{
"Event": {
"analysis": "2",
"date": "2016-08-29",
"extends_uuid": "",
"info": "OSINT - Dridex Returns To Action For Smaller, More Targeted Attacks",
"publish_timestamp": "1497647644",
"published": true,
"threat_level_id": "3",
"timestamp": "1497647635",
"uuid": "57c405cd-ab54-47b8-9eff-7a52950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#6edb00",
"local": "0",
"name": "circl:topic=\"finance\"",
"relationship_type": ""
},
{
"colour": "#3b7500",
"local": "0",
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0da700",
"local": "0",
"name": "misp-galaxy:tool=\"Dridex\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464377",
"to_ids": false,
"type": "link",
"uuid": "57c405f9-fe0c-40ed-9b92-800f950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/Dridex-returns-to-action-for-smaller-more-targeted-attacks"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464399",
"to_ids": false,
"type": "comment",
"uuid": "57c4060f-fbec-432b-8d84-800e950d210f",
"value": "Since it was first detected in November 2014, Dridex has been one of the most prolific pieces of malware worldwide. Even when the actors behind distribution of Dridex began distributing Locky ransomware in February, 2016, they would often switch between the two payloads or distribute them simultaneously. More recently, though, Dridex email message volumes have dropped to a relative trickle, and a new geography of interest, Switzerland, has emerged. The much lower volume suggests a higher degree of targeting, freeing the actors to pursue more lucrative attacks and leverage stolen information more effectively.\r\n\r\nIn this post we\u2019ll investigate the recent Dridex campaigns, including their message volumes and targeting, and provide possible reasons for changes in the mode of operation."
},
{
"category": "Payload delivery",
"comment": "June 29 Dridex 38923 document \u201c[name].doc\u201d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464576",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c0-cb60-4bc4-aacb-800e950d210f",
"value": "313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6"
},
{
"category": "Payload delivery",
"comment": "July 15 Dridex 124 document \u201c1666.docm\u201d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464576",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c0-5820-4b47-b716-800e950d210f",
"value": "1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5"
},
{
"category": "Payload delivery",
"comment": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464576",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c0-fd78-438a-9502-800e950d210f",
"value": "1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639"
},
{
"category": "Payload delivery",
"comment": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464576",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c0-3898-46c6-abfd-800e950d210f",
"value": "026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99"
},
{
"category": "Payload delivery",
"comment": "Dridex 38923 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464577",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c1-c66c-4933-b0f0-800e950d210f",
"value": "10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4"
},
{
"category": "Payload delivery",
"comment": "Dridex 124 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464578",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c2-8ad4-4ae5-95d1-800e950d210f",
"value": "207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8"
},
{
"category": "Payload delivery",
"comment": "Dridex 144 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464578",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c2-d160-4c6c-a9ff-800e950d210f",
"value": "75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782"
},
{
"category": "Payload delivery",
"comment": "Dridex 228 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464578",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c2-fcb4-4a0f-8a18-800e950d210f",
"value": "160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8"
},
{
"category": "Payload delivery",
"comment": "Dridex 1124 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464579",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c3-d550-4216-a10c-800e950d210f",
"value": "bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f"
},
{
"category": "Payload delivery",
"comment": "Dridex 302 Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464579",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c3-7aac-4786-8508-800e950d210f",
"value": "2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44"
},
{
"category": "Payload delivery",
"comment": "Dridex 1024 dropped by Neutrino",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464579",
"to_ids": true,
"type": "sha256",
"uuid": "57c406c3-0004-4083-ab33-800e950d210f",
"value": "fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb"
},
{
"category": "Targeting data",
"comment": "Appendix A: Applications Targeted by Dridex 228 on August 16, 2016",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464628",
"to_ids": false,
"type": "comment",
"uuid": "57c406f4-914c-4f8a-bf4b-7a58950d210f",
"value": "crealogix | multiversa | abacus | ebics | agro-office | cashcomm | softcrew | coconet | macrogram | mammut | omikron | multicash | quatersoft | alphasys | wineur | epsitec | myaccessweb | bellin | financesuite | moneta | softcash | trinity | financesuite | abrantix | starmoney | sfirm | migrosbank | migros bank | online banking | star money | multibit | bitgo | bither | blockchain | copay | msigna | armory | electrum | coinbase | magnr | keepkey | coinsbank | coolwallet | bitoex | xapo | changetip | coinapult | blocktrail | breadwallet | luxstack | airbitz | schildbach | ledger nano | mycelium | trezor | coinomi | bitcore | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | jp2launcher | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | ftrskr | Suite Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | ConfigurationEditor | InteractFastConfig | otscm-client | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | universe | ifrun60 | roiwin31 | guawin32 | intwin31 | kb_pcb | spawin31 | cziwin31 | czawin31 | sta2gpc | etsr | tellerlauncher | prowin32 | dirclt32 | PLT1751 | PLT1151 | cegidebics | CCS3 | CCMPS3 | ComSX | keepass | c_agent | transac | relaisbtp | telebanking | ewallet | mstsc | cardentry | TPComplianceManager | TPWorkstation | BancLine 2.0 | MS000000 | BancLine 3.0 | BancLine 4.0 | BancLine 5.0 | SFW | ptw1151 | fedcomp | sfmain | VRNetWorld | KDS | Kasir | ICS | mpkds | pspooler | ipspool | 
POS-CFG | callerIdserver | EftTray | dpseftxc | EFTSERV | QBPOS | APRINT6 | POSCONFG | jRestaurant | AFR38 | rmpos | roi | AxUpdatePortal | Firefly | InitEpp | SM22 | xfsExplorer | XFSSimulator | WosaXFSTest | kiosk | CRE2004 | aspnet_wp | javav | XChrgSrv | rpccEngine | PTService | Rpro8 | UTG2Svc | Active-Charge | javaw | DDCDSRV1 | alohaedc | dbstpssvc | XPS | Transnet | posw | NCRLoader | PSTTransfer | TSTSolutions | wndaudit | TSTAdmin | TellerDR | merapplauncher | contact manager | goldtllr32 | goldtrakpc | farm42phyton | fx4cash | bpcssm | vp-ebanking | LLB Online Banking | efix | iberclear | AMBCN | SGO | SQLpnr | vmware-view | banktelapk | SynJhaIntService | uniservice | client32 | CanaraCustMaintenance | legaclt | pcsfe | pcscmenu | cwbtf | srvview | pcsmc2vb | cwb3uic | trcgui | cwbsvstr | rtopcb | cwbujcnv | cwbujbld | cwbuisxe | pcsws | cwbsvd | cwblog | cwbdsk | securID | jhaintexec | appupdate | SGNavigatorApp | dbr | WINTRV | bsaadmin | encompass | eautomate | link | adminconsole | commandclientplugin | commandclientplugin_gui | mfmanager | verex director-server manager | verex director-communication manager | notes | nlnotes | notes2 | sacmonitor | netterm | fspnet | bridgerinside | cardserver | si | dais.ebank.client.offlineclient | BGFWIN31 | BGDWIN31 | BGXWIN31 | bocusertool | CLXReader | UBSPay | Migros_Bank_E-Banking | Bank linth Online Banking | java | abastart | abamenu | abajvm | sage200.finanz.gui | vpxclient | htmlshell | mmc | e3K.Main | QOPT | cresus | wineur | abaeb | efinance | GestionPE | BCN-Netkey | Sage 30 | ISL_light_client | msaccess | proffix.v4 | pxShowThread"
},
{
"category": "Targeting data",
"comment": "Appendix B: Applications Targeted by Dridex 120 in July 2015",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464660",
"to_ids": false,
"type": "comment",
"uuid": "57c40714-8904-4705-8609-8ac9950d210f",
"value": "Uniface | bankline | Aptos | Hyposwiss | episys quest | bancline | tellerplus | ACE Software Solutions | ACI Worldwide | Alliance Enterprise | Bottomline Technologies | Broadridge | China Systems | CMA Small Systems | Clear2Pay | Adaptor Payments | Decillion Group | EastNets | Infosys | Flexcube | ECS Financials | FircoSoft | Fiserv | Kyriba | Premium Technology | Smartstream Technologies | Sopra Banking | Surecomp | Tieto Payment | TONBELLER | Wall Street Systems | Western Union | MoneyGram | Unistream | Direct Link | Abacus | agro-twin | coconet | crealogix | macrogram | mammut soft | omikron | quatersoft | experian payment gateway | softcrew | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | ac.sharedstore | jp2launcher+ | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | ftrskr | Suite | Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | ConfigurationEditor | InteractFastConfig | javaw | otscm-client+ | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | sage"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464688",
"to_ids": false,
"type": "link",
"uuid": "57c40730-30cc-42d6-809e-8aca950d210f",
"value": "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/offline-payment-software.html"
},
{
"category": "Payload delivery",
"comment": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464750",
"to_ids": true,
"type": "sha1",
"uuid": "57c4076e-0bb4-45d7-89d4-7a5102de0b81",
"value": "6207bb1f208867a3b357c64e635993cc4ee01c7b"
},
{
"category": "Payload delivery",
"comment": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464750",
"to_ids": true,
"type": "md5",
"uuid": "57c4076e-0bcc-458c-b1ec-7a5102de0b81",
"value": "87f8402f0e46fcb929e175f3a722a202"
},
{
"category": "External analysis",
"comment": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464750",
"to_ids": false,
"type": "link",
"uuid": "57c4076e-dc1c-4fb6-8cb0-7a5102de0b81",
"value": "https://www.virustotal.com/file/fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb/analysis/1471591636/"
},
{
"category": "Payload delivery",
"comment": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464751",
"to_ids": true,
"type": "sha1",
"uuid": "57c4076f-05e4-4b12-9725-7a5102de0b81",
"value": "39b2aa526c79e263b77daf93c2426e96b61427ac"
},
{
"category": "Payload delivery",
"comment": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464751",
"to_ids": true,
"type": "md5",
"uuid": "57c4076f-1da4-4c89-ac85-7a5102de0b81",
"value": "d4c3e289e5c2240b4bc06e344be6e5b6"
},
{
"category": "External analysis",
"comment": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464751",
"to_ids": false,
"type": "link",
"uuid": "57c4076f-43f4-4dba-8473-7a5102de0b81",
"value": "https://www.virustotal.com/file/2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44/analysis/1471129011/"
},
{
"category": "Payload delivery",
"comment": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464751",
"to_ids": true,
"type": "sha1",
"uuid": "57c4076f-c114-4aee-86b6-7a5102de0b81",
"value": "f16fb1512e40ab115fb26ad5e516cd3660d903d7"
},
{
"category": "Payload delivery",
"comment": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464752",
"to_ids": true,
"type": "md5",
"uuid": "57c40770-51e4-4454-9097-7a5102de0b81",
"value": "5a5dfe4ec70529af9f937f58399410cf"
},
{
"category": "External analysis",
"comment": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464752",
"to_ids": false,
"type": "link",
"uuid": "57c40770-ca40-4836-bea3-7a5102de0b81",
"value": "https://www.virustotal.com/file/bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f/analysis/1472443888/"
},
{
"category": "Payload delivery",
"comment": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464753",
"to_ids": true,
"type": "sha1",
"uuid": "57c40771-2eac-4b02-849f-7a5102de0b81",
"value": "e682a268c7807fa3d4a5c7b0244a2f44663aadfc"
},
{
"category": "Payload delivery",
"comment": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464753",
"to_ids": true,
"type": "md5",
"uuid": "57c40771-731c-4fa8-a4f2-7a5102de0b81",
"value": "08f44a4d709f1a16a1a99598e6038960"
},
{
"category": "External analysis",
"comment": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464753",
"to_ids": false,
"type": "link",
"uuid": "57c40771-38a8-4b85-ba46-7a5102de0b81",
"value": "https://www.virustotal.com/file/160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8/analysis/1472283781/"
},
{
"category": "Payload delivery",
"comment": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464753",
"to_ids": true,
"type": "sha1",
"uuid": "57c40771-9430-4687-bddd-7a5102de0b81",
"value": "ae99800e25d331403995c08fbbeef47a659ab804"
},
{
"category": "Payload delivery",
"comment": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464754",
"to_ids": true,
"type": "md5",
"uuid": "57c40772-a618-4472-8d3e-7a5102de0b81",
"value": "d58ec78a177b82da975f2a42edfcdbad"
},
{
"category": "External analysis",
"comment": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464754",
"to_ids": false,
"type": "link",
"uuid": "57c40772-ea1c-4941-a9eb-7a5102de0b81",
"value": "https://www.virustotal.com/file/75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782/analysis/1471678904/"
},
{
"category": "Payload delivery",
"comment": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464754",
"to_ids": true,
"type": "sha1",
"uuid": "57c40772-e9b0-4f2a-ae55-7a5102de0b81",
"value": "4af210a9c7c7c5d62dfac90de213c559bd04295c"
},
{
"category": "Payload delivery",
"comment": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464754",
"to_ids": true,
"type": "md5",
"uuid": "57c40772-48e0-4f43-bf9f-7a5102de0b81",
"value": "52faad132ecc0a103d368640db9274b7"
},
{
"category": "External analysis",
"comment": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464755",
"to_ids": false,
"type": "link",
"uuid": "57c40773-bc68-460c-aff9-7a5102de0b81",
"value": "https://www.virustotal.com/file/207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8/analysis/1470206023/"
},
{
"category": "Payload delivery",
"comment": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464755",
"to_ids": true,
"type": "sha1",
"uuid": "57c40773-62d0-47a3-80dc-7a5102de0b81",
"value": "8dda6643074fc4c08e621b06a4b9ba2b02307462"
},
{
"category": "Payload delivery",
"comment": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464756",
"to_ids": true,
"type": "md5",
"uuid": "57c40774-2914-4485-8441-7a5102de0b81",
"value": "b8946d3329e56a3f3e52547aac913e8e"
},
{
"category": "External analysis",
"comment": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464756",
"to_ids": false,
"type": "link",
"uuid": "57c40774-8b28-49e0-9519-7a5102de0b81",
"value": "https://www.virustotal.com/file/10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4/analysis/1469142637/"
},
{
"category": "Payload delivery",
"comment": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464757",
"to_ids": true,
"type": "sha1",
"uuid": "57c40775-c9e4-42d9-b7da-7a5102de0b81",
"value": "880d6e1db2928dacf3977595507a0b8441e18778"
},
{
"category": "Payload delivery",
"comment": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464757",
"to_ids": true,
"type": "md5",
"uuid": "57c40775-da1c-470f-9cf8-7a5102de0b81",
"value": "d0f9189af92bf014d2c3d1384806079b"
},
{
"category": "External analysis",
"comment": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464757",
"to_ids": false,
"type": "link",
"uuid": "57c40775-ed24-4616-b20f-7a5102de0b81",
"value": "https://www.virustotal.com/file/026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99/analysis/1471302720/"
},
{
"category": "Payload delivery",
"comment": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464758",
"to_ids": true,
"type": "sha1",
"uuid": "57c40776-4d88-4efb-9eb3-7a5102de0b81",
"value": "05e3a7ee1df443b75ec8106a7ef857ddeb299ac5"
},
{
"category": "Payload delivery",
"comment": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464758",
"to_ids": true,
"type": "md5",
"uuid": "57c40776-3c6c-4746-9439-7a5102de0b81",
"value": "5e89753e6a7e1cb8f18004aaa4c47374"
},
{
"category": "External analysis",
"comment": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464759",
"to_ids": false,
"type": "link",
"uuid": "57c40777-54f8-4870-b385-7a5102de0b81",
"value": "https://www.virustotal.com/file/1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639/analysis/1471932146/"
},
{
"category": "Payload delivery",
"comment": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464759",
"to_ids": true,
"type": "sha1",
"uuid": "57c40777-45a0-4150-b8e4-7a5102de0b81",
"value": "fcec303b9de6eb89f621ca3d469471a011e84b2f"
},
{
"category": "Payload delivery",
"comment": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464760",
"to_ids": true,
"type": "md5",
"uuid": "57c40778-09ec-4e47-9c47-7a5102de0b81",
"value": "bc4b5dbf114c3ad5ba93d966781257fa"
},
{
"category": "External analysis",
"comment": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464761",
"to_ids": false,
"type": "link",
"uuid": "57c40779-fd00-407c-8951-7a5102de0b81",
"value": "https://www.virustotal.com/file/1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5/analysis/1469347569/"
},
{
"category": "Payload delivery",
"comment": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464761",
"to_ids": true,
"type": "sha1",
"uuid": "57c40779-48e0-4c1a-9091-7a5102de0b81",
"value": "eb78f441a57ffeec110a1cc3d6255043e612e5dd"
},
{
"category": "Payload delivery",
"comment": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464762",
"to_ids": true,
"type": "md5",
"uuid": "57c4077a-c778-43bc-a0ba-7a5102de0b81",
"value": "6369e4e4ddd8312b52a1c1b4818e463c"
},
{
"category": "External analysis",
"comment": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1472464762",
"to_ids": false,
"type": "link",
"uuid": "57c4077a-7bbc-4d8a-83fa-7a5102de0b81",
"value": "https://www.virustotal.com/file/313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6/analysis/1470643493/"
}
]
}
} |