{ "Event": { "analysis": "2", "date": "2019-07-15", "extends_uuid": "", "info": "OSINT - SWEED: Exposing years of Agent Tesla campaigns", "publish_timestamp": "1563210538", "published": true, "threat_level_id": "3", "timestamp": "1563210476", "uuid": "5d2cae34-7564-4049-b9c4-4ae902de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0082e1", "local": false, "name": "osint:certainty=\"75\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Agent Tesla\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-malware=\"Agent Tesla - S0331\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"Agent Tesla\"", "relationship_type": "" }, { "colour": "#75003f", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209286", "to_ids": false, "type": "link", "uuid": "5d2cae46-6b2c-4405-84c0-aac302de0b81", "value": "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209311", "to_ids": false, "type": "text", "uuid": "5d2cae5f-c280-4f19-8954-40d702de0b81", "value": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. 
Based on our research, SWEED \u2014 which has been operating since at least 2017 \u2014 primarily targets their victims with stealers and remote access trojans.\r\n\r\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla \u2014 an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs)." }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209364", "to_ids": true, "type": "domain", "uuid": "5d2cae94-23d0-4a7e-8786-44ee02de0b81", "value": "sweeddehacklord.us" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9b-a984-4d8f-bff3-4f8f02de0b81", "value": "sweed-office.comie.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "domain", "uuid": "5d2cae9b-f470-4a85-86f7-415a02de0b81", "value": "sweed-viki.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9b-6494-4e1b-85bc-4bfd02de0b81", "value": "sweedoffice.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, 
"type": "hostname", "uuid": "5d2cae9b-fe6c-438e-b707-427202de0b81", "value": "sweedoffice-olamide.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9b-5870-4176-a210-4b6202de0b81", "value": "sweedoffice-chuks.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9b-1e90-4e41-b3a1-407f02de0b81", "value": "www.sweedoffice-kc.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9b-70e4-4321-ad36-4e3102de0b81", "value": "sweedoffice-kc.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209371", "to_ids": true, "type": "hostname", "uuid": "5d2cae9c-6690-4d02-a56e-46f102de0b81", "value": "sweedoffice-goodman.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "hostname", "uuid": "5d2cae9c-666c-4919-a174-4f5b02de0b81", "value": "sweedoffice-bosskobi.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "hostname", "uuid": "5d2cae9c-2630-4021-82aa-426c02de0b81", "value": "www.sweedoffice-olamide.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "hostname", "uuid": "5d2cae9c-f094-437b-9d54-4e9202de0b81", "value": "www.sweedoffice-chuks.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-383c-4889-9c11-48bd02de0b81", "value": "aelna.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-3d7c-4b9a-80c4-476a02de0b81", "value": "candqre.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-e9ec-4029-86f3-4d6502de0b81", "value": "spedaqinterfreight.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-0c4c-41e8-abc2-49f902de0b81", "value": "worldjaquar.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-e824-4946-afd5-44d602de0b81", "value": "zurieh.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-e01c-4903-99ef-45f102de0b81", "value": "aiaininsurance.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-1524-4fdf-9b0f-4eea02de0b81", "value": "aidanube.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-b44c-4332-9357-4b9b02de0b81", "value": "anernostat.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-e814-4e45-b039-471702de0b81", "value": 
"blssleel.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-fc78-48ff-a437-49ac02de0b81", "value": "bwayachtng.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-6c04-483c-ad36-43cd02de0b81", "value": "cablsol.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-ca7c-4bf3-8693-4c6a02de0b81", "value": "catalanoshpping.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-617c-4f4d-afbb-468002de0b81", "value": "cawus-coskunsu.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-b554-47fb-a7ca-4e0c02de0b81", "value": "crosspoiimeri.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-616c-437e-a2ac-443002de0b81", "value": "dougiasbarwick.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-dd0c-4390-a52b-40ab02de0b81", "value": "erieil.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-5934-4948-8ff3-4d4702de0b81", "value": "etqworld.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-fadc-4eb9-9144-4c5c02de0b81", "value": "evegreen-shipping.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-ab64-4869-a410-4d9402de0b81", "value": "gufageneys.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-2744-4ce8-9f5a-493902de0b81", "value": "hybru.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-5dbc-41c0-9f73-428802de0b81", "value": "intermodaishipping.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-4ed4-48cd-a0f2-4c3c02de0b81", "value": "jltqroup.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-ee10-46ac-a202-403702de0b81", "value": "jyexports.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-a6e8-40a5-8b80-4f1902de0b81", "value": "kayneslnterconnection.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-73d0-4b36-88a7-4bba02de0b81", "value": "kn-habour.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": 
"5d2cae9c-4b40-4b91-8181-496802de0b81", "value": "leocouriercompany.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-f5e4-49a0-80db-405802de0b81", "value": "lnnovalues.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-40f0-4b2c-8258-422302de0b81", "value": "mglt-mea.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-f494-42ad-83cf-4ea002de0b81", "value": "mti-transt.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-d1f8-4f4c-9f7a-477f02de0b81", "value": "profbuiiders.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-1620-4928-9e19-4e4002de0b81", "value": "quycarp.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-1588-4f6c-8060-436302de0b81", "value": "regionaitradeinspections.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-4d0c-483a-b9d8-4c2c02de0b81", "value": "repotc.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-f130-492c-92f9-464f02de0b81", "value": "rsaqencies.com" }, { "category": "Network activity", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-1e40-4218-9feb-45cd02de0b81", "value": "samhwansleel.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-3474-4e94-977c-4c0302de0b81", "value": "serec.us" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-c488-45f0-8cfd-438702de0b81", "value": "snapqata.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209372", "to_ids": true, "type": "domain", "uuid": "5d2cae9c-fffc-4d13-813c-445f02de0b81", "value": "sukrltiv.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-9a5c-46b2-a8d5-433602de0b81", "value": "supe-lab.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-ba14-4774-bef4-44ba02de0b81", "value": "usarmy-mill.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-b4e8-4287-ba31-414d02de0b81", "value": "virdtech.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-bba0-4b0c-ad26-44b302de0b81", "value": "willistoweswatson.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", 
"uuid": "5d2cae9d-608c-4017-87be-481a02de0b81", "value": "xlnya-cn.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-7bd4-4df5-8bdf-4c0802de0b81", "value": "zarpac.us" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-fd18-4adb-8a21-4eee02de0b81", "value": "oralbdentaltreatment.tk" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563209373", "to_ids": true, "type": "domain", "uuid": "5d2cae9d-c658-4335-a822-407e02de0b81", "value": "wlttraco.com" }, { "category": "Payload installation", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "timestamp": "1563209617", "to_ids": true, "type": "sha256", "uuid": "5d2caf91-ddb0-4d8f-8152-4bbf02de0b81", "value": "8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f" }, { "category": "Network activity", "comment": "Attribute #7578135 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210157", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1ad-acc0-4b2d-a95f-4c04e387cbd9", "value": "198.54.125.61" }, { "category": "Network activity", "comment": "Attribute #7578138 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210158", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1ae-c9f4-4846-8276-4305e387cbd9", "value": "84.38.134.121" }, { "category": "Network activity", "comment": "Attribute #7578149 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210160", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b0-fae0-4af9-a278-4e5ae387cbd9", "value": "185.26.122.68" }, { "category": "Network activity", "comment": "Attribute #7578153 enriched by dns.", 
"deleted": false, "disable_correlation": false, "timestamp": "1563210161", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b1-0bd4-4844-9628-490fe387cbd9", "value": "208.91.197.91" }, { "category": "Network activity", "comment": "Attribute #7578155 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210162", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b2-f578-40c4-bb51-4f0be387cbd9", "value": "154.80.172.212" }, { "category": "Network activity", "comment": "Attribute #7578159 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210163", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b3-daa0-4856-86f3-41fbe387cbd9", "value": "46.21.144.100" }, { "category": "Network activity", "comment": "Attribute #7578167 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210166", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b6-59b8-41a7-bb62-4b7de387cbd9", "value": "151.80.88.242" }, { "category": "Network activity", "comment": "Attribute #7578174 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210167", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1b7-0f6c-49f8-a1a1-46b5e387cbd9", "value": "209.99.40.222" }, { "category": "Network activity", "comment": "Attribute #7578187 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1563210172", "to_ids": false, "type": "ip-src", "uuid": "5d2cb1bc-57a8-402c-bf0a-48dae387cbd9", "value": "209.99.40.223" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563210331", "to_ids": true, "type": "regkey", "uuid": "5d2cb25b-18e4-4b9b-9dff-4dbe02de0b81", "value": "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" }, { "category": "Social network", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563210369", "to_ids": false, "type": "whois-registrant-email", "uuid": 
"5d2cb281-9ea8-457e-b4fd-4ada02de0b81", "value": "aaras480@gmail.com" }, { "category": "Network activity", "comment": "For example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:", "deleted": false, "disable_correlation": false, "timestamp": "1563210417", "to_ids": true, "type": "url", "uuid": "5d2cb2b1-63bc-457a-9f3b-429a02de0b81", "value": "http://aelna.com/file/chuks.exe" }, { "category": "Network activity", "comment": "For example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:", "deleted": false, "disable_correlation": false, "timestamp": "1563210418", "to_ids": true, "type": "url", "uuid": "5d2cb2b2-2b08-458c-a55f-443d02de0b81", "value": "http://aelna.com/file/sweed.exe" }, { "category": "Network activity", "comment": "For example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:", "deleted": false, "disable_correlation": false, "timestamp": "1563210418", "to_ids": true, "type": "url", "uuid": "5d2cb2b2-327c-4bc3-907c-404602de0b81", "value": "http://aelna.com/file/duke.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-ea6c-4c3d-9789-48ff02de0b81", "value": "sodimodisfrance.cf/2/chuks.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-85f0-46c2-aa47-4fdf02de0b81", "value": 
"sodimodisfrance.cf/6/chuks.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-251c-44ac-a8ff-482202de0b81", "value": "sodimodisfrance.cf/5/goodman.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-8c98-448e-8f6b-451802de0b81", "value": "sodimodisfrance.cf/1/chuks.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-f618-4373-936d-4e5002de0b81", "value": "sodimodisfrance.cf/1/hipkid.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-15ac-4588-87e0-481702de0b81", "value": "sodimodisfrance.cf/5/sweed.exe" }, { "category": "Network activity", "comment": "In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, 
an example listing below using the domain sodismodisfrance[.]cf", "deleted": false, "disable_correlation": false, "timestamp": "1563210450", "to_ids": true, "type": "url", "uuid": "5d2cb2d2-76e0-4b97-a41f-497502de0b81", "value": "sodimodisfrance.cf/2/duke.boys.exe" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-8c84-4ac2-a0fc-4c1a02de0b81", "value": "sweed-office.comie.ru/goodman/panel" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-0554-4b04-b70f-46e402de0b81", "value": "sweed-office.comie.ru/kc/panel/" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. 
Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-fcc8-4890-85bc-49ba02de0b81", "value": "wlttraco.com/sweed-office/omee/panel/login.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-11b4-46cc-8f66-426d02de0b81", "value": "wlttraco.com/sweed-client/humble1/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-86c8-4d2e-8f25-44b202de0b81", "value": "wlttraco.com/sweed-client/sima/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. 
Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-e324-4981-bae1-495b02de0b81", "value": "wlttraco.com/sweed-office/omee/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-ea9c-4004-bfb5-4ef902de0b81", "value": "wlttraco.com/sweed-office/kc/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-561c-4376-b159-46e102de0b81", "value": "wlttraco.com/sweed-office/olamide/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. 
Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-55e8-474c-bf23-492e02de0b81", "value": "wlttraco.com/sweed-office/jamil/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-e784-4aa2-83df-456402de0b81", "value": "wlttraco.com/sweed-client/niggab/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-bcf8-414e-b7bf-409502de0b81", "value": "wlttraco.com/sweed-client/humble2/panel/post.php" }, { "category": "Network activity", "comment": "In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. 
Indeed, on a single C2 server, we identified several panel with the following URLs:", "deleted": false, "disable_correlation": false, "timestamp": "1563210476", "to_ids": true, "type": "url", "uuid": "5d2cb2ec-0100-4c07-902f-484302de0b81", "value": "wlttraco.com/sweed-office/harry/panel/post.php" } ], "Object": [ { "comment": " Campaign #1", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563209538", "uuid": "5d2caf42-e134-4c02-8eda-45d702de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563209538", "to_ids": true, "type": "filename", "uuid": "5d2caf42-6c50-458c-aae8-40f502de0b81", "value": "Java_Updater.zip" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209538", "to_ids": true, "type": "sha256", "uuid": "5d2caf42-b470-4f9c-8571-4b1102de0b81", "value": "59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd" } ] }, { "comment": " Campaign #1", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563209580", "uuid": "5d2caf6c-a478-4dd2-a816-4a5e02de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563209580", "to_ids": true, "type": "filename", "uuid": "5d2caf6c-54d0-4faa-abba-474702de0b81", "value": "P-O of Jun2017.zip" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209581", "to_ids": 
true, "type": "sha256", "uuid": "5d2caf6d-c7f8-47bc-a64a-47df02de0b81", "value": "e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563209652", "uuid": "90a459a2-ebdb-4229-9b32-7e02479444cf", "ObjectReference": [ { "comment": "", "object_uuid": "90a459a2-ebdb-4229-9b32-7e02479444cf", "referenced_uuid": "a99ed487-ccf6-481c-9b2e-31274a7de66b", "relationship_type": "analysed-with", "timestamp": "1563209654", "uuid": "5d2cafb6-a8f4-4730-9cf5-47df02de0b81" } ], "Attribute": [ { "category": "Payload installation", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209617", "to_ids": true, "type": "md5", "uuid": "aaaf185e-b440-408c-b941-968455eef2bf", "value": "1be08ed45c512f6daab34519995dda63" }, { "category": "Payload installation", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209617", "to_ids": true, "type": "sha1", "uuid": "4827eb9f-0b62-4ce0-a1b5-6a77b05e659c", "value": "4a4fa608ccdbae42ef3ed708b08b6bbacda20908" }, { "category": "Payload installation", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209617", "to_ids": true, "type": "sha256", "uuid": "d602752b-1bb1-4246-8b1f-42d2797b2cb5", "value": "8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563209653", "uuid": "a99ed487-ccf6-481c-9b2e-31274a7de66b", 
"Attribute": [ { "category": "Other", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209617", "to_ids": false, "type": "datetime", "uuid": "af28189f-7f1d-41a8-8c73-c9ea120555ca", "value": "2018-03-26T19:06:29" }, { "category": "External analysis", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209617", "to_ids": false, "type": "link", "uuid": "80f8f1b1-1a11-44ca-9efa-a09ab8cc83d5", "value": "https://www.virustotal.com/file/8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f/analysis/1522091189/" }, { "category": "Payload installation", "comment": "Agent Tesla - Campaign #1", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209617", "to_ids": false, "type": "text", "uuid": "eea81aef-999f-4df6-8f60-eec0e32da997", "value": "46/66" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210123", "uuid": "fa3e47a5-e0ae-420e-9eaa-1242638e7cc3", "ObjectReference": [ { "comment": "", "object_uuid": "fa3e47a5-e0ae-420e-9eaa-1242638e7cc3", "referenced_uuid": "5942866c-758a-412c-b1e8-6d51f4978c65", "relationship_type": "analysed-with", "timestamp": "1563209655", "uuid": "5d2cafb7-dcf4-41bf-b787-42bd02de0b81" }, { "comment": "", "object_uuid": "fa3e47a5-e0ae-420e-9eaa-1242638e7cc3", "referenced_uuid": "8c40c4c1-8e29-4715-ac40-3403a10e3b6e", "relationship_type": "analysed-with", "timestamp": "1563210125", "uuid": "5d2cb18d-f9c8-473a-85b1-4d7402de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209581", "to_ids": true, 
"type": "md5", "uuid": "5c5ebbee-a57f-4a3e-9fc7-c0ce58eb21d1", "value": "bf58485904f69fb91b11cd802f6d76ca" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209581", "to_ids": true, "type": "sha1", "uuid": "e3dfcdb8-4c98-4f6c-ba4f-173c186742a9", "value": "ae8f8bb3e7cfdeed7317b6eea7ef0cec4113b519" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209581", "to_ids": true, "type": "sha256", "uuid": "a3b3202d-6d25-4d3e-95e3-9fd910119f8d", "value": "e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563209653", "uuid": "5942866c-758a-412c-b1e8-6d51f4978c65", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209581", "to_ids": false, "type": "datetime", "uuid": "65f4da1c-0f6c-4b4a-a272-75e00434483e", "value": "2017-06-22T12:36:27" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209581", "to_ids": false, "type": "link", "uuid": "842578a7-27e5-4718-bb4c-479b7cb369ac", "value": "https://www.virustotal.com/file/e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08/analysis/1498134987/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209581", "to_ids": false, "type": "text", "uuid": "5df2aec9-e3a5-48b2-a5f6-bd1ac1a30d9e", "value": "9/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file 
with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210123", "uuid": "a1f9e105-0d5f-471f-8da2-7b6af6110a47", "ObjectReference": [ { "comment": "", "object_uuid": "a1f9e105-0d5f-471f-8da2-7b6af6110a47", "referenced_uuid": "d20b466c-ddd8-4f9c-b27c-1e5abaabc9ad", "relationship_type": "analysed-with", "timestamp": "1563209655", "uuid": "5d2cafb7-e404-40d2-8e59-4d8502de0b81" }, { "comment": "", "object_uuid": "a1f9e105-0d5f-471f-8da2-7b6af6110a47", "referenced_uuid": "5d15455c-9cb2-43a9-85f5-31c2c47f3f6a", "relationship_type": "analysed-with", "timestamp": "1563210126", "uuid": "5d2cb18e-f4b0-489b-8f00-4efd02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209538", "to_ids": true, "type": "md5", "uuid": "c82f6757-2bbe-483e-afee-a39a2824b829", "value": "a313f809b1faf1643e0201e29cb4cbc0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209538", "to_ids": true, "type": "sha1", "uuid": "1c242b9b-4dd2-4de8-a606-dc6c874d12a2", "value": "2dd851466760b8b35226e83b2bfa36a379c03db6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209538", "to_ids": true, "type": "sha256", "uuid": "f1726bbd-9edd-4acf-ad38-f03d821389c4", "value": "59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563209654", "uuid": "d20b466c-ddd8-4f9c-b27c-1e5abaabc9ad", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, 
"disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209538", "to_ids": false, "type": "datetime", "uuid": "553d5faf-a8ce-445a-82a9-3e17363cd1da", "value": "2017-10-12T13:33:10" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209538", "to_ids": false, "type": "link", "uuid": "c14e58b2-77a5-46d7-ab6d-9afbf6ab18c7", "value": "https://www.virustotal.com/file/59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd/analysis/1507815190/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209538", "to_ids": false, "type": "text", "uuid": "0161d30e-d327-4df9-a166-658673b5b49a", "value": "48/66" } ] }, { "comment": " Campaign #2", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563209741", "uuid": "5d2cb00d-a38c-4241-9ae1-40db02de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563209742", "to_ids": true, "type": "filename", "uuid": "5d2cb00e-dbd4-4eb0-9e62-47eb02de0b81", "value": "Java sample" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209752", "to_ids": true, "type": "sha256", "uuid": "5d2cb018-2510-494c-8a33-420c02de0b81", "value": "d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97" } ] }, { "comment": " Campaign #3", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": 
"17", "timestamp": "1563209841", "uuid": "5d2cb071-13f4-4927-b73c-409902de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563209841", "to_ids": true, "type": "filename", "uuid": "5d2cb071-6398-4e67-bd9f-4eac02de0b81", "value": "New Order For Quotation.ppsx" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209841", "to_ids": true, "type": "sha256", "uuid": "5d2cb071-b20c-4c93-8bcc-45b102de0b81", "value": "65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b" } ] }, { "comment": " Campaign #4", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563209901", "uuid": "5d2cb0ad-7148-479f-b5ea-97a202de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563209901", "to_ids": true, "type": "filename", "uuid": "5d2cb0ad-fa6c-443c-80e6-97a202de0b81", "value": "SETTLEMENT OF OUTSTANDING.xlsx" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209905", "to_ids": true, "type": "sha256", "uuid": "5d2cb0b1-38b0-4907-9a46-97a202de0b81", "value": "111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671" } ] }, { "comment": " Campaign #5", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210053", "uuid": "5d2cb145-d424-4c65-8ff4-401b02de0b81", "Attribute": [ { "category": "Payload delivery", 
"comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563210053", "to_ids": true, "type": "filename", "uuid": "5d2cb145-0d48-4975-9987-496402de0b81", "value": "Request and specification of our new order.xls" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563210061", "to_ids": true, "type": "sha256", "uuid": "5d2cb14d-f17c-43ca-b678-449d02de0b81", "value": "1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075" } ] }, { "comment": " Campaign #5", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210111", "uuid": "5d2cb17f-e3a8-4d42-84c0-4cee02de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1563210111", "to_ids": true, "type": "filename", "uuid": "5d2cb17f-5b5c-45e3-8501-444102de0b81", "value": "Agent Tesla" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563210111", "to_ids": true, "type": "sha256", "uuid": "5d2cb17f-b354-4a75-bb27-413b02de0b81", "value": "fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34f" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210123", "uuid": "f0efcfb4-d9f2-4fed-b2ab-07728dbefb63", "ObjectReference": [ { "comment": "", "object_uuid": "f0efcfb4-d9f2-4fed-b2ab-07728dbefb63", "referenced_uuid": "9ea6369a-c1e9-42ce-8c58-f359fe2f78d1", "relationship_type": "analysed-with", 
"timestamp": "1563210126", "uuid": "5d2cb18e-7230-40cc-aa6b-475002de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563210061", "to_ids": true, "type": "md5", "uuid": "98fd2890-bfbd-47f7-af31-577a3968610d", "value": "8e0b8b5200e879d7a4a62df5ea30253a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563210061", "to_ids": true, "type": "sha1", "uuid": "c7b975c1-bc40-4c6a-ad62-805451240b36", "value": "50c9dea7c3b2f396f22612f14dae00880ceffa9a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563210061", "to_ids": true, "type": "sha256", "uuid": "10d5f4e5-4374-46bd-abf6-9cef43b57a3b", "value": "1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210123", "uuid": "9ea6369a-c1e9-42ce-8c58-f359fe2f78d1", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563210061", "to_ids": false, "type": "datetime", "uuid": "dabea056-538d-4442-b633-26c8a44edf75", "value": "2019-07-15T06:00:54" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563210061", "to_ids": false, "type": "link", "uuid": "f41b268d-f903-4aa4-b5ba-1e19066d5e42", "value": "https://www.virustotal.com/file/1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075/analysis/1563170454/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
true, "object_relation": "detection-ratio", "timestamp": "1563210061", "to_ids": false, "type": "text", "uuid": "4cc2f15c-563f-4209-9583-41628ba52ea3", "value": "32/60" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210123", "uuid": "5d15455c-9cb2-43a9-85f5-31c2c47f3f6a", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209538", "to_ids": false, "type": "datetime", "uuid": "5f522c75-9e97-494d-9194-a6b93776287a", "value": "2017-10-12T13:33:10" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209538", "to_ids": false, "type": "link", "uuid": "ad0b5f4e-0fff-4f75-be53-6265f58c29c1", "value": "https://www.virustotal.com/file/59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd/analysis/1507815190/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209538", "to_ids": false, "type": "text", "uuid": "356ef8ff-0235-4e8f-bb33-8249a5caf79e", "value": "48/66" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210123", "uuid": "ef9c46e1-2109-4f2d-a196-0b32db320dde", "ObjectReference": [ { "comment": "", "object_uuid": "ef9c46e1-2109-4f2d-a196-0b32db320dde", "referenced_uuid": "57ad2c35-47de-4478-a5a2-ef662992dbd7", "relationship_type": "analysed-with", "timestamp": "1563210126", "uuid": "5d2cb18e-ed40-43d2-8ad3-46b602de0b81" } ], "Attribute": [ { "category": "Payload delivery", 
"comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209841", "to_ids": true, "type": "md5", "uuid": "cbb95568-35e5-40ae-9564-a9f06a5008ef", "value": "675b17eed5c3c5e0bb5ab937753672bb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209841", "to_ids": true, "type": "sha1", "uuid": "9bfb4751-7f48-4444-b61e-a40d75a548ea", "value": "72d382cbf08d3f3fe2429eceed8a706b1b44fd65" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209841", "to_ids": true, "type": "sha256", "uuid": "1bfae243-80ca-4c61-ab06-7878e2add07b", "value": "65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210124", "uuid": "57ad2c35-47de-4478-a5a2-ef662992dbd7", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209841", "to_ids": false, "type": "datetime", "uuid": "aa822b4a-e563-4929-b1ba-7bf06ac4c469", "value": "2018-11-18T19:17:10" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209841", "to_ids": false, "type": "link", "uuid": "4c438a43-6d73-412c-b2d0-0c36ee8a04c0", "value": "https://www.virustotal.com/file/65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b/analysis/1542568630/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209841", "to_ids": false, "type": "text", "uuid": 
"e4e98012-9f66-4620-a3a9-2d899b277a8e", "value": "20/56" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210124", "uuid": "94899e17-3ab7-4ef6-b462-5511f61bebc5", "ObjectReference": [ { "comment": "", "object_uuid": "94899e17-3ab7-4ef6-b462-5511f61bebc5", "referenced_uuid": "af2f967c-2424-4564-978c-5cdb327139f9", "relationship_type": "analysed-with", "timestamp": "1563210126", "uuid": "5d2cb18e-684c-44ca-9443-4b6502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209905", "to_ids": true, "type": "md5", "uuid": "a2d2f099-8815-42c9-b3d7-a74ba9302ffd", "value": "f082f44b0f4e52c44a6116e34ecb2a78" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209905", "to_ids": true, "type": "sha1", "uuid": "111eaf1f-ecd2-48c8-b731-7f77a4793512", "value": "a2b75fce3fc2baf11eae550d05aa1fbe170be546" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209905", "to_ids": true, "type": "sha256", "uuid": "ceb839a2-c9c9-494f-9723-88fa18fedd33", "value": "111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210124", "uuid": "af2f967c-2424-4564-978c-5cdb327139f9", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209905", "to_ids": false, 
"type": "datetime", "uuid": "d0b8bb66-599a-448b-a8b5-674d8fdb2cb2", "value": "2018-11-18T19:12:47" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209905", "to_ids": false, "type": "link", "uuid": "e872a407-273f-4376-a8a1-49e69b57e6e7", "value": "https://www.virustotal.com/file/111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671/analysis/1542568367/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209905", "to_ids": false, "type": "text", "uuid": "934ba945-fbe4-4884-ad0d-dc8fa9cd8a20", "value": "32/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210124", "uuid": "b7cc06ad-5ab0-4f8a-b454-f3795dd44acf", "ObjectReference": [ { "comment": "", "object_uuid": "b7cc06ad-5ab0-4f8a-b454-f3795dd44acf", "referenced_uuid": "6d2912db-ff65-482e-8a39-c7aa4d2f68a6", "relationship_type": "analysed-with", "timestamp": "1563210126", "uuid": "5d2cb18e-8298-44ca-9e24-48d202de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563210111", "to_ids": true, "type": "md5", "uuid": "be0da9d5-ac3a-4f23-a640-d0248efc8f56", "value": "fc23bd61f8af13293fd960e6cb202145" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563210111", "to_ids": true, "type": "sha1", "uuid": "c9b6bb52-c147-4865-a907-11ba21ea1da7", "value": "d3e1421263a60abd5e58a49c3f02282710917210" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha256", "timestamp": "1563210111", "to_ids": true, "type": "sha256", "uuid": "40e961a9-7482-4d86-af93-0ca07c9f72df", "value": "fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210124", "uuid": "6d2912db-ff65-482e-8a39-c7aa4d2f68a6", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563210111", "to_ids": false, "type": "datetime", "uuid": "89006026-47b7-45f8-ac3c-64326ebbe3ca", "value": "2019-06-18T02:08:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563210111", "to_ids": false, "type": "link", "uuid": "9cbf73dd-b749-4402-9737-395a241e805d", "value": "https://www.virustotal.com/file/fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34f/analysis/1560823680/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563210111", "to_ids": false, "type": "text", "uuid": "d602cb8b-f80f-4839-aab8-eaadae303222", "value": "45/66" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210125", "uuid": "8c40c4c1-8e29-4715-ac40-3403a10e3b6e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209581", "to_ids": false, "type": "datetime", "uuid": "5cbc4dea-fefe-4d73-ac3a-99c822b7118b", "value": "2017-06-22T12:36:27" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209581", "to_ids": false, "type": "link", "uuid": "8c6cfdd3-0eff-4938-a5d3-1ae36045c254", "value": "https://www.virustotal.com/file/e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08/analysis/1498134987/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209581", "to_ids": false, "type": "text", "uuid": "2cf448aa-f7c9-48a8-825e-4a5ee6733ec5", "value": "9/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1563210125", "uuid": "641d3a70-e79d-4e0c-ad91-1bf7ec2ffec4", "ObjectReference": [ { "comment": "", "object_uuid": "641d3a70-e79d-4e0c-ad91-1bf7ec2ffec4", "referenced_uuid": "f00b6044-39c2-494d-9351-0a5aeea8581c", "relationship_type": "analysed-with", "timestamp": "1563210126", "uuid": "5d2cb18e-33ec-4603-8df7-4b5f02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1563209752", "to_ids": true, "type": "md5", "uuid": "034531f5-2366-43d7-9428-4efd897f9ac6", "value": "bcfe2c56500d6f58e8e3f4b5a35fb155" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1563209752", "to_ids": true, "type": "sha1", "uuid": "38761cd1-b60a-43b9-b80d-2d0aef7fa59b", "value": "f36b3a4353cddc2909f534a5dbf4f631c4c941a9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1563209752", "to_ids": true, "type": "sha256", "uuid": 
"d0de103c-2c10-4b1b-a90f-9b9d0d1ca896", "value": "d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1563210125", "uuid": "f00b6044-39c2-494d-9351-0a5aeea8581c", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1563209752", "to_ids": false, "type": "datetime", "uuid": "ba91dac5-b7af-42b4-a351-b43c4cb949ea", "value": "2018-11-15T07:22:45" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1563209752", "to_ids": false, "type": "link", "uuid": "891da064-eda3-4824-94a3-6d7950aedd8c", "value": "https://www.virustotal.com/file/d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97/analysis/1542266565/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1563209752", "to_ids": false, "type": "text", "uuid": "b2320be1-2302-421d-8aa1-07110023f45a", "value": "22/58" } ] } ] } }