{
  "Event": {
    "analysis": "2",
    "date": "2018-09-17",
    "extends_uuid": "",
    "info": "[Threat Intel] TR-2018-25: PHISHING CAMPAIGN TARGETING ELECTRIC UTILITY COMPANIES",
    "protected": false,
    "publish_timestamp": "1772423287",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772423283",
    "uuid": "229e949b-88b8-4351-8b4c-9d3f134af1a8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#FFC000",
        "local": false,
        "name": "tlp:amber",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Dragos\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Gozi\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Snifula\"",
        "relationship_type": ""
      },
      {
        "colour": "#dff146",
        "local": false,
        "name": "IT-impact-ICS",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772232757",
        "to_ids": false,
        "type": "link",
        "uuid": "74bd17e2-46d4-4c20-a908-f846ad95c757",
        "value": "http://web.archive.org/web/20210925003920/https://www.dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252630",
        "to_ids": true,
        "type": "domain",
        "uuid": "362f24f2-8467-45b1-af29-6af52b0ab6a1",
        "value": "aosudbqihwbemmnn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252652",
        "to_ids": true,
        "type": "domain",
        "uuid": "889cd35f-0bd7-4aba-bb3b-f7a48e0e5464",
        "value": "nasjduqwneqweasc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252674",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a7ec7f5-f5e5-48cf-b023-b48731d6968f",
        "value": "sale-fisher.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252695",
        "to_ids": true,
        "type": "domain",
        "uuid": "1c62775f-d3af-4a2e-88b0-cfba3c5c4a0f",
        "value": "chernitagotothea.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423283",
        "to_ids": true,
        "type": "url",
        "uuid": "1bfa7b9c-e607-41eb-bdb3-939c69c39704",
        "value": "http://treenosanywork.com/YUY/huonasdh.php?",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252738",
        "to_ids": true,
        "type": "domain",
        "uuid": "0f0c2c19-07ce-451b-9e84-9ebee6191bf4",
        "value": "klockodicki.ca",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252760",
        "uuid": "bdfbeded-e75d-4469-a2b2-2b240874746b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "initial malicious document identified",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252760",
            "to_ids": true,
            "type": "md5",
            "uuid": "fb9315be-7ab7-447f-9f99-c2f2139e38b5",
            "value": "8b82e654e3bf51311c7db244e7013057",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "initial malicious document identified",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252628",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6a19e52a-3aa7-4ef5-ba88-7a432aef748f",
            "value": "3a9876ec9541a7874f757f9b882871dd27ec2c8c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "initial malicious document identified",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252628",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1d2ff926-5ebe-4a0b-82a3-db4aa888c5cd",
            "value": "71ca05b691c5f42b94c9af35242d95325a571293246415cec9d547a00a9968c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772252603",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "991877bc-0f39-4fc4-b207-cf4cb927041c",
            "value": "3072:J3NX1ESBVes3HqcYg29vtVqQ+SOdBLTzbMC2KDXS6nus75cXAagPO:J91E4cFySOPgdEjv75cX8P"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772252603",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2cfb7c49-7233-4622-a49d-d53578345554",
            "value": "231936"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772252603",
            "to_ids": true,
            "type": "vhash",
            "uuid": "973ad6db-3021-4da4-be5d-a5a668fe9548",
            "value": "0c7ac4557533a8de93cb7841d43fe45f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772252603",
            "to_ids": true,
            "type": "filename",
            "uuid": "5594600d-b1d9-4cfb-882d-0ef71d14a1db",
            "value": "8b82e654e3bf51311c7db244e7013057-doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan: 26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772252603",
            "to_ids": false,
            "type": "text",
            "uuid": "8bbdd43f-bacf-4673-ba99-2392d612b93e",
            "value": "initial malicious document identified\nType Description: MS Word Document\nMicrosoft: Trojan:VBA/Downldr.ARO!eml\nVT Total Detection: 44/64\nFirst Submission: 2018-08-30T09:34:21.000000+00:00\nLast Submission: 2018-09-10T21:39:40.000000+00:00"
          }
        ]
      }
    ]
  }
}