{
"Event" : {
"analysis" : "0" ,
"date" : "2020-01-23" ,
"extends_uuid" : "" ,
"info" : "OSINT - Iranian PupyRAT Bites Middle Eastern Organizations" ,
"publish_timestamp" : "1582700269" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1582700226" ,
"uuid" : "5e2a97e7-4bd4-41c4-8aaf-4262950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-enterprise-attack-tool=\"Pupy - S0192\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-tool=\"Pupy - S0192\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"PupyRAT\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#12dc00" ,
"local" : false ,
"name" : "misp-galaxy:threat-actor=\"Cleaver\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:threat-actor=\"OilRig\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:threat-actor=\"APT35\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#440055" ,
"local" : false ,
"name" : "ms-caro-malware:malware-type=\"RemoteAccess\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#4bec00" ,
"local" : false ,
"name" : "enisa:nefarious-activity-abuse=\"remote-access-tool\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#008ba9" ,
"local" : false ,
"name" : "veris:asset:variety=\"S - Remote access\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00bde6" ,
"local" : false ,
"name" : "veris:action:misuse:vector=\"Remote access\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001739" ,
"local" : false ,
"name" : "ms-caro-malware-full:malware-type=\"RemoteAccess\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#5f0044" ,
"local" : false ,
"name" : "CERT-XLM:malicious-code=\"spyware-rat\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : false ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : false ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : false ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "Hosting PowerShell stages of PupyRAT download" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1580307698" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e3194f2-e0f0-432a-bc5d-aea2950d210f" ,
"value" : "139.59.46.154"
} ,
{
"category" : "Network activity" ,
"comment" : "PupyRAT command and control server" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1580307700" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e3194f4-98d0-4693-9695-aea2950d210f" ,
"value" : "89.107.62.39"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Microblog post like a Twitter tweet or a post on a Facebook wall." ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"meta-category" : "misc" ,
"name" : "microblog" ,
"template_uuid" : "8ec8c911-ddbe-4f5b-895b-fbff70c42a60" ,
"template_version" : "10" ,
"timestamp" : "1579852427" ,
"uuid" : "5e2a9a69-4f24-4f73-983b-478b950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "post" ,
"timestamp" : "1579851871" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2a9a69-57e8-40b5-a0bb-4768950d210f" ,
"value" : "Thanks for reaching out @QW5kcmV3\r\n! Here is the report that mentions COBALT GYPSY use of the OST PupyRAT (https://secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations). Iran-nexus group overlaps are a fun challenge to deconstruct\u2026Always appreciate the constructive feedback!\u2026"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "type" ,
"timestamp" : "1579851871" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2aa05f-4cd0-4f9b-9d01-49de950d210f" ,
"value" : "Twitter"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "link" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5e2aa060-7c98-4c40-9641-4b5f950d210f" ,
"value" : "https://mobile.twitter.com/maggintel/status/1220440024631644160"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "embedded-safe-link" ,
"timestamp" : "1579852427" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5e2aa060-5a2c-4588-ba48-4f90950d210f" ,
"value" : "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" ,
"Tag" : [
{
"colour" : "#002b4a" ,
"local" : false ,
"name" : "osint:source-type=\"technical-report\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "embedded-safe-link" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5e2aa060-8c70-4462-8ead-45bf950d210f" ,
"value" : "https://t.co/NP4e8FXfKI?amp=1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "username-quoted" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2aa060-9c48-4326-96bd-4301950d210f" ,
"value" : "@QW5kcmV3"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "verified-username" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2aa060-1864-4154-9d99-43e1950d210f" ,
"value" : "Unverified"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "state" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2aa060-e708-4e1f-8e34-4e22950d210f" ,
"value" : "Informative"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2026-05-13T21:15:00+00:00" ,
"object_relation" : "username" ,
"timestamp" : "1579851872" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e2aa060-e184-4c09-afb0-4b1d950d210f" ,
"value" : "maggintel"
}
]
} ,
{
"comment" : "Associated organization : National Technology Group, a Saudi Arabian telecommunications company" ,
"deleted" : false ,
"description" : "A domain and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "6" ,
"timestamp" : "1582700226" ,
"uuid" : "5e3187c7-9b64-4c78-b33f-1c2f950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1580304327" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e3187c7-da78-4519-9745-1c2f950d210f" ,
"value" : "45.32.186.33"
} ,
{
"category" : "Network activity" ,
"comment" : "Spoofed domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1580304327" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5e3187c7-3ca8-4aaf-94b0-1c2f950d210f" ,
"value" : "ntg-sa.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1582700226" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "5e3187c7-8cf0-4571-b695-1c2f950d210f" ,
"value" : "ntg.com.sa"
}
]
} ,
{
"comment" : "Associated organization : ITWorx, an Egyptian information technology services firm" ,
"deleted" : false ,
"description" : "A domain and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "6" ,
"timestamp" : "1582700218" ,
"uuid" : "5e318cb9-f1ac-4eac-a1b6-aea2950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1580305594" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e318cba-d264-40c8-abf6-aea2950d210f" ,
"value" : "45.32.186.33"
} ,
{
"category" : "Network activity" ,
"comment" : "Spoofed domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1580305599" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5e318cbf-203c-4241-b4fa-aea2950d210f" ,
"value" : "itworx.com-ho.me"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1582700218" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "5e318cc6-25a8-49a8-a30c-aea2950d210f" ,
"value" : "itworx.com"
}
]
} ,
{
"comment" : "Associated organization : Saudi Ministry of Commerce" ,
"deleted" : false ,
"description" : "A domain and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "6" ,
"timestamp" : "1582700212" ,
"uuid" : "5e318e40-4368-4040-bf75-4888950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1580305984" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e318e40-a670-4cea-b42d-4720950d210f" ,
"value" : "45.32.186.33"
} ,
{
"category" : "Network activity" ,
"comment" : "Spoofed domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1580305989" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5e318e45-9494-4eeb-8166-4333950d210f" ,
"value" : "mci.com-ho.me"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1582700212" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "5e318e4c-4980-489d-ab08-4dd0950d210f" ,
"value" : "mci.gov.sa"
}
]
} ,
{
"comment" : "Associated organization : Saudi Ministry of Health" ,
"deleted" : false ,
"description" : "A domain and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "6" ,
"timestamp" : "1582700205" ,
"uuid" : "5e318ece-eb38-430b-9235-2768950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1580306126" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e318ece-2d9c-4277-9448-2768950d210f" ,
"value" : "45.32.186.33"
} ,
{
"category" : "Network activity" ,
"comment" : "Spoofed domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1580306129" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5e318ed1-4c04-4b94-b13a-2768950d210f" ,
"value" : "moh.com-ho.me"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1582700205" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "5e318ed1-bbb8-47a1-879d-2768950d210f" ,
"value" : "moh.gov.sa"
}
]
} ,
{
"comment" : "Associated organization : Saudi Ministry of Labor" ,
"deleted" : false ,
"description" : "A domain and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "6" ,
"timestamp" : "1582700199" ,
"uuid" : "5e3190e6-cdc4-4ef3-8ee6-d77d950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1580306662" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5e3190e6-dd1c-4a11-b857-d77d950d210f" ,
"value" : "45.32.186.33"
} ,
{
"category" : "Network activity" ,
"comment" : "Spoofed domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1580306666" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5e3190ea-fc30-49b2-889e-d77d950d210f" ,
"value" : "mol.com-ho.me"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1582700199" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "5e3190ea-5944-41c7-8f49-d77d950d210f" ,
"value" : "mol.gov.sa"
}
]
} ,
{
"comment" : "Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "19" ,
"timestamp" : "1582281744" ,
"uuid" : "5e3193d9-9110-4de4-85c0-4844950d210f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5e3193d9-9110-4de4-85c0-4844950d210f" ,
"referenced_uuid" : "83aabfa5-efd1-401e-a84d-75ab6ab670f0" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1582281781" ,
"uuid" : "5e4fb435-87a8-44ee-be84-47ad950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1580307940" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5e3193d9-3274-4039-a156-4844950d210f" ,
"value" : "1b5e33e5a244d2d67d7a09c4ccf16e56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1580307946" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e3195ea-0514-4401-bdd1-f1bd950d210f" ,
"value" : "66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1580307953" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e3195f1-0a2c-4fdc-ae3b-f1bd950d210f" ,
"value" : "934c51ff1ea00af2cb3b8465f0a3effcf759d866"
}
]
} ,
{
"comment" : "PupyRAT (pupyx86.dll) " ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "19" ,
"timestamp" : "1582281745" ,
"uuid" : "5e319643-2f90-4bf1-89f5-7f0b950d210f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5e319643-2f90-4bf1-89f5-7f0b950d210f" ,
"referenced_uuid" : "e5e73bc0-efa0-484e-8086-0f3137f470e3" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1582281781" ,
"uuid" : "5e4fb435-7134-495c-86d1-48c9950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1580308035" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5e319643-9e1c-4e62-9e51-7f0b950d210f" ,
"value" : "97cb7dc1395918c2f3018c109ab4ea5b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1580308040" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5e319648-0760-46c7-8fe5-7f0b950d210f" ,
"value" : "pupyx86.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1580308046" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e31964e-11c4-45ad-9f8e-7f0b950d210f" ,
"value" : "8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1580308052" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e319654-88e0-452c-a212-7f0b950d210f" ,
"value" : "3215021976b933ff76ce3436e828286e124e2527"
}
]
} ,
{
"comment" : "Password-themed lure (Password_Policy.xlsm) delivering PupyRAT" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "19" ,
"timestamp" : "1582281745" ,
"uuid" : "5e31969e-8ca8-462e-b114-7f1d950d210f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5e31969e-8ca8-462e-b114-7f1d950d210f" ,
"referenced_uuid" : "87cbd279-31f6-474e-92b7-6f1ca9c322c8" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1582281781" ,
"uuid" : "5e4fb435-9e64-4abc-bfa3-47cb950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1580308127" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5e31969f-ad9c-4559-aacc-7f1d950d210f" ,
"value" : "03ea9457bf71d51d8109e737158be888"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1580308129" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5e3196a1-b288-42bc-9736-7f1d950d210f" ,
"value" : "Password_Policy.xlsm"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1580308135" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e3196a7-e080-40c1-b384-7f1d950d210f" ,
"value" : "6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1580308141" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e3196ad-cd84-477f-9fa2-7f1d950d210f" ,
"value" : "d20168c523058c7a82f6d79ef63ea546c794e57b"
}
]
} ,
{
"comment" : "Job-themed Word document lure (qhtma) delivering PupyRAT" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "19" ,
"timestamp" : "1582281745" ,
"uuid" : "5e3196dc-2b94-4648-97b0-d77c950d210f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5e3196dc-2b94-4648-97b0-d77c950d210f" ,
"referenced_uuid" : "959f1fb7-4ad0-4407-82e1-0aa582296285" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1582281781" ,
"uuid" : "5e4fb435-994c-4636-a70b-44d0950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1580308188" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5e3196dc-6c14-4b40-a522-d77c950d210f" ,
"value" : "43fad2d62bc23ffdc6d301571135222c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1580308191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e3196df-53e4-46e6-8a69-d77c950d210f" ,
"value" : "e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1580308197" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e3196e5-a51c-40f7-af2a-d77c950d210f" ,
"value" : "735f5d7ef0c5129f0574bec3cf3d6b06b052744a"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1582281745" ,
"uuid" : "e5e73bc0-efa0-484e-8086-0f3137f470e3" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1580308046" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "4efc3fca-4e47-41d4-9c53-6855fa268695" ,
"value" : "2019-10-06T12:32:49+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1580308046" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "1c2fbc9e-ec53-4563-a2fa-cbc5382a3f1e" ,
"value" : "https://www.virustotal.com/file/8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71/analysis/1570365169/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1580308046" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2c9d6d4a-d21b-483d-8e06-5a477d379ecd" ,
"value" : "48/68"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1582281768" ,
"uuid" : "83aabfa5-efd1-401e-a84d-75ab6ab670f0" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1580307946" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "bb7e0f82-e140-4983-81f3-1f50292b574a" ,
"value" : "2020-01-27T06:52:25+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1580307946" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "8c5c9af9-34a4-4495-b646-c40794eec2e9" ,
"value" : "https://www.virustotal.com/file/66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b/analysis/1580107945/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1580307946" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "920edadd-fc71-4b17-8faa-66e75327811d" ,
"value" : "42/61"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1582281781" ,
"uuid" : "87cbd279-31f6-474e-92b7-6f1ca9c322c8" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1580308135" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "20e4a0ed-3bd1-4690-a439-eada2cb6a90a" ,
"value" : "2020-01-16T14:24:18+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1580308135" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "8eb1988e-1d7e-4c00-8988-fbccd32e52ef" ,
"value" : "https://www.virustotal.com/file/6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b/analysis/1579184658/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1580308135" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3f0c1ac0-fb20-4ecd-922a-cf23a82fd177" ,
"value" : "40/60"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1582281781" ,
"uuid" : "959f1fb7-4ad0-4407-82e1-0aa582296285" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1580308191" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "53ff6fff-365d-4afa-94dd-bac37560dba3" ,
"value" : "2020-01-15T20:35:20+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1580308191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "8148d76e-ac8e-4380-b1bb-0d233f81375c" ,
"value" : "https://www.virustotal.com/file/e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6/analysis/1579120520/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1580308191" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4eb9669c-778b-42fc-a507-99bbd567195d" ,
"value" : "42/59"
}
]
}
]
}
}