{ "Event": { "analysis": "2", "date": "2019-05-02", "extends_uuid": "", "info": "OSINT - Goblin Panda continues to target Vietnam", "publish_timestamp": "1556803538", "published": true, "threat_level_id": "3", "timestamp": "1556803290", "uuid": "5ccaeddb-dc84-4cc2-9f73-4a70950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#10ca00", "name": "misp-galaxy:threat-actor=\"Hellsing\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"NewCore RAT\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803056", "to_ids": false, "type": "link", "uuid": "5ccaedf0-5fd0-4f8c-a5f5-49d4950d210f", "value": "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803079", "to_ids": false, "type": "text", "uuid": "5ccaee07-32d8-4255-9cb5-4686950d210f", "value": "Chinese actors have changed the rtf exploit following my different articles and the Anomali article https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain\r\n\r\nBut in March a researcher of Anomali, @aRtAGGI, made a very interesting link between Icefog and an article targeting Mongolian speakers https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "5ccaee32-bb50-4bc4-bdb8-4817950d210f", "value": 
"81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "filename", "uuid": "5ccaee32-5ce8-48fd-8fb0-4ff8950d210f", "value": "Shortcuts\\QcLite.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "5ccaee32-b744-4e07-bd11-4f6d950d210f", "value": "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "filename", "uuid": "5ccaee32-4a50-4c78-8d6f-4a8c950d210f", "value": "Shortcuts\\QcConsol.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "5ccaee32-db04-4dc2-83d0-47ca950d210f", "value": "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "hostname", "uuid": "5ccaee32-cb00-49b9-b3cc-47bd950d210f", "value": "web.hcmuafgh.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "ip-dst", "uuid": "5ccaee32-0310-4075-8920-4337950d210f", "value": "193.29.56.62" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803122", "to_ids": true, "type": "url", "uuid": "5ccaee32-1ad0-4b57-98b5-4f6c950d210f", "value": "http://web.hcmuafgh.com:4357/link?url=maOVmKGmMDU1&enpl=OXcoVQ==&encd=XARIZTE=" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many 
similarities with", "deleted": false, "disable_correlation": false, "timestamp": "1556803195", "to_ids": true, "type": "sha256", "uuid": "5ccaee7b-9258-45b6-9420-4bba950d210f", "value": "05d0ad2bcc1c6e2752a231bc36d07a841f075a0a32a3a62abaafddbdafd72f62" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "timestamp": "1556803195", "to_ids": true, "type": "sha256", "uuid": "5ccaee7b-27b0-4803-a8e5-412e950d210f", "value": "5a592b92ffcbea75e458726cecc7f159b8f71c46b80de30bac2a48006ac1e1b3" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "timestamp": "1556803195", "to_ids": true, "type": "sha256", "uuid": "5ccaee7b-0eb8-4058-be18-47d6950d210f", "value": "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556803274", "to_ids": false, "type": "vulnerability", "uuid": "5ccaeeca-5668-4e48-9f70-496c950d210f", "value": "CVE-2017-11882" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556803161", "uuid": "6af30035-5440-401a-976b-bc64ed82ad01", "ObjectReference": [ { "comment": "", "object_uuid": "6af30035-5440-401a-976b-bc64ed82ad01", "referenced_uuid": "c6f4a078-7797-4e7f-a50a-f441a9441493", "relationship_type": "analysed-with", "timestamp": "1556803161", "uuid": "5ccaee59-5a8c-4363-bebd-4bed950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556803122", "to_ids": true, "type": 
"md5", "uuid": "ab124dfa-92ff-485d-a669-8e365c666763", "value": "6d2e6a61eede06fa9d633ce151208831" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556803122", "to_ids": true, "type": "sha1", "uuid": "106a8fdf-dffe-4228-8fa5-ada33eef0792", "value": "f764163f3912376ebcabaf1cf3a60b6bc74561be" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "60444fbf-9c77-48fe-a82a-dd321618dc9b", "value": "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556803161", "uuid": "c6f4a078-7797-4e7f-a50a-f441a9441493", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556803122", "to_ids": false, "type": "datetime", "uuid": "8a8e9657-f185-4b4a-a864-9dfd038906ce", "value": "2019-05-02T11:28:30" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556803122", "to_ids": false, "type": "link", "uuid": "a0b8060b-4c47-4415-8ee8-481d250cdbaf", "value": "https://www.virustotal.com/file/207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3/analysis/1556796510/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556803122", "to_ids": false, "type": "text", "uuid": "8d0ecb1f-84c3-4e39-85e6-5382f49cc22c", "value": "15/69" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with 
meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556803161", "uuid": "3ad479ea-41de-4e77-a2e2-e443cdc7e06f", "ObjectReference": [ { "comment": "", "object_uuid": "3ad479ea-41de-4e77-a2e2-e443cdc7e06f", "referenced_uuid": "61bf2686-6262-435a-9039-372f43219b6e", "relationship_type": "analysed-with", "timestamp": "1556803162", "uuid": "5ccaee5a-6e70-4478-894a-4c2d950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556803122", "to_ids": true, "type": "md5", "uuid": "c0f28c2a-0d92-46be-b786-f79defa4e0b7", "value": "109d51899c832287d7ce1f70b5bd885d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556803122", "to_ids": true, "type": "sha1", "uuid": "a90d29a2-35af-473b-a9b8-8c66e5fc6147", "value": "daa69d1b1abc00139b1d73d075921ab93137598d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "b259722e-416d-4590-a0e6-164a49207e4b", "value": "9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556803161", "uuid": "61bf2686-6262-435a-9039-372f43219b6e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556803122", "to_ids": false, "type": "datetime", "uuid": "5e67a2b3-2334-4dd1-b4da-148e54772693", "value": "2019-04-29T23:04:06" }, { "category": "Payload delivery", "comment": "", 
"deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556803122", "to_ids": false, "type": "link", "uuid": "2861f6a6-f61f-4226-8b1a-5552c3c1fa06", "value": "https://www.virustotal.com/file/9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770/analysis/1556579046/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556803122", "to_ids": false, "type": "text", "uuid": "f186be1f-70d3-4b2d-8f82-32aa84b64c0b", "value": "0/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556803161", "uuid": "f9c0db13-b132-48c2-bf17-631eff339a1f", "ObjectReference": [ { "comment": "", "object_uuid": "f9c0db13-b132-48c2-bf17-631eff339a1f", "referenced_uuid": "065f0f1c-08b4-4411-9d4d-300f2e0ac82e", "relationship_type": "analysed-with", "timestamp": "1556803162", "uuid": "5ccaee5a-db04-4d65-b2c1-4633950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556803122", "to_ids": true, "type": "md5", "uuid": "fd6c0413-7685-4cb6-aa2e-f6dd97d0cce8", "value": "84fca27bc75f40194c95534b07838d6c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556803122", "to_ids": true, "type": "sha1", "uuid": "093b8656-2505-4c48-b31e-413a7ee51b86", "value": "9520a18e9f6d4f6f014aa576b8843cdff176f701" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556803122", "to_ids": true, "type": "sha256", "uuid": "5a2bb8d4-5262-4f0c-8bf7-2a0945fa157f", "value": 
"81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556803161", "uuid": "065f0f1c-08b4-4411-9d4d-300f2e0ac82e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556803122", "to_ids": false, "type": "datetime", "uuid": "e051a82c-c83e-4283-8de4-161be247465f", "value": "2019-05-01T10:35:55" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556803122", "to_ids": false, "type": "link", "uuid": "8a0a6690-a7e6-449b-9c8d-6afd65d8be44", "value": "https://www.virustotal.com/file/81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6/analysis/1556706955/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556803122", "to_ids": false, "type": "text", "uuid": "bab1b9f2-f67e-493b-912e-525dcaa79d9c", "value": "30/58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556803233", "uuid": "f2fb7d05-f968-4edc-8d24-24b91cf0df61", "ObjectReference": [ { "comment": "", "object_uuid": "f2fb7d05-f968-4edc-8d24-24b91cf0df61", "referenced_uuid": "7077ee06-f4ff-4873-86f7-ba89aef8c723", "relationship_type": "analysed-with", "timestamp": "1556803234", "uuid": "5ccaeea2-cac8-4c3a-a079-4722950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, 
"disable_correlation": false, "object_relation": "md5", "timestamp": "1556803195", "to_ids": true, "type": "md5", "uuid": "c495f771-242a-44d6-ba60-604f0cd9c923", "value": "1b19175c41b9a9881b23b4382cc5935f" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556803195", "to_ids": true, "type": "sha1", "uuid": "14b8e5a4-c34b-4bb2-bdba-cc9de529c924", "value": "3752656c024284ea63421d70235ec48d76a95df3" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556803195", "to_ids": true, "type": "sha256", "uuid": "a960d2df-329d-476e-98e4-388b714a781a", "value": "5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556803234", "uuid": "7077ee06-f4ff-4873-86f7-ba89aef8c723", "Attribute": [ { "category": "Other", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556803195", "to_ids": false, "type": "datetime", "uuid": "a6e30d35-1912-4743-86bb-917b906bfc44", "value": "2019-04-29T23:04:01" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556803195", "to_ids": false, "type": "link", "uuid": "f6aba0fc-493d-46cd-809d-fb34b7ade2cb", "value": 
"https://www.virustotal.com/file/5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76/analysis/1556579041/" }, { "category": "Payload delivery", "comment": "The dll is a variant of the newcoreRAT with many similarities with", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556803195", "to_ids": false, "type": "text", "uuid": "35ac479c-bae6-42e5-a362-b3477657ef04", "value": "46/70" } ] } ] } }