{
"Event" : {
"analysis" : "0" ,
"date" : "2022-02-15" ,
"extends_uuid" : "" ,
"info" : "Charting TA2541's Flight" ,
"publish_timestamp" : "1666778598" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1666773062" ,
"uuid" : "2af530f6-7486-4a15-aa87-248d0c0b1e9f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#440055" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"RemoteAccess\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#4bec00" ,
"local" : "0" ,
"name" : "enisa:nefarious-activity-abuse=\"remote-access-tool\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#008ba9" ,
"local" : "0" ,
"name" : "veris:asset:variety=\"S - Remote access\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00bde6" ,
"local" : "0" ,
"name" : "veris:action:misuse:vector=\"Remote access\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001739" ,
"local" : "0" ,
"name" : "ms-caro-malware-full:malware-type=\"RemoteAccess\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#5f0044" ,
"local" : "0" ,
"name" : "CERT-XLM:malicious-code=\"spyware-rat\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"TA2541\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#326300" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"phishing\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Email lure requesting information on aircraft parts." ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B A 4 A A A H 7 C A Y A A A B M u d 1 N A A A B Q m l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A K J F j Y G A S S C w o y G F h Y G D I z S s p C n J 3 U o i I j F J g f 8 b A x M D J w M G g w y C b m F x c 4 B g Q 4 A N U w g C j U c G 3 a w y M I P q y L s i s i 3 v r 331 O l d x 7 X i s 6 p e + P 1 W d M 9 S i A K y W 1 O B l I / w H i p O S C o h I G B s Y E I F u 5 v K Q A x G 4 B s k W K g I 4 C s m e A 2 O k Q 9 h o Q O w n C P g B W E x L k D G R f A b I F k j M S U 4 D s J 0 C 2 T h K S e D o S G 2 o v C H A E O / o G h / q 5E3 A q 6 a A k t a I E R D v n F 1 Q W Z a Z n l C g 4 A k M o V c E z L 1 l P R 8 H I w M i I g Q E U 3 h D V n 8 X A 4 c g o d g o h l m / F w G B x g o G B e S p C L O k F A 8 P 2 m w w M k t w I M Z U t D A z 88 Q w M 23 o L E o s S 4 Q 5 g / M Z S n G Z s B G H z F D E w s P 74 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645192014" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "62d778fa-31d2-4fce-873d-e52d520f490c" ,
"value" : "Screen Shot 2022-02-09 at 9.15.21 AM.png"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Email lure requesting ambulatory flight information." ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A r g A A A J 1 C A Y A A A A y t o N F A A A B Q m l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A K J F j Y G A S S C w o y G F h Y G D I z S s p C n J 3 U o i I j F J g f 8 b A x M D J w M G g w y C b m F x c 4 B g Q 4 A N U w g C j U c G 3 a w y M I P q y L s i s i 3 v r 331 O l d x 7 X i s 6 p e + P 1 W d M 9 S i A K y W 1 O B l I / w H i p O S C o h I G B s Y E I F u 5 v K Q A x G 4 B s k W K g I 4 C s m e A 2 O k Q 9 h o Q O w n C P g B W E x L k D G R f A b I F k j M S U 4 D s J 0 C 2 T h K S e D o S G 2 o v C H A E O / o G h / q 5E3 A q 6 a A k t a I E R D v n F 1 Q W Z a Z n l C g 4 A k M o V c E z L 1 l P R 8 H I w M i I g Q E U 3 h D V n 8 X A 4 c g o d g o h l m / F w G B x g o G B e S p C L O k F A 8 P 2 m w w M k t w I M Z U t D A z 88 Q w M 23 o L E o s S 4 Q 5 g / M Z S n G Z s B G H z F D E w s P 74 //+zLAMD+y4Ghr9F////nvv//98lQPOB5h0oBACfV2CfsbqXEQAAAFZlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA5KGAAcAAAASAAAARKACAAQAAAABAAACuKADAAQAAAABAAACdQAAAABBU0NJSQAAAFNjcmVlbnNob3TEUmxiAAAB1mlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGVsWERpbWVuc2lvbj42OTY8L2V4aWY6UGl4ZWxYRGltZW5zaW9uPgogICAgICAgICA8ZXhpZjpVc2VyQ29tbWVudD5TY3JlZW5zaG90PC9leGlmOlVzZXJDb21tZW50PgogICAgICAgICA8ZXhpZjpQaXhlbFlEaW1lbnNpb24+NjI5PC9leGlmOlBpeGVsWURpbWVuc2lvbj4KICAgICAgPC9yZGY6RGVzY3JpcHRpb24+CiAgIDwvcmRmOlJERj4KPC94OnhtcG1ldGE+Co5EJkEAAEAASURBVHgB7L33k1xXmiV20nufWd4beEfQjtvZDc2u9h+VfpBCilCEVhG72tVMT/d0s2lhy3tfWem9T51zsxIoAAUCIMFukMxHFior8+V7937Xne9857vP0uWBC0e320Gr1b7wzuDlwAIDCwwsMLDAwAI/zQLtdhuFQgGVSgWBQAAOh+O1F9SypPNbrRasVqs512KxvPb8D+GDZrOJarViyhoKhWCz2dBoNJDPF0xd/H6/ee/lsvbrqTrLJvqta+n7+vtDr/fL9XmXvyuVKtLpFDweD6LRqGnr
t/2+7FSv12nzKoLBIGRfoGv+zmZzcLvd5ufXbL+3tZXGUalUgtPpRCgUhN3u4NhqIpfLodPpGvvb7fa3vdwHc16/XiqQz+tCo15FYniM9XOaMv7yavTBmHZQkIEFBhYYWGBggfdtAQEXAcOzszOcnp4iHApjembaAL5fG1jRAp3JZHB0eAgbAcbExAQBcR6pVAqjI6MYHhnmYv1rXqZf4Nfed1caXO83Z4EX+9OveeT85pp2UOGBBQYWGFjgl24BMZrJZBLff/89Tk5OMD8/j7HxsUvZz19yXTudjmG0l5aWsLa2hoA/gHK5jI2NDQPwBfSjseivHOD+kltwUPYP3QLWD72Ag/INLDCwwMACAwv8Niwg0CcG8+nTp9jZ2YGDodTR0VETqv81WUDgVVINAduVlRUTane6nKbOx8fH8Hq9iMViv7p6/5racFCXD98CAwb3w2+jQQkHFhhY4CdaQJrGo6MjHBwcYGxsDFNTk2QEB9PfTzTre/26wG2xWIQYTYE+AV1pLMXkHjKEL41mPB5HOByGz+e7VLLQIftbq5SQyWZRqzcAqx0enx+RSARupx3Wd9HxEoS2aiUcH+xh+6yCO3duI+hz8xo/rdoCt7VaDbu7u3j8+LFha4eGhkxd9Z7qLJD77bffmv46PDyMRCJhdMuSK1yUaShnplGrIk8tZaFURgcW6izdCLG+fp8Hdup436W4sl+OmtjN3QNEpuYxnQjD8RY0mOrUatTIQJfQ7DoRDHjhdNj5XgWnR4fYP61gYXYUWV67YvXjytw4PA7bpYZUP7Co1Pr/pfbSfX6OQ/eUVEQOh+559epValV7OuqX76cyNGnzQjaNfKWGNjWsNocLfuqAY5EwbJeU++Vr/Jx/t+oVnOxt4yDTwOTcPMYTwXe+XafdQpXjqFytw+rwUibE8UYtvPpSl7aqU2teKBTh9PqpffXSEbu8Ld/5xro+7aufy/rAxfZ/uW9cdq/BDH+ZVf6C73U7bTPBWTgRSfj9dhMwEzCaLTQpErdQTO2w297ye3/Bir1wqy40cda54NiYNKFJ+u3q+cJF3vkPDdIGF4tmuwOnWxPuu03273zDv/oX2C/YJxqNJhxc5GzsF5qQ3nSYxFICQM7TsDucnMje5ltvuuqH9HmXwKmAhw8fYnl5GQsL80xKCZAhi39IhRyUhRaQ9jadTht2U/pUAUHJFKRJ1bwhZlNAd2ZmBnOzc/D6vC9IF7rtJrLJYzx4vISO1WnGfBtWhBJTuHN9Fn4morz93MN5i+OplM/hNJlHrdECcZsBXj+1sVQ3gXlJEsRSq14CWKqvwJbeF9gV0FUClkDutWvXMDk5+ULilMBGMZvEk+8fIlluEYgQzPA9TyiOK1cXMBQlSHsJJP5g2QksGgQvqbM0bPExtEGA+4Nf6H0ou2dOD/Dg2+9R947is0/uIB72Q++XSwXqqfMYGwoil82gbOtw7RojwH3xwgIvqvfOzq5JgJIjqrZWsp0+E+Mt6Yr6iFh9JSq+z0PXlROcpXOk+12/ft04U68AKX5WyqWx/P2XSLU8bA8XfP4ghm0uRMMs0V95+tS6V85nkTyrIzw8CSTe3UrtJp2s3XU8XNmGf3gBX9y/ybHj5EgiuK/msbf2FN+vHGDhzie4MjPBdePt1po3lUTyJI0DERFKHFQ7a2zo6OvVNT+o7UdGRt50Obx3gCvj1msVIv8aOwnvbzJgnUT5PgPE3lii93hCq9VAkQ1dLNfgiwwh4pf3/X57n+pbLGTpPdfg8YfowQXfoX+zszDr74SDqmZxY3pinCzDmz0hTWoV3vOY32sGhrE4OQQnJ4H3f/QAU4mZz4VyHXFOsi67lV65GANmQze6GBkdNh5+vVqiDSro2r0YjodesgEzW8t57G7twBYcwezUCJwEXz/m6LBNSwQr1UYHEYbwXnedDifWfOYM+3t7yDWsmLlyAxNR3yuMQL8MAnnNRp2TcQl51rfR5E4i7Csuj4+TXIhsCBfS
99x3+vd+X7+73TaKuRR2tvYRn17ESDxMBufN9Eu7SVBxeoJcqY7x2XkE3O99WnhfVXzH6xCgELVr4dLCuLm5YRav3d09Ax76DE1vAXu/88I7FnRwOi2gdtBiNj09bZLLBGqVGT8+Pg6Xy0XwUzGOiqQLAiECggIh2mWhD0I0N8qpbbVtGCMYjPrs2N/dwcbqEqYmRuAii9vlHCJnu2uxEpyQ5eSc1iHgbHMul5Mntt9Kdt+pXR64iGlu0MLbrNdQrdk459jJWNl5f5ET3O2AAFUg7F0O1UesrZhZJdMpm1111aIukCfGWZ/ryGay7Lubpgyyjxb9Z/fTvMVyVcgkuoPDWLgyg2LqFLtHJziOc82jI8dZHDXuNNDqgI6viwwviRRyvU3aqc2ZWnUToJNz6yJQ0WtTX9atRgavS0rS7erZosm5otu1kKigI8z3NWoMi1wtI3VyiN39E7jCLSQzMwiIQaY91U5t/ui6HZZXP4IGlx0CscvLS8Ymc3NzuHfvnpFqiNWWNv
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645193100" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "8a6753cd-78ca-47c2-bce5-28157520225a" ,
"value" : "Screen Shot 2022-02-09 at 9.16.20 AM.png"
} ,
{
"category" : "Payload delivery" ,
"comment" : "PPE themed lure used by TA2541." ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A p A A A A I Y C A Y A A A D a V t z l A A A B Q m l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A K J F j Y G A S S C w o y G F h Y G D I z S s p C n J 3 U o i I j F J g f 8 b A x M D J w M G g w y C b m F x c 4 B g Q 4 A N U w g C j U c G 3 a w y M I P q y L s i s i 3 v r 331 O l d x 7 X i s 6 p e + P 1 W d M 9 S i A K y W 1 O B l I / w H i p O S C o h I G B s Y E I F u 5 v K Q A x G 4 B s k W K g I 4 C s m e A 2 O k Q 9 h o Q O w n C P g B W E x L k D G R f A b I F k j M S U 4 D s J 0 C 2 T h K S e D o S G 2 o v C H A E O / o G h / q 5E3 A q 6 a A k t a I E R D v n F 1 Q W Z a Z n l C g 4 A k M o V c E z L 1 l P R 8 H I w M i I g Q E U 3 h D V n 8 X A 4 c g o d g o h l m / F w G B x g o G B e S p C L O k F A 8 P 2 m w w M k t w I M Z U t D A z 88 Q w M 23 o L E o s S 4 Q 5 g / M Z S n G Z s B G H z F D E w s P 74 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645194143" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "8750e8ca-860e-4233-8124-939b41750ebb" ,
"value" : "Screen Shot 2022-02-09 at 9.29.02 AM.png"
} ,
{
"category" : "External analysis" ,
"comment" : "The figure below depicts an example from a recent campaign where the PowerShell code is hosted on the paste.ee URL : https://paste[.]ee/r/01f2w/0" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B D 0 A A A J w C A Y A A A C K 4 h r w A A A B Q m l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A K J F j Y G A S S C w o y G F h Y G D I z S s p C n J 3 U o i I j F J g f 8 b A x M D J w M G g w y C b m F x c 4 B g Q 4 A N U w g C j U c G 3 a w y M I P q y L s i s i 3 v r 331 O l d x 7 X i s 6 p e + P 1 W d M 9 S i A K y W 1 O B l I / w H i p O S C o h I G B s Y E I F u 5 v K Q A x G 4 B s k W K g I 4 C s m e A 2 O k Q 9 h o Q O w n C P g B W E x L k D G R f A b I F k j M S U 4 D s J 0 C 2 T h K S e D o S G 2 o v C H A E O / o G h / q 5E3 A q 6 a A k t a I E R D v n F 1 Q W Z a Z n l C g 4 A k M o V c E z L 1 l P R 8 H I w M i I g Q E U 3 h D V n 8 X A 4 c g o d g o h l m / F w G B x g o G B e S p C L O k F A 8 P 2 m w w M k t w I M Z U t D A z 88 Q w M 23 o L E o s S 4 Q 5 g / M Z S n G Z s B G H z F D E w s P 74 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195002" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "b6776413-b39b-408c-a448-18417210dc8c" ,
"value" : "Screen Shot 2022-02-09 at 9.18.02 AM.png"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195206" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "fe0176be-c570-4f2b-b9ae-c7023ca7b71b" ,
"value" : "C:\\Users[User]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SystemFramework64Bits.vbs"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195254" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "4acf48c6-3ed1-4f94-bea7-1b6fe801b981" ,
"value" : "UserInterfaceLogin.vbs"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195254" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2c869f55-df5e-4fcc-bf17-62fc3863bb19" ,
"value" : "HandlerUpdate64Bits.vbs"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195254" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "a133c8af-bc05-4bb2-a36e-90b4af326986" ,
"value" : "WindowsCrashReportFix.vbs"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195254" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "3628809d-188b-4847-b6e0-35480e458a45" ,
"value" : "SystemHardDrive.vbs"
} ,
{
"category" : "External analysis" ,
"comment" : "Scheduled Tasks" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645195434" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e621892e-e32d-42f9-afd4-92e58d53e48c" ,
"value" : "schtasks.exe /Create /TN \"Updates\\BQVIiVtepLtz\" /XML %TEMP%\\tmp7CF8.tmp \r\n\r\nschtasks /create /sc minute /mo 1 /tn Skype /tr \"%APPDATA%\\xubntzl.txt\""
} ,
{
"category" : "External analysis" ,
"comment" : "ET Signatures" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1645707771" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8ab0b8d2-636c-42b7-849b-b0e371b5abc1" ,
"value" : "2034978 - ET POLICY Pastebin-style Service (paste .ee) in TLS SNI \r\n2034979 - ET HUNTING Powershell Request for paste .ee Page \r\n2034980 - ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded \r\n2850933 - ETPRO HUNTING Double Extension VBS Download from Google Drive \r\n2850934 - ETPRO HUNTING Double Extension PIF Download from Google Drive \r\n2850936 - ETPRO HUNTING VBS Download from Google Drive"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "5" ,
"timestamp" : "1645180773" ,
"uuid" : "e69d8cb6-b8a0-42bc-8c6c-e029f4b5ffd0" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1645180773" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "71dbce6b-e0d5-4baa-ae4d-63c408ffbd95" ,
"value" : "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1645180773" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ca132417-e0d2-4bc2-aa21-d610314a583b" ,
"value" : "Proofpoint's analysis of TA2541, a persistent cybercriminal actor that distributes various remote access trojans (RATs) targeting the aviation, aerospace, transportation, and defense industries, among others."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1645180773" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7f8396c6-e14e-4388-b8af-9a4522f0a26f" ,
"value" : "Report"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Registry key object describing a Windows registry key with value and last-modified timestamp" ,
"meta-category" : "file" ,
"name" : "registry-key" ,
"template_uuid" : "8b3228ad-6d82-4fe6-b2ae-05426308f1d5" ,
"template_version" : "4" ,
"timestamp" : "1645195323" ,
"uuid" : "b8f20704-a074-4f20-bc8a-9f11b9097cc6" ,
"Attribute" : [
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "data" ,
"timestamp" : "1645195323" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "00ad07fe-b5d0-41e7-b62f-ffa9fac457a3" ,
"value" : "C:\\Users[User]\\AppData\\Roaming\\server\\server.exe"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "key" ,
"timestamp" : "1645195323" ,
"to_ids" : true ,
"type" : "regkey" ,
"uuid" : "34824001-4c58-45e1-8dde-7bbd7a66cac8" ,
"value" : "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Registry key object describing a Windows registry key with value and last-modified timestamp" ,
"meta-category" : "file" ,
"name" : "registry-key" ,
"template_uuid" : "8b3228ad-6d82-4fe6-b2ae-05426308f1d5" ,
"template_version" : "4" ,
"timestamp" : "1645195360" ,
"uuid" : "9ae3bc26-f58a-4300-94ab-90458a50a139" ,
"Attribute" : [
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "data" ,
"timestamp" : "1645195360" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f1a38889-c0ce-4b25-b00a-58810525c282" ,
"value" : "%APPDATA%\\xubntzl.txt"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "key" ,
"timestamp" : "1645195360" ,
"to_ids" : true ,
"type" : "regkey" ,
"uuid" : "4d62a448-1413-480b-bed0-4b05596105c0" ,
"value" : "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\xubntzl"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved Throughout 2021 " ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645436952" ,
"uuid" : "5167f167-110f-4077-a9fb-241c1313b211" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645436952" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "6eb2c6ca-9207-47d9-8ce3-4a9f7d34ac42" ,
"value" : "joelthomas.linkpc.net"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in January 2022" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645437031" ,
"uuid" : "a7ab830c-17f5-4025-9117-7c9a00d43a2c" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645437031" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "0ec1d1a0-e9c4-4953-9b75-34a3c1dc5613" ,
"value" : "rick63.publicvm.com"
}
]
} ,
{
"comment" : "Revenge RAT C2 Domain \r\nObserved in March 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645536153" ,
"uuid" : "5342d9e1-7c5d-4828-a628-83921af6f5da" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645536153" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "c8974d5e-0e57-4b77-8d28-20f159042019" ,
"value" : "kimjoy.ddns.net"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in April/May 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645536219" ,
"uuid" : "58fa717d-e89b-46a4-af67-555b5edd2dd3" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645536219" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "083e66b9-0013-4941-af7f-a76ec9a2a144" ,
"value" : "h0pe.ddns.net"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in September 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645536567" ,
"uuid" : "88ad8d69-fd5c-4a63-b3ea-61e277aa6075" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645536567" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "b4a561a8-36b9-4796-af67-7cbaeaf255b2" ,
"value" : "6001dc.ddns.net"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in December 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542100" ,
"uuid" : "5539b401-b3de-4a63-8408-8931221e2eef" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542100" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "d03eb20b-bd58-4d3d-99da-605183461915" ,
"value" : "bigdips0n.publicvm.com"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in January 2022 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542126" ,
"uuid" : "628537f8-082a-4e57-a999-3ce83edf1916" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542126" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "bf012e64-d747-4f95-80c4-834fd49806d4" ,
"value" : "bodmas01.zapto.org"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in June 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542149" ,
"uuid" : "ac69b73c-cec5-4d3c-ba0f-d09d9c0f6c5a" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542149" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "235b81aa-00b3-4d3f-a93c-31140741cf93" ,
"value" : "e29rava.ddns.net"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in July 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542181" ,
"uuid" : "99e898e2-c31d-4d78-ae4f-ad89da26a73c" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542181" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "c713d189-8509-4c4e-8739-1e9c4f56f6db" ,
"value" : "akconsult.ddns.net"
}
]
} ,
{
"comment" : "StrRAT C2 Domain \r\nObserved in January 2022 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542203" ,
"uuid" : "cc6b04fc-0b4d-49f0-aa61-2567aaec8cf5" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542203" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "48583d8d-1bc4-4979-b272-99b178809912" ,
"value" : "grace5321.publicvm.com"
}
]
} ,
{
"comment" : "Imminent Monitor C2 Domain \r\nObserved in November 2021 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542228" ,
"uuid" : "4e311bed-a38f-4064-8de9-7eb32bebdacd" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542228" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "8a67e71d-9dbb-4f3a-8c5f-3c18398de083" ,
"value" : "grace5321.publicvm.com"
}
]
} ,
{
"comment" : "AsyncRAT C2 Domain \r\nObserved in January 2022 \r\n" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "9" ,
"timestamp" : "1645542248" ,
"uuid" : "1225baa7-e3e9-4d64-b0d0-140012fb4987" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1645542248" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "575e5c9a-686e-4869-88d7-428d57ed41ce" ,
"value" : "tq744.publicvm.com"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1645612354" ,
"uuid" : "9d7ba649-2b4e-4dc0-ad58-fec05509454a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1645612354" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2a8ba564-8213-403b-bf7e-a924c49f0af7" ,
"value" : "67250d5e5cb42df505b278e53ae346e7573ba60a06c3daac7ec05f853100e61c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1645612354" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "99568b0a-23da-43a9-9bee-48e1521cbd07" ,
"value" : "Aircrafts PN#_ALT PN#_Desc_&_Qty Details.vbs"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1645613409" ,
"uuid" : "c36a2697-8119-46e0-b89f-01384eb2053d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1645613409" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "a0c362d3-ebc8-4d30-a213-83b7a320a8c6" ,
"value" : "ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1645613409" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "50f28bc1-3d9c-4022-b2cd-f6d8c541edfb" ,
"value" : "charters details.pdf.vbs"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1645617913" ,
"uuid" : "8962cf89-2169-4b50-8eb5-a365e15941ba" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1645617913" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "52cd6219-c7ae-48f6-b104-192bf3beeb1d" ,
"value" : "4717ee69d28306254b1affa7efc0a50c481c3930025e75366ce93c99505ded96"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1645617913" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2b0cd042-4762-4317-8d01-cd5e3822498e" ,
"value" : "charters details.pdf.vbs"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1645619481" ,
"uuid" : "8c5391ff-1d25-46d1-9435-77bcaf4418f6" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1645619481" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6d73cda5-243b-4f52-be7f-b1bd06fc1a13" ,
"value" : "d793f37eb89310ddfc6d0337598c316db0eccda4d30e34143c768235594a169c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1645619481" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "a9bd9239-fe5b-4feb-9595-b3a65345682b" ,
"value" : "4Pax Trip Details.pdf.vbs"
}
]
}
]
}
}