{ "Event": { "analysis": "2", "date": "2015-08-12", "extends_uuid": "", "info": "OSINT Potao Express samples from contagiodump", "publish_timestamp": "1498162770", "published": true, "threat_level_id": "2", "timestamp": "1498162722", "uuid": "55cc400a-ee68-4aaa-b144-4d73950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Potato Ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439449115", "to_ids": false, "type": "link", "uuid": "55cc401b-9f9c-42d9-a155-4878950d210b", "value": "http://contagiodump.blogspot.be/2015/08/potao-express-samples.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439449159", "to_ids": false, "type": "text", "uuid": "55cc4047-6cc0-4d42-96e1-34af950d210b", "value": "Operation Potao Express" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439449160", "to_ids": false, "type": "text", "uuid": "55cc4048-b494-420a-b02b-34af950d210b", "value": "Potao Express" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439449160", "to_ids": false, "type": "text", "uuid": "55cc4048-5808-451d-afea-34af950d210b", "value": "Potao" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449984", "to_ids": true, "type": "sha256", "uuid": "55cc4380-ecf8-4902-a121-4e70950d210b", "value": "1fe6af3d704d2fc0c7acd58b069a31eec866668ec6e25f52354e6e61266db8db" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449985", "to_ids": true, "type": "md5", "uuid": "55cc4381-f09c-4e0c-853c-4dbb950d210b", "value": "85b0e3264820008a30f17ca19332fa19" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449985", "to_ids": true, "type": "sha256", "uuid": "55cc4381-9e48-479f-bb2f-4839950d210b", "value": "2ff0941fe3514abc12484ad2853d22fd7cb36469a313b5ecb6ef0c6391cf78ab" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449985", "to_ids": true, "type": "md5", "uuid": "55cc4381-2ea0-4f9d-acf0-4630950d210b", "value": "ac854a3c91d52bfc09605506e76975ae" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449985", "to_ids": true, "type": "sha256", "uuid": "55cc4381-10ec-4b85-9df2-4319950d210b", "value": "54a76f5cd5a32ed7d5fa78e5d8311bafc0de57a475bc2fddc23ee4b3510b9d44" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449985", "to_ids": true, "type": "md5", "uuid": "55cc4381-0b00-4892-a1a5-4c5f950d210b", "value": "3b7d88a069631111d5585b1b10cccc86" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449986", "to_ids": true, "type": "sha256", "uuid": "55cc4382-ae8c-4990-9735-4a7b950d210b", "value": "76c7c67274cf5384615a120e69be3af64cc31d9c4f05ff2031120612443c8360" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449986", "to_ids": true, "type": "md5", "uuid": "55cc4382-a56c-4101-9456-49bb950d210b", "value": "d1658b792dd1569abc27966083f59d44" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449986", "to_ids": true, "type": "sha256", "uuid": "55cc4382-e4ec-4fcf-8be6-4778950d210b", "value": "244c181eb442fefcf1e1daf900896bee6569481c0e885e3c63efeef86cd64c55" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449986", "to_ids": true, "type": "md5", "uuid": "55cc4382-5e8c-4ef5-9ea9-43c0950d210b", "value": "0c7183d761f15772b7e9c788be601d29" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449986", "to_ids": true, "type": "sha256", "uuid": "55cc4382-ca24-4c60-9da7-4df6950d210b", "value": "887a721254486263f1f3f25f3c677da62ef5c062c3afa7ef70c895bc8b17b424" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "md5", "uuid": "55cc4383-9648-40fe-add0-4169950d210b", "value": "a35e48909a49334a7ebb5448a78dcff9" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "sha256", "uuid": "55cc4383-a6ec-4de4-8eb8-4e6a950d210b", "value": "945c594aee1b5bd0f3a72abe8f5a3df74fc6ca686887db5e40fe859e3fc90bb1" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "md5", "uuid": "55cc4383-7c94-4236-9b45-4387950d210b", "value": "502f35002b1a95f1ae135baff6cff836" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "sha256", "uuid": "55cc4383-0da8-421f-87d4-4a97950d210b", "value": "ab8d308fd59a8db8a130fcfdb6db56c4f7717877c465be98f71284bdfccdfa25" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "md5", "uuid": "55cc4383-da48-43fa-b6c1-4838950d210b", "value": "a446ced5db1de877cf78f77741e2a804" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449987", "to_ids": true, "type": "sha256", "uuid": "55cc4383-4bbc-46ba-b3ee-4389950d210b", "value": "b22a614a291111398657cf8d1fa64fa50ed9c66c66a0b09d08c53972c6536766" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449988", "to_ids": true, "type": "md5", "uuid": "55cc4384-3004-4378-9b88-417c950d210b", "value": "d939a05e1e3c9d7b6127d503c025dbc4" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449988", "to_ids": true, "type": "sha256", "uuid": "55cc4384-c2ac-4b2e-b928-4f44950d210b", "value": "fcfdcbdd60f105af1362cfeb3decbbbbe09d5fc82bde6ee8dfd846b2b844f972" }, { "category": "Payload delivery", "comment": "1stVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439449988", "to_ids": true, "type": "md5", "uuid": "55cc4384-6af8-41f9-a7ef-4b57950d210b", "value": "14634d446471b9e2f55158d9ac09d0b2" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450010", "to_ids": true, "type": "sha256", "uuid": "55cc439a-beb4-4229-8fb7-4eb1950d210b", "value": "910f55e1c4e75696405e158e40b55238d767730c60119539b644ef3e6bc32a5d" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450010", "to_ids": true, "type": "md5", "uuid": "55cc439a-a728-44a5-95f5-4a08950d210b", "value": "7263a328f0d47c76b4e103546b648484" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450010", "to_ids": true, "type": "sha256", "uuid": "55cc439a-5360-4ba5-a0c9-43ac950d210b", "value": "c821cb34c86ec259af37c389a8f6cd635d98753576c675882c9896025a1abc53" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450010", "to_ids": true, "type": "md5", "uuid": "55cc439a-48b0-4e83-a687-4861950d210b", "value": "bdc9255df5385f534fea83b497c371c8" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450011", "to_ids": true, "type": "sha256", "uuid": "55cc439b-7588-4cfe-9cd4-4b2e950d210b", "value": "f845778c3f2e3272145621776a90f662ee9344e3ae550c76f65fd954e7277d19" }, { "category": "Payload delivery", "comment": "DebugVersion", "deleted": false, "disable_correlation": false, "timestamp": "1439450011", "to_ids": true, "type": "md5", "uuid": "55cc439b-f48c-43ca-904c-4c17950d210b", "value": "5199fcd031987834ed3121fb316f4970" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450027", "to_ids": true, "type": "sha256", "uuid": "55cc43ab-7174-47ab-9e9d-444e950d210b", "value": "4dcf14c41b31f8accf9683917bfc9159b9178d6fe36227195fabc232909452af" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450027", "to_ids": true, "type": "md5", "uuid": "55cc43ab-9804-47c4-91c2-40ab950d210b", "value": "65f494580c95e10541d1f377c0a7bd49" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450027", "to_ids": true, "type": "sha256", "uuid": "55cc43ab-bb8c-4ea1-9165-415e950d210b", "value": "8bc189dee0a71b3a8a1767e95cc726e13808ed7d2e9546a9d6b6843cea5eb3bd" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450027", "to_ids": true, "type": "md5", "uuid": "55cc43ab-a04c-4055-9562-4eeb950d210b", "value": "a4b0615cb639607e6905437dd900c059" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450027", "to_ids": true, "type": "sha256", "uuid": "55cc43ab-6440-4db5-b619-41b0950d210b", "value": "048621ecf8f25133b2b09d512bb0fe15fc274ec7cb2ccc966aeb44d7a88beb5b" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "md5", "uuid": "55cc43ac-2624-4157-a4fe-45ff950d210b", "value": "07e99b2f572b84af5c4504c23f1653bb" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "sha256", "uuid": "55cc43ac-1fd4-4376-8a4d-427e950d210b", "value": "aa23a93d2fed81daacb93ea7ad633426e04fcd063ff2ea6c0af5649c6cfa0385" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "md5", "uuid": "55cc43ac-13bc-42e8-b578-4284950d210b", "value": "1927a80cd45f0d27b1ae034c11ddedb0" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "sha256", "uuid": "55cc43ac-7e1c-4cd2-9322-41a5950d210b", "value": "c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "md5", "uuid": "55cc43ac-0c84-4ecd-ad39-4195950d210b", "value": "579ad4a596602a10b7cf4659b6b6909d" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450028", "to_ids": true, "type": "sha256", "uuid": "55cc43ac-d5d8-494d-8ccc-4a09950d210b", "value": "d6f126ab387f1d856672c730991573385c5746c7c84738ab97b13c897063ff4a" }, { "category": "Payload delivery", "comment": "Droppersfrompostalsites", "deleted": false, "disable_correlation": false, "timestamp": "1439450029", "to_ids": true, "type": "md5", "uuid": "55cc43ad-2754-451e-9138-490a950d210b", "value": "e64eb8b571f655b744c9154d8032caef" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450041", "to_ids": true, "type": "sha256", "uuid": "55cc43b9-8fa0-4819-9847-43f9950d210b", "value": "61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450041", "to_ids": true, "type": "md5", "uuid": "55cc43b9-bb30-4e01-b7ed-4f46950d210b", "value": "d755e52ba5658a639c778c22d1a906a3" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450041", "to_ids": true, "type": "sha256", "uuid": "55cc43b9-02b4-4b39-b592-4df7950d210b", "value": "4328b06093a4ad01f828dc837053cb058fe00f3a7fd5cfb9d1ff7feb7ebb8e32" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450042", "to_ids": true, "type": "md5", "uuid": "55cc43ba-c268-4f57-8b30-4989950d210b", "value": "b4d909077aa25f31386722e716a5305c" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450042", "to_ids": true, "type": "sha256", "uuid": "55cc43ba-3be0-49f8-a97f-4c3a950d210b", "value": "15760f0979f2ba1b4d991f19e8b59fc1e61632fcc88755a4d147c0f5d47965c5" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450042", "to_ids": true, "type": "md5", "uuid": "55cc43ba-9510-4e9e-8ffd-4350950d210b", "value": "fc4b285088413127b6d827656b9d0481" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450042", "to_ids": true, "type": "sha256", "uuid": "55cc43ba-4dec-4821-afef-488b950d210b", "value": "b9c285f485421177e616a148410ddc5b02e43f0af375d3141b7e829f7d487bfd" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450042", "to_ids": true, "type": "md5", "uuid": "55cc43ba-5118-49d2-b472-49fb950d210b", "value": "73e7ee83133a175b815059f1af79ab1b" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450043", "to_ids": true, "type": "sha256", "uuid": "55cc43bb-b570-4cd4-85e5-4310950d210b", "value": "cf3b0d8e9a7d0ad32351ade0c52de583b5ca2f72e5af4adbf638c81f4ad8fbcb" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450043", "to_ids": true, "type": "md5", "uuid": "55cc43bb-f224-44a1-9e10-48b2950d210b", "value": "eebbcb1ed5f5606aec296168dee39166" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450043", "to_ids": true, "type": "sha256", "uuid": "55cc43bb-9db4-40b3-b2cb-42c2950d210b", "value": "dbc1b98b1df1d9c2dc8a5635682ed44a91df6359264ed63370724afa9f19c7ee" }, { "category": "Payload delivery", "comment": "Dropperswdecoy", "deleted": false, "disable_correlation": false, "timestamp": "1439450043", "to_ids": true, "type": "md5", "uuid": "55cc43bb-932c-4bdc-8b64-4ddf950d210b", "value": "5a24a7370f35dbdbb81adf52e769a442" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "sha256", "uuid": "55cc43c7-33f0-4d8d-bd4e-4e8d950d210b", "value": "4c01ffcc90e6271374b34b252fefb5d6fffda29f6ad645a879a159f78e095979" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "md5", "uuid": "55cc43c7-aecc-4bfe-b3dc-47bf950d210b", "value": "b64dbe5817b24d17a0404e9b2606ad96" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "sha256", "uuid": "55cc43c7-e810-41e2-a535-4475950d210b", "value": "5de8c04a77e37dc1860da490453085506f8aa378fbc7d811128694d8581b89ba" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "md5", "uuid": "55cc43c7-4824-40f8-9cd5-4226950d210b", "value": "7ca6101c2ae4838fbbd7ceb0b2354e43" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "sha256", "uuid": "55cc43c7-57f4-46fd-90f0-4622950d210b", "value": "73aae05fab96290cabbe4b0ec561d2f6d79da71834509c4b1f4b9ae714159b42" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450055", "to_ids": true, "type": "md5", "uuid": "55cc43c7-9920-4f2c-b1db-442b950d210b", "value": "f64704ed25f4c728af996eee3ee85411" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450056", "to_ids": true, "type": "sha256", "uuid": "55cc43c8-8138-4d1c-8c9b-4990950d210b", "value": "c7212d249b5eb7e2cea948a173ce96e1d2b8c44dcc2bb1d101dce64bb3f5becc" }, { "category": "Payload delivery", "comment": "FakeTrueCryptextractedexe", "deleted": false, "disable_correlation": false, "timestamp": "1439450056", "to_ids": true, "type": "md5", "uuid": "55cc43c8-85fc-4e29-a529-4b99950d210b", "value": "c1f715ff0afc78af81d215d485cc235c" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450170", "to_ids": true, "type": "sha256", "uuid": "55cc443a-6fb8-48bc-bce3-4323950d210b", "value": "42028874fae37ad9dc89eb37149ecb1e6439869918309a07f056924c1b981def" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450171", "to_ids": true, "type": "md5", "uuid": "55cc443b-7ec4-4260-8f3a-4d4d950d210b", "value": "f34b77f7b2233ee6f727d59fb28f438a" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450171", "to_ids": true, "type": "sha256", "uuid": "55cc443b-7f34-4021-bd73-4e75950d210b", "value": "a3a43bbc69e24c0bc3ab06fbf3ccc35cf8687e2862f86fb0d269258b68c710c9" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450171", "to_ids": true, "type": "md5", "uuid": "55cc443b-20b0-4ced-9599-4119950d210b", "value": "babd17701cbe876149dc07e68ec7ca4f" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450171", "to_ids": true, "type": "sha256", "uuid": "55cc443b-5d94-4fbb-a65e-4422950d210b", "value": "b8844e5b72971fe67d2905e77ddaa3366ae1c3bead92be6effd58691bc1ff8ec" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450171", "to_ids": true, "type": "md5", "uuid": "55cc443b-c8a8-4b72-ab03-46b1950d210b", "value": "cfc8901fe6a9a8299087bfc73ae8909e" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450172", "to_ids": true, "type": "sha256", "uuid": "55cc443c-cc0c-4efa-844d-4424950d210b", "value": "fe3547f0e052c71f872bf09cdc1654137ee68f878fc6d5a78df16a13e6de1768" }, { "category": "Payload delivery", "comment": "FakeTrueCryptSetup", "deleted": false, "disable_correlation": false, "timestamp": "1439450172", "to_ids": true, "type": "md5", "uuid": "55cc443c-c0b4-485c-83a1-49af950d210b", "value": "83f3ec97a95595ebe40a75e94c98a7bd" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450184", "to_ids": true, "type": "sha256", "uuid": "55cc4448-0d00-4f5c-93b7-4853950d210b", "value": "2de76a3c07344ce322151dbb42febdff97ade8176466a3af07e5280bd859a186" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450184", "to_ids": true, "type": "md5", "uuid": "55cc4448-3910-421f-b657-44e0950d210b", "value": "38e708fea8016520cb25d3cb933f2244" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450184", "to_ids": true, "type": "sha256", "uuid": "55cc4448-d268-4a20-ac25-448f950d210b", "value": "4e88b8b121d768c611fe16ae1f008502b2191edc6f2ee84fef7b12b4d86fe000" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450184", "to_ids": true, "type": "md5", "uuid": "55cc4448-4c9c-4693-82a6-4955950d210b", "value": "360df4c2f2b99052c07e08edbe15ab2c" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450185", "to_ids": true, "type": "sha256", "uuid": "55cc4449-822c-4231-89e2-447c950d210b", "value": "29dfc81b400a1400782623c618cb1d507f5d17bb13de44f123a333093648048f" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450185", "to_ids": true, "type": "md5", "uuid": "55cc4449-1d04-463a-a7e9-438e950d210b", "value": "89a3ea3967745e04199ebf222494452e" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450185", "to_ids": true, "type": "sha256", "uuid": "55cc4449-0084-4e73-ad0c-4315950d210b", "value": "97afe4b12a9fed40ad20ab191ba0a577f5a46cbfb307e118a7ae69d04adc2e2d" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450185", "to_ids": true, "type": "md5", "uuid": "55cc4449-b0c8-42b2-818a-43a8950d210b", "value": "6ba88e8e74b12c914483c026ae92eb42" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450185", "to_ids": true, "type": "sha256", "uuid": "55cc4449-acb8-4f3b-8f7e-48b1950d210b", "value": "793a8ce811f423dfde47a5f44ae50e19e7e41ad055e56c7345927eac951e966b" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450186", "to_ids": true, "type": "md5", "uuid": "55cc444a-ab1c-4133-9777-484e950d210b", "value": "043f99a875424ca0023a21739dba51ef" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450186", "to_ids": true, "type": "sha256", "uuid": "55cc444a-1144-4208-a45a-4972950d210b", "value": "904bb2efe661f654425e691b7748556e558a636d4f25c43af9d2d4dfbe83262e" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450186", "to_ids": true, "type": "md5", "uuid": "55cc444a-727c-4601-be66-4e67950d210b", "value": "02d438df779affddaf02ca995c60cecb" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450186", "to_ids": true, "type": "sha256", "uuid": "55cc444a-cf04-4328-a0e7-42a8950d210b", "value": "b62589ee5ba94d15edcf8613e3d57255dd7a12fce6d2dbd660fd7281ce6234f4" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450186", "to_ids": true, "type": "md5", "uuid": "55cc444a-d570-4e02-952d-4a80950d210b", "value": "11b4e7ea6bae19a29343ae3ff3fb00ca" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450187", "to_ids": true, "type": "sha256", "uuid": "55cc444b-6954-4fe0-88c1-4207950d210b", "value": "d2c11706736fda2b178ac388206472fd8d050e0f13568c84b37683423acd155d" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450187", "to_ids": true, "type": "md5", "uuid": "55cc444b-e9d4-47b5-8a95-4f10950d210b", "value": "27d74523b182ae630c4e5236897e11f3" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450187", "to_ids": true, "type": "sha256", "uuid": "55cc444b-abe4-498c-881a-4e43950d210b", "value": "f1f61a0f9488be3925665f8063006f90fab1bf0bd0b6ff5f7799f8995ff8960e" }, { "category": "Payload delivery", "comment": "OtherDroppers", "deleted": false, "disable_correlation": false, "timestamp": "1439450187", "to_ids": true, "type": "md5", "uuid": "55cc444b-6338-4ded-99a6-4f54950d210b", "value": "1ab8d45656e245aca4e59aa0519f6ba0" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450203", "to_ids": true, "type": "sha256", "uuid": "55cc445b-3d2c-4d88-bdb8-41ad950d210b", "value": "1acae7c11fb559b81df5fc6d0df0fe502e87f674ca9f4aefc2d7d8f828ba7f5c" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450203", "to_ids": true, "type": "md5", "uuid": "55cc445b-4798-45f7-82fc-4c7d950d210b", "value": "76dda7ca15323fd658054e0550149b7b" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450203", "to_ids": true, "type": "sha256", "uuid": "55cc445b-dc5c-4515-84a6-4a59950d210b", "value": "3d78f52fa0c08d8bf3d42074bf76ee56aa233fb9a6bc76119998d085d94368ca" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450203", "to_ids": true, "type": "md5", "uuid": "55cc445b-1548-4fe1-9997-49c0950d210b", "value": "ca1a3618088f91b8fb2a30c9a9aa4aca" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450204", "to_ids": true, "type": "sha256", "uuid": "55cc445c-c2dc-4bce-8dc3-46f5950d210b", "value": "7d15bd854c1dfef847cdd3caabdf4ab81f2410ee5c7f91d377cc72eb81135ff4" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450204", "to_ids": true, "type": "md5", "uuid": "55cc445c-e6f8-4f9e-813a-4587950d210b", "value": "a2bb01b764491dd61fa3a7ba5afc709c" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450204", "to_ids": true, "type": "sha256", "uuid": "55cc445c-9d00-4fa7-93c8-422d950d210b", "value": "09c04206b57bb8582faffb37e4ebb6867a02492ffc08268bcbc717708d1a8919" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450204", "to_ids": true, "type": "md5", "uuid": "55cc445c-0a7c-4ff7-85c9-4807950d210b", "value": "a59053cc3f66e72540634eb7895824ac" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450204", "to_ids": true, "type": "sha256", "uuid": "55cc445c-57b8-4f00-b278-4046950d210b", "value": "12bb18fa9a12cb89dea3733b342940b80cd453886390079cb4c2ffcd664baeda" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450205", "to_ids": true, "type": "md5", "uuid": "55cc445d-9608-47f5-aef9-47ed950d210b", "value": "2bd0d2b5ee4e93717ea71445b102e38e" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450205", "to_ids": true, "type": "sha256", "uuid": "55cc445d-85f4-4e02-b8d4-4777950d210b", "value": "34e6fb074284e58ca80961feda4fe651d6d658077914a528a4a6efa91ecc749d" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450205", "to_ids": true, "type": "md5", "uuid": "55cc445d-d78c-449b-accb-4f0f950d210b", "value": "057028e46ea797834da401e4db7c860a" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450205", "to_ids": true, "type": "sha256", "uuid": "55cc445d-166c-439e-90af-4b19950d210b", "value": "90b20b1687909c2f76f750ba3fd4b14731ce736c08c3a8608d28eae3f4cd68f3" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450205", "to_ids": true, "type": "md5", "uuid": "55cc445d-e864-45cf-b346-4ad3950d210b", "value": "514423670de210f13092d6cb8916748e" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450206", "to_ids": true, "type": "sha256", "uuid": "55cc445e-151c-4505-ae5f-4b85950d210b", "value": "93accb71bf4e776955756c76990298decfebe4b1dd9fbf9d368e81dc1cb9532d" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450206", "to_ids": true, "type": "md5", "uuid": "55cc445e-900c-408f-b84f-426c950d210b", "value": "abb9f4fab64dd7a03574abdd1076b5ea" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450206", "to_ids": true, "type": "sha256", "uuid": "55cc445e-ac3c-49c6-a91b-4af9950d210b", "value": "99a09ad92cc1a2564f3051057383cb6268893bc4a62903eabf3538c6bfb3aa9c" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450206", "to_ids": true, "type": "md5", "uuid": "55cc445e-96d8-4d60-b4d5-49c5950d210b", "value": "542b00f903f945ad3a9291cb0af73446" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450206", "to_ids": true, "type": "sha256", "uuid": "55cc445e-0e88-4c2e-bec9-468c950d210b", "value": "339a5199e6d0b5f781b08b2ca0ad0495e75e52b8e2fd69e1d970388fbca7a0d6" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "md5", "uuid": "55cc445f-5158-49a0-b7c5-4e5c950d210b", "value": "a427ff7abb17af6cf5fb70c49e9bf4e1" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "sha256", "uuid": "55cc445f-dab0-4866-8658-4a32950d210b", "value": "340b09d661a6ac45af53c348a5c1846ad6323d34311e66454e46c1d38d53af8b" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "md5", "uuid": "55cc445f-dd48-44c8-9a6b-4512950d210b", "value": "2646f7159e1723f089d63e08c8bfaffb" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "sha256", "uuid": "55cc445f-facc-493c-8330-4b00950d210b", "value": "461dd5a58ffcad9fffba9181e234f2e0149c8b8ba28c7ea53753c74fdfa0b0d5" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "md5", "uuid": "55cc445f-484c-4d3f-a776-4745950d210b", "value": "609abb2a86c324bbb9ba1e253595e573" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450207", "to_ids": true, "type": "sha256", "uuid": "55cc445f-7bfc-450d-ab81-488d950d210b", "value": "4688afcc161603bfa1c997b6d71b9618be96f9ff980e5486c451b1cc2c5076cb" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450208", "to_ids": true, "type": "md5", "uuid": "55cc4460-2d84-45f2-9b79-4057950d210b", "value": "ae552fc43f1ba8684655d8bf8c6af869" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450208", "to_ids": true, "type": "sha256", "uuid": "55cc4460-1c18-4cd8-9ca7-4984950d210b", "value": "7492e84a30e890ebe3ca5140ad547965cc8c43f0a02f66be153b038a73ee5314" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450208", "to_ids": true, "type": "md5", "uuid": "55cc4460-2778-43fd-b47f-43d7950d210b", "value": "1234bf4f0f5debc800d85c1bd2255671" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450208", "to_ids": true, "type": "sha256", "uuid": "55cc4460-6cb0-4c1f-9d57-4c0b950d210b", "value": "61862a55dcf8212ce9dd4a8f0c92447a6c7093681c592eb937a247e38c8109d4" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450208", "to_ids": true, "type": "md5", "uuid": "55cc4460-4270-4f04-b3ab-434b950d210b", "value": "e685ea8b37f707f3706d7281b8f6816a" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450209", "to_ids": true, "type": "sha256", "uuid": "55cc4461-2e20-49c2-b5ac-4e44950d210b", "value": "95631685006ac92b7eb0755274e2a36a3c9058cf462dd46f9f4f66e8d67b9db2" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450209", "to_ids": true, "type": "md5", "uuid": "55cc4461-a388-464c-926a-428e950d210b", "value": "9179f4683ece450c1ac7a819b32bdb6d" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450209", "to_ids": true, "type": "sha256", "uuid": "55cc4461-1800-46f6-abf7-4a7d950d210b", "value": "b8b02cc57e45bcf500b433806e6a4f8af7f0ac0c5fc9adfd11820eebf4eb5d79" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450209", "to_ids": true, "type": "md5", "uuid": "55cc4461-9bf4-4aef-b26a-4026950d210b", "value": "cdc60eb93b594fb5e7e5895e2b441240" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450209", "to_ids": true, "type": "sha256", "uuid": "55cc4461-694c-4061-bc26-47a9950d210b", "value": "e57eb9f7fdf3f0e90b1755d947f1fe7bb65e67308f1f4a8c25bc2946512934b7" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450210", "to_ids": true, "type": "md5", "uuid": "55cc4462-9588-464d-ac91-49a3950d210b", "value": "39b67cc6dae5214328022c44f28ced8b" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450210", "to_ids": true, "type": "sha256", "uuid": "55cc4462-7df0-4c13-8c81-424d950d210b", "value": "e3892d2d9f87ea848477529458d025898b24a6802eb4df13e96b0314334635d0" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450210", "to_ids": true, "type": "md5", "uuid": "55cc4462-7100-49c1-8e23-416b950d210b", "value": "3813b848162261cc5982dd64c741b450" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450210", "to_ids": true, "type": "sha256", "uuid": "55cc4462-c640-4e8e-b471-4641950d210b", "value": "f1d7e36af4c30bf3d680c87bbc4430de282d00323bf8ae9e17b04862af286736" }, { "category": "Payload delivery", "comment": "USBSpreaders", "deleted": false, "disable_correlation": false, "timestamp": "1439450210", "to_ids": true, "type": "md5", "uuid": "55cc4462-7794-4fdb-82b1-472e950d210b", "value": "35724e234f6258e601257fb219db9079" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440874739", "to_ids": true, "type": "yara", "uuid": "55e200f3-9ea8-4758-a9b4-4f4a950d210b", "value": "// Operation Potao yara rules\r\n// For feedback or questions contact us at: github@eset.com\r\n// https://github.com/eset/malware-ioc/\r\n//\r\n// These yara rules are provided to the community under the two-clause BSD\r\n// license as follows:\r\n//\r\n// Copyright (c) 2015, ESET\r\n// All rights reserved.\r\n//\r\n// Redistribution and use in source and binary forms, with or without\r\n// modification, are permitted provided that the following conditions are met:\r\n//\r\n// 1. Redistributions of source code must retain the above copyright notice, this\r\n// list of conditions and the following disclaimer.\r\n//\r\n// 2. Redistributions in binary form must reproduce the above copyright notice,\r\n// this list of conditions and the following disclaimer in the documentation\r\n// and/or other materials provided with the distribution.\r\n//\r\n// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\r\n// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\r\n// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\r\n// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\r\n// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\r\n// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\r\n// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\r\n// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\r\n// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\n// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\r\n//\r\nprivate rule PotaoDecoy\r\n{\r\n strings:\r\n $mz = { 4d 5a }\r\n $str1 = \"eroqw11\"\r\n $str2 = \"2sfsdf\"\r\n $str3 = \"RtlDecompressBuffer\"\r\n $wiki_str = \"spanned more than 100 years and ruined three consecutive\" wide\r\n\r\n $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}\r\n $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00} \r\n condition:\r\n ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )\r\n}\r\nprivate rule PotaoDll\r\n{\r\n strings:\r\n $mz = { 4d 5a }\r\n \r\n $dllstr1 = \"?AVCncBuffer@@\"\r\n $dllstr2 = \"?AVCncRequest@@\"\r\n $dllstr3 = \"Petrozavodskaya, 11, 9\"\r\n $dllstr4 = \"_Scan@0\"\r\n $dllstr5 = \"\\x00/sync/document/\"\r\n $dllstr6 = \"\\\\temp.temp\"\r\n \r\n $dllname1 = \"node69MainModule.dll\"\r\n $dllname2 = \"node69-main.dll\"\r\n $dllname3 = \"node69MainModuleD.dll\"\r\n $dllname4 = \"task-diskscanner.dll\"\r\n $dllname5 = \"\\x00Screen.dll\"\r\n $dllname6 = \"Poker2.dll\" \r\n $dllname7 = \"PasswordStealer.dll\"\r\n $dllname8 = \"KeyLog2Runner.dll\" \r\n $dllname9 = \"GetAllSystemInfo.dll\" \r\n $dllname10 = \"FilePathStealer.dll\" \r\n condition:\r\n ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))\r\n}\r\nprivate rule PotaoUSB\r\n{\r\n strings:\r\n $mz = { 4d 5a }\r\n \r\n $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }\r\n $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}\r\n condition:\r\n ($mz at 0) and any of ($binary*)\r\n}\r\nprivate rule PotaoSecondStage\r\n{\r\n strings:\r\n $mz = { 4d 5a }\r\n // hash of CryptBinaryToStringA and CryptStringToBinaryA\r\n $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}\r\n // old hash of CryptBinaryToStringA and CryptStringToBinaryA\r\n $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}\r\n $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}\r\n \r\n $str1 = \"?AVCrypt32Import@@\"\r\n $str2 = \"%.5llx\"\r\n condition:\r\n ($mz at 0) and any of ($binary*) and any of ($str*)\r\n}\r\nrule Potao\r\n{\r\n meta:\r\n Author = \"Anton Cherepanov\"\r\n Date = \"2015/07/29\"\r\n Description = \"Operation Potao\"\r\n Reference = \"http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf\"\r\n Source = \"https://github.com/eset/malware-ioc/\"\r\n Contact = \"threatintel@eset.com\"\r\n License = \"BSD 2-Clause\"\r\n condition:\r\n PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage\r\n}" }, { "category": "Payload delivery", "comment": "Automatically added (via 85b0e3264820008a30f17ca19332fa19)", "deleted": false, "disable_correlation": false, "timestamp": "1455857296", "to_ids": true, "type": "sha1", "uuid": "56c69e90-fc44-4264-9e4e-45ab950d210f", "value": "ce7f96b400ed51f7fab465dea26147984f2627bd" }, { "category": "Payload delivery", "comment": "Automatically added (via ac854a3c91d52bfc09605506e76975ae)", "deleted": false, "disable_correlation": false, "timestamp": "1455857298", "to_ids": true, "type": "sha1", "uuid": "56c69e92-852c-45eb-928d-4322950d210f", "value": "52e59cd4c864fbfc9902a144ed5e68c9ded45deb" }, { "category": "Payload delivery", "comment": "Automatically added (via 3b7d88a069631111d5585b1b10cccc86)", "deleted": false, "disable_correlation": false, "timestamp": "1455857299", "to_ids": true, "type": "sha1", "uuid": "56c69e93-42b8-4267-9c06-c650950d210f", "value": "642be4b2a87b47e77814744d154094392e413ab1" }, { "category": "Payload delivery", "comment": "Automatically added (via d1658b792dd1569abc27966083f59d44)", "deleted": false, "disable_correlation": false, "timestamp": "1455857300", "to_ids": true, "type": "sha1", "uuid": "56c69e94-0ec4-454d-ba48-4c0d950d210f", "value": "18ddcd41dccfbbd904347ea75bc9413ff6dc8786" }, { "category": "Payload delivery", "comment": "Automatically added (via 0c7183d761f15772b7e9c788be601d29)", "deleted": false, "disable_correlation": false, "timestamp": "1455857301", "to_ids": true, "type": "sha1", "uuid": "56c69e95-1d38-4d6b-b371-5ca1950d210f", "value": "d88c7c1e465bea7bf7377c08fba3aaf77cbf485f" }, { "category": "Payload delivery", "comment": "Automatically added (via a35e48909a49334a7ebb5448a78dcff9)", "deleted": false, "disable_correlation": false, "timestamp": "1455857302", "to_ids": true, "type": "sha1", "uuid": "56c69e96-41d8-47da-b2fc-59a4950d210f", "value": "81efb422ed2631c739cc690d0a9a5eaa07897531" }, { "category": "Payload delivery", "comment": "Automatically added (via 502f35002b1a95f1ae135baff6cff836)", "deleted": false, "disable_correlation": false, "timestamp": "1455857303", "to_ids": true, "type": "sha1", "uuid": "56c69e97-db3c-4443-a8a4-599e950d210f", "value": "5c52996d9f68ba6fd0da4982f238ec1d279a7f9d" }, { "category": "Payload delivery", "comment": "Automatically added (via a446ced5db1de877cf78f77741e2a804)", "deleted": false, "disable_correlation": false, "timestamp": "1455857304", "to_ids": true, "type": "sha1", "uuid": "56c69e98-9db8-4d50-ab6f-59a1950d210f", "value": "8839d3e213717b88a06ffc48827929891a10059e" }, { "category": "Payload delivery", "comment": "Automatically added (via d939a05e1e3c9d7b6127d503c025dbc4)", "deleted": false, "disable_correlation": false, "timestamp": "1455857305", "to_ids": true, "type": "sha1", "uuid": "56c69e99-0660-470d-be5c-4372950d210f", "value": "eb86615f539e35a8d3e4838949382d09743502bf" }, { "category": "Payload delivery", "comment": "Automatically added (via 14634d446471b9e2f55158d9ac09d0b2)", "deleted": false, "disable_correlation": false, "timestamp": "1455857306", "to_ids": true, "type": "sha1", "uuid": "56c69e9a-8834-4dc1-be46-59a0950d210f", "value": "e400e1dd983fd94e29345aabc77fadeb3f43c219" }, { "category": "Payload delivery", "comment": "Automatically added (via 7263a328f0d47c76b4e103546b648484)", "deleted": false, "disable_correlation": false, "timestamp": "1455857307", "to_ids": true, "type": "sha1", "uuid": "56c69e9b-09f4-4de3-8a0c-599d950d210f", "value": "ba35edc3143ad021bb2490a3eb7b50c06f2ea40b" }, { "category": "Payload delivery", "comment": "Automatically added (via bdc9255df5385f534fea83b497c371c8)", "deleted": false, "disable_correlation": false, "timestamp": "1455857308", "to_ids": true, "type": "sha1", "uuid": "56c69e9c-0474-4ba3-880d-c653950d210f", "value": "73a4a6864ef68c810c7c699ed51b759cf1c4adfb" }, { "category": "Payload delivery", "comment": "Automatically added (via 5199fcd031987834ed3121fb316f4970)", "deleted": false, "disable_correlation": false, "timestamp": "1455857310", "to_ids": true, "type": "sha1", "uuid": "56c69e9e-2a04-420a-b94d-59a3950d210f", "value": "9d584de2cce6b654e62573938c2c824d7cc7d0eb" }, { "category": "Payload delivery", "comment": "Automatically added (via 65f494580c95e10541d1f377c0a7bd49)", "deleted": false, "disable_correlation": false, "timestamp": "1455857311", "to_ids": true, "type": "sha1", "uuid": "56c69e9f-23a4-4342-9ac1-445c950d210f", "value": "cc9bdbe37cbaf0cc634076950fd32d9a377de650" }, { "category": "Payload delivery", "comment": "Automatically added (via a4b0615cb639607e6905437dd900c059)", "deleted": false, "disable_correlation": false, "timestamp": "1455857312", "to_ids": true, "type": "sha1", "uuid": "56c69ea0-eb30-4319-8242-c654950d210f", "value": "a4d685fca8afe9885db75282516006f5bc56c098" }, { "category": "Payload delivery", "comment": "Automatically added (via 07e99b2f572b84af5c4504c23f1653bb)", "deleted": false, "disable_correlation": false, "timestamp": "1455857314", "to_ids": true, "type": "sha1", "uuid": "56c69ea2-6bb8-461d-a4e4-599d950d210f", "value": "0ae4e6e6fa1b1f8161a74525d4cb5a1808abfaf4" }, { "category": "Payload delivery", "comment": "Automatically added (via 1927a80cd45f0d27b1ae034c11ddedb0)", "deleted": false, "disable_correlation": false, "timestamp": "1455857315", "to_ids": true, "type": "sha1", "uuid": "56c69ea3-5468-48a7-a99d-5ca1950d210f", "value": "94bbf39fff09b3a62a583c7d45a00b2492102dd7" }, { "category": "Payload delivery", "comment": "Automatically added (via 579ad4a596602a10b7cf4659b6b6909d)", "deleted": false, "disable_correlation": false, "timestamp": "1455857316", "to_ids": true, "type": "sha1", "uuid": "56c69ea4-c028-4060-bf72-59a4950d210f", "value": "ec0563cde3ffaff424b97d7eb692847132344127" }, { "category": "Payload delivery", "comment": "Automatically added (via e64eb8b571f655b744c9154d8032caef)", "deleted": false, "disable_correlation": false, "timestamp": "1455857317", "to_ids": true, "type": "sha1", "uuid": "56c69ea5-58cc-47f2-918d-59a1950d210f", "value": "f347da9aad52b717641ad3dd96925ab634ceb572" }, { "category": "Payload delivery", "comment": "Automatically added (via d755e52ba5658a639c778c22d1a906a3)", "deleted": false, "disable_correlation": false, "timestamp": "1455857318", "to_ids": true, "type": "sha1", "uuid": "56c69ea6-85f0-47b6-ada2-5ca1950d210f", "value": "9be3800b49e84e0c014852977557f21bcde2a775" }, { "category": "Payload delivery", "comment": "Automatically added (via b4d909077aa25f31386722e716a5305c)", "deleted": false, "disable_correlation": false, "timestamp": "1455857320", "to_ids": true, "type": "sha1", "uuid": "56c69ea8-2418-4718-9ec1-5f51950d210f", "value": "f8bcdad02da2e0223f45f15da4fbab053e73cf6e" }, { "category": "Payload delivery", "comment": "Automatically added (via fc4b285088413127b6d827656b9d0481)", "deleted": false, "disable_correlation": false, "timestamp": "1455857321", "to_ids": true, "type": "sha1", "uuid": "56c69ea9-ea30-48e3-aa1d-c654950d210f", "value": "fbb399568e0a3b2e461a4eb3268abdf07f3d5764" }, { "category": "Payload delivery", "comment": "Automatically added (via 73e7ee83133a175b815059f1af79ab1b)", "deleted": false, "disable_correlation": false, "timestamp": "1455857322", "to_ids": true, "type": "sha1", "uuid": "56c69eaa-784c-4120-9335-4781950d210f", "value": "2cdd6aabb71fdb244baa313ebba13f06bcad2612" }, { "category": "Payload delivery", "comment": "Automatically added (via eebbcb1ed5f5606aec296168dee39166)", "deleted": false, "disable_correlation": false, "timestamp": "1455857323", "to_ids": true, "type": "sha1", "uuid": "56c69eab-cbc4-4482-b2bb-4cfb950d210f", "value": "bcc5a0ce0bcdfea2fd1d64b5529eac7309488273" }, { "category": "Payload delivery", "comment": "Automatically added (via 5a24a7370f35dbdbb81adf52e769a442)", "deleted": false, "disable_correlation": false, "timestamp": "1455857324", "to_ids": true, "type": "sha1", "uuid": "56c69eac-b2f8-4b51-9102-59a0950d210f", "value": "4d5e0808a03a75bfe8202e3a6d2920eddbfc7774" }, { "category": "Payload delivery", "comment": "Automatically added (via 38e708fea8016520cb25d3cb933f2244)", "deleted": false, "disable_correlation": false, "timestamp": "1455857327", "to_ids": true, "type": "sha1", "uuid": "56c69eaf-3998-4378-a183-4a58950d210f", "value": "1b278a1a5e109f32b526660087aea99fb8d89403" }, { "category": "Payload delivery", "comment": "Automatically added (via 360df4c2f2b99052c07e08edbe15ab2c)", "deleted": false, "disable_correlation": false, "timestamp": "1455857328", "to_ids": true, "type": "sha1", "uuid": "56c69eb0-ed34-4b9a-84cf-c652950d210f", "value": "855ca024afba0dc09d336a0896318d5cc47f03a6" }, { "category": "Payload delivery", "comment": "Automatically added (via 89a3ea3967745e04199ebf222494452e)", "deleted": false, "disable_correlation": false, "timestamp": "1455857329", "to_ids": true, "type": "sha1", "uuid": "56c69eb1-82ac-4194-a49b-599c950d210f", "value": "d8837002a04f4c93cc3b857f6a42ced6c9f3b882" }, { "category": "Payload delivery", "comment": "Automatically added (via 6ba88e8e74b12c914483c026ae92eb42)", "deleted": false, "disable_correlation": false, "timestamp": "1455857330", "to_ids": true, "type": "sha1", "uuid": "56c69eb2-1c80-42c7-a8a9-4dfa950d210f", "value": "4332a5ad314616d9319c248d41c7d1a709124db2" }, { "category": "Payload delivery", "comment": "Automatically added (via 043f99a875424ca0023a21739dba51ef)", "deleted": false, "disable_correlation": false, "timestamp": "1455857331", "to_ids": true, "type": "sha1", "uuid": "56c69eb3-077c-425e-bf78-4705950d210f", "value": "ba5ad566a28d7712e0a64899d4675c06139f3ff0" }, { "category": "Payload delivery", "comment": "Automatically added (via 02d438df779affddaf02ca995c60cecb)", "deleted": false, "disable_correlation": false, "timestamp": "1455857333", "to_ids": true, "type": "sha1", "uuid": "56c69eb5-9820-46c4-a661-599d950d210f", "value": "ff6f6dcbedc24d22541013d2273c63b5f0f19fe9" }, { "category": "Payload delivery", "comment": "Automatically added (via 11b4e7ea6bae19a29343ae3ff3fb00ca)", "deleted": false, "disable_correlation": false, "timestamp": "1455857334", "to_ids": true, "type": "sha1", "uuid": "56c69eb6-77ec-4a20-ad16-599e950d210f", "value": "12240271e928979ab2347c29b5599d6ac7cd6b8e" }, { "category": "Payload delivery", "comment": "Automatically added (via 27d74523b182ae630c4e5236897e11f3)", "deleted": false, "disable_correlation": false, "timestamp": "1455857335", "to_ids": true, "type": "sha1", "uuid": "56c69eb7-545c-40e5-a4e0-59a4950d210f", "value": "76da7b4abc9b711ab1ef87b97c61dd895e508232" }, { "category": "Payload delivery", "comment": "Automatically added (via 1ab8d45656e245aca4e59aa0519f6ba0)", "deleted": false, "disable_correlation": false, "timestamp": "1455857336", "to_ids": true, "type": "sha1", "uuid": "56c69eb8-4aa0-42d9-8f21-59a2950d210f", "value": "5bea9423db6d0500920578c12cb127cbafdd125e" }, { "category": "Payload delivery", "comment": "Automatically added (via 76dda7ca15323fd658054e0550149b7b)", "deleted": false, "disable_correlation": false, "timestamp": "1455857337", "to_ids": true, "type": "sha1", "uuid": "56c69eb9-7318-4f8e-98b5-c650950d210f", "value": "bb0500a24853e404ad6ca708813f926b90b38468" }, { "category": "Payload delivery", "comment": "Automatically added (via ca1a3618088f91b8fb2a30c9a9aa4aca)", "deleted": false, "disable_correlation": false, "timestamp": "1455857338", "to_ids": true, "type": "sha1", "uuid": "56c69eba-554c-40da-9557-5ca1950d210f", "value": "db966220463db87c2c51c19303b3a20f4577d632" }, { "category": "Payload delivery", "comment": "Automatically added (via a2bb01b764491dd61fa3a7ba5afc709c)", "deleted": false, "disable_correlation": false, "timestamp": "1455857340", "to_ids": true, "type": "sha1", "uuid": "56c69ebc-2c7c-4a5a-8b59-c652950d210f", "value": "224a07f002e8dfb3f2b615b3fa71166cf1a61b6d" }, { "category": "Payload delivery", "comment": "Automatically added (via a59053cc3f66e72540634eb7895824ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455857341", "to_ids": true, "type": "sha1", "uuid": "56c69ebd-a430-4383-8415-599e950d210f", "value": "971a69547c5bc9b711a3bb6f6f2c5e3a46bf7b29" }, { "category": "Payload delivery", "comment": "Automatically added (via 2bd0d2b5ee4e93717ea71445b102e38e)", "deleted": false, "disable_correlation": false, "timestamp": "1455857342", "to_ids": true, "type": "sha1", "uuid": "56c69ebe-03bc-495c-9ad1-42e5950d210f", "value": "5be1ac1515da2397a7c52a8b1df384dd938fa714" }, { "category": "Payload delivery", "comment": "Automatically added (via 057028e46ea797834da401e4db7c860a)", "deleted": false, "disable_correlation": false, "timestamp": "1455857343", "to_ids": true, "type": "sha1", "uuid": "56c69ebf-43a0-44d4-b602-c650950d210f", "value": "bb7a089bae3a4af44fb9b053bb703239e03c036e" }, { "category": "Payload delivery", "comment": "Automatically added (via 514423670de210f13092d6cb8916748e)", "deleted": false, "disable_correlation": false, "timestamp": "1455857345", "to_ids": true, "type": "sha1", "uuid": "56c69ec1-b4cc-4e8b-8f28-5ca1950d210f", "value": "5d4724fba02965916a15a50a6937cdb6ab609fdd" }, { "category": "Payload delivery", "comment": "Automatically added (via abb9f4fab64dd7a03574abdd1076b5ea)", "deleted": false, "disable_correlation": false, "timestamp": "1455857346", "to_ids": true, "type": "sha1", "uuid": "56c69ec2-f910-4ddd-89c0-599d950d210f", "value": "c1d8be765adcf76e5ccb2cf094191c0fec4bf085" }, { "category": "Payload delivery", "comment": "Automatically added (via 542b00f903f945ad3a9291cb0af73446)", "deleted": false, "disable_correlation": false, "timestamp": "1455857347", "to_ids": true, "type": "sha1", "uuid": "56c69ec3-7914-4ed4-a57f-c653950d210f", "value": "7664c490160858ec8cfc8203f88d354aea1cfe43" }, { "category": "Payload delivery", "comment": "Automatically added (via a427ff7abb17af6cf5fb70c49e9bf4e1)", "deleted": false, "disable_correlation": false, "timestamp": "1455857348", "to_ids": true, "type": "sha1", "uuid": "56c69ec4-a450-4c2d-80fd-c652950d210f", "value": "71a5da3ccb4347fe785c6bfff7b741af80b76091" }, { "category": "Payload delivery", "comment": "Automatically added (via 2646f7159e1723f089d63e08c8bfaffb)", "deleted": false, "disable_correlation": false, "timestamp": "1455857349", "to_ids": true, "type": "sha1", "uuid": "56c69ec5-4490-4841-91bd-5f51950d210f", "value": "48904399f7726b9adf7f28c07b0599717f741b8b" }, { "category": "Payload delivery", "comment": "Automatically added (via 609abb2a86c324bbb9ba1e253595e573)", "deleted": false, "disable_correlation": false, "timestamp": "1455857350", "to_ids": true, "type": "sha1", "uuid": "56c69ec6-7d6c-4de6-bf3e-59a1950d210f", "value": "5b30ecfd47988a77556fe6c0c0b950510052c91e" }, { "category": "Payload delivery", "comment": "Automatically added (via ae552fc43f1ba8684655d8bf8c6af869)", "deleted": false, "disable_correlation": false, "timestamp": "1455857351", "to_ids": true, "type": "sha1", "uuid": "56c69ec7-5b6c-48fe-bb28-59a4950d210f", "value": "b80a90b39fba705f86676c5cc3e0deca225d57ff" }, { "category": "Payload delivery", "comment": "Automatically added (via 1234bf4f0f5debc800d85c1bd2255671)", "deleted": false, "disable_correlation": false, "timestamp": "1455857352", "to_ids": true, "type": "sha1", "uuid": "56c69ec8-fd0c-4669-8f1e-491e950d210f", "value": "2531f40a1d9e50793d04d245fd6185aaebcc54f4" }, { "category": "Payload delivery", "comment": "Automatically added (via e685ea8b37f707f3706d7281b8f6816a)", "deleted": false, "disable_correlation": false, "timestamp": "1455857353", "to_ids": true, "type": "sha1", "uuid": "56c69ec9-a8ac-406a-ac42-c653950d210f", "value": "56f6ac6197ce9cc774f72df948b414eed576b6c3" }, { "category": "Payload delivery", "comment": "Automatically added (via 9179f4683ece450c1ac7a819b32bdb6d)", "deleted": false, "disable_correlation": false, "timestamp": "1455857354", "to_ids": true, "type": "sha1", "uuid": "56c69eca-a14c-40f4-8fd9-59a3950d210f", "value": "791ecf11c04470e9ea881549aebd1dded3e4a5ca" }, { "category": "Payload delivery", "comment": "Automatically added (via cdc60eb93b594fb5e7e5895e2b441240)", "deleted": false, "disable_correlation": false, "timestamp": "1455857355", "to_ids": true, "type": "sha1", "uuid": "56c69ecb-c15c-49ba-8a25-5ca1950d210f", "value": "181e9bca23484156cae005f421629da56b5cc6b5" }, { "category": "Payload delivery", "comment": "Automatically added (via 39b67cc6dae5214328022c44f28ced8b)", "deleted": false, "disable_correlation": false, "timestamp": "1455857356", "to_ids": true, "type": "sha1", "uuid": "56c69ecc-f068-4acb-854e-c654950d210f", "value": "f6f290a95d68373da813782ef4723e39524d048b" }, { "category": "Payload delivery", "comment": "Automatically added (via 3813b848162261cc5982dd64c741b450)", "deleted": false, "disable_correlation": false, "timestamp": "1455857358", "to_ids": true, "type": "sha1", "uuid": "56c69ece-cbac-43d8-9827-599c950d210f", "value": "37a3e77bfa6ca1afbd0af7661655815fb1d3da83" }, { "category": "Payload delivery", "comment": "Automatically added (via 35724e234f6258e601257fb219db9079)", "deleted": false, "disable_correlation": false, "timestamp": "1455857359", "to_ids": true, "type": "sha1", "uuid": "56c69ecf-f6d0-416b-bdca-c650950d210f", "value": "850c9f3b14f895aaa97a85ae147f07c9770fb4c7" } ] } }