{ "Event": { "analysis": "0", "date": "2019-09-19", "extends_uuid": "", "info": "OSINT - New Gootkit Banking Trojan campaign against Italian Companies and Users.", "publish_timestamp": "1568898584", "published": true, "threat_level_id": "3", "timestamp": "1568897957", "uuid": "5d832991-f5e4-4623-945f-4bf6950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#6edb00", "name": "circl:topic=\"finance\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0088cc", "name": "misp-galaxy:tool=\"GootKit\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"GootKit\"" }, { "colour": "#0088cc", "name": "misp-galaxy:financial-fraud=\"Malware\"" } ], "Attribute": [ { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-a06c-4378-92f3-c1bb950d210f", "value": "Unicredit" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-9278-44d9-ba81-c1bb950d210f", "value": "In-Bank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-8ca4-42bf-a750-c1bb950d210f", "value": "Cedacri" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-6ce8-44b5-861c-c1bb950d210f", "value": "Intesa Sanpaolo" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": 
"target-org", "uuid": "5d8379b5-a79c-4138-bd9b-c1bb950d210f", "value": "Groupe Banque Populaire" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-a554-4a3c-a460-c1bb950d210f", "value": "Poste Italiane" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-bb98-40a1-9f0d-c1bb950d210f", "value": "Cr\u00e9dit Agricole" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-ffd8-421c-86ff-c1bb950d210f", "value": "CariParma" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-a01c-4e29-aff6-c1bb950d210f", "value": "Cr\u00e9dit Coop\u00e9ratif" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-7d04-4b3e-ba6f-c1bb950d210f", "value": "BNP Paribas" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-0ef4-4904-881d-c1bb950d210f", "value": "Caisse D'Epargne" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": "5d8379b5-eef0-42d9-9f25-c1bb950d210f", "value": "Banco BPM" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897461", "to_ids": false, "type": "target-org", "uuid": 
"5d8379b5-b3b0-4eab-86a2-c1bb950d210f", "value": "Raiffeisen" }, { "category": "Network activity", "comment": "Dropurl", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "url", "uuid": "5d837a94-cb00-4865-b2c8-c1c3950d210f", "value": "https://itp.surfpapara.com/b807112.bin" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "hostname", "uuid": "5d837a94-7960-4cb7-a565-c1c3950d210f", "value": "itp.surfpapara.com" }, { "category": "Network activity", "comment": "C2 (gootkit)", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "url", "uuid": "5d837a94-b35c-4ba9-80d4-c1c3950d210f", "value": "https://web.mavensd.org/200" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "hostname", "uuid": "5d837a94-af68-40ed-85e3-c1c3950d210f", "value": "web.mavensd.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "hostname", "uuid": "5d837a94-be98-448c-9a29-c1c3950d210f", "value": "cdn.areascans.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568897684", "to_ids": true, "type": "ip-dst", "uuid": "5d837a94-2fd4-407b-99f3-c1c3950d210f", "value": "185.141.27.101" }, { "category": "Network activity", "comment": "Attribute #7619842 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1568897713", "to_ids": false, "type": "ip-src", "uuid": "5d837ab1-3664-49ea-aca3-4514e387cbd9", "value": "89.238.181.100" }, { "category": "Network activity", "comment": "Attribute #7619844 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1568897713", "to_ids": false, "type": 
"ip-src", "uuid": "5d837ab1-bf58-441a-ac3e-418fe387cbd9", "value": "46.166.176.152" } ], "Object": [ { "comment": "", "deleted": false, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "name": "microblog", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "template_version": "7", "timestamp": "1568878187", "uuid": "5d832cb5-cc3c-43b6-ad5c-4c04950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "post", "timestamp": "1568878187", "to_ids": false, "type": "text", "uuid": "5d832cb5-4318-4aa8-a51e-4e22950d210f", "value": "New Gootkit Banking Trojan campaign against Italian Companies and Users.\r\nhttps://blog.yoroi.company/warning/nuove-operazioni-di-attacco-gootkit/\r\nIOCs:\r\nhttps://pastebin.com/6P5NWa1U\r\n#Gootkit #Banking #Trojan #Malware" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1568878187", "to_ids": false, "type": "text", "uuid": "5d832cb5-5874-420a-92bd-4fb4950d210f", "value": "Twitter" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "embedded-link", "timestamp": "1568878187", "to_ids": true, "type": "url", "uuid": "5d832cb5-a7bc-4969-8d1d-4dab950d210f", "value": "https://t.co/3yyykFMc1R?amp=1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1568878187", "to_ids": false, "type": "text", "uuid": "5d832cb5-b220-45ea-9690-4d2f950d210f", "value": "Bank_Security" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1568878187", "to_ids": false, "type": "link", "uuid": "5d832cb5-c344-49e8-a1a4-47b4950d210f", "value": "https://mobile.twitter.com/Bank_Security/status/1174556512980819968" }, { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1568878187", "to_ids": false, "type": "text", "uuid": "5d832cdd-7090-4089-88f3-46ca950d210f", "value": "Informative" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "creation-date", "timestamp": "1568878187", "to_ids": false, "type": "datetime", "uuid": "5d832cdd-6b08-4374-8c0f-4d43950d210f", "value": "2019-09-19T07:31:00" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "embedded-link", "timestamp": "1568878187", "to_ids": true, "type": "url", "uuid": "5d832e6b-6108-463f-9d4d-46ea950d210f", "value": "https://t.co/9luSvWSO2e?amp=1" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "embedded-link", "timestamp": "1568897942", "to_ids": true, "type": "link", "uuid": "5d832e6b-010c-4433-b25e-470c950d210f", "value": "https://blog.yoroi.company/warning/nuove-operazioni-di-attacco-gootkit/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "embedded-link", "timestamp": "1568897957", "to_ids": true, "type": "link", "uuid": "5d832e6b-abfc-4b0c-b672-465c950d210f", "value": "https://pastebin.com/6P5NWa1U", "Tag": [ { "colour": "#003860", "name": "osint:source-type=\"pastie-website\"" } ] } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1568897524", "uuid": "6bbf9a7d-6542-429f-ac4a-333de70ae74b", "ObjectReference": [ { "comment": "", "object_uuid": "6bbf9a7d-6542-429f-ac4a-333de70ae74b", "referenced_uuid": 
"3434304f-aa8f-4e7a-ac4a-4bce602af10e", "relationship_type": "analysed-with", "timestamp": "1568897525", "uuid": "5d8379f5-2a0c-405a-8cde-c1c8950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "vbs", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1568897511", "to_ids": true, "type": "md5", "uuid": "f47aa0eb-61ff-4702-ab17-1190bedea230", "value": "eb2a050f3c7b6fa0dc1d455232e786f3" }, { "category": "Payload delivery", "comment": "vbs", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1568897511", "to_ids": true, "type": "sha1", "uuid": "0a79bfac-971d-47db-9a80-1c94de72e0d3", "value": "da03a783b590c9c998b593b9701cb227322856b9" }, { "category": "Payload delivery", "comment": "vbs", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1568897511", "to_ids": true, "type": "sha256", "uuid": "7dfbacd5-7d00-4817-8731-4e6d1382ed25", "value": "67a96b2a5657bf39971c50e1b0e7f08f742b62bb1dffe45398298806d2e9fdba" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1568897524", "uuid": "3434304f-aa8f-4e7a-ac4a-4bce602af10e", "Attribute": [ { "category": "Other", "comment": "vbs", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1568897511", "to_ids": false, "type": "datetime", "uuid": "a7a82bfa-e573-4fe9-8ce4-a1c1b03717f4", "value": "2019-09-19T05:45:56" }, { "category": "Payload delivery", "comment": "vbs", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1568897511", "to_ids": false, "type": "link", "uuid": "603f9363-bbf0-4a65-8917-3251a4739791", "value": "https://www.virustotal.com/file/67a96b2a5657bf39971c50e1b0e7f08f742b62bb1dffe45398298806d2e9fdba/analysis/1568871956/" 
}, { "category": "Payload delivery", "comment": "vbs", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1568897511", "to_ids": false, "type": "text", "uuid": "4c4adb3b-c544-4ec3-b57f-4343cabfb5d7", "value": "12/56" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1568897524", "uuid": "2d9d2fde-e283-457f-af6a-c2ed2d413a2b", "ObjectReference": [ { "comment": "", "object_uuid": "2d9d2fde-e283-457f-af6a-c2ed2d413a2b", "referenced_uuid": "5e753062-9287-4953-9bdb-0dd05bbbffa7", "relationship_type": "analysed-with", "timestamp": "1568897525", "uuid": "5d8379f5-2298-44db-9aee-c1c8950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "exe", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1568897512", "to_ids": true, "type": "md5", "uuid": "ed21a624-0d43-40e4-8856-c12a16b81c74", "value": "41db936a62634ba98b33051da243632a" }, { "category": "Payload delivery", "comment": "exe", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1568897512", "to_ids": true, "type": "sha1", "uuid": "d73aaea1-9f79-4d8d-a158-0364d47488bf", "value": "f074c230441a9b682fb5cc4dae8615d4ad1a3fa5" }, { "category": "Payload delivery", "comment": "exe", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1568897512", "to_ids": true, "type": "sha256", "uuid": "f5493cf8-2c69-4cab-8901-b4a2dcbb2101", "value": "c18c2e2636ebf84eec95f59b16c3091d02d57ac9f1b9d79fb61e160fb1a32a73" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1568897525", "uuid": 
"5e753062-9287-4953-9bdb-0dd05bbbffa7", "Attribute": [ { "category": "Other", "comment": "exe", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1568897512", "to_ids": false, "type": "datetime", "uuid": "72ea703a-87e2-421b-9abe-f5c5cc0fe8f1", "value": "2019-09-18T13:39:42" }, { "category": "Payload delivery", "comment": "exe", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1568897512", "to_ids": false, "type": "link", "uuid": "e4eeee01-bbc4-41e0-816b-381eb061278f", "value": "https://www.virustotal.com/file/c18c2e2636ebf84eec95f59b16c3091d02d57ac9f1b9d79fb61e160fb1a32a73/analysis/1568813982/" }, { "category": "Payload delivery", "comment": "exe", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1568897512", "to_ids": false, "type": "text", "uuid": "ebd702a3-5b3b-4264-a959-8e9bebc5db73", "value": "39/69" } ] } ] } }