{ "Event": { "analysis": "2", "date": "2016-12-13", "extends_uuid": "", "info": "OSINT - The rise of TeleBots: Analyzing disruptive KillDisk attacks", "publish_timestamp": "1481654492", "published": true, "threat_level_id": "2", "timestamp": "1481654318", "uuid": "58503e2f-4c78-442d-833f-8ad202de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"TeleBots\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481653825", "to_ids": false, "type": "comment", "uuid": "58503e41-62e8-4280-b09c-467402de0b81", "value": "In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of attackers using these tools is cybersabotage. This blog post outlines the details about the campaign that we discovered.\r\n\r\nWe will refer to the gang behind the malware as TeleBots. However it\u2019s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." 
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481653838", "to_ids": false, "type": "link", "uuid": "58503e4e-56bc-45a0-8a80-e8a002de0b81", "value": "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" }, { "category": "Payload delivery", "comment": "Win32/KillDisk", "deleted": false, "disable_correlation": false, "timestamp": "1481653858", "to_ids": true, "type": "sha1", "uuid": "58503e62-222c-4236-aa34-e8a002de0b81", "value": "71a2b3f48828e4552637fa9753f0324b7146f3af" }, { "category": "Payload delivery", "comment": "Win32/KillDisk", "deleted": false, "disable_correlation": false, "timestamp": "1481653859", "to_ids": true, "type": "sha1", "uuid": "58503e63-0a98-4f7b-a6d3-e8a002de0b81", "value": "8eb8527562dda552fc6b8827c0ebf50968848f1a" }, { "category": "Payload delivery", "comment": "Intercepter-NG and silent WinPCAP installer", "deleted": false, "disable_correlation": false, "timestamp": "1481653875", "to_ids": true, "type": "sha1", "uuid": "58503e73-ef34-4b46-9215-e8ac02de0b81", "value": "64cb897acc37e12e4f49c4da4dfad606b3976225" }, { "category": "Payload delivery", "comment": "Intercepter-NG and silent WinPCAP installer", "deleted": false, "disable_correlation": false, "timestamp": "1481653875", "to_ids": true, "type": "sha1", "uuid": "58503e73-66cc-42cd-8dd1-e8ac02de0b81", "value": "a0b9a35675153f4933c3e55418b6566e1a5dbf8a" }, { "category": "Payload delivery", "comment": "Win64/Spy.KeyLogger.G trojan", "deleted": false, "disable_correlation": false, "timestamp": "1481653891", "to_ids": true, "type": "sha1", "uuid": "58503e83-6230-4797-8a91-c7c302de0b81", "value": "7582de9e93e2f35f9a63b59317eba48846eea4c7" }, { "category": "Payload delivery", "comment": "CredRaptor password stealer", "deleted": false, "disable_correlation": false, "timestamp": "1481653911", "to_ids": true, "type": "sha1", "uuid": "58503e97-84e4-4fe5-a7cc-4ab602de0b81", "value": 
"fffc20567da4656059860ed06c53fd4e5ad664c2" }, { "category": "Payload delivery", "comment": "CredRaptor password stealer", "deleted": false, "disable_correlation": false, "timestamp": "1481653911", "to_ids": true, "type": "sha1", "uuid": "58503e97-041c-4ebf-9541-479202de0b81", "value": "58a45ef055b287bad7b81033e17446ee6b682e2d" }, { "category": "Payload delivery", "comment": "LDAP query tool", "deleted": false, "disable_correlation": false, "timestamp": "1481653926", "to_ids": true, "type": "sha1", "uuid": "58503ea6-c204-49fc-9ea6-e8a402de0b81", "value": "81f73c76fbf4ab3487d5e6e8629e83c0568de713" }, { "category": "Payload delivery", "comment": "Modified Mimikatz", "deleted": false, "disable_correlation": false, "timestamp": "1481653944", "to_ids": true, "type": "sha1", "uuid": "58503eb8-4cac-48aa-b1e7-458d02de0b81", "value": "b0ba3405bb2b0fa5ba34b57c2cc7e5c184d86991" }, { "category": "Payload delivery", "comment": "Modified Mimikatz", "deleted": false, "disable_correlation": false, "timestamp": "1481653944", "to_ids": true, "type": "sha1", "uuid": "58503eb8-928c-4b35-a948-4f4b02de0b81", "value": "ad2d3d00c7573733b70d9780ae3b89eeb8c62c76" }, { "category": "Payload delivery", "comment": "Modified Mimikatz", "deleted": false, "disable_correlation": false, "timestamp": "1481653945", "to_ids": true, "type": "sha1", "uuid": "58503eb9-06f8-44a2-9940-418602de0b81", "value": "d8614bc1d428ebabccbfae76a81037ff908a8f79" }, { "category": "Payload delivery", "comment": "BCS-server", "deleted": false, "disable_correlation": false, "timestamp": "1481653957", "to_ids": true, "type": "sha1", "uuid": "58503ec5-1a14-4455-a56f-49ec02de0b81", "value": "4b692e2597683354e106dfb9b90677c9311972a1" }, { "category": "Payload delivery", "comment": "BCS-server", "deleted": false, "disable_correlation": false, "timestamp": "1481653957", "to_ids": true, "type": "sha1", "uuid": "58503ec5-eab8-42f1-ba84-461c02de0b81", "value": "bf3cb98dc668e455188ebb4c311bd19cd9f46667" }, { "category": "Payload 
delivery", "comment": "VBS backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1481653976", "to_ids": true, "type": "sha1", "uuid": "58503ed8-ce04-4ac2-a419-469502de0b81", "value": "f00f632749418b2b75ca9ece73a02c485621c3b4" }, { "category": "Payload delivery", "comment": "VBS backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1481653977", "to_ids": true, "type": "sha1", "uuid": "58503ed9-b6d4-4688-ba83-476b02de0b81", "value": "06e1f816cbaf45bd6ee55f74f0261a674e805f86" }, { "category": "Payload delivery", "comment": "VBS backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1481653977", "to_ids": true, "type": "sha1", "uuid": "58503ed9-66b8-4518-846f-47aa02de0b81", "value": "35d71de3e665cf9d6a685ae02c3876b7d56b1687" }, { "category": "Payload delivery", "comment": "VBS backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1481653978", "to_ids": true, "type": "sha1", "uuid": "58503eda-0d74-4e8d-a7c3-406702de0b81", "value": "f22cea7bc080e712e85549848d35e7d5908d9b49" }, { "category": "Payload delivery", "comment": "VBS backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1481653978", "to_ids": true, "type": "sha1", "uuid": "58503eda-bcf0-4241-91ff-425502de0b81", "value": "c473ccb92581a803c1f1540be2193bc8b9599bfe" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481653998", "to_ids": true, "type": "sha1", "uuid": "58503eee-5734-415d-a834-44bd02de0b81", "value": "16c206d9cfd4c82d6652afb1eebb589a927b041b" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481653999", "to_ids": true, "type": "sha1", "uuid": "58503eef-e4f4-4565-ba44-4eb702de0b81", "value": "1dc1660677a41b6622b795a1eb5aa5e5118d8f18" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, 
"disable_correlation": false, "timestamp": "1481653999", "to_ids": true, "type": "sha1", "uuid": "58503eef-cd30-4c21-9acd-409a02de0b81", "value": "26da35564d04bb308d57f645f353d1de1fb76677" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654000", "to_ids": true, "type": "sha1", "uuid": "58503ef0-c93c-41bf-bd4c-405d02de0b81", "value": "30d2da7caf740baaa8a1300ee48220b3043a327d" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654000", "to_ids": true, "type": "sha1", "uuid": "58503ef0-6a38-4fa9-b633-4bae02de0b81", "value": "385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654001", "to_ids": true, "type": "sha1", "uuid": "58503ef1-3d38-46d8-8e58-405a02de0b81", "value": "4d5023f9f9d0ba7a7328a8ee341dbbca244f72c5" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654001", "to_ids": true, "type": "sha1", "uuid": "58503ef1-eeb0-41eb-8d93-41bf02de0b81", "value": "57dad9cda501bc8f1d0496ef010146d9a1d3734f" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654002", "to_ids": true, "type": "sha1", "uuid": "58503ef2-bfbc-4cce-bc6a-4ae202de0b81", "value": "68377a993e5a85eb39aded400755a22eb7273ca0" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654002", "to_ids": true, "type": "sha1", "uuid": "58503ef2-f5cc-48cb-b254-4afe02de0b81", "value": "77d7ea627f645219cf6b8454459baef1e5192467" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, 
"disable_correlation": false, "timestamp": "1481654003", "to_ids": true, "type": "sha1", "uuid": "58503ef3-1630-4ee5-9791-429502de0b81", "value": "7b87ad4a25e80000ff1011b51f03e48e8ea6c23d" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654003", "to_ids": true, "type": "sha1", "uuid": "58503ef3-703c-4518-9dd9-480d02de0b81", "value": "7c822f0fdb5ec14dd335cbe0238448c14015f495" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654004", "to_ids": true, "type": "sha1", "uuid": "58503ef4-ecbc-481e-a3e3-4c1702de0b81", "value": "86abbf8a4cf9828381dde9fd09e55446e7533e78" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654004", "to_ids": true, "type": "sha1", "uuid": "58503ef4-61c0-4b1a-84d8-41c402de0b81", "value": "9512a8280214674e6b16b07be281bb9f0255004b" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654004", "to_ids": true, "type": "sha1", "uuid": "58503ef4-1f20-4beb-b829-4c4d02de0b81", "value": "b2e9d964c304fc91dcaf39ff44e3c38132c94655" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1481654005", "to_ids": true, "type": "sha1", "uuid": "58503ef5-9cd4-4623-8d55-4c0602de0b81", "value": "fe4c1c6b3d8fdc9e562c57849e8094393075bc93" }, { "category": "Payload delivery", "comment": "Win32/TrojanDownloader.Agent.CWY", "deleted": false, "disable_correlation": false, "timestamp": "1481654018", "to_ids": true, "type": "sha1", "uuid": "58503f02-21ec-4514-b5ba-c7c302de0b81", "value": "f1bf54186c2c64cd104755f247867238c8472504" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro", 
"deleted": false, "disable_correlation": false, "timestamp": "1481654036", "to_ids": true, "type": "sha1", "uuid": "58503f14-99ec-4578-b7dd-451502de0b81", "value": "7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro", "deleted": false, "disable_correlation": false, "timestamp": "1481654036", "to_ids": true, "type": "sha1", "uuid": "58503f14-a8bc-4338-be8d-448202de0b81", "value": "c361a06e51d2e2cd560f43d4cc9dabe765536179" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654055", "to_ids": false, "type": "hostname", "uuid": "58503f27-ec78-4a65-abb3-425702de0b81", "value": "srv70.putdrive.com" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654056", "to_ids": false, "type": "ip-dst", "uuid": "58503f28-1a5c-46ca-a24e-4a3f02de0b81", "value": "188.165.14.185" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654056", "to_ids": false, "type": "hostname", "uuid": "58503f28-a918-4725-b7a7-4d4f02de0b81", "value": "api.telegram.org" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654056", "to_ids": false, "type": "ip-dst", "uuid": "58503f28-747c-4b4a-8cba-4e9902de0b81", "value": "149.154.167.200" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654057", "to_ids": false, "type": "ip-dst", "uuid": "58503f29-2b9c-4d14-82a6-4dda02de0b81", "value": "149.154.167.197" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware 
authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654057", "to_ids": false, "type": "ip-dst", "uuid": "58503f29-2fbc-4fbc-8e65-4b0202de0b81", "value": "149.154.167.198" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654058", "to_ids": false, "type": "ip-dst", "uuid": "58503f2a-a898-494b-8cfa-480f02de0b81", "value": "149.154.167.199" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654058", "to_ids": false, "type": "hostname", "uuid": "58503f2a-9d08-4001-93a6-43fc02de0b81", "value": "smtp-mail.outlook.com" }, { "category": "Network activity", "comment": "Legitimate servers abused by malware authors", "deleted": false, "disable_correlation": false, "timestamp": "1481654059", "to_ids": false, "type": "ip-dst", "uuid": "58503f2b-c1c4-4de6-b948-4be302de0b81", "value": "65.55.176.126" }, { "category": "Network activity", "comment": "C&C Server", "deleted": false, "disable_correlation": false, "timestamp": "1481654074", "to_ids": true, "type": "ip-dst", "uuid": "58503f3a-4414-4e2c-9562-424302de0b81", "value": "93.190.137.212" }, { "category": "Network activity", "comment": "C&C Server", "deleted": false, "disable_correlation": false, "timestamp": "1481654074", "to_ids": true, "type": "ip-dst", "uuid": "58503f3a-a690-4478-a0ef-4fd602de0b81", "value": "95.141.37.3" }, { "category": "Network activity", "comment": "C&C Server", "deleted": false, "disable_correlation": false, "timestamp": "1481654075", "to_ids": true, "type": "ip-dst", "uuid": "58503f3b-6e14-4deb-82c4-47c602de0b81", "value": "80.233.134.147" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro - Xchecked via VT: c361a06e51d2e2cd560f43d4cc9dabe765536179", "deleted": false, "disable_correlation": false, "timestamp": "1481654318", 
"to_ids": true, "type": "sha256", "uuid": "5850402e-f8a8-4990-ba17-484002de0b81", "value": "97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro - Xchecked via VT: c361a06e51d2e2cd560f43d4cc9dabe765536179", "deleted": false, "disable_correlation": false, "timestamp": "1481654319", "to_ids": true, "type": "md5", "uuid": "5850402f-a854-4c2e-af09-431a02de0b81", "value": "7d4fc63f2096a485d2da3db1150e6d34" }, { "category": "External analysis", "comment": "XLS documents with malicious macro - Xchecked via VT: c361a06e51d2e2cd560f43d4cc9dabe765536179", "deleted": false, "disable_correlation": false, "timestamp": "1481654320", "to_ids": false, "type": "link", "uuid": "58504030-569c-417e-a638-49e502de0b81", "value": "https://www.virustotal.com/file/97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e/analysis/1481528849/" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro - Xchecked via VT: 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f", "deleted": false, "disable_correlation": false, "timestamp": "1481654320", "to_ids": true, "type": "sha256", "uuid": "58504030-0760-4dcf-8527-409e02de0b81", "value": "a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8" }, { "category": "Payload delivery", "comment": "XLS documents with malicious macro - Xchecked via VT: 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f", "deleted": false, "disable_correlation": false, "timestamp": "1481654321", "to_ids": true, "type": "md5", "uuid": "58504031-ffa8-46c5-9bb6-429f02de0b81", "value": "fd0fd58b20b1476e8f67d6a05307e9bc" }, { "category": "External analysis", "comment": "XLS documents with malicious macro - Xchecked via VT: 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f", "deleted": false, "disable_correlation": false, "timestamp": "1481654321", "to_ids": false, "type": "link", "uuid": "58504031-4490-49ed-854e-429202de0b81", "value": 
"https://www.virustotal.com/file/a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8/analysis/1481528895/" }, { "category": "Payload delivery", "comment": "Win32/TrojanDownloader.Agent.CWY - Xchecked via VT: f1bf54186c2c64cd104755f247867238c8472504", "deleted": false, "disable_correlation": false, "timestamp": "1481654322", "to_ids": true, "type": "sha256", "uuid": "58504032-0ec8-49a1-94f3-482b02de0b81", "value": "2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2" }, { "category": "Payload delivery", "comment": "Win32/TrojanDownloader.Agent.CWY - Xchecked via VT: f1bf54186c2c64cd104755f247867238c8472504", "deleted": false, "disable_correlation": false, "timestamp": "1481654322", "to_ids": true, "type": "md5", "uuid": "58504032-e93c-4675-bb15-4e5b02de0b81", "value": "1019c101fc1ae71e5c1687e34f0628e6" }, { "category": "External analysis", "comment": "Win32/TrojanDownloader.Agent.CWY - Xchecked via VT: f1bf54186c2c64cd104755f247867238c8472504", "deleted": false, "disable_correlation": false, "timestamp": "1481654323", "to_ids": false, "type": "link", "uuid": "58504033-4cf4-4a9a-a6d3-405302de0b81", "value": "https://www.virustotal.com/file/2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2/analysis/1479466980/" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", "deleted": false, "disable_correlation": false, "timestamp": "1481654323", "to_ids": true, "type": "sha256", "uuid": "58504033-4f20-4199-af62-440802de0b81", "value": "ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", "deleted": false, "disable_correlation": false, "timestamp": "1481654324", "to_ids": true, "type": "md5", "uuid": "58504034-e410-4ff2-ad04-483302de0b81", "value": "24313581bbbffa9a784b48075b525810" }, { "category": 
"External analysis", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", "deleted": false, "disable_correlation": false, "timestamp": "1481654324", "to_ids": false, "type": "link", "uuid": "58504034-db74-413e-a182-4bec02de0b81", "value": "https://www.virustotal.com/file/ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da/analysis/1481525869/" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", "deleted": false, "disable_correlation": false, "timestamp": "1481654325", "to_ids": true, "type": "sha256", "uuid": "58504035-d258-418c-825d-48b102de0b81", "value": "dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", "deleted": false, "disable_correlation": false, "timestamp": "1481654325", "to_ids": true, "type": "md5", "uuid": "58504035-8c44-4988-8226-488002de0b81", "value": "0fce93cd9beeea30a7f0e2a819d2b968" }, { "category": "External analysis", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", "deleted": false, "disable_correlation": false, "timestamp": "1481654326", "to_ids": false, "type": "link", "uuid": "58504036-c064-4e2c-9d3f-484d02de0b81", "value": "https://www.virustotal.com/file/dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c/analysis/1481552578/" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", "deleted": false, "disable_correlation": false, "timestamp": "1481654326", "to_ids": true, "type": "sha256", "uuid": "58504036-1ce4-46ad-9a87-40f502de0b81", "value": "904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c" }, { "category": "Payload delivery", "comment": "Python/TeleBot.AA backdoor - Xchecked via 
VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", "deleted": false, "disable_correlation": false, "timestamp": "1481654327", "to_ids": true, "type": "md5", "uuid": "58504037-f7ac-43a0-9e31-485f02de0b81", "value": "75ee947e31a40ab4b5cde9f4a767310b" }, { "category": "External analysis", "comment": "Python/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", "deleted": false, "disable_correlation": false, "timestamp": "1481654327", "to_ids": false, "type": "link", "uuid": "58504037-9f80-4883-8f0d-46b302de0b81", "value": "https://www.virustotal.com/file/904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c/analysis/1481552575/" }, { "category": "Payload delivery", "comment": "VBS backdoors - Xchecked via VT: f22cea7bc080e712e85549848d35e7d5908d9b49", "deleted": false, "disable_correlation": false, "timestamp": "1481654328", "to_ids": true, "type": "sha256", "uuid": "58504038-7214-4a85-a564-4ee102de0b81", "value": "1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb" }, { "category": "Payload delivery", "comment": "VBS backdoors - Xchecked via VT: f22cea7bc080e712e85549848d35e7d5908d9b49", "deleted": false, "disable_correlation": false, "timestamp": "1481654328", "to_ids": true, "type": "md5", "uuid": "58504038-e2c4-4186-96bf-4f3b02de0b81", "value": "c404b959b51ad0425f1789f03e2c6ecf" }, { "category": "External analysis", "comment": "VBS backdoors - Xchecked via VT: f22cea7bc080e712e85549848d35e7d5908d9b49", "deleted": false, "disable_correlation": false, "timestamp": "1481654329", "to_ids": false, "type": "link", "uuid": "58504039-f2d8-419a-936a-4f4602de0b81", "value": "https://www.virustotal.com/file/1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb/analysis/1481552577/" }, { "category": "Payload delivery", "comment": "VBS backdoors - Xchecked via VT: 35d71de3e665cf9d6a685ae02c3876b7d56b1687", "deleted": false, "disable_correlation": false, "timestamp": "1481654329", "to_ids": true, "type": "sha256", 
"uuid": "58504039-15bc-45d6-b60f-4dc602de0b81", "value": "eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2" }, { "category": "Payload delivery", "comment": "VBS backdoors - Xchecked via VT: 35d71de3e665cf9d6a685ae02c3876b7d56b1687", "deleted": false, "disable_correlation": false, "timestamp": "1481654330", "to_ids": true, "type": "md5", "uuid": "5850403a-eec4-4723-a1e0-4ff902de0b81", "value": "2d7866989d659c1f8ae795e5cab40bf3" }, { "category": "External analysis", "comment": "VBS backdoors - Xchecked via VT: 35d71de3e665cf9d6a685ae02c3876b7d56b1687", "deleted": false, "disable_correlation": false, "timestamp": "1481654330", "to_ids": false, "type": "link", "uuid": "5850403a-fdf0-46d5-abcc-4bf802de0b81", "value": "https://www.virustotal.com/file/eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2/analysis/1481552576/" }, { "category": "Payload delivery", "comment": "Modified Mimikatz - Xchecked via VT: d8614bc1d428ebabccbfae76a81037ff908a8f79", "deleted": false, "disable_correlation": false, "timestamp": "1481654331", "to_ids": true, "type": "sha256", "uuid": "5850403b-0c30-4fe4-b6f1-482e02de0b81", "value": "b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec" }, { "category": "Payload delivery", "comment": "Modified Mimikatz - Xchecked via VT: d8614bc1d428ebabccbfae76a81037ff908a8f79", "deleted": false, "disable_correlation": false, "timestamp": "1481654331", "to_ids": true, "type": "md5", "uuid": "5850403b-2be0-4103-8f8f-4ceb02de0b81", "value": "bde6c0dac3e594a4a859b490aaaf1217" }, { "category": "External analysis", "comment": "Modified Mimikatz - Xchecked via VT: d8614bc1d428ebabccbfae76a81037ff908a8f79", "deleted": false, "disable_correlation": false, "timestamp": "1481654332", "to_ids": false, "type": "link", "uuid": "5850403c-4150-43c1-be39-482502de0b81", "value": "https://www.virustotal.com/file/b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec/analysis/1471587292/" }, { "category": "Payload delivery", 
"comment": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", "deleted": false, "disable_correlation": false, "timestamp": "1481654332", "to_ids": true, "type": "sha256", "uuid": "5850403c-e308-48a9-b780-415702de0b81", "value": "a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857" }, { "category": "Payload delivery", "comment": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", "deleted": false, "disable_correlation": false, "timestamp": "1481654332", "to_ids": true, "type": "md5", "uuid": "5850403d-ac3c-4442-a474-4b2f02de0b81", "value": "76691c58103431624d26f2b8384a57b0" }, { "category": "External analysis", "comment": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", "deleted": false, "disable_correlation": false, "timestamp": "1481654333", "to_ids": false, "type": "link", "uuid": "5850403d-507c-4196-b7e7-461702de0b81", "value": "https://www.virustotal.com/file/a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857/analysis/1471530894/" }, { "category": "Payload delivery", "comment": "CredRaptor password stealer - Xchecked via VT: 58a45ef055b287bad7b81033e17446ee6b682e2d", "deleted": false, "disable_correlation": false, "timestamp": "1481654333", "to_ids": true, "type": "sha256", "uuid": "5850403d-6128-4f26-bf07-4fa102de0b81", "value": "50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26" }, { "category": "Payload delivery", "comment": "CredRaptor password stealer - Xchecked via VT: 58a45ef055b287bad7b81033e17446ee6b682e2d", "deleted": false, "disable_correlation": false, "timestamp": "1481654334", "to_ids": true, "type": "md5", "uuid": "5850403e-5358-4e0c-be49-485202de0b81", "value": "389ae3a4589e355e173e9b077d6f1a0a" }, { "category": "External analysis", "comment": "CredRaptor password stealer - Xchecked via VT: 58a45ef055b287bad7b81033e17446ee6b682e2d", "deleted": false, "disable_correlation": false, "timestamp": "1481654334", "to_ids": 
false, "type": "link", "uuid": "5850403e-6d80-44e0-8c42-4b7102de0b81", "value": "https://www.virustotal.com/file/50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26/analysis/1481650988/" }, { "category": "Payload delivery", "comment": "Win64/Spy.KeyLogger.G trojan - Xchecked via VT: 7582de9e93e2f35f9a63b59317eba48846eea4c7", "deleted": false, "disable_correlation": false, "timestamp": "1481654335", "to_ids": true, "type": "sha256", "uuid": "5850403f-49bc-4edb-9e43-451502de0b81", "value": "e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e" }, { "category": "Payload delivery", "comment": "Win64/Spy.KeyLogger.G trojan - Xchecked via VT: 7582de9e93e2f35f9a63b59317eba48846eea4c7", "deleted": false, "disable_correlation": false, "timestamp": "1481654335", "to_ids": true, "type": "md5", "uuid": "5850403f-b088-4448-b8aa-4f4702de0b81", "value": "4919569cd19164c1f123f97c5b44b03b" }, { "category": "External analysis", "comment": "Win64/Spy.KeyLogger.G trojan - Xchecked via VT: 7582de9e93e2f35f9a63b59317eba48846eea4c7", "deleted": false, "disable_correlation": false, "timestamp": "1481654336", "to_ids": false, "type": "link", "uuid": "58504040-8818-4b41-b6f3-421502de0b81", "value": "https://www.virustotal.com/file/e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e/analysis/1469022930/" }, { "category": "Payload delivery", "comment": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", "deleted": false, "disable_correlation": false, "timestamp": "1481654336", "to_ids": true, "type": "sha256", "uuid": "58504040-f9a4-4380-87a4-405a02de0b81", "value": "5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118" }, { "category": "Payload delivery", "comment": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", "deleted": false, "disable_correlation": false, "timestamp": "1481654337", "to_ids": true, "type": "md5", "uuid": 
"58504041-d378-4427-aafb-415d02de0b81", "value": "5bd6b79a4443afd27f7ed1fbf66060ea" }, { "category": "External analysis", "comment": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", "deleted": false, "disable_correlation": false, "timestamp": "1481654337", "to_ids": false, "type": "link", "uuid": "58504041-6110-4ca7-be7a-4fd602de0b81", "value": "https://www.virustotal.com/file/5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118/analysis/1471786034/" }, { "category": "Payload delivery", "comment": "Win32/KillDisk - Xchecked via VT: 8eb8527562dda552fc6b8827c0ebf50968848f1a", "deleted": false, "disable_correlation": false, "timestamp": "1481654338", "to_ids": true, "type": "sha256", "uuid": "58504042-c64c-4694-a0ff-47b902de0b81", "value": "8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d" }, { "category": "Payload delivery", "comment": "Win32/KillDisk - Xchecked via VT: 8eb8527562dda552fc6b8827c0ebf50968848f1a", "deleted": false, "disable_correlation": false, "timestamp": "1481654338", "to_ids": true, "type": "md5", "uuid": "58504042-1fa8-423e-87d2-40ee02de0b81", "value": "b75c869561e014f4d384773427c879a6" }, { "category": "External analysis", "comment": "Win32/KillDisk - Xchecked via VT: 8eb8527562dda552fc6b8827c0ebf50968848f1a", "deleted": false, "disable_correlation": false, "timestamp": "1481654339", "to_ids": false, "type": "link", "uuid": "58504043-2dc4-43c6-9623-423f02de0b81", "value": "https://www.virustotal.com/file/8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d/analysis/1481528958/" }, { "category": "Payload delivery", "comment": "Win32/KillDisk - Xchecked via VT: 71a2b3f48828e4552637fa9753f0324b7146f3af", "deleted": false, "disable_correlation": false, "timestamp": "1481654339", "to_ids": true, "type": "sha256", "uuid": "58504043-2408-4775-944a-4c1202de0b81", "value": "26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e" }, { "category": 
"Payload delivery", "comment": "Win32/KillDisk - Xchecked via VT: 71a2b3f48828e4552637fa9753f0324b7146f3af", "deleted": false, "disable_correlation": false, "timestamp": "1481654340", "to_ids": true, "type": "md5", "uuid": "58504044-c16c-46f8-87e9-48bb02de0b81", "value": "ffb1e8babaecc4a8cb3d763412294469" }, { "category": "External analysis", "comment": "Win32/KillDisk - Xchecked via VT: 71a2b3f48828e4552637fa9753f0324b7146f3af", "deleted": false, "disable_correlation": false, "timestamp": "1481654340", "to_ids": false, "type": "link", "uuid": "58504044-2238-4999-9bd4-471902de0b81", "value": "https://www.virustotal.com/file/26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e/analysis/1481554993/" } ] } }