{
  "Event": {
    "analysis": "2",
    "date": "2022-04-29",
    "extends_uuid": "",
    "info": "[Threat Intel] The Lotus Panda is Awake Again: Analysis of the Last Strike",
    "protected": false,
    "publish_timestamp": "1780039979",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039979",
    "uuid": "f2a498fe-04a9-4917-88cc-a32d7ad4e4a8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Naikon\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brunei\"",
        "relationship_type": ""
      },
      {
        "colour": "#d53577",
        "local": false,
        "name": "misp-galaxy:target-information=\"Cambodia\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Laos\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#b03f2c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Myanmar\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#7dbb86",
        "local": false,
        "name": "misp-galaxy:target-information=\"Singapore\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#d39115",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Viper RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740751178",
        "to_ids": false,
        "type": "link",
        "uuid": "49a67747-7f78-496c-803a-e73192bc2ce6",
        "value": "https://www.duskrise.com/2022/04/29/the-lotus-panda-is-awake-again-analysis-of-the-last-strike/"
      },
      {
        "category": "Payload delivery",
        "comment": "FAKE INI No sample in VT\r\nLast check: 09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746790117",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b2c7d74d-c8bc-4436-9d8d-5a900c3b0356",
        "value": "ee50160fdd7cacb7d250f83c48efa55ae0479e47a1eece9c08fe387453b9492a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SHELLCODE No sample in VT\r\nLast check: 09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746790118",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8c20858d-5877-4d74-b0df-f91dd1689cb3",
        "value": "eeb5dc51e3828ffbefc290dc1a973c5afc89ba7ff43ab337d5a3b3dc6ca4216f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039979",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ac8d39b5-4e7d-48a4-9b14-8813525c41db",
        "value": "175.27.164.228",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#781e6a",
            "local": false,
            "name": "asn:asn=\"45090\"",
            "relationship_type": ""
          },
          {
            "colour": "#7f7f9d",
            "local": false,
            "name": "asn:as-owner=\"TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747005013",
        "uuid": "a1b788d5-b614-4abc-aac9-83f9d3e2a75e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MALDOC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747005013",
            "to_ids": true,
            "type": "md5",
            "uuid": "c9c1f686-67ef-4ba1-a349-e126651b2541",
            "value": "33e75e9fe89b6f9ac800241f77c65af9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MALDOC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748352",
            "to_ids": true,
            "type": "sha1",
            "uuid": "046bff8e-c6f4-425d-8307-0ab5c0a7fa8d",
            "value": "3b62c663e35bb3ca04afb75a839f25302579ebe5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MALDOC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748352",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8259801f-8b2b-4ea6-8dca-213d367b142d",
            "value": "05936ed2436f57237e7773d3b6095e8df46821a62da49985c98be34136594ebd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748351",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d62e7e9a-9b3d-459e-8c42-08969a3dbb8e",
            "value": "6144:FHUfNBAhMzZuAFNCAEORfKwRCiCWeJDBtcPe:FSNqh3AFNCAlKxBtN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748351",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "000b8160-af63-464b-90cb-1200b8ff637c",
            "value": "232266"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748351",
            "to_ids": true,
            "type": "vhash",
            "uuid": "718d2ac7-0949-4b9b-bc3f-874beef8f365",
            "value": "62ce080ecfa742d46f82775c2dbe05e0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748351",
            "to_ids": true,
            "type": "filename",
            "uuid": "5e8f835d-55fa-4edc-b7f3-708be1c129f9",
            "value": "\u62db\u6807\u6587\u4ef6.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 19/08/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748351",
            "to_ids": false,
            "type": "text",
            "uuid": "4d176187-3213-42c8-8d54-2faa0539f137",
            "value": "MALDOC\r\nType Description: Office Open XML Document\nMicrosoft: TrojanDownloader:O97M/Donoff.SG!MTB\nVT Total Detection:44/71\nFirst Submission:2022-04-20T05:42:18.000000+00:00\nLast Submission:2022-04-20T05:42:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981491",
        "uuid": "409cc2e5-4349-41bf-932f-c55253ef3b2e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "EXE",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981491",
            "to_ids": true,
            "type": "md5",
            "uuid": "ac6002c6-a9e3-4c84-b4ca-99e1b4d30283",
            "value": "754a201f853985b0c1c5a96d4637966d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EXE",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748373",
            "to_ids": true,
            "type": "sha1",
            "uuid": "86e4991a-936d-4571-b6ef-8f68f1a120ae",
            "value": "12b6c8ab12dc04106e9ac74f790a1145bdb3d844",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EXE",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748373",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4876205b-1e13-4928-baff-6da31a540c34",
            "value": "8b831ee82975d43456ee861115272d3923e17f07a702eb057feeed8ce76ff4ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748373",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47acbfb6-5033-4ee7-a7ce-25dc249ca0e1",
            "value": "384:D+s8bm5AanTGpzPzVdA48sZsIPEKfQsOYL7iVFbj+CW:6s8bm5AACpzPzkZuzs5sOsmV9NW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748373",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "06be09f5-9447-442f-b411-f73210338575",
            "value": "23040"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748373",
            "to_ids": true,
            "type": "vhash",
            "uuid": "707e2be9-92ba-4c01-aaa8-f941b81405bc",
            "value": "0240a75d1515151c0d1d1078z1f26=z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748373",
            "to_ids": true,
            "type": "filename",
            "uuid": "df909d3b-bf4e-42aa-a4ab-9f6828fd6a5b",
            "value": "radAF574.tmp.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 13/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748373",
            "to_ids": false,
            "type": "text",
            "uuid": "673a7fb6-2d0f-4762-a9c0-46fc09ca64ff",
            "value": "EXE\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tnega!MSR\nVT Total Detection:56/72\nFirst Submission:2020-03-23T04:22:20.000000+00:00\nLast Submission:2024-08-29T08:23:05.000000+00:00"
          }
        ]
      }
    ]
  }
}