-f77f-4136-84cd-2b9a9c3a3e69",
"relationship--eb40b46a-23a9-419e-adc9-80228d056eb3"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Turla Group\"",
"misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking\"",
"misp-galaxy:mitre-attack-pattern=\"Email Collection\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Object Model Hijacking - T1122\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"cert-ist:threat_targeted_sector=\"Academic and Research\"",
"cert-ist:threat_targeted_sector=\"Gov\"",
"cert-ist:threat_targeted_region=\"Western Europe\"",
"cert-ist:enriched",
"cert-ist:ioc_accuracy=\"medium\"",
"cert-ist:threat_level=\"medium\"",
"cert-ist:threat_type=\"apt\"",
"BR_CTI_Investigar"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773e89-9738-4bbb-90bc-2fb20a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-20T22:45:11.000Z",
"modified": "2018-08-20T22:45:11.000Z",
"first_observed": "2018-08-20T22:45:11Z",
"last_observed": "2018-08-20T22:45:11Z",
"number_observed": 1,
"object_refs": [
"file--5b773e89-9738-4bbb-90bc-2fb20a016219"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b773e89-9738-4bbb-90bc-2fb20a016219",
"name": "%appdata%\\Microsoft\\Windows\\scawrdot.db"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773e89-7e14-4280-9249-2fb20a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-20T22:45:02.000Z",
"modified": "2018-08-20T22:45:02.000Z",
"first_observed": "2018-08-20T22:45:02Z",
"last_observed": "2018-08-20T22:45:02Z",
"number_observed": 1,
"object_refs": [
"file--5b773e89-7e14-4280-9249-2fb20a016219"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b773e89-7e14-4280-9249-2fb20a016219",
"name": "%appdata%\\Microsoft\\Windows\\flobcsnd.dat"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773e89-4934-4d34-be4c-2fb20a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-17T21:30:49.000Z",
"modified": "2018-08-17T21:30:49.000Z",
"first_observed": "2018-08-17T21:30:49Z",
"last_observed": "2018-08-17T21:30:49Z",
"number_observed": 1,
"object_refs": [
"file--5b773e89-4934-4d34-be4c-2fb20a016219"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b773e89-4934-4d34-be4c-2fb20a016219",
"name": "mapid.tlb"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773e89-1e7c-48d3-a6cb-2fb20a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-17T21:30:49.000Z",
"modified": "2018-08-17T21:30:49.000Z",
"first_observed": "2018-08-17T21:30:49Z",
"last_observed": "2018-08-17T21:30:49Z",
"number_observed": 1,
"object_refs": [
"file--5b773e89-1e7c-48d3-a6cb-2fb20a016219"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b773e89-1e7c-48d3-a6cb-2fb20a016219",
"name": "msmime.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773eed-662c-4150-b6ef-2fb10a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-17T21:32:29.000Z",
"modified": "2018-08-17T21:32:29.000Z",
"first_observed": "2018-08-17T21:32:29Z",
"last_observed": "2018-08-17T21:32:29Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--5b773eed-662c-4150-b6ef-2fb10a016219",
"key": "HKCU\\Software\\Classes\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773eed-6158-4680-941f-2fb10a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-17T21:32:29.000Z",
"modified": "2018-08-17T21:32:29.000Z",
"first_observed": "2018-08-17T21:32:29Z",
"last_observed": "2018-08-17T21:32:29Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--5b773eed-6158-4680-941f-2fb10a016219",
"key": "HKCU\\Software\\Classes\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b773f0c-07c4-4a31-b191-2fb20a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-17T21:33:00.000Z",
"modified": "2018-08-17T21:33:00.000Z",
"first_observed": "2018-08-17T21:33:00Z",
"last_observed": "2018-08-17T21:33:00Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--5b773f0c-07c4-4a31-b191-2fb20a016219",
"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Settings\\ZonePolicy\\"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b7c7085-9658-46bf-afdc-59530a016219",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-21T20:05:25.000Z",
"modified": "2018-08-21T20:05:25.000Z",
"first_observed": "2018-08-21T20:05:25Z",
"last_observed": "2018-08-21T20:05:25Z",
"number_observed": 1,
"object_refs": [
"url--5b7c7085-9658-46bf-afdc-59530a016219"
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b7c7085-9658-46bf-afdc-59530a016219",
"value": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b854bdf-32a4-4f17-8bab-32abc0a8ab16",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-28T13:19:27.000Z",
"modified": "2018-08-28T13:19:27.000Z",
"first_observed": "2018-08-28T13:19:27Z",
"last_observed": "2018-08-28T13:19:27Z",
"number_observed": 1,
"object_refs": [
"url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b854bdf-32a4-4f17-8bab-32abc0a8ab16",
"value": "https://github.com/eset/malware-ioc/tree/master/turla"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b87e307-7618-4378-ba96-4abb9f590eb0",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:28:55.000Z",
"modified": "2018-08-30T12:28:55.000Z",
"first_observed": "2018-08-30T12:28:55Z",
"last_observed": "2018-08-30T12:28:55Z",
"number_observed": 1,
"object_refs": [
"file--5b87e307-7618-4378-ba96-4abb9f590eb0",
"artifact--5b87e307-7618-4378-ba96-4abb9f590eb0"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b87e307-7618-4378-ba96-4abb9f590eb0",
"name": "Eset-Turla-Outlook-Backdoor.pdf",
"content_ref": "artifact--5b87e307-7618-4378-ba96-4abb9f590eb0"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5b87e307-7618-4378-ba96-4abb9f590eb0",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aad8-f964-4899-9743-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:08.000Z",
"modified": "2018-08-27T07:40:08.000Z",
"description": "Merged from event 11961",
"pattern": "[rule turla_outlook_log { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"First bytes of the encrypted Turla Outlook logs\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //Log begin: [...] TVer $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} condition: $s1 at 0 }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aade-d508-4f29-9577-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:14.000Z",
"modified": "2018-08-27T07:40:14.000Z",
"description": "Merged from event 11961",
"pattern": "[rule outlook_misty1 { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detects the Turla MISTY1 implementation\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //and edi, 1FFh $o1 = {81 E7 FF 01 00 00} //shl ecx, 9 $s1 = {C1 E1 09} //xor ax, si $s2 = {66 33 C6} //shr eax, 7 $s3 = {C1 E8 07} $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} condition: $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] -500 ..@o1[i] + 500))) }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aae3-1b28-417a-90e4-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:19.000Z",
"modified": "2018-08-27T07:40:19.000Z",
"description": "Merged from event 11961",
"pattern": "[rule turla_outlook_gen { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Outlook\" ascii wide $s2 = \"Outlook Express\" ascii wide $s3 = \"Outlook watchdog\" ascii wide $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide $s5 = \"Mail Event Window\" ascii wide $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide $s9 = \"rctrl_renwnd32\" ascii wide $s10 = \"NetUIHWND\" ascii wide $s11 = \"homePostalAddress\" ascii wide $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide $s14 = \"IPM.Note\" ascii wide $s15 = \"MAPILogonEx\" ascii wide $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide $s17 = \"PowerShellRunner.dll\" ascii wide $s18 = \"cmd container\" ascii wide $s19 = \"mapid.tlb\" ascii wide nocase $s20 = \"Content-Type: F)*+\" ascii wide fullword condition: 5 of them }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aae8-5a50-4714-b5ba-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:24.000Z",
"modified": "2018-08-27T07:40:24.000Z",
"description": "Merged from event 11961",
"pattern": "[import \"pe\"rule turla_outlook_exports { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Export names of Turla Outlook Malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" condition: (pe.exports(\"install\") or pe.exports(\"Install\")) and pe.exports(\"TBP_Initialize\") and pe.exports(\"TBP_Finalize\") and pe.exports(\"TBP_GetName\") and pe.exports(\"DllRegisterServer\") and pe.exports(\"DllGetClassObject\") }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aaee-6008-4818-a291-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:30.000Z",
"modified": "2018-08-27T07:40:30.000Z",
"description": "Merged from event 11961",
"pattern": "[rule turla_outlook_filenames { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook filenames\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"mapid.tlb\" $s2 = \"msmime.dll\" $s3 = \"scawrdot.db\" condition: any of them }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b83aaf3-23b4-4a0e-8ceb-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:40:35.000Z",
"modified": "2018-08-27T07:40:35.000Z",
"description": "Merged from event 11961",
"pattern": "[rule turla_outlook_pdf { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detect PDF documents generated by Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Adobe PDF Library 9.0\" ascii wide nocase $s2 = \"Acrobat PDFMaker 9.0\" ascii wide nocase $s3 = {FF D8 FF E0 00 10 4A 46 49 46} $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} $s5 = \"W5M0MpCehiHzreSzNTczkc9d\" ascii wide nocase $s6 = \"PDF-1.4\" ascii wide nocase condition: 5 of them }]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-08-27T07:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb1-2524-4295-9eee-7268d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:45.000Z",
"modified": "2018-08-27T07:43:45.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack name",
"x_misp_type": "text",
"x_misp_value": "Turla"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b83abb1-76b4-4b70-80bd-10f2d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:45.000Z",
"modified": "2018-08-27T07:43:45.000Z",
"first_observed": "2018-08-27T07:43:45Z",
"last_observed": "2018-08-27T07:43:45Z",
"number_observed": 1,
"object_refs": [
"url--5b83abb1-76b4-4b70-80bd-10f2d5388438"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b83abb1-76b4-4b70-80bd-10f2d5388438",
"value": "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-7e1c-4cfa-8c10-10a6d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "Snake"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-9420-4692-aa94-10f4d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "Uroburos"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-6450-4242-908f-7265d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "Venomous Bear"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-409c-4018-bfbc-7267d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "KRYPTON"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-4064-4b38-b5d7-726ad5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "Waterbug"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-90ec-47c7-8869-10a7d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Attack Alias",
"x_misp_type": "comment",
"x_misp_value": "WhiteBear"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-5c5c-411d-a011-726bd5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Description",
"x_misp_type": "comment",
"x_misp_value": "These IOCs originate in a report by ESET regarding the Outlook backdoor used in attacks against European government institutions in 2016 and 2017.\r\n\r\nThe extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb2-45e0-4bf4-8ad2-0968d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:46.000Z",
"modified": "2018-08-27T07:43:46.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Cert-IST Malware Name",
"x_misp_type": "comment",
"x_misp_value": "Outlook"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb3-5430-49a6-b4cb-7268d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:47.000Z",
"modified": "2018-08-27T07:43:47.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Cert-IST Targeted Country",
"x_misp_type": "target-location",
"x_misp_value": "Germany"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb3-e5fc-480d-b4a6-10f2d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:47.000Z",
"modified": "2018-08-27T07:43:47.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Cert-IST Targeted Country",
"x_misp_type": "target-location",
"x_misp_value": "France"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb3-39a4-4cb2-a08f-10a6d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:47.000Z",
"modified": "2018-08-27T07:43:47.000Z",
"labels": [
"misp:type=\"datetime\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Cert-IST First Seen Date",
"x_misp_type": "datetime",
"x_misp_value": "2015-12-31T23:00:00+00:00"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b83abb3-7e7c-4c8f-a29f-10f4d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-27T07:43:47.000Z",
"modified": "2018-08-27T07:43:47.000Z",
"labels": [
"misp:type=\"datetime\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Cert-IST First Disclosed Date",
"x_misp_type": "datetime",
"x_misp_value": "2018-08-21T22:00:00+00:00"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b8fa050-e5e8-424e-9b8d-07a7d5388438",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-09-05T09:22:24.000Z",
"modified": "2018-09-05T09:22:24.000Z",
"first_observed": "2018-09-05T09:22:24Z",
"last_observed": "2018-09-05T09:22:24Z",
"number_observed": 1,
"object_refs": [
"url--5b8fa050-e5e8-424e-9b8d-07a7d5388438"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b8fa050-e5e8-424e-9b8d-07a7d5388438",
"value": "https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:30:11.000Z",
"modified": "2018-08-30T12:30:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/",
"category": "External analysis",
"uuid": "84e013cb-ecaf-4f21-9ee8-796886e3454a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/65",
"category": "Other",
"uuid": "31d8cb43-4506-45d0-93c0-0785a2394bbe"
},
{
"type": "text",
"object_relation": "comment",
"value": "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28222) Detection: Trojan ( 00461fd31 )\r\nK7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 )\r\nTrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17963) Detection: Win32/Turla.N\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen\r\nBitDefender (7.2) Detection: Trojan.GenericKD.1592844\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.m!c\r\nAvast (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J)\r\nEndgame (3.0.1) Detection: No detection\r\nSophos (4.98.0) Detection: Troj/Turla-F\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.27\r\nVIPRE (69182) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: No detection\r\nMcAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.H\r\nJiangmin 
(16.0.100) Detection: Backdoor/Turla.b\r\nWebroot (1.0.0.403) Detection: W32.Trojan.GenKD\r\nAvira (8.3.3.6) Detection: TR/Rogue.290816.12\r\nMAX (2017.11.15.1) Detection: malware (ai score=83)\r\nAntiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric\r\nKingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud)\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAd-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir\r\nYandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU\r\nIkarus (0.1.5.2) Detection: Trojan.SuspectCRC\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.N!tr\r\nAVG (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nPanda (4.6.4.2) Detection: Trj/Genetic.gen\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9",
"category": "Other",
"uuid": "50384da0-f70b-4e0d-96cf-653a6bfe5c6d"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-29T14:17:42",
"category": "Other",
"uuid": "78651b01-2afe-40cb-b40d-a1e929df79b0"
}
],
"x_misp_comment": "File 7009af646c6c3e6abc0af744152ca968",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8adddb25-84d0-4480-9221-68e2d85b6cba",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:30:11.000Z",
"modified": "2018-08-30T12:30:11.000Z",
"description": "Backdoor DLL",
"pattern": "[file:hashes.MD5 = '7009af646c6c3e6abc0af744152ca968' AND file:hashes.SHA1 = '8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2' AND file:hashes.SHA256 = 'e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-30T12:30:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:31:08.000Z",
"modified": "2018-08-30T12:31:08.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/",
"category": "External analysis",
"uuid": "5ca9d215-5e2a-42c3-bea4-b66b2748f54e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/65",
"category": "Other",
"uuid": "ff44d53e-022b-4782-ab44-0ac4df101a82"
},
{
"type": "text",
"object_relation": "comment",
"value": "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: RDN/Generic.com\r\nCylance (2.3.1.101) Detection: Unsafe\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28228) Detection: Trojan ( 004fb2be1 )\r\nK7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 )\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.I\r\nSymantec (1.7.0.0) Detection: Trojan.Gen.2\r\nESET-NOD32 (17964) Detection: a variant of Win32/Turla.R\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak\r\nBitDefender (7.2) Detection: Trojan.Generic.21818445\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt\r\nViRobot (2014.3.20.0) Detection: No detection\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey\r\nAd-Aware (3.0.5.370) Detection: Trojan.Generic.21818445\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.111\r\nVIPRE (69200) Detection: No detection\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: 
No detection\r\nAvira (8.3.3.6) Detection: TR/AD.Turla.ckypp\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C\r\nEndgame (3.0.1) Detection: No detection\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.4!c\r\nZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445\r\nTACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: No detection\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD)\r\nYandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.AK!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0",
"category": "Other",
"uuid": "304c97d6-a81d-4b24-87b9-3b198f39a2bb"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-30T05:52:57",
"category": "Other",
"uuid": "5adce2fa-bb3d-4a93-b348-3da8877ae372"
}
],
"x_misp_comment": "File af8889f4705145d4390ee8d581f45436",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--46a74309-e65f-4fd7-b816-917ade7475c9",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:31:08.000Z",
"modified": "2018-08-30T12:31:08.000Z",
"description": "Backdoor DLL",
"pattern": "[file:hashes.MD5 = 'af8889f4705145d4390ee8d581f45436' AND file:hashes.SHA1 = 'cf943895684c6ff8d1e922a76b71a188cfb371d7' AND file:hashes.SHA256 = '6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-30T12:31:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cba9ad80-221b-4873-af6c-3a5e678f9a3b",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:31:37.000Z",
"modified": "2018-08-30T12:31:37.000Z",
"description": "Backdoor DLL",
"pattern": "[file:hashes.SHA1 = '851dffa6cd611dc70c9a0d5b487ff00bc3853f30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-30T12:31:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:32:01.000Z",
"modified": "2018-08-30T12:32:01.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/",
"category": "External analysis",
"uuid": "18187d0c-367d-4bdd-903b-1535c3b6295c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/67",
"category": "Other",
"uuid": "c9b90b46-8d03-4899-a721-3535cdbef578"
},
{
"type": "text",
"object_relation": "comment",
"value": "Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10\r\nMicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: TrojanSpy.Agent\r\nMcAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: No detection\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28216) Detection: Trojan ( 005097051 )\r\nK7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 )\r\nArcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17962) Detection: Win32/Turla.AW\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1\r\nKaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe\r\nBitDefender (7.2) Detection: Gen:Variant.Zusy.258575\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Troj.W32.Gen.lJ0K\r\nRising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD)\r\nAd-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575\r\nEmsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B)\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575\r\nDrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438\r\nVIPRE (69176) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) 
Detection: W32/Turla.G\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: No detection\r\nAvira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nEndgame (3.0.1) Detection: malicious (high confidence)\r\nMicrosoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAhnLab-V3 (3.13.1.21616) Detection: No detection\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: TrojanSpy.Agent\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye\r\nYandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nCybereason (1.2.27) Detection: malicious.62d7c9\r\nPaloalto (1.0) Detection: generic.ml\r\nCrowdStrike (1.0) Detection: malicious_confidence_70% (D)\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45",
"category": "Other",
"uuid": "56d584fc-bfc7-424a-b4ce-d5b46c612323"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-29T09:57:38",
"category": "Other",
"uuid": "73940c69-6556-412e-915e-d7d1a07f205b"
}
],
"x_misp_comment": "File ff8c3f362d7c9b9a19cfa09b4b3cfc75",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c",
"created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f",
"created": "2018-08-30T12:32:01.000Z",
"modified": "2018-08-30T12:32:01.000Z",
"description": "Dropper",
"pattern": "[file:hashes.MD5 = 'ff8c3f362d7c9b9a19cfa09b4b3cfc75' AND file:hashes.SHA1 = 'f992abe8a67120667a01b88cd5bf11ca39d491a0' AND file:hashes.SHA256 = '881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-30T12:32:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1388ce8b-ad66-4b21-bd55-64a1a2be04ef",
"created": "2021-03-09T11:51:15.000Z",
"modified": "2021-03-09T11:51:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8adddb25-84d0-4480-9221-68e2d85b6cba",
"target_ref": "x-misp-object--dbbfc337-d1f9-462f-aca7-ddc30563ddd9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--537d189f-f77f-4136-84cd-2b9a9c3a3e69",
"created": "2021-03-09T11:51:15.000Z",
"modified": "2021-03-09T11:51:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--46a74309-e65f-4fd7-b816-917ade7475c9",
"target_ref": "x-misp-object--628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--eb40b46a-23a9-419e-adc9-80228d056eb3",
"created": "2021-03-09T11:51:15.000Z",
"modified": "2021-03-09T11:51:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--73bb4f5c-2b1c-40be-a290-1b5c585f226c",
"target_ref": "x-misp-object--1da8705f-aa50-4400-b643-5912e7beb7f6"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:AMBER",
"definition": {
"tlp": "amber"
}
}
]
}