{
  "Event": {
    "analysis": "1",
    "date": "2020-10-01",
    "extends_uuid": "",
    "info": "[Threat Intel] SlothfulMedia RAT Used in Targeted Attacks",
    "protected": false,
    "publish_timestamp": "1780039628",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772901948",
    "uuid": "878d7da6-94df-48e6-a7c7-24eb048491ca",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#4df024",
        "local": false,
        "name": "misp-galaxy:target-information=\"Kazakhstan\"",
        "relationship_type": ""
      },
      {
        "colour": "#41c393",
        "local": false,
        "name": "misp-galaxy:target-information=\"Kyrgyzstan\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#e4d611",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SlothfulMedia\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736669643",
        "to_ids": false,
        "type": "link",
        "uuid": "246b403d-87e2-4957-bcf9-1926f0734556",
        "value": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736669643",
        "to_ids": false,
        "type": "text",
        "uuid": "57ff6767-53f4-462b-ae8e-1487f1507665",
        "value": "A relatively new implant, dubbed SlothfulMedia, has been used to target victims in a number of countries, including India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine. The SlothfulMedia implant can run commands, kill processes, invoke a remote shell, add and delete registry values, take screenshots and interact with the file system."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736669643",
        "to_ids": false,
        "type": "text",
        "uuid": "6a3c8f4e-5505-4c8c-aab2-ce0ce54dc46d",
        "value": "Name: SlothfulMedia RAT Used in Targeted Attacks\nAuthor: AlienVault\nAdversary: \nTags: [\"cisa\", \"Implant\", \"backdoor\", \"cn_apt\", \"China\", \"JackOfHearts\", \"IAmTheKing\", \"PowerPool\"]\nTargeted countries: [\"Russian Federation\", \"India\", \"Kazakhstan\", \"Kyrgyzstan\", \"Malaysia\", \"Ukraine\"]\nMalware families: [\"SlothfulMedia\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "command-and-control",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747505114",
        "to_ids": true,
        "type": "domain",
        "uuid": "681dcf43-3c45-45c3-8a7c-24349f8270f5",
        "value": "sdvro.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "remote-access-trojan. No sample available in VirusTotal or MalwareBazaar (last checked 2025-02-23), so this hash could not be independently verified against a live sample.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740280988",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1f13c0c5-8a54-4084-8339-ad5c4e03e3ba",
        "value": "4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746475582",
        "to_ids": false,
        "type": "mutex",
        "uuid": "9e92cb7b-0d70-476c-b693-398731d2030a",
        "value": "Global\\mukimukix"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981268",
        "uuid": "9b876996-b191-4e22-ae46-4d41a155c3e1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "md5",
            "uuid": "bef30578-ac3c-420a-ae50-3f21087a4c41",
            "value": "448838b2a60484ee78c2198f2c0c9c85",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "sha1",
            "uuid": "95975f8b-70e0-48d5-a737-0653f65d7131",
            "value": "f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e3ff922a-3443-4dc1-82ff-d6a41b2dca52",
            "value": "64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740280755",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e665894d-6068-499f-98b5-b4a03e15b8f0",
            "value": "3072:PGA5q4Xmco7ciR7BiU+q+TESaiQ4RHpxJdW:O0qtUYBiU+qRiQy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740280755",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "15316211-cac0-4e0f-ae5b-3e4b4029fe7a",
            "value": "117760"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740280755",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a040d346-f16f-445a-8af1-79c4f773de71",
            "value": "015056655d65551038z4a7z17z3lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740280755",
            "to_ids": true,
            "type": "filename",
            "uuid": "d9155f35-58e8-443d-b9fe-256bec4e1451",
            "value": "64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-02-23\nLast scan: 2025-02-17",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740280755",
            "to_ids": false,
            "type": "text",
            "uuid": "67325410-be16-40ed-8df5-d51943d8004b",
            "value": "Tags: bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan\nType Description: Win32 EXE\n\nMicrosoft: TrojanDropper:Win32/Keylogger!MSR\nVT Total Detection: 61/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981268",
        "uuid": "cfb589b2-2ea5-4e77-8909-2e65d1241544",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "remote-access-trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "md5",
            "uuid": "baef9588-9f57-4798-8d42-d8982597e32b",
            "value": "9f23bd89694b66d8a67bb18434da4ee8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "remote-access-trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c60ae9a7-283c-4045-8743-e04e7349ceaa",
            "value": "db8c6ea90b1be5aa560bfbe5a34577eb284243af",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "remote-access-trojan",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981268",
            "to_ids": true,
            "type": "sha256",
            "uuid": "95219bf4-63b4-4255-8c0b-50be436a1bbc",
            "value": "927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740280776",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "67084904-7cca-4eda-9d7c-e5fc7ab260ca",
            "value": "768:NRw4PZcMc8ie9+dZL6DSKdzxSGyCevVcxjw3e3PxKfRXAxo3vhxfFORpa9sxw:NRwaBiU+dZODSKeGHSaxjw3QUfRH/hx7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740280776",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1b155be7-5fe6-4c7a-a2d8-18ac0b44b114",
            "value": "46080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740280776",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4ec06dbb-c004-441a-adb6-90898771539b",
            "value": "044056655d55151165z60049389z13z1011z803091zb7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740280776",
            "to_ids": true,
            "type": "filename",
            "uuid": "671398a8-e3eb-4d3a-90ab-6b3b6c770356",
            "value": "mediaplayer.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-02-23\nLast scan: 2025-02-13",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740280776",
            "to_ids": false,
            "type": "text",
            "uuid": "3bd5e9dc-9228-402b-bef0-07e159a3688a",
            "value": "Tags: remote-access-trojan\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection: 58/72"
          }
        ]
      }
    ]
  }
}