{ "Event": { "analysis": "2", "date": "2018-02-13", "extends_uuid": "", "info": "[Threat Intel] Lotus Blossom Continues ASEAN Targeting", "protected": false, "publish_timestamp": "1780039831", "published": true, "threat_level_id": "1", "timestamp": "1772901980", "uuid": "26383d24-134d-4ea4-a8f3-df7d9ceb322a", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"LOTUS PANDA\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"035 - South-eastern Asia\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#fdcb58", "local": false, "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740396342", "to_ids": false, "type": "link", "uuid": "c163161a-78ff-4a46-b9a4-6748a539354b", "value": "https://community.netwitness.com/s/article/LotusBlossomContinuesASEANTargeting" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740396376", "to_ids": false, "type": "target-location", "uuid": "3e13f71a-9565-4d5a-addc-fb9b078fd65b", "value": "ASEAN" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746504896", "uuid": "8fa84bc9-c4d9-4e56-ba6b-74cf6528d515", "Attribute": [ { "category": "Payload delivery", "comment": "Malicious RTF Dropper", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746504896", "to_ids": true, "type": "md5", "uuid": "6eb61990-2c3c-46a2-badb-4a558f5de927", "value": "f12fc711529b48bcef52c5ca0a52335a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Malicious RTF Dropper", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746504784", "to_ids": true, "type": "sha1", "uuid": "c7391e96-4dd2-49f8-bb54-8d33eaafcfbd", "value": "5f89a6b2f1f38b581c65e9a1117c43a3060bfdc1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Malicious RTF Dropper", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746504784", "to_ids": true, "type": "sha256", "uuid": "3454a565-551f-464c-8ed2-5f147cd9ec33", "value": "d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746504783", "to_ids": true, "type": "ssdeep", "uuid": "ff068c84-df1a-4e0d-a1bf-bd0cffb11322", "value": "6144:qcMsuJupfCxIpE5IvZ8QnVTuiehYFYxWmkjxtGWe:qcMVuCxrs8A1uiehYCp" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746504783", "to_ids": false, "type": "size-in-bytes", "uuid": "d9b3c19c-28e7-49d3-a4be-7215598b8085", "value": "261090" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746504783", "to_ids": true, "type": "vhash", "uuid": "d41c2175-ec78-46ef-bb9e-46cc7975382d", "value": "882e4f7e817ef87667db0242ec95f328e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746504783", "to_ids": true, "type": "filename", "uuid": "58b4ab53-b7e4-402c-8b1c-d9df5e03671b", "value": "DoNotOpen2.doc" }, { "category": "Other", "comment": "Checked: 06/05/2025\nLast-scan\t: 20/12/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746504783", "to_ids": false, "type": "text", "uuid": "a5e3ccdd-3cba-4329-8d6d-6854e2ca422c", "value": "Malicious RTF Dropper\r\nType Description: Rich Text Format\nMicrosoft: Exploit:O97M/CVE-2017-11882.F\nVT Total Detection:45/61\nFirst Submission:2018-01-23T08:46:47.000000+00:00\nLast Submission:2024-10-27T20:55:25.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746504917", "uuid": "702b1de4-92b2-4e7a-833d-6fe9b31dc012", "Attribute": [ { "category": "Payload delivery", "comment": "NavShExt.dll", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746504917", "to_ids": true, "type": "md5", "uuid": "0796ba3a-ca3a-463c-aa73-a10c5e173b11", "value": "cd36bbd7f949cf017edba0e6aaadf28c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "NavShExt.dll", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746504805", "to_ids": true, "type": "sha1", "uuid": "a4f2518e-51cb-4d5c-87cd-bf16d7bc7c1d", "value": "2fde32f2695bc7b3b702a1e3b53a8c38e60b7402", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "NavShExt.dll", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746504805", "to_ids": true, "type": "sha256", "uuid": "48c5434a-0376-4542-b7b0-42164e1b5499", "value": "6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746504805", "to_ids": true, "type": "ssdeep", "uuid": "20abf4d0-df98-4d08-bdc6-96ec96a335e2", "value": "1536:HIeVRmeZCXDakps1ru5eSA49pxjq/ahEhb51w:H1qVTaWs1rEbFjq/AEF51w" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746504805", "to_ids": false, "type": "size-in-bytes", "uuid": "7dafe6a6-7250-4078-955a-0308fdc128c8", "value": "72704" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746504805", "to_ids": true, "type": "vhash", "uuid": "3bba7f64-591c-4e68-8f79-229430af43bb", "value": "174056655d75151az1f0cfz1kz1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746504805", "to_ids": true, "type": "filename", "uuid": "020bfa50-07f0-4e4c-ae53-1c10acfca1ee", "value": "NavShExt.dll" }, { "category": "Other", "comment": "Checked: 06/05/2025\nLast-scan\t: 29/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746504805", "to_ids": false, "type": "text", "uuid": "cb976bca-a15b-48ca-a754-8b189f8e1c80", "value": "NavShExt.dll\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Lianoufa.A\nVT Total Detection:61/72\nFirst Submission:2018-01-24T01:04:37.000000+00:00\nLast Submission:2024-10-27T20:54:59.000000+00:00" } ] } ] } }