{
  "Event": {
    "analysis": "1",
    "date": "2020-06-22",
    "extends_uuid": "",
    "info": "[Threat Intel] Advanced techniques used in a Malaysian-focused APT campaign",
    "protected": false,
    "publish_timestamp": "1780039662",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039662",
    "uuid": "6f707024-b346-4f24-a6aa-f95bb9d695cc",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#8196ba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
        "relationship_type": ""
      },
      {
        "colour": "#03bdda",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"",
        "relationship_type": ""
      },
      {
        "colour": "#9651e2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"",
        "relationship_type": ""
      },
      {
        "colour": "#37f8da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Shared Modules - T1129\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a3aa59",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
        "relationship_type": ""
      },
      {
        "colour": "#2cfe4e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Template Injection - T1221\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Elastic\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT40\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740307503",
        "to_ids": false,
        "type": "link",
        "uuid": "f815e490-558d-43c1-9317-d7be3db0566e",
        "value": "https://www.elastic.co/security-labs/advanced-techniques-used-in-malaysian-focused-apt-campaign"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736670123",
        "to_ids": false,
        "type": "text",
        "uuid": "5a0111a6-f183-4bc5-9532-6154363d38b7",
        "value": "\"The Elastic Security Intelligence & Analytics Team researches adversary innovations of many kinds, and has recently focused on an activity group that leveraged remote templates, VBA code evasion, and DLL side-loading techniques. Based on code similarity and shared tactics, techniques, and procedures (TTPs), the team assessed this activity to be possibly linked to a Chinese-based group known as APT40, or Leviathan. The group\u2019s campaign appears to target Malaysian government officials with a lure regarding the 2020 Malaysian political crisis.\""
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736670123",
        "to_ids": false,
        "type": "text",
        "uuid": "3618a2c0-a75a-4717-a59d-2d5b199a1753",
        "value": "Name: Advanced techniques used in a Malaysian-focused APT campaign\nAuthor: AlienVault\nAdversary: APT40\nTags: [\"cn_APT\", \"Leviathan\"]\nTargeted countries: [\"Malaysia\"]\nMalware families: []\nAttack_ids: [\"T1055\", \"T1059\", \"T1060\", \"T1073\", \"T1107\", \"T1129\", \"T1140\", \"T1193\", \"T1221\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736670123",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "e3f23a3b-407a-4466-8f76-5974fd6ac194",
        "value": "APT40"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740309965",
        "to_ids": true,
        "type": "sha256",
        "uuid": "14203ab6-8f64-47f9-9b65-1e5f83ee26d6",
        "value": "06a4246be400ad0347e71b3c4ecd607edda59fbf873791d3772ce001f580c1d3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883787",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ff4a7389-fb6f-4b3b-a2d8-a70b0b52586f",
        "value": "armybar.hopto.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883808",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3569f2f5-331e-4831-89ad-614f9c547cb0",
        "value": "tomema.myddns.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883830",
        "to_ids": true,
        "type": "url",
        "uuid": "713d26ef-efa5-4fa8-a2f5-5674453659de",
        "value": "https://armybar.hopto.org/LogiMail.dll",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883851",
        "to_ids": true,
        "type": "url",
        "uuid": "a8df97a7-13b4-4d2b-bdea-70f9675f6590",
        "value": "https://armybar.hopto.org/LogiMailApp.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883872",
        "to_ids": true,
        "type": "url",
        "uuid": "2551dc8b-d373-405b-983d-03bda2f8c8e0",
        "value": "https://armybar.hopto.org/Encrypted",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883893",
        "to_ids": true,
        "type": "url",
        "uuid": "6d6627ac-175e-427b-bf8a-01cab411f007",
        "value": "http://tomema.myddns.me/postlogin",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883914",
        "to_ids": true,
        "type": "url",
        "uuid": "a838cee8-3d9f-4d1b-8fbb-232ee918483e",
        "value": "http://tomema.myddns.me/list_direction",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740883936",
        "to_ids": true,
        "type": "url",
        "uuid": "66bbb253-2548-4d2f-92ab-ddbaa0d1bc5f",
        "value": "http://tomema.myddns.me/post_document",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039660",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3ffa9372-fdf6-4df5-9d91-945bdc138d36",
        "value": "104.248.148.156",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039662",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7166ca8c-1472-43fe-80f5-0e3a74c3132f",
        "value": "139.59.31.188",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740307679",
        "uuid": "f15094a8-a780-41af-b3cd-f5dbff8e62f2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740307679",
            "to_ids": false,
            "type": "comment",
            "uuid": "9b42f2bb-63a5-4fb2-8d07-64282bb0e96a",
            "value": "APT40 second stage implant"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740307679",
            "to_ids": true,
            "type": "yara",
            "uuid": "c6ccd5da-7350-40c4-aaa3-0cc3f4dd1301",
            "value": "rule APT_APT40_Implant_June2020 {\r\n   meta:\r\n       version = \"1.0\"\r\n       author =  \"Elastic Security\"\r\n       date_added = \"2020-06-19\"\r\n       description = \"APT40 second stage implant\"\r\n    strings:\r\n        $a = \"/list_direction\" fullword wide\r\n        $b = \"/post_document\" fullword wide\r\n        $c = \"/postlogin\" fullword wide\r\n        $d = \"Download Read Path Failed %s\" fullword ascii\r\n        $e = \"Open Pipe Failed %s\" fullword ascii\r\n        $f = \"Open Remote File %s Failed For: %s\" fullword ascii\r\n        $g = \"Download Read Path Failed %s\" fullword ascii\r\n        $h = \"\\\\cmd.exe\" fullword wide\r\n    condition:\r\n        all of them\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740307679",
            "to_ids": false,
            "type": "text",
            "uuid": "81e452dc-9a3f-433f-9b6f-0469c59338e9",
            "value": "APT_APT40_Implant_June2020"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740883999",
        "uuid": "72130297-8475-48d1-b600-5c7bd167949b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:research_pe_signed_outside_timestamp",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740883999",
            "to_ids": true,
            "type": "md5",
            "uuid": "53364636-284c-4e76-a248-be3ceb0c4483",
            "value": "850a163ce1f9cff0367854038d8cfa7e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:research_pe_signed_outside_timestamp",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309954",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b1179493-560f-4bf2-95c6-b0f855597021",
            "value": "517894e4443b8d3c1204eef81247958772280538",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:research_pe_signed_outside_timestamp",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309955",
            "to_ids": true,
            "type": "sha256",
            "uuid": "081d8825-4188-48fa-8b3c-40a7ae02e5fa",
            "value": "93810c5fd9a287d85c182d2ad13e7d30f99df76e55bb40e5bc7a486d259810c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309173",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2b7897ae-04b8-4bdc-b14a-559b926fc52b",
            "value": "6144:sCwBXsdQT1LEJEvka5p+/zip3hrkEiFuTLeGa3MEJun49g7P0k:Bw11Wqp3hrX6uTCGa3JEn45k"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309173",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7e8d1bd2-ec53-4f2c-b636-e0fc5a375d1c",
            "value": "311656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309173",
            "to_ids": true,
            "type": "vhash",
            "uuid": "78973199-b3f9-4684-a87b-310a103152e9",
            "value": "035046655d151091z10021z847zf147z40079fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309173",
            "to_ids": true,
            "type": "filename",
            "uuid": "7affa903-708a-4dd2-9483-9d6a55badcf4",
            "value": "LogiMailApp.exe"
          },
          {
            "category": "Other",
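            "comment": "Checked: 23/02/2025\nLast-scan\t:  19/10/2024\nNote: 0/73 detections, together with this event's DLL side-loading tag, suggest this may be a legitimate signed executable used as the side-loading host; validate before alerting or blocking on its hashes alone.",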
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309173",
            "to_ids": false,
            "type": "text",
            "uuid": "e3e4b95c-093d-4f39-9867-ab608bc31249",
            "value": "IOC-title:research_pe_signed_outside_timestamp\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:0/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884021",
        "uuid": "9d651e5f-ecdb-43f3-a9e0-d8f036d39357",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884021",
            "to_ids": true,
            "type": "md5",
            "uuid": "49241f47-e1c9-4a40-adae-9644a6144514",
            "value": "e9ff489de21c9ff9addef54891ba099e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309956",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6642209c-530d-419f-9842-97f4b0c73879",
            "value": "6b39a1faa21bae810e5ee549c5bf7d027c2ec3b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309956",
            "to_ids": true,
            "type": "sha256",
            "uuid": "65206deb-bc58-4616-b706-93da640cc199",
            "value": "523cbdaf31ddc920e5b6c873f3ab42fb791fb4c9d1f4d9e6a7f174105d4f72a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309195",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "648a87a1-ede6-407e-a4c6-168fcef49350",
            "value": "6144:wahffJHPyXiueAYqR69J4hTly/TdRMxeQe:BhffJv5uere69J4PyxWxy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309195",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "be265652-d2aa-457c-83de-cff4bf2f20e8",
            "value": "204525"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309195",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a2d56583-1573-400e-bad1-2ec8559f8852",
            "value": "98a09e29b310c8ca98af2540f01837d4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309195",
            "to_ids": true,
            "type": "filename",
            "uuid": "60e786e9-1a73-4d0e-8e5a-b534c8fa7f79",
            "value": "523cbdaf31ddc920e5b6c873f3ab42fb791fb4c9d1f4d9e6a7f174105d4f72a1.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  28/07/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309195",
            "to_ids": false,
            "type": "text",
            "uuid": "e48748d1-abf8-457f-8f05-44fe05032003",
            "value": "Type Description: ZIP\n\nMicrosoft: Exploit:O97M/CVE-2017-11882.AAR!MTB\nVT Total Detection:27/64"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884042",
        "uuid": "c4063d5d-0867-4752-b9a9-76a3ed45903b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884042",
            "to_ids": true,
            "type": "md5",
            "uuid": "b0f958e7-469b-4a65-a367-611e941490f2",
            "value": "8114e5e15d4086843cf33e3fca7c945b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309958",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1d48f8bc-e447-468b-9bb3-5d5ffa0b3089",
            "value": "5f7f0b1419448c5fe1a8051ac8cb2cf7b95a3ffa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309958",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3d2b0e2f-2e17-49c9-8149-f263ec119e1d",
            "value": "145daf50aefb7beec32556fd011e10c9eaa71e356649edfce4404409c1e8fa30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309217",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "89c1d5ca-2e9f-49e5-aeb0-0b6ecf97c197",
            "value": "384:tmtsWZZILcSYamg5z+mlH8mODooOT5Le/mnsqn0i13LpzOU2X6Ujnw+3uFKpqOeS:qsKuLcSYBg5zimCHOgsv13dK+H+3uFKp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309217",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bcde3a5e-ca9c-4416-bbfe-f9c89b5bc466",
            "value": "24329"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309217",
            "to_ids": true,
            "type": "vhash",
            "uuid": "48163c67-0bf0-427d-b0f0-1c2212f792d0",
            "value": "f1b646236edcaee9e7817e094d541345"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309217",
            "to_ids": true,
            "type": "filename",
            "uuid": "5c01b2c0-98e8-4683-8d3f-11969e7c734c",
            "value": "RemoteLoad.dotm"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  10/11/2021",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309217",
            "to_ids": false,
            "type": "text",
            "uuid": "318c3b66-bfe3-4ecd-b058-f001a6bc742f",
            "value": "Type Description: Office Open XML Document\n\nMicrosoft: None\nVT Total Detection:31/64"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884063",
        "uuid": "3c410e37-e6e3-49ec-b496-bf3dc8c64bdf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884063",
            "to_ids": true,
            "type": "md5",
            "uuid": "113c2710-3b54-4034-a49f-def7d6386035",
            "value": "ccbdda7217ba439dfb6bbc6c3bd594f8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309959",
            "to_ids": true,
            "type": "sha1",
            "uuid": "af16481f-613f-4a92-9446-5e53df278e23",
            "value": "610919bfae5a4e5fa7ca150a17c6f03659a43fd8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309959",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5219a4cc-b159-4e6d-8304-76bc68210f8e",
            "value": "925f404b0207055f2a524d9825c48aa511199da95120ed7aafa52d3f7594b0c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309238",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "733bca90-c1de-480c-b534-cb8abc351c42",
            "value": "12:e1GSG93V2/SaswlasV1hr35UV4yOlkUyCMiLIWEhI9yqhiGhWVhdPaawvZ8:e1GSijwwsV1F6VKdREhWhiGhwhdPeZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309238",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d3bb9816-cd0f-426f-9bd1-4decc32e409b",
            "value": "3072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309238",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f64a1694-3707-453f-8562-c0f4e902b0e9",
            "value": "13303615151bz4?z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309238",
            "to_ids": true,
            "type": "filename",
            "uuid": "44c7ddb9-3cfb-4986-b94e-7f87390d7e63",
            "value": "sl1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  09/11/2021",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309238",
            "to_ids": false,
            "type": "text",
            "uuid": "69647d08-a9a8-44ca-94e3-1829dffcfbe9",
            "value": "Type Description: Win32 DLL\n\nMicrosoft: PUA:Win32/Vigua.A\nVT Total Detection:32/68"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884085",
        "uuid": "61c57e44-a2ad-42c1-b467-3d34783e3aee",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:SLF:SCPT:OffRelAttachedTemplateHttp.A",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884085",
            "to_ids": true,
            "type": "md5",
            "uuid": "7c96c35d-085c-486b-8192-ee2a905caec4",
            "value": "afbe00e755a2cf963f0eedbb4e310198",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:SLF:SCPT:OffRelAttachedTemplateHttp.A",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309961",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a58a451c-aa76-4ee4-ac10-b7fcf0ab790c",
            "value": "a55bd3f15ce743c9cda7bec05afe50b9aefa4683",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:SLF:SCPT:OffRelAttachedTemplateHttp.A",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309961",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a1155bb0-44ae-4add-b804-0a94ceb98b9c",
            "value": "ab541df861c6045a17006969dac074a7d300c0a8edd0a5815c8b871b62ecdda7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309260",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3de83ce9-60fb-41ce-8b59-2fcc17cb5bba",
            "value": "6144:nnSjk+9xiZQi36pvpQwVQgQ8qr36dcZLZuBvIO6Jav11h2:nn6ZMZQ+6wngQjNLo1IfJa7h2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309260",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d22c2c12-09a4-45b6-b9ad-b95605384e9a",
            "value": "220063"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309260",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b04e1ab2-dc80-41e8-993d-e53c14c53a63",
            "value": "4e5ca07fbfd27eaef09825d08dd4a91b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309260",
            "to_ids": true,
            "type": "filename",
            "uuid": "6156dabb-922a-4321-b52e-2d2460cd6220",
            "value": "ab541df861c6045a17006969dac074a7d300c0a8edd0a5815c8b871b62ecdda7.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  27/07/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309260",
            "to_ids": false,
            "type": "text",
            "uuid": "7646d5ca-175c-4178-903d-ff56aa8cfd0e",
            "value": "IOC-title:SLF:SCPT:OffRelAttachedTemplateHttp.A\r\nType Description: Office Open XML Document\n\nMicrosoft: Exploit:O97M/CVE-2017-11882.AAR!MTB\nVT Total Detection:29/64"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884106",
        "uuid": "1428644e-0b16-4b15-8fd2-8164105b15d8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884106",
            "to_ids": true,
            "type": "md5",
            "uuid": "f090eefb-4b7c-4ae4-a307-0246f36a43f0",
            "value": "7ae50fe69debbfda23a9ae28e1a8df9f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309962",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a91ca68f-2aea-45ba-96c3-52aae31a5783",
            "value": "6f3f1c7d3764d814b0e6ed95c50f7e1bddda36c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309963",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d21960e6-1cfe-4ba7-869f-52d42b81e38c",
            "value": "77ef350639b767ce0a748f94f723a6a88609c67be485b9d8ff8401729b8003d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309283",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0953fada-54e3-4fc2-9a3d-ab71b46105de",
            "value": "98304:nQ1kvpmA5Ys36BvOa2kxI/qu3TduRNWzKXgoWRAjp0vfGoRENWzKXgoWRAjp0vfp:nQ1kv7rAGad+qP/XQq90jRa/XQq90jRL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309283",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "653e11a9-7885-4485-95c6-e9d0aae6d79f",
            "value": "5578822"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309283",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8aea2e3a-612c-4d97-b917-140240371a55",
            "value": "1d3a57ae72cf45c49eddb57e515e4981"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309284",
            "to_ids": true,
            "type": "filename",
            "uuid": "fbd552a6-bdf7-4fac-b71a-119a324581e8",
            "value": "77ef350639b767ce0a748f94f723a6a88609c67be485b9d8ff8401729b8003d2.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  25/02/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309284",
            "to_ids": false,
            "type": "text",
            "uuid": "a082f6e6-5d5e-436c-b57f-937587d414d0",
            "value": "Type Description: Office Open XML Document\n\nMicrosoft: None\nVT Total Detection:26/64"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740884127",
        "uuid": "0f17720e-1d96-42ec-8cdb-e436bf3991b1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740884127",
            "to_ids": true,
            "type": "md5",
            "uuid": "4d65224e-3d90-4bc1-a3f4-fd3dea037c14",
            "value": "dbfa006d64f39cde78b0efda1373309c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740309964",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3a6b2f6e-cd1d-4f36-876a-443b1823c36a",
            "value": "4fa1588cb7785161b6a902dd07dbfccd4e05d6c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740309964",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b95f5162-fd0d-4de1-97c5-6378c9e5f656",
            "value": "feca9ad5058bc8571d89c9d5a1eebce09e709cc82954f8dce1564e8cc6750a77",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740309305",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3046b4c0-d123-4108-9c33-3c023b27a9e0",
            "value": "24:e1GSiYNb/1AJkkxbq3Vs4Vcz/Ah2hpoPAKJ78Z:SiYJ/1akzKpz/Ah2hpw18"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740309305",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ab370e64-04cb-4472-827c-083f84319f11",
            "value": "3072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740309305",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0302d9fa-ab2f-4bd4-ab14-801132cda36a",
            "value": "13303615151bz4?z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740309305",
            "to_ids": true,
            "type": "filename",
            "uuid": "e79a5fa6-e3ed-44a1-a92c-ad761b27f0c8",
            "value": "sl2.tmp"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  12/08/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740309305",
            "to_ids": false,
            "type": "text",
            "uuid": "f980231d-74a0-4a65-9f82-c43ea71b0a2c",
            "value": "Type Description: Win32 DLL\n\nMicrosoft: Virus:Win32/Aicat.A!ml\nVT Total Detection:38/70"
          }
        ]
      }
    ]
  }
}