{ "Event": { "analysis": "2", "date": "2017-03-30", "extends_uuid": "", "info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor", "publish_timestamp": "1493409751", "published": true, "threat_level_id": "3", "timestamp": "1493403824", "uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#065100", "local": false, "name": "misp-galaxy:tool=\"Turla\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": false, "type": "link", "uuid": "58dcfe9d-297c-4342-9155-42b6950d210f", "value": "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": false, "type": "text", "uuid": "58dcfed4-9290-4b22-a5c4-4530950d210f", "value": "The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.\r\n\r\nThis blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.\r\n\r\nLooking at the different version numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see the new versions are pushed out regularly. The group is also known to change its tools once they are exposed. 
As such, we have seen that between two major versions, mutexes and file names are being changed." }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfef9-5b0c-4d85-b0d8-4490950d210f", "value": "7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefa-f510-40f2-89a7-4b17950d210f", "value": "a08b8371ead1919500a4759c2f46553620d5a9d9" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefa-25e0-413a-9a20-45b9950d210f", "value": "4636dccac5acf1d95a474747bb7bcd9b1a506cc3" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefb-62cc-407b-8f80-469b950d210f", "value": "cbde204e7641830017bb84b89223131b2126bc46" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefc-c1e0-45bc-8145-4d80950d210f", "value": "1ad46547e3dc264f940bf62df455b26e65b0101f" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefd-d154-4651-8701-43e1950d210f", "value": "a28164de29e51f154be12d163ce5818fceb69233" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfefe-4d10-40ba-b545-486f950d210f", "value": 
"7c43f5df784bf50423620d8f1c96e43d8d9a9b28" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfeff-92dc-4bf1-93d7-4fb7950d210f", "value": "7ce746bb988cb3b7e64f08174bdb02938555ea53" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcfeff-6fac-4823-aab5-42c6950d210f", "value": "20393222d4eb1ba72a6536f7e67e139aadfa47fe" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff00-b88c-4883-808c-409b950d210f", "value": "1dbfcb9005abb2c83ffa6a3127257a009612798c" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff01-9700-41b4-9edd-4ef4950d210f", "value": "2f7e335e092e04f3f4734b60c5345003d10aa15d" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff02-93c4-4d80-8cf6-43f9950d210f", "value": "311f399c299741e80db8bec65bbf4b56109eedaf" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff03-df24-4707-97e5-4199950d210f", "value": "fbc43636e3c9378162f3b9712cb6d87bd48ddbd3" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff04-7f1c-4262-9be6-4692950d210f", "value": "554f59c1578f4ee77dbba6a23507401359a59f23" }, { "category": "Payload delivery", "comment": 
"Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff04-eb80-4341-85fb-44a7950d210f", "value": "2227fd6fc9d669a9b66c59593533750477669557" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff05-ae78-4cf2-9304-4cdd950d210f", "value": "87d718f2d6e46c53490c6a22de399c13f05336f0" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff06-9a44-4ae6-847b-45ae950d210f", "value": "1b233af41106d7915f6fa6fd1448b7f070b47eb3" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff07-2680-4a30-b9d7-4011950d210f", "value": "851e538357598ed96f0123b47694e25c2d52552b" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff08-1a34-4739-8962-4427950d210f", "value": "744b43d8c0fe8b217acf0494ad992df6d5191ed9" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff09-929c-4759-9bb9-41ea950d210f", "value": "bcf52240cc7940185ce424224d39564257610340" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff09-ca80-4976-8dcc-402b950d210f", "value": "777e2695ae408e1578a16991373144333732c3f6" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", 
"to_ids": true, "type": "sha1", "uuid": "58dcff0a-1624-4412-a929-4c3a950d210f", "value": "56b5627debb93790fdbcc9ecbffc3260adeafbab" }, { "category": "Payload delivery", "comment": "Carbon sample", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "sha1", "uuid": "58dcff0b-ee34-4335-909c-4b7e950d210f", "value": "678d486e21b001deb58353ca0255e3e5678f9614" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": "58dcff6e-1954-4818-a306-44d9950d210f", "value": "http://soheylistore.ir:80:/modules/mod_feed/feed.php" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": "58dcff6f-9334-4ff6-974f-41de950d210f", "value": "http://tazohor.com:80:/wp-includes/feed-rss-comments.php" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": "58dcff70-0fb0-4437-9781-4b6e950d210f", "value": "http://jucheafrica.com:80:/wp-includes/class-wp-edit.php" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": "58dcff71-7df8-45e7-8147-43a9950d210f", "value": "http://61paris.fr:80:/wp-includes/ms-set.php" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": 
"58dcff72-f5c0-4a48-905e-449a950d210f", "value": "http://doctorshand.org:80:/wp-content/about/" }, { "category": "Network activity", "comment": "C&C server addresses (hacked websites used as 1st level of proxies", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "url", "uuid": "58dcff73-fb90-4c4e-9f60-4227950d210f", "value": "http://www.lasac.eu:80:/credit_payment/url/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "yara", "uuid": "58dcffa3-f8f4-4c59-bbe4-4dc1950d210f", "value": "rule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153SERVICE.EXE\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSIMGHLP.DLL\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSXIML.DLL\u00e2\u20ac\u009d)\r\nand pe.version_info[\u00e2\u20ac\u0153CompanyName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153Microsoft Corporation\u00e2\u20ac\u009d\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490878466", "to_ids": true, "type": "yara", "uuid": "58dcffbe-0f98-439c-a916-4524950d210f", "value": "rule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u00e2\u20ac\u0153ModStart\u00e2\u20ac\u009d\r\n$s2 = \u00e2\u20ac\u0153ModuleStart\u00e2\u20ac\u009d\r\n$t1 = \u00e2\u20ac\u0153STOP|OK\u00e2\u20ac\u009d\r\n$t2 = \u00e2\u20ac\u0153STOP|KILL\u00e2\u20ac\u009d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493403824", "to_ids": true, "type": "yara", "uuid": "58dcffdf-e07c-4be4-b0af-4180950d210f", "value": "import 
\"pe\"\r\nimport \"hash\"\r\n\r\nrule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u00e2\u20ac\u0153ModStart\u00e2\u20ac\u009d\r\n$s2 = \u00e2\u20ac\u0153STOP|OK\u00e2\u20ac\u009d\r\n$s3 = \u00e2\u20ac\u0153STOP|KILL\u00e2\u20ac\u009d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and all of them\r\n}\r\n\r\nrule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153SERVICE.EXE\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSIMGHLP.DLL\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSXIML.DLL\u00e2\u20ac\u009d)\r\nand pe.version_info[\u00e2\u20ac\u0153CompanyName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153Microsoft Corporation\u00e2\u20ac\u009d\r\nand not (tags contains \u00e2\u20ac\u0153signed\u00e2\u20ac\u009d)\r\n}\r\n\r\nrule carbon_2016_filenames\r\n{\r\ncondition:\r\nfile_name contains \u00e2\u20ac\u0153wkstrend.xml\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153cifrado.xml\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153fsbootfail.dat\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153encodebase.inf\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153zcerterror.png\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153mkfieldsec.dll\u00e2\u20ac\u009d\r\n}" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab", "deleted": false, "disable_correlation": false, "timestamp": "1490878496", "to_ids": true, "type": "sha256", "uuid": "58dd0020-5a10-4542-bdee-436202de0b81", "value": "af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab", "deleted": false, "disable_correlation": false, "timestamp": 
"1490878497", "to_ids": true, "type": "md5", "uuid": "58dd0021-383c-416f-9302-4ba602de0b81", "value": "4085820a53a7f8dd58d4ba5ecf94e42b" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab", "deleted": false, "disable_correlation": false, "timestamp": "1490878497", "to_ids": false, "type": "link", "uuid": "58dd0021-2968-4da8-bfcb-481702de0b81", "value": "https://www.virustotal.com/file/af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4/analysis/1459899966/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6", "deleted": false, "disable_correlation": false, "timestamp": "1490878498", "to_ids": true, "type": "sha256", "uuid": "58dd0022-213c-42a4-9fac-460602de0b81", "value": "050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6", "deleted": false, "disable_correlation": false, "timestamp": "1490878499", "to_ids": true, "type": "md5", "uuid": "58dd0023-17f4-444c-89ca-428302de0b81", "value": "1fb407a20373f3970f08d3f3c086841d" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6", "deleted": false, "disable_correlation": false, "timestamp": "1490878500", "to_ids": false, "type": "link", "uuid": "58dd0024-6ac8-434b-877c-430c02de0b81", "value": "https://www.virustotal.com/file/050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a/analysis/1487311234/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340", "deleted": false, "disable_correlation": false, "timestamp": "1490878501", "to_ids": true, "type": "sha256", "uuid": "58dd0025-cec4-42ff-a43d-48ef02de0b81", "value": "2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47" 
}, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340", "deleted": false, "disable_correlation": false, "timestamp": "1490878502", "to_ids": true, "type": "md5", "uuid": "58dd0026-146c-465b-acd3-434502de0b81", "value": "13a81d857610d05f387c1aa86b4b49b9" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340", "deleted": false, "disable_correlation": false, "timestamp": "1490878503", "to_ids": false, "type": "link", "uuid": "58dd0027-e934-4d33-a983-412202de0b81", "value": "https://www.virustotal.com/file/2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47/analysis/1460698324/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9", "deleted": false, "disable_correlation": false, "timestamp": "1490878504", "to_ids": true, "type": "sha256", "uuid": "58dd0028-37f4-473e-9d2f-4caf02de0b81", "value": "995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9", "deleted": false, "disable_correlation": false, "timestamp": "1490878505", "to_ids": true, "type": "md5", "uuid": "58dd0029-2d4c-47cb-ac4c-4beb02de0b81", "value": "278e56c4b171d4d8799b9a77c31e4484" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9", "deleted": false, "disable_correlation": false, "timestamp": "1490878506", "to_ids": false, "type": "link", "uuid": "58dd002a-5acc-4d51-b75b-468e02de0b81", "value": "https://www.virustotal.com/file/995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16/analysis/1460698430/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b", "deleted": false, "disable_correlation": false, 
"timestamp": "1490878506", "to_ids": true, "type": "sha256", "uuid": "58dd002a-f7b4-4527-853e-4fa002de0b81", "value": "c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b", "deleted": false, "disable_correlation": false, "timestamp": "1490878507", "to_ids": true, "type": "md5", "uuid": "58dd002b-43c4-483a-b84e-4f0202de0b81", "value": "3b28045c0636f455a3fdf75bd44256ba" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b", "deleted": false, "disable_correlation": false, "timestamp": "1490878508", "to_ids": false, "type": "link", "uuid": "58dd002c-2a44-4162-8831-449d02de0b81", "value": "https://www.virustotal.com/file/c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47/analysis/1460104267/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3", "deleted": false, "disable_correlation": false, "timestamp": "1490878509", "to_ids": true, "type": "sha256", "uuid": "58dd002d-ee14-4e08-83e8-468b02de0b81", "value": "d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3", "deleted": false, "disable_correlation": false, "timestamp": "1490878510", "to_ids": true, "type": "md5", "uuid": "58dd002e-38d0-496d-b553-488302de0b81", "value": "1c84038a7aac6342894d5896a390913d" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3", "deleted": false, "disable_correlation": false, "timestamp": "1490878511", "to_ids": false, "type": "link", "uuid": "58dd002f-e984-4cc5-93e2-427202de0b81", "value": 
"https://www.virustotal.com/file/d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db/analysis/1463398122/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0", "deleted": false, "disable_correlation": false, "timestamp": "1490878512", "to_ids": true, "type": "sha256", "uuid": "58dd0030-18bc-45aa-9365-4a3502de0b81", "value": "7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0", "deleted": false, "disable_correlation": false, "timestamp": "1490878512", "to_ids": true, "type": "md5", "uuid": "58dd0030-6898-4767-9ad6-4ea602de0b81", "value": "ea23d67e41d1f0a7f7e7a8b59e7cb60f" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0", "deleted": false, "disable_correlation": false, "timestamp": "1490878513", "to_ids": false, "type": "link", "uuid": "58dd0031-cac4-4c84-9ebc-4c4a02de0b81", "value": "https://www.virustotal.com/file/7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121/analysis/1490735057/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557", "deleted": false, "disable_correlation": false, "timestamp": "1490878514", "to_ids": true, "type": "sha256", "uuid": "58dd0032-fa80-4125-adbb-4e6f02de0b81", "value": "9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557", "deleted": false, "disable_correlation": false, "timestamp": "1490878515", "to_ids": true, "type": "md5", "uuid": "58dd0033-60e0-4e52-b5ba-4e4902de0b81", "value": "d115532ed6189b3f74569f8012efe110" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 
2227fd6fc9d669a9b66c59593533750477669557", "deleted": false, "disable_correlation": false, "timestamp": "1490878516", "to_ids": false, "type": "link", "uuid": "58dd0034-c460-4ba5-b29d-44c802de0b81", "value": "https://www.virustotal.com/file/9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839/analysis/1463724060/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23", "deleted": false, "disable_correlation": false, "timestamp": "1490878517", "to_ids": true, "type": "sha256", "uuid": "58dd0035-adb0-4116-8b7f-4a3d02de0b81", "value": "d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23", "deleted": false, "disable_correlation": false, "timestamp": "1490878517", "to_ids": true, "type": "md5", "uuid": "58dd0035-62f8-4558-9033-4e4302de0b81", "value": "21802eb06e2b05b5db40381f296d67ad" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23", "deleted": false, "disable_correlation": false, "timestamp": "1490878518", "to_ids": false, "type": "link", "uuid": "58dd0036-68cc-4f5f-a571-4a3802de0b81", "value": "https://www.virustotal.com/file/d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19/analysis/1487239958/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3", "deleted": false, "disable_correlation": false, "timestamp": "1490878519", "to_ids": true, "type": "sha256", "uuid": "58dd0037-8088-49e9-944f-45ff02de0b81", "value": "e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3", "deleted": false, "disable_correlation": false, "timestamp": "1490878520", "to_ids": true, 
"type": "md5", "uuid": "58dd0038-5144-4ed3-adfe-4d3102de0b81", "value": "b4096859121998c065896d3d19e46e50" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3", "deleted": false, "disable_correlation": false, "timestamp": "1490878521", "to_ids": false, "type": "link", "uuid": "58dd0039-0208-4066-bc11-4eb502de0b81", "value": "https://www.virustotal.com/file/e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed/analysis/1487240002/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf", "deleted": false, "disable_correlation": false, "timestamp": "1490878522", "to_ids": true, "type": "sha256", "uuid": "58dd003a-b738-4acc-a32b-470c02de0b81", "value": "c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf", "deleted": false, "disable_correlation": false, "timestamp": "1490878523", "to_ids": true, "type": "md5", "uuid": "58dd003b-134c-47ef-9ec6-431402de0b81", "value": "4ae7e6011b550372d2a73ab3b4d67096" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf", "deleted": false, "disable_correlation": false, "timestamp": "1490878524", "to_ids": false, "type": "link", "uuid": "58dd003c-06e4-456b-b541-4a0302de0b81", "value": "https://www.virustotal.com/file/c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0/analysis/1472552183/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d", "deleted": false, "disable_correlation": false, "timestamp": "1490878525", "to_ids": true, "type": "sha256", "uuid": "58dd003d-9d0c-4261-9263-492e02de0b81", "value": "1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72" }, { "category": "Payload 
delivery", "comment": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d", "deleted": false, "disable_correlation": false, "timestamp": "1490878525", "to_ids": true, "type": "md5", "uuid": "58dd003d-866c-493e-ab08-42ad02de0b81", "value": "244505129d96be57134cb00f27d4359c" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d", "deleted": false, "disable_correlation": false, "timestamp": "1490878526", "to_ids": false, "type": "link", "uuid": "58dd003e-eca8-4aaa-ae60-4cca02de0b81", "value": "https://www.virustotal.com/file/1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72/analysis/1472508860/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c", "deleted": false, "disable_correlation": false, "timestamp": "1490878527", "to_ids": true, "type": "sha256", "uuid": "58dd003f-e27c-4949-aab7-490c02de0b81", "value": "31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c", "deleted": false, "disable_correlation": false, "timestamp": "1490878528", "to_ids": true, "type": "md5", "uuid": "58dd0040-c27c-4ff6-bc0d-41d902de0b81", "value": "91a5594343b47462ebd6266a9c40abbe" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c", "deleted": false, "disable_correlation": false, "timestamp": "1490878529", "to_ids": false, "type": "link", "uuid": "58dd0041-f364-447a-82a3-423c02de0b81", "value": "https://www.virustotal.com/file/31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566/analysis/1487311644/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe", "deleted": false, "disable_correlation": false, "timestamp": "1490878530", 
"to_ids": true, "type": "sha256", "uuid": "58dd0042-ff94-4d44-8926-42b202de0b81", "value": "ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe", "deleted": false, "disable_correlation": false, "timestamp": "1490878531", "to_ids": true, "type": "md5", "uuid": "58dd0043-e258-4a82-b1cf-4f5b02de0b81", "value": "df230db9bddf200b24d8744ad84d80e8" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe", "deleted": false, "disable_correlation": false, "timestamp": "1490878532", "to_ids": false, "type": "link", "uuid": "58dd0044-5cfc-4f5d-bed1-42ec02de0b81", "value": "https://www.virustotal.com/file/ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f/analysis/1482320204/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53", "deleted": false, "disable_correlation": false, "timestamp": "1490878533", "to_ids": true, "type": "sha256", "uuid": "58dd0045-00c8-447f-b23a-4da402de0b81", "value": "8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53", "deleted": false, "disable_correlation": false, "timestamp": "1490878533", "to_ids": true, "type": "md5", "uuid": "58dd0045-20e4-4b68-8b47-44a502de0b81", "value": "554450c1ecb925693fedbb9e56702646" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53", "deleted": false, "disable_correlation": false, "timestamp": "1490878534", "to_ids": false, "type": "link", "uuid": "58dd0046-5560-49b6-8f5d-428102de0b81", "value": "https://www.virustotal.com/file/8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb/analysis/1472540442/" }, { 
"category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28", "deleted": false, "disable_correlation": false, "timestamp": "1490878535", "to_ids": true, "type": "sha256", "uuid": "58dd0047-efc8-49f9-8a9d-4bc502de0b81", "value": "ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28", "deleted": false, "disable_correlation": false, "timestamp": "1490878536", "to_ids": true, "type": "md5", "uuid": "58dd0048-f4bc-4507-9132-475902de0b81", "value": "e6d1dcc6c2601e592f2b03f35b06fa8f" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28", "deleted": false, "disable_correlation": false, "timestamp": "1490878537", "to_ids": false, "type": "link", "uuid": "58dd0049-3be8-4d8a-8293-4d8d02de0b81", "value": "https://www.virustotal.com/file/ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45/analysis/1472563917/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233", "deleted": false, "disable_correlation": false, "timestamp": "1490878538", "to_ids": true, "type": "sha256", "uuid": "58dd004a-9f74-4c4d-94da-4c6802de0b81", "value": "1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233", "deleted": false, "disable_correlation": false, "timestamp": "1490878539", "to_ids": true, "type": "md5", "uuid": "58dd004b-5b70-47be-a686-4e3002de0b81", "value": "43e896ede6fe025ee90f7f27c6d376a4" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233", "deleted": false, "disable_correlation": false, "timestamp": "1490878539", "to_ids": false, "type": 
"link", "uuid": "58dd004b-4d28-44d7-9414-425902de0b81", "value": "https://www.virustotal.com/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/1484282511/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f", "deleted": false, "disable_correlation": false, "timestamp": "1490878540", "to_ids": true, "type": "sha256", "uuid": "58dd004c-71f0-4e9c-85c4-4a4d02de0b81", "value": "02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f", "deleted": false, "disable_correlation": false, "timestamp": "1490878541", "to_ids": true, "type": "md5", "uuid": "58dd004d-5b4c-46b6-8974-40c602de0b81", "value": "4c1017de62ea4788c7c8058a8f825a2d" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f", "deleted": false, "disable_correlation": false, "timestamp": "1490878542", "to_ids": false, "type": "link", "uuid": "58dd004e-33e8-45a4-825d-491d02de0b81", "value": "https://www.virustotal.com/file/02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198/analysis/1487306753/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46", "deleted": false, "disable_correlation": false, "timestamp": "1490878543", "to_ids": true, "type": "sha256", "uuid": "58dd004f-1e20-4e75-8e21-477f02de0b81", "value": "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46", "deleted": false, "disable_correlation": false, "timestamp": "1490878544", "to_ids": true, "type": "md5", "uuid": "58dd0050-d094-4d4f-86a3-4f4502de0b81", "value": "cb1b68d9971c2353c2d6a8119c49b51f" }, { "category": "External analysis", 
"comment": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46", "deleted": false, "disable_correlation": false, "timestamp": "1490878545", "to_ids": false, "type": "link", "uuid": "58dd0051-ce8c-4059-9ecb-476902de0b81", "value": "https://www.virustotal.com/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/1490734934/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3", "deleted": false, "disable_correlation": false, "timestamp": "1490878546", "to_ids": true, "type": "sha256", "uuid": "58dd0052-8e84-4b91-908a-40af02de0b81", "value": "0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3", "deleted": false, "disable_correlation": false, "timestamp": "1490878546", "to_ids": true, "type": "md5", "uuid": "58dd0052-8680-469f-8cbb-4f3802de0b81", "value": "7ddee9311d7ab2d548e9b252383863ef" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3", "deleted": false, "disable_correlation": false, "timestamp": "1490878547", "to_ids": false, "type": "link", "uuid": "58dd0053-5978-4766-94a4-468f02de0b81", "value": "https://www.virustotal.com/file/0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65/analysis/1485875623/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", "deleted": false, "disable_correlation": false, "timestamp": "1490878548", "to_ids": true, "type": "sha256", "uuid": "58dd0054-7e04-4ad1-b86f-47d002de0b81", "value": "7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", "deleted": false, "disable_correlation": false, 
"timestamp": "1490878549", "to_ids": true, "type": "md5", "uuid": "58dd0055-b800-4361-9aa0-47be02de0b81", "value": "e664b6f5f50d1a7991e254e5e81a683f" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", "deleted": false, "disable_correlation": false, "timestamp": "1490878550", "to_ids": false, "type": "link", "uuid": "58dd0056-6e74-43d5-b58b-494802de0b81", "value": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b", "deleted": false, "disable_correlation": false, "timestamp": "1490878551", "to_ids": true, "type": "sha256", "uuid": "58dd0057-5a14-4f5d-884b-490202de0b81", "value": "aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c" }, { "category": "Payload delivery", "comment": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b", "deleted": false, "disable_correlation": false, "timestamp": "1490878551", "to_ids": true, "type": "md5", "uuid": "58dd0057-cde0-4faa-a196-4a6302de0b81", "value": "213ca4db4c2abd3b631da00c299d75ef" }, { "category": "External analysis", "comment": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b", "deleted": false, "disable_correlation": false, "timestamp": "1490878552", "to_ids": false, "type": "link", "uuid": "58dd0058-dcd4-4271-8e57-432702de0b81", "value": "https://www.virustotal.com/file/aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c/analysis/1487398090/" } ] } }