{
  "Event": {
    "analysis": "1",
    "date": "2021-01-27",
    "extends_uuid": "",
    "info": "[Threat Intel] SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS",
    "protected": false,
    "publish_timestamp": "1772425121",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772425098",
    "uuid": "0f53028b-ce92-4eef-81ea-3926dcd89dcd",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cron - T1053.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launch Daemon - T1543.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launchd - T1053.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Setuid and Setgid - T1548.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1543.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"IRIDIUM\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PAS\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3600cf",
        "local": false,
        "name": "rectifyq:detection-rules=\"snort-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Exaramel (ELF)\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772265416",
        "to_ids": false,
        "type": "link",
        "uuid": "37761ec5-6614-4da7-b68c-fe81ce23a6d4",
        "value": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313672",
        "to_ids": false,
        "type": "snort",
        "uuid": "8b240d53-5122-4b13-8edc-c0eb3a357cb1",
        "value": "alert tcp any any -> any any ( sid:2000211001; msg:\"P.A.S. webshell - Password cookie\"; flow:established; content:\"g__g_=\"; http_cookie; offset:0; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313673",
        "to_ids": false,
        "type": "snort",
        "uuid": "96c5e4ea-09be-49b0-aad2-baae27ecf3f1",
        "value": "alert tcp any any -> any any ( sid:2000211002; msg:\"P.A.S. webshell - Password form var\"; flow:to_server,established; content:\"POST\"; http_method; content:\"g__g_=\"; http_cookie; http_client_body; offset:0; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "823641c2-7099-4a3b-bf9a-3d51072445b7",
        "value": "alert tcp any any -> any any ( sid:2000210001; msg:\"P.A.S. webshell - Explorer - download file\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fdw=%2F\"; http_client_body; offset:0)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "79934c2e-8cdc-4dba-9055-63c64293d44c",
        "value": "alert tcp any any -> any any ( sid:2000210002; msg:\"P.A.S. webshell - Explorer - copy file\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fcf=%2F\"; http_client_body; offset:0)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "a2f9de08-98f1-4b80-b9ff-dd56586896c5",
        "value": "alert tcp any any -> any any ( sid:2000210003; msg:\"P.A.S. webshell - Explorer - move file\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fm=%2F\"; http_client_body; offset:0)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "5155ca46-cb4c-4d2c-a885-0c2b5b79abf2",
        "value": "alert tcp any any -> any any ( sid:2000210004; msg:\"P.A.S. webshell - Explorer - del file\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fd=%2F\"; http_client_body; offset:0)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "1f87ed67-4887-4417-8329-cf92439fbe05",
        "value": "alert tcp any any -> any any ( sid:2000210005; msg:\"P.A.S. webshell - Explorer - multi file download\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; content:\"&fdwa=Download\"; http_client_body; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "ddf1e592-5809-4a16-958d-ba2661f892a3",
        "value": "alert tcp any any -> any any ( sid:2000210006; msg:\"P.A.S. webshell - Explorer - multi file copy\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; content:\"&fca=Copy\"; http_client_body;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "9750fb0b-bf76-42fd-a2d3-1c7716b90e51",
        "value": "alert tcp any any -> any any ( sid:2000210007; msg:\"P.A.S. webshell - Explorer - multi file move\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; content:\"&fma=Move\"; http_client_body; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "4fcb0158-5a72-462e-9286-3661d8ef7bde",
        "value": "alert tcp any any -> any any ( sid:2000210008; msg:\"P.A.S. webshell - Explorer - multi file delete\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fc%5B%5D=%2F\"; http_client_body; offset:0; content:\"&fda=Delete\"; http_client_body; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313886",
        "to_ids": false,
        "type": "snort",
        "uuid": "2da6dbb1-9462-45a1-bc26-51ffc11bd34c",
        "value": "alert tcp any any -> any any ( sid:2000210009; msg:\"P.A.S. webshell - Explorer - paste\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fbp=Paste\"; http_client_body; offset:0; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313946",
        "to_ids": false,
        "type": "snort",
        "uuid": "6c14ea34-85a5-46b0-a658-4db6df124497",
        "value": "alert tcp any any -> any any ( sid:2000210010; msg:\"P.A.S. webshell - Searcher form parameters\"; flow:to_server,established; content:\"POST\"; http_method; content:\"fe=&fsr=\"; offset:0; fast_pattern; pcre:\"/fe=&fsr=[0-2]&fst=[0-2]&fsn=(\\*|[A-Za-z0-9 *._%-]+)&fsp=[A-Za-z0-9*._%-]+&fs=%3E&fss=.*/\";)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772313980",
        "to_ids": false,
        "type": "snort",
        "uuid": "9e399178-2c01-4e09-843c-476666c22bea",
        "value": "alert tcp any any -> any any ( sid:2000210011; msg:\"P.A.S. webshell - SQL-client connect parameters\"; flow:to_server,established; content:\"POST\"; http_method; content:\"sc%5Btp%5D=\"; offset:0; http_client_body; fast_pattern; pcre:\"/sc%5Btp%5D=(mysql|mssql|pg)&sc%5Bha%5D=/\"; http_client_body;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772314085",
        "to_ids": false,
        "type": "snort",
        "uuid": "ac3113f9-1dce-4c84-ba71-5b57ad63e093",
        "value": "alert tcp any any -> any any ( sid:2000210012; msg:\"P.A.S. webshell - Network Tools - Bind Port\"; flow:to_server,established; content:\"POST\"; http_method; content:\"pb=\"; offset:0; http_client_body; pcre:\"/pb=[0-9]{1,5}&nt=bp/\"; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772314085",
        "to_ids": false,
        "type": "snort",
        "uuid": "19a7973e-b6ee-44fc-b1f2-b34f463e5a3d",
        "value": "alert tcp any any -> any any ( sid:2000210013; msg:\"P.A.S. webshell - Network Tools - Back-connect\"; flow:to_server,established; content:\"POST\"; http_method; content:\"hbc=\"; offset:0; http_client_body; pcre:\"/hbc=[a-z0-9.-]{4,63}&pbc=[0-9]{1,5}&nt=bc/\"; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772314086",
        "to_ids": false,
        "type": "snort",
        "uuid": "8296c7b4-8577-46bd-9f42-051efce163e0",
        "value": "alert tcp any any -> any any ( sid:2000210014; msg:\"P.A.S. webshell - Network Tools - Port scanner\"; flow:to_server,established; content:\"POST\"; http_method; content:\"hs=\"; offset:0; http_client_body; pcre:\"/hs=[a-z0-9.-]{4,63}&pf=[0-9]{1,5}&pl=[0-9]{1,5}&sc=[0-9]{1,5}&nt=ps/\"; )"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772314138",
        "to_ids": false,
        "type": "snort",
        "uuid": "a570797c-102a-499f-a866-252efa2465ef",
        "value": "alert tcp any any -> any any ( sid:2000210015; msg:\"P.A.S. webshell - passwd BruteForce form parameters\"; flow:to_server,established; content:\"POST\"; http_method; content:\"br=&brp%5B%5D=\"; http_client_body; fast_pattern; pcre:\"/br=&brp%5B%5D=[hfmysp]&h%5B[hfmysp]%5D=.{1,64}&p%5B[hfmysp]%5D=[0-9]{1,5}/\"; http_client_body;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772314170",
        "to_ids": false,
        "type": "snort",
        "uuid": "b208769a-ccd2-4ea9-b71e-3b7583d9db35",
        "value": "alert tcp any any -> any any ( sid:2000210016; msg:\"P.A.S. webshell - Bind shell session\"; content:\"Hello from P.A.S. Bind Port\"; )\r\nalert tcp any any -> any any ( sid:2000210017; msg:\"P.A.S. webshell - Reverse shell session\"; content:\"Hello from P.A.S. BackConnect\"; )"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772328608",
        "to_ids": false,
        "type": "link",
        "uuid": "8d821042-87f2-4ee2-a2bf-fc5e3ac48dbc",
        "value": "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-002"
      },
      {
        "category": "External analysis",
        "comment": "Cert-IST Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772328659",
        "to_ids": false,
        "type": "comment",
        "uuid": "18e0f9a4-bade-4705-b357-ce445a638ea9",
        "value": "These IOCs come from an ANSSI report (CERTFR-2021-CTI-004; see also the CERTFR-2021-CTI-005 PDF and the CERTFR-2021-IOC-002 page linked in this event), published on February 15, 2021, which documents a campaign of system compromises that impacted several French entities. This campaign targeted the Centreon IT monitoring software.\r\n\r\nThe first compromises identified by ANSSI date back to the end of 2017 and the attacks continued until 2020. They mainly affected IT service providers, particularly web hosting providers.\r\n\r\nOn the compromised systems, the P.A.S. webshell (alias Fobushell) is deployed in the Centreon web folder. Its content remains encrypted until the attacker connects to it and supplies the right password; the Snort signatures in this event key on the \"g__g_=\" password cookie / POST form variable used for that step.\r\n\r\nIn several cases, this webshell has been used to deploy the Exaramel backdoor. This malware, written in Go, is also deployed in the Centreon directory and its persistence is ensured via a scheduled task (Cron); the ANSSI YARA rules in this event additionally cover systemd, upstart and SysV init persistence files that pose as a syslog daemon, so those locations should be checked as well.\r\n\r\nThe initial vector of this attack campaign is not precisely known. It can only be assumed that it involves the exploitation of a vulnerability or a weakness in the Centreon monitoring software.\r\n\r\nThe analysis identified two categories of infrastructure used in these attacks:\r\n\r\n\r\n\tAnonymization infrastructure: attackers use Tor or VPN services to connect to the webshells,\r\n\tCommand and control infrastructure: attackers use dedicated servers to manage the implants.\r\n\r\n\r\nNote: Exaramel communicates with its command and control servers via HTTPS.\r\n\r\nWARNING: although the report title refers to the \"Sandworm intrusion set\", ANSSI does not attribute these attacks to the Sandworm group (alias Telebots) as an organisation, and even less to a Russian intelligence unit. The similarities observed relate to the modus operandi: in particular the Exaramel backdoor and some infrastructure elements. On the sole reading of the ANSSI report, these elements of similarity actually seem rather weak; the Sandworm / IRIDIUM threat-actor tags on this event should therefore be read as TTP overlap rather than confirmed attribution."
      },
      {
        "category": "Other",
        "comment": "Cert-IST First Seen Date",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772328761",
        "to_ids": false,
        "type": "datetime",
        "uuid": "987e776a-5250-4a73-86a6-75f314a6dade",
        "value": "2017-10-31T23:00:00+00:00"
      },
      {
        "category": "Other",
        "comment": "Cert-IST First Disclosed Date",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772328753",
        "to_ids": false,
        "type": "datetime",
        "uuid": "b9dd4967-7548-41b5-9d1b-68a0b69a88d3",
        "value": "2021-01-26T23:00:00+00:00"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772266616",
        "uuid": "10d1611c-2efa-4bf1-b21d-98cb6d44c9c4",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772266616",
            "to_ids": false,
            "type": "text",
            "uuid": "22b5dff4-90f8-4503-8b99-047172fbac32",
            "value": "PAS_webshell"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772266616",
            "to_ids": false,
            "type": "comment",
            "uuid": "5528504a-4dfa-4330-8025-c7bf2ac974f3",
            "value": "Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-2029 (Grizzly Steppe)"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772266616",
            "to_ids": true,
            "type": "yara",
            "uuid": "179ce6b5-d873-45e2-b300-b11df1d3df72",
            "value": "rule PAS_webshell {\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Detects P.A.S. PHP webshell - Based on DHS/FBI JAR-16-2029 (Grizzly Steppe)\"\r\n\t\tTLP = \"White\"\r\n\tstrings:\r\n\t\t$php = \"<?php\"\r\n\t\t$base64decode = /='base'\\.\\(\\d+(\\*|\\/)\\d+\\)\\.'_de'\\.'code'/\r\n\t\t$strreplace = \"(str_replace(\"\r\n\t\t$md5 = \".substr(md5(strrev($\" nocase\r\n\t\t$gzinflate = \"gzinflate\"\r\n\t\t$cookie = \"_COOKIE\"\r\n\t\t$isset = \"isset\"\r\n\tcondition:\r\n\t\t(filesize > 20KB and filesize < 200KB) and\r\n\t\t#cookie == 2 and\r\n\t\t#isset == 3 and\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772266694",
        "uuid": "04fc7ec8-b574-4592-8e80-ad8d1fa49acc",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772266694",
            "to_ids": false,
            "type": "text",
            "uuid": "13128ab3-e553-4034-a1d8-0c2f130643d9",
            "value": "PAS_webshell_ZIPArchiveFile"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772266694",
            "to_ids": false,
            "type": "comment",
            "uuid": "46b2c9a8-f8aa-4e32-b8c7-ac74a76dbd13",
            "value": "Detects an archive file created by P.A.S. for download operation"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772266694",
            "to_ids": true,
            "type": "yara",
            "uuid": "b5694c34-975f-4510-a6d0-9f88d451cc34",
            "value": "rule PAS_webshell_ZIPArchiveFile {\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Detects an archive file created by P.A.S. for download operation\"\r\n\t\tTLP = \"White\"\r\n\tstrings:\r\n\t$ = /Archive created by P\\.A\\.S\\. v.{1,30}\\nHost: : .{1,200}\\nDate : [0-9]{1,2}-[0-9]{1,2}-[0-9]{4}/\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772266772",
        "uuid": "204f11b6-17df-4403-bfef-d3cfae1bec36",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772266772",
            "to_ids": false,
            "type": "text",
            "uuid": "4126b5e9-f502-4c5d-9999-cde7beacbdeb",
            "value": "PAS_webshell_PerlNetworkScript"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772266772",
            "to_ids": false,
            "type": "comment",
            "uuid": "f5aed712-c7f2-4997-a8e4-dfef76692179",
            "value": "Detects Perl scripts created by the P.A.S. webshell to support its network functionalities (bind port / back-connect helpers)"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772266772",
            "to_ids": true,
            "type": "yara",
            "uuid": "f35d4d58-4aff-4eb4-b450-f3c88b1944fd",
            "value": "rule PAS_webshell_PerlNetworkScript {\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Detects PERL scripts created by P.A.S. webshell to supports network functionnalities\"\r\n\t\tTLP = \"White\"\r\n\tstrings:\r\n\t\t$pl_start = \"#!/usr/bin/perl\\n$SIG{'CHLD'}='IGNORE'; use IO::Socket; use FileHandle;\"\r\n\t\t$pl_status = \"$o=\\\" [OK]\\\";$e=\\\" Error: \\\"\"\r\n\t\t$pl_socket = \"socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print \\\"$l$e$!$l\"\r\n\t\t$msg1 = \"print \\\"$l OK! I\\\\'m successful connected.$l\\\"\"\r\n\t\t$msg2 = \"print \\\"$l OK! I\\\\'m accept connection.$l\\\"\"\r\n\tcondition:\r\n\t\tfilesize < 6000 and\r\n\t\t($pl_start at 0 and all of ($pl*)) or\r\n\t\tany of ($msg*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772266829",
        "uuid": "0fb364a4-bf4d-43c4-80ff-0990c0c11438",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772266829",
            "to_ids": false,
            "type": "text",
            "uuid": "9508a099-6753-419c-9383-1ea94de07665",
            "value": "PAS_webshell_SQLDumpFile"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772266829",
            "to_ids": false,
            "type": "comment",
            "uuid": "5a438af8-18fb-4974-8a77-e41c4b0b1a73",
            "value": "Detects SQL dump file created by P.A.S. webshell"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772266829",
            "to_ids": true,
            "type": "yara",
            "uuid": "abc9769d-d2a9-4c49-b6b4-bdb174cd3c4e",
            "value": "rule PAS_webshell_SQLDumpFile {\r\n\tmeta:\r\n\t\tauthor = \"FR/ANSSI/SDO\"\r\n\t\tdescription = \"Detects SQL dump file created by P.A.S. webshell\"\r\n\t\tTLP = \"White\"\r\n\tstrings:\r\n\t\t$ = \"-- [ SQL Dump created by P.A.S. ] --\"\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772328366",
        "uuid": "2f2981c8-85be-4de0-8b8f-b8f454d98597",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772328366",
            "to_ids": false,
            "type": "text",
            "uuid": "ee453e0b-9acb-46dc-9308-3636a86b36f7",
            "value": "exaramel"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772328366",
            "to_ids": false,
            "type": "comment",
            "uuid": "4f01478f-0146-45a7-8250-2c862d8247c1",
            "value": "ANSSI (FR/ANSSI/SDO) YARA rule set for the Exaramel (ELF) backdoor: configuration file name, key and content, persistence files (systemd, upstart, SysV), the /tmp/.applocktx socket path, C2 task names, Go struct signatures and misc strings. Note that the configuration key / ciphertext rules are, per their own descriptions, specific to sample e1ff72[...] and may not match other builds."
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772328366",
            "to_ids": true,
            "type": "yara",
            "uuid": "274b91db-c31c-4ad4-a256-82075237b3ac",
            "value": "/* configuration file */\r\nrule exaramel_configuration_key {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Encryption key for the configuration file in sample e1ff72[...]\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"odhyrfjcnfkdtslt\"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_configuration_name_encrypted {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Name of the configuration file in sample e1ff72[...]\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"configtx.json\"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_configuration_file_plaintext {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Content of the configuration file (plaintext)\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = /{\"Hosts\":\\[\".{10,512}\"\\],\"Proxy\":\".{0,512}\",\"Version\":\".{1,32}\",\"Guid\":\"/\r\n\r\ncondition:\r\nall of them\r\n}\r\nrule exaramel_configuration_file_ciphertext {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Content of the configuration file (encrypted with key odhyrfjcnfkdtslt, sample e1ff72[...]\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = {6F B6 08 E9 A3 0C 8D 5E DD BE D4} // encrypted with key odhyrfjcnfkdtslt\r\ncondition:\r\n\tall of them\r\n}\r\n\r\n/* persistence */\r\nprivate rule exaramel_persistence_file_systemd {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Beginning of the file /etc/systemd/system/syslogd.service created for persistence with systemd\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = /\\[Unit\\]\\nDescription=Syslog daemon\\n\\n\\[Service\\]\\nWorkingDirectory=.{1,512}\\nExecStartPre=\\/bin\\/rm\\-f \\/tmp\\/\\.applocktx\\n/\r\ncondition:\r\n\tall of them\r\n}\r\nprivate rule exaramel_persistence_file_upstart {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Part of the file /etc/init/syslogd.conf created for persistence with upstart\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = /start on runlevel \\[2345\\]\\nstop on runlevel 
\\[06\\]\\n\\nrespawn\\n\\nscript\\nrm \\-f \\/tmp\\/\\.applocktx\\nchdir/\r\ncondition: \r\n\tall of them\r\n}\r\nprivate rule exaramel_persistence_file_systemv {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Part of the file /etc/init.d/syslogd created for persistence with upstart\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"# Short-Description: Syslog service for monitoring \\n### END INIT INFO\\n\\nrm -f /tmp/.applocktx && cd \"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_persistence_file {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"File created for persistence. Depends on the environment\"\r\n\tTLP = \"White\"\r\ncondition:\r\n\texaramel_persistence_file_systemd or exaramel_persistence_file_upstart or exaramel_persistence_file_systemv\r\n}\r\n\r\n/* misc */\r\nrule exaramel_socket_path {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Path of the unix socket created to prevent concurrent executions\"\r\n\tTLP = \"White\"\r\nstrings:\r\n$ = \"/tmp/.applocktx\"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_task_names {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Name of the tasks received by the CC\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"App.Delete\"\r\n\t$ = \"App.SetServer\"\r\n\t$ = \"App.SetProxy\"\r\n\t$ = \"App.SetTimeout\"\r\n\t$ = \"App.Update\"\r\n\t$ = \"IO.ReadFile\"\r\n\t$ = \"IO.WriteFile\"\r\n\t$ = \"OS.ShellExecute\"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_struct {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Beginning of type _type struct for some of the most important structs\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$struct_le_config = {70 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 47 2d 28 42 0? [2] 19}\r\n\t$struct_le_worker = {30 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 46 6a 13 e2 0? [2] 19}\r\n\t$struct_le_client = {20 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 7b 6a 49 84 0? 
[2] 19}\r\n\t$struct_le_report = {30 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 bf 35 0d f9 0? [2] 19}\r\n\t$struct_le_task = {50 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 88 60 a1 c5 0? [2] 19}\r\ncondition:\r\nany of them\r\n}\r\nprivate rule exaramel_strings_url {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Misc strings coming from URL parts\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$url1 = \"/tasks.get/\"\r\n\t$url2 = \"/time.get/\"\r\n\t$url3 = \"/time.set\"\r\n\t$url4 = \"/tasks.report\"\r\n\t$url5 = \"/attachment.get/\"\r\n\t$url6 = \"/auth/app\"\r\ncondition:\r\n\t5 of ($url*)\r\n}\r\nprivate rule exaramel_strings_typo {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Misc strings with typo\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$typo1 = \"/sbin/init | awk \"\r\n\t$typo2 = \"Syslog service for monitoring \\n\"\r\n\t$typo3 = \"Error.Can't update app! Not enough update archive.\"\r\n\t$typo4 = \":\\\"metod\\\"\"\r\ncondition:\r\n\t3 of ($typo*)\r\n}\r\nprivate rule exaramel_strings_persistence {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Misc strings describing persistence methods\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"systemd\"\r\n\t$ = \"upstart\"\r\n\t$ = \"systemV\"\r\n\t$ = \"freebsd rc\"\r\ncondition:\r\n\tall of them\r\n}\r\nprivate rule exaramel_strings_report {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Misc strings coming from report file name\"\r\n\tTLP = \"White\"\r\nstrings:\r\n\t$ = \"systemdupdate.rep\"\r\n\t$ = \"upstartupdate.rep\"\r\n\t$ = \"remove.rep\"\r\ncondition:\r\n\tall of them\r\n}\r\nrule exaramel_strings {\r\nmeta:\r\n\tauthor = \"FR/ANSSI/SDO\"\r\n\tdescription = \"Misc strings including URLs, typos, supported startup systems and report file names\"\r\n\tTLP = \"White\"\r\ncondition:\r\n\texaramel_strings_typo or (exaramel_strings_url and\r\n\texaramel_strings_persistence) or (exaramel_strings_persistence and\r\n\texaramel_strings_report) or 
(exaramel_strings_url and\r\n\texaramel_strings_report)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772349600",
        "uuid": "c9de2d73-8f87-4e99-b65b-2ee138aa82da",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Exaramel backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772349600",
            "to_ids": true,
            "type": "md5",
            "uuid": "a0dfb814-9694-4dda-a4b2-5fbaa4c0b9d8",
            "value": "8eff45383a7a0c6e3ea6d526a599610d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Exaramel backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349563",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0494e159-198e-489c-9855-09c519be7580",
            "value": "f74ea45ad360c8ef8db13f8e975a5e0d42e58732",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Exaramel backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349564",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4af15d52-e5bd-4911-bb37-4011671795f1",
            "value": "c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349029",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8564115b-06a5-4be9-ab80-87e8b975eb73",
            "value": "49152:xxhIX7oZLo++KYLEMEBkAIc5sbAhIwLtd7TXlX/8/gowjA3yQmjIqKKaHYjbXSic:Hc7Ko7lLe7+oUcfjIqm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349029",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "31d57471-73e3-427b-ba08-cb1497864cb5",
            "value": "6469139"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772349029",
            "to_ids": true,
            "type": "vhash",
            "uuid": "264d69f0-8332-4d97-bc23-9d1c40875f49",
            "value": "4124a8e4149e19d1fbefb0214a3420af"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349029",
            "to_ids": true,
            "type": "filename",
            "uuid": "b85d2345-a8ec-4fa6-b217-5eb95d378fd8",
            "value": "ntdll.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349029",
            "to_ids": false,
            "type": "text",
            "uuid": "bd117fd2-26fb-4a7e-83c8-2731c3c6bb55",
            "value": "Exaramel backdoor\nType Description: ELF\nMicrosoft: Backdoor:Linux/Exaramel.A!MTB\nVT Total Detection: 37/66\nFirst Submission: 2019-10-22T07:28:43.000000+00:00\nLast Submission: 2024-09-28T12:58:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772349621",
        "uuid": "69b5d6e8-d65b-4b08-bdcc-57c50f39224b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Linux/Exaramel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772349621",
            "to_ids": true,
            "type": "md5",
            "uuid": "818bd8e9-da6d-4fe4-89a6-a81e6fa439c7",
            "value": "92ef0aaf5f622b1253e5763f11a08857",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Linux/Exaramel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349565",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b49d9320-5aa6-4c5b-9ac0-c08dacce251e",
            "value": "a739f44390037b3d0a3942cd43d161a7c45fd7e7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Linux/Exaramel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349565",
            "to_ids": true,
            "type": "sha256",
            "uuid": "80d07aed-e356-45b5-963d-b58e14fe8e10",
            "value": "e1ff729f45b587a5ebbc8a8a97a7923fc4ada14de4973704c9b4b89c50fd1146",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349050",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4d53485a-118b-4df3-9209-beb07796170f",
            "value": "49152:unp3T7oFqipheyWxmuo/QGc6O1+CfmgArKzy7s3koxcKgScnef3V+5uyQmjUqKKm:6F7GpEXxl5pMr5PjUqE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349050",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5c583f3a-8d15-4e91-ad1c-e22c2bb94bb0",
            "value": "6469139"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772349050",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fb6c26a5-2e57-40dc-97ea-52366f65af85",
            "value": "4124a8e4149e19d1fbefb0214a3420af"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349050",
            "to_ids": true,
            "type": "filename",
            "uuid": "43279708-3da1-4846-8173-81db61094825",
            "value": "exaramel"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349050",
            "to_ids": false,
            "type": "text",
            "uuid": "5afe9b77-aebb-4f7f-8d12-fca668d26e87",
            "value": "Linux/Exaramel\nType Description: ELF\nMicrosoft: Trojan:Linux/Multiverze\nVT Total Detection: 35/65\nFirst Submission: 2022-03-29T14:53:36.000000+00:00\nLast Submission: 2023-03-07T17:29:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772425013",
        "uuid": "d0b7c22c-22e8-48a6-bc0d-aa20a101f40f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SetUID binary; no sample in VT\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772424981",
            "to_ids": true,
            "type": "md5",
            "uuid": "d93dc687-f648-4313-90f9-b3b3e5a47ce8",
            "value": "9885fcdda12167b2f598b2d22de07d5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772425003",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4de23b7a-bd1b-49bc-b16d-844abbdd2e4d",
            "value": "5a58e46e5b8f468445f848f8eca741eddebcef3e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772425013",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44ab119a-bc2e-42d9-8c56-71f7dcf66ad6",
            "value": "ebe98d5e1ab6966ec1e292fafbd5ef21c2b15bd7c7bb871d8e756971b8b6877a"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772425072",
        "uuid": "7e83f029-93cc-4328-b869-f1dc90e7b9fe",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "P.A.S. webshell with CRLF line endings; no sample in VT\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772425041",
            "to_ids": true,
            "type": "md5",
            "uuid": "11bf5268-0288-46c2-a0ce-7e20a8b0e94c",
            "value": "a89251cd4c15909a8e15256ead40584e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772425061",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9045a3ed-7f81-448a-bf1e-a8db68f637dd",
            "value": "b7afb8c91f8f9df4f18764c25251576a0f8bef6f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772425072",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b8c3bea1-dd94-437a-a01c-5fba7872d69d",
            "value": "928d8dde63b0255feffc3d03db30aa76f7ed8913238321cc101083c2c5056ffa"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772425098",
        "uuid": "387baf62-3cf2-43ab-b3fa-13674d87058d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "P.A.S. webshell; no sample in VT\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772425051",
            "to_ids": true,
            "type": "md5",
            "uuid": "71a2b7be-2e57-45f7-9ad6-ee09e15c471f",
            "value": "84837778682450cdca43d1397afd2310",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772425084",
            "to_ids": true,
            "type": "sha1",
            "uuid": "882d964a-bee1-4ada-b25e-40406cef551d",
            "value": "c69db1b120d21bd603f13006d87e817fed016667"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772425098",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d18e4cb2-9a75-4362-a3fc-59b21f5e39a3",
            "value": "893750547255b848a273bd1668e128a5e169011e79a7f5c7bb86cc5d7b2153bc"
          }
        ]
      }
    ]
  }
}