adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/98eb923a-6da8-4c63-87a0-a97a2eef3c98.json

1566 lines
No EOL
54 KiB
JSON
Raw Permalink Blame History

{
"Event": {
"analysis": "2",
"date": "2023-07-14",
"extends_uuid": "",
"info": "CustomerLoader: a new malware distributing a wide variety of payloads",
"publish_timestamp": "1693969262",
"published": true,
"threat_level_id": "2",
"timestamp": "1693969205",
"uuid": "98eb923a-6da8-4c63-87a0-a97a2eef3c98",
"Orgc": {
"name": "Centre for Cyber security Belgium",
"uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631"
},
"Tag": [
{
"colour": "#075200",
"local": false,
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
},
{
"colour": "#0fc000",
"local": false,
"name": "admiralty-scale:information-credibility=\"2\"",
"relationship_type": ""
},
{
"colour": "#E08AB5",
"local": false,
"name": "DOTRUNPEX",
"relationship_type": ""
},
{
"colour": "#BFC5AA",
"local": false,
"name": "Loader",
"relationship_type": ""
},
{
"colour": "#a00919",
"local": false,
"name": "feedly:source=\"Sekoia.io Blog\"",
"relationship_type": ""
},
{
"colour": "#345d00",
"local": false,
"name": "malware_classification:malware-category=\"Downloader\"",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
"relationship_type": ""
},
{
"colour": "#1f2325",
"local": false,
"name": "misp-galaxy:malpedia=\"vidar\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"XLoader\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"Agent Tesla\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"AsyncRAT\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"Ave Maria\"",
"relationship_type": ""
},
{
"colour": "#c6db8b",
"local": false,
"name": "misp-galaxy:malpedia=\"DarkCloud Stealer\"",
"relationship_type": ""
},
{
"colour": "#cb1870",
"local": false,
"name": "misp-galaxy:malpedia=\"LgoogLoader\"",
"relationship_type": ""
},
{
"colour": "#1f2325",
"local": false,
"name": "misp-galaxy:malpedia=\"RedLine Stealer\"",
"relationship_type": ""
},
{
"colour": "#bf1e78",
"local": false,
"name": "misp-galaxy:malpedia=\"SectopRAT\"",
"relationship_type": ""
},
{
"colour": "#5b067c",
"local": false,
"name": "misp-galaxy:malpedia=\"Stealc\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-malware=\"Agent Tesla - S0331\"",
"relationship_type": ""
},
{
"colour": "#3db017",
"local": false,
"name": "misp-galaxy:mitre-malware=\"WarzoneRAT - S0670\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-tool=\"QuasarRAT - S0262\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-tool=\"Remcos - S0332\"",
"relationship_type": ""
},
{
"colour": "#d9b45c",
"local": false,
"name": "misp-galaxy:rat=\"AsyncRAT\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:stealer=\"Vidar\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:stealer=\"DarkCloud Stealer\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"FormBook\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"Agent Tesla\"",
"relationship_type": ""
},
{
"colour": "#1f2325",
"local": false,
"name": "misp-galaxy:malpedia=\"BitRAT\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "misp-galaxy:mitre-malware=\"WannaCry - S0366\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Shared Modules - T1129\"",
"relationship_type": ""
},
{
"colour": "#064500",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Dynamic API Resolution - T1027.007\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"relationship_type": ""
},
{
"colour": "#064f00",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "C2 server associated with CustomLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689341011",
"to_ids": true,
"type": "ip-dst",
"uuid": "73079733-94cc-4977-9ae8-21170b01f192",
"value": "5.42.94.169"
},
{
"category": "Network activity",
"comment": "C2 server associated with CustomLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689341011",
"to_ids": true,
"type": "domain",
"uuid": "7729ec3a-f59b-4f10-aa08-610417e76615",
"value": "kyliansuperm92139124.sbs"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343898",
"to_ids": true,
"type": "domain",
"uuid": "e1f2b17b-b81a-4480-9b59-ee02f3d62655",
"value": "get-vbs.com"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343899",
"to_ids": true,
"type": "domain",
"uuid": "c3e1d9f5-4166-4cc1-a255-ede76f3d8093",
"value": "cmd2.pw"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343899",
"to_ids": true,
"type": "domain",
"uuid": "04100f47-87f9-4256-b76d-dc1d4018f2e9",
"value": "mymine.pw"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343899",
"to_ids": true,
"type": "domain",
"uuid": "bef1438a-58ba-4b7a-b99d-79c18bf3dbf1",
"value": "vbs1.pw"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343899",
"to_ids": true,
"type": "domain",
"uuid": "7a183367-2ccd-4487-8f10-c749658a7a84",
"value": "vbs22.pw"
},
{
"category": "External analysis",
"comment": "Domains receiving requets from ccrypter downloaded by CustomerLoader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343899",
"to_ids": true,
"type": "domain",
"uuid": "4a4ec3fd-5047-4fb5-b075-4147499752a1",
"value": "vbs3.pw"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343984",
"to_ids": true,
"type": "domain",
"uuid": "a144d890-79c7-48f9-a832-abc885382a89",
"value": "macros-pro.net"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343985",
"to_ids": true,
"type": "domain",
"uuid": "2da87919-117a-4f9e-b8ca-436be650c645",
"value": "plugin4free.net"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343985",
"to_ids": true,
"type": "domain",
"uuid": "fee765d6-e638-43f5-95f5-4e5b4d296752",
"value": "self-games.com"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343985",
"to_ids": true,
"type": "domain",
"uuid": "f70f49e0-2c28-4fb4-ac8a-6c4423f581a4",
"value": "slackmessenger.site"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343986",
"to_ids": true,
"type": "domain",
"uuid": "ae8c6189-1237-4bfa-8669-e36124152dad",
"value": "soft-got.com"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343986",
"to_ids": true,
"type": "domain",
"uuid": "7245836c-7dfa-48fc-8330-85a879ee6343",
"value": "vpnsget.com"
},
{
"category": "Network activity",
"comment": "Distribution site (landing page)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689343986",
"to_ids": true,
"type": "domain",
"uuid": "0179392a-bbcb-4fd6-af43-b7910a5f3435",
"value": "vstget.com"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344015",
"to_ids": true,
"type": "domain",
"uuid": "fe6e9ac9-bb0a-49f5-a952-5b1f290adb8d",
"value": "seif-games.com"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "3a3c6854-09e2-4c48-b2e7-73d6b1b36d2a",
"value": "self-games.host"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "7fceb8da-6dfb-4023-9bd6-aa1a96c99624",
"value": "self-games.pw"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "f683883b-5951-4d80-b4d7-b4e6c1c01da5",
"value": "self-games.site"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "326c6f69-798e-41d5-b88b-6028079609ea",
"value": "self-games.space"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "117628a6-31c5-4d1c-9fc9-5f5b27a4a73b",
"value": "soft-got.co"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "0ffdaa41-2aaa-42ff-b7bd-aa195e2beb06",
"value": "soft-got.net"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "68dc1111-5ada-4ebb-9d77-4b0c7098cbf8",
"value": "soft-got.pw"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "e23b803d-efa5-41a6-8d37-2cbee9fcdcd7",
"value": "vst-dw.com"
},
{
"category": "Network activity",
"comment": "Redirection to distribution website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344016",
"to_ids": true,
"type": "domain",
"uuid": "97479af0-ef0e-481c-bec1-82c36ad93e81",
"value": "vstdw.com"
},
{
"category": "Network activity",
"comment": "File hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344047",
"to_ids": true,
"type": "domain",
"uuid": "00f1c68a-f030-4809-b4f3-f8bb170e100f",
"value": "hardcoverradio.com"
},
{
"category": "Network activity",
"comment": "File hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344047",
"to_ids": true,
"type": "domain",
"uuid": "7bc33ced-2de0-4bcd-9430-6456f3e05497",
"value": "macrospro.pw"
},
{
"category": "Network activity",
"comment": "File hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344047",
"to_ids": true,
"type": "domain",
"uuid": "4ac3880e-1a60-4512-9d97-18d9fd01bf01",
"value": "plugin4free.com"
},
{
"category": "Network activity",
"comment": "File hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344048",
"to_ids": true,
"type": "domain",
"uuid": "ebd96dc1-33b0-4d51-b62b-4a712ae8652d",
"value": "slackmessenger.pw"
},
{
"category": "Network activity",
"comment": "File hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344048",
"to_ids": true,
"type": "domain",
"uuid": "ccd1a007-e24b-4f4c-84b1-e975b69f5c1a",
"value": "vpnsget.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344088",
"to_ids": true,
"type": "domain",
"uuid": "fbd5612e-97aa-443c-8db9-a2ba8d486828",
"value": "adanagram.com"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "2198b70c-fdc8-4522-8efc-f5df47ac071c",
"value": "bin-a.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "a73ebe37-62c8-4325-a594-f19988acc65f",
"value": "bin-b.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "d287ec58-197e-4268-bf5e-16dc6468ba1c",
"value": "bin-c.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "743a5c1b-fef1-44f1-93af-f8643931ebc8",
"value": "bin-d.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "73e3f627-cd30-4740-8003-9876133aa266",
"value": "cmd1.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "eccd9c73-ef8f-46b8-aa46-5652a8db3233",
"value": "cmd2.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "41c1d377-d8af-47ea-91c0-774a36f8e6f2",
"value": "cmd22.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "b4e818c4-5efa-4312-8eb2-a3a3a0ee967f",
"value": "get-a.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "51e4ac8e-95c3-464d-8eb2-da4fb3743c50",
"value": "get-b.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "49dd8434-0ce8-4635-b256-9a291711fb1d",
"value": "get-c.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "725faf44-1d4e-4605-874a-c11d7c8037d4",
"value": "get-d.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "dd1dd5c8-71e4-4431-bd12-872d3863de51",
"value": "get-i.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "09904864-5c88-4074-aeef-dd3070a2d953",
"value": "get-vbs.com"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "9e4d0181-601e-4f7b-a85e-d77fdb13df46",
"value": "get-y.com"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "1e3eaf7d-2868-46c3-bd6a-293f34681e27",
"value": "hautegaleria.com"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "4cb564c8-0f92-434c-a1b8-64e2d0162493",
"value": "jacksmanual.com"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344089",
"to_ids": true,
"type": "domain",
"uuid": "9933c87b-63e9-4545-9b63-f344b3928605",
"value": "vbs1.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344090",
"to_ids": true,
"type": "domain",
"uuid": "b6daf1a9-ae53-4046-965c-058ce949d60d",
"value": "vbs2.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344090",
"to_ids": true,
"type": "domain",
"uuid": "a20cc7c3-aa95-4c45-976e-0819d218a5f2",
"value": "vbs22.pw"
},
{
"category": "Network activity",
"comment": "Redirection to file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344090",
"to_ids": true,
"type": "domain",
"uuid": "1f9512f6-4df4-4c31-85d2-8cb3bee3bbc0",
"value": "vbs3.pw"
},
{
"category": "Network activity",
"comment": "Miner\u2019s C2 domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344123",
"to_ids": true,
"type": "domain",
"uuid": "91d40c8e-8cf5-4a56-ae84-1b906fc04e03",
"value": "minemy.pw"
},
{
"category": "Network activity",
"comment": "Miner\u2019s C2 domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344123",
"to_ids": true,
"type": "domain",
"uuid": "268abd35-5515-495d-8671-536c285a1ef8",
"value": "mymine.pw"
},
{
"category": "Network activity",
"comment": "Encrypted file hosting domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344162",
"to_ids": true,
"type": "domain",
"uuid": "ad5e7288-4d3f-419e-84a5-86a7dbb96da6",
"value": "crypt1.pw"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344162",
"to_ids": true,
"type": "domain",
"uuid": "f46ff266-6855-4207-bfc6-60290cf58094",
"value": "gethere.pw"
},
{
"category": "Network activity",
"comment": "Server hosting macro-pro.]net",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344162",
"to_ids": true,
"type": "ip-dst",
"uuid": "d8fb9a0c-c57d-4ea2-8b56-bb00094111b8",
"value": "77.91.124.25"
},
{
"category": "Network activity",
"comment": "On port 80 - Redline C2 server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689344162",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "1dbca102-9c8c-49ce-8a11-17640306433d",
"value": "104.193.255.48|80"
},
{
"category": "Network activity",
"comment": "Cryptominer C2 server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689597843",
"to_ids": false,
"type": "ip-dst",
"uuid": "c8573245-d288-478e-946f-a1062740dab5",
"value": "179.43.170.241"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"name": "annotation",
"template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
"template_version": "3",
"timestamp": "1689339213",
"uuid": "739097b3-9ba6-442c-872f-528f42278bad",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "creation-date",
"timestamp": "1689339213",
"to_ids": false,
"type": "datetime",
"uuid": "1e5ba5dd-4d09-4d56-8bb8-79d888160c8e",
"value": "2023-07-12T00:00:00+00:00"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ref",
"timestamp": "1689339213",
"to_ids": false,
"type": "link",
"uuid": "9f328dc4-ec48-434f-9d26-ff17fa542c35",
"value": "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1689339213",
"to_ids": false,
"type": "text",
"uuid": "64add251-c842-49e9-81b7-de2b5514aa0e",
"value": "Report from Sekoia.io"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689339213",
"to_ids": false,
"type": "text",
"uuid": "b1cd70e0-fb01-4158-9b09-dacc1b0d2a50",
"value": "Executive Summary"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689340359",
"uuid": "88bb0d65-2753-42a8-b143-6a7939ed5e97",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Hyperlink contained in an image file mimicking a PDF file, itself delivered by a phishing email.\r\nThis link redirects to a compromised website hosting a ZIP file. The archive contains an executable which is the loader.",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689340359",
"to_ids": true,
"type": "url",
"uuid": "cfeca18c-fddc-48d2-98e7-55fa510c7c4d",
"value": "http://smartmaster.com.my/48E003A01/48E003A01.7z"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689340535",
"uuid": "d6b9d4ae-b825-4299-8458-8c32a546922d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d6b9d4ae-b825-4299-8458-8c32a546922d",
"referenced_uuid": "88bb0d65-2753-42a8-b143-6a7939ed5e97",
"relationship_type": "downloaded-from",
"timestamp": "1689340535",
"uuid": "a6581e5d-23f7-4048-b272-d83681030802"
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "Archive file retrieved from \"smartmaster\" domain.\r\nThe archive contains an executable which is the loader.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689340436",
"to_ids": true,
"type": "sha256",
"uuid": "e01569a9-21d0-4a4f-9682-da4489543e90",
"value": "d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689340852",
"uuid": "b9e4ca36-e6bf-4f5c-97b4-2a28045cc17a",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b9e4ca36-e6bf-4f5c-97b4-2a28045cc17a",
"referenced_uuid": "d6b9d4ae-b825-4299-8458-8c32a546922d",
"relationship_type": "contained-within",
"timestamp": "1689340666",
"uuid": "d34d804a-352d-4394-8c78-f474762afdce"
},
{
"comment": "",
"object_uuid": "b9e4ca36-e6bf-4f5c-97b4-2a28045cc17a",
"referenced_uuid": "ae4e6c5b-1cd1-4aa4-bbbc-dde8c74130c8",
"relationship_type": "redirects-to",
"timestamp": "1689340852",
"uuid": "e0b20ad0-ebe0-4041-83ae-6e4adaa71f49"
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "CustomerLoader payload. Contained in a ZIP archive file.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689340622",
"to_ids": true,
"type": "sha256",
"uuid": "b6cf7978-e949-478d-be74-7594959568e0",
"value": "3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689340817",
"uuid": "ae4e6c5b-1cd1-4aa4-bbbc-dde8c74130c8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ae4e6c5b-1cd1-4aa4-bbbc-dde8c74130c8",
"referenced_uuid": "b9e4ca36-e6bf-4f5c-97b4-2a28045cc17a",
"relationship_type": "redirects-to",
"timestamp": "1689340772",
"uuid": "0c4b5d3e-680e-475f-bc14-22968f0a57a2"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "CustomerLoader\u2019s C2 URL.",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689340702",
"to_ids": true,
"type": "url",
"uuid": "e67a895d-fd9a-4f99-b63e-eb3b5a69b0ff",
"value": "http://5.42.94.169/customer/735"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689341099",
"uuid": "3a6e54b7-bd2f-4c75-83cb-a755016b0aaa",
"Attribute": [
{
"category": "Network activity",
"comment": "Hundreds of YouTube videos from compromised accounts use the lure of cracked software to redirect users to the Telegra[.]ph webpage.The Telegra[.]ph web page aims at sharing instructions to disable Windows Defender protection and redirecting them to the download of a password-protected archive on MediaFire .",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689341099",
"to_ids": true,
"type": "url",
"uuid": "a1646870-301f-46ea-980f-b0b41cbc62b9",
"value": "https://telegra.ph/Full-Version-06-03-2"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689341360",
"uuid": "12e1ea86-9f1f-47e0-8d88-72a35d8d6819",
"ObjectReference": [
{
"comment": "",
"object_uuid": "12e1ea86-9f1f-47e0-8d88-72a35d8d6819",
"referenced_uuid": "3a6e54b7-bd2f-4c75-83cb-a755016b0aaa",
"relationship_type": "downloaded-from",
"timestamp": "1689341360",
"uuid": "07d72f4b-0a70-4cc4-b298-b6832a76aa19"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Page to download a malicious password-protected archive",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689341202",
"to_ids": true,
"type": "url",
"uuid": "fb5b26a5-9c10-4720-ab96-01ad96aed31f",
"value": "https://www.mediafire.com/file/nnamjnckj7h80xz/v2.4_2023.rar/file"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689341420",
"uuid": "d0a4f476-384d-46c3-b1dc-86207159f3f9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d0a4f476-384d-46c3-b1dc-86207159f3f9",
"referenced_uuid": "3a6e54b7-bd2f-4c75-83cb-a755016b0aaa",
"relationship_type": "downloaded-from",
"timestamp": "1689341420",
"uuid": "6a8772df-c084-470c-b9bb-17ead9f3c5bf"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Webpage leads to the download of a malicious password-protected archive",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689341272",
"to_ids": true,
"type": "url",
"uuid": "a1f0fc10-497e-4b4f-aa60-b36dda695439",
"value": "https://www.mediafire.com/file/lgoql94feiic0x7/v2.5_2023.rar/file"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689342481",
"uuid": "a1731fc0-487f-4d3a-872e-f8f8826bedfe",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a1731fc0-487f-4d3a-872e-f8f8826bedfe",
"referenced_uuid": "12e1ea86-9f1f-47e0-8d88-72a35d8d6819",
"relationship_type": "delivered-by",
"timestamp": "1689341565",
"uuid": "c07db5d1-bfe9-4ea0-aa77-0b86ea7eccac"
},
{
"comment": "",
"object_uuid": "a1731fc0-487f-4d3a-872e-f8f8826bedfe",
"referenced_uuid": "d0a4f476-384d-46c3-b1dc-86207159f3f9",
"relationship_type": "delivered-by",
"timestamp": "1689341592",
"uuid": "e4a51d02-a421-4757-892f-e4e712dc2759"
},
{
"comment": "",
"object_uuid": "a1731fc0-487f-4d3a-872e-f8f8826bedfe",
"referenced_uuid": "6c15035d-e156-41d7-aeda-fc89eaa19818",
"relationship_type": "communicates-with",
"timestamp": "1689342480",
"uuid": "077ff4b4-5ea3-45b1-a00b-fd0690e78d83"
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "CustomerLoader sample contained in a decompressed archive.",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689341495",
"to_ids": true,
"type": "sha256",
"uuid": "fc405fa7-ad1b-4f2b-a9f8-aff64b2c864f",
"value": "c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689341496",
"to_ids": true,
"type": "filename",
"uuid": "192dc1bb-57e0-41e6-afd0-5e9bbc69296c",
"value": "Setup.exe"
}
]
},
{
"comment": "First-stage C2 server used in an infection starting with compromised Youtube channels. An encrypted payload can be downloaded from this address.",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689342753",
"uuid": "6c15035d-e156-41d7-aeda-fc89eaa19818",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6c15035d-e156-41d7-aeda-fc89eaa19818",
"referenced_uuid": "690ead91-a1de-4a85-b227-64f58a2f79dd",
"relationship_type": "communicates-with",
"timestamp": "1689342724",
"uuid": "ea3eb4bd-963a-4121-b22b-d02cacaa5faf"
},
{
"comment": "",
"object_uuid": "6c15035d-e156-41d7-aeda-fc89eaa19818",
"referenced_uuid": "a208990a-f956-4cdb-bc5f-09004f922aac",
"relationship_type": "communicates-with",
"timestamp": "1689342753",
"uuid": "c5691d5f-eab3-438e-bf8d-4a1a1ccafa50"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689342434",
"to_ids": true,
"type": "url",
"uuid": "b80b747e-d7c3-4b4c-9af3-e5e4fd923773",
"value": "http://5.42.94.169/customer/770"
}
]
},
{
"comment": "C2 server communicating with Raccoon Stealer",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1689342593",
"uuid": "690ead91-a1de-4a85-b227-64f58a2f79dd",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689342593",
"to_ids": true,
"type": "ip-dst",
"uuid": "22145869-84fe-469b-be6a-5b6c2f4d43c3",
"value": "45.9.74.99"
}
]
},
{
"comment": "C2 server communicating with Raccoon Stealer",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1689342620",
"uuid": "a208990a-f956-4cdb-bc5f-09004f922aac",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689342620",
"to_ids": true,
"type": "ip-dst",
"uuid": "b9158e38-f6cb-4119-a0f2-e46a71931009",
"value": "5.42.65.69"
}
]
},
{
"comment": "A webpage impersonating the website of the video conferencing software Slack distributed CustomerLoader as a fake installer. The technique used to spread this fake web site remains unknown at the time of writing, it could be SEO-poisoning, phishing emails or redirections from legitimate forums.",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689343273",
"uuid": "4d29bad2-32fa-42a6-9369-4771a05a07ad",
"ObjectReference": [
{
"comment": "",
"object_uuid": "4d29bad2-32fa-42a6-9369-4771a05a07ad",
"referenced_uuid": "0724045e-fd3c-4698-98e4-6d493c35ac0c",
"relationship_type": "downloads",
"timestamp": "1689343272",
"uuid": "fab73d7e-237b-4059-9237-799bf1a95bdc"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "The user browses the webpage impersonating Slack website and clicks on the download button",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689342815",
"to_ids": true,
"type": "url",
"uuid": "6efd7cd4-4904-4c4e-9fb7-6b411b208d31",
"value": "https://slackmessenger.site/"
}
]
},
{
"comment": "The ZIP file contains the executable SlackSetup.exe, which turns out to be a CustomerLoader sample",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689343423",
"uuid": "0724045e-fd3c-4698-98e4-6d493c35ac0c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0724045e-fd3c-4698-98e4-6d493c35ac0c",
"referenced_uuid": "2dfde444-2afe-4ca3-9214-c790837a08c5",
"relationship_type": "communicates-with",
"timestamp": "1689343423",
"uuid": "565b6c82-f998-4bc4-9934-1f53c80b135c"
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689342870",
"to_ids": true,
"type": "sha256",
"uuid": "e8971b73-e936-42bb-87b8-668e068cbf9d",
"value": "b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689342870",
"to_ids": true,
"type": "filename",
"uuid": "661b0d19-f9e4-4f54-b822-bf5c70b20353",
"value": "SlackSetup.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689343064",
"uuid": "f544867c-5acf-4970-a96a-7468d570c56b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f544867c-5acf-4970-a96a-7468d570c56b",
"referenced_uuid": "0724045e-fd3c-4698-98e4-6d493c35ac0c",
"relationship_type": "executes",
"timestamp": "1689343064",
"uuid": "ce3e821b-effd-49a3-80b8-11989d712529"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Domain contains a malicious domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689342925",
"to_ids": true,
"type": "url",
"uuid": "e024e33c-3bb9-4cc9-ace9-372ec385bb03",
"value": "https://slackmessenger.pw/slack.zip"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689343378",
"uuid": "2dfde444-2afe-4ca3-9214-c790837a08c5",
"Attribute": [
{
"category": "Network activity",
"comment": "C2 server from which an encrypted payload can be downloaded",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689343378",
"to_ids": true,
"type": "url",
"uuid": "1430cd46-ec99-4068-b47b-785d31366128",
"value": "http://5.42.94.169/customer/798"
}
]
},
{
"comment": "C2 domain for Redline Stealer. Communications over port 80.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"timestamp": "1689343653",
"uuid": "40be5e44-04aa-41c4-8a97-0e642cb84940",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1689343653",
"to_ids": true,
"type": "domain",
"uuid": "59017e5b-e04f-4472-88bd-2c5c92a631a3",
"value": "missunno.com"
}
]
},
{
"comment": "C2 domain communicating with a cryptominer",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689343720",
"uuid": "6fdb80a4-e001-4173-8b30-3ef96ba05954",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689343684",
"to_ids": true,
"type": "url",
"uuid": "849a87a8-7c4f-47a2-b818-664bbbbc42eb",
"value": "http://179.43.170.241/BEBRIK.php"
}
]
}
],
"EventReport": [
{
"name": "CustomerLoader: a new malware distributing a wide variety of payloads",
"content": "During our daily threat hunting routine, we identified an undocumented .NET loader aimed at downloading, decrypting and executing next-stage payloads. In early June 2023, this new loader was actively distributed by multiple threat actors using malicious phishing emails, YouTube videos, and web pages impersonating legitimate websites. \r\n\r\nWe named this new malware \u201cCustomerLoader\u201d because of the presence of the string \u201ccustomer\u201d in its Command and Control (C2) communications and loading capabilities.\r\n\r\nThe malwrhunterteam and g0njxa researchers also observed campaigns distributing CustomerLoader in early June 2023.\r\n\r\nSekoia.io analysts\u2019 investigation led us to discover that all payloads downloaded by CustomerLoader are dotRunpeX samples that deliver a variety of malware families, including infostealers, Remote Access Trojans (RAT) and commodity ransomware. dotRunpeX is an .NET injector implementing several anti-analysis techniques, first publicly documented by Checkpoint in March 2023.\r\n\r\nWe assess that CustomerLoader is almost certainly associated with a Loader-as-a-Service, which remains unknown at the time of writing. It is possible that CustomerLoader is a new stage added before the execution of the dotRunpeX injector by its developer.\r\n\r\nThis blog post aims at presenting a technical analysis of CustomerLoader focusing on the decryption of the next-stage payloads, an overview of more than 30 known and distributed malware families, and details on three infection chains observed distributing the loader.",
"id": "264",
"event_id": "194267",
"timestamp": "1689339249",
"uuid": "4173dc9c-2c55-4e0e-8ef7-341ee4ea63c7",
"deleted": false
}
]
}
}
Reference in a new issue View git blame Copy permalink