{ "Event": { "analysis": "2", "date": "2018-05-22", "extends_uuid": "", "info": "Emotet 5-18-2018", "publish_timestamp": "1589183759", "published": true, "threat_level_id": "3", "timestamp": "1621849729", "uuid": "5b0438ad-6d20-4a53-9a8b-2c1c0acd0835", "Orgc": { "name": "Synovus Financial", "uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:tool=\"Emotet\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#003860", "name": "osint:source-type=\"pastie-website\"" }, { "colour": "#002642", "name": "osint:source-type=\"microblog-post\"" } ], "Attribute": [ { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004061", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-c7ac-49a6-b78f-2c420acd0835", "value": "50.37.10.78|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-20f0-4baa-b9ad-2c420acd0835", "value": "50.84.214.74|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-1464-4a92-bcd8-2c420acd0835", "value": "65.25.17.131|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-6724-4133-9846-2c420acd0835", "value": "67.20.224.109|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-caf4-4260-a33f-2c420acd0835", "value": "69.129.91.38|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-6944-4ac5-bb83-2c420acd0835", "value": "70.167.17.7|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-fa54-4b42-a740-2c420acd0835", "value": "72.49.55.42|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-6978-4f21-8e03-2c420acd0835", "value": "86.209.63.166|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-5114-4463-aac3-2c420acd0835", "value": "105.228.39.7|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-a450-43be-80a9-2c420acd0835", "value": "119.18.8.51|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004061", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-b090-4a74-bec9-2c420acd0835", "value": "169.0.250.138|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-7ed0-41b4-aa42-2c420acd0835", "value": "179.52.46.11|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-7444-4a71-a9d9-2c420acd0835", "value": "192.227.112.57|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-f0a0-46ed-8938-2c420acd0835", "value": "199.167.209.11|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-9548-496f-96fb-2c420acd0835", "value": "222.112.169.133|80", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-2c44-4426-895e-2c420acd0835", "value": "37.120.170.231|443", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-4c8c-4d5e-b966-2c420acd0835", "value": "174.140.167.85|443", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c4-b078-43e2-9d5d-2c420acd0835", "value": "188.226.223.31|443", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004062", "to_ids": true, "type": "ip-dst|port", "uuid": "5b0438c5-fbd8-4d17-bb11-2c420acd0835", "value": "217.160.93.187|443", "Tag": [ { "colour": "#00aad0", "name": "veris:action:malware:variety=\"C2\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b0438d9-9b24-475a-9eb1-08ef0acd0835", "value": "http://lemat.sk/YQJHmA", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b0438d9-ae60-4a28-b202-08ef0acd0835", "value": "http://columbiainstitute.org/O/YBC4RQ/", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Support Tool", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527003738", "to_ids": false, "type": "link", "uuid": "5b0438e9-88c4-4681-aa0b-2c060acd0835", "value": "https://www.virustotal.com/#/file/1b9e1f248b3dd13e0c8668117caa7f8af1e34918f1e9ac6f71d619e50fd91538/detection" }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2d-d2e0-4a3a-a20f-2ade0acd0835", "value": "http://emulsiflex.com/Wz51Bq1/", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2d-6a18-4b90-b690-2ade0acd0835", "value": "http://e-muhr.de/IcS1A5z/", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2d-cc18-4e88-95f6-2ade0acd0835", "value": "http://emulsiflex.com/Wz51Bq1", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2d-6720-440e-a5c4-2ade0acd0835", "value": "http://lemat.sk/YQJHmA/", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2e-b2f8-4984-9875-2ade0acd0835", "value": "http://columbiainstitute.org/O/YBC4RQ", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2e-ba3c-44c1-8389-2ade0acd0835", "value": "http://sweatshop.org/dnqN0nl", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2e-c00c-4b03-9b9d-2ade0acd0835", "value": "http://www.gardonyrefhir.hu/gmQuF9x", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2e-aeac-4727-aa52-2ade0acd0835", "value": "http://sweatshop.org/dnqN0nl/", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] }, { "category": "Network activity", "comment": "Emotet", "deleted": false, "disable_correlation": false, "timestamp": "1527004113", "to_ids": true, "type": "url", "uuid": "5b043a2e-1968-4be5-a86d-2ade0acd0835", "value": "http://e-muhr.de/IcS1A5z", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" }, { "colour": "#cc4900", "name": "diamond-model:Infrastructure" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1527003445", "uuid": "5b043935-825c-49d4-b93c-08ef0acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "Emotet", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1527003738", "to_ids": true, "type": "md5", "uuid": "5b043935-b294-48fc-bce2-08ef0acd0835", "value": "923a8d46eca1e77e020e0ac0951226d8" }, { "category": "Other", "comment": "Emotet", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1527003738", "to_ids": false, "type": "text", "uuid": "5b043935-0f14-48ff-bd0c-08ef0acd0835", "value": "Emotet" }, { "category": "Payload delivery", "comment": "Emotet", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1527003738", "to_ids": true, "type": "sha256", "uuid": "5b043935-45b8-4e74-90b9-08ef0acd0835", "value": "1b9e1f248b3dd13e0c8668117caa7f8af1e34918f1e9ac6f71d619e50fd91538" }, { "category": "Payload delivery", "comment": "Emotet", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1527003738", "to_ids": true, "type": "filename", "uuid": "5b043935-1384-439f-b8f6-08ef0acd0835", "value": "22468.exe" }, { "category": "Payload delivery", "comment": "Emotet", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1527003738", "to_ids": true, "type": "sha1", "uuid": "5b043935-1ac0-445b-9399-08ef0acd0835", "value": "45ef0de6aa324ebebdf9ba61129cd316e19973ae" }, { "category": "Payload delivery", "comment": "Emotet", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1527003738", "to_ids": true, "type": "ssdeep", "uuid": "5b043935-797c-41b6-a6b1-08ef0acd0835", "value": "3072:8ZL3fu/kIS5c7+iMfmGkV1C5o63qaGymSUO:G0fac7Kflgao63qaGLS" }, { "category": "Other", "comment": "Emotet", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1527003738", "to_ids": false, "type": "text", "uuid": "5b043935-160c-4861-8ce2-08ef0acd0835", "value": "Malicious" } ] } ] } }