{
"Event": {
"analysis": "2",
"date": "2017-11-28",
"extends_uuid": "",
"info": "OSINT - ROKRAT Reloaded",
"publish_timestamp": "1511941714",
"published": true,
"threat_level_id": "3",
"timestamp": "1511941670",
"uuid": "5a1e6038-a088-46ac-95ef-ad9e950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:rat=\"rokrat\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e604b-d290-4404-a793-7e40950d210f",
"value": "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "comment",
"uuid": "5a1e606f-95f0-465c-a739-7e43950d210f",
"value": "Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the websites was a compromised government website. We named this case \"Evil New Years\". The second one was about the analysis and discovery of the ROKRAT malware.\r\n\r\nThis month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:\r\n\r\n It contains the same reconnaissance code used;\r\n Similar PDB pattern that the \"Evil New Years\" samples used;\r\n It contains the same cloud features and similar copy-paste methods that ROKRAT used;\r\n It uses cloud platforms as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "filename",
"uuid": "5a1e60c1-6e50-4137-bd1c-ac4e950d210f",
"value": "BIN0001.OLE"
},
{
"category": "Payload delivery",
"comment": "Path",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "filename",
"uuid": "5a1e60c1-0c24-4ec1-b1e0-ac4e950d210f",
"value": "%ALLUSERSPROFILE%\\HncModuleUpdate.exe"
},
{
"category": "Payload delivery",
"comment": "MalDoc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-4574-482c-9c2b-ac4e950d210f",
"value": "171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824"
},
{
"category": "Payload delivery",
"comment": "Dropper #1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-efbc-4f55-958d-ac4e950d210f",
"value": "a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037"
},
{
"category": "Payload delivery",
"comment": "Dropper #2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-d4ac-47cb-8344-ac4e950d210f",
"value": "eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14"
},
{
"category": "Payload delivery",
"comment": "Dropper #3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-9c24-4de8-ad40-ac4e950d210f",
"value": "9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f"
},
{
"category": "Payload delivery",
"comment": "ROKRAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-347c-4331-b888-ac4e950d210f",
"value": "b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e"
},
{
"category": "Payload delivery",
"comment": "Freenki",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha256",
"uuid": "5a1e60c1-afd0-4b33-af92-ac4e950d210f",
"value": "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5"
},
{
"category": "External analysis",
"comment": "malicious HWP document",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "attachment",
"uuid": "5a1e6121-04f0-4644-a9d9-ad77950d210f",
"value": "malicious HWP document.png"
},
{
"category": "Payload delivery",
"comment": "Freenki - Xchecked via VT: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha1",
"uuid": "5a1e6613-1044-4d30-820a-ad0902de0b81",
"value": "f7fcadc8c71752ce5d47af1e8069069cc70e6e27"
},
{
"category": "Payload delivery",
"comment": "Freenki - Xchecked via VT: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "md5",
"uuid": "5a1e6613-2f20-433d-94cb-ad0902de0b81",
"value": "6c668fd6a98f0659abc54d88c1db209e"
},
{
"category": "External analysis",
"comment": "Freenki - Xchecked via VT: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e6613-55a8-4765-a515-ad0902de0b81",
"value": "https://www.virustotal.com/file/99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5/analysis/1511910425/"
},
{
"category": "Payload delivery",
"comment": "Dropper #3 - Xchecked via VT: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha1",
"uuid": "5a1e6613-72d0-4ce7-ab5e-ad0902de0b81",
"value": "6b79d3519b09d6162a1d3ec55fed3ee7a4adf436"
},
{
"category": "Payload delivery",
"comment": "Dropper #3 - Xchecked via VT: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "md5",
"uuid": "5a1e6613-65a4-4371-a044-ad0902de0b81",
"value": "b441d9a75c60b222e3c9fd50c0d14c5b"
},
{
"category": "External analysis",
"comment": "Dropper #3 - Xchecked via VT: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e6613-2e08-41a8-83e8-ad0902de0b81",
"value": "https://www.virustotal.com/file/9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f/analysis/1511903258/"
},
{
"category": "Payload delivery",
"comment": "Dropper #2 - Xchecked via VT: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha1",
"uuid": "5a1e6613-84c0-4417-8a0b-ad0902de0b81",
"value": "bd97943835cb3749ce2b1dc6ba89961555d92c38"
},
{
"category": "Payload delivery",
"comment": "Dropper #2 - Xchecked via VT: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "md5",
"uuid": "5a1e6613-6328-43f1-8e68-ad0902de0b81",
"value": "bdbabe7d5605c00d24d15e3fac6eda1e"
},
{
"category": "External analysis",
"comment": "Dropper #2 - Xchecked via VT: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e6613-f690-455a-aa14-ad0902de0b81",
"value": "https://www.virustotal.com/file/eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14/analysis/1511903362/"
},
{
"category": "Payload delivery",
"comment": "Dropper #1 - Xchecked via VT: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha1",
"uuid": "5a1e6613-1638-444b-8524-ad0902de0b81",
"value": "96d8142c72942a84f6e45f5ec9f2a8f8e97bf28e"
},
{
"category": "Payload delivery",
"comment": "Dropper #1 - Xchecked via VT: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "md5",
"uuid": "5a1e6613-cba4-48ef-a655-ad0902de0b81",
"value": "9cf931c33319f2a23d0b49cb805a4a34"
},
{
"category": "External analysis",
"comment": "Dropper #1 - Xchecked via VT: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e6613-9fb8-4216-8710-ad0902de0b81",
"value": "https://www.virustotal.com/file/a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037/analysis/1511903459/"
},
{
"category": "Payload delivery",
"comment": "MalDoc - Xchecked via VT: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "sha1",
"uuid": "5a1e6613-aab8-4af7-ba7b-ad0902de0b81",
"value": "359c953832b9c71363b87f66638d8b573214cb6f"
},
{
"category": "Payload delivery",
"comment": "MalDoc - Xchecked via VT: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": true,
"type": "md5",
"uuid": "5a1e6613-1860-4197-bee8-ad0902de0b81",
"value": "7ca1e08fc07166a440576d1af0a15bb1"
},
{
"category": "External analysis",
"comment": "MalDoc - Xchecked via VT: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824",
"deleted": false,
"disable_correlation": false,
"timestamp": "1511941651",
"to_ids": false,
"type": "link",
"uuid": "5a1e6613-db8c-4aec-8523-ad0902de0b81",
"value": "https://www.virustotal.com/file/171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824/analysis/1511881919/"
}
]
}
}