misp-circl-feed/feeds/circl/misp/57608399-aa20-4d2c-b03d-4a69950d210f.json

2019 lines
86 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2016-06-14",
"extends_uuid": "",
"info": "OSINT - Mofang: A politically motivated information stealing adversary",
"publish_timestamp": "1469260595",
"published": true,
"threat_level_id": "2",
"timestamp": "1468918774",
"uuid": "57608399-aa20-4d2c-b03d-4a69950d210f",
"Orgc": {
"name": "FOXIT-CERT",
"uuid": "55f6ea5f-03c4-42c7-83bb-4984950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#006262",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "ecsirt:malicious-code=\"malware\"",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943193",
"to_ids": true,
"type": "hostname",
"uuid": "57608499-087c-41b0-84e3-4445950d210f",
"value": "video.today-nytimes.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943193",
"to_ids": true,
"type": "hostname",
"uuid": "57608499-1ddc-41b9-8ad2-43e4950d210f",
"value": "api.officeonlinetool.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943193",
"to_ids": true,
"type": "hostname",
"uuid": "57608499-69c0-4efa-94b0-4ece950d210f",
"value": "ie.update-windows-microsoft.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943193",
"to_ids": true,
"type": "hostname",
"uuid": "57608499-14e0-442e-8035-4e65950d210f",
"value": "travel.tripmans.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-fc9c-41d7-95e4-4afc950d210f",
"value": "dns.undpus.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-c8cc-42e7-bbfa-4b1d950d210f",
"value": "secure2.sophosrv.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-92cc-43ea-b582-4d34950d210f",
"value": "update.nfkllyuisyahooapis.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-5748-4ec6-99f6-4ec7950d210f",
"value": "www.go-gga.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-dbe0-4f97-8f2b-4fff950d210f",
"value": "images.defexpoindia14.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943194",
"to_ids": true,
"type": "hostname",
"uuid": "5760849a-b468-4cd7-9f26-4d39950d210f",
"value": "update.micrdsoft.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943195",
"to_ids": true,
"type": "hostname",
"uuid": "5760849b-0008-44e3-904a-4906950d210f",
"value": "support.f--secure.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943195",
"to_ids": true,
"type": "hostname",
"uuid": "5760849b-b0a0-425d-a0ca-49ec950d210f",
"value": "store.outlook-microsoft.net"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943195",
"to_ids": true,
"type": "hostname",
"uuid": "5760849b-dba0-446e-b855-40d7950d210f",
"value": "b.support.outlook-microsoft.net"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943195",
"to_ids": true,
"type": "hostname",
"uuid": "5760849b-9c20-4d7f-9c8a-4920950d210f",
"value": "logon.had-one-job.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943195",
"to_ids": true,
"type": "hostname",
"uuid": "5760849b-3e08-4fb0-b077-486e950d210f",
"value": "www.avgfree.us"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943196",
"to_ids": true,
"type": "hostname",
"uuid": "5760849c-5844-4822-b388-4e11950d210f",
"value": "mail.upgoogle.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943196",
"to_ids": true,
"type": "hostname",
"uuid": "5760849c-d3f4-488b-a5e6-47ee950d210f",
"value": "wbmail.city-library.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943196",
"to_ids": true,
"type": "hostname",
"uuid": "5760849c-43c4-4e67-a8d7-45db950d210f",
"value": "library.cpgcorp.org"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943266",
"to_ids": true,
"type": "sha256",
"uuid": "576084e2-fdd8-498d-b142-41f8950d210f",
"value": "558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943266",
"to_ids": true,
"type": "sha256",
"uuid": "576084e2-f5c4-4aee-9f0b-4629950d210f",
"value": "a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943266",
"to_ids": true,
"type": "sha256",
"uuid": "576084e2-2ff0-46c2-95e9-46ae950d210f",
"value": "2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943266",
"to_ids": true,
"type": "sha256",
"uuid": "576084e2-fe04-4c77-9bda-4de3950d210f",
"value": "2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e3-1ea8-4035-ae99-4947950d210f",
"value": "af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e3-bcd4-4a2c-9765-4c90950d210f",
"value": "e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e3-e7c4-46d1-a92d-4be3950d210f",
"value": "d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e3-d87c-46db-b60f-40a8950d210f",
"value": "0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e3-eee0-4c0d-b5ea-476f950d210f",
"value": "f71025d47105dcd674a0b9ef0c83a83854ba20cb0eb8168da36a7908d150e44f"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943267",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-ed54-41fb-aee6-4d16950d210f",
"value": "5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943268",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-6bf8-4688-97aa-47a5950d210f",
"value": "8ee3fc5ccef751e098c4e64b36e8b5c95dc48473ac83380b59d10ea32f9946f9"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943268",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-1d08-4aae-9e66-4704950d210f",
"value": "35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943268",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-59cc-411b-b6b5-41df950d210f",
"value": "36422e6ccaa50a9ecceb7fb709a9e383552732525cb579f8438237d87aaf8377"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943268",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-346c-4225-8e53-4ad3950d210f",
"value": "3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943268",
"to_ids": true,
"type": "sha256",
"uuid": "576084e4-f424-424a-8fc7-48b6950d210f",
"value": "a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-15d8-48bb-8c34-4e05950d210f",
"value": "b53b27bb3e9d02e3ec5404cf3e67debb90d9337dbb570ca8b8cfce1054428466"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-8548-42ea-8d8a-43c4950d210f",
"value": "ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-ad58-49f0-83bd-4366950d210f",
"value": "2b111e287d356ac4561ba4f56135b7c1361b7da32e5825028a5e300e44b05579"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-c128-4139-a50b-4ada950d210f",
"value": "029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-1758-48c2-a388-4762950d210f",
"value": "15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943269",
"to_ids": true,
"type": "sha256",
"uuid": "576084e5-a53c-4e0c-86ff-45e1950d210f",
"value": "33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943270",
"to_ids": true,
"type": "sha256",
"uuid": "576084e6-c3e8-48c9-a854-46bc950d210f",
"value": "eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943270",
"to_ids": true,
"type": "sha256",
"uuid": "576084e6-75f4-444b-a32d-46c7950d210f",
"value": "5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943270",
"to_ids": true,
"type": "sha256",
"uuid": "576084e6-d0a4-4ae3-b588-4fa2950d210f",
"value": "241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943270",
"to_ids": true,
"type": "sha256",
"uuid": "576084e6-acdc-4c09-97ff-4a36950d210f",
"value": "577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943270",
"to_ids": true,
"type": "sha256",
"uuid": "576084e6-d71c-4624-803a-4374950d210f",
"value": "d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-859c-43fd-b12b-4869950d210f",
"value": "dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-7ffc-410e-925c-4049950d210f",
"value": "23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-b3ac-4d51-a9bb-4902950d210f",
"value": "fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-29f8-47d8-9d97-4dd4950d210f",
"value": "234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-dc2c-4716-9556-4eff950d210f",
"value": "e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943271",
"to_ids": true,
"type": "sha256",
"uuid": "576084e7-9d40-4dde-b74e-4538950d210f",
"value": "2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943272",
"to_ids": true,
"type": "sha256",
"uuid": "576084e8-7c04-42d0-ab53-4ea9950d210f",
"value": "6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943272",
"to_ids": true,
"type": "sha256",
"uuid": "576084e8-f4b8-47b6-bb66-41c0950d210f",
"value": "1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943272",
"to_ids": true,
"type": "sha256",
"uuid": "576084e8-94b4-4162-9a17-4a2e950d210f",
"value": "1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943272",
"to_ids": true,
"type": "sha256",
"uuid": "576084e8-1d18-4dd0-a026-49e5950d210f",
"value": "b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943272",
"to_ids": true,
"type": "sha256",
"uuid": "576084e8-0c18-46d3-bff0-47d1950d210f",
"value": "ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943273",
"to_ids": true,
"type": "sha256",
"uuid": "576084e9-f660-478c-9961-4ca9950d210f",
"value": "0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943273",
"to_ids": true,
"type": "sha256",
"uuid": "576084e9-bf88-48ab-bb04-4b48950d210f",
"value": "722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943273",
"to_ids": true,
"type": "sha256",
"uuid": "576084e9-db04-41cf-81a3-4698950d210f",
"value": "7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1468918774",
"to_ids": true,
"type": "yara",
"uuid": "57608528-91e4-4666-b514-42ef950d210f",
"value": "rule shimrat\r\n{\r\n meta:\r\n description = \"Detects ShimRat and the ShimRat loader\"\r\n author = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\n date = \"20/11/2015\"\r\n \r\n strings:\r\n $dll = \".dll\"\r\n $dat = \".dat\"\r\n $headersig = \"QWERTYUIOPLKJHG\"\r\n $datasig = \"MNBVCXZLKJHGFDS\"\r\n $datamarker1 = \"Data$$00\"\r\n $datamarker2 = \"Data$$01%c%sData\"\r\n $cmdlineformat = \"ping localhost -n 9 /c %s > nul\"\r\n $demoproject_keyword1 = \"Demo\"\r\n $demoproject_keyword2 = \"Win32App\"\r\n $comspec = \"COMSPEC\"\r\n $shim_func1 = \"ShimMain\"\r\n $shim_func2 = \"NotifyShims\"\r\n $shim_func3 = \"GetHookAPIs\"\r\n\r\n\r\n condition:\r\n ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)\r\n}\r\n\r\nrule shimratreporter\r\n{\r\n meta:\r\n description = \"Detects ShimRatReporter\"\r\n author = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\n date = \"20/11/2015\"\r\n\r\n strings:\r\n $IpInfo = \"IP-INFO\"\r\n $NetworkInfo = \"Network-INFO\"\r\n $OsInfo = \"OS-INFO\"\r\n $ProcessInfo = \"Process-INFO\"\r\n $BrowserInfo = \"Browser-INFO\"\r\n $QueryUserInfo = \"QueryUser-INFO\"\r\n $UsersInfo = \"Users-INFO\"\r\n $SoftwareInfo = \"Software-INFO\"\r\n $AddressFormat = \"%02X-%02X-%02X-%02X-%02X-%02X\"\r\n $proxy_str = \"(from environment) = %s\"\r\n\r\n $netuserfun = \"NetUserEnum\"\r\n $networkparams = \"GetNetworkParams\"\r\n\r\n condition:\r\n all of them\r\n}"
},
{
"category": "Network activity",
"comment": "Snort signatures",
"deleted": false,
"disable_correlation": false,
"timestamp": "1468918772",
"to_ids": true,
"type": "snort",
"uuid": "57608570-b360-43b8-99cd-4833950d210f",
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (Data)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.\"; content:\"|0d0a0d0a|Data$$\"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; content:\"|0d0a0d0a|\"; pcre:\"/Data\\$\\$\\d\\d/R\"; content:\"Data\"; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001854; rev:4;)"
},
{
"category": "Internal reference",
"comment": "Mofang IOCs on Github",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943507",
"to_ids": false,
"type": "link",
"uuid": "576085d3-b7f8-4625-9080-4a2d950d210f",
"value": "https://github.com/fox-it/mofang"
},
{
"category": "Internal reference",
"comment": "Full report on Mofang group can be found here",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465943659",
"to_ids": false,
"type": "link",
"uuid": "5760866b-5714-4531-acd7-4eca950d210f",
"value": "http://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955735",
"to_ids": true,
"type": "sha1",
"uuid": "5760b597-6b90-490c-bedb-4da102de0b81",
"value": "5428d25b9ec583260c25af0d71eba364388a530e"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955735",
"to_ids": true,
"type": "md5",
"uuid": "5760b597-6ff8-4d33-be86-496b02de0b81",
"value": "b43e5988bde7bb03133eec60daaf22d5"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955735",
"to_ids": false,
"type": "link",
"uuid": "5760b597-396c-4496-b182-4c8602de0b81",
"value": "https://www.virustotal.com/file/7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f/analysis/1444933085/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955736",
"to_ids": true,
"type": "sha1",
"uuid": "5760b598-2b58-4cea-849c-4cb002de0b81",
"value": "961ad7d813f6c64aae3d999aab802f50f8d94172"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955736",
"to_ids": true,
"type": "md5",
"uuid": "5760b598-ee44-47bf-b208-49fd02de0b81",
"value": "582e4adddfd12f7d68035c3b8e2e3378"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955736",
"to_ids": false,
"type": "link",
"uuid": "5760b598-c4b0-4aa5-84f0-416802de0b81",
"value": "https://www.virustotal.com/file/722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2/analysis/1445877385/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955736",
"to_ids": true,
"type": "sha1",
"uuid": "5760b598-3a30-4f28-99c3-47f802de0b81",
"value": "8817dcb6d244676d22fa430cacd0dd6b7a1c5f24"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955736",
"to_ids": true,
"type": "md5",
"uuid": "5760b598-13fc-45eb-89db-41f002de0b81",
"value": "fb80354303a0ff748696baae3d264af4"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955737",
"to_ids": false,
"type": "link",
"uuid": "5760b599-8678-4518-8a40-4cd002de0b81",
"value": "https://www.virustotal.com/file/0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07/analysis/1433495631/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955737",
"to_ids": true,
"type": "sha1",
"uuid": "5760b599-b324-4cdf-abd8-455302de0b81",
"value": "5fc9cec7f98c26c1881f142b2ff79a6457fd642e"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955737",
"to_ids": true,
"type": "md5",
"uuid": "5760b599-c9bc-4b54-afe1-47f102de0b81",
"value": "0067bbd63db0a4f5662cdb1633d92444"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955737",
"to_ids": false,
"type": "link",
"uuid": "5760b599-385c-462a-a796-430a02de0b81",
"value": "https://www.virustotal.com/file/ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99/analysis/1433150046/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955737",
"to_ids": true,
"type": "sha1",
"uuid": "5760b599-6828-4cc4-9f11-467d02de0b81",
"value": "fb2a1294d76bbe97eb9be744d72a135fc9a6af1e"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955738",
"to_ids": true,
"type": "md5",
"uuid": "5760b59a-0764-474e-992b-4a3602de0b81",
"value": "9a6167cf7c180f15d8ae13f48d549d2e"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955738",
"to_ids": false,
"type": "link",
"uuid": "5760b59a-997c-4ff3-9cfc-411402de0b81",
"value": "https://www.virustotal.com/file/b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5/analysis/1434710549/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955738",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59a-631c-4eeb-b395-4de402de0b81",
"value": "7c9eb0815c0baff8729acdbe5ebfb74b77673c5c"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955738",
"to_ids": true,
"type": "md5",
"uuid": "5760b59a-93f0-4ab4-8c95-4d9f02de0b81",
"value": "5c00ccf456135514c591478904b146e3"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955738",
"to_ids": false,
"type": "link",
"uuid": "5760b59a-dcd4-4f3a-b654-4d7d02de0b81",
"value": "https://www.virustotal.com/file/1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2/analysis/1441743554/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955739",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59b-9418-4bc1-b2e7-40d802de0b81",
"value": "b1b303058e1e586dc2ae2939340a2c35de3c2289"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955739",
"to_ids": true,
"type": "md5",
"uuid": "5760b59b-c1a8-42a4-95fe-474702de0b81",
"value": "484c7f9e6c9233ba6ed4adb79b87ebce"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955739",
"to_ids": false,
"type": "link",
"uuid": "5760b59b-a59c-4aeb-a0ff-417302de0b81",
"value": "https://www.virustotal.com/file/1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f/analysis/1447679426/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955739",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59b-8ef0-450b-abb9-441f02de0b81",
"value": "a6105b2aef7845af8c18459442bdabb476038835"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955739",
"to_ids": true,
"type": "md5",
"uuid": "5760b59b-a220-4520-af45-4bb002de0b81",
"value": "2384febe404ef48d6585f050e3cd51a8"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955740",
"to_ids": false,
"type": "link",
"uuid": "5760b59c-326c-4dd0-8d86-4a1202de0b81",
"value": "https://www.virustotal.com/file/6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197/analysis/1425014357/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955740",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59c-ab4c-4504-a0ab-47ed02de0b81",
"value": "8576e17b70de2ba61e4acfc4ff8ff14287d1c067"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955740",
"to_ids": true,
"type": "md5",
"uuid": "5760b59c-1100-40be-ab6b-409402de0b81",
"value": "916a2a20a447b10e379543a47a60b40f"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955740",
"to_ids": false,
"type": "link",
"uuid": "5760b59c-a630-49ed-8088-425902de0b81",
"value": "https://www.virustotal.com/file/2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882/analysis/1380958163/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955740",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59c-9c5c-4e0c-807b-496402de0b81",
"value": "26b788c117a8c22b0fdd78952c7eff132ed5a990"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955741",
"to_ids": true,
"type": "md5",
"uuid": "5760b59d-a794-44e8-a281-413502de0b81",
"value": "888cac09f613db4505c4ee8d01d4291b"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955741",
"to_ids": false,
"type": "link",
"uuid": "5760b59d-e1ac-4cb2-bef6-40fd02de0b81",
"value": "https://www.virustotal.com/file/e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc/analysis/1378854272/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955741",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59d-055c-4ea1-aba0-4d6702de0b81",
"value": "25dae9e0e597df3a020326b039e93c8ffa93d252"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955741",
"to_ids": true,
"type": "md5",
"uuid": "5760b59d-5924-460e-8005-497a02de0b81",
"value": "d7a575895b07b007d0daf1f15bfb14a1"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955741",
"to_ids": false,
"type": "link",
"uuid": "5760b59d-199c-480b-8934-42c702de0b81",
"value": "https://www.virustotal.com/file/234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce/analysis/1443828297/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955742",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59e-f56c-4d22-81d1-46f402de0b81",
"value": "ee485a666c425be84585fd00062f29535bee0804"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955742",
"to_ids": true,
"type": "md5",
"uuid": "5760b59e-6050-4a3b-89f0-4e8702de0b81",
"value": "a326e2abacc72c7a050ffe36e3d3d0eb"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955742",
"to_ids": false,
"type": "link",
"uuid": "5760b59e-2630-4137-96aa-497602de0b81",
"value": "https://www.virustotal.com/file/fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723/analysis/1425101429/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955742",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59e-3980-436d-a3be-4dc202de0b81",
"value": "412cb33b9f5d09ba9f75b704619b47dd05fba426"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955742",
"to_ids": true,
"type": "md5",
"uuid": "5760b59e-01f8-4591-b8aa-46f502de0b81",
"value": "3dab6ff3719ff7fcb01080fc36fe97dc"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955743",
"to_ids": false,
"type": "link",
"uuid": "5760b59f-851c-4a2c-b677-42d702de0b81",
"value": "https://www.virustotal.com/file/23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34/analysis/1427970735/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955743",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59f-d530-40f1-b7bb-422c02de0b81",
"value": "ff646e7d832759fa24810b9723e0d6581bcbc1a1"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955743",
"to_ids": true,
"type": "md5",
"uuid": "5760b59f-a150-4d68-9418-466002de0b81",
"value": "36e057fa2020c65f2849d718f2bb90ad"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955743",
"to_ids": false,
"type": "link",
"uuid": "5760b59f-64a8-409d-ba94-493f02de0b81",
"value": "https://www.virustotal.com/file/dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb/analysis/1448490452/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955743",
"to_ids": true,
"type": "sha1",
"uuid": "5760b59f-7bd8-42ff-8d1d-42f302de0b81",
"value": "e6035ffbdc4abd0d8b6d4890f83de42ffecde1ff"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955744",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a0-4670-42ec-ae2f-459e02de0b81",
"value": "2f14d8c3d4815436f806fc1a435e29e3"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955744",
"to_ids": false,
"type": "link",
"uuid": "5760b5a0-b4e8-44da-bfc6-4d6a02de0b81",
"value": "https://www.virustotal.com/file/d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15/analysis/1427970044/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955744",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a0-ab84-4ffb-8298-47d602de0b81",
"value": "16f4a3f9485df96e25ac508d8a24e5b65fcf2fab"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955744",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a0-ecac-4c8c-a640-44ef02de0b81",
"value": "4e22e8bc3034d0df1e902413c9cfefc9"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955744",
"to_ids": false,
"type": "link",
"uuid": "5760b5a0-1a58-4f98-9421-453a02de0b81",
"value": "https://www.virustotal.com/file/577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c/analysis/1459351611/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955745",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a1-5e10-42ea-b82a-430b02de0b81",
"value": "b31cf0d74fa4db0b00518e637f95bd366a25b477"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955745",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a1-3054-4c56-bfd9-44e902de0b81",
"value": "b281a2e1457cd5ca8c85700817018902"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955745",
"to_ids": false,
"type": "link",
"uuid": "5760b5a1-8194-4e9e-b010-468202de0b81",
"value": "https://www.virustotal.com/file/241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb/analysis/1409778711/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955745",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a1-e180-4cc9-bc08-4c1502de0b81",
"value": "24b26252a0181e9a88290fa4702379eab7006682"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955745",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a1-5bdc-4760-9f42-43f202de0b81",
"value": "06cca5013175c5a1c8ff89a494e24245"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": false,
"type": "link",
"uuid": "5760b5a2-5814-40c5-b2db-446e02de0b81",
"value": "https://www.virustotal.com/file/5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3/analysis/1450293548/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a2-49e0-4eb1-8520-47c202de0b81",
"value": "20175624f9672d15aaa68a35a7ae79efeeb21ce5"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a2-c1c4-4277-8cf8-419002de0b81",
"value": "cf883d04762b868b450275017ab3ccfa"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": false,
"type": "link",
"uuid": "5760b5a2-fb28-44c1-a44b-497302de0b81",
"value": "https://www.virustotal.com/file/eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1/analysis/1402677511/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a2-b198-41eb-a137-485302de0b81",
"value": "2dee817ec73a51f4d2ac6334134a033157b8d5dc"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955746",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a3-9984-42d4-86f4-4ac002de0b81",
"value": "25e87e846bb969802e8db9b36d6cf67c"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955747",
"to_ids": false,
"type": "link",
"uuid": "5760b5a3-0bf8-4f6e-be5a-440f02de0b81",
"value": "https://www.virustotal.com/file/33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f/analysis/1392684716/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955747",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a3-1550-45c6-938a-4f5c02de0b81",
"value": "17ac65b0ae949bb846ca356b334ce3c40c36d0a5"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955747",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a3-2c8c-497c-af24-493302de0b81",
"value": "b213fe655d2c6a05f60da5b114fe481e"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955747",
"to_ids": false,
"type": "link",
"uuid": "5760b5a3-d604-4b8f-a697-415e02de0b81",
"value": "https://www.virustotal.com/file/15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc/analysis/1427976396/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955748",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a4-ba48-40d8-9b25-4ff702de0b81",
"value": "5f502ef8b45567234b42d6edbd1926665057615e"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955748",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a4-7efc-4d3e-a269-4c3702de0b81",
"value": "ca41c19366bee737fe5bc5008250976a"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955748",
"to_ids": false,
"type": "link",
"uuid": "5760b5a4-0810-4e7b-8b82-473402de0b81",
"value": "https://www.virustotal.com/file/029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e/analysis/1415618882/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955748",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a4-20c8-439e-87dd-483d02de0b81",
"value": "ee4c94151b08e0c5af5ad754dff8e86a22537cec"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955748",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a4-764c-4f51-be02-4c4002de0b81",
"value": "663e54e686842eb8f8bae2472cf01ba1"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955749",
"to_ids": false,
"type": "link",
"uuid": "5760b5a5-577c-4db3-8993-4a3d02de0b81",
"value": "https://www.virustotal.com/file/ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf/analysis/1425282070/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955749",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a5-8d5c-4ed6-926c-4e9b02de0b81",
"value": "cd9ad276b10cffd4b60c37cd441d9b720f3cfd95"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955749",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a5-e48c-4913-847c-47dd02de0b81",
"value": "5965731f2f237a12f7a4873e3e37658a"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955749",
"to_ids": false,
"type": "link",
"uuid": "5760b5a5-3c4c-4a7f-b9b0-412d02de0b81",
"value": "https://www.virustotal.com/file/a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68/analysis/1416960110/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955749",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a5-e700-4b0d-84a2-47d302de0b81",
"value": "64e3fb5a3833e0d662cfe8a85985c3fe61e36224"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955750",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a6-7d00-423b-9c42-4e3402de0b81",
"value": "a3f7895fae05fa121a4e23dd3595c366"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955750",
"to_ids": false,
"type": "link",
"uuid": "5760b5a6-0da4-40ad-b36b-426f02de0b81",
"value": "https://www.virustotal.com/file/3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d/analysis/1414573515/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955750",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a6-68a8-4f54-b382-44c702de0b81",
"value": "6c6e3e434d2f08ed7725dff646c67c96cdfb5775"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955750",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a6-c25c-40e7-970d-48d002de0b81",
"value": "f34c6239b7d70f23ce02a8d207176637"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955750",
"to_ids": false,
"type": "link",
"uuid": "5760b5a6-c52c-43e9-9341-4be102de0b81",
"value": "https://www.virustotal.com/file/35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b/analysis/1434442386/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955751",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a7-5d84-4b46-84b0-4bed02de0b81",
"value": "99fc9f54516a78926827495f167ca14682dcc9bf"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955751",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a7-7104-436c-8759-418202de0b81",
"value": "26ff9e2da06b7e90443d6190388581ab"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955751",
"to_ids": false,
"type": "link",
"uuid": "5760b5a7-0eb4-4fd4-a2a8-409b02de0b81",
"value": "https://www.virustotal.com/file/5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c/analysis/1432405782/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955751",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a7-e7a4-4fa4-b672-4e6f02de0b81",
"value": "6f61b571984dbcf9dfc2f584337bdcd3e58555b4"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955751",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a7-d38c-40e7-b154-49cc02de0b81",
"value": "b4554c52f708154e529f62ba8e0de084"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": false,
"type": "link",
"uuid": "5760b5a8-1e28-493d-aa7f-4a8a02de0b81",
"value": "https://www.virustotal.com/file/0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38/analysis/1417518524/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a8-4ef0-441b-aeb1-48c002de0b81",
"value": "bdf804fb1869ea58b04a818316cf2327d9a6b1dc"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a8-ca94-4730-94cb-460e02de0b81",
"value": "23a1a7f0f30f18ba4d0461829eb46766"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": false,
"type": "link",
"uuid": "5760b5a8-ef18-41a0-a0f9-431002de0b81",
"value": "https://www.virustotal.com/file/d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8/analysis/1415092839/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a8-4330-4da5-a0db-4e4002de0b81",
"value": "d122349b4dc611d4b3470b6ff2d23fd644491ecc"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955752",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a8-548c-4c9c-a3f2-48a802de0b81",
"value": "c27fb6999a0243f041c5e387280f9442"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955753",
"to_ids": false,
"type": "link",
"uuid": "5760b5a9-ce3c-4cfa-b12b-493002de0b81",
"value": "https://www.virustotal.com/file/e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2/analysis/1417748024/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955753",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a9-8070-4c8f-a4f8-479302de0b81",
"value": "31fb6ba509d41ef086137ba454c351eb902f8c13"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955753",
"to_ids": true,
"type": "md5",
"uuid": "5760b5a9-3cd4-4b72-af82-4fd002de0b81",
"value": "d8b95e942993b979fb82c22ea5b5ca18"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955753",
"to_ids": false,
"type": "link",
"uuid": "5760b5a9-cb60-4743-bc5a-4b5b02de0b81",
"value": "https://www.virustotal.com/file/af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d/analysis/1415327976/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955753",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5a9-1b68-4461-90fd-4cdd02de0b81",
"value": "7e33ef786015b0c0962f314f4c9c7531d451596d"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955754",
"to_ids": true,
"type": "md5",
"uuid": "5760b5aa-963c-4539-8190-42ba02de0b81",
"value": "4e493a649e2b87ef1a341809dab34a38"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955754",
"to_ids": false,
"type": "link",
"uuid": "5760b5aa-1a44-4994-8e4b-433202de0b81",
"value": "https://www.virustotal.com/file/2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf/analysis/1444915836/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955754",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5aa-7964-44b1-aca4-483102de0b81",
"value": "2927297d3dfd2fe2c18ea918fa422cd56cbb4bfd"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955754",
"to_ids": true,
"type": "md5",
"uuid": "5760b5aa-0bcc-4bad-b4c5-4ccd02de0b81",
"value": "6b126cd9a5f2af30bb048caef92ceb51"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955754",
"to_ids": false,
"type": "link",
"uuid": "5760b5aa-2c54-41d3-98c3-497d02de0b81",
"value": "https://www.virustotal.com/file/2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d/analysis/1454913570/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955755",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5ab-f0a0-4057-868c-4d5c02de0b81",
"value": "538a1bd99b2c202c0ed18571b5b30ea4004009bf"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955755",
"to_ids": true,
"type": "md5",
"uuid": "5760b5ab-22a0-4197-9129-4c2202de0b81",
"value": "e79b2d2934e5525e7a40d74875f9d761"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955755",
"to_ids": false,
"type": "link",
"uuid": "5760b5ab-060c-4caa-b5ea-4e7702de0b81",
"value": "https://www.virustotal.com/file/a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672/analysis/1432210810/"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955755",
"to_ids": true,
"type": "sha1",
"uuid": "5760b5ab-ebc4-40b9-9c50-489002de0b81",
"value": "5856baf74ef33f2e5a6966f1f02505f4251d7e17"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955755",
"to_ids": true,
"type": "md5",
"uuid": "5760b5ab-9420-447d-acde-415102de0b81",
"value": "f4b247a44be362898c4e587545c7653f"
},
{
"category": "External analysis",
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465955756",
"to_ids": false,
"type": "link",
"uuid": "5760b5ac-f3e0-4f8a-b8bf-4ecf02de0b81",
"value": "https://www.virustotal.com/file/558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a/analysis/1427979640/"
},
{
"category": "Payload delivery",
"comment": "A program database path, a file present on the authors\u00e2\u20ac\u2122 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956104",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "5760b708-b0f0-42c2-8d68-491e950d210f",
"value": "z:\\project2012\\remotecontrol\\winhttpnet\\amcy\\app\\win7\\installscript\\objfre_wxp_x86\\i386\\InstallScript.pdb"
},
{
"category": "Payload delivery",
"comment": "A program database path, a file present on the authors\u00e2\u20ac\u2122 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956104",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "5760b708-a274-40ba-af8a-4a2e950d210f",
"value": "z:\\project2012\\remotecontrol\\winhttpnet\\amcy\\app\\win7\\serviceapp\\objfre_wxp_x86\\i386\\ServiceApp.pdb"
},
{
"category": "Payload delivery",
"comment": "A program database path, a file present on the authors\u00e2\u20ac\u2122 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956104",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "5760b708-66c8-4821-a214-468f950d210f",
"value": "z:\\project2012\\remotecontrol\\winhttpnet\\cqgaen\\app\\installscript\\objfre_wxp_x86\\i386\\InstallScript.pdb"
},
{
"category": "Payload delivery",
"comment": "A program database path, a file present on the authors\u00e2\u20ac\u2122 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956104",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "5760b708-0e1c-41d1-bad6-436f950d210f",
"value": "z:\\project2012\\remotecontrol\\winhttpnet\\cqgaen\\app\\serviceapp\\objfre_wxp_x86\\i386\\ServiceApp.pdb"
},
{
"category": "Payload delivery",
"comment": "ShimRat core - C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956182",
"to_ids": true,
"type": "url",
"uuid": "5760b756-b958-4f16-8184-4a77950d210f",
"value": "http://www.avgfree.us/index.php"
},
{
"category": "Payload delivery",
"comment": "ShimRat core - C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956234",
"to_ids": true,
"type": "url",
"uuid": "5760b78a-4060-4b6c-9763-44de950d210f",
"value": "http://adventurelearning.me/wp-content/uploads/index.php"
},
{
"category": "Network activity",
"comment": "he website citrixmeeting.com was under control of Citrix until they let it expire on April 3rd, 2015. The website used to hold information about the conferencing products from Citrix. Almost 4 months after the domain expired, on July the 27 th , the Mofang group regis - tered the domain and set it up for their newest campaign. A new version of ShimRat was built on the 7 th of September, uploaded to the server and only days later used in a new campaign. The payload was hosted at http://www.citrixmeeting.com/download/ livechat.exe and contained a newly packaged ShimRat sample and a new dll hijacked program.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465956902",
"to_ids": false,
"type": "domain",
"uuid": "5760ba26-b1f8-4a6f-b5fd-486a950d210f",
"value": "citrixmeeting.com"
},
{
"category": "Network activity",
"comment": "Enriched via the circl_passivedns module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465975271",
"to_ids": true,
"type": "ip-dst",
"uuid": "576101e7-9d7c-4f12-866d-4c4f950d210f",
"value": "46.101.2.135"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465989817",
"to_ids": true,
"type": "snort",
"uuid": "57613ab9-601c-4f6e-bee3-41c9950d210f",
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRatReporter check-in\"; content:\"POST\"; http_method; content:\"Accept-Encoding: utf-8|0d0a|\"; fast_pattern; uricontent:\".php?filename=\"; content:\"Accept: */*\"; content:!\"Referer\"; content:!\"Content-Type\"; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001857; rev:4;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465989816",
"to_ids": true,
"type": "snort",
"uuid": "57613ab8-e4e0-4f51-9b71-48e6950d210f",
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (php)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.\"; content:\"|0d0a0d0a|php\"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001855; rev:4;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1465989817",
"to_ids": true,
"type": "snort",
"uuid": "57613ab9-2728-4b84-8114-4e9d950d210f",
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (Yuok)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.1|0d0a|User-Agent: \"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; content:\"|0d0a0d0a|\"; pcre:\"/(php)?Yuok\\$\\$\\d\\d/R\"; content:\"Yuok\"; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001856; rev:4;)"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1466414172",
"to_ids": true,
"type": "yara",
"uuid": "5767b45c-78c4-46d5-b94b-4ef5950d210f",
"value": "rule shimrat\r\n{\r\nmeta:\r\ndescription = \"Detects ShimRat and the ShimRat loader\"\r\nauthor = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\ndate = \"20/11/2015\"\r\nstrings:\r\n$dll = \".dll\"\r\n$dat = \".dat\"\r\n$headersig = \"QWERTYUIOPLKJHG\"\r\n$datasig = \"MNBVCXZLKJHGFDS\"\r\n$datamarker1 = \"Data$$00\"\r\n$datamarker2 = \"Data$$01%c%sData\"\r\n$cmdlineformat = \"ping localhost -n 9 /c %s > nul\"\r\n$demoproject_keyword1 = \"Demo\"\r\n$demoproject_keyword2 = \"Win32App\"\r\n$comspec = \"COMSPEC\"\r\n$shim_func1 = \"ShimMain\"\r\n$shim_func2 = \"NotifyShims\"\r\n$shim_func3 = \"GetHookAPIs\"\r\ncondition:\r\n($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)\r\n}"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1466414148",
"to_ids": true,
"type": "yara",
"uuid": "5767b444-185c-4442-bb4f-4f86950d210f",
"value": "rule shimratreporter\r\n{\r\nmeta:\r\ndescription = \"Detects ShimRatReporter\"\r\nauthor = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\ndate = \"20/11/2015\"\r\nstrings:\r\n$IpInfo = \"IP-INFO\"\r\n$NetworkInfo = \"Network-INFO\"\r\n$OsInfo = \"OS-INFO\"\r\n$ProcessInfo = \"Process-INFO\"\r\n$BrowserInfo = \"Browser-INFO\"\r\n$QueryUserInfo = \"QueryUser-INFO\"\r\n$UsersInfo = \"Users-INFO\"\r\n$SoftwareInfo = \"Software-INFO\"\r\n$AddressFormat = \"%02X-%02X-%02X-%02X-%02X-%02X\"\r\n$proxy_str = \"(from environment) = %s\"\r\n$netuserfun = \"NetUserEnum\"\r\n$networkparams = \"GetNetworkParams\"\r\ncondition:\r\nall of them\r\n}"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}