{ "Event": { "analysis": "2", "date": "2019-01-11", "extends_uuid": "", "info": "ServHelper and FlawedGrace - New malware introduced by TA505", "publish_timestamp": "1547235309", "published": true, "threat_level_id": "2", "timestamp": "1547235254", "uuid": "5c38eb9d-a470-4466-8aa5-461802de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1547234229", "to_ids": false, "type": "link", "uuid": "5c38ebb5-2b1c-43f9-b582-4ce402de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1547234265", "to_ids": false, "type": "text", "uuid": "5c38ebd9-1e0c-47f9-b3de-4e5f02de0b81", "value": "For much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named \u201cServHelper\u201d. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. Additionally we have observed the downloader variant download a malware we call \u201cFlawedGrace.\u201d FlawedGrace is a full-featured RAT that we first observed in November 2017. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families. 
This targeting falls in line with other activity we reported earlier in 2018.[1] [2]" }, { "category": "Payload delivery", "comment": "November 9 \u201cTunnel\u201d campaign attachment", "deleted": false, "disable_correlation": false, "timestamp": "1547234344", "to_ids": true, "type": "sha256", "uuid": "5c38ec28-4288-404a-8d79-409502de0b81", "value": "52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c" }, { "category": "Network activity", "comment": "November 9 \u201cTunnel\u201d campaign payload", "deleted": false, "disable_correlation": false, "timestamp": "1547234345", "to_ids": true, "type": "url", "uuid": "5c38ec29-ca90-4d61-b587-483402de0b81", "value": "http://officemysuppbox.com/staterepository" }, { "category": "Payload delivery", "comment": "November 9 \u201cTunnel\u201d campaign ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234345", "to_ids": true, "type": "sha256", "uuid": "5c38ec29-cbcc-426b-a112-479a02de0b81", "value": "1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8" }, { "category": "Network activity", "comment": "November 9 \u201cTunnel\u201d campaign ServHelper C&C", "deleted": false, "disable_correlation": false, "timestamp": "1547234433", "to_ids": true, "type": "url", "uuid": "5c38ec81-8114-453f-a76f-462c02de0b81", "value": "https://checksolutions.pw/ghuae/huadh.php" }, { "category": "Network activity", "comment": "November 9 \u201cTunnel\u201d campaign ServHelper C&C", "deleted": false, "disable_correlation": false, "timestamp": "1547234434", "to_ids": true, "type": "url", "uuid": "5c38ec82-7328-43ae-a83c-4e0d02de0b81", "value": "https://rgoianrdfa.pw/ghuae/huadh.php" }, { "category": "Network activity", "comment": "November 9 \u201cTunnel\u201d campaign ServHelper C&C", "deleted": false, "disable_correlation": false, "timestamp": 
"1547234436", "to_ids": true, "type": "url", "uuid": "5c38ec84-6238-4587-a4c2-47e802de0b81", "value": "https://arhidsfderm.pw/ghuae/huadh.php" }, { "category": "Payload delivery", "comment": "November 15 \u201cDownloader\u201d campaign attachment", "deleted": false, "disable_correlation": false, "timestamp": "1547234502", "to_ids": true, "type": "sha256", "uuid": "5c38ecc6-ad9c-4c16-8b57-406702de0b81", "value": "eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4" }, { "category": "Network activity", "comment": "November 15 \u201cDownloader\u201d campaign payload", "deleted": false, "disable_correlation": false, "timestamp": "1547234503", "to_ids": true, "type": "url", "uuid": "5c38ecc7-3d94-48ef-86dd-4af602de0b81", "value": "http://offficebox.com/host32" }, { "category": "Payload delivery", "comment": "November 15 \u201cDownloader\u201d campaign ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234504", "to_ids": true, "type": "sha256", "uuid": "5c38ecc8-9afc-4b51-a387-462b02de0b81", "value": "3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a" }, { "category": "Payload delivery", "comment": "December 13 \u201cFlawedGrace\u201d campaign attachment", "deleted": false, "disable_correlation": false, "timestamp": "1547234632", "to_ids": true, "type": "sha256", "uuid": "5c38ed48-9170-4e7a-9c80-457902de0b81", "value": "f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac" }, { "category": "Network activity", "comment": "December 13 \u201cFlawedGrace\u201d campaign payload", "deleted": false, "disable_correlation": false, "timestamp": "1547234633", "to_ids": true, "type": "url", "uuid": "5c38ed49-f930-49d8-a74d-479002de0b81", "value": "http://office365onlinehome.com/host32" }, { "category": "Payload delivery", "comment": "December 13 \u201cFlawedGrace\u201d 
campaign ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234635", "to_ids": true, "type": "sha256", "uuid": "5c38ed4b-94a4-4a0a-99ed-493702de0b81", "value": "d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58" }, { "category": "Network activity", "comment": "December 13 \u201cFlawedGrace\u201d campaign ServHelper C&C", "deleted": false, "disable_correlation": false, "timestamp": "1547234636", "to_ids": true, "type": "url", "uuid": "5c38ed4c-1850-4b83-acff-41a902de0b81", "value": "https://afgdhjkrm.pw/aggdst/Hasrt.php" }, { "category": "Payload delivery", "comment": "December 13 \u201cFlawedGrace\u201d campaign FlawedGrace", "deleted": false, "disable_correlation": false, "timestamp": "1547234637", "to_ids": true, "type": "sha256", "uuid": "5c38ed4d-4cfc-4dcb-9589-426502de0b81", "value": "efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74" }, { "category": "Network activity", "comment": "On port 443 - December 13 \u201cFlawedGrace\u201d campaign FlawedGrace C&C", "deleted": false, "disable_correlation": false, "timestamp": "1547234638", "to_ids": true, "type": "ip-dst|port", "uuid": "5c38ed4e-a218-45c1-8b89-417302de0b81", "value": "46.161.27.241|443" }, { "category": "Payload delivery", "comment": "\u201csethijack\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234683", "to_ids": true, "type": "sha256", "uuid": "5c38ed7b-e224-4af8-9dc7-42ee02de0b81", "value": "9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579" }, { "category": "Network activity", "comment": "\u201csethijack\u201d command ServHelper (.bit is a Namecoin TLD outside the public DNS root; a host reaching it must use an alternative resolver, so this URL will not be caught by conventional DNS-based blocking - match on the host/URL string and on traffic to non-standard resolvers)", "deleted": false, "disable_correlation": false, "timestamp": "1547234684", "to_ids": true, "type": "url", "uuid": "5c38ed7c-9934-48fb-bd11-468502de0b81", "value": "http://dedsolutions.bit/sav/s.php" }, { "category": "Network activity", 
"comment": "\u201csethijack\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234684", "to_ids": true, "type": "url", "uuid": "5c38ed7c-c294-4a13-8ca0-4a6c02de0b81", "value": "http://dedoshop.pw/sav/s.php" }, { "category": "Network activity", "comment": "\u201csethijack\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234685", "to_ids": true, "type": "url", "uuid": "5c38ed7d-78a4-4209-9d86-487802de0b81", "value": "http://asgaage.pw/sav/s.php" }, { "category": "Network activity", "comment": "\u201csethijack\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234685", "to_ids": true, "type": "url", "uuid": "5c38ed7d-5044-42a1-ad79-448802de0b81", "value": "http://sghee.pw/sav/s.php" }, { "category": "Payload delivery", "comment": "\u201cloaddll\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234729", "to_ids": true, "type": "sha256", "uuid": "5c38eda9-e79c-4d21-81f8-f12202de0b81", "value": "a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549" }, { "category": "Network activity", "comment": "\u201cloaddll\u201d command ServHelper", "deleted": false, "disable_correlation": false, "timestamp": "1547234730", "to_ids": true, "type": "url", "uuid": "5c38edaa-4f38-4119-9419-f12202de0b81", "value": "https://vesecase.com/support/form.php" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235223", "uuid": "93f50fcd-264a-4734-b4c0-bfec7f37860f", "ObjectReference": [ { "comment": "", "object_uuid": "93f50fcd-264a-4734-b4c0-bfec7f37860f", "referenced_uuid": 
"42ba88bf-bca8-4ff2-b33d-d23ce9877340", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-6818-4ef5-877b-461c02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235223", "to_ids": true, "type": "md5", "uuid": "d37db0d8-0b47-4dcf-974f-9139ab53714a", "value": "4b9054475ff9aa15be35b42264715354" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235223", "to_ids": true, "type": "sha1", "uuid": "a7f9f74d-cabb-4dab-a78e-ac7d84332fab", "value": "a088dfaee1779878353a1dc347a91a892e5dfd74" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235224", "to_ids": true, "type": "sha256", "uuid": "9fa0c5b3-d24b-4a0d-8535-65945b8de58c", "value": "efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235224", "uuid": "42ba88bf-bca8-4ff2-b33d-d23ce9877340", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235225", "to_ids": false, "type": "datetime", "uuid": "8a72aaeb-4f03-47e2-a3e4-adb505a7051b", "value": "2019-01-11T18:46:42" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235225", "to_ids": false, "type": "link", "uuid": "7156ecf8-44d3-4ea7-b9ea-f06a090614d6", "value": "https://www.virustotal.com/file/efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74/analysis/1547232402/" }, { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235225", "to_ids": false, "type": "text", "uuid": "08a7810c-0763-4997-b152-80ddfc699815", "value": "27/63" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235225", "uuid": "c14e45cb-8dfc-4140-b541-135402f6af96", "ObjectReference": [ { "comment": "", "object_uuid": "c14e45cb-8dfc-4140-b541-135402f6af96", "referenced_uuid": "7d6c516a-90e2-4597-9b08-c10fa4cd2a81", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-9c70-4f52-a04e-42ea02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235226", "to_ids": true, "type": "md5", "uuid": "06d4e9eb-a98f-4a85-b936-ec5eb0e0e835", "value": "daf7d35eeed3058c821bde464913f9ca" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235226", "to_ids": true, "type": "sha1", "uuid": "6fe88569-9df9-49c5-a6c0-8d6a428b9b9b", "value": "e2c8cb0d6a89b995a9ec77b2838863c08e33d6a5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235226", "to_ids": true, "type": "sha256", "uuid": "b5f72d32-8b4a-4aff-b7a4-a82d4bea94a3", "value": "9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235227", "uuid": 
"7d6c516a-90e2-4597-9b08-c10fa4cd2a81", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235227", "to_ids": false, "type": "datetime", "uuid": "589de291-5218-445f-8af9-6b3e8e0d4cf1", "value": "2019-01-11T09:15:15" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235228", "to_ids": false, "type": "link", "uuid": "e9665877-4b83-4dcb-b524-c1ec6348aaa3", "value": "https://www.virustotal.com/file/9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579/analysis/1547198115/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235228", "to_ids": false, "type": "text", "uuid": "0a6d3f73-b8f8-4f65-90ca-e98976f2b898", "value": "43/68" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235228", "uuid": "35fdb030-5cd9-4621-b76c-2dfab467bc3b", "ObjectReference": [ { "comment": "", "object_uuid": "35fdb030-5cd9-4621-b76c-2dfab467bc3b", "referenced_uuid": "c8cbc23d-0f33-4643-977f-fe2fd3da8a19", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-0900-4615-8cba-4f7a02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235228", "to_ids": true, "type": "md5", "uuid": "5783ce23-2253-4595-bafa-4b4e6d209b7e", "value": "5cd4aecb962528166ad1a0b72f675c44" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235229", "to_ids": true, "type": "sha1", 
"uuid": "67f6728e-466f-4dc7-9da1-6cde3a9058c5", "value": "1242dc4d1ece26ef15dc3bdb8ed13e8b04d6a178" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235229", "to_ids": true, "type": "sha256", "uuid": "f8d4664e-189d-4b53-afc6-e7c5482defc4", "value": "1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235230", "uuid": "c8cbc23d-0f33-4643-977f-fe2fd3da8a19", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235230", "to_ids": false, "type": "datetime", "uuid": "c41b5480-eac8-4ba5-b286-a39a2b93b45a", "value": "2019-01-11T09:32:27" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235230", "to_ids": false, "type": "link", "uuid": "5e9a3b2e-2b50-4563-9093-17602afa0130", "value": "https://www.virustotal.com/file/1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8/analysis/1547199147/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235231", "to_ids": false, "type": "text", "uuid": "69071e5c-1be3-4edf-b07b-f87e150428b7", "value": "43/69" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235231", "uuid": "0d6c7429-1495-4d3f-bfe1-d3834a273606", "ObjectReference": [ { "comment": "", "object_uuid": 
"0d6c7429-1495-4d3f-bfe1-d3834a273606", "referenced_uuid": "9dd16ec7-f062-459f-968c-c5bb43d3a327", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-f7cc-4ea3-aa55-4e0002de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235231", "to_ids": true, "type": "md5", "uuid": "cbfd2fb5-184f-4052-9cec-f7e1dc9d1ef4", "value": "db0b9554ef0c4b3004c2cdb43a9fb020" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235231", "to_ids": true, "type": "sha1", "uuid": "36a32ac2-0ab1-4d9c-ad07-111851271352", "value": "2f760f967f042827cda567fa07713371d746aa11" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235232", "to_ids": true, "type": "sha256", "uuid": "8aaa4d01-99d0-403b-8a3f-f6a26d52c502", "value": "52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235232", "uuid": "9dd16ec7-f062-459f-968c-c5bb43d3a327", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235232", "to_ids": false, "type": "datetime", "uuid": "d4da3848-cf16-4df4-9301-83f9b703e5a0", "value": "2019-01-11T09:02:13" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235233", "to_ids": false, "type": "link", "uuid": "75d2b444-f984-4e6b-b32b-5f6588f4eb5c", "value": 
"https://www.virustotal.com/file/52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c/analysis/1547197333/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235233", "to_ids": false, "type": "text", "uuid": "1d1f3b46-6c15-4450-9871-039ddc29078f", "value": "37/58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235233", "uuid": "dc0e2eae-79dc-496c-8e6f-51c6a3f7b419", "ObjectReference": [ { "comment": "", "object_uuid": "dc0e2eae-79dc-496c-8e6f-51c6a3f7b419", "referenced_uuid": "8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-f914-4e0f-a194-41b602de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235233", "to_ids": true, "type": "md5", "uuid": "da4090ad-66ca-4b0a-bf25-167cfef511a5", "value": "a6563a927d925b1231deaa090403bc9a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235234", "to_ids": true, "type": "sha1", "uuid": "f094be33-d8e9-40ff-9907-4405b8e1d4fb", "value": "e501be071953aa308faad656cfa2d73a3902d8a4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235234", "to_ids": true, "type": "sha256", "uuid": "b7555159-7a4f-48d7-a8df-15808f42980b", "value": "a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235235", "uuid": "8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235235", "to_ids": false, "type": "datetime", "uuid": "d0f5ecbe-6c20-4b4d-8170-ba4e93d94ebb", "value": "2019-01-11T09:12:29" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235235", "to_ids": false, "type": "link", "uuid": "cb9a7cb0-5e67-4e8d-a706-4ea332ac156e", "value": "https://www.virustotal.com/file/a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549/analysis/1547197949/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235236", "to_ids": false, "type": "text", "uuid": "8c082351-3562-4c7e-b5bf-057e81fad3da", "value": "30/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235236", "uuid": "9e493185-b642-4a33-9cc1-0b141391605d", "ObjectReference": [ { "comment": "", "object_uuid": "9e493185-b642-4a33-9cc1-0b141391605d", "referenced_uuid": "6624c405-ed32-4075-9501-29967d631716", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-9c04-4fef-b4e6-47e702de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235236", "to_ids": true, "type": "md5", "uuid": "0047f237-4e10-4df8-a694-39b6990e5674", "value": "bf4ea62bb7117b1d5f31873c84a95f5a" }, { "category": "Payload delivery", "comment": "", "deleted": false, 
"disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235236", "to_ids": true, "type": "sha1", "uuid": "0e2f24dc-bc59-4b7e-8369-d398ca89e570", "value": "3fc7d7f1d47b2ac971d778f580cf64a112127aa9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235237", "to_ids": true, "type": "sha256", "uuid": "2d9e790e-ffd3-4195-a175-b3440e718d2c", "value": "f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235237", "uuid": "6624c405-ed32-4075-9501-29967d631716", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235237", "to_ids": false, "type": "datetime", "uuid": "f70d9f53-8238-4721-9518-5eddacb58d1b", "value": "2019-01-11T10:52:12" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235238", "to_ids": false, "type": "link", "uuid": "d34102bb-440b-4393-b738-9ae187d0fefe", "value": "https://www.virustotal.com/file/f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac/analysis/1547203932/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235238", "to_ids": false, "type": "text", "uuid": "b35598ba-ea92-4b89-97ae-fe5379e4a3f7", "value": "9/58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235238", "uuid": 
"40d64a11-4524-4a53-b736-9326233a65d9", "ObjectReference": [ { "comment": "", "object_uuid": "40d64a11-4524-4a53-b736-9326233a65d9", "referenced_uuid": "6a7c6829-6213-4f4a-9141-eb2394cd32a7", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-df38-4b99-b8e1-4b0402de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235238", "to_ids": true, "type": "md5", "uuid": "28103ef5-bc72-4611-a1bc-b7f4ee871232", "value": "0f459932b21d0c6dfcc199951058c0a5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235239", "to_ids": true, "type": "sha1", "uuid": "c02f4009-4a3d-4df8-9888-7839fa1b1e62", "value": "9ff00fe5f0921a6a591b7db3a1838834348e123d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235239", "to_ids": true, "type": "sha256", "uuid": "5af6bd13-94a4-4baf-a393-5de82bea149f", "value": "3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235241", "uuid": "6a7c6829-6213-4f4a-9141-eb2394cd32a7", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235241", "to_ids": false, "type": "datetime", "uuid": "a508cd3f-eb30-450e-82ea-6eac3d988f84", "value": "2019-01-11T09:13:28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235242", "to_ids": false, "type": "link", "uuid": 
"7138648d-6ba2-4f2d-aeca-1fe74de7801e", "value": "https://www.virustotal.com/file/3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a/analysis/1547198008/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235243", "to_ids": false, "type": "text", "uuid": "5466e6ec-78e0-4762-bb46-3112333840a2", "value": "40/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235243", "uuid": "4170ad0b-e0f8-4246-8505-63d85a0e84bd", "ObjectReference": [ { "comment": "", "object_uuid": "4170ad0b-e0f8-4246-8505-63d85a0e84bd", "referenced_uuid": "8d4ff865-dbce-44b3-86ac-0e461519ea20", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-1220-45d5-a097-469502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235243", "to_ids": true, "type": "md5", "uuid": "859b804b-5434-418f-9873-587ecf464add", "value": "b811a63eaa3f6a76d4176a64655c086f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235245", "to_ids": true, "type": "sha1", "uuid": "9f794af6-9c18-4ee3-a960-c4b7ccd8a8e0", "value": "45f3b9f49d4c680de6fdede99427289a11317aa0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235246", "to_ids": true, "type": "sha256", "uuid": "47de8a0b-b871-402e-83d8-7aa9667ef3fb", "value": "eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": 
"virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235247", "uuid": "8d4ff865-dbce-44b3-86ac-0e461519ea20", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235247", "to_ids": false, "type": "datetime", "uuid": "c6f3b4ea-17b4-4132-99eb-5bcbd85146db", "value": "2019-01-11T09:09:08" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235249", "to_ids": false, "type": "link", "uuid": "5c4776a4-dbe9-4950-8a7e-81a4f9519100", "value": "https://www.virustotal.com/file/eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4/analysis/1547197748/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235250", "to_ids": false, "type": "text", "uuid": "832ae984-cfdb-4ba3-a7d7-ce24471b9b48", "value": "35/58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1547235250", "uuid": "6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56", "ObjectReference": [ { "comment": "", "object_uuid": "6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56", "referenced_uuid": "027e06a2-ba9d-4604-9a8d-5230c140eae8", "relationship_type": "analysed-with", "timestamp": "1547235257", "uuid": "5c38efb9-11f8-41b2-b7f7-474a02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1547235250", "to_ids": true, "type": "md5", "uuid": "c1611d5c-08e6-4db5-943a-59d63bfd0111", "value": "c4a201a6f5e07136923f824bda4cd54f" }, { "category": "Payload delivery", "comment": 
"", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1547235251", "to_ids": true, "type": "sha1", "uuid": "e1173c46-d6e8-4489-b971-70e7b634d79b", "value": "a0bcdb0ce8999bfb75723236e15e4f557a784743" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1547235253", "to_ids": true, "type": "sha256", "uuid": "56acae1c-f536-4fe7-aa3e-8c4ed91abed9", "value": "d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1547235254", "uuid": "027e06a2-ba9d-4604-9a8d-5230c140eae8", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1547235254", "to_ids": false, "type": "datetime", "uuid": "73a12bc5-bfd2-4c6d-b138-4b6258f0dd17", "value": "2019-01-11T10:52:31" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1547235255", "to_ids": false, "type": "link", "uuid": "c043dc85-8fc5-4e39-abd0-c8237f97d111", "value": "https://www.virustotal.com/file/d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58/analysis/1547203951/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1547235257", "to_ids": false, "type": "text", "uuid": "9213d232-6ae9-4629-8593-4d493d7007ac", "value": "33/69" } ] } ] } }