{ "Event": { "analysis": "2", "date": "2018-11-22", "extends_uuid": "", "info": "OSINT - Turla PNG Dropper is back", "publish_timestamp": "1542987293", "published": true, "threat_level_id": "3", "timestamp": "1542987280", "uuid": "5bf7ba12-bec4-4d01-8330-4373950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#12e200", "local": false, "name": "misp-galaxy:threat-actor=\"Turla Group\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542962230", "to_ids": false, "type": "link", "uuid": "5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f", "value": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542962228", "to_ids": false, "type": "text", "uuid": "5bf7bb86-3374-4ece-8226-4383950d210f", "value": "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u00e2\u20ac\u2122s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. 
Nevertheless, we think that this it is worth documenting this new use of the PNG Dropper.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542962976", "to_ids": false, "type": "link", "uuid": "5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f", "value": "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542969240", "to_ids": false, "type": "yara", "uuid": "5bf7d798-4a08-48f1-9e9c-4744950d210f", "value": "rule turla_png_dropper {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Detects the PNG Dropper used by the Turla group\"\r\n sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n strings:\r\n $api0 = \"GdiplusStartup\"\r\n $api1 = \"GdipAlloc\"\r\n $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n $api3 = \"GdipBitmapLockBits\"\r\n $api4 = \"GdipGetImageWidth\"\r\n $api5 = \"GdipGetImageHeight\"\r\n $api6 = \"GdiplusShutdown\"\r\n\r\n $code32 = {\r\n 8B 46 3C // mov eax, [esi+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n 66 39 4C 30 18 // cmp [eax+esi+18h], cx\r\n 8B 44 30 28 // mov eax, [eax+esi+28h]\r\n 6A 00 // push 0\r\n B9 AF BE AD DE // mov ecx, 0DEADBEAFh\r\n 51 // push ecx\r\n 51 // push ecx\r\n 03 C6 // add eax, esi\r\n 56 // push esi\r\n FF D0 // call eax\r\n }\r\n\r\n $code64 = {\r\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n BA AF BE AD DE // mov edx, 0DEADBEAFh\r\n 66 39 4C 18 18 // cmp [rax+rbx+18h], cx\r\n 8B 44 18 28 // mov eax, [rax+rbx+28h]\r\n 45 33 C9 // xor r9d, r9d\r\n 44 8B C2 // mov r8d, edx\r\n 48 8B CB // mov rcx, rbx\r\n 48 03 C3 // add rax, rbx\r\n FF D0 // call rax\r\n }\r\n\r\n condition:\r\n (uint16(0) == 
0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n all of ($api*) and \r\n 1 of ($code*)\r\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542969294", "to_ids": false, "type": "yara", "uuid": "5bf7d7ce-2514-4e61-ac16-6b24950d210f", "value": "rule turla_png_reg_enum_payload {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Payload that has most recently been dropped by the\r\nTurla PNG Dropper\"\r\n shas256 =\r\n\"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n strings:\r\n $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n $crypt01 = \"ChainingModeCBC\" wide\r\n $crypt02 = \"AES\" wide\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumKeyExA\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n all of them\r\n}" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542970221", "to_ids": false, "type": "link", "uuid": "5bf7db6d-d5c0-4a23-8aa8-60c4950d210f", "value": "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542971162", "to_ids": false, "type": "yara", "uuid": "5bf7df1a-f8d4-46d6-837e-446b950d210f", "value": "rule 
PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"CarbonBlack Threat Research\"\r\n\r\n date = \"2017-June-11\"\r\n\r\n description = \"Dropper tool that extracts payload from PNG resources\"\r\n\r\n yara_version = \"3.5.0\"\r\n\r\n exemplar_hashes = \"3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 \"\r\n\r\n strings:\r\n\r\n$s1 = \"GdipGetImageWidth\"\r\n\r\n$s2 = \"GdipGetImageHeight\"\r\n\r\n$s3 = \"GdipCreateBitmapFromStream\"\r\n\r\n$s4 = \"GdipCreateBitmapFromStreamICM\"\r\n\r\n$s5 = \"GdipBitmapLockBits\"\r\n\r\n$s6 = \"GdipBitmapUnlockBits\"\r\n\r\n$s7 = \"LockResource\"\r\n\r\n$s8 = \"LoadResource\"\r\n\r\n$s9 = \"ExpandEnvironmentStringsW\"\r\n\r\n$s10 = \"SetFileTime\"\r\n\r\n$s11 = \"memcmp\"\r\n\r\n$s12 = \"strlen\"\r\n\r\n$s13 = \"memcpy\"\r\n\r\n$s14 = \"memchr\"\r\n\r\n$s15 = \"memmove\"\r\n\r\n$s16 = \"ZwQueryValueKey\"\r\n\r\n$s17 = \"ZwQueryInformationProcess\"\r\n\r\n$s18 = \"FindNextFile\"\r\n\r\n$s19 = \"GetModuleHandle\"\r\n\r\n$s20 = \"VirtualFree\"\r\n\r\n$PNG1 = {89 50 4E 47 [8] 49 48 44 52} 
//PNG Header\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n \r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and// MZ header check\r\n\r\n filesize < 6MB and\r\n\r\n 18 of ($s*) and\r\n\r\n (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit and $bi32_virt1\r\n\r\n (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit \u00e2\u20ac\u201c present more that 2 times and $bin64_Virt1\r\n\r\n}" } ], "Object": [ { "comment": "PNG Dropper", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542970068", "uuid": "5bf7dad4-098c-4666-9e4d-4958950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542970068", "to_ids": true, "type": "sha256", "uuid": "5bf7dad4-db18-4586-9b00-4988950d210f", "value": "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542970069", "to_ids": false, "type": "text", "uuid": "5bf7dad5-ee80-4267-9991-49d4950d210f", "value": "Malicious" } ] }, { "comment": "Payload contained in the PNG dropper", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542970154", "uuid": 
"5bf7db2a-2440-4ed3-ae21-6b24950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542970154", "to_ids": true, "type": "sha256", "uuid": "5bf7db2a-6678-4b72-b145-6b24950d210f", "value": "fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542970155", "to_ids": false, "type": "text", "uuid": "5bf7db2b-3808-4718-9d6b-6b24950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971483", "uuid": "5bf7e05b-4018-4130-afed-4d90950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542971483", "to_ids": true, "type": "md5", "uuid": "5bf7e05b-60bc-4d89-ae68-41a3950d210f", "value": "f84aa30676d2c05ed290b43c4c1e2d4c" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971484", "to_ids": false, "type": "text", "uuid": "5bf7e05c-5eb4-477d-8b71-472a950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971497", "uuid": "5bf7e069-2af4-442f-a0c4-4cd4950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542971497", "to_ids": true, "type": "md5", "uuid": 
"5bf7e069-b618-4cf0-a583-4a9e950d210f", "value": "ae2ec6d8e455c674d5486ce198d4d46e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971498", "to_ids": false, "type": "text", "uuid": "5bf7e06a-3020-402e-997f-458d950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971595", "uuid": "5bf7e0cb-7f0c-4eef-a610-f5d5950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542971595", "to_ids": true, "type": "md5", "uuid": "5bf7e0cb-cbf0-4b3e-861f-f5d5950d210f", "value": "7a1a174dd24d3f88454615102a074600" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971595", "to_ids": false, "type": "text", "uuid": "5bf7e0cb-c628-4527-930c-f5d5950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971618", "uuid": "5bf7e0e2-94c8-47df-a0ae-4620950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542971619", "to_ids": true, "type": "sha1", "uuid": "5bf7e0e3-9014-4a74-a457-4f81950d210f", "value": "645985805780510670092469b7627a23803eefd1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971619", "to_ids": false, "type": "text", "uuid": 
"5bf7e0e3-8a8c-45a5-8619-4eb3950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971683", "uuid": "5bf7e123-cbfc-4f9c-a8c0-4064950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542971684", "to_ids": true, "type": "sha1", "uuid": "5bf7e124-a378-40e4-a94c-4e58950d210f", "value": "17941a20d86c9518c168c7f765785095a57246a3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971684", "to_ids": false, "type": "text", "uuid": "5bf7e124-4584-4dae-8be4-4740950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971782", "uuid": "5bf7e186-6c94-4a68-90a1-493a950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542971782", "to_ids": true, "type": "sha1", "uuid": "5bf7e186-cb30-44d9-b585-48bd950d210f", "value": "ba221b85c1923866ce2ec3cd0824970216052c82" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971783", "to_ids": false, "type": "text", "uuid": "5bf7e187-1184-4eda-aee5-4727950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": 
"15", "timestamp": "1542971848", "uuid": "5bf7e1c8-5f30-420c-b9e1-f5d5950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542971848", "to_ids": true, "type": "sha256", "uuid": "5bf7e1c8-e5bc-43ed-b004-f5d5950d210f", "value": "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971849", "to_ids": false, "type": "text", "uuid": "5bf7e1c9-1fac-4081-9c58-f5d5950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971906", "uuid": "5bf7e202-29a4-4f46-94cc-fb4f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542971906", "to_ids": true, "type": "sha256", "uuid": "5bf7e202-341c-42e8-80ac-fb4f950d210f", "value": "69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971907", "to_ids": false, "type": "text", "uuid": "5bf7e203-5a04-410b-b272-fb4f950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542971920", "uuid": "5bf7e210-29f8-4e5c-964e-37a2950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": 
"1542971920", "to_ids": true, "type": "sha256", "uuid": "5bf7e210-9948-4834-a0df-37a2950d210f", "value": "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542971921", "to_ids": false, "type": "text", "uuid": "5bf7e211-2910-4ac8-a5b9-37a2950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542987247", "uuid": "370ee35f-2e62-4fa1-87de-59a36b9ad817", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542987247", "to_ids": true, "type": "md5", "uuid": "b2221f9c-1ec7-4db4-b68b-4a0602a72a52", "value": "7a1a174dd24d3f88454615102a074600" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542987248", "to_ids": true, "type": "sha1", "uuid": "c0a23277-a937-47f9-8761-a4912552b6aa", "value": "645985805780510670092469b7627a23803eefd1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542987248", "to_ids": true, "type": "sha256", "uuid": "d0e263d7-b204-47bc-ba11-d372c6e954d1", "value": "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542987249", "uuid": "003ceafa-e652-4272-89f0-356846947659", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": 
false, "object_relation": "last-submission", "timestamp": "1542987249", "to_ids": false, "type": "datetime", "uuid": "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7", "value": "2018-10-17T23:41:05" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542987249", "to_ids": false, "type": "link", "uuid": "2b06642b-d74e-4910-9a74-980fdb5cebb3", "value": "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542987250", "to_ids": false, "type": "text", "uuid": "2a5f6f23-8854-48fd-bb7c-dda116812263", "value": "48/67" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542987250", "uuid": "672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542987250", "to_ids": true, "type": "md5", "uuid": "3d4227f3-7900-4736-ab21-d4a27e607a18", "value": "f84aa30676d2c05ed290b43c4c1e2d4c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542987250", "to_ids": true, "type": "sha1", "uuid": "e5ffabb1-86a8-44ca-88e8-15f6327d759f", "value": "17941a20d86c9518c168c7f765785095a57246a3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542987251", "to_ids": true, "type": "sha256", "uuid": "2678d24f-e74d-4b73-b66b-dcc94b2cfdbf", "value": 
"69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542987251", "uuid": "ebf1d2c1-c387-463f-ac79-5573cec56447", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1542987251", "to_ids": false, "type": "datetime", "uuid": "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa", "value": "2018-09-27T23:11:14" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542987252", "to_ids": false, "type": "link", "uuid": "3e316cfb-ba54-4612-9ee6-20204adc750d", "value": "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542987252", "to_ids": false, "type": "text", "uuid": "e2c20e0f-18f6-4fbf-86ad-f0d025f17266", "value": "24/68" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542987252", "uuid": "07a6a6dc-9c22-4773-8432-cdd60d62f8bc", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542987252", "to_ids": true, "type": "md5", "uuid": "b3877b2d-3d83-4d75-b058-bbc1712c42e1", "value": "ae2ec6d8e455c674d5486ce198d4d46e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": 
"1542987253", "to_ids": true, "type": "sha1", "uuid": "d9a5a82b-ec36-46b9-9601-1e24fb36c7fa", "value": "ba221b85c1923866ce2ec3cd0824970216052c82" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542987253", "to_ids": true, "type": "sha256", "uuid": "d4bee0b8-b4cc-4cce-b3aa-2e81601f9f03", "value": "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542987254", "uuid": "dfee9eb0-06b6-4817-aa43-a2d63f0a49f2", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1542987254", "to_ids": false, "type": "datetime", "uuid": "a4daa13a-1374-4259-af44-d8c88ea2cc58", "value": "2018-10-17T04:41:54" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542987254", "to_ids": false, "type": "link", "uuid": "a305ca88-cd28-4233-af68-b4def8e76110", "value": "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542987255", "to_ids": false, "type": "text", "uuid": "ad12f987-16cf-453d-8e0f-bd6d3758823d", "value": "45/67" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542987255", "uuid": "b12e81db-47cb-482e-8deb-e6c98261d878", "Attribute": [ { "category": 
"Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542987255", "to_ids": true, "type": "md5", "uuid": "750f4fa1-9568-4fbe-a2c5-438d1a9038e5", "value": "d2e8e75c30dccd98a95d25b218ba7d2e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542987255", "to_ids": true, "type": "sha1", "uuid": "d67d0172-d108-4b6a-a9b0-0a02eee57dd4", "value": "72997e699d6c7cd5a2409535bfdef58695ed46fa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542987256", "to_ids": true, "type": "sha256", "uuid": "018dc18d-32d8-4f27-bc50-a6825580a146", "value": "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542987256", "uuid": "cf0b0660-5bc6-4da8-816b-f6133511fbf0", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1542987256", "to_ids": false, "type": "datetime", "uuid": "9797ab40-8d7c-4a60-ab23-f6f99e9492b0", "value": "2018-11-23T13:40:06" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542987257", "to_ids": false, "type": "link", "uuid": "2817750f-5b18-463e-baa8-19fba2fb0765", "value": "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542987257", "to_ids": false, "type": "text", "uuid": 
"164f9a1b-2a21-40de-be22-762bb37ab16e", "value": "47/69" } ] } ] } }