1 line
No EOL
36 KiB
JSON
1 line
No EOL
36 KiB
JSON
{"Event": {"info": "OSINT - Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:tool=\"Emotet\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:banker=\"Qakbot\""}], "publish_timestamp": "0", "timestamp": "1511184352", "Object": [{"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0acc3f-e330-4e19-b44c-4182950d210f", "sharing_group_id": "0", "timestamp": "1510657087", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0acc3f-cc94-4758-b472-4f0d950d210f", "timestamp": "1510657087", "to_ids": false, "value": "995", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0acc3f-9d2c-4cb7-86b7-4f26950d210f", "timestamp": "1510657087", "to_ids": true, "value": "64.183.173.170", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0acc5a-879c-469b-b4d6-4e68950d210f", "sharing_group_id": "0", "timestamp": "1510657114", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0acc5a-d424-4572-965f-4399950d210f", "timestamp": "1510657114", "to_ids": false, "value": "993", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0acc5a-b168-42f0-b18f-4d2f950d210f", "timestamp": "1510657114", "to_ids": true, "value": "67.213.243.228", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0accd4-f164-4638-8503-080d950d210f", "sharing_group_id": "0", "timestamp": "1510657236", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0accd4-b2d0-4396-ad98-080d950d210f", "timestamp": "1510657236", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0accd4-b2b8-48f3-830c-080d950d210f", "timestamp": "1510657236", "to_ids": true, "value": "96.67.244.225", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0acced-4fe4-4b29-9407-4db2950d210f", "sharing_group_id": "0", "timestamp": "1510657261", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0acced-c8f8-43ff-b64d-4ac0950d210f", "timestamp": "1510657261", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0acced-5fe4-4217-b75a-42d9950d210f", "timestamp": "1510657261", "to_ids": true, "value": "173.25.234.18", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0acd03-9880-4d9b-8816-0c9f950d210f", "sharing_group_id": "0", "timestamp": "1510657283", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0acd03-52f0-43b8-b511-0c9f950d210f", "timestamp": "1510657283", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0acd03-e63c-4b5f-b67d-0c9f950d210f", "timestamp": "1510657283", "to_ids": true, "value": "24.123.151.58", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0acdd2-42b0-4178-9599-0ab7950d210f", "sharing_group_id": "0", "timestamp": "1510657490", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0acdd2-df68-4c66-9b29-0ab7950d210f", "timestamp": "1510657490", "to_ids": false, "value": "995", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0acdd3-27dc-4e07-9834-0ab7950d210f", "timestamp": "1510657491", "to_ids": true, "value": "76.164.161.46", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0ace3f-f0f8-481b-b90f-0cdb950d210f", "sharing_group_id": "0", "timestamp": "1510657599", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0ace3f-a9c8-476c-a448-0cdb950d210f", "timestamp": "1510657599", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0ace3f-dd14-49d6-9c9e-0cdb950d210f", "timestamp": "1510657599", "to_ids": true, "value": "68.115.254.146", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aebe2-710c-459f-94f6-0d11950d210f", "sharing_group_id": "0", "timestamp": "1510665186", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aebe2-ce60-4c18-9163-0d11950d210f", "timestamp": "1510665186", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aebe2-14d0-4c77-b265-0d11950d210f", "timestamp": "1510665186", "to_ids": true, "value": "198.57.88.73", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aece9-8a7c-4e23-a82e-0d11950d210f", "sharing_group_id": "0", "timestamp": "1510665449", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aecea-6a34-4d8a-a45c-0d11950d210f", "timestamp": "1510665450", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aecea-4364-41ff-9330-0d11950d210f", "timestamp": "1510665450", "to_ids": true, "value": "47.21.79.34", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aed28-c8b0-415b-b8f8-0d11950d210f", "sharing_group_id": "0", "timestamp": "1510665512", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aed28-f570-4458-ada1-0d11950d210f", "timestamp": "1510665512", "to_ids": false, "value": "465", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aed28-232c-4fc5-a562-0d11950d210f", "timestamp": "1510665512", "to_ids": true, "value": "174.51.185.121", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aed3e-9dc4-4f60-b423-4595950d210f", "sharing_group_id": "0", "timestamp": "1510665534", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aed3e-96e4-4749-b7e4-42b1950d210f", "timestamp": "1510665534", "to_ids": false, "value": "993", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aed3e-ac88-4281-a110-4536950d210f", "timestamp": "1510665534", "to_ids": true, "value": "71.3.55.80", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aed4f-581c-4aec-8ef1-0d11950d210f", "sharing_group_id": "0", "timestamp": "1510665551", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aed4f-39bc-45ff-a36e-0d11950d210f", "timestamp": "1510665551", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aed4f-d610-4a5a-8114-0d11950d210f", "timestamp": "1510665551", "to_ids": true, "value": "88.244.177.127", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aee8a-fb14-4018-9413-4a3f950d210f", "sharing_group_id": "0", "timestamp": "1510665866", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aee8a-0af0-4cb2-90ef-4db3950d210f", "timestamp": "1510665866", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aee8a-2ba0-4a2e-9064-49c1950d210f", "timestamp": "1510665866", "to_ids": true, "value": "180.93.148.41", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aee9b-caf8-4ba4-af30-c1d9950d210f", "sharing_group_id": "0", "timestamp": "1510665883", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aee9b-8250-4e0e-9089-c1d9950d210f", "timestamp": "1510665883", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aee9b-0a88-425b-a3e6-c1d9950d210f", "timestamp": "1510665883", "to_ids": true, "value": "101.51.40.175", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aeeb0-5b5c-463f-b010-4dcf950d210f", "sharing_group_id": "0", "timestamp": "1510665904", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aeeb1-86f4-4742-b2db-464a950d210f", "timestamp": "1510665905", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aeeb1-6b0c-4a24-98c0-4aef950d210f", "timestamp": "1510665905", "to_ids": true, "value": "73.166.94.110", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aeefe-4eb4-43ad-9b97-4fec950d210f", "sharing_group_id": "0", "timestamp": "1510665982", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aeefe-d074-476e-b474-40f0950d210f", "timestamp": "1510665982", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aeefe-3574-48b1-a0c5-4c9e950d210f", "timestamp": "1510665982", "to_ids": true, "value": "71.88.202.122", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aef74-a3f4-4cff-b3ff-c1d9950d210f", "sharing_group_id": "0", "timestamp": "1510666100", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aef74-0264-4ce3-ace4-c1d9950d210f", "timestamp": "1510666100", "to_ids": false, "value": "990", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aef74-84d0-47cd-bbbd-c1d9950d210f", "timestamp": "1510666100", "to_ids": true, "value": "74.5.136.50", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aef88-7b34-4633-983a-4a4b950d210f", "sharing_group_id": "0", "timestamp": "1510666120", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aef88-b638-43b2-a9b2-4db7950d210f", "timestamp": "1510666120", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aef88-e260-4d88-a629-4858950d210f", "timestamp": "1510666120", "to_ids": true, "value": "89.43.179.209", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0aef9f-d298-42b6-8fd3-44b6950d210f", "sharing_group_id": "0", "timestamp": "1510666143", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0aef9f-e708-42e2-b69e-48f0950d210f", "timestamp": "1510666143", "to_ids": false, "value": "995", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0aef9f-94bc-4fe8-9aeb-472f950d210f", "timestamp": "1510666143", "to_ids": true, "value": "211.27.18.233", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0af012-82e4-49fa-9ca6-43e0950d210f", "sharing_group_id": "0", "timestamp": "1510666258", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0af012-9c6c-4cf7-9430-491a950d210f", "timestamp": "1510666258", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0af012-58a8-4aee-9c9a-45c9950d210f", "timestamp": "1510666258", "to_ids": true, "value": "96.82.91.67", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0af027-e910-4a68-8d5a-0d11950d210f", "sharing_group_id": "0", "timestamp": "1510666279", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0af027-cc2c-4f89-a4cc-0d11950d210f", "timestamp": "1510666279", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0af027-5d60-41de-b6ba-0d11950d210f", "timestamp": "1510666279", "to_ids": true, "value": "98.194.132.179", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0af038-fa20-4d65-928f-be53950d210f", "sharing_group_id": "0", "timestamp": "1510666296", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0af038-8b80-47e0-9cac-be53950d210f", "timestamp": "1510666296", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0af038-2a10-4cfc-ad7c-be53950d210f", "timestamp": "1510666296", "to_ids": true, "value": "98.113.137.220", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0af04d-9574-4849-9eb7-4e6b950d210f", "sharing_group_id": "0", "timestamp": "1510666317", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0af04d-6518-4261-9500-4cac950d210f", "timestamp": "1510666317", "to_ids": false, "value": "2222", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0af04d-d8f8-4b29-827b-4872950d210f", "timestamp": "1510666317", "to_ids": true, "value": "24.184.200.177", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a0af05e-299c-445b-88c7-4fc7950d210f", "sharing_group_id": "0", "timestamp": "1510666334", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "4", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a0af05e-5280-4c91-a7df-4605950d210f", "timestamp": "1510666334", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a0af05e-95dc-46a6-9b5a-4590950d210f", "timestamp": "1510666334", "to_ids": true, "value": "105.224.247.34", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a0ac04b-331c-457e-9154-4535950d210f", "timestamp": "1510922403", "to_ids": false, "value": "https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5a0ac07e-7154-4727-9128-4b2b950d210f", "timestamp": "1510922403", "to_ids": false, "value": "The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss.\r\n\r\nQakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.", "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "Qakbot malware", "category": "Payload delivery", "uuid": "5a0ac277-6480-4635-a01f-4b80950d210f", "timestamp": "1510922403", "to_ids": true, "value": "da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Qakbot malware", "category": "Payload delivery", "uuid": "5a0ac277-b4a0-490f-8e6a-4941950d210f", "timestamp": "1510922403", "to_ids": true, "value": "ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a0ac405-e138-4948-8fd4-4827950d210f", "timestamp": "1510922403", "to_ids": true, "value": "%APPDATA%\\Microsoft\\Cexpalgxx\\Cexpalgxx.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a0ac405-1734-4d67-9c55-4422950d210f", "timestamp": "1510922403", "to_ids": true, "value": "%APPDATA%\\Microsoft\\Cexpalgxx\\Cexpalgxx32.dll", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0ac48c-b1fc-4778-9481-41b5950d210f", "timestamp": "1510922404", "to_ids": false, "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-bfa0-4123-a4c6-46e3950d210f", "timestamp": "1510922404", "to_ids": true, "value": "104.236.252.178", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-1274-4dff-b646-43f4950d210f", "timestamp": "1510922404", "to_ids": true, "value": "162.243.159.58", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-8568-4190-8a0b-489e950d210f", "timestamp": "1510922404", "to_ids": true, "value": "45.33.55.157", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-74d4-41c3-b9aa-4102950d210f", "timestamp": "1510922404", "to_ids": true, "value": "77.244.245.37", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-2050-407e-b273-4948950d210f", "timestamp": "1510922404", "to_ids": true, "value": "192.81.212.79", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-2ae4-4411-818f-4932950d210f", "timestamp": "1510922404", "to_ids": true, "value": "173.212.192.45", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-15f0-4c1f-a22e-4a3a950d210f", "timestamp": "1510922404", "to_ids": true, "value": "103.16.131.20", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-9e94-47b9-8d1e-4867950d210f", "timestamp": "1510922404", "to_ids": true, "value": "195.78.33.200", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-97a8-4b76-bf49-4e0d950d210f", "timestamp": "1510922404", "to_ids": true, "value": "50.116.54.16", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-1908-41f4-ae48-4aa8950d210f", "timestamp": "1510922404", "to_ids": true, "value": "212.83.166.45", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-2b14-4a7c-86d9-46cd950d210f", "timestamp": "1510922404", "to_ids": true, "value": "137.74.254.64", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-ae4c-4005-bd7b-4548950d210f", "timestamp": "1510922404", "to_ids": true, "value": "104.227.137.34", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-b178-4a7e-b14b-4a16950d210f", "timestamp": "1510922404", "to_ids": true, "value": "188.165.220.214", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-f5a0-4806-9b9f-4519950d210f", "timestamp": "1510922404", "to_ids": true, "value": "85.143.221.180", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-57c8-4d89-916f-486f950d210f", "timestamp": "1510922404", "to_ids": true, "value": "119.82.27.246", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-1a24-4ae0-a9fc-4823950d210f", "timestamp": "1510922404", "to_ids": true, "value": "194.88.246.7", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-8fb0-49d9-ae66-4eb7950d210f", "timestamp": "1510922404", "to_ids": true, "value": "206.214.220.79", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-debc-4839-80be-4b11950d210f", "timestamp": "1510922404", "to_ids": true, "value": "173.230.136.67", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a0ac4d2-1068-4201-9cc0-4b86950d210f", "timestamp": "1510922404", "to_ids": true, "value": "173.224.218.25", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0ac521-3dfc-422a-b3fa-4d7c950d210f", "timestamp": "1510922404", "to_ids": false, "value": "%appdata%\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[random].lnk", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Payload delivery", "uuid": "5a0ac521-ca08-4726-bad0-4466950d210f", "timestamp": "1510922404", "to_ids": true, "value": "%Appdata%\\local\\[random]\\[random].exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0ac521-b370-4446-b84e-4bb2950d210f", "timestamp": "1510922404", "to_ids": false, "value": "%localappdata%\\microsoft\\windows", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Payload delivery", "uuid": "5a0ac521-ab0c-4ac5-b31f-4cf5950d210f", "timestamp": "1510922404", "to_ids": true, "value": "%WINDIR%\\System32\\netshedule.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Emotet downloader", "category": "Payload delivery", "uuid": "5a0ac577-0aec-403a-b697-4d69950d210f", "timestamp": "1510922404", "to_ids": true, "value": "4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Emotet malware", "category": "Payload delivery", "uuid": "5a0ac577-90f4-482f-b813-4e55950d210f", "timestamp": "1510922404", "to_ids": true, "value": "ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Emotet malware", "category": "Payload delivery", "uuid": "5a0ac577-9008-42f4-a39c-4dc9950d210f", "timestamp": "1510922404", "to_ids": true, "value": "59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "category": "Payload delivery", "uuid": "5a0ed8a4-6294-41ce-ae02-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "9214359938285f26785f7eaf25a74dddea678065", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "category": "Payload delivery", "uuid": "5a0ed8a4-8cbc-4980-a1c7-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "5aa9fa89cee3ffc4c3009e34db830de0", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "category": "External analysis", "uuid": "5a0ed8a4-1f84-4696-a287-e7e802de0b81", "timestamp": "1510922404", "to_ids": false, "value": "https://www.virustotal.com/file/59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087/analysis/1506215055/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "category": "Payload delivery", "uuid": "5a0ed8a4-1748-4308-a4e3-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "a33763608d07880c5ca31fd68e30355c04201c92", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "category": "Payload delivery", "uuid": "5a0ed8a4-073c-4f4c-aea8-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "03b933fb1b471d7710d82d8b3f6c62b1", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "category": "External analysis", "uuid": "5a0ed8a4-a5ec-4828-9615-e7e802de0b81", "timestamp": "1510922404", "to_ids": false, "value": "https://www.virustotal.com/file/ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440/analysis/1510558151/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "category": "Payload delivery", "uuid": "5a0ed8a4-690c-47b9-8647-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "82519982e32708e94c54ffce3c652714049a04f6", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "category": "Payload delivery", "uuid": "5a0ed8a4-0868-42fa-ad0f-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "517d9598ac8aa0ef0cb7145ffd64805e", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "category": "External analysis", "uuid": "5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81", "timestamp": "1510922404", "to_ids": false, "value": "https://www.virustotal.com/file/4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96/analysis/1510180240/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "category": "Payload delivery", "uuid": "5a0ed8a4-fd94-4d5f-8e45-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "74153fa3ca1a97b68fdd31fa02c3e16daa03ac59", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "category": "Payload delivery", "uuid": "5a0ed8a4-1e1c-4eca-8532-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "54240940b30c9f21e006d87371f490e6", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "category": "External analysis", "uuid": "5a0ed8a4-2ee8-44be-abd5-e7e802de0b81", "timestamp": "1510922404", "to_ids": false, "value": "https://www.virustotal.com/file/ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a/analysis/1510257822/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "category": "Payload delivery", "uuid": "5a0ed8a4-4da0-47ea-9e6d-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "4c04c92cf88dc1a0cc4829229786ac50c1a51aa5", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "category": "Payload delivery", "uuid": "5a0ed8a5-a0cc-446a-8c32-e7e802de0b81", "timestamp": "1510922404", "to_ids": true, "value": "692802635dbd973b7944ebc8dbc22e2a", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "category": "External analysis", "uuid": "5a0ed8a5-2c5c-4318-9715-e7e802de0b81", "timestamp": "1510922405", "to_ids": false, "value": "https://www.virustotal.com/file/da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c/analysis/1510111314/", "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-11-06", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5a0ac036-6fbc-4855-83af-422b950d210f"}} |