385 lines
No EOL
14 KiB
JSON
385 lines
No EOL
14 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-05-08",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - New Infostealer Trojan uses Fiddler Proxy & Json.NET",
|
|
"publish_timestamp": "1462717836",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1462709494",
|
|
"uuid": "572f0929-9b8c-42de-adc6-450202de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#6edb00",
|
|
"name": "circl:topic=\"finance\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700377",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f0959-382c-40fd-a1ef-417802de0b81",
|
|
"value": "https://www.zscaler.com/blogs/research/new-infostealer-trojan-uses-fiddler-proxy-jsonnet"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700394",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "572f096a-b6e4-4a00-a516-4b5202de0b81",
|
|
"value": "Zscaler ThreatLabZ came across a new Infostealer Trojan written in .NET that utilizes popular tools like Fiddler & Json.NET for its operation. In April, the new Infostealer family of Spanish origin was first noted targeting users in the U.S. and Mexico.\r\n\r\nThe malware authors are currently targeting users of Mexico's second largest bank, Banamex, but it is capable of updating the configuration file to include more financial institutions."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700436",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0994-2888-4cb2-bef4-4cdc02de0b81",
|
|
"value": "123f4c1d2d3d691c2427aca42289fe85"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700436",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0994-1398-43d7-a3c7-40f302de0b81",
|
|
"value": "070ab6aa63e658ff8a56ea05426a71b4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700436",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0994-b168-4cec-ae39-44a802de0b81",
|
|
"value": "ac6027d316070dc6d2fd3b273162f2ee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700437",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0995-4b48-4a6a-b4e5-488a02de0b81",
|
|
"value": "98bbc1917613c4a73b1fe35e3ba9a8d9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700437",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0995-32bc-4e5f-9a94-4dd502de0b81",
|
|
"value": "06f3da0adf8a18679d51c6adaa100bd4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700437",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "572f0995-0434-4e12-bb42-497502de0b81",
|
|
"value": "8c9896440fb0c8f2d36aff0382c9c2e4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700453",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09a5-abf4-4a2c-8adf-4a2802de0b81",
|
|
"value": "fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700453",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09a5-19cc-4ae4-8937-41d802de0b81",
|
|
"value": "5fdf01ca8ae47bdd65a2423e0ac7bfb9d80ef73e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700454",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09a6-a9f0-4f63-b764-40b102de0b81",
|
|
"value": "https://www.virustotal.com/file/fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401/analysis/1462520987/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700454",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09a6-d610-4e53-8d4b-48cb02de0b81",
|
|
"value": "66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700454",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09a6-87ec-4208-938d-40ce02de0b81",
|
|
"value": "8182d4eb88e9958039438c72e9b872d21e8af1d8"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700455",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09a7-d788-4203-882c-423f02de0b81",
|
|
"value": "https://www.virustotal.com/file/66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf/analysis/1462538557/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700455",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09a7-9a88-42fe-b27d-41ca02de0b81",
|
|
"value": "9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700455",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09a7-4cec-4efe-a023-4dc702de0b81",
|
|
"value": "42bfe35afbcea775d5bdbc8bfeb25e928f76d4b7"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700456",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09a8-0d5c-4d48-ad67-469602de0b81",
|
|
"value": "https://www.virustotal.com/file/9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43/analysis/1462525662/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700456",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09a8-51cc-43de-ab98-4ffa02de0b81",
|
|
"value": "87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700456",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09a8-1ed0-48e0-b1ac-42e202de0b81",
|
|
"value": "1733cac501b28a6498a69d3f8fc24e0cc58b7cbb"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700457",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09a9-ec50-477e-81f2-4fd302de0b81",
|
|
"value": "https://www.virustotal.com/file/87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6/analysis/1462004459/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700457",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09a9-b624-4ab2-9562-4df802de0b81",
|
|
"value": "be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700457",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09a9-0000-4636-8c8a-4ff802de0b81",
|
|
"value": "8e5029121123c46bd673119e9dfe93f40d6f3b32"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700458",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09aa-7b58-46ee-87ef-411b02de0b81",
|
|
"value": "https://www.virustotal.com/file/be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241/analysis/1462552657/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700458",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "572f09aa-40a0-4602-9f82-4fac02de0b81",
|
|
"value": "ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700458",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "572f09aa-a274-4fec-9a5c-4e8f02de0b81",
|
|
"value": "ad56435e072b8c9da6cf8c0ed9ccedec9dd0bbb3"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700459",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "572f09ab-ff50-46d6-b513-447002de0b81",
|
|
"value": "https://www.virustotal.com/file/ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3/analysis/1462552657/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Sample URLs that we have seen serving installer payloads in last two weeks",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700490",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "572f09ca-4264-41c4-8427-448a02de0b81",
|
|
"value": "cigm.co/js/slick/curp.pdf.exe"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Sample URLs that we have seen serving installer payloads in last two weeks",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700491",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "572f09cb-5de8-455e-8cae-4a6f02de0b81",
|
|
"value": "saysa.com.co/js/rfc.pdf.exe"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Sample URLs that we have seen serving installer payloads in last two weeks",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700491",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "572f09cb-d388-4330-9fef-49ae02de0b81",
|
|
"value": "saysa.com.co/js/curp.pdf.exe"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Sample URLs that we have seen serving installer payloads in last two weeks",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700491",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "572f09cb-4d0c-43b9-81b0-444902de0b81",
|
|
"value": "bestdentalimplants.co.in/js/curp.pdf.exe"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Sample URLs that we have seen serving installer payloads in last two weeks",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700492",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "572f09cc-f888-45d5-804d-492302de0b81",
|
|
"value": "denticenter.com.co/js/slick/curp.pdf.exe"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1462700523",
|
|
"to_ids": false,
|
|
"type": "target-org",
|
|
"uuid": "572f09eb-6ed0-4642-a2bb-4bb102de0b81",
|
|
"value": "Banamex"
|
|
}
|
|
]
|
|
}
|
|
} |