
{"Event": {"info": "OSINT - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware", "Tag": [{"colour": "#284800", "exportable": true, "name": "malware_classification:malware-category=\"Trojan\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#002f76", "exportable": true, "name": "ms-caro-malware-full:malware-family=\"Banker\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:banker=\"Kronos\""}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "publish_timestamp": "1532552661", "timestamp": "1532589437", "Object": [{"comment": "containing SmokeLoader from /download.php on Nov 8", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b583628-807c-4168-843b-43eb950d210f", "sharing_group_id": "0", "timestamp": "1532507688", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b583629-0a98-4886-aba6-4489950d210f", "timestamp": "1532507689", "to_ids": true, "value": "4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b583629-5e3c-4698-acd9-48af950d210f", "timestamp": "1532507689", "to_ids": true, "value": "EmployeeID-47267.zip", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b583629-12e0-4dda-bfb9-4821950d210f", "timestamp": "1532507689", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "containing ZeuS from /download.php on Nov 8", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b58365c-aa24-4e3d-a908-49e6950d210f", "sharing_group_id": "0", "timestamp": 
"1532507740", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b58365c-e28c-4eb6-903a-4f84950d210f", "timestamp": "1532507740", "to_ids": true, "value": "711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b58365c-2300-41fa-a979-4c7d950d210f", "timestamp": "1532507740", "to_ids": true, "value": "EmployeeID-47267.zip", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b58365c-c044-4165-8d87-4119950d210f", "timestamp": "1532507740", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "SmokeLoader", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b583698-e9f8-428f-8754-4eed950d210f", "sharing_group_id": "0", "timestamp": "1532507800", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b583699-ffd8-4c48-9374-43f5950d210f", "timestamp": "1532507801", "to_ids": true, "value": "EmployeeID-47267.pif", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b583699-ff74-4e92-9206-4492950d210f", "timestamp": "1532507801", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Payload delivery", "uuid": "5b583698-d37c-4816-8fdc-4eb3950d210f", "timestamp": "1532507800", "to_ids": true, "value": "90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0", "disable_correlation": false, "object_relation": 
"sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "ZeuS", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b583727-3fe0-4c85-81b7-41a1950d210f", "sharing_group_id": "0", "timestamp": "1532507943", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b583727-e290-4db9-8051-49c4950d210f", "timestamp": "1532507943", "to_ids": true, "value": "4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b583728-18ac-4f63-9118-4b29950d210f", "timestamp": "1532507944", "to_ids": true, "value": "EmployeeID-47267.pif", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b583728-ef24-4eff-93b0-4f08950d210f", "timestamp": "1532507944", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "downloaded from phishing links on Nov 10", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b58374c-d1a8-4736-8cea-42e9950d210f", "sharing_group_id": "0", "timestamp": "1532507980", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b58374d-f8a0-4a89-b21b-4551950d210f", "timestamp": "1532507981", "to_ids": true, "value": "a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b58374d-fd68-4f30-8736-4185950d210f", "timestamp": "1532507981", "to_ids": true, "value": 
"EmployeeID-847267.doc", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b58374d-ddc8-4909-8336-4dfb950d210f", "timestamp": "1532507981", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "Kronos on Nov 10", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b58375c-ae60-4530-8186-425b950d210f", "sharing_group_id": "0", "timestamp": "1532552560", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b58375d-4c70-4647-939b-48ba950d210f", "timestamp": "1532552558", "to_ids": false, "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5b58375d-f0ac-4742-9a40-4008950d210f", "timestamp": "1532507997", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "SmokeLoader", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b58389b-2f00-49cc-b0ac-4454950d210f", "sharing_group_id": "0", "timestamp": "1532508315", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b58389b-f294-468b-831d-4581950d210f", "timestamp": "1532508315", "to_ids": true, "value": "d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b58389b-b608-4e71-8ebc-4923950d210f", "timestamp": "1532508315", "to_ids": 
true, "value": "c1c06f7d.exe", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b58389b-c540-4d83-83cd-4c28950d210f", "timestamp": "1532508315", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "SmokeLoader", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b5838b0-acf8-4d3e-8b64-4fa7950d210f", "sharing_group_id": "0", "timestamp": "1532508336", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b5838b0-33f4-419f-944b-465d950d210f", "timestamp": "1532508336", "to_ids": true, "value": "d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b5838b1-d7c4-4ea7-92c3-484d950d210f", "timestamp": "1532508337", "to_ids": true, "value": "1f80ff71.exe", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b5838b1-f86c-4d51-822c-4b36950d210f", "timestamp": "1532508337", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "ScanPOS", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b5838c7-ae6c-4367-903a-4975950d210f", "sharing_group_id": "0", "timestamp": "1532508359", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b5838c8-c784-415c-837d-4235950d210f", "timestamp": "1532508360", "to_ids": true, "value": 
"093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5b5838c8-f248-4c6e-a8e7-4de1950d210f", "timestamp": "1532508360", "to_ids": true, "value": "a8b05325.exe", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5b5838c8-c870-4e4d-adbb-47eb950d210f", "timestamp": "1532508360", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "downloaded from phishing links on Nov 14", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b5838da-60ac-4477-be0d-41d4950d210f", "sharing_group_id": "0", "timestamp": "1532508378", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b5838da-3434-490a-8849-45fc950d210f", "timestamp": "1532508378", "to_ids": true, "value": "fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5b5838db-8534-4929-aaba-42a3950d210f", "timestamp": "1532508379", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "Kronos on Nov 14 (same C&C as previous)", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5b5838e9-b540-4e30-ad63-44aa950d210f", "sharing_group_id": "0", "timestamp": "1532508393", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": 
"5b5838e9-3ba4-4791-aba4-4b48950d210f", "timestamp": "1532508393", "to_ids": true, "value": "269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5b5838e9-a300-4f31-9cc4-43d5950d210f", "timestamp": "1532508393", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "a9d88727-e3a0-4095-b1d0-2b156670a502", "sharing_group_id": "0", "timestamp": "1532552544", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "a9d88727-e3a0-4095-b1d0-2b156670a502", "uuid": "5b58e5a8-8968-4b60-9d79-490702de0b81", "timestamp": "1532552616", "referenced_uuid": "edb2ae54-a660-4d51-ab66-8f27d9223543", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "24a34e31-cfa8-4f95-940d-5f5d00a96728", "timestamp": "1532552541", "to_ids": true, "value": "f99d1571ce9be023cc897522f82ec6cc", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "0d622a66-fbb7-4bda-b733-c0d3116a70c1", "timestamp": "1532552542", "to_ids": true, "value": "9b931700d85a5fb986575f89c7c29d03dc5f4c1e", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "93fab791-d810-45b9-9229-c2025c9f946f", "timestamp": "1532552544", "to_ids": true, "value": "d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "edb2ae54-a660-4d51-ab66-8f27d9223543", "sharing_group_id": "0", "timestamp": "1532552545", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "87767aea-51ec-4953-993c-f4a3db01bf9a", "timestamp": "1532552545", "to_ids": false, "value": "2018-07-23 10:53:44", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "b5192082-ba75-490e-abe7-4244a424182a", "timestamp": "1532552546", "to_ids": false, "value": "https://www.virustotal.com/file/d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984/analysis/1532343224/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "7fc96d39-bd29-47e8-be21-3bab9cd4738e", "timestamp": "1532552548", "to_ids": false, "value": "51/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "98a247a0-d160-4eee-be67-362795be9206", "sharing_group_id": "0", "timestamp": "1532552551", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "98a247a0-d160-4eee-be67-362795be9206", "uuid": "5b58e5a9-5498-498a-9d31-458202de0b81", "timestamp": "1532552617", "referenced_uuid": "0d28ddad-c7aa-4a6b-a448-c253efd98a2f", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "e07154d4-fc4b-4eac-bddf-3275cdbabbb8", "timestamp": "1532552548", "to_ids": true, "value": "73871970ccf1b551a29f255605d05f61", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": 
"49edb145-852e-4982-98de-b6a4f7923c15", "timestamp": "1532552549", "to_ids": true, "value": "f74b2c624c6cffccec2680679a26fd863040828f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "f3b7ff19-e11b-4d39-9450-b8d08a0f76e1", "timestamp": "1532552550", "to_ids": true, "value": "d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "0d28ddad-c7aa-4a6b-a448-c253efd98a2f", "sharing_group_id": "0", "timestamp": "1532552552", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "5e3f9c64-39c9-4b35-b4e4-a8435f37c780", "timestamp": "1532552552", "to_ids": false, "value": "2018-07-23 10:55:04", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "a96cf4aa-68b4-4c69-b511-928a17309792", "timestamp": "1532552553", "to_ids": false, "value": "https://www.virustotal.com/file/d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98/analysis/1532343304/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "ddfade3b-fda0-4c64-b533-d1c78daf7927", "timestamp": "1532552554", "to_ids": false, "value": "53/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "b0fd87a7-f7be-4f96-8ebc-90044b6c09ab", "sharing_group_id": "0", "timestamp": "1532552558", "description": "File object describing a file with meta-information", "template_version": "11", 
"ObjectReference": [{"comment": "", "object_uuid": "b0fd87a7-f7be-4f96-8ebc-90044b6c09ab", "uuid": "5b58e5a9-c214-4a2d-a0d1-46d602de0b81", "timestamp": "1532552617", "referenced_uuid": "e548da40-21e0-44e7-8878-30051f1ffa04", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "2d2bf51c-de45-4c1c-a7c5-a2b837d8bb31", "timestamp": "1532552555", "to_ids": true, "value": "4a03b999b87cfe3c44e617ac911a2018", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "19de1a9b-e905-438c-a17f-63738779ecb3", "timestamp": "1532552556", "to_ids": true, "value": "b1a62023dc97668ce5ad0ed78788c79f797753c3", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "8f8c1165-84fb-476a-9997-b5566ef62b7a", "timestamp": "1532552557", "to_ids": true, "value": "4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "e548da40-21e0-44e7-8878-30051f1ffa04", "sharing_group_id": "0", "timestamp": "1532552558", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "0d79d2bd-bd94-4ac7-983d-9d804def7917", "timestamp": "1532552558", "to_ids": false, "value": "2017-09-27 17:35:43", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "e76cf28d-af73-426f-bdfe-0d795cc4ac0b", "timestamp": "1532552560", "to_ids": false, "value": "https://www.virustotal.com/file/4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74/analysis/1506533743/", "disable_correlation": false, "object_relation": "permalink", "type": 
"link"}, {"comment": "", "category": "Other", "uuid": "0e1d278b-6aa8-49d3-afe9-d32dd68d13cf", "timestamp": "1532552561", "to_ids": false, "value": "43/65", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "ef42d127-90f8-425a-8866-83310e33e640", "sharing_group_id": "0", "timestamp": "1532552564", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "ef42d127-90f8-425a-8866-83310e33e640", "uuid": "5b58e5a9-371c-4399-b5b3-487502de0b81", "timestamp": "1532552617", "referenced_uuid": "6709cf8f-3627-407e-8485-e6218167d3c0", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "2a4ede6b-35cd-4246-8d41-6cadc4743ff3", "timestamp": "1532552561", "to_ids": true, "value": "5cac0a88767a301d7df64cfc84ccc951", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "cf1b0548-4dae-4214-b750-e89b48917755", "timestamp": "1532552563", "to_ids": true, "value": "1e207f9cfadd92bf56a827cb6b7765abe0fa3bac", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "cdfbd39d-36d9-455c-a289-f2e988487e4a", "timestamp": "1532552564", "to_ids": true, "value": "4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "6709cf8f-3627-407e-8485-e6218167d3c0", "sharing_group_id": "0", "timestamp": "1532552566", "description": "VirusTotal report", "template_version": "2", "Attribute": 
[{"comment": "", "category": "Other", "uuid": "58be0aad-494f-48dc-a412-02bd982d577a", "timestamp": "1532552566", "to_ids": false, "value": "2016-11-17 19:05:53", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "8f5efb1a-9343-4079-a3fe-3d8d9994f4eb", "timestamp": "1532552567", "to_ids": false, "value": "https://www.virustotal.com/file/4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5/analysis/1479409553/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "f93324bc-edc7-4330-9ec3-8c50d17168ab", "timestamp": "1532552568", "to_ids": false, "value": "31/57", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "f734d0d6-468b-4c5d-8883-d137f6140100", "sharing_group_id": "0", "timestamp": "1532552571", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "f734d0d6-468b-4c5d-8883-d137f6140100", "uuid": "5b58e5a9-0d50-4f83-9271-4dce02de0b81", "timestamp": "1532552617", "referenced_uuid": "71d925d6-48ee-413d-bb73-c729eedd03f1", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "cdf30066-5852-418d-921f-3127398b7dc7", "timestamp": "1532552568", "to_ids": true, "value": "dfef3c6bf91ddbc2784bda187670983b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "e2c5333b-5e48-4f4b-b73f-256b2cf9021e", "timestamp": "1532552570", "to_ids": true, "value": "d97139b60ec56ddf87d5a1798ca840fa872a580f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", 
"category": "Payload delivery", "uuid": "d3dd85df-ff46-415c-a766-335dcbcbada7", "timestamp": "1532552571", "to_ids": true, "value": "fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "71d925d6-48ee-413d-bb73-c729eedd03f1", "sharing_group_id": "0", "timestamp": "1532552572", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "31088d4b-45b8-4012-8414-4d6c62cf9959", "timestamp": "1532552572", "to_ids": false, "value": "2017-07-18 21:20:03", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "a7973cf8-6939-41d7-8745-ada586d7accc", "timestamp": "1532552574", "to_ids": false, "value": "https://www.virustotal.com/file/fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462/analysis/1500412803/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "c7fa26cf-cf90-4317-95d6-e7cb733aae80", "timestamp": "1532552575", "to_ids": false, "value": "17/58", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "31d38205-0b87-4063-a326-2e4f1a2459db", "sharing_group_id": "0", "timestamp": "1532552578", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "31d38205-0b87-4063-a326-2e4f1a2459db", "uuid": "5b58e5a9-c910-4ef9-b607-4db802de0b81", "timestamp": "1532552617", "referenced_uuid": "4ed5377e-7638-45ba-9377-a1aa31e4a4ae", 
"relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "d1d443d2-b0e3-40da-a33d-0bb12cd9aa21", "timestamp": "1532552575", "to_ids": true, "value": "11180b265b010fbfa05c08681261ac57", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "3363a080-15f9-4513-b6cf-480cb0b8e9d0", "timestamp": "1532552577", "to_ids": true, "value": "0eed43d63b6f3e5e696e7b99cfa538c12a13321d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "b4185980-0a32-4f7a-81a0-604de97e867c", "timestamp": "1532552578", "to_ids": true, "value": "269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "4ed5377e-7638-45ba-9377-a1aa31e4a4ae", "sharing_group_id": "0", "timestamp": "1532552579", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "bb0f567b-3154-4c7a-9f5d-478efc6fa6b8", "timestamp": "1532552579", "to_ids": false, "value": "2017-03-15 10:30:38", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "bff87e3b-7d19-4641-94ca-2d92f7683cde", "timestamp": "1532552581", "to_ids": false, "value": "https://www.virustotal.com/file/269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3/analysis/1489573838/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "44855b6c-b687-4d04-8cd0-a297a0f47c32", "timestamp": "1532552582", "to_ids": false, "value": "52/60", "disable_correlation": true, "object_relation": "detection-ratio", 
"type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "b6d5fe7e-b69f-4e54-942e-360486c7bfcb", "sharing_group_id": "0", "timestamp": "1532552585", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "b6d5fe7e-b69f-4e54-942e-360486c7bfcb", "uuid": "5b58e5a9-fa80-4fa3-8775-450d02de0b81", "timestamp": "1532552617", "referenced_uuid": "776e2aba-176a-48be-895a-c6d665ffcd02", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "05d29642-68d9-4471-9992-82653c14a125", "timestamp": "1532552582", "to_ids": true, "value": "dc31516a473d8b9cb634bf1f48a7065f", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5b074b1b-0338-4e91-9394-a81a72ccf5a7", "timestamp": "1532552584", "to_ids": true, "value": "10301bf7f1202c57df484ebcc125b84d8d427014", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "baad5642-2a73-41ca-ae44-01cd9dcc649c", "timestamp": "1532552585", "to_ids": true, "value": "711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "776e2aba-176a-48be-895a-c6d665ffcd02", "sharing_group_id": "0", "timestamp": "1532552586", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "58e7f184-7092-463f-a342-2b475e53aec4", "timestamp": "1532552586", "to_ids": false, "value": "2016-11-10 15:50:58", "disable_correlation": false, "object_relation": "last-submission", 
"type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "e18d6539-c159-47bf-91be-068da68abe71", "timestamp": "1532552588", "to_ids": false, "value": "https://www.virustotal.com/file/711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c/analysis/1478793058/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "884a8c07-14d5-4574-aaa4-7aac53dde5c8", "timestamp": "1532552589", "to_ids": false, "value": "26/54", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4", "sharing_group_id": "0", "timestamp": "1532552592", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4", "uuid": "5b58e5a9-0b48-4a99-a3c7-4ed502de0b81", "timestamp": "1532552617", "referenced_uuid": "3acaf083-3b2a-4b5f-9451-7c1ea9b39768", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "cf71031a-a7c2-4d71-857b-d371d79c1f29", "timestamp": "1532552589", "to_ids": true, "value": "d41d8cd98f00b204e9800998ecf8427e", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "8831c230-00a0-4600-be26-7200a57808e0", "timestamp": "1532552590", "to_ids": true, "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "07f4c4b5-cd6c-4e14-8039-cbab2fadd7d5", "timestamp": "1532552592", "to_ids": true, "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "disable_correlation": false, 
"object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "3acaf083-3b2a-4b5f-9451-7c1ea9b39768", "sharing_group_id": "0", "timestamp": "1532552593", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "d5580362-b4ad-4ee2-9c38-7bb05878a591", "timestamp": "1532552593", "to_ids": false, "value": "2018-07-25 20:49:30", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "887aea02-9162-47a8-9684-0cb42bda0520", "timestamp": "1532552594", "to_ids": false, "value": "https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1532551770/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "6d26efdf-e637-4a26-a036-b21a524e663a", "timestamp": "1532552596", "to_ids": false, "value": "0/61", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "16984ff8-41a2-42d9-a859-87df65432e94", "sharing_group_id": "0", "timestamp": "1532552599", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "16984ff8-41a2-42d9-a859-87df65432e94", "uuid": "5b58e5a9-ab08-4b43-a862-4c6f02de0b81", "timestamp": "1532552617", "referenced_uuid": "8df7db4c-c0a1-495d-a400-6e134bf827a6", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "149fe2d0-6575-4915-ac0a-bed47d23be8b", "timestamp": "1532552596", "to_ids": true, "value": "6fcc13563aad936c7d0f3165351cb453", 
"disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "8a8c672a-a15e-4091-b3f3-978453df9055", "timestamp": "1532552597", "to_ids": true, "value": "8b1757b95b7b7f9c4dfa09b52b0d3c6451b269fc", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "ec370fbd-8b99-4fa9-b291-21e620e5ea61", "timestamp": "1532552598", "to_ids": true, "value": "093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "8df7db4c-c0a1-495d-a400-6e134bf827a6", "sharing_group_id": "0", "timestamp": "1532552600", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "520c34d4-ed53-4cf2-be8d-0d6dbcc95604", "timestamp": "1532552600", "to_ids": false, "value": "2017-12-19 00:26:19", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "1c2745c4-6d74-407c-aef0-dc86e8edce38", "timestamp": "1532552601", "to_ids": false, "value": "https://www.virustotal.com/file/093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e/analysis/1513643179/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "473e0959-9f52-4d7c-82d1-1540cb995bb3", "timestamp": "1532552603", "to_ids": false, "value": "44/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "18574ddd-6a89-41b7-924b-d9a1388d4fc0", "sharing_group_id": "0", 
"timestamp": "1532552606", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "18574ddd-6a89-41b7-924b-d9a1388d4fc0", "uuid": "5b58e5a9-0dd8-486e-b08b-47c902de0b81", "timestamp": "1532552617", "referenced_uuid": "77f014cd-c354-4167-86fa-78e315ba907b", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "63260a7d-5b5c-4333-80ed-fa62d1457c46", "timestamp": "1532552603", "to_ids": true, "value": "83d21d808f7408ebcb3947cb88366172", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "11530bfc-289f-4fb9-ae70-47c0b0bc4d70", "timestamp": "1532552604", "to_ids": true, "value": "ef12b3c274c02a68f678b618828ee4c92a297e59", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "f241ea42-fc10-4c69-b8dd-dd1367664ff1", "timestamp": "1532552605", "to_ids": true, "value": "a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "77f014cd-c354-4167-86fa-78e315ba907b", "sharing_group_id": "0", "timestamp": "1532552607", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "e01b2c15-aa53-4020-82d3-0f1f7ce840e2", "timestamp": "1532552607", "to_ids": false, "value": "2017-07-18 20:58:26", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "684f43f7-25ca-47f6-be6d-5739d4f57d72", "timestamp": "1532552609", "to_ids": false, "value": 
"https://www.virustotal.com/file/a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156/analysis/1500411506/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "8a2f71fb-df0f-41c0-9950-db186f88f8f4", "timestamp": "1532552610", "to_ids": false, "value": "36/58", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "0d95e126-39c8-4048-be62-5470568b0f0f", "sharing_group_id": "0", "timestamp": "1532552613", "description": "File object describing a file with meta-information", "template_version": "11", "ObjectReference": [{"comment": "", "object_uuid": "0d95e126-39c8-4048-be62-5470568b0f0f", "uuid": "5b58e5a9-c9b8-47d3-8836-4f9d02de0b81", "timestamp": "1532552617", "referenced_uuid": "11e88643-99a3-4053-b9bf-73f53056ebae", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "65ed54fe-5c58-4200-a0d9-52cef2f2b519", "timestamp": "1532552610", "to_ids": true, "value": "8758b7984fa2f20ada64e95cf9d5d192", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "cb64ec7d-3812-4db8-9bba-17af77750d72", "timestamp": "1532552612", "to_ids": true, "value": "d35ee56d673fa44a72cf43e6c16f9270dea33f2d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "49e052ce-fc40-4b1c-8c6f-c3a8480552e7", "timestamp": "1532552613", "to_ids": true, "value": "90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "11e88643-99a3-4053-b9bf-73f53056ebae", "sharing_group_id": "0", "timestamp": "1532552614", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "2aed675b-f09b-4b27-aa4e-d8cef860ee81", "timestamp": "1532552614", "to_ids": false, "value": "2016-12-13 19:02:03", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "57b62add-1e94-406b-9081-eac88b655b27", "timestamp": "1532552615", "to_ids": false, "value": "https://www.virustotal.com/file/90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0/analysis/1481655723/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "3208bb65-c286-4c9b-958f-f1d7488b957c", "timestamp": "1532552616", "to_ids": false, "value": "40/55", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5b58331e-7b14-4ec5-bf29-42e7950d210f", "timestamp": "1532589426", "to_ids": false, "value": "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Phishing link on Nov 8", "category": "Network activity", "uuid": "5b583b7d-41d0-4051-8331-4746950d210f", "timestamp": "1532513637", "to_ids": true, "value": "http://invoice.docs-sharepoint.com/profile/profile.php?id=[base64 e-mail address]", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Redirect from phishing link on Nov 8", "category": "Network activity", 
"uuid": "5b583b7e-9420-4436-9201-4f93950d210f", "timestamp": "1532509054", "to_ids": true, "value": "http://invoice.docs-sharepoint.com/profile/download.php", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "ZeuS C&C on Nov 8", "category": "Network activity", "uuid": "5b583b7e-ac24-421f-83f7-48d7950d210f", "timestamp": "1532509054", "to_ids": true, "value": "https://feed.networksupdates.com/feed/webfeed.xml", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "EmployeeID-847267.doc downloading payload (Kronos) on Nov 10", "category": "Network activity", "uuid": "5b583b7e-3b34-4162-970f-4b59950d210f", "timestamp": "1532509054", "to_ids": true, "value": "http://info.docs-sharepoint.com/officeup.exe", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "Payload delivery", "uuid": "5b583b7f-80e8-4230-a77e-4453950d210f", "timestamp": "1532509055", "to_ids": true, "value": "EmployeeID-847267.doc", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Kronos C&C on Nov 10", "category": "Network activity", "uuid": "5b583b7f-aba8-44df-bee9-4880950d210f", "timestamp": "1532509055", "to_ids": true, "value": "http://www.networkupdate.club/kbps/connect.php", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Payload DL by Kronos on Nov 10", "category": "Network activity", "uuid": "5b583b80-8898-45cc-a722-4932950d210f", "timestamp": "1532509056", "to_ids": true, "value": "http://networkupdate.online/kbps/upload/c1c06f7d.exe", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Payload DL by Kronos on Nov 10", "category": "Network activity", "uuid": "5b583b80-50c4-483b-a57b-4b34950d210f", "timestamp": "1532509056", "to_ids": true, "value": "http://networkupdate.online/kbps/upload/1f80ff71.exe", "disable_correlation": false, "object_relation": null, "type": "url"}, 
{"comment": "Payload DL by Kronos on Nov 10", "category": "Network activity", "uuid": "5b583b81-666c-47cc-82d7-418c950d210f", "timestamp": "1532509057", "to_ids": true, "value": "http://networkupdate.online/kbps/upload/a8b05325.exe", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Phishing link on Nov 10", "category": "Network activity", "uuid": "5b583b81-0354-4c37-9f23-4699950d210f", "timestamp": "1532513633", "to_ids": true, "value": "http://intranet.excelsharepoint.com/profile/Employee.php?id=[base64 e-mail address]", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "SmokeLoader C&C", "category": "Network activity", "uuid": "5b583b82-b2a0-4c3e-a7f6-4f40950d210f", "timestamp": "1532509058", "to_ids": true, "value": "http://webfeed.updatesnetwork.com/feedweb/feed.php", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "ScanPOS C&C", "category": "Network activity", "uuid": "5b583b82-7384-4bc0-ad26-4fa1950d210f", "timestamp": "1532509058", "to_ids": true, "value": "http://invoicesharepoint.com/gateway.php", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Phishing link on Nov 14", "category": "Network activity", "uuid": "5b583b82-8e54-4390-b12a-42c1950d210f", "timestamp": "1532513614", "to_ids": true, "value": "http://intranet.excel-sharepoint.com/doc/employee.php?id=[base64 e-mail address]", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "EmployeeID-6283.doc downloading payload (Kronos) on Nov 14", "category": "Network activity", "uuid": "5b583b83-a568-4200-8c7a-48c2950d210f", "timestamp": "1532509059", "to_ids": true, "value": "http://profile.excel-sharepoint.com/doc/office.exe", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "Payload delivery", "uuid": "5b583b83-8390-470a-ae42-4e22950d210f", "timestamp": "1532509059", "to_ids": true, 
"value": "EmployeeID-6283.doc", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "RIG-v domain on Nov 8", "category": "Payload delivery", "uuid": "5b5842d8-8e0c-45c9-ae13-451b950d210f", "timestamp": "1532510936", "to_ids": true, "value": "add.souloventure.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "", "category": "External analysis", "uuid": "5b587469-3e60-43ba-91fb-9146950d210f", "timestamp": "1532589434", "to_ids": false, "value": "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "text"}], "extends_uuid": "", "published": false, "date": "2016-11-15", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5b58330e-b924-4828-b3a5-4986950d210f"}}