{ "Event": { "analysis": "2", "date": "2021-02-20", "extends_uuid": "", "info": "OSINT - IronNetInjector: Turla\u2019s New Malware Loading Tool", "publish_timestamp": "1613840000", "published": true, "threat_level_id": "2", "timestamp": "1613811965", "uuid": "1edd5ee1-7c91-4233-840a-6c419d6afc62", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613811034", "to_ids": true, "type": "pdb", "uuid": "191d97b2-d7ea-49cb-a19a-2f560bc94b3b", "value": "%USERPROFILE%\\source\\repos\\c4\\agent\\build\\_tools\\agent\\_dll\\_to\\_Python\\_loader\\NetInjector\\NetInjector\\obj\\Release\\NetInjector.pdb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "d9c8070f-ea2b-47e8-ae78-30a1f85a788c", "value": "a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "f4642726-7d3a-4f77-ac23-59c220678eb0", "value": "63d7695dabefb97aa30cbe522647c95395b44321e1a3b08b8028e4000d1be15e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "7218aec5-416f-438e-936a-1ba1f92ab346", "value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "25def1c1-4edf-46dd-b831-d21ae46b1a48", "value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "3e136590-6d34-418c-9896-78defc1c3f1c", "value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "8c99b060-e98f-4903-a660-9b179da4f06b", "value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "103f647f-76fc-4698-8193-2c29df55f26e", "value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "00f2f454-0978-43f9-9dd8-55d407f1c190", "value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "8389a593-98d2-4ae2-ae3a-3efbe519672a", "value": "ba17af72a9d90822eed447b8526fb68963f0cde78df07c16902dc5a0c44536c4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "c803c285-7b5e-41a2-8039-4cf867cc0cd3", "value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "eeeffb3a-b92e-43d8-a954-60e99fd478d4", "value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "490b1de9-53aa-4776-81fb-3ddd8f226dbf", "value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "61288f48-9193-4986-942d-8186dc5832c3", "value": "c430ebab4bf827303bc4ad95d40eecc7988bdc17cc139c8f88466bc536755d4e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "c01c2b14-2df0-48be-a8b9-151d1eb6cabb", "value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "ee49fa56-c0d1-4cf6-bd09-2a7c41e82812", "value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613811114", "to_ids": true, "type": "pdb", "uuid": "1af7dfc6-d905-4932-aa29-6e8b580c1419", "value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_Win32.pdb" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1613811020", "to_ids": true, "type": "pdb", "uuid": "f77b67e3-040f-43c6-b27f-7b3adb17acbc", "value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_x64.pdb" } ], "Object": [ 
{ "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "2", "timestamp": "1613810873", "uuid": "b380f86c-fab0-4725-9f44-75c0066c3443", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1613810873", "to_ids": false, "type": "link", "uuid": "4f7c4a75-b3d0-4141-a0d5-1ab8216f1ff7", "value": "https://unit42.paloaltonetworks.com/ironnetinjector/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1613810873", "to_ids": false, "type": "text", "uuid": "5e9d4958-9976-4f9d-a7e6-25b1268356d3", "value": "In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use \u2013 including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware.\r\n\r\nUnit 42 researchers have found several malicious IronPython scripts whose purpose is to load and run Turla\u2019s malware tools on a victim\u2019s system. The use of IronPython for malicious purposes isn\u2019t new, but the way Turla uses it is new. The overall method is known as Bring Your Own Interpreter (BYOI). It describes the use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.\r\n\r\nThe first malicious IronPython scripts of the tool we describe here were discovered last year by a security researcher from FireEye. At the beginning of this year, another security researcher from Dragos pointed out some new scripts of the same threat actor uploaded to VirusTotal from two different submitters. 
We found that one of the submitters also uploaded two other samples, which are most likely embedded payloads of one of the IronPython scripts. These samples helped us to understand how this tool works, what malware it loads and which threat actor uses it.\r\n\r\nWhile the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of IronPython and the injector\u2019s internal project name NetInjector. In this blog, we describe the IronPython scripts and how they\u2019re used to load one or more payloads with the help of an injector.\r\n\r\nPalo Alto Networks customers are protected from this threat through WildFire and Cortex XDR. AutoFocus customers can investigate this activity with the tag \u201cIronNetInjector\u201d." } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811963", "uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531", "ObjectReference": [ { "comment": "", "object_uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531", "referenced_uuid": "c344702e-a806-4c8f-b775-73df55233630", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "09806fa8-53a9-464d-857b-73dd70ebe3a5" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "113fce15-61f2-49fa-bfbb-26aaa77a2aad", "value": "0674e34d0b01e1c71e4666da1f3b589f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "40c270cc-ff02-47d6-8bff-b1657cc680eb", "value": 
"0133512142805b89b5a86dfa67a82aaedbbab69c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "3bef1341-4c92-441a-8817-1dc4d148e8eb", "value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "c344702e-a806-4c8f-b775-73df55233630", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "953df01c-4d2e-450a-afd9-d31ece971d4f", "value": "2021-02-19T19:36:11+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "bbfdefe0-60e7-4bfc-a6fa-8491930fd0f8", "value": "https://www.virustotal.com/gui/file/b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040/detection/f-b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040-1613763371" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "c6daa0ea-94a8-4656-88a2-9385e163db80", "value": "7/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "bb6d2897-d966-484f-a16e-ef0d4883382c", "ObjectReference": [ { "comment": "", "object_uuid": 
"bb6d2897-d966-484f-a16e-ef0d4883382c", "referenced_uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "905906a9-8e41-4f0a-9585-db1c1a31ef05" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "8fc9329d-1f61-4609-abe1-a240a5d0919c", "value": "48f52e0c7aa72c2ccc5f5fcbd8e1290b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "dfffdfed-59f9-4cf2-95b6-14183d075222", "value": "347f31769431ad70147e68fbb6bfa1e17fe283e9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "58c2aa6f-202a-4909-9511-3b7f8a18bcd4", "value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "a72d5d15-a703-44ee-85a8-3944ca8c30ee", "value": "2021-02-19T18:04:13+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "d35f9f97-e4fd-47fb-bb91-0b848af5ed4c", "value": 
"https://www.virustotal.com/gui/file/b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d/detection/f-b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d-1613757853" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "2d866758-093e-4856-bf2a-e758ce033f7c", "value": "26/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1", "ObjectReference": [ { "comment": "", "object_uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1", "referenced_uuid": "b267c9dd-a93a-485d-8669-f183f000e830", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "daf3264d-27a3-4182-b6e3-f3cd4d90da1c" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "2015a9a1-f8c1-4dfd-9aa4-64e72c7e9878", "value": "f376bc51b1220e5fc520ce60762ac6ce" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "ea85804d-5418-4724-86d9-c439b75f8745", "value": "3e65b2df40001253ad8d9a3430a597c7b028bae9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "1244faf6-1cb0-4adc-af30-b3bdbbfbb84a", "value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", 
"meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "b267c9dd-a93a-485d-8669-f183f000e830", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "27d7b061-8f1c-45c8-a1e3-0664f11916e7", "value": "2021-02-20T03:39:41+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "3370b374-bfa9-433e-b062-6c64666954d1", "value": "https://www.virustotal.com/gui/file/a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061/detection/f-a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061-1613792381" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "ac3a1514-866c-4895-8133-d003a148510f", "value": "48/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "fd84b821-3908-4308-82c5-3e80414485c0", "ObjectReference": [ { "comment": "", "object_uuid": "fd84b821-3908-4308-82c5-3e80414485c0", "referenced_uuid": "8952247a-923b-45d0-aeb2-e205c1471a97", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "0d3bc751-2b79-4cde-9e02-f0a9d1d836c1" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": 
"8ea94f5f-2ad3-4088-b588-a71f6325b7da", "value": "9446059710c1869fc8aa9f0ef75d82f4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "e23a718e-a396-4b99-a011-908f38fcb11d", "value": "a91612cadaccc19d101710b0ae77151a7a1b043b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "209aab73-4653-4c6e-bfae-63426de9ba8d", "value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "8952247a-923b-45d0-aeb2-e205c1471a97", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "a81ae9f3-97d4-4ace-8e64-c8e7e7370af4", "value": "2021-02-19T18:04:19+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "30a8de8e-8eb2-4ace-855d-e74fcb54608d", "value": "https://www.virustotal.com/gui/file/8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72/detection/f-8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72-1613757859" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "f099139a-13f7-46ba-918e-0492e4ca4340", "value": "22/59" } ] }, { "comment": "", "deleted": 
false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c", "ObjectReference": [ { "comment": "", "object_uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c", "referenced_uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "17472a77-bafd-4f5e-82ef-9f401e0bcff2" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "70a52887-9a96-451a-8682-984cf6468f65", "value": "7fcd8d3fde761de1d894dcf87827dde3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "23672d95-c2a4-476e-9e7d-44a0e882e09e", "value": "f2284d4777d2b5d2faf33844084b94c9552d5294" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "b94364d4-c6e1-4444-842a-6edfdef13d0b", "value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "67b46cdc-27d2-4d07-9be9-e932cbbcde01", "value": 
"2021-02-20T03:38:42+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "0091c69d-d04c-4879-aa0c-44616bf64e5a", "value": "https://www.virustotal.com/gui/file/a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56/detection/f-a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56-1613792322" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "803cccf0-f675-4664-80b4-f907076d9238", "value": "47/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e", "ObjectReference": [ { "comment": "", "object_uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e", "referenced_uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "b4b90211-ad2a-420b-918a-73bd06085094" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "8a55c305-c59c-421c-8695-6edb137982f3", "value": "1777b81f3f87648b2344ea480bbcba65" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "098e3b1a-00c4-41d0-b6a4-1ad4d05057f8", "value": "ae76df8def138b6d4c82984f7172ed5bba737e1b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "c1037107-2a6c-4c29-8880-89fdb18538fa", "value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "8b32b042-1ddb-443b-a4a7-0679753f79d1", "value": "2021-02-20T09:03:32+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "ee58a958-335f-43e6-a69e-cd4a46551abc", "value": "https://www.virustotal.com/gui/file/c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9/detection/f-c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9-1613811812" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "1ca876a3-9ff0-4392-84df-11ee11f2c491", "value": "3/69" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "9429ddde-5558-4980-b168-6adae4f881ee", "ObjectReference": [ { "comment": "", "object_uuid": "9429ddde-5558-4980-b168-6adae4f881ee", "referenced_uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2", "relationship_type": "analysed-with", 
"timestamp": "1613811965", "uuid": "8f864090-0997-4822-9827-4fa3418b9445" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "9ee8e1c3-5d9a-4697-9b15-97f93a69263b", "value": "eff5881b4bf83386e26c451ff7c34a90" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "4be7aca8-1982-472f-b5c2-f778eff9b207", "value": "d7a18413d8c2b2525a0c90aaa392bdaef377e2ec" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "4efeefd3-d530-49be-a6d7-70a6414fc5e2", "value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "69cb8722-3339-4367-9f5f-19af913184b0", "value": "2021-02-19T18:13:50+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "b864d0d7-71ef-4c0c-97a2-96d45559960f", "value": "https://www.virustotal.com/gui/file/18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746/detection/f-18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746-1613758430" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "2e321a84-f066-4515-bc1e-ce0ddd84e98f", "value": "43/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75", "ObjectReference": [ { "comment": "", "object_uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75", "referenced_uuid": "d6e00d51-3e6b-4568-9cec-dd77c1c0de47", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "fd8106da-0f36-4818-8c3f-32a48d2cac1d" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "7f3babc3-9f0b-4041-9317-c5110ec1553a", "value": "0ebe822e8c7ebb803ae5b6b74601c36f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "35b5a373-675f-48cf-acf3-ba15def8922c", "value": "86681c0c9b171f1afef5b06104abe8abcf0c992e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "98231e9e-8ba2-4b84-8960-ace7615cdb63", "value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": 
"d6e00d51-3e6b-4568-9cec-dd77c1c0de47", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "fb9530c3-4758-49cb-a9e9-55a039df9dd8", "value": "2021-02-19T18:02:33+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "a5e137aa-eb61-4524-9b88-4113cbe136bb", "value": "https://www.virustotal.com/gui/file/3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6/detection/f-3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6-1613757753" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "324b299c-0c8c-4430-97b2-9fc02b095f97", "value": "30/60" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4", "ObjectReference": [ { "comment": "", "object_uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4", "referenced_uuid": "521e7905-f504-432c-ad34-54b87b7896b3", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "4d60404e-514f-43b7-b55c-ce3d0b35c0d8" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "2acf5157-a4b7-4d73-a8ac-b7b30e3c723d", "value": "d672139849f9855bfb703fcaec020a2f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "25ffd605-b39e-4230-9bc4-eea7711a34f7", "value": "7e138c1337a29868fddfa99f52dfe1de38e46c9e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "72717563-3369-40b9-a04c-fa61773d3cfe", "value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "521e7905-f504-432c-ad34-54b87b7896b3", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "78473fdb-7413-479d-89f9-eaf44270cad9", "value": "2021-02-19T19:37:27+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "e92bfb2d-804e-46e9-a1db-bea4af8058b4", "value": "https://www.virustotal.com/gui/file/c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad/detection/f-c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad-1613763447" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "3809e013-1036-475c-b671-47e8a0b84008", "value": "4/59" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", 
"template_version": "22", "timestamp": "1613811964", "uuid": "0c0447cb-deb3-4606-b74e-5d016a305472", "ObjectReference": [ { "comment": "", "object_uuid": "0c0447cb-deb3-4606-b74e-5d016a305472", "referenced_uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "64663b63-0c63-4aa3-af31-badc2acc92b7" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "a856cfa0-c225-4225-94be-405cf2cd4f6f", "value": "b11d85844af9fa84bf84ff746557f0b5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "3ba7094a-54fe-4376-9909-de8888a82a39", "value": "44efacb89badadb486839165aba4d1ecdf3f047e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "0c942d0f-54f0-4bed-8bea-1d82cf6f21ae", "value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "5d7a76b9-f6f8-4e46-95ed-0b198b71976f", "value": "2021-02-19T18:04:36+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", 
"to_ids": false, "type": "link", "uuid": "c1e70c66-59bc-4f40-a8cf-4564237a915d", "value": "https://www.virustotal.com/gui/file/b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3/detection/f-b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3-1613757876" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "102ea680-2071-42f6-a95e-52d9a87163b0", "value": "22/58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811964", "uuid": "0ad792f3-1b7b-4510-a584-a113276453bc", "ObjectReference": [ { "comment": "", "object_uuid": "0ad792f3-1b7b-4510-a584-a113276453bc", "referenced_uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "9dae3dcf-b5f8-4bc5-94d1-33862198bb9e" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "fce44e72-82c0-4707-bf3c-dc000ac26bad", "value": "e46da9ab2096ebb33279a808f5a7ee77" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "56bab591-b146-4fc0-bf53-f8aca7fcda9b", "value": "ad81f2f00f25cd0e45151d42d63c46db3ae39bed" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "579dfbfe-4194-439b-ab69-555dfbaef643", "value": 
"a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811964", "uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "ca73ed83-05f6-4bad-be26-36e0433048df", "value": "2021-02-20T09:04:22+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "a4a46491-8771-4a52-8bd6-9bbc4477ae82", "value": "https://www.virustotal.com/gui/file/a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc/detection/f-a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc-1613811862" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1613810910", "to_ids": false, "type": "text", "uuid": "9158f2ab-9d6c-48a9-b1d3-37e76f1d6c67", "value": "40/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "22", "timestamp": "1613811965", "uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020", "ObjectReference": [ { "comment": "", "object_uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020", "referenced_uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45", "relationship_type": "analysed-with", "timestamp": "1613811965", "uuid": "677bd01b-6520-46a1-8756-4dbbcac28dc8" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", 
"deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1613810910", "to_ids": true, "type": "md5", "uuid": "0d76897f-f845-4111-b7c0-e3ef91f1b365", "value": "98ce8c41188fcc1a92d0a23569c3765c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1613810910", "to_ids": true, "type": "sha1", "uuid": "9de52289-4101-4d81-a4f7-3ecc22536b14", "value": "2920d5e6c579fce772e5506caf03af65579088bd" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1613810910", "to_ids": true, "type": "sha256", "uuid": "c82f7295-3a96-4c4a-965a-75a342037240", "value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "3", "timestamp": "1613811965", "uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1613810910", "to_ids": false, "type": "datetime", "uuid": "85f958ed-446d-454f-8b88-4e47a82c063f", "value": "2021-02-19T18:04:28+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1613810910", "to_ids": false, "type": "link", "uuid": "f10b6f7e-a1ec-4fb5-8f03-16c6e00c9bf9", "value": "https://www.virustotal.com/gui/file/82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93/detection/f-82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93-1613757868" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": 
"1613810910", "to_ids": false, "type": "text", "uuid": "1c366e4f-fd00-453f-9f3b-c6cf51c09e3e", "value": "18/59" } ] } ], "EventReport": [ { "name": "Report from - \r\nhttps://unit42.paloaltonetworks.com/ironnetinjector/ (1613810890)", "content": "html [if IE]>\nYou are using an outd@[tag](misp-galaxy:tool=\"at\")ed browser. Please upgrade your browser to improve your experience.\nPlease enter your email address!\n\n Please mark, I'm not a robot!\n\n By submitting this form, you agree to our Terms of Use and acknowledge our Privacy St@[tag](misp-galaxy:tool=\"at\")ement.", "id": "41", "event_id": "82503", "timestamp": "1613810910", "uuid": "93647699-1a3e-44fa-9bd4-c00725e0fd11", "deleted": false } ] } }