{
  "Event": {
    "analysis": "1",
    "date": "2024-11-25",
    "extends_uuid": "",
    "info": "[Threat Intel] Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions",
    "protected": false,
    "publish_timestamp": "1780496833",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780496685",
    "uuid": "05866c45-7c9e-4481-ae50-60471a9c91ed",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"self-curated\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#86e845",
        "local": false,
        "name": "misp-galaxy:target-information=\"Afghanistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#c94db5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brazil\"",
        "relationship_type": ""
      },
      {
        "colour": "#098efb",
        "local": false,
        "name": "misp-galaxy:target-information=\"British Indian Ocean Territory\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#35a578",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Africa\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Earth Estries\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Chemical\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Consulting\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"NGO\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Technology\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Telecoms\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Transport\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-tool=\"PsExec - S0029\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Swaziland\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00dd",
        "local": false,
        "name": "rectifyq:action-taken=\"diamond-model\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"china\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MASOL\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SNAPPYBEE\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "link",
        "uuid": "701f55d1-a8fb-41a5-a41f-bd572abddc51",
        "value": "https://www.trendmicro.com/en_us/research/24/k/earth-estries.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "link",
        "uuid": "b1869fb5-a647-40bf-96f0-e20333f94573",
        "value": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/earth-estries/IOC_list-EarthEstries.txt"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "text",
        "uuid": "feb94a04-7972-4ab0-928a-2cf711ed8782",
        "value": "Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023. The group employs advanced techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, to compromise organizations in telecommunications, government, and other industries across various countries. Their sophisticated attacks exploit server vulnerabilities for initial access and use living-off-the-land binaries for lateral movement. Earth Estries has successfully infiltrated over 20 organizations, demonstrating a complex C&C infrastructure and possible shared tools with other Chinese APT groups. The group's operations involve long-term espionage activities, targeting not only critical services but also vendor networks to facilitate broader access."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "text",
        "uuid": "d28ab3e9-f5a5-45ed-a09a-b00c3498af9d",
        "value": "Name: Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions\nAuthor: AlienVault\nAdversary: Earth Estries\nTags: [\"chinese apt\", \"demodex\", \"crowdoor\", \"masol rat\", \"telecommunications\", \"sparrowdoor\", \"snappybee\", \"government\"]\nTargeted countries: [\"Afghanistan\", \"Brazil\", \"Eswatini\", \"British Indian Ocean Territory\", \"India\", \"Indonesia\", \"Malaysia\", \"Pakistan\", \"Philippines\", \"South Africa\", \"Taiwan\", \"Thailand\"]\nMalware families: [\"GHOSTSPIDER\", \"SNAPPYBEE\", \"MASOL RAT\", \"DEMODEX\", \"SparrowDoor\", \"CrowDoor\"]\nAttack_ids: [\"T1132.001\", \"T1003\", \"T1133\", \"T1082\", \"T1053\", \"T1140\", \"T1190\", \"T1055\", \"T1021.002\", \"T1112\", \"T1505.003\", \"T1016\", \"T1083\", \"T1059.001\", \"T1078\", \"T1068\", \"T1027\", \"T1102.002\", \"T1573.002\", \"T1071.001\"]\nIndustries: [\"Telecommunications\", \"Government\", \"Technology\", \"Consulting\", \"Chemical\", \"Transportation\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780384679",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "f01433a3-396a-4671-bb6a-3bc4524d363b",
        "value": "Earth Estries",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"Earth Estries\"",
            "relationship_type": ""
          },
          {
            "colour": "#717bc3",
            "local": false,
            "name": "misp-galaxy:producer=\"Trend Micro\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4e7a387e-0d1f-474b-b912-ede842f2a809",
        "value": "CVE-2021-26855"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "74ed427e-6930-4d5a-b936-832d9591b382",
        "value": "CVE-2021-26857"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "eec21528-3659-499d-92ae-4994cfd0dd8c",
        "value": "CVE-2021-26858"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "87a23c09-c142-4629-b15a-9edba8025d3c",
        "value": "CVE-2021-27065"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "469c8b07-2d78-4177-94c0-21eb4dbd813d",
        "value": "CVE-2022-3236"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2ee820e7-938e-4c2b-948d-c870110fce43",
        "value": "CVE-2023-46805"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "d485302c-988a-483c-821a-a63d3f591476",
        "value": "CVE-2023-48788"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736659573",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4249cdc1-0801-4516-bc70-e412510554be",
        "value": "CVE-2024-21887"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039165",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5c5a408d-44b3-41f6-909b-95376635aa75",
        "value": "103.91.64.214",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (frpc)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039166",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1bb1d3a6-b7e3-44a9-b62b-99014465eb4d",
        "value": "165.154.227.192",
        "Tag": [
          {
            "colour": "#76b345",
            "local": false,
            "name": "asn:asn=\"142002\"",
            "relationship_type": ""
          },
          {
            "colour": "#2ff8a8",
            "local": false,
            "name": "asn:as-owner=\"SCLOUDPTELTD-AS Scloud Pte Ltd\"",
            "relationship_type": ""
          },
          {
            "colour": "#d906de",
            "local": false,
            "name": "asn:as-country=\"SG\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"singapore\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (Open directory C&C)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039168",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8048a561-337c-4d33-887a-675a49d6cdbf",
        "value": "23.81.41.166",
        "Tag": [
          {
            "colour": "#dd9023",
            "local": false,
            "name": "asn:asn=\"134351\"",
            "relationship_type": ""
          },
          {
            "colour": "#e0ee97",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-AS-AP Leaseweb Japan K.K.\"",
            "relationship_type": ""
          },
          {
            "colour": "#bab83b",
            "local": false,
            "name": "asn:as-country=\"JP\"",
            "relationship_type": ""
          },
          {
            "colour": "#e8b447",
            "local": false,
            "name": "misp-galaxy:country=\"japan\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (SNAPPYBEE)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039170",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "59806813-5465-49c0-8f6d-a8996dfd9001",
        "value": "158.247.222.165",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (related C&C)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039172",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9c77f154-fda3-47c6-89ed-1fe703b4bf37",
        "value": "172.93.165.14",
        "Tag": [
          {
            "colour": "#567db4",
            "local": false,
            "name": "asn:asn=\"9312\"",
            "relationship_type": ""
          },
          {
            "colour": "#c4d3e5",
            "local": false,
            "name": "asn:as-owner=\"XTOM xTom\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (SNAPPYBEE)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039173",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3b086d6f-54af-4549-aca8-4d35edea6b17",
        "value": "91.245.253.27",
        "Tag": [
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (related C&C)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039177",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5b3a4871-6ef5-4b24-8e75-1de1f7243809",
        "value": "103.75.190.73",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039179",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bc75af42-a101-438a-ae90-c8ba77ffecf4",
        "value": "45.125.67.144",
        "Tag": [
          {
            "colour": "#70bd37",
            "local": false,
            "name": "asn:asn=\"133398\"",
            "relationship_type": ""
          },
          {
            "colour": "#91ffab",
            "local": false,
            "name": "asn:as-owner=\"TELE-AS Tele Asia Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039181",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0871054e-fcc0-4452-b1d6-341db7826d00",
        "value": "43.226.126.164",
        "Tag": [
          {
            "colour": "#dd0399",
            "local": false,
            "name": "asn:asn=\"152194\"",
            "relationship_type": ""
          },
          {
            "colour": "#8c0628",
            "local": false,
            "name": "asn:as-owner=\"CTGSERVERLIMITED-AS-AP CTG Server Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039182",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e79f363c-3059-432f-91f8-ec980b3d1e62",
        "value": "172.93.165.10",
        "Tag": [
          {
            "colour": "#567db4",
            "local": false,
            "name": "asn:asn=\"9312\"",
            "relationship_type": ""
          },
          {
            "colour": "#c4d3e5",
            "local": false,
            "name": "asn:as-owner=\"XTOM xTom\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039187",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0b083fbf-57e3-46f9-93b5-c051ccfd4420",
        "value": "193.239.86.168",
        "Tag": [
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039189",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cd4b22de-00a0-407e-84b5-19d3182b6dd0",
        "value": "146.70.79.18",
        "Tag": [
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039190",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7080579f-dc84-45ad-8a24-5b6e746eeee7",
        "value": "146.70.79.105",
        "Tag": [
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039192",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "54ceb714-f3a7-4782-8056-ff5201e15e2c",
        "value": "205.189.160.3",
        "Tag": [
          {
            "colour": "#16c9e0",
            "local": false,
            "name": "asn:asn=\"133752\"",
            "relationship_type": ""
          },
          {
            "colour": "#3e7857",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-APAC-HKG-10 LEASEWEB HONG KONG LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039194",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2daab73a-51c6-4791-ab93-973830a8ed9b",
        "value": "96.9.211.27",
        "Tag": [
          {
            "colour": "#fbff18",
            "local": false,
            "name": "asn:asn=\"8888\"",
            "relationship_type": ""
          },
          {
            "colour": "#83da11",
            "local": false,
            "name": "asn:as-owner=\"XTOM xTom Pty Ltd\"",
            "relationship_type": ""
          },
          {
            "colour": "#7f61db",
            "local": false,
            "name": "asn:as-country=\"AU\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"australia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039195",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0f5017df-e86f-4877-abe9-fc83caab3687",
        "value": "43.226.126.165",
        "Tag": [
          {
            "colour": "#dd0399",
            "local": false,
            "name": "asn:asn=\"152194\"",
            "relationship_type": ""
          },
          {
            "colour": "#8c0628",
            "local": false,
            "name": "asn:as-owner=\"CTGSERVERLIMITED-AS-AP CTG Server Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039197",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a6bab968-8db0-407a-8ee2-2cb39bc6cb95",
        "value": "139.59.108.43",
        "Tag": [
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039199",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0a2e8d23-c3dd-413f-aa09-92eb10ffbdb6",
        "value": "185.105.1.243",
        "Tag": [
          {
            "colour": "#932b43",
            "local": false,
            "name": "asn:asn=\"199524\"",
            "relationship_type": ""
          },
          {
            "colour": "#568d89",
            "local": false,
            "name": "asn:as-owner=\"GCORE\"",
            "relationship_type": ""
          },
          {
            "colour": "#830a90",
            "local": false,
            "name": "asn:as-country=\"LU\"",
            "relationship_type": ""
          },
          {
            "colour": "#49384d",
            "local": false,
            "name": "misp-galaxy:country=\"luxembourg\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039200",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8f0416f7-454f-489e-80d0-fd949c3f4964",
        "value": "143.198.92.175",
        "Tag": [
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039202",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "74071587-9532-488a-a7e4-e3246769a11f",
        "value": "139.99.114.108",
        "Tag": [
          {
            "colour": "#21ca95",
            "local": false,
            "name": "asn:asn=\"16276\"",
            "relationship_type": ""
          },
          {
            "colour": "#983aa5",
            "local": false,
            "name": "asn:as-owner=\"OVH\"",
            "relationship_type": ""
          },
          {
            "colour": "#93736f",
            "local": false,
            "name": "asn:as-country=\"FR\"",
            "relationship_type": ""
          },
          {
            "colour": "#f6cea1",
            "local": false,
            "name": "misp-galaxy:country=\"france\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039204",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fd5ebb64-9e3f-4245-9373-20fbb9b082bf",
        "value": "139.59.236.31",
        "Tag": [
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039205",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1db9bd64-f6c2-4785-8d77-95429716e04c",
        "value": "104.194.153.65",
        "Tag": [
          {
            "colour": "#652a80",
            "local": false,
            "name": "asn:asn=\"14956\"",
            "relationship_type": ""
          },
          {
            "colour": "#9f7512",
            "local": false,
            "name": "asn:as-owner=\"ROUTERHOSTING\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (related C&C)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "domain",
        "uuid": "1149357c-3cac-404b-98af-0b43cfa8b6e0",
        "value": "materialplies.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (related C&C)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5f33c9af-10a7-4bc6-a154-136e6ad70f99",
        "value": "news.colourtinctem.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (SNAPPYBEE)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1c955a2d-8df6-4ee6-85d5-d802e4312cc7",
        "value": "api.solveblemten.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (SNAPPYBEE)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "614b4818-5e1f-4b88-9d65-81fd95d5b49a",
        "value": "esh.hoovernamosong.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Alpha (SoftEther VPN)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7076bd98-b20d-4504-a28e-483b2d1d5679",
        "value": "vpn114240349.softether.net"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4c7ab675-cfe5-429a-b922-3b2ab84524eb",
        "value": "imap.dateupdata.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "domain",
        "uuid": "8b1d9d51-cf29-4e78-9097-0be6e1c4216b",
        "value": "pulseathermakf.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (DEMODEX)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2d85cd4a-a5ab-4493-b332-37241dbf641b",
        "value": "www.infraredsen.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "59f06ddb-0df3-4a60-8877-53697d1afaa5",
        "value": "billing.clothworls.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "94e552d4-3cda-48ea-b945-0228eeedc19d",
        "value": "helpdesk.stnekpro.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7296201c-0a68-4acf-8961-2ef09c2945a6",
        "value": "jasmine.lhousewares.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "173007dc-391a-4962-9f1c-ff0ca2d05fca",
        "value": "private.royalnas.com"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (GHOSTSPIDER)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6767e157-70eb-4fa7-b7da-ac87be30d0de",
        "value": "telcom.grishamarkovgf8936.workers.dev"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (SoftEther VPN)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4b509f11-cec0-4dc4-b4d8-7b0f34d242e9",
        "value": "vpn305783366.softether.net"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (SoftEther VPN)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3ccec4c2-802c-4d4c-9f67-cd53471d304d",
        "value": "vpn487875652.softether.net"
      },
      {
        "category": "Network activity",
        "comment": "Campaign Beta (SoftEther VPN)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746084848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3d5ec43c-5fc8-41a1-bb9f-3572b93264e8",
        "value": "vpn943823465.softether.net"
      },
      {
        "category": "Payload delivery",
        "comment": "DEMODEX driver No sample in VT\r\nLast check:01/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746087303",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0c675b53-78d2-4c59-8efe-16f0b4faf581",
        "value": "16c8afd3b35c76a476851f4994be180f0cd72c7b250e493d3eb8c58619587266",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "DEMODEX loader No sample in VT\r\nLast check:01/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746087306",
        "to_ids": true,
        "type": "sha256",
        "uuid": "11d8913d-7a18-4806-998c-a964a300a03b",
        "value": "9ba31dc1e701ce8039a9a272ef3d55aa6df66984a322e0d309614a5655e7a85c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SNAPPYBEE loader No sample in VT\r\nLast check:01/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746087308",
        "to_ids": true,
        "type": "sha256",
        "uuid": "34673623-d734-4d93-8e1d-73f8d69249af",
        "value": "6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746085436",
        "to_ids": false,
        "type": "link",
        "uuid": "22a84be2-97e2-45f7-8213-85004fe0ecdd",
        "value": "https://x.com/_rectifyq/status/1861077973727895669"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770866495",
        "to_ids": false,
        "type": "comment",
        "uuid": "cd9c5166-e142-442d-9960-59514b1ca410",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/241125-Earth-Estries/67.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770866495",
        "to_ids": false,
        "type": "comment",
        "uuid": "45dc269c-23cb-416d-893b-fa30b02eb93c",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/241125-Earth-Estries/68.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770866495",
        "to_ids": false,
        "type": "comment",
        "uuid": "41b6345e-ed91-4eca-977a-c4036a8f2e1c",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/241125-Earth-Estries/69.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770866495",
        "to_ids": false,
        "type": "comment",
        "uuid": "58e10614-33eb-4ec8-923a-f643de27ac68",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/241125-Earth-Estries/70.png"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1746066638",
        "uuid": "732631b2-ef3b-4fb9-b1d3-889f9e807693",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1746066638",
            "to_ids": false,
            "type": "comment",
            "uuid": "92ea7a15-a6a1-43a5-a933-2da720afd2eb",
            "value": "Backdoor_GHOSTSPIDER_beacon_loader"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1746066638",
            "to_ids": true,
            "type": "yara",
            "uuid": "8f033ee6-7c37-4917-a49c-cd31cc5f2417",
            "value": "rule Backdoor_GHOSTSPIDER_beacon_loader\r\n{\r\n    meta:\r\n        author = \"Trend Micro Research\"\r\n\r\n    strings:\r\n        $clr = {\r\n\t\t\tC7 45 ?? 43 4C 52 43\r\n\t\t\tC7 45 ?? 72 65 61 74\r\n\t\t\tC7 45 ?? 65 49 6E 73\r\n\t\t\tC7 45 ?? 74 61 6E 63\r\n\t\t}\r\n\r\n        $chunk1 = {\r\n\t\t\tC1 EA ??\r\n\t\t\t0F B6 D2\r\n\t\t\t8B 34 95 ?? ?? ?? ??\r\n\t\t\t8B 55 ??\r\n\t\t\tC1 EA ??\r\n\t\t\t8B 14 95 ?? ?? ?? ??\r\n\t\t\tC1 E9 ??\r\n\t\t\t0F B6 F9\r\n\t\t\t33 34 BD ?? ?? ?? ??\r\n\t\t\t8B 7D ??\r\n\t\t\t89 75 ??\r\n\t\t\t31 55 ??\r\n\t\t\t0F B6 55 ??\r\n\t\t\t8B 75 ??\r\n\t\t\t33 34 95 ?? ?? ?? ??\r\n\t\t\t8B D3\r\n\t\t\t33 B0 ?? ?? ?? ??\r\n\t\t}\r\n\r\n        $chunk2 = {\r\n            41 0F B6 1B\r\n            41 8B C2\r\n            99\r\n            41 F7 F9\r\n            48 63 C2\r\n            0F B6 4C 05 ??\r\n            44 03 C1\r\n            44 03 C3\r\n        }\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n\t\tfilesize < 300KB and\r\n        (\r\n            $clr and any of ($chunk*)\r\n        )\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1746066638",
            "to_ids": false,
            "type": "text",
            "uuid": "650303b2-7d6f-43d0-bab8-6f498552d531",
            "value": "Backdoor_GHOSTSPIDER_beacon_loader"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1746066657",
        "uuid": "96e2f056-5b9c-408f-aa7b-bbc9e88a30b2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1746066657",
            "to_ids": false,
            "type": "comment",
            "uuid": "da3b032d-245a-468b-aae6-d0f1c874099a",
            "value": "Backdoor_GHOSTSPIDER_stager"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1746066657",
            "to_ids": true,
            "type": "yara",
            "uuid": "fb826b47-07bf-4118-a10d-4246e119ddb4",
            "value": "rule Backdoor_GHOSTSPIDER_stager\r\n{\r\n    meta:\r\n        author = \"Trend Micro Research\"\r\n\r\n    strings:\r\n        $s1 = \"new_comp\" ascii wide\r\n        $s2 = \"del_comp\" ascii wide\r\n        $s3 = \"new_client\" ascii wide\r\n        $s4 = \"del_client\" ascii wide\r\n        $s5 = \"new_base\" ascii wide\r\n        $s6 = \"del_base\" ascii wide\r\n        $cookie = \"phpsessid=%s; b=%d; path=/; expires=%s\" ascii wide\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize < 300KB and\r\n        (\r\n            $cookie and 2 of ($s*)\r\n        )\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1746066657",
            "to_ids": false,
            "type": "text",
            "uuid": "d6ebae42-0bc4-49b9-8bc3-8a9fac8540a7",
            "value": "Backdoor_GHOSTSPIDER_stager"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087288",
        "uuid": "8e1e2d26-53eb-4da6-bae1-0fec3ac36349",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087288",
            "to_ids": true,
            "type": "md5",
            "uuid": "5a7e9daa-4927-4c2c-ada8-e9eaa49fdfd8",
            "value": "8bd8506f6b1a80eea68e877fa81e267c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085470",
            "to_ids": true,
            "type": "sha1",
            "uuid": "10dbbe35-3daa-47e4-8739-e8ccab36a43d",
            "value": "b5367820cd32640a2d5e4c3a3c1ceedbbb715be2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085470",
            "to_ids": true,
            "type": "sha256",
            "uuid": "305841bd-989d-4d33-a835-434c70954fb2",
            "value": "fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085469",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4fbb4948-1032-44d8-af95-9485c7ccb113",
            "value": "48:igw4onN3wIyHnM8zwTeefXXDW7AreFtzwhJhohxP:zXIHOzAL8AreF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085469",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0599847a-a398-4378-853d-cae615b5946c",
            "value": "3584"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746085469",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9bac8851-8b2a-4870-ae3b-16c9fc3f9da9",
            "value": "133046651d051bz4?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085469",
            "to_ids": true,
            "type": "filename",
            "uuid": "f9f8f90a-5bdc-46e5-8ac0-59b566af4f94",
            "value": "WINMM.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan\t:  11/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085469",
            "to_ids": false,
            "type": "text",
            "uuid": "29b8480a-d5c0-44a9-8669-6a108e6c5296",
            "value": "SNAPPYBEE loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Znyonm\nVT Total Detection:51/72\nFirst Submission:2023-11-07T08:25:58.000000+00:00\nLast Submission:2024-05-04T21:28:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087290",
        "uuid": "3d73b2d3-b745-4565-86b8-2f1136bead12",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087290",
            "to_ids": true,
            "type": "md5",
            "uuid": "bd88744f-642b-4f40-956b-38b312214a37",
            "value": "334c9477f71802c57349a997b8bf6d61",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085491",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a70e3d53-ae32-442a-9a6f-7ef1155fc3c1",
            "value": "124f487ef0c4b009fc7b72577af4429fcaf74f79",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085492",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a369b947-36a3-472b-a40b-4f3a093e0a12",
            "value": "fba149eb5ef063bc6a2b15bd67132ea798919ed36c5acda46ee9b1118b823098",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085491",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0542fe43-5e6f-4b3d-aa9c-063c82aeeeba",
            "value": "3072:FyUuTjD9WgnEYtqlIOHYtSvbKl+gm34TtUCT0umdZobAh:F+HRW+EYtmI8YWxH4TO7i2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085491",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8a816c01-d719-461f-8ecb-a31f973bb129",
            "value": "128924"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085491",
            "to_ids": true,
            "type": "filename",
            "uuid": "65bd2ee2-edbd-4dab-9a5f-9b987c586cd6",
            "value": "NortonLog.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 21/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085491",
            "to_ids": false,
            "type": "text",
            "uuid": "48fd677c-15e1-4bba-9975-742f18c67ed6",
            "value": "SNAPPYBEE payload\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:23/61\nFirst Submission:2024-04-09T19:30:53.000000+00:00\nLast Submission:2024-04-10T03:44:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087292",
        "uuid": "e1878f52-fe14-4341-b774-8d7f5f1aaa11",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DEMODEX PowerShell dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087292",
            "to_ids": true,
            "type": "md5",
            "uuid": "c99d2f73-03ee-4ac5-8479-c813253c8d50",
            "value": "3f98cc479ee574320dc5dabb67c56c94",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DEMODEX PowerShell dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085513",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ae8436b2-5131-4f8f-b4d8-319a410b9999",
            "value": "e84821ba25852e32bf540a507dbfa8fb50d3e1ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DEMODEX PowerShell dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085513",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5e35f83a-b629-4823-8e75-ac106c4d5e52",
            "value": "2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085512",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "86f4dc97-b175-4be5-93ab-5ea7d8f684ac",
            "value": "49152:L0Qz8U9dg6k4vSeAJQJZzUksNL8Ael3jTdW3Ewgv:X"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085512",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8afbf8c0-37eb-48b6-8e70-dc9aa7469ff7",
            "value": "4125491"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746085512",
            "to_ids": true,
            "type": "vhash",
            "uuid": "23cf5bb2-9b5b-478c-be74-ea4ddacbf35b",
            "value": "16212d97b530f048eaa8c8c22a41ca55"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085512",
            "to_ids": true,
            "type": "filename",
            "uuid": "685698bd-8dce-40d5-afff-17033dc2eaa6",
            "value": "e84821ba25852e32bf540a507dbfa8fb50d3e1ff.rl"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 20/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085512",
            "to_ids": false,
            "type": "text",
            "uuid": "b9279ad3-b776-4e0d-a2ca-804ce389980e",
            "value": "DEMODEX PowerShell dropper\r\nType Description: Powershell\nMicrosoft: Trojan:PowerShell/Obfuscator!MSR\nVT Total Detection:23/62\nFirst Submission:2025-04-17T14:07:17.000000+00:00\nLast Submission:2025-04-17T14:07:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087294",
        "uuid": "c638d15a-388f-4f81-bee3-ef16413651a5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087294",
            "to_ids": true,
            "type": "md5",
            "uuid": "678a5c32-b7ee-415e-9bff-c15010b6b63e",
            "value": "505b55c2b68e32acb5ad13588e1491a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085579",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a565baee-a33f-47db-b773-4d12f5e520b2",
            "value": "9218e2c37c339527736cdc9d9aad88de728931a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085579",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e66982ea-9ddc-4881-91e1-3ac815cd2be3",
            "value": "25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085578",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a2d24a57-99e9-4ba2-86ab-f72a4048bd04",
            "value": "3072:lS4xNcfANGOTod1j1ripLdfXnu6+iS733aHQC2mCokXXOlzInVYZ/SeCN8hDwFn8:lZxNcoNsCcnaoHOlUn6HsTv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085578",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e7e0df86-5db4-410d-8777-13377425764b",
            "value": "220672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746085578",
            "to_ids": true,
            "type": "vhash",
            "uuid": "88967ec9-a42d-4eca-8c76-ad7b7fe5eda8",
            "value": "125046655d156038z4bvza6z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085578",
            "to_ids": true,
            "type": "filename",
            "uuid": "83b4a965-7c29-43da-bb51-c83b7438fabd",
            "value": "25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 01/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085578",
            "to_ids": false,
            "type": "text",
            "uuid": "8cca2635-001b-4e36-82bd-2043b2ce3045",
            "value": "SNAPPYBEE loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:50/72\nFirst Submission:2023-11-19T22:42:24.000000+00:00\nLast Submission:2025-02-03T19:24:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087297",
        "uuid": "05400b02-92be-4bf0-aa70-963fdf981d68",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087297",
            "to_ids": true,
            "type": "md5",
            "uuid": "adc8650c-bf92-4f38-a45f-e877f5ed8ebc",
            "value": "43f3f328248da7bda95407968604ff0b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085621",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9d92646e-3a14-4857-b072-c79c4289e038",
            "value": "7d9ea7c8934d293429103fd0f8f58b370bd1249b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085622",
            "to_ids": true,
            "type": "sha256",
            "uuid": "71d25b51-76da-4d37-aaad-b6fccea6b617",
            "value": "b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085621",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c34d2bff-4671-45ed-881e-8ad3359fd9cb",
            "value": "6144:aJG8G4Z2pZcMx+/HTAOx+CbWHlouxsMnWU:CFMZjxaMA+CbWHldW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085621",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c9fe7300-af45-40a1-820b-d5af09be9cea",
            "value": "261120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746085621",
            "to_ids": true,
            "type": "vhash",
            "uuid": "79ded695-e5e6-4726-9ab4-2f425820b9ca",
            "value": "125056655d15555038z4evza6z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085621",
            "to_ids": true,
            "type": "filename",
            "uuid": "0822aade-7b5e-498e-98a3-3368a95b7c8e",
            "value": "imfsbSvc.exe.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 26/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085621",
            "to_ids": false,
            "type": "text",
            "uuid": "06cc1ebb-a544-4c3e-abd2-0fd3f0604141",
            "value": "SNAPPYBEE loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:47/72\nFirst Submission:2024-01-23T08:55:50.000000+00:00\nLast Submission:2024-12-03T14:03:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087298",
        "uuid": "c1ee1f23-f10f-4771-b4c6-26b4a9521bb3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087298",
            "to_ids": true,
            "type": "md5",
            "uuid": "fb162c27-dcf5-4133-86fd-75f8fd543451",
            "value": "45d7997340065904ae092ac427c54f41",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085644",
            "to_ids": true,
            "type": "sha1",
            "uuid": "793fb81e-cf7f-4e2f-bb8d-c9ac4492e370",
            "value": "6cd5114bedf9c867b32558ee961fbf052a2a125d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085644",
            "to_ids": true,
            "type": "sha256",
            "uuid": "17149f51-265d-482a-ad59-4142f9a2cec8",
            "value": "05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085642",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bf6845b6-d555-448e-aafc-c540588ad189",
            "value": "6144:BZNQxws72WY28YXHuXP+pNRT2El1WZ2RxTX/jo620lJu:BZuxwsCWY2RTtR17nu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085642",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "242dd561-0117-4db1-a6f9-f65c290b09f3",
            "value": "621264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746085642",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8df63be0-5acf-479b-a701-e55f5d40f0b1",
            "value": "165076551d155515151az6e2z7b5z1pz51"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085642",
            "to_ids": true,
            "type": "filename",
            "uuid": "7dde6e77-f5f9-4061-b445-33183e0c2800",
            "value": "imfsbDll.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 01/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085642",
            "to_ids": false,
            "type": "text",
            "uuid": "2726074c-9521-42bc-9b7a-1ddedc3fdad7",
            "value": "SNAPPYBEE loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:47/72\nFirst Submission:2024-01-23T09:46:57.000000+00:00\nLast Submission:2024-04-10T05:04:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746087301",
        "uuid": "48ca2e03-c61a-4a4a-b660-d797a18e8b43",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746087301",
            "to_ids": true,
            "type": "md5",
            "uuid": "3310a332-f07e-4f09-89ee-722d0dbe30b5",
            "value": "b706f4806dc88611873cadeb3ad1ff97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746085665",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b06af9d8-72a3-4883-816c-e1b83ae01049",
            "value": "dfe752f103e8e0cdb6ee419a5e753a451488420c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SNAPPYBEE payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746085666",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6643e401-79d8-48c9-b53d-91443c6f1169",
            "value": "1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746085665",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7532bd27-8245-4176-8681-9bf6cfacd75a",
            "value": "3072:zaNVm/i2SD6ixL7x6oC3bwmNU4MNTVI7nBHM+ZNWqdiTOz2:pi2ajL78kJdXM2oW64R"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746085665",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a4845795-8427-46a8-9dc0-998b830c77b1",
            "value": "131065"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746085665",
            "to_ids": true,
            "type": "filename",
            "uuid": "f4a8ee68-7f49-4b9b-b97a-5a0dbc8dd3d8",
            "value": "dbindex.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2025\nLast-scan: 30/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746085665",
            "to_ids": false,
            "type": "text",
            "uuid": "0d114ec6-f312-40e2-ba61-85ff60b91603",
            "value": "SNAPPYBEE payload\r\nType Description: unknown\nMicrosoft: Backdoor:Script/Obfuscator!MSR\nVT Total Detection:26/61\nFirst Submission:2024-04-09T16:55:29.000000+00:00\nLast Submission:2024-04-09T16:55:29.000000+00:00"
          }
        ]
      }
    ]
  }
}