{ "Event": { "analysis": "2", "date": "2016-06-14", "extends_uuid": "", "info": "OSINT - Mofang: A politically motivated information stealing adversary", "publish_timestamp": "1469260595", "published": true, "threat_level_id": "2", "timestamp": "1468918774", "uuid": "57608399-aa20-4d2c-b03d-4a69950d210f", "Orgc": { "name": "FOXIT-CERT", "uuid": "55f6ea5f-03c4-42c7-83bb-4984950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#006262", "local": "0", "name": "ecsirt:malicious-code=\"malware\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943193", "to_ids": true, "type": "hostname", "uuid": "57608499-087c-41b0-84e3-4445950d210f", "value": "video.today-nytimes.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943193", "to_ids": true, "type": "hostname", "uuid": "57608499-1ddc-41b9-8ad2-43e4950d210f", "value": "api.officeonlinetool.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943193", "to_ids": true, "type": "hostname", "uuid": "57608499-69c0-4efa-94b0-4ece950d210f", "value": "ie.update-windows-microsoft.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943193", "to_ids": true, "type": "hostname", "uuid": "57608499-14e0-442e-8035-4e65950d210f", "value": "travel.tripmans.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", 
"to_ids": true, "type": "hostname", "uuid": "5760849a-fc9c-41d7-95e4-4afc950d210f", "value": "dns.undpus.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", "to_ids": true, "type": "hostname", "uuid": "5760849a-c8cc-42e7-bbfa-4b1d950d210f", "value": "secure2.sophosrv.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", "to_ids": true, "type": "hostname", "uuid": "5760849a-92cc-43ea-b582-4d34950d210f", "value": "update.nfkllyuisyahooapis.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", "to_ids": true, "type": "hostname", "uuid": "5760849a-5748-4ec6-99f6-4ec7950d210f", "value": "www.go-gga.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", "to_ids": true, "type": "hostname", "uuid": "5760849a-dbe0-4f97-8f2b-4fff950d210f", "value": "images.defexpoindia14.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943194", "to_ids": true, "type": "hostname", "uuid": "5760849a-b468-4cd7-9f26-4d39950d210f", "value": "update.micrdsoft.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943195", "to_ids": true, "type": "hostname", "uuid": "5760849b-0008-44e3-904a-4906950d210f", "value": "support.f--secure.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943195", "to_ids": true, "type": "hostname", 
"uuid": "5760849b-b0a0-425d-a0ca-49ec950d210f", "value": "store.outlook-microsoft.net" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943195", "to_ids": true, "type": "hostname", "uuid": "5760849b-dba0-446e-b855-40d7950d210f", "value": "b.support.outlook-microsoft.net" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943195", "to_ids": true, "type": "hostname", "uuid": "5760849b-9c20-4d7f-9c8a-4920950d210f", "value": "logon.had-one-job.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943195", "to_ids": true, "type": "hostname", "uuid": "5760849b-3e08-4fb0-b077-486e950d210f", "value": "www.avgfree.us" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943196", "to_ids": true, "type": "hostname", "uuid": "5760849c-5844-4822-b388-4e11950d210f", "value": "mail.upgoogle.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943196", "to_ids": true, "type": "hostname", "uuid": "5760849c-d3f4-488b-a5e6-47ee950d210f", "value": "wbmail.city-library.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943196", "to_ids": true, "type": "hostname", "uuid": "5760849c-43c4-4e67-a8d7-45db950d210f", "value": "library.cpgcorp.org" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943266", "to_ids": true, "type": "sha256", "uuid": 
"576084e2-fdd8-498d-b142-41f8950d210f", "value": "558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943266", "to_ids": true, "type": "sha256", "uuid": "576084e2-f5c4-4aee-9f0b-4629950d210f", "value": "a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943266", "to_ids": true, "type": "sha256", "uuid": "576084e2-2ff0-46c2-95e9-46ae950d210f", "value": "2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943266", "to_ids": true, "type": "sha256", "uuid": "576084e2-fe04-4c77-9bda-4de3950d210f", "value": "2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e3-1ea8-4035-ae99-4947950d210f", "value": "af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e3-bcd4-4a2c-9765-4c90950d210f", "value": "e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e3-e7c4-46d1-a92d-4be3950d210f", "value": 
"d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e3-d87c-46db-b60f-40a8950d210f", "value": "0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e3-eee0-4c0d-b5ea-476f950d210f", "value": "f71025d47105dcd674a0b9ef0c83a83854ba20cb0eb8168da36a7908d150e44f" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943267", "to_ids": true, "type": "sha256", "uuid": "576084e4-ed54-41fb-aee6-4d16950d210f", "value": "5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943268", "to_ids": true, "type": "sha256", "uuid": "576084e4-6bf8-4688-97aa-47a5950d210f", "value": "8ee3fc5ccef751e098c4e64b36e8b5c95dc48473ac83380b59d10ea32f9946f9" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943268", "to_ids": true, "type": "sha256", "uuid": "576084e4-1d08-4aae-9e66-4704950d210f", "value": "35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943268", "to_ids": true, "type": "sha256", "uuid": "576084e4-59cc-411b-b6b5-41df950d210f", "value": "36422e6ccaa50a9ecceb7fb709a9e383552732525cb579f8438237d87aaf8377" 
}, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943268", "to_ids": true, "type": "sha256", "uuid": "576084e4-346c-4225-8e53-4ad3950d210f", "value": "3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943268", "to_ids": true, "type": "sha256", "uuid": "576084e4-f424-424a-8fc7-48b6950d210f", "value": "a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-15d8-48bb-8c34-4e05950d210f", "value": "b53b27bb3e9d02e3ec5404cf3e67debb90d9337dbb570ca8b8cfce1054428466" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-8548-42ea-8d8a-43c4950d210f", "value": "ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-ad58-49f0-83bd-4366950d210f", "value": "2b111e287d356ac4561ba4f56135b7c1361b7da32e5825028a5e300e44b05579" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-c128-4139-a50b-4ada950d210f", "value": "029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e" }, { "category": "Payload delivery", "comment": "Imported via the 
Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-1758-48c2-a388-4762950d210f", "value": "15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943269", "to_ids": true, "type": "sha256", "uuid": "576084e5-a53c-4e0c-86ff-45e1950d210f", "value": "33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943270", "to_ids": true, "type": "sha256", "uuid": "576084e6-c3e8-48c9-a854-46bc950d210f", "value": "eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943270", "to_ids": true, "type": "sha256", "uuid": "576084e6-75f4-444b-a32d-46c7950d210f", "value": "5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943270", "to_ids": true, "type": "sha256", "uuid": "576084e6-d0a4-4ae3-b588-4fa2950d210f", "value": "241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943270", "to_ids": true, "type": "sha256", "uuid": "576084e6-acdc-4c09-97ff-4a36950d210f", "value": "577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": 
false, "timestamp": "1465943270", "to_ids": true, "type": "sha256", "uuid": "576084e6-d71c-4624-803a-4374950d210f", "value": "d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", "uuid": "576084e7-859c-43fd-b12b-4869950d210f", "value": "dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", "uuid": "576084e7-7ffc-410e-925c-4049950d210f", "value": "23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", "uuid": "576084e7-b3ac-4d51-a9bb-4902950d210f", "value": "fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", "uuid": "576084e7-29f8-47d8-9d97-4dd4950d210f", "value": "234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", "uuid": "576084e7-dc2c-4716-9556-4eff950d210f", "value": "e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943271", "to_ids": true, "type": "sha256", 
"uuid": "576084e7-9d40-4dde-b74e-4538950d210f", "value": "2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943272", "to_ids": true, "type": "sha256", "uuid": "576084e8-7c04-42d0-ab53-4ea9950d210f", "value": "6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943272", "to_ids": true, "type": "sha256", "uuid": "576084e8-f4b8-47b6-bb66-41c0950d210f", "value": "1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943272", "to_ids": true, "type": "sha256", "uuid": "576084e8-94b4-4162-9a17-4a2e950d210f", "value": "1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943272", "to_ids": true, "type": "sha256", "uuid": "576084e8-1d18-4dd0-a026-49e5950d210f", "value": "b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943272", "to_ids": true, "type": "sha256", "uuid": "576084e8-0c18-46d3-bff0-47d1950d210f", "value": "ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943273", "to_ids": true, "type": "sha256", "uuid": "576084e9-f660-478c-9961-4ca9950d210f", "value": 
"0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943273", "to_ids": true, "type": "sha256", "uuid": "576084e9-bf88-48ab-bb04-4b48950d210f", "value": "722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1465943273", "to_ids": true, "type": "sha256", "uuid": "576084e9-db04-41cf-81a3-4698950d210f", "value": "7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1468918774", "to_ids": true, "type": "yara", "uuid": "57608528-91e4-4666-b514-42ef950d210f", "value": "rule shimrat\r\n{\r\n meta:\r\n description = \"Detects ShimRat and the ShimRat loader\"\r\n author = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\n date = \"20/11/2015\"\r\n \r\n strings:\r\n $dll = \".dll\"\r\n $dat = \".dat\"\r\n $headersig = \"QWERTYUIOPLKJHG\"\r\n $datasig = \"MNBVCXZLKJHGFDS\"\r\n $datamarker1 = \"Data$$00\"\r\n $datamarker2 = \"Data$$01%c%sData\"\r\n $cmdlineformat = \"ping localhost -n 9 /c %s > nul\"\r\n $demoproject_keyword1 = \"Demo\"\r\n $demoproject_keyword2 = \"Win32App\"\r\n $comspec = \"COMSPEC\"\r\n $shim_func1 = \"ShimMain\"\r\n $shim_func2 = \"NotifyShims\"\r\n $shim_func3 = \"GetHookAPIs\"\r\n\r\n\r\n condition:\r\n ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)\r\n}\r\n\r\nrule shimratreporter\r\n{\r\n meta:\r\n description = \"Detects ShimRatReporter\"\r\n author = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\n date 
= \"20/11/2015\"\r\n\r\n strings:\r\n $IpInfo = \"IP-INFO\"\r\n $NetworkInfo = \"Network-INFO\"\r\n $OsInfo = \"OS-INFO\"\r\n $ProcessInfo = \"Process-INFO\"\r\n $BrowserInfo = \"Browser-INFO\"\r\n $QueryUserInfo = \"QueryUser-INFO\"\r\n $UsersInfo = \"Users-INFO\"\r\n $SoftwareInfo = \"Software-INFO\"\r\n $AddressFormat = \"%02X-%02X-%02X-%02X-%02X-%02X\"\r\n $proxy_str = \"(from environment) = %s\"\r\n\r\n $netuserfun = \"NetUserEnum\"\r\n $networkparams = \"GetNetworkParams\"\r\n\r\n condition:\r\n all of them\r\n}" }, { "category": "Network activity", "comment": "Snort signatures", "deleted": false, "disable_correlation": false, "timestamp": "1468918772", "to_ids": true, "type": "snort", "uuid": "57608570-b360-43b8-99cd-4833950d210f", "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (Data)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.\"; content:\"|0d0a0d0a|Data$$\"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; content:\"|0d0a0d0a|\"; pcre:\"/Data\\$\\$\\d\\d/R\"; content:\"Data\"; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001854; rev:4;)" }, { "category": "Internal reference", "comment": "Mofang IOCs on Github", "deleted": false, "disable_correlation": false, "timestamp": "1465943507", "to_ids": false, "type": "link", "uuid": "576085d3-b7f8-4625-9080-4a2d950d210f", "value": "https://github.com/fox-it/mofang" }, { "category": "Internal reference", "comment": "Full report on Mofang group can be found here", "deleted": false, "disable_correlation": false, "timestamp": "1465943659", "to_ids": false, "type": "link", "uuid": "5760866b-5714-4531-acd7-4eca950d210f", "value": 
"http://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f", "deleted": false, "disable_correlation": false, "timestamp": "1465955735", "to_ids": true, "type": "sha1", "uuid": "5760b597-6b90-490c-bedb-4da102de0b81", "value": "5428d25b9ec583260c25af0d71eba364388a530e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f", "deleted": false, "disable_correlation": false, "timestamp": "1465955735", "to_ids": true, "type": "md5", "uuid": "5760b597-6ff8-4d33-be86-496b02de0b81", "value": "b43e5988bde7bb03133eec60daaf22d5" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f", "deleted": false, "disable_correlation": false, "timestamp": "1465955735", "to_ids": false, "type": "link", "uuid": "5760b597-396c-4496-b182-4c8602de0b81", "value": "https://www.virustotal.com/file/7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f/analysis/1444933085/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2", "deleted": false, "disable_correlation": false, "timestamp": "1465955736", "to_ids": true, "type": "sha1", "uuid": "5760b598-2b58-4cea-849c-4cb002de0b81", "value": "961ad7d813f6c64aae3d999aab802f50f8d94172" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2", "deleted": false, "disable_correlation": false, "timestamp": "1465955736", "to_ids": true, "type": "md5", "uuid": 
"5760b598-ee44-47bf-b208-49fd02de0b81", "value": "582e4adddfd12f7d68035c3b8e2e3378" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2", "deleted": false, "disable_correlation": false, "timestamp": "1465955736", "to_ids": false, "type": "link", "uuid": "5760b598-c4b0-4aa5-84f0-416802de0b81", "value": "https://www.virustotal.com/file/722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2/analysis/1445877385/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07", "deleted": false, "disable_correlation": false, "timestamp": "1465955736", "to_ids": true, "type": "sha1", "uuid": "5760b598-3a30-4f28-99c3-47f802de0b81", "value": "8817dcb6d244676d22fa430cacd0dd6b7a1c5f24" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07", "deleted": false, "disable_correlation": false, "timestamp": "1465955736", "to_ids": true, "type": "md5", "uuid": "5760b598-13fc-45eb-89db-41f002de0b81", "value": "fb80354303a0ff748696baae3d264af4" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07", "deleted": false, "disable_correlation": false, "timestamp": "1465955737", "to_ids": false, "type": "link", "uuid": "5760b599-8678-4518-8a40-4cd002de0b81", "value": "https://www.virustotal.com/file/0741a18bfd79dac1fb850a7d4fcc62098c43fb0c803df6cd9934e82a1362dd07/analysis/1433495631/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99", "deleted": false, "disable_correlation": false, "timestamp": 
"1465955737", "to_ids": true, "type": "sha1", "uuid": "5760b599-b324-4cdf-abd8-455302de0b81", "value": "5fc9cec7f98c26c1881f142b2ff79a6457fd642e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99", "deleted": false, "disable_correlation": false, "timestamp": "1465955737", "to_ids": true, "type": "md5", "uuid": "5760b599-c9bc-4b54-afe1-47f102de0b81", "value": "0067bbd63db0a4f5662cdb1633d92444" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99", "deleted": false, "disable_correlation": false, "timestamp": "1465955737", "to_ids": false, "type": "link", "uuid": "5760b599-385c-462a-a796-430a02de0b81", "value": "https://www.virustotal.com/file/ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99/analysis/1433150046/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5", "deleted": false, "disable_correlation": false, "timestamp": "1465955737", "to_ids": true, "type": "sha1", "uuid": "5760b599-6828-4cc4-9f11-467d02de0b81", "value": "fb2a1294d76bbe97eb9be744d72a135fc9a6af1e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5", "deleted": false, "disable_correlation": false, "timestamp": "1465955738", "to_ids": true, "type": "md5", "uuid": "5760b59a-0764-474e-992b-4a3602de0b81", "value": "9a6167cf7c180f15d8ae13f48d549d2e" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5", "deleted": false, "disable_correlation": false, "timestamp": "1465955738", "to_ids": false, 
"type": "link", "uuid": "5760b59a-997c-4ff3-9cfc-411402de0b81", "value": "https://www.virustotal.com/file/b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5/analysis/1434710549/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2", "deleted": false, "disable_correlation": false, "timestamp": "1465955738", "to_ids": true, "type": "sha1", "uuid": "5760b59a-631c-4eeb-b395-4de402de0b81", "value": "7c9eb0815c0baff8729acdbe5ebfb74b77673c5c" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2", "deleted": false, "disable_correlation": false, "timestamp": "1465955738", "to_ids": true, "type": "md5", "uuid": "5760b59a-93f0-4ab4-8c95-4d9f02de0b81", "value": "5c00ccf456135514c591478904b146e3" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2", "deleted": false, "disable_correlation": false, "timestamp": "1465955738", "to_ids": false, "type": "link", "uuid": "5760b59a-dcd4-4f3a-b654-4d7d02de0b81", "value": "https://www.virustotal.com/file/1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2/analysis/1441743554/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f", "deleted": false, "disable_correlation": false, "timestamp": "1465955739", "to_ids": true, "type": "sha1", "uuid": "5760b59b-9418-4bc1-b2e7-40d802de0b81", "value": "b1b303058e1e586dc2ae2939340a2c35de3c2289" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f", "deleted": false, "disable_correlation": 
false, "timestamp": "1465955739", "to_ids": true, "type": "md5", "uuid": "5760b59b-c1a8-42a4-95fe-474702de0b81", "value": "484c7f9e6c9233ba6ed4adb79b87ebce" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f", "deleted": false, "disable_correlation": false, "timestamp": "1465955739", "to_ids": false, "type": "link", "uuid": "5760b59b-a59c-4aeb-a0ff-417302de0b81", "value": "https://www.virustotal.com/file/1922273bb36ab282e3b7846f1bb2802f5803bde66078fa996e44b84d0265675f/analysis/1447679426/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197", "deleted": false, "disable_correlation": false, "timestamp": "1465955739", "to_ids": true, "type": "sha1", "uuid": "5760b59b-8ef0-450b-abb9-441f02de0b81", "value": "a6105b2aef7845af8c18459442bdabb476038835" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197", "deleted": false, "disable_correlation": false, "timestamp": "1465955739", "to_ids": true, "type": "md5", "uuid": "5760b59b-a220-4520-af45-4bb002de0b81", "value": "2384febe404ef48d6585f050e3cd51a8" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197", "deleted": false, "disable_correlation": false, "timestamp": "1465955740", "to_ids": false, "type": "link", "uuid": "5760b59c-326c-4dd0-8d86-4a1202de0b81", "value": "https://www.virustotal.com/file/6882664f1d0eb8c8cf61bdd16494380d34b6207455638342c6c3a7eef1ed9197/analysis/1425014357/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882", 
"deleted": false, "disable_correlation": false, "timestamp": "1465955740", "to_ids": true, "type": "sha1", "uuid": "5760b59c-ab4c-4504-a0ab-47ed02de0b81", "value": "8576e17b70de2ba61e4acfc4ff8ff14287d1c067" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882", "deleted": false, "disable_correlation": false, "timestamp": "1465955740", "to_ids": true, "type": "md5", "uuid": "5760b59c-1100-40be-ab6b-409402de0b81", "value": "916a2a20a447b10e379543a47a60b40f" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882", "deleted": false, "disable_correlation": false, "timestamp": "1465955740", "to_ids": false, "type": "link", "uuid": "5760b59c-a630-49ed-8088-425902de0b81", "value": "https://www.virustotal.com/file/2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882/analysis/1380958163/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc", "deleted": false, "disable_correlation": false, "timestamp": "1465955740", "to_ids": true, "type": "sha1", "uuid": "5760b59c-9c5c-4e0c-807b-496402de0b81", "value": "26b788c117a8c22b0fdd78952c7eff132ed5a990" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc", "deleted": false, "disable_correlation": false, "timestamp": "1465955741", "to_ids": true, "type": "md5", "uuid": "5760b59d-a794-44e8-a281-413502de0b81", "value": "888cac09f613db4505c4ee8d01d4291b" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc", "deleted": false, 
"disable_correlation": false, "timestamp": "1465955741", "to_ids": false, "type": "link", "uuid": "5760b59d-e1ac-4cb2-bef6-40fd02de0b81", "value": "https://www.virustotal.com/file/e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc/analysis/1378854272/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce", "deleted": false, "disable_correlation": false, "timestamp": "1465955741", "to_ids": true, "type": "sha1", "uuid": "5760b59d-055c-4ea1-aba0-4d6702de0b81", "value": "25dae9e0e597df3a020326b039e93c8ffa93d252" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce", "deleted": false, "disable_correlation": false, "timestamp": "1465955741", "to_ids": true, "type": "md5", "uuid": "5760b59d-5924-460e-8005-497a02de0b81", "value": "d7a575895b07b007d0daf1f15bfb14a1" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce", "deleted": false, "disable_correlation": false, "timestamp": "1465955741", "to_ids": false, "type": "link", "uuid": "5760b59d-199c-480b-8934-42c702de0b81", "value": "https://www.virustotal.com/file/234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce/analysis/1443828297/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723", "deleted": false, "disable_correlation": false, "timestamp": "1465955742", "to_ids": true, "type": "sha1", "uuid": "5760b59e-f56c-4d22-81d1-46f402de0b81", "value": "ee485a666c425be84585fd00062f29535bee0804" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 
fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723", "deleted": false, "disable_correlation": false, "timestamp": "1465955742", "to_ids": true, "type": "md5", "uuid": "5760b59e-6050-4a3b-89f0-4e8702de0b81", "value": "a326e2abacc72c7a050ffe36e3d3d0eb" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723", "deleted": false, "disable_correlation": false, "timestamp": "1465955742", "to_ids": false, "type": "link", "uuid": "5760b59e-2630-4137-96aa-497602de0b81", "value": "https://www.virustotal.com/file/fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723/analysis/1425101429/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34", "deleted": false, "disable_correlation": false, "timestamp": "1465955742", "to_ids": true, "type": "sha1", "uuid": "5760b59e-3980-436d-a3be-4dc202de0b81", "value": "412cb33b9f5d09ba9f75b704619b47dd05fba426" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34", "deleted": false, "disable_correlation": false, "timestamp": "1465955742", "to_ids": true, "type": "md5", "uuid": "5760b59e-01f8-4591-b8aa-46f502de0b81", "value": "3dab6ff3719ff7fcb01080fc36fe97dc" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34", "deleted": false, "disable_correlation": false, "timestamp": "1465955743", "to_ids": false, "type": "link", "uuid": "5760b59f-851c-4a2c-b677-42d702de0b81", "value": "https://www.virustotal.com/file/23132f4dfd4cb8abe11af1064e4930bc36a464d1235f43bad4ff20708babcc34/analysis/1427970735/" }, { "category": "Payload delivery", "comment": "Imported via the 
Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb", "deleted": false, "disable_correlation": false, "timestamp": "1465955743", "to_ids": true, "type": "sha1", "uuid": "5760b59f-d530-40f1-b7bb-422c02de0b81", "value": "ff646e7d832759fa24810b9723e0d6581bcbc1a1" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb", "deleted": false, "disable_correlation": false, "timestamp": "1465955743", "to_ids": true, "type": "md5", "uuid": "5760b59f-a150-4d68-9418-466002de0b81", "value": "36e057fa2020c65f2849d718f2bb90ad" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb", "deleted": false, "disable_correlation": false, "timestamp": "1465955743", "to_ids": false, "type": "link", "uuid": "5760b59f-64a8-409d-ba94-493f02de0b81", "value": "https://www.virustotal.com/file/dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb/analysis/1448490452/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15", "deleted": false, "disable_correlation": false, "timestamp": "1465955743", "to_ids": true, "type": "sha1", "uuid": "5760b59f-7bd8-42ff-8d1d-42f302de0b81", "value": "e6035ffbdc4abd0d8b6d4890f83de42ffecde1ff" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15", "deleted": false, "disable_correlation": false, "timestamp": "1465955744", "to_ids": true, "type": "md5", "uuid": "5760b5a0-4670-42ec-ae2f-459e02de0b81", "value": "2f14d8c3d4815436f806fc1a435e29e3" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via 
VT: d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15", "deleted": false, "disable_correlation": false, "timestamp": "1465955744", "to_ids": false, "type": "link", "uuid": "5760b5a0-b4e8-44da-bfc6-4d6a02de0b81", "value": "https://www.virustotal.com/file/d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15/analysis/1427970044/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c", "deleted": false, "disable_correlation": false, "timestamp": "1465955744", "to_ids": true, "type": "sha1", "uuid": "5760b5a0-ab84-4ffb-8298-47d602de0b81", "value": "16f4a3f9485df96e25ac508d8a24e5b65fcf2fab" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c", "deleted": false, "disable_correlation": false, "timestamp": "1465955744", "to_ids": true, "type": "md5", "uuid": "5760b5a0-ecac-4c8c-a640-44ef02de0b81", "value": "4e22e8bc3034d0df1e902413c9cfefc9" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c", "deleted": false, "disable_correlation": false, "timestamp": "1465955744", "to_ids": false, "type": "link", "uuid": "5760b5a0-1a58-4f98-9421-453a02de0b81", "value": "https://www.virustotal.com/file/577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c/analysis/1459351611/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb", "deleted": false, "disable_correlation": false, "timestamp": "1465955745", "to_ids": true, "type": "sha1", "uuid": "5760b5a1-5e10-42ea-b82a-430b02de0b81", "value": "b31cf0d74fa4db0b00518e637f95bd366a25b477" }, { "category": "Payload delivery", "comment": 
"Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb", "deleted": false, "disable_correlation": false, "timestamp": "1465955745", "to_ids": true, "type": "md5", "uuid": "5760b5a1-3054-4c56-bfd9-44e902de0b81", "value": "b281a2e1457cd5ca8c85700817018902" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb", "deleted": false, "disable_correlation": false, "timestamp": "1465955745", "to_ids": false, "type": "link", "uuid": "5760b5a1-8194-4e9e-b010-468202de0b81", "value": "https://www.virustotal.com/file/241c66bb54bd27afeb4805aa8a8045155b81c8cd7093dde7ef19273728f502eb/analysis/1409778711/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3", "deleted": false, "disable_correlation": false, "timestamp": "1465955745", "to_ids": true, "type": "sha1", "uuid": "5760b5a1-e180-4cc9-bc08-4c1502de0b81", "value": "24b26252a0181e9a88290fa4702379eab7006682" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3", "deleted": false, "disable_correlation": false, "timestamp": "1465955745", "to_ids": true, "type": "md5", "uuid": "5760b5a1-5bdc-4760-9f42-43f202de0b81", "value": "06cca5013175c5a1c8ff89a494e24245" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": false, "type": "link", "uuid": "5760b5a2-5814-40c5-b2db-446e02de0b81", "value": "https://www.virustotal.com/file/5da5a5643e32d6200567768e6112d4d3161335d8d7a6dd48f02bf444fe98aab3/analysis/1450293548/" }, { 
"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": true, "type": "sha1", "uuid": "5760b5a2-49e0-4eb1-8520-47c202de0b81", "value": "20175624f9672d15aaa68a35a7ae79efeeb21ce5" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": true, "type": "md5", "uuid": "5760b5a2-c1c4-4277-8cf8-419002de0b81", "value": "cf883d04762b868b450275017ab3ccfa" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": false, "type": "link", "uuid": "5760b5a2-fb28-44c1-a44b-497302de0b81", "value": "https://www.virustotal.com/file/eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1/analysis/1402677511/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": true, "type": "sha1", "uuid": "5760b5a2-b198-41eb-a137-485302de0b81", "value": "2dee817ec73a51f4d2ac6334134a033157b8d5dc" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f", "deleted": false, "disable_correlation": false, "timestamp": "1465955746", "to_ids": true, "type": "md5", "uuid": "5760b5a3-9984-42d4-86f4-4ac002de0b81", "value": "25e87e846bb969802e8db9b36d6cf67c" }, { "category": "External analysis", 
"comment": "Imported via the Freetext Import Tool - Xchecked via VT: 33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f", "deleted": false, "disable_correlation": false, "timestamp": "1465955747", "to_ids": false, "type": "link", "uuid": "5760b5a3-0bf8-4f6e-be5a-440f02de0b81", "value": "https://www.virustotal.com/file/33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f/analysis/1392684716/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc", "deleted": false, "disable_correlation": false, "timestamp": "1465955747", "to_ids": true, "type": "sha1", "uuid": "5760b5a3-1550-45c6-938a-4f5c02de0b81", "value": "17ac65b0ae949bb846ca356b334ce3c40c36d0a5" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc", "deleted": false, "disable_correlation": false, "timestamp": "1465955747", "to_ids": true, "type": "md5", "uuid": "5760b5a3-2c8c-497c-af24-493302de0b81", "value": "b213fe655d2c6a05f60da5b114fe481e" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc", "deleted": false, "disable_correlation": false, "timestamp": "1465955747", "to_ids": false, "type": "link", "uuid": "5760b5a3-d604-4b8f-a697-415e02de0b81", "value": "https://www.virustotal.com/file/15b9c033b49a5328ddb06997a817af55469aaf6bc3911de030e6f5ad845160bc/analysis/1427976396/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e", "deleted": false, "disable_correlation": false, "timestamp": "1465955748", "to_ids": true, "type": "sha1", "uuid": "5760b5a4-ba48-40d8-9b25-4ff702de0b81", "value": 
"5f502ef8b45567234b42d6edbd1926665057615e" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e", "deleted": false, "disable_correlation": false, "timestamp": "1465955748", "to_ids": true, "type": "md5", "uuid": "5760b5a4-7efc-4d3e-a269-4c3702de0b81", "value": "ca41c19366bee737fe5bc5008250976a" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e", "deleted": false, "disable_correlation": false, "timestamp": "1465955748", "to_ids": false, "type": "link", "uuid": "5760b5a4-0810-4e7b-8b82-473402de0b81", "value": "https://www.virustotal.com/file/029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e/analysis/1415618882/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf", "deleted": false, "disable_correlation": false, "timestamp": "1465955748", "to_ids": true, "type": "sha1", "uuid": "5760b5a4-20c8-439e-87dd-483d02de0b81", "value": "ee4c94151b08e0c5af5ad754dff8e86a22537cec" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf", "deleted": false, "disable_correlation": false, "timestamp": "1465955748", "to_ids": true, "type": "md5", "uuid": "5760b5a4-764c-4f51-be02-4c4002de0b81", "value": "663e54e686842eb8f8bae2472cf01ba1" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf", "deleted": false, "disable_correlation": false, "timestamp": "1465955749", "to_ids": false, "type": "link", "uuid": "5760b5a5-577c-4db3-8993-4a3d02de0b81", "value": 
"https://www.virustotal.com/file/ba0057a1b132ec16559efc832941455cc07f34c434da2a7434f73f1d2141bebf/analysis/1425282070/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68", "deleted": false, "disable_correlation": false, "timestamp": "1465955749", "to_ids": true, "type": "sha1", "uuid": "5760b5a5-8d5c-4ed6-926c-4e9b02de0b81", "value": "cd9ad276b10cffd4b60c37cd441d9b720f3cfd95" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68", "deleted": false, "disable_correlation": false, "timestamp": "1465955749", "to_ids": true, "type": "md5", "uuid": "5760b5a5-e48c-4913-847c-47dd02de0b81", "value": "5965731f2f237a12f7a4873e3e37658a" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68", "deleted": false, "disable_correlation": false, "timestamp": "1465955749", "to_ids": false, "type": "link", "uuid": "5760b5a5-3c4c-4a7f-b9b0-412d02de0b81", "value": "https://www.virustotal.com/file/a03bd56eeee9f376eb59c6f4d19bf8a651eeb57bb4ebb7f884192b22a6616e68/analysis/1416960110/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d", "deleted": false, "disable_correlation": false, "timestamp": "1465955749", "to_ids": true, "type": "sha1", "uuid": "5760b5a5-e700-4b0d-84a2-47d302de0b81", "value": "64e3fb5a3833e0d662cfe8a85985c3fe61e36224" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d", "deleted": false, "disable_correlation": false, "timestamp": "1465955750", "to_ids": true, "type": "md5", "uuid": 
"5760b5a6-7d00-423b-9c42-4e3402de0b81", "value": "a3f7895fae05fa121a4e23dd3595c366" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d", "deleted": false, "disable_correlation": false, "timestamp": "1465955750", "to_ids": false, "type": "link", "uuid": "5760b5a6-0da4-40ad-b36b-426f02de0b81", "value": "https://www.virustotal.com/file/3c5c4d68d0fa6520637fb4afe6a7097ec7d0f1d6a738bb0064bb009ea6344e8d/analysis/1414573515/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b", "deleted": false, "disable_correlation": false, "timestamp": "1465955750", "to_ids": true, "type": "sha1", "uuid": "5760b5a6-68a8-4f54-b382-44c702de0b81", "value": "6c6e3e434d2f08ed7725dff646c67c96cdfb5775" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b", "deleted": false, "disable_correlation": false, "timestamp": "1465955750", "to_ids": true, "type": "md5", "uuid": "5760b5a6-c25c-40e7-970d-48d002de0b81", "value": "f34c6239b7d70f23ce02a8d207176637" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b", "deleted": false, "disable_correlation": false, "timestamp": "1465955750", "to_ids": false, "type": "link", "uuid": "5760b5a6-c52c-43e9-9341-4be102de0b81", "value": "https://www.virustotal.com/file/35589ce27c27dd4407a79540f32031d752b774b4bd6b8a3687e19a177ae6b18b/analysis/1434442386/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c", "deleted": false, "disable_correlation": false, "timestamp": 
"1465955751", "to_ids": true, "type": "sha1", "uuid": "5760b5a7-5d84-4b46-84b0-4bed02de0b81", "value": "99fc9f54516a78926827495f167ca14682dcc9bf" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c", "deleted": false, "disable_correlation": false, "timestamp": "1465955751", "to_ids": true, "type": "md5", "uuid": "5760b5a7-7104-436c-8759-418202de0b81", "value": "26ff9e2da06b7e90443d6190388581ab" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c", "deleted": false, "disable_correlation": false, "timestamp": "1465955751", "to_ids": false, "type": "link", "uuid": "5760b5a7-0eb4-4fd4-a2a8-409b02de0b81", "value": "https://www.virustotal.com/file/5dc3f4a067ae125f99fa90844bba667235ec7ef667353e282ff29712dda5b71c/analysis/1432405782/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38", "deleted": false, "disable_correlation": false, "timestamp": "1465955751", "to_ids": true, "type": "sha1", "uuid": "5760b5a7-e7a4-4fa4-b672-4e6f02de0b81", "value": "6f61b571984dbcf9dfc2f584337bdcd3e58555b4" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38", "deleted": false, "disable_correlation": false, "timestamp": "1465955751", "to_ids": true, "type": "md5", "uuid": "5760b5a7-d38c-40e7-b154-49cc02de0b81", "value": "b4554c52f708154e529f62ba8e0de084" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38", "deleted": false, "disable_correlation": false, "timestamp": "1465955752", "to_ids": false, 
"type": "link", "uuid": "5760b5a8-1e28-493d-aa7f-4a8a02de0b81", "value": "https://www.virustotal.com/file/0cc1660e384683f2147e02ff76c69822ee2b98433c3a3613bbd28b9d8258da38/analysis/1417518524/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8", "deleted": false, "disable_correlation": false, "timestamp": "1465955752", "to_ids": true, "type": "sha1", "uuid": "5760b5a8-4ef0-441b-aeb1-48c002de0b81", "value": "bdf804fb1869ea58b04a818316cf2327d9a6b1dc" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8", "deleted": false, "disable_correlation": false, "timestamp": "1465955752", "to_ids": true, "type": "md5", "uuid": "5760b5a8-ca94-4730-94cb-460e02de0b81", "value": "23a1a7f0f30f18ba4d0461829eb46766" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8", "deleted": false, "disable_correlation": false, "timestamp": "1465955752", "to_ids": false, "type": "link", "uuid": "5760b5a8-ef18-41a0-a0f9-431002de0b81", "value": "https://www.virustotal.com/file/d834e70a524a87945f7a8880b78f5e10460c1d2b60f3e487cb6f05c8221aa4f8/analysis/1415092839/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2", "deleted": false, "disable_correlation": false, "timestamp": "1465955752", "to_ids": true, "type": "sha1", "uuid": "5760b5a8-4330-4da5-a0db-4e4002de0b81", "value": "d122349b4dc611d4b3470b6ff2d23fd644491ecc" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2", "deleted": false, "disable_correlation": 
false, "timestamp": "1465955752", "to_ids": true, "type": "md5", "uuid": "5760b5a8-548c-4c9c-a3f2-48a802de0b81", "value": "c27fb6999a0243f041c5e387280f9442" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2", "deleted": false, "disable_correlation": false, "timestamp": "1465955753", "to_ids": false, "type": "link", "uuid": "5760b5a9-ce3c-4cfa-b12b-493002de0b81", "value": "https://www.virustotal.com/file/e5bcb55d7881b3b367521532af173e85d1eee66badf89586168d22ed17bc25b2/analysis/1417748024/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d", "deleted": false, "disable_correlation": false, "timestamp": "1465955753", "to_ids": true, "type": "sha1", "uuid": "5760b5a9-8070-4c8f-a4f8-479302de0b81", "value": "31fb6ba509d41ef086137ba454c351eb902f8c13" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d", "deleted": false, "disable_correlation": false, "timestamp": "1465955753", "to_ids": true, "type": "md5", "uuid": "5760b5a9-3cd4-4b72-af82-4fd002de0b81", "value": "d8b95e942993b979fb82c22ea5b5ca18" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d", "deleted": false, "disable_correlation": false, "timestamp": "1465955753", "to_ids": false, "type": "link", "uuid": "5760b5a9-cb60-4743-bc5a-4b5b02de0b81", "value": "https://www.virustotal.com/file/af67df976fb941c99f4d3dd948ed4828a445dd6f9c98ffc2070c8be76c60484d/analysis/1415327976/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf", 
"deleted": false, "disable_correlation": false, "timestamp": "1465955753", "to_ids": true, "type": "sha1", "uuid": "5760b5a9-1b68-4461-90fd-4cdd02de0b81", "value": "7e33ef786015b0c0962f314f4c9c7531d451596d" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf", "deleted": false, "disable_correlation": false, "timestamp": "1465955754", "to_ids": true, "type": "md5", "uuid": "5760b5aa-963c-4539-8190-42ba02de0b81", "value": "4e493a649e2b87ef1a341809dab34a38" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf", "deleted": false, "disable_correlation": false, "timestamp": "1465955754", "to_ids": false, "type": "link", "uuid": "5760b5aa-1a44-4994-8e4b-433202de0b81", "value": "https://www.virustotal.com/file/2d40ca005a7df46b3f7c691006c9951fc3bee25bb4fa4a0ebbdee76d7d117fdf/analysis/1444915836/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d", "deleted": false, "disable_correlation": false, "timestamp": "1465955754", "to_ids": true, "type": "sha1", "uuid": "5760b5aa-7964-44b1-aca4-483102de0b81", "value": "2927297d3dfd2fe2c18ea918fa422cd56cbb4bfd" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d", "deleted": false, "disable_correlation": false, "timestamp": "1465955754", "to_ids": true, "type": "md5", "uuid": "5760b5aa-0bcc-4bad-b4c5-4ccd02de0b81", "value": "6b126cd9a5f2af30bb048caef92ceb51" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d", "deleted": false, 
"disable_correlation": false, "timestamp": "1465955754", "to_ids": false, "type": "link", "uuid": "5760b5aa-2c54-41d3-98c3-497d02de0b81", "value": "https://www.virustotal.com/file/2653ecc3ea17e0d5613ddebe76bdddea6c108713330b0bd8e68d2d5141a4a07d/analysis/1454913570/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672", "deleted": false, "disable_correlation": false, "timestamp": "1465955755", "to_ids": true, "type": "sha1", "uuid": "5760b5ab-f0a0-4057-868c-4d5c02de0b81", "value": "538a1bd99b2c202c0ed18571b5b30ea4004009bf" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672", "deleted": false, "disable_correlation": false, "timestamp": "1465955755", "to_ids": true, "type": "md5", "uuid": "5760b5ab-22a0-4197-9129-4c2202de0b81", "value": "e79b2d2934e5525e7a40d74875f9d761" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672", "deleted": false, "disable_correlation": false, "timestamp": "1465955755", "to_ids": false, "type": "link", "uuid": "5760b5ab-060c-4caa-b5ea-4e7702de0b81", "value": "https://www.virustotal.com/file/a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672/analysis/1432210810/" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a", "deleted": false, "disable_correlation": false, "timestamp": "1465955755", "to_ids": true, "type": "sha1", "uuid": "5760b5ab-ebc4-40b9-9c50-489002de0b81", "value": "5856baf74ef33f2e5a6966f1f02505f4251d7e17" }, { "category": "Payload delivery", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 
558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a", "deleted": false, "disable_correlation": false, "timestamp": "1465955755", "to_ids": true, "type": "md5", "uuid": "5760b5ab-9420-447d-acde-415102de0b81", "value": "f4b247a44be362898c4e587545c7653f" }, { "category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: 558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a", "deleted": false, "disable_correlation": false, "timestamp": "1465955756", "to_ids": false, "type": "link", "uuid": "5760b5ac-f3e0-4f8a-b8bf-4ecf02de0b81", "value": "https://www.virustotal.com/file/558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a/analysis/1427979640/" }, { "category": "Payload delivery", "comment": "A program database path, a file present on the authors\u2019 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:", "deleted": false, "disable_correlation": false, "timestamp": "1465956104", "to_ids": true, "type": "pattern-in-file", "uuid": "5760b708-b0f0-42c2-8d68-491e950d210f", "value": "z:\\project2012\\remotecontrol\\winhttpnet\\amcy\\app\\win7\\installscript\\objfre_wxp_x86\\i386\\InstallScript.pdb" }, { "category": "Payload delivery", "comment": "A program database path, a file present on the authors\u2019 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:", "deleted": false, "disable_correlation": false, "timestamp": "1465956104", "to_ids": true, "type": "pattern-in-file", "uuid": "5760b708-a274-40ba-af8a-4a2e950d210f", "value": "z:\\project2012\\remotecontrol\\winhttpnet\\amcy\\app\\win7\\serviceapp\\objfre_wxp_x86\\i386\\ServiceApp.pdb" }, { "category": "Payload delivery", "comment": "A program database path, a file present on the authors\u2019 machine used to aid in debugging the malware, present in early samples 
gives more indication that the project started in 2012:", "deleted": false, "disable_correlation": false, "timestamp": "1465956104", "to_ids": true, "type": "pattern-in-file", "uuid": "5760b708-66c8-4821-a214-468f950d210f", "value": "z:\\project2012\\remotecontrol\\winhttpnet\\cqgaen\\app\\installscript\\objfre_wxp_x86\\i386\\InstallScript.pdb" }, { "category": "Payload delivery", "comment": "A program database path, a file present on the authors\u2019 machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:", "deleted": false, "disable_correlation": false, "timestamp": "1465956104", "to_ids": true, "type": "pattern-in-file", "uuid": "5760b708-0e1c-41d1-bad6-436f950d210f", "value": "z:\\project2012\\remotecontrol\\winhttpnet\\cqgaen\\app\\serviceapp\\objfre_wxp_x86\\i386\\ServiceApp.pdb" }, { "category": "Payload delivery", "comment": "ShimRat core - C&C", "deleted": false, "disable_correlation": false, "timestamp": "1465956182", "to_ids": true, "type": "url", "uuid": "5760b756-b958-4f16-8184-4a77950d210f", "value": "http://www.avgfree.us/index.php" }, { "category": "Payload delivery", "comment": "ShimRat core - C&C", "deleted": false, "disable_correlation": false, "timestamp": "1465956234", "to_ids": true, "type": "url", "uuid": "5760b78a-4060-4b6c-9763-44de950d210f", "value": "http://adventurelearning.me/wp-content/uploads/index.php" }, { "category": "Network activity", "comment": "The website citrixmeeting.com was under control of Citrix until they let it expire on April 3rd, 2015. The website used to hold information about the conferencing products from Citrix. Almost 4 months after the domain expired, on July the 27th, the Mofang group registered the domain and set it up for their newest campaign. A new version of ShimRat was built on the 7th of September, uploaded to the server and only days later used in a new campaign. 
The payload was hosted at http://www.citrixmeeting.com/download/livechat.exe and contained a newly packaged ShimRat sample and a new DLL-hijacked program.", "deleted": false, "disable_correlation": false, "timestamp": "1465956902", "to_ids": false, "type": "domain", "uuid": "5760ba26-b1f8-4a6f-b5fd-486a950d210f", "value": "citrixmeeting.com" }, { "category": "Network activity", "comment": "Enriched via the circl_passivedns module", "deleted": false, "disable_correlation": false, "timestamp": "1465975271", "to_ids": true, "type": "ip-dst", "uuid": "576101e7-9d7c-4f12-866d-4c4f950d210f", "value": "46.101.2.135" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1465989817", "to_ids": true, "type": "snort", "uuid": "57613ab9-601c-4f6e-bee3-41c9950d210f", "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRatReporter check-in\"; content:\"POST\"; http_method; content:\"Accept-Encoding: utf-8|0d0a|\"; fast_pattern; uricontent:\".php?filename=\"; content:\"Accept: */*\"; content:!\"Referer\"; content:!\"Content-Type\"; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001857; rev:4;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1465989816", "to_ids": true, "type": "snort", "uuid": "57613ab8-e4e0-4f51-9b71-48e6950d210f", "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (php)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.\"; content:\"|0d0a0d0a|php\"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; 
reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001855; rev:4;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1465989817", "to_ids": true, "type": "snort", "uuid": "57613ab9-2728-4b84-8114-4e9d950d210f", "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"FOX-SRT - Trojan - ShimRat check-in (Yuok)\"; flow:established,to_server; content:\"POST\"; http_method; content:\".php HTTP/1.1|0d0a|User-Agent: \"; fast_pattern:only; content:!\"Content-Type\"; content:!\"Referer:\"; content:!\"Cookie:\"; content:\"|0d0a0d0a|\"; pcre:\"/(php)?Yuok\\$\\$\\d\\d/R\"; content:\"Yuok\"; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; sid:21001856; rev:4;)" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1466414172", "to_ids": true, "type": "yara", "uuid": "5767b45c-78c4-46d5-b94b-4ef5950d210f", "value": "rule shimrat\r\n{\r\nmeta:\r\ndescription = \"Detects ShimRat and the ShimRat loader\"\r\nauthor = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\ndate = \"20/11/2015\"\r\nstrings:\r\n$dll = \".dll\"\r\n$dat = \".dat\"\r\n$headersig = \"QWERTYUIOPLKJHG\"\r\n$datasig = \"MNBVCXZLKJHGFDS\"\r\n$datamarker1 = \"Data$$00\"\r\n$datamarker2 = \"Data$$01%c%sData\"\r\n$cmdlineformat = \"ping localhost -n 9 /c %s > nul\"\r\n$demoproject_keyword1 = \"Demo\"\r\n$demoproject_keyword2 = \"Win32App\"\r\n$comspec = \"COMSPEC\"\r\n$shim_func1 = \"ShimMain\"\r\n$shim_func2 = \"NotifyShims\"\r\n$shim_func3 = \"GetHookAPIs\"\r\ncondition:\r\n($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat 
and $shim_func1 and $shim_func2 and $shim_func3)\r\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1466414148", "to_ids": true, "type": "yara", "uuid": "5767b444-185c-4442-bb4f-4f86950d210f", "value": "rule shimratreporter\r\n{\r\nmeta:\r\ndescription = \"Detects ShimRatReporter\"\r\nauthor = \"Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)\"\r\ndate = \"20/11/2015\"\r\nstrings:\r\n$IpInfo = \"IP-INFO\"\r\n$NetworkInfo = \"Network-INFO\"\r\n$OsInfo = \"OS-INFO\"\r\n$ProcessInfo = \"Process-INFO\"\r\n$BrowserInfo = \"Browser-INFO\"\r\n$QueryUserInfo = \"QueryUser-INFO\"\r\n$UsersInfo = \"Users-INFO\"\r\n$SoftwareInfo = \"Software-INFO\"\r\n$AddressFormat = \"%02X-%02X-%02X-%02X-%02X-%02X\"\r\n$proxy_str = \"(from environment) = %s\"\r\n$netuserfun = \"NetUserEnum\"\r\n$networkparams = \"GetNetworkParams\"\r\ncondition:\r\nall of them\r\n}" } ] } }