misp-circl-feed/feeds/circl/misp/57aaeefd-0bd4-4a41-87ad-4e17950d210f.json

{
  "Event": {
    "analysis": "2",
    "date": "2016-08-10",
    "extends_uuid": "",
    "info": "OSINT - Cracking Orcus RAT",
    "publish_timestamp": "1470822613",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1470822036",
    "uuid": "57aaeefd-0bd4-4a41-87ad-4e17950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#440055",
        "local": false,
        "name": "ms-caro-malware:malware-type=\"RemoteAccess\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820103",
        "to_ids": false,
        "type": "link",
        "uuid": "57aaef08-62dc-4948-ac44-473b950d210f",
        "value": "http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820155",
        "to_ids": false,
        "type": "comment",
        "uuid": "57aaef3b-655c-4274-a59d-4572950d210f",
        "value": "At first I thought I could be dealing with someone trying to \u00e2\u20ac\u02dcphish\u00e2\u20ac\u2122 me, but the offer was legit. Challenge accepted. The zip file I got is for version 1.4.2 (which is the latest version available at the \u00e2\u20ac\u02dcOrcus RAT\u00e2\u20ac\u2122 website, at the time of this writing). The zip file is massive. Here\u00e2\u20ac\u2122s the whole contents of the zip file."
      },
      {
        "category": "Payload installation",
        "comment": "Orcus.Administration.exe",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820191",
        "to_ids": true,
        "type": "sha256",
        "uuid": "57aaef5f-1808-4585-a00b-497c950d210f",
        "value": "4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea"
      },
      {
        "category": "Payload installation",
        "comment": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820374",
        "to_ids": true,
        "type": "sha1",
        "uuid": "57aaf016-8cf0-439a-b2a6-441002de0b81",
        "value": "ea6d05abfce77d01a1a039c8bc97f973b6780f07"
      },
      {
        "category": "Payload installation",
        "comment": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820374",
        "to_ids": true,
        "type": "md5",
        "uuid": "57aaf016-ac94-4574-ba76-4b6a02de0b81",
        "value": "d2140d8c9eb3889dee164f09014380d7"
      },
      {
        "category": "External analysis",
        "comment": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820374",
        "to_ids": false,
        "type": "link",
        "uuid": "57aaf016-ade0-4582-afcc-4d4602de0b81",
        "value": "https://www.virustotal.com/file/4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea/analysis/1467970246/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820447",
        "to_ids": false,
        "type": "link",
        "uuid": "57aaf05f-b420-419c-bcc6-477d950d210f",
        "value": "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
      },
      {
        "category": "Payload installation",
        "comment": "Sample",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820582",
        "to_ids": true,
        "type": "filename|sha1",
        "uuid": "57aaf0e6-c11c-4aa5-99a0-4293950d210f",
        "value": "4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea|ea6d05abfce77d01a1a039c8bc97f973b6780f07"
      },
      {
        "category": "Payload installation",
        "comment": "Sample",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1470820583",
        "to_ids": true,
        "type": "filename|sha256",
        "uuid": "57aaf0e7-6fec-409e-9459-46ee950d210f",
        "value": "4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea|4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea"
      }
    ]
  }
}