{ "Event": { "analysis": "2", "date": "2017-02-18", "extends_uuid": "", "info": "OSINT - Demystifying targeted malware used against Polish banks", "publish_timestamp": "1487439248", "published": true, "threat_level_id": "3", "timestamp": "1487439192", "uuid": "58a883f4-a2f8-4901-9d5f-a16602de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#6bd600", "local": false, "name": "circl:topic=\"finance\"", "relationship_type": "" }, { "colour": "#13eb00", "local": false, "name": "misp-galaxy:threat-actor=\"Lazarus Group\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": false, "type": "link", "uuid": "58a8842b-bf7c-40d9-97af-a16e02de0b81", "value": "http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": false, "type": "text", "uuid": "58a8843f-e9b0-48c4-8081-a16302de0b81", "value": "Hot news about successful attacks on Polish banks appeared recently on the Polish security portal ZaufanaTrzeciaStrona.pl (translated in English here). The impact of the attacks was described dramatically with adjectives like \u201cthe most serious\u201d. The initial reports were very recently supported by two blogposts by Symantec and BAE Systems. The nationalities of affected institutions were extended also to Mexico and Uruguay, with even more high-profile targets in the attackers\u2019 viewfinder that are located worldwide. There are many interesting aspects to these attacks starting from the targets, moving on to the vector of compromise, right up to the specific features of the malicious executables used. While the first two aspects have been quite thoroughly examined so far, the malicious binaries involved haven\u2019t received much attention so far. The purpose of this blog post is to deliver technical details of this as-yet minimally documented malware.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tDropper;gpsvc.exe", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884cb-05ac-4ab1-9637-568a02de0b81", "value": "bedceafa2109139c793cb158cec9fa48f980ff2b" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tEnigma-protected loader", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884cc-b7ec-422b-bc5d-568a02de0b81", "value": "aa115e6587a535146b7493d6c02896a7d322879e" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tEnigma-protected module; RAT; libcurl v. 7.47.", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884cd-41d0-4a0d-8e45-568a02de0b81", "value": "a107f1046f5224fdb3a5826fa6f940a981fe65a1" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884ce-8f30-41ec-8f85-568a02de0b81", "value": "4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884fe-28e0-4cdc-b437-569502de0b81", "value": "fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884ff-2798-4d65-a9dd-569502de0b81", "value": "11568dffd6325ade217fbe49ce56a3ee5001cbcc" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tDecrypted module; RAT;libcurl v. 7.49.1 (*)", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a884ff-76f4-4eae-8513-569502de0b81", "value": "e45ca027635f904101683413dd58fbd64d602ebe" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1", "deleted": false, "disable_correlation": false, "timestamp": "1487439192", "to_ids": true, "type": "sha1", "uuid": "58a88500-3b1c-4c05-97b1-569502de0b81", "value": "50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c", "deleted": false, "disable_correlation": false, "timestamp": "1487439200", "to_ids": true, "type": "sha256", "uuid": "58a88560-396c-4bde-a174-a16a02de0b81", "value": "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c", "deleted": false, "disable_correlation": false, "timestamp": "1487439201", "to_ids": true, "type": "md5", "uuid": "58a88561-131c-42f2-b22f-a16a02de0b81", "value": "40e698f961eb796728a57ddf81f52b9a" }, { "category": "External analysis", "comment": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c", "deleted": false, "disable_correlation": false, "timestamp": "1487439202", "to_ids": false, "type": "link", "uuid": "58a88562-0938-43d4-a375-a16a02de0b81", "value": "https://www.virustotal.com/file/a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118/analysis/1487306631/" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc", "deleted": false, "disable_correlation": false, "timestamp": "1487439203", "to_ids": true, "type": "sha256", "uuid": "58a88563-fe54-45ef-b63e-a16a02de0b81", "value": "752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc", "deleted": false, "disable_correlation": false, "timestamp": "1487439204", "to_ids": true, "type": "md5", "uuid": "58a88564-1760-4f31-b86f-a16a02de0b81", "value": "9cc6854bc5e217104734043c89dc4ff8" }, { "category": "External analysis", "comment": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc", "deleted": false, "disable_correlation": false, "timestamp": "1487439205", "to_ids": false, "type": "link", "uuid": "58a88565-c3ac-4f2a-9897-a16a02de0b81", "value": "https://www.virustotal.com/file/752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f/analysis/1487229167/" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b", "deleted": false, "disable_correlation": false, "timestamp": "1487439205", "to_ids": true, "type": "sha256", "uuid": "58a88565-e914-49da-88cd-a16a02de0b81", "value": "cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6" }, { "category": "Payload delivery", "comment": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b", "deleted": false, "disable_correlation": false, "timestamp": "1487439206", "to_ids": true, "type": "md5", "uuid": "58a88566-647c-4069-8021-a16a02de0b81", "value": "9914075cc687bdc352ee136ac6579707" }, { "category": "External analysis", "comment": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b", "deleted": false, "disable_correlation": false, "timestamp": "1487439207", "to_ids": false, "type": "link", "uuid": "58a88567-7d2c-4f4a-be49-a16a02de0b81", "value": "https://www.virustotal.com/file/cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6/analysis/1487398403/" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2", "deleted": false, "disable_correlation": false, "timestamp": "1487439208", "to_ids": true, "type": "sha256", "uuid": "58a88568-4f10-4a12-9d26-a16a02de0b81", "value": "d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2", "deleted": false, "disable_correlation": false, "timestamp": "1487439209", "to_ids": true, "type": "md5", "uuid": "58a88569-b83c-4426-83c3-a16a02de0b81", "value": "85d316590edfb4212049c4490db08c4b" }, { "category": "External analysis", "comment": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2", "deleted": false, "disable_correlation": false, "timestamp": "1487439209", "to_ids": false, "type": "link", "uuid": "58a88569-82dc-4c8e-8ea9-a16a02de0b81", "value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1487344075/" } ] } }