{ "Event": { "analysis": "2", "date": "2017-02-03", "extends_uuid": "", "info": "OSINT - Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX", "publish_timestamp": "1486158165", "published": true, "threat_level_id": "2", "timestamp": "1486158124", "uuid": "5894f679-33c8-4642-8e51-8cd902de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#043400", "local": "0", "name": "misp-galaxy:tool=\"PlugX\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"ZeroT\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486157485", "to_ids": false, "type": "link", "uuid": "5894f698-4df4-47de-b058-46c802de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": "0", "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486157510", "to_ids": false, "type": "text", "uuid": "5894f6c6-9b98-41eb-b759-8c2302de0b81", "value": "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat (APT) activity associated with Chinese actors targeting other regions. We have previously written about related activity [2][3] in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries. Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.\r\n\r\nThis blog details the function of the new malware, provides delivery details for elements of the APT activity, and describes additional changes in tactics, techniques, and procedures (TTPs) associated with this group." }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives", "deleted": false, "disable_correlation": false, "timestamp": "1486157545", "to_ids": true, "type": "sha256", "uuid": "5894f6e9-7698-4db5-a2eb-0e7202de0b81", "value": "38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives", "deleted": false, "disable_correlation": false, "timestamp": "1486157546", "to_ids": true, "type": "sha256", "uuid": "5894f6ea-77c0-486b-8d81-0e7202de0b81", "value": "ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives", "deleted": false, "disable_correlation": false, "timestamp": "1486157547", "to_ids": true, "type": "sha256", "uuid": "5894f6eb-9078-49f1-b87a-0e7202de0b81", "value": "ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives", "deleted": false, "disable_correlation": false, "timestamp": "1486157548", "to_ids": true, "type": "sha256", "uuid": "5894f6ec-097c-4ee6-8414-0e7202de0b81", "value": "f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168" }, { "category": "Payload delivery", "comment": "CHM droppers", "deleted": false, "disable_correlation": false, "timestamp": "1486157561", "to_ids": true, "type": "sha256", "uuid": "5894f6f9-2cdc-41c8-ab62-0e7202de0b81", "value": "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff" }, { "category": "Payload delivery", "comment": "CHM droppers", "deleted": false, "disable_correlation": false, "timestamp": "1486157561", "to_ids": true, "type": "sha256", "uuid": "5894f6f9-a598-441c-a2aa-0e7202de0b81", "value": "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2" }, { "category": "Payload delivery", "comment": "CHM droppers", "deleted": false, "disable_correlation": false, "timestamp": "1486157562", "to_ids": true, "type": "sha256", "uuid": "5894f6fa-0710-41ae-9c18-0e7202de0b81", "value": "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d" }, { "category": "Payload delivery", "comment": "Word Exploit documents", "deleted": false, "disable_correlation": false, "timestamp": "1486157574", "to_ids": true, "type": "sha256", "uuid": "5894f706-d434-43d7-9e92-7dba02de0b81", "value": "9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157603", "to_ids": true, "type": "sha256", "uuid": "5894f723-62b8-46b9-afb1-46f902de0b81", "value": "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157604", "to_ids": true, "type": "sha256", "uuid": "5894f724-9ac4-45a9-a528-49d502de0b81", "value": "1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157605", "to_ids": true, "type": "sha256", "uuid": "5894f725-8180-42cc-984f-4bf402de0b81", "value": "399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157605", "to_ids": true, "type": "sha256", "uuid": "5894f725-24a0-42bc-8861-4c4e02de0b81", "value": "3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157606", "to_ids": true, "type": "sha256", "uuid": "5894f726-3c9c-4193-97b1-4aeb02de0b81", "value": "67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157607", "to_ids": true, "type": "sha256", "uuid": "5894f727-1fc0-4264-89e3-486002de0b81", "value": "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157607", "to_ids": true, "type": "sha256", "uuid": "5894f727-35dc-4fd4-af4e-480702de0b81", "value": "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157608", "to_ids": true, "type": "sha256", "uuid": "5894f728-2060-4201-bb24-445802de0b81", "value": "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157609", "to_ids": true, "type": "sha256", "uuid": "5894f729-c338-490f-87b2-4c6f02de0b81", "value": "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157610", "to_ids": true, "type": "sha256", "uuid": "5894f72a-8a18-4468-b070-45d802de0b81", "value": "aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157610", "to_ids": true, "type": "sha256", "uuid": "5894f72a-e3e4-4456-99ee-4c0b02de0b81", "value": "b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157611", "to_ids": true, "type": "sha256", "uuid": "5894f72b-b238-4c1f-bc46-493402de0b81", "value": "c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157612", "to_ids": true, "type": "sha256", "uuid": "5894f72c-24ec-4712-88ac-4db202de0b81", "value": "c5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157613", "to_ids": true, "type": "sha256", "uuid": "5894f72d-7a14-48bb-b228-477a02de0b81", "value": "d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157613", "to_ids": true, "type": "sha256", "uuid": "5894f72d-e640-46be-87db-49f402de0b81", "value": "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478" }, { "category": "Payload delivery", "comment": "ZeroT", "deleted": false, "disable_correlation": false, "timestamp": "1486157614", "to_ids": true, "type": "sha256", "uuid": "5894f72e-a43c-407a-90dc-4c1002de0b81", "value": "97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4" }, { "category": "Payload delivery", "comment": "PlugX", "deleted": false, "disable_correlation": false, "timestamp": "1486157628", "to_ids": true, "type": "sha256", "uuid": "5894f73c-e224-4212-8b2a-451802de0b81", "value": "b185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f" }, { "category": "Payload delivery", "comment": "PlugX", "deleted": false, "disable_correlation": false, "timestamp": "1486157629", "to_ids": true, "type": "sha256", "uuid": "5894f73d-5e10-469f-96a3-469e02de0b81", "value": "3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa" }, { "category": "Payload delivery", "comment": "PlugX", "deleted": false, "disable_correlation": false, "timestamp": "1486157629", "to_ids": true, "type": "sha256", "uuid": "5894f73d-256c-4459-9e24-474e02de0b81", "value": "07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67" }, { "category": "Network activity", "comment": "ZeroT C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157642", "to_ids": true, "type": "hostname", "uuid": "5894f74a-0890-451d-b6bc-4bfb02de0b81", "value": "www.tassnews.net" }, { "category": "Network activity", "comment": "ZeroT C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157643", "to_ids": true, "type": "hostname", "uuid": "5894f74b-66dc-4ac3-90d3-40ed02de0b81", "value": "www.versig.net" }, { "category": "Network activity", "comment": "ZeroT C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157644", "to_ids": true, "type": "hostname", "uuid": "5894f74c-b294-41b6-932a-4c8c02de0b81", "value": "www.riaru.net" }, { "category": "Network activity", "comment": "PlugX C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157661", "to_ids": true, "type": "hostname", "uuid": "5894f75d-0acc-47e4-95c8-8cd702de0b81", "value": "www.micrnet.net" }, { "category": "Network activity", "comment": "PlugX C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157662", "to_ids": true, "type": "hostname", "uuid": "5894f75e-13d0-4093-8d7b-8cd702de0b81", "value": "www.dicemention.com" }, { "category": "Network activity", "comment": "Likely Related C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157678", "to_ids": true, "type": "hostname", "uuid": "5894f76e-ebe4-4ea0-aea4-4fe002de0b81", "value": "www.rumiany.com" }, { "category": "Network activity", "comment": "Likely Related C&C", "deleted": false, "disable_correlation": false, "timestamp": "1486157678", "to_ids": true, "type": "hostname", "uuid": "5894f76e-29f0-4a49-bdf5-44dd02de0b81", "value": "www.yandcx.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486157710", "to_ids": false, "type": "text", "uuid": "5894f78e-8c64-40bf-8132-8cd902de0b81", "value": "Appendix A: Example PlugX Configuration\r\n\r\nSample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.micrnet[.]net:80 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:80 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:80 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:443 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:53 (UDP)\r\n\r\n Persistence: Run key\r\n\r\n Install Folder: %AUTO%\\TCMyXfeFAd\r\n\r\n Service Name: pQwEPnz\r\n\r\n Service Display Name: pQwEPnz\r\n\r\n Service Des%WINDIR%\\pQwEPnz Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: mJqyCsNGBsge\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: DuICS\r\n\r\n Mutex: Global\\WtMKAPYYxoWMoWW\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00\r\n\r\nAppendix B: Example PlugX Configuration\r\n\r\nSample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\n\r\nProcess: fsguidll.exe (3980)\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.dicemention[.]com:80 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:80 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:443 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:25 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:80 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (UDP)\r\n\r\n Persistence: Service + Run Key\r\n\r\n Install Folder: %AUTO%\\IZBpIciif\r\n\r\n Service Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Display Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Des%WINDIR%\\yAjUgUdMGHuvGaZ Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: RqdFqFSYaBx\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles%\\Internet Explorer\\iexplore.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: NBz\r\n\r\n Mutex: Global\\ksMoQGOTIBJXumYclXtcsAnx\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4", "deleted": false, "disable_correlation": false, "timestamp": "1486157731", "to_ids": true, "type": "sha1", "uuid": "5894f7a4-f394-4ffe-9c10-874d02de0b81", "value": "ddd643d447e6ff3af7298c2a1858b52f86fcd0ef" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4", "deleted": false, "disable_correlation": false, "timestamp": "1486157732", "to_ids": true, "type": "md5", "uuid": "5894f7a4-201c-49b5-b4f9-874d02de0b81", "value": "c7a4292834dd2f75577af3a1fcaaf7b4" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4", "deleted": false, "disable_correlation": false, "timestamp": "1486157733", "to_ids": false, "type": "link", "uuid": "5894f7a5-f100-47d2-84f6-874d02de0b81", "value": "https://www.virustotal.com/file/97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4/analysis/1481642491/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478", "deleted": false, "disable_correlation": false, "timestamp": "1486157734", "to_ids": true, "type": "sha1", "uuid": "5894f7a6-0548-474e-9571-874d02de0b81", "value": "4b7088444def62d77c00efd11c3a16e0f26c54c9" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478", "deleted": false, "disable_correlation": false, "timestamp": "1486157735", "to_ids": true, "type": "md5", "uuid": "5894f7a7-22f4-4785-87ce-874d02de0b81", "value": "0892d0e0cf63d50a8ea8d55baea4ea33" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478", "deleted": false, "disable_correlation": false, "timestamp": "1486157735", "to_ids": false, "type": "link", "uuid": "5894f7a7-1b30-4134-a970-874d02de0b81", "value": "https://www.virustotal.com/file/fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478/analysis/1469547952/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375", "deleted": false, "disable_correlation": false, "timestamp": "1486157736", "to_ids": true, "type": "sha1", "uuid": "5894f7a8-a7b8-4ba8-974b-874d02de0b81", "value": "fd33857fdc9f88c258920a1d53bfcd5f79ecabb7" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375", "deleted": false, "disable_correlation": false, "timestamp": "1486157737", "to_ids": true, "type": "md5", "uuid": "5894f7a9-6a58-4577-8ed7-874d02de0b81", "value": "0b227712315620cd737809f288a32f2b" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375", "deleted": false, "disable_correlation": false, "timestamp": "1486157738", "to_ids": false, "type": "link", "uuid": "5894f7aa-8818-40c8-816c-874d02de0b81", "value": "https://www.virustotal.com/file/d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375/analysis/1479838803/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d", "deleted": false, "disable_correlation": false, "timestamp": "1486157739", "to_ids": true, "type": "sha1", "uuid": "5894f7ab-3024-4e0e-be6b-874d02de0b81", "value": "f4425e0a543e3efda38378c0884d8e2200d2821a" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d", "deleted": false, "disable_correlation": false, "timestamp": "1486157740", "to_ids": true, "type": "md5", "uuid": "5894f7ac-b12c-461e-9e7d-874d02de0b81", "value": "0530c718660fa2d1b4679570c7d0ae97" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d", "deleted": false, "disable_correlation": false, "timestamp": "1486157740", "to_ids": false, "type": "link", "uuid": "5894f7ac-767c-4d03-8433-874d02de0b81", "value": "https://www.virustotal.com/file/c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d/analysis/1477322459/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8", "deleted": false, "disable_correlation": false, "timestamp": "1486157741", "to_ids": true, "type": "sha1", "uuid": "5894f7ad-b52c-4b44-b537-874d02de0b81", "value": "935d02e4e5077c14df649b9887722b9cddcca4b7" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8", "deleted": false, "disable_correlation": false, "timestamp": "1486157742", "to_ids": true, "type": "md5", "uuid": "5894f7ae-4d58-447b-8832-874d02de0b81", "value": "b1b4b54dfa4b57885a74ef1c4a7cb6d6" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8", "deleted": false, "disable_correlation": false, "timestamp": "1486157743", "to_ids": false, "type": "link", "uuid": "5894f7af-f3d0-48fd-b5da-874d02de0b81", "value": "https://www.virustotal.com/file/b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8/analysis/1486130149/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267", "deleted": false, "disable_correlation": false, "timestamp": "1486157743", "to_ids": true, "type": "sha1", "uuid": "5894f7af-5cd4-48a3-aa87-874d02de0b81", "value": "16ca9dc8a8d35f4e7cbbeda2bf337e8e1c9b7a1f" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267", "deleted": false, "disable_correlation": false, "timestamp": "1486157744", "to_ids": true, "type": "md5", "uuid": "5894f7b0-cf18-49f4-bf02-874d02de0b81", "value": "df2a485a3eb76b3243ce7d25b5893b40" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267", "deleted": false, "disable_correlation": false, "timestamp": "1486157745", "to_ids": false, "type": "link", "uuid": "5894f7b1-f3b4-46dc-bc97-874d02de0b81", "value": "https://www.virustotal.com/file/aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267/analysis/1476267631/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8", "deleted": false, "disable_correlation": false, "timestamp": "1486157746", "to_ids": true, "type": "sha1", "uuid": "5894f7b2-495c-4bb6-ae90-874d02de0b81", "value": "e06fce249eefd4c65b57e2dd1300b0e40d417563" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8", "deleted": false, "disable_correlation": false, "timestamp": "1486157747", "to_ids": true, "type": "md5", "uuid": "5894f7b3-42e4-482d-bbdc-874d02de0b81", "value": "aea45c19234d85f31881eddd24dfe88f" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8", "deleted": false, "disable_correlation": false, "timestamp": "1486157747", "to_ids": false, "type": "link", "uuid": "5894f7b3-5d58-4632-a725-874d02de0b81", "value": "https://www.virustotal.com/file/a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8/analysis/1486145225/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0", "deleted": false, "disable_correlation": false, "timestamp": "1486157748", "to_ids": true, "type": "sha1", "uuid": "5894f7b4-399c-4bb3-9bc3-874d02de0b81", "value": "ae4cf0457505fb774df04d7ba2f8fc1c891328a9" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0", "deleted": false, "disable_correlation": false, "timestamp": "1486157749", "to_ids": true, "type": "md5", "uuid": "5894f7b5-f100-42f2-8f76-874d02de0b81", "value": "a3c41c9cace716707c629dc8087af371" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0", "deleted": false, "disable_correlation": false, "timestamp": "1486157750", "to_ids": false, "type": "link", "uuid": "5894f7b6-9ba4-4b30-9289-874d02de0b81", "value": "https://www.virustotal.com/file/a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0/analysis/1486130149/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3", "deleted": false, "disable_correlation": false, "timestamp": "1486157751", "to_ids": true, "type": "sha1", "uuid": "5894f7b7-45e4-4820-95f9-874d02de0b81", "value": "b6718ed9a64857e13b2894f5c50669a4306195ba" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3", "deleted": false, "disable_correlation": false, "timestamp": "1486157751", "to_ids": true, "type": "md5", "uuid": "5894f7b7-4fec-43df-946b-874d02de0b81", "value": "4a49a5358e6841ba625956fac62483ca" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3", "deleted": false, "disable_correlation": false, "timestamp": "1486157752", "to_ids": false, "type": "link", "uuid": "5894f7b8-b570-45da-849c-874d02de0b81", "value": "https://www.virustotal.com/file/a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3/analysis/1486130148/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df", "deleted": false, "disable_correlation": false, "timestamp": "1486157753", "to_ids": true, "type": "sha1", "uuid": "5894f7b9-2e88-4ddc-80cc-874d02de0b81", "value": "b66c11c8ecd3d5c064f7ada4e84e50ef0f4f6b4e" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df", "deleted": false, "disable_correlation": false, "timestamp": "1486157754", "to_ids": true, "type": "md5", "uuid": "5894f7ba-6218-4476-8b6a-874d02de0b81", "value": "3cff0e45be3bc3d8904151499da5a354" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df", "deleted": false, "disable_correlation": false, "timestamp": "1486157755", "to_ids": false, "type": "link", "uuid": "5894f7bb-4cc4-4cdb-af81-874d02de0b81", "value": "https://www.virustotal.com/file/74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df/analysis/1486130147/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b", "deleted": false, "disable_correlation": false, "timestamp": "1486157755", "to_ids": true, "type": "sha1", "uuid": "5894f7bb-8cd4-4351-87ea-874d02de0b81", "value": "39094640c5d3eb6d2b43282d724d792c81706a20" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b", "deleted": false, "disable_correlation": false, "timestamp": "1486157756", "to_ids": true, "type": "md5", "uuid": "5894f7bc-f890-45eb-97c1-874d02de0b81", "value": "b0b7e48f76bf7cabd46bd23be6a044c3" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b", "deleted": false, "disable_correlation": false, "timestamp": "1486157757", "to_ids": false, "type": "link", "uuid": "5894f7bd-267c-49fa-9bc8-874d02de0b81", "value": "https://www.virustotal.com/file/67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b/analysis/1486130147/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425", "deleted": false, "disable_correlation": false, "timestamp": "1486157758", "to_ids": true, "type": "sha1", "uuid": "5894f7be-9a98-410c-89b1-874d02de0b81", "value": "462e09c090d48fe4c7d9c5bab37666cb25a787f4" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425", "deleted": false, "disable_correlation": false, "timestamp": "1486157758", "to_ids": true, "type": "md5", "uuid": "5894f7be-f7c8-49e9-b21b-874d02de0b81", "value": "f973c23d96ff11b593068b06c727a94c" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425", "deleted": false, "disable_correlation": false, "timestamp": "1486157759", "to_ids": false, "type": "link", "uuid": "5894f7bf-05a0-4442-a42c-874d02de0b81", "value": "https://www.virustotal.com/file/3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425/analysis/1486130147/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343", "deleted": false, "disable_correlation": false, "timestamp": "1486157760", "to_ids": true, "type": "sha1", "uuid": "5894f7c0-8550-4723-97db-874d02de0b81", "value": "15f5f735dd60d295b826c0bebfca9625ffce725d" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343", "deleted": false, "disable_correlation": false, "timestamp": "1486157761", "to_ids": true, "type": "md5", "uuid": "5894f7c1-0ac8-487d-8ce2-874d02de0b81", "value": "4abb9a2b65ecd19b952e7b5ea0c2a854" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343", "deleted": false, "disable_correlation": false, "timestamp": "1486157761", "to_ids": false, "type": "link", "uuid": "5894f7c1-3fd0-45f4-9dd3-874d02de0b81", "value": "https://www.virustotal.com/file/399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343/analysis/1486130147/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4", "deleted": false, "disable_correlation": false, "timestamp": "1486157762", "to_ids": true, "type": "sha1", "uuid": "5894f7c2-966c-4b2f-8bd8-874d02de0b81", "value": "c15b209a8fcdc8a6c2b8fbc9eadc7a641cc771c5" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4", "deleted": false, "disable_correlation": false, "timestamp": "1486157763", "to_ids": true, "type": "md5", "uuid": "5894f7c3-0314-4673-86b4-874d02de0b81", "value": "25b30aa5ab498408d46c1042f121df3f" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4", "deleted": false, "disable_correlation": false, "timestamp": "1486157764", "to_ids": false, "type": "link", "uuid": "5894f7c4-1b28-4ff0-98ea-874d02de0b81", "value": "https://www.virustotal.com/file/1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4/analysis/1486130146/" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0", "deleted": false, "disable_correlation": false, "timestamp": "1486157764", "to_ids": true, "type": "sha1", "uuid": "5894f7c4-8ce0-4857-810d-874d02de0b81", "value": "1b86e4ead3ac8421ac83d9a39412f07706b6dd2e" }, { "category": "Payload delivery", "comment": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0", "deleted": false, "disable_correlation": false, "timestamp": "1486157765", "to_ids": true, "type": "md5", "uuid": "5894f7c5-95c8-4da7-8c5d-874d02de0b81", "value": "47ff1d275bd63bb2e0b4820b121485c3" }, { "category": "External analysis", "comment": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0", "deleted": false, "disable_correlation": false, "timestamp": "1486157766", "to_ids": false, "type": "link", "uuid": "5894f7c6-d09c-4b4c-ad3b-874d02de0b81", "value": "https://www.virustotal.com/file/09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0/analysis/1486130146/" }, { "category": "Payload delivery", "comment": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58", "deleted": false, "disable_correlation": false, "timestamp": "1486157766", "to_ids": true, "type": "sha1", "uuid": "5894f7c6-6274-4788-ab7c-874d02de0b81", "value": "74f4086f2d93b8f40b8a011c10b8c26da7f35eb2" }, { "category": "Payload delivery", "comment": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58", "deleted": false, "disable_correlation": false, "timestamp": "1486157767", "to_ids": true, "type": "md5", "uuid": "5894f7c7-073c-4308-a20e-874d02de0b81", "value": "970369ddf7ffff8806aea81b1093a06a" }, { "category": "External analysis", "comment": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58", "deleted": false, "disable_correlation": false, "timestamp": "1486157768", "to_ids": false, "type": "link", "uuid": "5894f7c8-f694-487b-8647-874d02de0b81", "value": "https://www.virustotal.com/file/9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58/analysis/1482473568/" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d", "deleted": false, "disable_correlation": false, "timestamp": "1486157769", "to_ids": true, "type": "sha1", "uuid": "5894f7c9-35bc-46bd-8b25-874d02de0b81", "value": "d6ab70f6a889077a28c5f4a7dae096e223759ebf" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d", "deleted": false, "disable_correlation": false, "timestamp": "1486157770", "to_ids": true, "type": "md5", "uuid": "5894f7ca-5fa4-4da5-a064-874d02de0b81", "value": "da00090169a373606ef0707ea45cefa9" }, { "category": "External analysis", "comment": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d", "deleted": false, "disable_correlation": false, "timestamp": "1486157771", "to_ids": false, "type": "link", "uuid": "5894f7cb-6d18-4303-ac70-874d02de0b81", "value": "https://www.virustotal.com/file/74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d/analysis/1481628229/" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2", "deleted": false, "disable_correlation": false, "timestamp": "1486157772", "to_ids": true, "type": "sha1", "uuid": "5894f7cc-0218-4f9d-bf11-874d02de0b81", "value": "65913c8ea66b1c7a516e52f3ce5d33e1fc36ae66" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2", "deleted": false, "disable_correlation": false, "timestamp": "1486157773", "to_ids": true, "type": "md5", "uuid": "5894f7cd-6124-481c-a7a6-874d02de0b81", "value": "e899619a5b12b9d90d07b87128a1430c" }, { "category": "External analysis", "comment": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2", "deleted": false, "disable_correlation": false, "timestamp": "1486157773", "to_ids": false, "type": "link", "uuid": "5894f7cd-b09c-43b5-976f-874d02de0b81", "value": "https://www.virustotal.com/file/ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2/analysis/1477566896/" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff", "deleted": false, "disable_correlation": false, "timestamp": "1486157774", "to_ids": true, "type": "sha1", "uuid": "5894f7ce-f1fc-46b6-8ead-874d02de0b81", "value": "0a48de42d2ba2f3c9536c7646eeeb8e279e25cfd" }, { "category": "Payload delivery", "comment": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff", "deleted": false, "disable_correlation": false, "timestamp": "1486157775", "to_ids": true, "type": "md5", "uuid": "5894f7cf-43bc-4b5f-a376-874d02de0b81", "value": "2d9a3057512a6bca6aeecd124068471f" }, { "category": "External analysis", "comment": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff", "deleted": false, "disable_correlation": false, "timestamp": "1486157775", "to_ids": false, "type": "link", "uuid": "5894f7cf-fe64-4c55-a629-874d02de0b81", "value": "https://www.virustotal.com/file/4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff/analysis/1486130147/" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168", "deleted": false, "disable_correlation": false, "timestamp": "1486157776", "to_ids": true, "type": "sha1", "uuid": "5894f7d0-7268-45dd-99ea-874d02de0b81", "value": "b005a426a17d32694c9cf224350e72a777d7d62c" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168", "deleted": false, "disable_correlation": false, "timestamp": "1486157777", "to_ids": true, "type": "md5", "uuid": "5894f7d1-b6c4-46c5-b719-874d02de0b81", "value": "bc96303c24aaa86c8acfbf2162b43e90" }, { "category": "External analysis", "comment": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168", "deleted": false, "disable_correlation": false, "timestamp": "1486157778", "to_ids": false, "type": "link", "uuid": "5894f7d2-da64-4b71-9c5f-874d02de0b81", "value": "https://www.virustotal.com/file/f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168/analysis/1486130146/" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462", "deleted": false, "disable_correlation": false, "timestamp": "1486157779", "to_ids": true, "type": "sha1", "uuid": "5894f7d3-69c0-40e2-985d-874d02de0b81", "value": "83f57b2910627cba851b01be3b4c316873252e73" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462", "deleted": false, "disable_correlation": false, "timestamp": "1486157779", "to_ids": true, "type": "md5", "uuid": "5894f7d3-bd40-4342-a53f-874d02de0b81", "value": "55fd25ef423da52ba60b76a27650f485" }, { "category": "External analysis", "comment": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462", "deleted": false, "disable_correlation": false, "timestamp": "1486157780", "to_ids": false, "type": "link", "uuid": "5894f7d4-856c-4159-9e00-874d02de0b81", "value": "https://www.virustotal.com/file/ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462/analysis/1486130151/" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097", "deleted": false, "disable_correlation": false, "timestamp": "1486157781", "to_ids": true, "type": "sha1", "uuid": "5894f7d5-3984-430e-9e61-874d02de0b81", "value": "cdc08d31a935e66e5ae6a3ba2b39cd2f506cc8fb" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097", "deleted": false, "disable_correlation": false, "timestamp": "1486157782", "to_ids": true, "type": "md5", "uuid": "5894f7d6-9608-4941-85f5-874d02de0b81", "value": "2be3003e464b3e56bc678cd182aac73d" }, { "category": "External analysis", "comment": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097", "deleted": false, "disable_correlation": false, "timestamp": "1486157782", "to_ids": false, "type": "link", "uuid": "5894f7d6-8534-4c0f-b126-874d02de0b81", "value": "https://www.virustotal.com/file/ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097/analysis/1486130150/" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf", "deleted": false, "disable_correlation": false, "timestamp": "1486157783", "to_ids": true, "type": "sha1", "uuid": "5894f7d7-e764-48d6-898c-874d02de0b81", "value": "b35fc02b19f331f78e83d44b40116a2bf6f1252e" }, { "category": "Payload delivery", "comment": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf", "deleted": false, "disable_correlation": false, "timestamp": "1486157784", "to_ids": true, "type": "md5", "uuid": "5894f7d8-7d10-403d-b3fa-874d02de0b81", "value": "4fa0bff0626ebe8253c04fd33462b5fc" }, { "category": "External analysis", "comment": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf", "deleted": false, "disable_correlation": false, "timestamp": "1486157785", "to_ids": false, "type": "link", "uuid": "5894f7d9-afd0-47c3-bfdf-874d02de0b81", "value": "https://www.virustotal.com/file/38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf/analysis/1486130150/" }, { "category": "External analysis", "comment": "Additional references", "deleted": false, "disable_correlation": false, "timestamp": "1486158034", "to_ids": false, "type": "link", "uuid": "5894f8d2-d7e0-4225-834c-874d02de0b81", "value": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/" }, { "category": "External analysis", "comment": "Additional references", "deleted": false, "disable_correlation": false, "timestamp": "1486158083", "to_ids": false, "type": "link", "uuid": "5894f8d2-f494-476c-a034-874d02de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "Additional references", "deleted": false, "disable_correlation": false, "timestamp": "1486158076", "to_ids": false, "type": "link", "uuid": "5894f8d3-6008-437d-bec0-874d02de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "Additional references", "deleted": false, "disable_correlation": false, "timestamp": "1486158105", "to_ids": false, "type": "link", "uuid": "5894f8d4-7700-4a87-8aa3-874d02de0b81", "value": "http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "Additional references", "deleted": false, "disable_correlation": false, "timestamp": "1486158113", "to_ids": false, "type": "link", "uuid": "5894f8d5-a2c4-41d4-b4b7-874d02de0b81", "value": "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-exploit-generators-szappanos.pdf", "Tag": [ { "colour": "#002b4a", "local": "0", "name": "osint:source-type=\"technical-report\"", "relationship_type": "" } ] } ] } }