{ "Event": { "analysis": "2", "date": "2017-10-16", "extends_uuid": "", "info": "OSINT - CoalaBot: http Ddos Bot", "publish_timestamp": "1540717002", "published": true, "threat_level_id": "3", "timestamp": "1540716975", "uuid": "5bb71d5e-8784-489b-b33f-46e7950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#0088cc", "name": "misp-galaxy:tool=\"CoalaBot\"" }, { "colour": "#00bdbd", "name": "ecsirt:availability=\"ddos\"" }, { "colour": "#285c00", "name": "ddos:type=\"amplification-attack\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1538732907", "to_ids": false, "type": "text", "uuid": "5bb71d7e-b968-4998-ac69-4c42950d210f", "value": "CoalaBot appears to be built on August Stealer code (Panel and Traffic are really alike)\r\n\r\nI found it spread as a task in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1538732894", "to_ids": false, "type": "link", "uuid": "5bb72389-6444-419d-8c8e-4877950d210f", "value": "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1540716844", "uuid": "5bb727a6-c410-4389-b3c0-4fbf950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
false, "object_relation": "sha1", "timestamp": "1538729894", "to_ids": true, "type": "sha1", "uuid": "5bb727a6-c35c-4ef0-8214-498e950d210f", "value": "0ff1584eec4fc5c72439d94e8cee922703c44049" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1538729895", "to_ids": true, "type": "sha256", "uuid": "5bb727a7-e830-4435-8bb8-49e8950d210f", "value": "fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1538729900", "to_ids": true, "type": "md5", "uuid": "5bb727ac-7f4c-4787-acc8-4dd8950d210f", "value": "f3862c311c67cb027a06d4272b680a3b" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1538729904", "to_ids": false, "type": "text", "uuid": "5bb727b0-3d84-4e65-ba6c-479e950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1540716847", "uuid": "bbdbeb9e-0530-483d-b1c9-5351a35d1be7", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1540716851", "to_ids": false, "type": "datetime", "uuid": "07e074a4-cebf-4e42-9d97-2424eefe62f3", "value": "2018-05-19T06:43:56" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1540716852", "to_ids": false, "type": "link", "uuid": "0be6e036-4e69-4a59-8f46-c88815452718", "value": "https://www.virustotal.com/file/fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f/analysis/1526712236/" }, { "category": "Other", 
"comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1540716852", "to_ids": false, "type": "text", "uuid": "e03a39f8-2e23-436e-be47-81ef153eaed7", "value": "48/67" } ] } ] } }