misp-circl-feed/feeds/circl/misp/573efd23-b3a4-4374-9f11-3514950d210f.json


{
"Event": {
"analysis": "2",
"date": "2016-05-20",
"extends_uuid": "",
"info": "OSINT - Bolek: Leaked Carberp KBot Source Code Complicit in New Phishing Campaigns",
"publish_timestamp": "1463746138",
"published": true,
"threat_level_id": "3",
"timestamp": "1463746106",
"uuid": "573efd23-b3a4-4374-9f11-3514950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#004646",
"name": "type:OSINT"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745858",
"to_ids": false,
"type": "link",
"uuid": "573efd42-227c-461d-b75f-1169950d210f",
"value": "http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745873",
"to_ids": false,
"type": "comment",
"uuid": "573efd51-8354-4089-bd3c-144b950d210f",
"value": "Reuse of infrastructure supporting malware distribution is a well-documented characteristic of online crime and a key way to track and classify threat actors. While it may seem simplistic for monitoring threat actor activities, the IP addresses, domains, hostnames, and URLs contacted by malware tools betray a significant amount of information about threat actor groups. For some malware attacks, it\u2019s possible to determine the threat actor\u2019s identity based on the infrastructure used, but, other times, the lines are blurred because some organizations harbor cyber criminals.\r\n\r\nWhy would threat actors leverage locations that they could safely presume to have been previously identified in threat intelligence as hostile? The answer for this is closely related to the nature of online crime as a business venture. To some degree, economic rational choice theory proves true for online crime as much as it does with other types of businesses.\r\n\r\nEach element of malware support requires an investment on the part of the threat actor. This may be the monetary investment of purchasing resources or it might simply be the time and effort to compromise vulnerable hosts for malicious repurposing. In either case, the threat actor is forced to choose between expending one commodity in exchange for another. It therefore benefits threat actors to extract the maximum utility from any resource before writing it off as lost. Even if the resource has been identified by threat intelligence feeds or in block lists available to many, not all endpoints will have access to that information.\r\n\r\nOther influential factors that may lead to infrastructure reuse include the likelihood that the resource will be dismantled or impaired by researchers or seized by law enforcement. The \u201cbulletproof\u201d nature of certain hosting locations is a strong motivator for reusing infrastructure. Furthermore, threat actors may be reluctant to frequently dismantle and relocate sophisticated support infrastructure due to the hassle such a process entails.\r\n\r\nFurthermore, when delivering a new botnet malware that may very likely still be under development, a threat actor may consider older infrastructure as a staging ground for early stages of deployment. Later, the threat actor might gravitate toward other, stealthier or unidentified infrastructure."
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745983",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdbf-6298-4550-819d-1448950d210f",
"value": "141.105.69.251"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745983",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdbf-0260-41ea-a3a2-1448950d210f",
"value": "160.202.168.105"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745983",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdbf-abc8-4658-b767-1448950d210f",
"value": "191.101.239.161"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745984",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc0-b530-43d1-85d9-1448950d210f",
"value": "217.28.218.217"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745984",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc0-a784-4c79-aaa9-1448950d210f",
"value": "45.30.53.96"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745984",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc0-362c-46b4-9136-1448950d210f",
"value": "46.32.254.136"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745985",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc1-16ac-4bb3-9d5b-1448950d210f",
"value": "50.125.238.102"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745985",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc1-1894-4c6c-99d9-1448950d210f",
"value": "52.74.127.205"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745985",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc1-9998-4ec6-bedb-1448950d210f",
"value": "64.235.33.221"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745986",
"to_ids": true,
"type": "ip-dst",
"uuid": "573efdc2-eb28-411d-8ee8-1448950d210f",
"value": "93.111.155.134"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745986",
"to_ids": true,
"type": "domain",
"uuid": "573efdc2-ea8c-4295-a976-1448950d210f",
"value": "android-securityupdate.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745986",
"to_ids": true,
"type": "domain",
"uuid": "573efdc2-1164-4138-bb0f-1448950d210f",
"value": "cibc-clients.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745987",
"to_ids": true,
"type": "domain",
"uuid": "573efdc3-af6c-4c23-b9d1-1448950d210f",
"value": "cibc-security.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745987",
"to_ids": true,
"type": "domain",
"uuid": "573efdc3-e708-4e91-b623-1448950d210f",
"value": "knutesecos.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745987",
"to_ids": true,
"type": "domain",
"uuid": "573efdc3-c61c-415a-9c30-1448950d210f",
"value": "mensabuxus.net"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745988",
"to_ids": true,
"type": "domain",
"uuid": "573efdc4-0c88-4e69-8a3d-1448950d210f",
"value": "ogrthuvfewfdcfri5euwg.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745988",
"to_ids": true,
"type": "domain",
"uuid": "573efdc4-0340-4cf1-b014-1448950d210f",
"value": "ogrthuvwfdcfri5euwg.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745988",
"to_ids": true,
"type": "domain",
"uuid": "573efdc4-7dc8-4362-95c9-1448950d210f",
"value": "rogers-ca.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745989",
"to_ids": true,
"type": "domain",
"uuid": "573efdc5-c528-4eb0-a2f7-1448950d210f",
"value": "rogers-clients.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745989",
"to_ids": true,
"type": "domain",
"uuid": "573efdc5-7c58-4ff5-a400-1448950d210f",
"value": "signin-rogers.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745989",
"to_ids": true,
"type": "domain",
"uuid": "573efdc5-8948-4704-a6bf-1448950d210f",
"value": "signin-tangerine.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745990",
"to_ids": true,
"type": "domain",
"uuid": "573efdc6-1b34-4322-8734-1448950d210f",
"value": "tangerine-ca.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745990",
"to_ids": true,
"type": "domain",
"uuid": "573efdc6-f0c0-4d7b-949e-1448950d210f",
"value": "tangerine-can.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745990",
"to_ids": true,
"type": "domain",
"uuid": "573efdc6-e3cc-4166-b856-1448950d210f",
"value": "tangerine-security.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745991",
"to_ids": true,
"type": "domain",
"uuid": "573efdc7-f5cc-4d14-8194-1448950d210f",
"value": "tangerine-zone.com"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745991",
"to_ids": true,
"type": "md5",
"uuid": "573efdc7-65c8-4286-9db2-1448950d210f",
"value": "16b36f340a9fbce13ee553b5996442d1"
},
{
"category": "Payload delivery",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463745991",
"to_ids": true,
"type": "md5",
"uuid": "573efdc7-b964-4243-9147-1448950d210f",
"value": "24a497e3993289168455f12d11f0430f"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746005",
"to_ids": false,
"type": "link",
"uuid": "573efdd5-0430-4266-acbd-116f950d210f",
"value": "http://phishme.com/wp-content/uploads/bolek.txt"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746042",
"to_ids": false,
"type": "link",
"uuid": "573efdfa-b708-4980-ba8b-5c12950d210f",
"value": "http://www.cert.pl/news/11379/langswitch_lang/en"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746076",
"to_ids": true,
"type": "sha256",
"uuid": "573efe1c-74c0-40c2-84e7-1168950d210f",
"value": "62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746076",
"to_ids": true,
"type": "sha256",
"uuid": "573efe1c-3698-4bf7-b082-1168950d210f",
"value": "6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746077",
"to_ids": true,
"type": "sha256",
"uuid": "573efe1d-f3d8-4eb7-8e59-1168950d210f",
"value": "12769a17f85a4c7d56cfe5754184db976b9a361dc7b5d2a8f50e82d7442651aa"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746077",
"to_ids": true,
"type": "sha256",
"uuid": "573efe1d-3a74-4342-82dd-1168950d210f",
"value": "5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746106",
"to_ids": true,
"type": "sha1",
"uuid": "573efe3a-cf2c-4d90-bf41-116f02de0b81",
"value": "b4e4d2b18cc84d8494a1d80c6578544d278df7f6"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746107",
"to_ids": true,
"type": "md5",
"uuid": "573efe3b-2988-49c0-ab77-116f02de0b81",
"value": "d1449752bbe1e35dea8cc756262d2e7c"
},
{
"category": "External analysis",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746107",
"to_ids": false,
"type": "link",
"uuid": "573efe3b-9314-4dda-b9c3-116f02de0b81",
"value": "https://www.virustotal.com/file/5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac/analysis/1463404623/"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 12769a17f85a4c7d56cfe5754184db976b9a361dc7b5d2a8f50e82d7442651aa",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746107",
"to_ids": true,
"type": "sha1",
"uuid": "573efe3b-2d10-4b2a-8dda-116f02de0b81",
"value": "2c642ae221ae2c5559ba54be8a20b1f92ebba1f1"
},
{
"category": "External analysis",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 12769a17f85a4c7d56cfe5754184db976b9a361dc7b5d2a8f50e82d7442651aa",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746108",
"to_ids": false,
"type": "link",
"uuid": "573efe3c-82e0-4e6b-bc04-116f02de0b81",
"value": "https://www.virustotal.com/file/12769a17f85a4c7d56cfe5754184db976b9a361dc7b5d2a8f50e82d7442651aa/analysis/1463256431/"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746108",
"to_ids": true,
"type": "sha1",
"uuid": "573efe3c-19e8-4e7a-9677-116f02de0b81",
"value": "ee8799f864db739fbd51d9447e05a88726fae982"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746109",
"to_ids": true,
"type": "md5",
"uuid": "573efe3d-2b14-40e8-9cd8-116f02de0b81",
"value": "e7047960892f9c8e2123738a087c474f"
},
{
"category": "External analysis",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746109",
"to_ids": false,
"type": "link",
"uuid": "573efe3d-2ebc-4d57-b9d1-116f02de0b81",
"value": "https://www.virustotal.com/file/6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca/analysis/1463577277/"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746110",
"to_ids": true,
"type": "sha1",
"uuid": "573efe3e-4c4c-434b-b2cc-116f02de0b81",
"value": "ea127bb4e0c58902524e11740e15acd46ea71494"
},
{
"category": "Payload installation",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746110",
"to_ids": true,
"type": "md5",
"uuid": "573efe3e-81b8-4e71-a5b3-116f02de0b81",
"value": "e89ff40a8832cd27d2aae48ff7cd67d2"
},
{
"category": "External analysis",
"comment": "Here are some hashes for the unpacked sample - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1463746110",
"to_ids": false,
"type": "link",
"uuid": "573efe3e-64ac-4ddb-8963-116f02de0b81",
"value": "https://www.virustotal.com/file/62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9/analysis/1463419816/"
}
]
}
}