{"Event": {"info": "OSINT - BitterRAT PATCHWORK", "Tag": [{"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#0071c3", "exportable": true, "name": "osint:lifetime=\"perpetual\""}, {"colour": "#0087e8", "exportable": true, "name": "osint:certainty=\"50\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#14f400", "exportable": true, "name": "misp-galaxy:threat-actor=\"Dropping Elephant\""}], "publish_timestamp": "1547983827", "timestamp": "1551345508", "Object": [{"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5c445998-17e4-4411-ac90-4c8902de0b81", "sharing_group_id": "0", "timestamp": "1547983256", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "5", "Attribute": [{"comment": "", "category": "Other", "uuid": "5c445998-bcb8-4f80-8d60-437002de0b81", "timestamp": "1547983291", "to_ids": false, "value": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group. Hashes: 7845d817e021db8cde06a8437693b3b2 d34fc3a5df544d90ed1933b79deb1868 59ca69647eeceab0193d88b8b72e3d60", "Tag": [{"colour": "#002642", "exportable": true, "name": "osint:source-type=\"microblog-post\""}, {"colour": "#007ed9", "exportable": true, "name": "osint:certainty=\"93\""}], "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5c445998-e110-4f97-917a-4f0802de0b81", "timestamp": "1547983292", "to_ids": false, "value": "Twitter", "Tag": [{"colour": "#002642", "exportable": true, "name": "osint:source-type=\"microblog-post\""}, {"colour": "#007ed9", "exportable": true, "name": "osint:certainty=\"93\""}], "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Network activity", "uuid": "5c445998-ea68-4dae-a03e-492f02de0b81", "timestamp": "1547983293", "to_ids": true, "value": "https://twitter.com/shotgunner101/status/1086792700114948096", "Tag": [{"colour": "#002642", "exportable": true, "name": "osint:source-type=\"microblog-post\""}, {"colour": "#007ed9", "exportable": true, "name": "osint:certainty=\"93\""}], "disable_correlation": false, "object_relation": "url", "type": "url"}, {"comment": "", "category": "Other", "uuid": "5c445999-3450-4150-8196-459102de0b81", "timestamp": "1547983294", "to_ids": false, "value": "shotgunner101", "Tag": [{"colour": "#002642", "exportable": true, "name": "osint:source-type=\"microblog-post\""}, {"colour": "#007ed9", "exportable": true, "name": "osint:certainty=\"93\""}], "disable_correlation": false, "object_relation": "username", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "8cb15f0f-006b-4400-8fd1-e4ac9586b92e", "sharing_group_id": "0", "timestamp": "1547983352", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "8cb15f0f-006b-4400-8fd1-e4ac9586b92e", "uuid": "5c445a01-9c40-418e-a92c-996e02de0b81", "timestamp": "1547983361", "referenced_uuid": "b29e2cdc-6709-40b3-b08b-227aacd7503c", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "a3949817-5786-4c6a-95fb-2f9054df8b39", "timestamp": "1547983352", "to_ids": true, "value": "d34fc3a5df544d90ed1933b79deb1868", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "cdb431c8-e0a8-4eaf-8857-10e936bc5ac9", "timestamp": "1547983353", "to_ids": true, "value": "6c5d2012f58ee390500c515506f67e43e491818f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "a3a14283-6c31-4134-9691-17c163f324bc", "timestamp": "1547983353", "to_ids": true, "value": "386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "b29e2cdc-6709-40b3-b08b-227aacd7503c", "sharing_group_id": "0", "timestamp": "1547983354", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "cd5abe05-07bc-49f1-834b-984f412fd69b", "timestamp": "1547983354", "to_ids": false, "value": "2018-12-17 11:42:39", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "b46db101-5b99-4641-bacc-c1488b6b1c13", "timestamp": "1547983354", "to_ids": false, "value": "https://www.virustotal.com/file/386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55/analysis/1545046959/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "7e191cc5-c4b9-41b7-9370-30af876f9087", "timestamp": "1547983355", "to_ids": false, "value": "40/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "9a14aeab-1cc6-4fad-b1db-007f193da4aa", "sharing_group_id": "0", "timestamp": "1547983355", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "9a14aeab-1cc6-4fad-b1db-007f193da4aa", "uuid": "5c445a01-f544-4754-bbd2-996e02de0b81", "timestamp": "1547983361", "referenced_uuid": "baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "f516d6d4-52a3-407a-b3bc-bce8e44e1798", "timestamp": "1547983355", "to_ids": true, "value": "59ca69647eeceab0193d88b8b72e3d60", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "0d2d75af-a3ab-4e81-a3eb-7b9af7e2e6d4", "timestamp": "1547983356", "to_ids": true, "value": "4d441ba024b5fba0c2d02a30c00cd1ba63aaa1f0", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "37be4c02-c62c-4e1f-b0bb-52f5a57e9e71", "timestamp": "1547983356", "to_ids": true, "value": "80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f", "sharing_group_id": "0", "timestamp": "1547983357", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "b6767065-40ce-4769-b41d-d80c76e36f6b", "timestamp": "1547983357", "to_ids": false, "value": "2019-01-20 05:28:41", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "dd19c19d-8f28-4860-9592-8899a91a9f44", "timestamp": "1547983357", "to_ids": false, "value": "https://www.virustotal.com/file/80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377/analysis/1547962121/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "a5e53653-a585-48dc-a595-12b67dae1846", "timestamp": "1547983358", "to_ids": false, "value": "42/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "645535fc-0fe5-4f38-a8b0-a247d8f46d87", "sharing_group_id": "0", "timestamp": "1547983358", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "645535fc-0fe5-4f38-a8b0-a247d8f46d87", "uuid": "5c445a01-8cf0-42ca-87d2-996e02de0b81", "timestamp": "1547983361", "referenced_uuid": "7cf96e54-0bab-47c1-a06a-6c3ea9173676", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "cc888762-e76a-4bea-9e24-74b5f7cea595", "timestamp": "1547983358", "to_ids": true, "value": "7845d817e021db8cde06a8437693b3b2", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "aedddca8-5a78-452b-adb5-57065ecbdbff", "timestamp": "1547983358", "to_ids": true, "value": "bdb21b57c572744b58f8dc4f4020e32e1787f46d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "b667d81d-43c8-42be-88cc-19c61b888fd7", "timestamp": "1547983359", "to_ids": true, "value": "57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "7cf96e54-0bab-47c1-a06a-6c3ea9173676", "sharing_group_id": "0", "timestamp": "1547983360", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "263b4bfc-fee6-4604-8ad6-3e718c0bbd60", "timestamp": "1547983360", "to_ids": false, "value": "2019-01-20 05:31:17", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "2a347a59-cf7a-4973-bd1c-5fb4c1b1488d", "timestamp": "1547983361", "to_ids": false, "value": "https://www.virustotal.com/file/57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e/analysis/1547962277/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "6fb014a0-3fbe-4f2a-9ab4-e54bf354e276", "timestamp": "1547983361", "to_ids": false, "value": "32/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5c445a91-96e4-4a76-81bf-4bb302de0b81", "sharing_group_id": "0", "timestamp": "1547983505", "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "7", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5c445a91-2928-46bd-a05f-425e02de0b81", "timestamp": "1547983505", "to_ids": true, "value": "netwareservice.ddns.net", "disable_correlation": false, "object_relation": "hostname", "type": "hostname"}, {"comment": "", "category": "Network activity", "uuid": "5c445a92-68b4-4a3e-a94b-4b5702de0b81", "timestamp": "1547983506", "to_ids": true, "value": "185.45.193.10", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}, {"comment": "", "category": "Other", "uuid": "5c445a93-21b0-4eb8-8990-4e2402de0b81", "timestamp": "1547983507", "to_ids": false, "value": "There is also another domain and IP Address that I couldn't find linked with any PATCHWORK/Bitter RAT reports.", "disable_correlation": true, "object_relation": "text", "type": "text"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "db8c563d-74f7-492a-ab64-12d646b305ef", "sharing_group_id": "0", "timestamp": "1547983710", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "db8c563d-74f7-492a-ab64-12d646b305ef", "uuid": "5c445b70-1450-4d84-9333-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "573e5323-af68-46ff-bf63-ab4367951a1a", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "b9beb4e2-2f09-4f89-a758-ea39c786b399", "timestamp": "1547983710", "to_ids": true, "value": "a098d91f04eb259bf27432e81a9c523b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "1b251358-c92c-41c1-b45d-dbd992217fc2", "timestamp": "1547983711", "to_ids": true, "value": "a359d15c1055fe8574eb0a68f429c6ee4f0894ff", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "d4ed4c1c-cf7e-4b29-bae7-5a6bdb69a0eb", "timestamp": "1547983711", "to_ids": true, "value": "b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "573e5323-af68-46ff-bf63-ab4367951a1a", "sharing_group_id": "0", "timestamp": "1547983712", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "a044a306-15d0-435d-aeec-dd77d24f9e2e", "timestamp": "1547983712", "to_ids": false, "value": "2019-01-10 01:04:42", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "50958fd2-c56f-44ea-999e-03c8428dc48b", "timestamp": "1547983712", "to_ids": false, "value": "https://www.virustotal.com/file/b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42/analysis/1547082282/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "cc0dce63-893d-4ba6-ba93-d620445ebc17", "timestamp": "1547983713", "to_ids": false, "value": "43/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "b30ed68b-1525-4bc7-a433-4ead4df9845c", "sharing_group_id": "0", "timestamp": "1547983713", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "b30ed68b-1525-4bc7-a433-4ead4df9845c", "uuid": "5c445b70-19b8-407d-93c4-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "d9e9def6-73c0-4b65-b2d3-1d382d809e1b", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "9caef831-f8a7-4f94-ba0b-6f1f1dba0cfc", "timestamp": "1547983713", "to_ids": true, "value": "26d175ac27b4554885b5c3d2ec9c6769", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "3654a4cf-925b-471f-b313-7a451f392ab3", "timestamp": "1547983713", "to_ids": true, "value": "205e77e7f708b5c2f3f6370547255ae4c6b61b5b", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "eca05964-da14-45a5-8535-93487890db48", "timestamp": "1547983714", "to_ids": true, "value": "4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "d9e9def6-73c0-4b65-b2d3-1d382d809e1b", "sharing_group_id": "0", "timestamp": "1547983714", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "13e649fd-ebb4-4f6e-a7e5-4cd02ab8e4df", "timestamp": "1547983714", "to_ids": false, "value": "2018-12-26 06:32:20", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "ab8369e4-bd22-4d44-9904-59d1520d6b88", "timestamp": "1547983716", "to_ids": false, "value": "https://www.virustotal.com/file/4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4/analysis/1545805940/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "4aaec601-7d0d-45f8-9c5f-6018bb4cf450", "timestamp": "1547983717", "to_ids": false, "value": "42/69", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "80cdfaf6-8bf3-4374-9f68-992799ed3b70", "sharing_group_id": "0", "timestamp": "1547983717", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "80cdfaf6-8bf3-4374-9f68-992799ed3b70", "uuid": "5c445b70-aaa4-426c-ad3c-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "6da3bd65-82d7-45c7-9a90-417575cca55d", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "ceb0bb61-30ba-4e07-aada-812da1d7afd8", "timestamp": "1547983717", "to_ids": true, "value": "b694f3b1ef7ff302c339a51c3f0f50f3", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "863e9db5-d16e-460c-a77f-83a779ac634f", "timestamp": "1547983717", "to_ids": true, "value": "02a5aaa1956b437f1066a4793cc079201c02603b", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "e9af9fb2-eade-4904-8c83-97216dff0b35", "timestamp": "1547983718", "to_ids": true, "value": "523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "6da3bd65-82d7-45c7-9a90-417575cca55d", "sharing_group_id": "0", "timestamp": "1547983718", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "bd626c6a-66b1-41d4-9803-d7be0957d811", "timestamp": "1547983718", "to_ids": false, "value": "2018-12-20 20:38:41", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "542b3ccc-7a07-4b00-9213-a1287036339e", "timestamp": "1547983719", "to_ids": false, "value": "https://www.virustotal.com/file/523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4/analysis/1545338321/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "f69ec892-9c22-4f81-9fba-9c59c550efab", "timestamp": "1547983719", "to_ids": false, "value": "46/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "e1137dbb-bedf-4093-8391-b598b22d0a87", "sharing_group_id": "0", "timestamp": "1547983719", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "e1137dbb-bedf-4093-8391-b598b22d0a87", "uuid": "5c445b70-bc94-4992-890c-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "7df872cb-7f5d-4df9-b654-92c03908f4af", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "3f869c53-943b-485a-b24a-3f52380b7942", "timestamp": "1547983720", "to_ids": true, "value": "e4abdd40f7d1adb3f139940438484695", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "c6aba0f7-b57a-42ea-9da7-281b651b06e6", "timestamp": "1547983720", "to_ids": true, "value": "fddfb467c6d04f7333206591a2105881be985d5c", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "2e67db33-baa6-44fd-94da-08e153964e7e", "timestamp": "1547983720", "to_ids": true, "value": "e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "7df872cb-7f5d-4df9-b654-92c03908f4af", "sharing_group_id": "0", "timestamp": "1547983721", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "4800929b-92d6-42d9-a7e0-a3390c4f821e", "timestamp": "1547983721", "to_ids": false, "value": "2019-01-17 11:33:07", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "294505dc-8126-4e47-9eef-3721f0086fbf", "timestamp": "1547983721", "to_ids": false, "value": "https://www.virustotal.com/file/e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db/analysis/1547724787/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "e83fe184-6c74-4558-97de-f741bc1b94ba", "timestamp": "1547983722", "to_ids": false, "value": "25/57", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "57bc77e0-6e6a-4ac3-a678-4d620ca79902", "sharing_group_id": "0", "timestamp": "1547983722", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "57bc77e0-6e6a-4ac3-a678-4d620ca79902", "uuid": "5c445b70-b5c4-4e1b-bda8-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "be750522-8ad5-4911-8601-070557f5b9b2", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "189e690b-d2e8-48d4-9b18-720543816a3a", "timestamp": "1547983722", "to_ids": true, "value": "53d6ed9a3e56785ccbee9b73b14ec62c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "166a8601-6d7a-4753-aa26-431bca51e502", "timestamp": "1547983723", "to_ids": true, "value": "2075cddc453492a349de81e4aae309a376c1147a", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "63b23e4d-a1c7-4c80-a6a8-9f42705f9bab", "timestamp": "1547983723", "to_ids": true, "value": "aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "be750522-8ad5-4911-8601-070557f5b9b2", "sharing_group_id": "0", "timestamp": "1547983723", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "ce177d9a-fdaf-447f-9628-969f55f142eb", "timestamp": "1547983724", "to_ids": false, "value": "2019-01-20 05:27:08", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "41820a0e-61aa-4b65-8672-b2985cdf6a1a", "timestamp": "1547983725", "to_ids": false, "value": "https://www.virustotal.com/file/aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75/analysis/1547962028/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "88ad0b3d-a8ab-45f8-b782-228493b9ad39", "timestamp": "1547983725", "to_ids": false, "value": "38/66", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a403b39-3b33-41e6-852f-277fe242197e", "sharing_group_id": "0", "timestamp": "1547983725", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "5a403b39-3b33-41e6-852f-277fe242197e", "uuid": "5c445b70-2708-4855-bc3c-a52a02de0b81", "timestamp": "1547983728", "referenced_uuid": "61c4a2cb-234e-4428-9dd5-e214916b1536", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "6c1b3dd7-81fb-44c5-b17f-3d88aaea0a2e", "timestamp": "1547983725", "to_ids": true, "value": "3dcc9ac06cd5318f247be0d73c8c1d1d", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "b0480972-69fa-4b70-8a6f-89eefca504c5", "timestamp": "1547983726", "to_ids": true, "value": "969fc7f9b770215ce2ad3fe38451d286fda4e7cb", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "41f064f9-1bd0-49f8-bdb6-acc7aa5429a6", "timestamp": "1547983726", "to_ids": true, "value": "5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "61c4a2cb-234e-4428-9dd5-e214916b1536", "sharing_group_id": "0", "timestamp": "1547983727", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "896b9522-f5fa-4ffd-8ef2-76826c41225b", "timestamp": "1547983727", "to_ids": false, "value": "2019-01-18 18:25:53", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "cfa6606b-9b09-4da3-8675-1f1e9b067030", "timestamp": "1547983727", "to_ids": false, "value": "https://www.virustotal.com/file/5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299/analysis/1547835953/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "6269f302-e585-4ca1-8cab-bed4ad17f06b", "timestamp": "1547983728", "to_ids": false, "value": "16/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "0", "Attribute": [{"comment": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "category": "Payload delivery", "uuid": "5c4459da-6374-4f25-9bb6-a83202de0b81", "timestamp": "1547983322", "to_ids": true, "value": "7845d817e021db8cde06a8437693b3b2", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "category": "Payload delivery", "uuid": "5c4459db-214c-4cf3-8bfc-a83202de0b81", "timestamp": "1547983323", "to_ids": true, "value": "d34fc3a5df544d90ed1933b79deb1868", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "category": "Payload delivery", "uuid": "5c4459db-4f5c-4f63-8d30-a83202de0b81", "timestamp": "1547983323", "to_ids": true, "value": "59ca69647eeceab0193d88b8b72e3d60", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "External analysis", "uuid": "5c445ae0-8b4c-44cf-973f-98d302de0b81", "timestamp": "1547983584", "to_ids": false, "value": "https://analyze.intezer.com/#/analyses/314c7fb5-7d2e-4e3c-93d8-84c2064672d3", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5c445ae0-af98-460b-b37c-98d302de0b81", "timestamp": "1547983584", "to_ids": false, "value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5c445ae0-86f0-40ca-a041-98d302de0b81", "timestamp": "1547983584", "to_ids": false, "value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "RTF file", "category": "Payload delivery", "uuid": "5c445b0a-f430-49fb-9097-468002de0b81", "timestamp": "1547983626", "to_ids": true, "value": "e4abdd40f7d1adb3f139940438484695", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Payload", "category": "Payload delivery", "uuid": "5c445b0a-ae24-4bed-8e2d-416e02de0b81", "timestamp": "1547983626", "to_ids": true, "value": "a098d91f04eb259bf27432e81a9c523b", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Payload", "category": "Payload delivery", "uuid": "5c445b0b-8f78-4d23-8027-46ab02de0b81", "timestamp": "1547983627", "to_ids": true, "value": "53d6ed9a3e56785ccbee9b73b14ec62c", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Payload", "category": "Payload delivery", "uuid": "5c445b0b-01d8-4b1d-81bb-472f02de0b81", "timestamp": "1547983627", "to_ids": true, "value": "26d175ac27b4554885b5c3d2ec9c6769", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.", "category": "Payload delivery", "uuid": "5c445b2d-b2ec-4067-8891-98d302de0b81", "timestamp": "1547983661", "to_ids": true, "value": "3dcc9ac06cd5318f247be0d73c8c1d1d", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.", "category": "Network activity", "uuid": "5c445b2e-1280-4f6b-a51f-98d302de0b81", "timestamp": "1547983662", "to_ids": true, "value": "wcnsservice.ddns.net", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Additional URL - Couldn't find it in any writeups:", "category": "Network activity", "uuid": "5c445b54-b390-4847-8585-4c9802de0b81", "timestamp": "1547983700", "to_ids": true, "value": "rmmun.org.pk/svch", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Additional URL - Couldn't find it in any writeups:", "category": "Payload delivery", "uuid": "5c445b55-eff0-4fe7-aaff-427c02de0b81", "timestamp": "1547983701", "to_ids": true, "value": "b694f3b1ef7ff302c339a51c3f0f50f3", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Attribute #1425890 enriched by dns.", "category": "Network activity", "uuid": "5c445b83-6b80-43b2-a950-44b0e387cbd9", "timestamp": "1547983747", "to_ids": false, "value": "185.45.193.10", "disable_correlation": false, "object_relation": null, "type": "ip-src"}, {"comment": "Attribute #1425901 enriched by dns.", "category": "Network activity", "uuid": "5c445b84-c18c-404c-8f53-4cf3e387cbd9", "timestamp": "1547983748", "to_ids": false, "value": "185.121.139.53", "disable_correlation": false, "object_relation": null, "type": "ip-src"}, {"comment": "rtf exploit", "category": "Artifacts dropped", "uuid": "5c76b08c-f724-4322-a531-418e02de0b81", "timestamp": "1551282316", "to_ids": false, "value": "rule dropper_elephant {\r\n\tstrings:\r\n\t\t$head = \"{\\\\rt\"\r\n\t\t$water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30}\r\n\tcondition:\r\n\t\t$head at 0 and $water \r\n\r\n}", "disable_correlation": false, "object_relation": null, "type": "yara"}, {"comment": "rtf file", "category": "Payload delivery", "uuid": "5c77a701-6ed0-4e6b-a497-47cb02de0b81", "timestamp": "1551345409", "to_ids": true, "value": "d3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "rtf file", "category": "Payload delivery", "uuid": "5c77a724-a98c-43d6-9335-452402de0b81", "timestamp": "1551345444", "to_ids": true, "value": "52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f", "disable_correlation": false, "object_relation": null, "type": "sha256"}], "extends_uuid": "", "published": false, "date": "2019-01-20", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5c4458f2-6270-4c17-8fe2-992402de0b81"}}