misp-circl-feed/feeds/circl/misp/5b0438ad-6d20-4a53-9a8b-2c1c0acd0835.json


{
"Event": {
"analysis": "2",
"date": "2018-05-22",
"extends_uuid": "",
"info": "Emotet 5-18-2018",
"publish_timestamp": "1589183759",
"published": true,
"threat_level_id": "3",
"timestamp": "1621849729",
"uuid": "5b0438ad-6d20-4a53-9a8b-2c1c0acd0835",
"Orgc": {
"name": "Synovus Financial",
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"Emotet\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#003860",
"name": "osint:source-type=\"pastie-website\""
},
{
"colour": "#002642",
"name": "osint:source-type=\"microblog-post\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004061",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-c7ac-49a6-b78f-2c420acd0835",
"value": "50.37.10.78|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-20f0-4baa-b9ad-2c420acd0835",
"value": "50.84.214.74|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-1464-4a92-bcd8-2c420acd0835",
"value": "65.25.17.131|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-6724-4133-9846-2c420acd0835",
"value": "67.20.224.109|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-caf4-4260-a33f-2c420acd0835",
"value": "69.129.91.38|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-6944-4ac5-bb83-2c420acd0835",
"value": "70.167.17.7|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-fa54-4b42-a740-2c420acd0835",
"value": "72.49.55.42|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-6978-4f21-8e03-2c420acd0835",
"value": "86.209.63.166|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-5114-4463-aac3-2c420acd0835",
"value": "105.228.39.7|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-a450-43be-80a9-2c420acd0835",
"value": "119.18.8.51|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004061",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-b090-4a74-bec9-2c420acd0835",
"value": "169.0.250.138|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-7ed0-41b4-aa42-2c420acd0835",
"value": "179.52.46.11|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-7444-4a71-a9d9-2c420acd0835",
"value": "192.227.112.57|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-f0a0-46ed-8938-2c420acd0835",
"value": "199.167.209.11|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-9548-496f-96fb-2c420acd0835",
"value": "222.112.169.133|80",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-2c44-4426-895e-2c420acd0835",
"value": "37.120.170.231|443",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-4c8c-4d5e-b966-2c420acd0835",
"value": "174.140.167.85|443",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c4-b078-43e2-9d5d-2c420acd0835",
"value": "188.226.223.31|443",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004062",
"to_ids": true,
"type": "ip-dst|port",
"uuid": "5b0438c5-fbd8-4d17-bb11-2c420acd0835",
"value": "217.160.93.187|443",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b0438d9-9b24-475a-9eb1-08ef0acd0835",
"value": "http://lemat.sk/YQJHmA",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b0438d9-ae60-4a28-b202-08ef0acd0835",
"value": "http://columbiainstitute.org/O/YBC4RQ/",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Support Tool",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527003738",
"to_ids": false,
"type": "link",
"uuid": "5b0438e9-88c4-4681-aa0b-2c060acd0835",
"value": "https://www.virustotal.com/#/file/1b9e1f248b3dd13e0c8668117caa7f8af1e34918f1e9ac6f71d619e50fd91538/detection"
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2d-d2e0-4a3a-a20f-2ade0acd0835",
"value": "http://emulsiflex.com/Wz51Bq1/",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2d-6a18-4b90-b690-2ade0acd0835",
"value": "http://e-muhr.de/IcS1A5z/",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2d-cc18-4e88-95f6-2ade0acd0835",
"value": "http://emulsiflex.com/Wz51Bq1",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2d-6720-440e-a5c4-2ade0acd0835",
"value": "http://lemat.sk/YQJHmA/",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2e-b2f8-4984-9875-2ade0acd0835",
"value": "http://columbiainstitute.org/O/YBC4RQ",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2e-ba3c-44c1-8389-2ade0acd0835",
"value": "http://sweatshop.org/dnqN0nl",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2e-c00c-4b03-9b9d-2ade0acd0835",
"value": "http://www.gardonyrefhir.hu/gmQuF9x",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2e-aeac-4727-aa52-2ade0acd0835",
"value": "http://sweatshop.org/dnqN0nl/",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
},
{
"category": "Network activity",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527004113",
"to_ids": true,
"type": "url",
"uuid": "5b043a2e-1968-4be5-a86d-2ade0acd0835",
"value": "http://e-muhr.de/IcS1A5z",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#cc4900",
"name": "diamond-model:Infrastructure"
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1527003445",
"uuid": "5b043935-825c-49d4-b93c-08ef0acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1527003738",
"to_ids": true,
"type": "md5",
"uuid": "5b043935-b294-48fc-bce2-08ef0acd0835",
"value": "923a8d46eca1e77e020e0ac0951226d8"
},
{
"category": "Other",
"comment": "Emotet",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1527003738",
"to_ids": false,
"type": "text",
"uuid": "5b043935-0f14-48ff-bd0c-08ef0acd0835",
"value": "Emotet"
},
{
"category": "Payload delivery",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1527003738",
"to_ids": true,
"type": "sha256",
"uuid": "5b043935-45b8-4e74-90b9-08ef0acd0835",
"value": "1b9e1f248b3dd13e0c8668117caa7f8af1e34918f1e9ac6f71d619e50fd91538"
},
{
"category": "Payload delivery",
"comment": "Emotet",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1527003738",
"to_ids": true,
"type": "filename",
"uuid": "5b043935-1384-439f-b8f6-08ef0acd0835",
"value": "22468.exe"
},
{
"category": "Payload delivery",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1527003738",
"to_ids": true,
"type": "sha1",
"uuid": "5b043935-1ac0-445b-9399-08ef0acd0835",
"value": "45ef0de6aa324ebebdf9ba61129cd316e19973ae"
},
{
"category": "Payload delivery",
"comment": "Emotet",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1527003738",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b043935-797c-41b6-a6b1-08ef0acd0835",
"value": "3072:8ZL3fu/kIS5c7+iMfmGkV1C5o63qaGymSUO:G0fac7Kflgao63qaGLS"
},
{
"category": "Other",
"comment": "Emotet",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1527003738",
"to_ids": false,
"type": "text",
"uuid": "5b043935-160c-4861-8ce2-08ef0acd0835",
"value": "Malicious"
}
]
}
]
}
}