{ "Event": { "analysis": "1", "date": "2017-11-07", "extends_uuid": "", "info": "[Threat Intel] Sowbug: Cyber espionage group targets South American and Southeast Asian governments", "protected": false, "publish_timestamp": "1780039687", "published": true, "threat_level_id": "1", "timestamp": "1772901958", "uuid": "57df35b2-526b-4224-a79d-1357afde164c", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#2afb09", "local": false, "name": "misp-galaxy:target-information=\"Argentina\"", "relationship_type": "" }, { "colour": "#c94db5", "local": false, "name": "misp-galaxy:target-information=\"Brazil\"", "relationship_type": "" }, { "colour": "#321f24", "local": false, "name": "misp-galaxy:target-information=\"Ecuador\"", "relationship_type": "" }, { "colour": "#1c5aae", "local": false, "name": "misp-galaxy:target-information=\"Peru\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Felismus\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"MimiKatz\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"StarLoader\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Symantec\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Sowbug\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Brunei\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1736673578", "to_ids": false, "type": "link", "uuid": "1f502676-8513-421f-8117-ef65f97d14ef", "value": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1736673578", "to_ids": false, "type": "text", "uuid": "d977d93f-a40a-4511-a7b0-49d524ac5065", "value": "Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. \n\nTo date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia. The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1736673578", "to_ids": false, "type": "text", "uuid": "74b65660-ab3e-4304-9b4a-e8a912837f94", "value": "Name: Sowbug: Cyber espionage group targets South American and Southeast Asian governments\nAuthor: AlienVault\nAdversary: Sowbug\nTags: [\"Sowbug\", \"apt\", \"South America\", \"Southeast Asia\"]\nTgtd countries: [\"Argentina\", \"Brazil\", \"Ecuador\", \"Peru\", \"Brunei Darussalam\", \"Malaysia\"]\nMlwr families: []\nAttack_ids: []\nIndustries: [\"government\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1736673578", "to_ids": false, "type": "threat-actor", "uuid": "6bfdd8f3-0dfe-4c64-a1cf-af6e17f32c50", "value": "Sowbug" }, { "category": "Payload delivery", "comment": "Backdoor.Felismus No sample in VT\r\nLast check:23/02/2025", "deleted": false, "disable_correlation": false, "timestamp": "1740310330", "to_ids": true, "type": "md5", "uuid": "f5defd54-302e-40d6-b2e8-7623fd1deb43", "value": "c1f65ddabcc1f23d9ba1600789eb581b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1747520241", "to_ids": true, "type": "domain", "uuid": "695dfabf-f783-4ff6-b30e-e41347c94bd2", "value": "cosecman.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1747520259", "to_ids": true, "type": "domain", "uuid": "a9602d56-a97c-48d3-ac15-ac6f9214a7af", "value": "nasomember.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1747520259", "to_ids": true, "type": "domain", "uuid": "32771bbf-ec42-4b8b-82bf-8aec8cb4d770", "value": "unifoxs.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740888158", "to_ids": false, "type": "other", "uuid": "2a752e47-4a7d-460a-beff-8cdd42efcbc1", "value": "https://web.archive.org/web/20240116125105/https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=d544bd14-1dd2-4ab6-a5a0-181788b7d73b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1740888237", "uuid": "ee72ce4d-ccdb-451c-bf68-3dc51d4c729f", "Attribute": [ { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1740888237", "to_ids": true, "type": "md5", "uuid": "6a582777-4de7-44fd-ac14-8464cd1851c1", "value": "00d356a7cf9f67dd5bb8b2a88e289bc8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740310322", "to_ids": true, "type": "sha1", "uuid": "a3edc848-9bb0-4625-bf3f-7d1a1604e682", "value": "fd5ec9ad13281ffa2b19b521788daddd7ffe06ae", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740310322", "to_ids": true, "type": "sha256", "uuid": "49a6d97a-cdb6-4a8e-aeac-8f0aaa24495d", "value": "dcd8dc99aceb617cbba658d1b7d776013f53b00d818999d3d619a73eec8e6a8d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740309805", "to_ids": true, "type": "ssdeep", "uuid": "0e5f1102-2ccc-45a3-9ddb-6b130e5c1e3a", "value": "3072:Z48MR+uDJmiCh6UdnnYIUvV7Vk6VTcplM9hK2E+74CnqSOSNfE0z:CnZDQEUdnnY966lH7E+MCnBvFxz" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740309805", "to_ids": false, "type": "size-in-bytes", "uuid": "8d23f172-acc3-40e4-ac69-7e422765362f", "value": "154656" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740309805", "to_ids": true, "type": "vhash", "uuid": "8ec3009a-ca00-4de5-ac67-070d60a1146a", "value": "015036651d1az48jz11z2fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740309805", "to_ids": true, "type": "filename", "uuid": "fe8fd5a5-84a0-4973-b024-73da405d32dc", "value": "00d356a7cf9f67dd5bb8b2a88e289bc8.virus" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 22/01/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740309805", "to_ids": false, "type": "text", "uuid": "876e9186-f4de-4e3b-bfb5-00556195ea0a", "value": "Backdoor.Felismus\r\nType Description: Win32 EXE\n\nMicrosoft: VirTool:Win32/CeeInject\nVT Total Detection:52/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1740888258", "uuid": "d5e78c89-fa84-4aa5-b70c-31d42c8c8bfb", "Attribute": [ { "category": "Payload delivery", "comment": "Trojan.Starloader", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1740888258", "to_ids": true, "type": "md5", "uuid": "69bc4e6a-ab14-4a0b-b1c8-58e55f87923c", "value": "4984e9e1a5d595c079cc490a22d67490", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Trojan.Starloader", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740310324", "to_ids": true, "type": "sha1", "uuid": "fe2c8ad9-67ad-4429-a09d-e357a432152e", "value": "e1d40c5f366134f966b2ae1ba66ba4c38743f661", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Trojan.Starloader", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740310324", "to_ids": true, "type": "sha256", "uuid": "24ad1bfe-4723-467f-b3c9-a261f0e5d1db", "value": "2154a8c899dc488ca11c4cef5fec35e1bb65efc89f7a1ced6efa1aa9879f6557", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740309827", "to_ids": true, "type": "ssdeep", "uuid": "495fb796-c5f5-4571-96cd-d5673ea8795b", "value": "768:5xZ9LLu6PRDPP5wsSoSlUUT7iKjLZXIyg6KD9RD0uJlz4TYhDrfSJ5CgYPjF+UEj:Fk6PrUTuKjLCndRRDZlzTHCheUfY8" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740309827", "to_ids": false, "type": "size-in-bytes", "uuid": "e992f9af-a985-4331-a625-b5656be5e3f4", "value": "82432" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740309827", "to_ids": true, "type": "vhash", "uuid": "5252ec86-bc9d-482a-9fc1-606dda7c79cc", "value": "084056655d15551az52!z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740309827", "to_ids": true, "type": "filename", "uuid": "4483c6bc-6716-4f0d-a02c-84bc394f4d86", "value": "4984e9e1a5d595c079cc490a22d67490.virus" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 16/02/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740309827", "to_ids": false, "type": "text", "uuid": "7021d149-e2bf-490d-89e9-565626075858", "value": "Trojan.Starloader\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Skeeyah.A!bit\nVT Total Detection:59/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1740888280", "uuid": "80d3e5e6-7a5b-45d1-ab8e-347048fd857d", "Attribute": [ { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1740888280", "to_ids": true, "type": "md5", "uuid": "9988d091-af77-4186-9759-069bbb777b45", "value": "514f85ebb05cad9e004eee89dde2ed07", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740310325", "to_ids": true, "type": "sha1", "uuid": "3070953c-1b43-477a-87e3-75d5e05ffecc", "value": "d2e374b62878ec8fa4b3b0be626d6016f71afbd7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740310325", "to_ids": true, "type": "sha256", "uuid": "8d3af696-3c41-41f0-99ba-127f0d857770", "value": "44108ae87289132294232616d54bdab768005fbdcf6fdc8aaf0a016d6a98a540", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740309848", "to_ids": true, "type": "ssdeep", "uuid": "262f04ec-562b-4e62-beec-1e937f8e6579", "value": "768:y1jYeHRtNvD2MR1N0iohZXtuWiW2u30u80Mm0+yMP3iAPBOstv3FxWyok1bNYNV3:AUKFNqJRf30udyAZztv3HJri" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740309848", "to_ids": false, "type": "size-in-bytes", "uuid": "033bc5bf-4e74-477c-8fa9-73e55cee1d79", "value": "77312" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740309848", "to_ids": true, "type": "vhash", "uuid": "1d7f1619-5823-42be-b51f-76e100a007a2", "value": "0740865d155c0d5d1d1d7az3535lzb5z47z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740309848", "to_ids": true, "type": "filename", "uuid": "a4e0278c-8709-40f9-a6bc-61d7afbaed35", "value": "514f85ebb05cad9e004eee89dde2ed07.virus" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 13/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740309848", "to_ids": false, "type": "text", "uuid": "e3f6b23e-ae6a-49dc-80f1-5ab0b5e1dec1", "value": "Backdoor.Felismus\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Tomyjery.A\nVT Total Detection:60/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1740888301", "uuid": "59df8fbe-eca3-49b3-99ef-4b42f563b4b6", "Attribute": [ { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1740888301", "to_ids": true, "type": "md5", "uuid": "225f576f-e082-4fb9-ac74-56852b0fb5e3", "value": "967d60c417d70a02030938a2ee8a0b74", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740310327", "to_ids": true, "type": "sha1", "uuid": "03686759-3f98-4473-85b9-84284c7a82f2", "value": "28eb0013ead27c20add397818752f541492d63b4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Backdoor.Felismus", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740310327", "to_ids": true, "type": "sha256", "uuid": "78bafd54-afdc-4e33-babf-4573ca5a7a98", "value": "d922f00862682369baa9ec966bc2f4de51c76f6e7d9d03aaf2e0683200a6462f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740309870", "to_ids": true, "type": "ssdeep", "uuid": "53694916-b271-4746-aa8f-40946c6f0bb6", "value": "768:ry9KsFAk48s6ciDmaUqPhMW65XD1aRSLP:mLb4H6JxPhMW65eSLP" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740309870", "to_ids": false, "type": "size-in-bytes", "uuid": "583cddd4-f97c-4bb3-b7e9-edbb1deaabb0", "value": "34304" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740309870", "to_ids": true, "type": "vhash", "uuid": "0497879b-24f4-4d83-8c02-463de2506d9d", "value": "1340a66d655c051d1d1d1058z281bfz13z1ez6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740309870", "to_ids": true, "type": "filename", "uuid": "51de8948-bf78-4b54-98b3-f2a496837588", "value": "HTTPDLL.dll" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 29/12/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740309870", "to_ids": false, "type": "text", "uuid": "fcaaf401-4062-474f-ae7a-7a7fc9ef563d", "value": "Backdoor.Felismus\r\nType Description: Win32 DLL\n\nMicrosoft: Backdoor:Win32/Tomyjery.A\nVT Total Detection:51/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1740888322", "uuid": "77af133b-3e9d-4324-b856-1167287aae21", "Attribute": [ { "category": "Payload delivery", "comment": "Mimikatz", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1740888322", "to_ids": true, "type": "md5", "uuid": "f02d28ec-d376-4e14-a8a4-e1cc098989fa", "value": "e4e1c98feac9356dbfcac1d8c362ab22", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Mimikatz", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740310329", "to_ids": true, "type": "sha1", "uuid": "c469f37a-28d7-493a-a67c-10119d9ced38", "value": "12346fb48c5307470d2d761033f7cf1d2faba010", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Mimikatz", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740310329", "to_ids": true, "type": "sha256", "uuid": "ebd76dbe-ec93-42a1-a5d9-c7d242a37943", "value": "cfd73f28a85ea63cedba5e4c3b09dc5b68117e65e19203a274c5cf7bef57e6c8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740309913", "to_ids": true, "type": "ssdeep", "uuid": "e0864cc0-0006-4866-8e1a-c3324d10de1d", "value": "3072:WTwhfm1Vnc7y7Up64RdsvpeVzmezx4omqLkcHX6Gehg53FN3kIjeG7KZy+gTJP7H:7qVcHdueVDg5" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740309913", "to_ids": false, "type": "size-in-bytes", "uuid": "72780c68-bfae-45d1-bb68-4c9f7ddc2e40", "value": "251904" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740309913", "to_ids": true, "type": "vhash", "uuid": "d8862b52-0f05-42fd-9364-4e97d6b5ed82", "value": "025056651d151563b3zb2z632z119z501031z1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740309913", "to_ids": true, "type": "filename", "uuid": "6d82bee9-5e06-4d2a-8cf1-bb9f037523c9", "value": "fontlib.exe" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 30/12/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740309913", "to_ids": false, "type": "text", "uuid": "8661655a-9b3e-4857-8d2f-230b94e82fa3", "value": "Mimikatz\r\nType Description: Win32 EXE\n\nMicrosoft: HackTool:Win32/Mimikatz.A!dha\nVT Total Detection:56/72" } ] } ] } }