{ "Event": { "analysis": "0", "date": "2019-01-28", "extends_uuid": "", "info": "2019-01-28: Turla Kazuar RAT", "publish_timestamp": "1548767977", "published": true, "threat_level_id": "3", "timestamp": "1548767952", "uuid": "5c502e8e-09e8-4c7c-9135-4c1b950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"Turla RAT\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"" }, { "colour": "#12e200", "name": "misp-galaxy:threat-actor=\"Turla Group\"" }, { "colour": "#065100", "name": "misp-galaxy:tool=\"Turla\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"Kazuar\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-malware=\"Kazuar - S0265\"" }, { "colour": "#0088cc", "name": "misp-galaxy:tool=\"Kazuar\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#440055", "name": "ms-caro-malware:malware-type=\"RemoteAccess\"" }, { "colour": "#4bec00", "name": "enisa:nefarious-activity-abuse=\"remote-access-tool\"" }, { "colour": "#008ba9", "name": "veris:asset:variety=\"S - Remote access\"" }, { "colour": "#00bde6", "name": "veris:action:misuse:vector=\"Remote access\"" }, { "colour": "#001739", "name": "ms-caro-malware-full:malware-type=\"RemoteAccess\"" }, { "colour": "#5f0044", "name": "CERT-XLM:malicious-code=\"spyware-rat\"" }, { "colour": "#002642", "name": "osint:source-type=\"microblog-post\"" } ], "Attribute": [ { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1548760999", "to_ids": true, "type": "url", "uuid": "5c5037a7-d6f4-47ee-bb67-4cc3950d210f", "value": "northviewcanada.com/wp-content/galler/slider/" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1548761000", "to_ids": true, "type": "url", "uuid": "5c5037a8-fcf8-4d3c-bab5-4c1e950d210f", "value": "zycie-chotomowa.pl/wp-content/languages/index.php" } ], "Object": [ { "comment": "", "deleted": false, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "name": "microblog", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "template_version": "5", "timestamp": "1548759728", "uuid": "5c5032b0-5a34-4e58-bcf7-0435950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "post", "timestamp": "1548759728", "to_ids": false, "type": "text", "uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f", "value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1548759728", "to_ids": false, "type": "text", "uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f", "value": "Twitter" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1548759728", "to_ids": true, "type": "url", "uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f", "value": "https://twitter.com/VK_Intel/status/1089959988116799491" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username-quoted", "timestamp": "1548759728", "to_ids": false, "type": "text", "uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f", "value": "DrunkBinary" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "creation-date", "timestamp": "1548759728", "to_ids": false, "type": "datetime", "uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f", "value": "2019-01-28T10:54:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1548759728", "to_ids": false, "type": "text", "uuid": "5c5032b0-4528-4080-bbb4-0435950d210f", "value": "VK_Intel" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1548761278", "uuid": "5c5038be-fe38-403c-a413-0435950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548761278", "to_ids": true, "type": "md5", "uuid": "5c5038be-b8a4-41df-a614-0435950d210f", "value": "988df2967a7239a4b916cc9fcedaff68" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1548761278", "to_ids": false, "type": "text", "uuid": "5c5038be-ec78-4d5b-91f0-0435950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1548767943", "uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d", "ObjectReference": [ { "comment": "", "object_uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d", "referenced_uuid": "9001b360-5644-40b6-8310-2c8aa8711aab", "relationship_type": "analysed-with", "timestamp": "1548767943", "uuid": "5c5052c7-ec80-46a5-9eb3-4c3602de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548767943", "to_ids": true, "type": "md5", "uuid": "839827fd-8db6-4baf-b6c6-8ca80a321668", "value": "988df2967a7239a4b916cc9fcedaff68" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548767943", "to_ids": true, "type": "sha1", "uuid": "6dc280a4-698a-46fc-b336-3b42958143cd", "value": "321fac7d4cabce35ce0adc67c700f47d47359021" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548767943", "to_ids": true, "type": "sha256", "uuid": "7fd1ea29-dcde-427f-998b-00f5403c01b4", "value": "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548767943", "uuid": "9001b360-5644-40b6-8310-2c8aa8711aab", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548767943", "to_ids": false, "type": "datetime", "uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110", "value": "2019-01-29T07:35:34" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548767943", "to_ids": false, "type": "link", "uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d", "value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548767943", "to_ids": false, "type": "text", "uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4", "value": "42/69" } ] } ] } }