{ "Event": { "analysis": "0", "date": "2021-08-17", "extends_uuid": "", "info": "Nanocore 20210816", "publish_timestamp": "1629204289", "published": true, "threat_level_id": "3", "timestamp": "1629204277", "uuid": "b6a0d910-69ae-463d-80a8-1f84839a2514", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Nanocore RAT\"", "relationship_type": "" }, { "colour": "#054100", "local": false, "name": "misp-galaxy:tool=\"NanoCoreRAT\"", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203718", "to_ids": true, "type": "hostname", "uuid": "5fe0a2c9-529a-463d-bdf1-ce9810a326a1", "value": "coc88.duckdns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203718", "to_ids": true, "type": "hostname", "uuid": "f664f99d-7c72-43f8-978e-b37728009b2e", "value": "torok1111112.ddns.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "1d6fc8a1-543c-4e88-bdb1-cc881073ef5a", "value": "2a2c0a635beba215a9e3f21c398d684dc1d2ad487356e29140247b14f2c6838f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "b7a87190-e31c-49f4-a48a-17a28d9e387e", "value": "060dc5124e4d0f8869856b52016cbed32339b8ac456b8cb5fea50f628961fc73" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "0204068e-f994-45b0-9ee1-82075c844cfe", "value": "ec958c2d48c6719238780878d1621b8af18c4b65" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "bceb056d-02a2-4d20-8805-274c2176302e", "value": "716c942e237ebe40e5e0bf443bf2128e5a883197" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "41496714-768e-4cec-8863-ed1478fc5ba6", "value": "d915f9f8421aa34dfd88d1595249f954" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "98127c27-a87e-4d7d-97ce-86933ccbe785", "value": "cab3529dc19b4c630163a24759125fd7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "7b6fbd55-6968-4d0a-97c6-cf59b2793d09", "value": "afdcfeac16d321fef57c2aae9b001952544a53fc785ba78a6ad794a81bef0c05" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "2c6ff02d-d040-4b06-906f-9a12052e1e0e", "value": "67b695b139106a73c333aa2fdd0f08ae160ff5ee38d843cb9999146ad605da73" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "4", "timestamp": "1629203805", "uuid": "691b9653-eeb4-4e37-813c-615d479136f2", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1629203805", "to_ids": false, "type": "link", "uuid": "65d659ce-c79b-486f-ac9e-aad1da028ee6", "value": "https://otx.alienvault.com/pulse/611ba6128fe8c7c18b06861f" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1629203805", "to_ids": false, "type": "text", "uuid": "4873e17e-8594-4331-94c8-69f04a44bc90", "value": "Report" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1629203900", "uuid": "952d82ff-7ba8-4518-84fb-ca5532b2bf11", "ObjectReference": [ { "comment": "", "object_uuid": "952d82ff-7ba8-4518-84fb-ca5532b2bf11", "referenced_uuid": "be08969d-fac1-4f76-b6bc-a1c79350a375", "relationship_type": "analysed-with", "timestamp": "1629203904", "uuid": "c2dc1d33-5b7b-4aa7-8d85-d51808c36121" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "c8a957d2-cfc4-4b93-b355-283b4ce3ce35", "value": "d915f9f8421aa34dfd88d1595249f954" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "e442a7c8-57af-4536-85f2-01c54f9d7905", "value": "ec958c2d48c6719238780878d1621b8af18c4b65" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "2f6b87ea-237b-48e7-bfc5-ba0177bf2c52", "value": "060dc5124e4d0f8869856b52016cbed32339b8ac456b8cb5fea50f628961fc73" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1629203900", "uuid": "be08969d-fac1-4f76-b6bc-a1c79350a375", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-submission", "timestamp": "1629203773", "to_ids": false, "type": "datetime", "uuid": "d5778aa6-c074-44ec-9ca7-e1a05a3fd2c7", "value": "2021-08-14T23:15:37+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1629203773", "to_ids": false, "type": "link", "uuid": "873c9e6f-b87d-4f6c-b4fb-b382279e7869", "value": "https://www.virustotal.com/gui/file/060dc5124e4d0f8869856b52016cbed32339b8ac456b8cb5fea50f628961fc73/detection/f-060dc5124e4d0f8869856b52016cbed32339b8ac456b8cb5fea50f628961fc73-1628982937" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1629203773", "to_ids": false, "type": "text", "uuid": "c817e8d0-2681-4626-b8a5-26034b3083fe", "value": "56/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1629203900", "uuid": "6f98c9e8-8a06-417f-af9e-c5e33fda7f1f", "ObjectReference": [ { "comment": "", "object_uuid": "6f98c9e8-8a06-417f-af9e-c5e33fda7f1f", "referenced_uuid": "d05559b0-7b96-4f69-804d-1d31b20faafa", "relationship_type": "analysed-with", "timestamp": "1629203904", "uuid": "254390a1-afe8-497f-b142-3b569766bcea" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "57e54783-e496-4931-a9bf-96197d5df12f", "value": "cab3529dc19b4c630163a24759125fd7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "03af482c-7521-44e4-a9db-5efa3a055c94", "value": "716c942e237ebe40e5e0bf443bf2128e5a883197" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "4946ac19-f9ec-45f7-b774-7e328dea3cc1", "value": "2a2c0a635beba215a9e3f21c398d684dc1d2ad487356e29140247b14f2c6838f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1629203900", "uuid": "d05559b0-7b96-4f69-804d-1d31b20faafa", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-submission", "timestamp": "1629203773", "to_ids": false, "type": "datetime", "uuid": "d8b8fa9c-d29b-43cf-814d-cb35cc093819", "value": "2021-08-15T19:04:24+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1629203773", "to_ids": false, "type": "link", "uuid": "5d2d3405-9efa-4ddb-93b3-185b2119ffe4", "value": "https://www.virustotal.com/gui/file/2a2c0a635beba215a9e3f21c398d684dc1d2ad487356e29140247b14f2c6838f/detection/f-2a2c0a635beba215a9e3f21c398d684dc1d2ad487356e29140247b14f2c6838f-1629054264" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1629203773", "to_ids": false, "type": "text", "uuid": "75c51767-eda2-48ae-9839-0899f7dd20ab", "value": "55/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1629203901", "uuid": "7774835c-4f7f-49bd-8bc4-d45323247df8", "ObjectReference": [ { "comment": "", "object_uuid": "7774835c-4f7f-49bd-8bc4-d45323247df8", "referenced_uuid": "ecaaa472-1599-4a58-b1ef-f5f6b318fb20", "relationship_type": "analysed-with", "timestamp": "1629203905", "uuid": "1d16b4d0-f0e2-4c9e-ab16-11a29d874acf" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "c4cc9c6e-565e-463c-8ad3-ad6dab49ca6c", "value": "0ff932908a4201a1c0a27db317321e1c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "ed35a6fc-dc0e-4dcf-b545-d19a79c18ed0", "value": "511e815032cfeec9706117436c6bfdc9e974e4df" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "9f2929b3-fa6f-4957-a80f-c74fa7a0d16a", "value": "67b695b139106a73c333aa2fdd0f08ae160ff5ee38d843cb9999146ad605da73" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1629203902", "uuid": "ecaaa472-1599-4a58-b1ef-f5f6b318fb20", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-submission", "timestamp": "1629203773", "to_ids": false, "type": "datetime", "uuid": "50179a94-1afe-4b10-94b2-17d4e048a618", "value": "2021-08-17T01:10:57+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1629203773", "to_ids": false, "type": "link", "uuid": "7c2c183a-dcaa-4590-9bdb-28d540697bb0", "value": "https://www.virustotal.com/gui/file/67b695b139106a73c333aa2fdd0f08ae160ff5ee38d843cb9999146ad605da73/detection/f-67b695b139106a73c333aa2fdd0f08ae160ff5ee38d843cb9999146ad605da73-1629162657" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1629203773", "to_ids": false, "type": "text", "uuid": "fc3d84a1-1144-4e3d-bc89-25bd85f87d88", "value": "35/70" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1629203902", "uuid": "491b2ed4-78ea-4b29-afad-103e9f3ebf07", "ObjectReference": [ { "comment": "", "object_uuid": "491b2ed4-78ea-4b29-afad-103e9f3ebf07", "referenced_uuid": "4af9b009-2178-4c95-aaa7-56f231e4052d", "relationship_type": "analysed-with", "timestamp": "1629203905", "uuid": "0d0d623c-32cd-43a2-9a96-3ed06f739477" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1629203773", "to_ids": true, "type": "md5", "uuid": "2f7b1687-2c5e-43cf-8729-adfc6bf4909e", "value": "9bdfa3add2456a5efccabdad1343fa70" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1629203773", "to_ids": true, "type": "sha1", "uuid": "666b367a-456a-48ee-b7db-30e24f5d5424", "value": "02a34db66b361e9cb326f32d6e8f71f1cd284b68" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1629203773", "to_ids": true, "type": "sha256", "uuid": "f5edb02c-1ac0-4e08-ab9d-b13dd08d0bf0", "value": "afdcfeac16d321fef57c2aae9b001952544a53fc785ba78a6ad794a81bef0c05" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1629203903", "uuid": "4af9b009-2178-4c95-aaa7-56f231e4052d", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-submission", "timestamp": "1629203773", "to_ids": false, "type": "datetime", "uuid": "0c1866c0-8a38-4065-9cbd-6d1911176ce1", "value": "2021-08-16T14:55:59+00:00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1629203773", "to_ids": false, "type": "link", "uuid": "b641bd56-f3f7-437d-825e-0130676151a8", "value": "https://www.virustotal.com/gui/file/afdcfeac16d321fef57c2aae9b001952544a53fc785ba78a6ad794a81bef0c05/detection/f-afdcfeac16d321fef57c2aae9b001952544a53fc785ba78a6ad794a81bef0c05-1629125759" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1629203773", "to_ids": false, "type": "text", "uuid": "17fd4f40-6ac2-416d-91a8-2b10001962da", "value": "34/69" } ] }, { "comment": "torok1111112.ddns.net: Enriched via the farsight_passivedns module", "deleted": false, "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01", "first_seen": "2021-08-17T04:15:12+00:00", "last_seen": "2021-08-17T04:15:12+00:00", "meta-category": "network", "name": "passive-dns", "template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c", "template_version": "3", "timestamp": "1629204035", "uuid": "2735f53e-0789-4e37-aba1-ec69432d5be7", "ObjectReference": [ { "comment": "", "object_uuid": "2735f53e-0789-4e37-aba1-ec69432d5be7", "referenced_uuid": "f664f99d-7c72-43f8-978e-b37728009b2e", "relationship_type": "related-to", "timestamp": "1629204004", "uuid": "724e140e-327e-468d-882e-4259cd6516aa" } ], "Attribute": [ { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": false, "object_relation": "rdata", "timestamp": "1629204035", "to_ids": true, "type": "text", "uuid": "ce780277-1f91-474f-925d-46ce6d9e5324", "value": "86.125.138.162" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": true, "object_relation": "count", "timestamp": "1629204003", "to_ids": false, "type": "counter", "uuid": "3592cfeb-a2d7-409e-9fdc-fe43d259edb7", "value": "1" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": true, "object_relation": "time_first", "timestamp": "1629204003", "to_ids": false, "type": "datetime", "uuid": "a6c8bc85-7c31-4323-8d3c-dc334af7d25a", "value": "2021-08-17T04:15:12+00:00" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": true, "object_relation": "time_last", "timestamp": "1629204003", "to_ids": false, "type": "datetime", "uuid": "2ad3f979-e163-4ac7-be91-df63246ffdfa", "value": "2021-08-17T04:15:12+00:00" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": false, "object_relation": "rrname", "timestamp": "1629204003", "to_ids": false, "type": "text", "uuid": "929f0a46-9f0a-43f5-9eed-80309941123c", "value": "torok1111112.ddns.net." }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": true, "object_relation": "rrtype", "timestamp": "1629204003", "to_ids": false, "type": "text", "uuid": "b239a327-5646-485a-a586-06fc86a3b49d", "value": "A" }, { "category": "Network activity", "comment": "Result from a rrset lookup on DNSDB about the hostname: torok1111112.ddns.net", "deleted": false, "disable_correlation": true, "object_relation": "bailiwick", "timestamp": "1629204029", "to_ids": false, "type": "domain", "uuid": "cb30f6bb-1a01-4bf4-bee7-fda9eab45ac9", "value": "ddns.net" } ] } ] } }