{ "Event": { "analysis": "2", "date": "2017-01-29", "extends_uuid": "", "info": "OSINT - #OCJP-133: Hancitorマルウェア感染 と ハッキングされたWordpress", "publish_timestamp": "1485701896", "published": true, "threat_level_id": "3", "timestamp": "1485700355", "uuid": "588df693-0480-41bd-b8fd-4e9302de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0c9200", "local": "0", "name": "misp-galaxy:tool=\"Hancitor\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485699075", "to_ids": false, "type": "link", "uuid": "588df77f-b26c-4985-9fbc-8c6f02de0b81", "value": "http://blog.0day.jp/2017/01/ocjp-133-hancitorwordpress.html", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": "0", "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485699837", "to_ids": false, "type": "link", "uuid": "588df837-b088-4518-9cd0-404a02de0b81", "value": "https://otx.alienvault.com/pulse/588dc57f5aa00d150559d1e1/", "Tag": [ { "colour": "#004577", "local": "0", "name": "osint:source-type=\"block-or-filter-list\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Hancitor CNC, Trojan Fareit CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700355", "to_ids": true, "type": "ip-dst", "uuid": 
"588dfbdc-32e0-4688-a878-424202de0b81", "value": "95.169.190.104", "Tag": [ { "colour": "#7600bf", "local": "0", "name": "adversary:infrastructure-type=\"proxy\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Zeus/Pony Panel/CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700061", "to_ids": true, "type": "domain", "uuid": "588dfbdd-0c94-439c-9612-4d8002de0b81", "value": "rowatterding.ru" }, { "category": "Network activity", "comment": "Zeus/Pony Panel/CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700062", "to_ids": true, "type": "domain", "uuid": "588dfbde-0244-46c1-8a74-47b602de0b81", "value": "fortrittotfor.ru" }, { "category": "Network activity", "comment": "Zeus/Pony Panel/CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700062", "to_ids": true, "type": "domain", "uuid": "588dfbde-eee8-4585-b7d1-4d9f02de0b81", "value": "fortmamuchco.ru" }, { "category": "Network activity", "comment": "Hancitor CNC, Trojan Fareit CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700063", "to_ids": true, "type": "domain", "uuid": "588dfbdf-aa44-4f47-ad24-49a702de0b81", "value": "howbetmarow.ru" }, { "category": "Network activity", "comment": "Zeus/Pony Panel/CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700313", "to_ids": true, "type": "domain", "uuid": "588dfbe0-f6cc-4473-a496-4cd902de0b81", "value": "aningronbut.ru", "Tag": [ { "colour": "#9100ea", "local": "0", "name": "adversary:infrastructure-type=\"panel\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Zeus/Pony Panel/CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700323", "to_ids": true, "type": "ip-dst", "uuid": "588dfbe1-e7d0-4a5c-99ee-4a7802de0b81", "value": "46.166.172.105", "Tag": [ { "colour": "#9100ea", "local": "0", "name": "adversary:infrastructure-type=\"panel\"", "relationship_type": "" } ] }, { 
"category": "Network activity", "comment": "ZeusPanel and also Trojan Fareit CNC", "deleted": false, "disable_correlation": false, "timestamp": "1485700335", "to_ids": true, "type": "ip-dst", "uuid": "588dfbe1-5db4-4f29-b1f9-412a02de0b81", "value": "62.76.89.178", "Tag": [ { "colour": "#9100ea", "local": "0", "name": "adversary:infrastructure-type=\"panel\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Hancitor DOC Malware Hash", "deleted": false, "disable_correlation": false, "timestamp": "1485700066", "to_ids": true, "type": "sha1", "uuid": "588dfbe2-e548-4a27-aed8-476702de0b81", "value": "7085d46b2fb3763464c63918f16f534e2d86a7fb" }, { "category": "Payload delivery", "comment": "Hancitor DLL Malware Hash", "deleted": false, "disable_correlation": false, "timestamp": "1485700067", "to_ids": true, "type": "sha1", "uuid": "588dfbe3-c8a8-40c3-84e1-482f02de0b81", "value": "8b3a8d24022fe6ee4292b36efa62f95ae4bdda53" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485700068", "to_ids": true, "type": "url", "uuid": "588dfbe4-c12c-4d5c-9e82-427a02de0b81", "value": "http://howbetmarow.ru/ls5/forum.php" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485700068", "to_ids": true, "type": "url", "uuid": "588dfbe4-1738-4dd0-aa7f-4c0502de0b81", "value": "http://howbetmarow.ru/klu/forum.php" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485700069", "to_ids": true, "type": "url", "uuid": "588dfbe5-8160-441b-ad1b-44f602de0b81", "value": "http://aningronbut.ru/bdk/gate.php" }, { "category": "Payload delivery", "comment": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53", "deleted": false, "disable_correlation": false, "timestamp": "1485700127", "to_ids": true, "type": "sha256", "uuid": 
"588dfc1f-1c44-41e7-8248-8c6c02de0b81", "value": "edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88" }, { "category": "Payload delivery", "comment": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53", "deleted": false, "disable_correlation": false, "timestamp": "1485700127", "to_ids": true, "type": "md5", "uuid": "588dfc1f-6304-454c-86b0-8c6c02de0b81", "value": "fb436eeb13a673a30cbadbf781db4add" }, { "category": "External analysis", "comment": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53", "deleted": false, "disable_correlation": false, "timestamp": "1485700128", "to_ids": false, "type": "link", "uuid": "588dfc20-fa44-4d8d-b90d-8c6c02de0b81", "value": "https://www.virustotal.com/file/edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88/analysis/1485679503/" }, { "category": "Payload delivery", "comment": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb", "deleted": false, "disable_correlation": false, "timestamp": "1485700129", "to_ids": true, "type": "sha256", "uuid": "588dfc21-d5f0-45fa-98f5-8c6c02de0b81", "value": "190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51" }, { "category": "Payload delivery", "comment": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb", "deleted": false, "disable_correlation": false, "timestamp": "1485700129", "to_ids": true, "type": "md5", "uuid": "588dfc21-a46c-49f3-8ef5-8c6c02de0b81", "value": "c0a0a6be5dbb5ce5ba08ea01fbd87e42" }, { "category": "External analysis", "comment": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb", "deleted": false, "disable_correlation": false, "timestamp": "1485700130", "to_ids": false, "type": "link", "uuid": "588dfc22-003c-4f2b-a084-8c6c02de0b81", "value": 
"https://www.virustotal.com/file/190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51/analysis/1485523743/" } ] } }