{"Event":{"info":"OSINT - Malicious script dropping an executable signed by Avast?","Tag":[{"colour":"#004646","exportable":true,"name":"type:OSINT"},{"colour":"#ffffff","exportable":true,"name":"tlp:white"}],"publish_timestamp":"0","timestamp":"1503489623","analysis":"2","Attribute":[{"comment":"","category":"External analysis","uuid":"599d5076-3860-4293-803d-4bd5950d210f","timestamp":"1503489623","to_ids":false,"value":"https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/","Tag":[{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"","category":"External analysis","uuid":"599d508f-0070-49fe-82ad-474b950d210f","timestamp":"1503489599","to_ids":false,"value":"Yesterday, I found an interesting sample that I started to analyze\u2026 It reached my spam trap attached to an email in Portuguese with the subject: \"Venho por meio desta solicitar or\u00e7amento dos produtos\u201d (\"I hereby request the products budget\u201d). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58.","disable_correlation":false,"object_relation":null,"type":"comment"},{"comment":"","category":"Payload delivery","uuid":"599d50c1-3250-4e6c-887d-42b2950d210f","timestamp":"1503489599","to_ids":false,"value":"Venho por meio desta solicitar or\u00e7amento dos produtos","disable_correlation":false,"object_relation":null,"type":"email-subject"},{"comment":"","category":"Payload delivery","uuid":"599d512d-3dec-4480-ad56-45bb950d210f","timestamp":"1503489599","to_ids":true,"value":"PanilhaOrcamento.zip|3c159f65ba88bb208df30822d2a88b6531e4d0a7","disable_correlation":false,"object_relation":null,"type":"filename|sha1"},{"comment":"","category":"Payload delivery","uuid":"599d5169-8bcc-47ae-b5f4-42e4950d210f","timestamp":"1503489599","to_ids":true,"value":"Panilha Orcamento Contabil 32f5.bat|c191821ddb1db46349afdb08789312ce418696d1","disable_correlation":false,"object_relation":null,"type":"filename|sha1"},{"comment":"","category":"Network activity","uuid":"599d521f-5cb8-40a6-ad5b-4eb9950d210f","timestamp":"1503489599","to_ids":true,"value":"https://1591523753.rsc.cdn77.org/p2r.php?","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"file signed by Avast","category":"Payload delivery","uuid":"599d52e1-1e84-4c24-9ee7-1992950d210f","timestamp":"1503489599","to_ids":true,"value":"C:\\rx hsdj\\o\\i\\x\\ffax bnzx\\fvenotify.exe|6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7","disable_correlation":false,"object_relation":null,"type":"filename|sha256"},{"comment":"","category":"Payload delivery","uuid":"599d530d-27b4-424a-819a-426d950d210f","timestamp":"1503489599","to_ids":true,"value":"C:\\rx hsdj\\o\\i\\x\\ffax bnzx\\secur32.dll|2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb","disable_correlation":false,"object_relation":null,"type":"filename|sha256"},{"comment":"","category":"External analysis","uuid":"599d5475-c4d4-4400-984a-4a96950d210f","timestamp":"1503489599","to_ids":false,"value":"https://www.virustotal.com/#/file/9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246/detection","disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"","category":"External analysis","uuid":"599d5475-03a8-4fa8-b299-48de950d210f","timestamp":"1503489599","to_ids":false,"value":"https://www.virustotal.com/#/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/detection","disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"file signed by Avast - Xchecked via VT: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7","category":"Payload delivery","uuid":"599d6e3f-5458-4c0b-94f0-904802de0b81","timesta
