{
  "Event": {
    "analysis": "1",
    "date": "2024-09-04",
    "extends_uuid": "",
    "info": "[Threat Intel] The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government",
    "protected": false,
    "publish_timestamp": "1780041379",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780041379",
    "uuid": "f6e08cf8-0233-4db5-a87b-68d99ce7191e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic API Resolution - T1027.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted/Encoded File - T1027.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LNK Icon Smuggling - T1027.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Political party\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"BabyLon RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00dd",
        "local": false,
        "name": "rectifyq:action-taken=\"diamond-model\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Cyble\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1725538842",
        "to_ids": false,
        "type": "link",
        "uuid": "017bc0d1-a663-47c5-a5ad-0d0b55826588",
        "value": "https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/"
      },
      {
        "category": "Network activity",
        "comment": "C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041377",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9fc5f861-eae4-4eab-9b03-e7737880b496",
        "value": "64.176.65.152",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1725539214",
        "to_ids": true,
        "type": "domain",
        "uuid": "b2ce9085-a032-4e2f-b75b-305bb701b42c",
        "value": "workhub-microsoft-team.com"
      },
      {
        "category": "Network activity",
        "comment": "C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041379",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4f92da5a-2358-4084-bc15-c5520943c803",
        "value": "149.28.19.207",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1725539214",
        "to_ids": true,
        "type": "hostname",
        "uuid": "63823526-84fa-4ad1-b478-3fba0bbe8ad0",
        "value": "fund.sekretariatparti.org"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770877277",
        "to_ids": false,
        "type": "comment",
        "uuid": "355d6238-43db-4a30-9d3b-4ae22cdd2015",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240904-Babylon-RAT/60.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770877290",
        "to_ids": false,
        "type": "comment",
        "uuid": "0a521a07-abd3-4733-8b4a-c1cafdcf4380",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240904-Babylon-RAT/61.png"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540250",
        "uuid": "369b2d46-ec9d-476c-b883-5667eb9debf2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SalahLaku_MARA.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540250",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e5c921b-a609-4bfa-bbba-8f0d9cd6929d",
            "value": "85bf32363c6e50c95a674ac964bdba8a",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SalahLaku_MARA.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540250",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2ec43362-0a8a-4828-a4da-32870d2c63e5",
            "value": "8431e5383daa8a8ff61aa8414568bbdfe5c7faae",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SalahLaku_MARA.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540250",
            "to_ids": true,
            "type": "sha256",
            "uuid": "be38fa39-2f43-4e07-a477-f76231bd72b5",
            "value": "54a52310ade00eca0abb8ba32f4cacc42deb69b6e1f07309e44df2213bf2569c",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539238",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "61f924b1-d447-4419-a4cd-ce5670e93578",
            "value": "6291456:WIVKn0F7r0SL1Q2VlTstG5AP6dRM9o/bILtQXIEqpIc3:WIInAfd5z4sZdRBMOXtq2c"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539238",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b10e9ce1-caf8-4bdf-b210-a9ee8ddce512",
            "value": "315889664"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539238",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0a3d9cee-809a-4a67-9fb2-79b039c43ca5",
            "value": "152bed7b5e0505a941bf8ba934b104ca"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539238",
            "to_ids": true,
            "type": "filename",
            "uuid": "18e220e4-a364-48aa-86df-5769b38baf96",
            "value": "SalahLaku_MARA.iso"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539238",
            "to_ids": false,
            "type": "text",
            "uuid": "43cc0841-67f5-41b5-b93e-7fc1cf76f9f5",
            "value": "SalahLaku_MARA.iso\nType Description: ISO image\nSymantec: Trojan.Gen.MBT\nMicrosoft: None\nSentinelOne: None\nVT Total Detection: 8/67 (as of 2024-09-05)"
          }
        ]
      },
      {
        "comment": "0122a7f913",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539238",
        "uuid": "66c1907b-515d-4a17-9a18-689b15d9418a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "0122a7f913",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539238",
            "to_ids": false,
            "type": "text",
            "uuid": "9e716f18-275c-4f43-a687-ee9029a9c211",
            "value": "Windows_API_Function"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539238",
            "to_ids": false,
            "type": "link",
            "uuid": "7aca6574-7477-44ff-9475-a05644fff701",
            "value": "https://github.com/InQuest/yara-rules-vt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539238",
            "to_ids": false,
            "type": "comment",
            "uuid": "69195dd5-0d02-4c62-a304-014d4cba7dc7",
            "value": "Ruleset Name: Windows_API_Function\nDescription: This signature detects the presence of a number of Windows API functions often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if it fires on other file types (such as an ISO image), deeper investigation may be warranted.\nRule Author: InQuest Labs"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540251",
        "uuid": "106d4e53-0be7-4aaf-982e-ad85bf112933",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540251",
            "to_ids": true,
            "type": "md5",
            "uuid": "90097326-882c-4ad2-af88-32c969c0c9ad",
            "value": "f3e410928fecf68cec98236d1bf0598d",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540251",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0852c221-1234-490e-84f4-d418079cfc3e",
            "value": "ca8e7f70b35fe202eba3cb7b52cc5967eca32d47",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540251",
            "to_ids": true,
            "type": "sha256",
            "uuid": "47165fc2-a222-4765-8727-510281c3ac63",
            "value": "d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539264",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7d0a2951-c525-47c7-a19b-31d76d61fa78",
            "value": "6291456:btfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44i:pfdapc6FEWk5rei8L43"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539264",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dcb3c703-c951-4884-a1f8-9708930110a6",
            "value": "315891712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539264",
            "to_ids": true,
            "type": "vhash",
            "uuid": "866e7128-6a13-40f5-912a-b4624c0492b6",
            "value": "152bed7b5e0505a941bf8ba934b104ca"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539264",
            "to_ids": true,
            "type": "filename",
            "uuid": "2d22faa6-432c-4fda-ab9a-e58a0fc4c5d7",
            "value": "PANDUAN_PENGGUNA_MyKHAS.iso"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539264",
            "to_ids": false,
            "type": "text",
            "uuid": "2d38e32b-1562-4040-8505-16f3a34408fb",
            "value": "PANDUAN_PENGGUNA_MyKHAS.iso\nType Description: ISO image\nSymantec: Trojan.Gen.MBT\nMicrosoft: None\nSentinelOne: None\nVT Total Detection: 8/68 (as of 2024-09-05)"
          }
        ]
      },
      {
        "comment": "0122a7f913",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539264",
        "uuid": "402e378e-cb38-4925-823b-508c4f20546d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "0122a7f913",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539264",
            "to_ids": false,
            "type": "text",
            "uuid": "6c8371a8-0773-48fb-a239-aa308b25d560",
            "value": "Windows_API_Function"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539264",
            "to_ids": false,
            "type": "link",
            "uuid": "72dc16f2-a4d5-4141-b1c4-c1b73c78aa2e",
            "value": "https://github.com/InQuest/yara-rules-vt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539264",
            "to_ids": false,
            "type": "comment",
            "uuid": "21dad485-57f4-4b39-aaa3-ddae13714fbb",
            "value": "Ruleset Name: Windows_API_Function\nDescription: This signature detects the presence of a number of Windows API functions often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if it fires on other file types (such as an ISO image), deeper investigation may be warranted.\nRule Author: InQuest Labs"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540252",
        "uuid": "679ed364-5298-4bd9-9778-ffce16ec294b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "LimKitSiang_teks_penuh.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540252",
            "to_ids": true,
            "type": "md5",
            "uuid": "96bdc163-4e9f-483a-af9e-f61cb31d7940",
            "value": "e2766648a25373c2cf86c9dd3a2fd7c8",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LimKitSiang_teks_penuh.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540252",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9438a32f-e51e-47a7-9f28-aaf9caa0483d",
            "value": "275c7d168227e1abab049ec34ff0191e08724ad7",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LimKitSiang_teks_penuh.iso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540252",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f55dcc4b-527e-4bfa-8cc4-20e547481f42",
            "value": "8e6717e88ab6bb4a96e465dc0e9db3cf371e8e75af29e4c3ebc175707702b3b6",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539287",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d6b82c15-54b7-431b-8900-ba380f11d8e3",
            "value": "6291456:vIVKn0F7r0SL1Q2VlTstG5AP6dRM9o/bILtQXIEqpIc3:vIInAfd5z4sZdRBMOXtq2c"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539287",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f1453b99-6a7f-4ef7-acd6-bfaeb4c3cc76",
            "value": "315817984"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539287",
            "to_ids": true,
            "type": "vhash",
            "uuid": "080e00d7-1135-4227-a5d4-6c7256c07131",
            "value": "152bed7b5e0505a941bf8ba934b104ca"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539287",
            "to_ids": true,
            "type": "filename",
            "uuid": "31d22fcc-3680-4b5d-a5d9-035d080c96a6",
            "value": "LimKitSiang_teks_penuh.iso"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539287",
            "to_ids": false,
            "type": "text",
            "uuid": "388c55a2-1d09-4dda-b9e9-2ba7beb7ed8c",
            "value": "LimKitSiang_teks_penuh.iso\nType Description: ISO image\nSymantec: Trojan.Gen.MBT\nMicrosoft: None\nSentinelOne: None\nVT Total Detection: 6/68 (as of 2024-09-05)"
          }
        ]
      },
      {
        "comment": "0122a7f913",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539287",
        "uuid": "f65966ee-0215-4cee-b7e1-345c8350ab57",
        "Attribute": [
          {
            "category": "Other",
            "comment": "0122a7f913",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539287",
            "to_ids": false,
            "type": "text",
            "uuid": "18c16d9a-d030-4df8-8393-1ac7f3a9af99",
            "value": "Windows_API_Function"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539287",
            "to_ids": false,
            "type": "link",
            "uuid": "93944d80-b9a5-4ace-a8c6-234182d9ee68",
            "value": "https://github.com/InQuest/yara-rules-vt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539287",
            "to_ids": false,
            "type": "comment",
            "uuid": "8042d434-847e-451a-a7e3-4f3d60fd91f9",
            "value": "Ruleset Name: Windows_API_Function\nDescription: This signature detects the presence of a number of Windows API functions often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if it fires on other file types (such as an ISO image), deeper investigation may be warranted.\nRule Author: InQuest Labs"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540253",
        "uuid": "151c22e3-f6be-4902-bf42-67cec28131ac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540253",
            "to_ids": true,
            "type": "md5",
            "uuid": "50dcfdc7-f2fc-47bb-8296-f34237737e15",
            "value": "3b76157fa7707ef11312a6061d7c7f4e",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540253",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2459fdf6-6120-482d-9fca-b2deee07f643",
            "value": "dd9e0fb51ed12689083252d9d754780348493249",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540253",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7456ca2c-8b52-4bbc-a967-09de9ac86d6c",
            "value": "cf2b8c735f6acc0310ec76607b5c37ef994c96c74442373686e1f3a141c7a892",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539313",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d4e06ac8-1c1c-4565-b17c-df499cf59c64",
            "value": "48:8ws1dvnSC6FaSUXdn1mXuH7fNTmc2nNRIU:8wmdw90gubxmc2V"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539313",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bb6c7fec-62db-4915-bb24-46b37206fd18",
            "value": "3446"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539313",
            "to_ids": true,
            "type": "vhash",
            "uuid": "07e80f28-14d9-489b-ade6-49513fac4a04",
            "value": "ea5c6fe1c9a32a0ee3a7f59611ac208d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539313",
            "to_ids": true,
            "type": "filename",
            "uuid": "c4a6945b-bab3-43be-9734-8decef02bcb5",
            "value": "SALAHLAKU_SEKTOR_KEUSAHAWANAN_MARA.LNK"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/09/2024\nLast-scan\t:  05/09/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539313",
            "to_ids": false,
            "type": "text",
            "uuid": "1826b407-e2e4-4eab-b07d-bb0f8544eb7c",
            "value": "Salahlaku_Sektor_Keusahawanan_MARA.lnk\r\nType Description: Windows shortcut\nSymantec: None\nMicrosoft: None\nSentinelOne: Static AI - Suspicious LNK\nVT Total Detection:7/66"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539313",
        "uuid": "84114eb8-f3b8-4d3a-a178-f7ab893c35c3",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539313",
            "to_ids": false,
            "type": "text",
            "uuid": "1617554e-a10b-4fd1-9e73-84f91d6bb266",
            "value": "PS_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539313",
            "to_ids": false,
            "type": "link",
            "uuid": "195c02c0-5f3d-4bf6-b94f-4a13787874a5",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539313",
            "to_ids": false,
            "type": "comment",
            "uuid": "c28fe6b5-6830-46e2-8ebd-febe246fcb77",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies PowerShell artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539314",
        "uuid": "502e08e7-3f8f-418c-9fad-7dbd74d19b29",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "text",
            "uuid": "909bfd16-bb99-43ef-a1b2-2b38d28ff1eb",
            "value": "EXE_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "link",
            "uuid": "d743ce88-f3b0-4e8c-9ad9-8ac71ac5d30f",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "comment",
            "uuid": "170da0c3-ad52-4587-8af5-0614c49c4d73",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies executable artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539314",
        "uuid": "1b451d47-9eb7-4acd-bc71-241f4933b7b0",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "text",
            "uuid": "d6283527-16b7-4876-91f9-d44711c654f3",
            "value": "Execution_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "link",
            "uuid": "54958962-c1e2-442f-900f-e3c3c3ccb6fb",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "comment",
            "uuid": "c6a39e18-980c-42f1-8e77-7531a40ae694",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies execution artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539314",
        "uuid": "dc9256ee-c045-4f19-88f3-c56661d041c9",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "text",
            "uuid": "e588d047-5a81-48cb-9a45-ec433280ee36",
            "value": "PDF_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "link",
            "uuid": "fabe5018-cd01-46af-ae0d-2fd9dba854b3",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "comment",
            "uuid": "0a42556b-37eb-479d-8858-c5d97b0d782e",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies Adobe Acrobat artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539314",
        "uuid": "a0cda895-839a-47f1-8f09-5e8563cf03b7",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "text",
            "uuid": "e0eb297c-684f-4b29-b92f-96d9aea3788b",
            "value": "Long_RelativePath_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "link",
            "uuid": "41bbd3f5-83c1-4216-ae31-64ca633bd727",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539314",
            "to_ids": false,
            "type": "comment",
            "uuid": "5e349d93-3cb5-4e7b-8109-7fe8110760b9",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540255",
        "uuid": "82247e09-2c98-4230-9433-bb5d8b5c3556",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540254",
            "to_ids": true,
            "type": "md5",
            "uuid": "8d117a6b-cbef-4c13-bdcd-02fae92f023b",
            "value": "843154177ad124c22d0107ea786b82f8",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540255",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5fe6c13d-5327-4c4c-b044-9b4788656993",
            "value": "c0d80dfd81bd6b59ae8effad3e2e643da93becb9",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540255",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e23ea1a2-4c0f-4f0e-8737-ad998057272d",
            "value": "b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539339",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c89608ab-714f-40d1-b9c7-f62d6bcb6f49",
            "value": "48:8wsCsaMJlFVHyrldeLPLC13XuHvHyrtQC+DqHyr5nn:8wtilfHBzenuPHxJDqHc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a86dcc05-6e77-4084-88d0-0b18648e8306",
            "value": "3329"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539339",
            "to_ids": true,
            "type": "vhash",
            "uuid": "15287ed5-03ad-4c0b-b294-744860f92d49",
            "value": "d67632d06e7834426de275ebd250577a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539339",
            "to_ids": true,
            "type": "filename",
            "uuid": "807cbb95-b856-447a-9b40-7a895ddfa0bf",
            "value": "PANDUAN_PENGGUNA_MyKHAS.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/09/2024\nLast-scan\t:  05/09/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "text",
            "uuid": "9b22a720-6a96-4c8d-8c22-dd4fd51847e2",
            "value": "PANDUAN_PENGGUNA_MyKHAS.lnk\r\nType Description: Windows shortcut\nSymantec: None\nMicrosoft: None\nSentinelOne: Static AI - Suspicious LNK\nVT Total Detection:7/68"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539339",
        "uuid": "547a9721-c6b0-41a2-b856-4d389e0799fa",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "text",
            "uuid": "b255328a-7f9b-4840-bfa1-c04ef7d50ee2",
            "value": "PS_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "link",
            "uuid": "5721c962-badc-4a0d-bb83-b9bcaa314679",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "comment",
            "uuid": "dc4e6c61-f998-4409-89a4-9dd0ec1fafba",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies PowerShell artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539339",
        "uuid": "46e722ee-4d1f-45e8-b00a-2520356e8556",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "text",
            "uuid": "eb59fc86-dc8b-4ea4-bb65-9a687eaff953",
            "value": "EXE_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "link",
            "uuid": "787cd19f-0a52-4f33-9848-e9effe12eb16",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "comment",
            "uuid": "01a33cf9-7261-42a8-997e-f7380155db3b",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies executable artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539339",
        "uuid": "42d86ec2-4f46-4ef9-ac38-a2e1406c8721",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "text",
            "uuid": "d143ebcf-0b7f-4dae-917d-8fc867783f8c",
            "value": "Execution_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "link",
            "uuid": "f8323925-74f1-4572-a40b-dc55990d0876",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539339",
            "to_ids": false,
            "type": "comment",
            "uuid": "4666be77-f71c-49ba-9227-3bdad54437c2",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies execution artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539340",
        "uuid": "a9a6f39f-0259-4f27-ae21-d910ddd42ba2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "text",
            "uuid": "470de355-ec55-44d1-b251-f626e0529a38",
            "value": "PDF_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "link",
            "uuid": "68f64920-e2b6-42ff-b772-02dc736e0071",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "comment",
            "uuid": "869fbfd9-4304-42b1-940b-503b83f3d005",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies Adobe Acrobat artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539340",
        "uuid": "3f5aadb0-f29b-4d48-99a3-3b2533683120",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "text",
            "uuid": "8d53f74e-196c-482c-ad94-74c93022c5af",
            "value": "Long_RelativePath_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "link",
            "uuid": "a0cba130-0c03-4151-92a7-38eb830e335b",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539340",
            "to_ids": false,
            "type": "comment",
            "uuid": "51212b14-bcf6-404a-8013-a50c0b3a4815",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540256",
        "uuid": "f68e6827-760f-4c67-a781-c765701944ae",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540256",
            "to_ids": true,
            "type": "md5",
            "uuid": "23d9e7bd-3341-4b35-92a1-7ed3b4fafd3a",
            "value": "96d29a1b21594dccd795d5295f7f9967",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540256",
            "to_ids": true,
            "type": "sha1",
            "uuid": "54019705-3b67-4c07-bee7-ec1362874904",
            "value": "056cba5a888dd9620f4c936a85d3fdbe3486041b",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Salahlaku_Sektor_Keusahawanan_MARA.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540256",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5307b0a3-913f-4c84-8b7f-0f39d9365290",
            "value": "401a524c5a446107547475d27f9acd548182eac06294245dc43313b47ffa0e5c",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539364",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "225d4194-105a-4665-9fe1-c53802e8b145",
            "value": "12:+OtWEm94KW203xVjjjPQ3pmKmCwFBFwn19ELx8FHQ:ptKCxV/jDbBFo19ExEHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539364",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f90a1156-6391-4098-bd42-fab51035756f",
            "value": "528"
          },
          {
            "category": "Payload delivery",
            "comment": "NOTE(review): this vhash value is identical on the other two .ps1 file objects in this event (528, 627 and 525-byte scripts), so it discriminates by file type rather than by sample; with to_ids=true, treat a vhash-only match as low-confidence and confirm against sha256.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539364",
            "to_ids": true,
            "type": "vhash",
            "uuid": "df01896d-a35a-42a3-b65b-2c1abbe56501",
            "value": "040d7349661bab1efa058c8f4668a6fe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539364",
            "to_ids": true,
            "type": "filename",
            "uuid": "17c10082-7262-4da3-adaf-9e512f61d000",
            "value": "Salahlaku_Sektor_Keusahawanan_MARA.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539364",
            "to_ids": false,
            "type": "text",
            "uuid": "09db46a4-8441-4dae-be4a-ccbdf0ee9b6f",
            "value": "Salahlaku_Sektor_Keusahawanan_MARA.ps1\r\nType Description: JavaScript\nSymantec: None\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:0/65"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540257",
        "uuid": "f2d5d6fe-0896-4712-94c6-5c1f9f0349f1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Wrapper for Babylon RAT - controller.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540257",
            "to_ids": true,
            "type": "md5",
            "uuid": "e034f063-5e50-41c2-b747-5ec5d30e1eb8",
            "value": "a17a1666f47953d6e505182909c74170",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wrapper for Babylon RAT - controller.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540257",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0852106d-af04-4db9-82c7-11790391b64e",
            "value": "b1054b4702ff9b112dfdf8ce40f0fdf399ba8a95",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wrapper for Babylon RAT - controller.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540257",
            "to_ids": true,
            "type": "sha256",
            "uuid": "81002be5-77b3-4992-8c40-5f2c0a11a728",
            "value": "f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539390",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ddbcdb5f-8b46-43bc-9518-59a9998d0681",
            "value": "6291456:etfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44iC:Qfdapc6FEWk5rei8L43C"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539390",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b380631d-13ae-4579-8098-eca5aac6f5e1",
            "value": "315434424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539390",
            "to_ids": true,
            "type": "vhash",
            "uuid": "926f16e4-58b4-4903-b8d6-b203ab0e183d",
            "value": "038056651d75655019zf!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539390",
            "to_ids": true,
            "type": "filename",
            "uuid": "e8c2f3c7-9dda-4b91-b37e-dd9198b3eab3",
            "value": "SonyVaio"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539390",
            "to_ids": false,
            "type": "text",
            "uuid": "fd3e9572-706e-4330-b62f-dc1e8f386515",
            "value": "Wrapper for Babylon RAT - controller.exe\r\nType Description: Win32 EXE\nSymantec: Trojan Horse\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:10/74"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540259",
        "uuid": "5a04c139-a82b-4599-85c7-80dfb2b241a5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Artifact contained in iso - PDFview.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540258",
            "to_ids": true,
            "type": "md5",
            "uuid": "9542f262-9fb6-426a-bb1f-332eba873357",
            "value": "bc598aa0d798948e0d1a9184e0e4be5e",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Artifact contained in iso - PDFview.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540259",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5b89acee-05cb-48c9-b333-4e0e8d6e81f1",
            "value": "8c20b018a33092be4b73c569380ae463d956aec1",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Artifact contained in iso - PDFview.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540259",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ecbddfd7-e62e-40a5-824d-0162972bba83",
            "value": "77e22b511cd236cae46f55e50858aea174021a1cd431beaa5e7839a9d062e4c7",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539413",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "79c99c88-5202-4213-bb9b-d88de970f871",
            "value": "6291456:iIVKn0F7r0SL1Q2VlTstG5AP6dRM9o/bILtQXIEqpIc32:iIInAfd5z4sZdRBMOXtq2cm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539413",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f79c6da3-60ba-4968-a299-70d0cd185fe9",
            "value": "315637248"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539413",
            "to_ids": true,
            "type": "vhash",
            "uuid": "644c21c9-46cc-49bd-b329-c833bd7a6943",
            "value": "038056651d75555019zf!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539413",
            "to_ids": true,
            "type": "filename",
            "uuid": "2651dd8a-20f1-4306-afb0-2a44bb7c0189",
            "value": "Sony VioV3"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539413",
            "to_ids": false,
            "type": "text",
            "uuid": "b98e69f1-6bb1-4255-865a-1b51db61cce4",
            "value": "Artifact contained in iso - PDFview.exe\r\nType Description: Win32 EXE\nSymantec: Trojan Horse\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:16/74"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540260",
        "uuid": "3e09d7fc-502b-42f4-b84d-0d536a1af097",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540260",
            "to_ids": true,
            "type": "md5",
            "uuid": "03f7ef25-3534-4ab4-8a2e-c0e38a93899c",
            "value": "e7d2e1452702bc0de5a92e745dbdc4a9",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540260",
            "to_ids": true,
            "type": "sha1",
            "uuid": "25d08a38-ba94-4c38-b5ae-9bf820e471dc",
            "value": "da8e9f9f43e29f02e5a0332239f38416f4dff844",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PANDUAN_PENGGUNA_MyKHAS.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540260",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a08fc070-dc77-429b-9035-5e06c0a56735",
            "value": "b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539436",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "04376997-22bb-42e4-979c-6bdfaf5a23b0",
            "value": "12:+fz16tDovm94KWO04Vj6xVjjb3bDPq2EmKmCwFBFwn19ELx8FHQ:Kz1GDTc4VexV/GgbBFo19ExEHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539436",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e5a093b4-a3dc-464f-93d7-1a099294522e",
            "value": "627"
          },
          {
            "category": "Payload delivery",
            "comment": "NOTE(review): this vhash value is identical on the other two .ps1 file objects in this event (528, 627 and 525-byte scripts), so it discriminates by file type rather than by sample; with to_ids=true, treat a vhash-only match as low-confidence and confirm against sha256.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539436",
            "to_ids": true,
            "type": "vhash",
            "uuid": "26cbb877-5826-4657-812d-13e74e957809",
            "value": "040d7349661bab1efa058c8f4668a6fe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539436",
            "to_ids": true,
            "type": "filename",
            "uuid": "bb22a741-7fa4-416a-a6a9-63fd5d9a45bf",
            "value": "PANDUAN_PENGGUNA_MyKHAS.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539436",
            "to_ids": false,
            "type": "text",
            "uuid": "efba7c4b-804d-4d53-86d3-9bb9b20fd1c0",
            "value": "PANDUAN_PENGGUNA_MyKHAS.ps1\r\nType Description: Powershell\nSymantec: None\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:0/65"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540261",
        "uuid": "7a90fe8a-66cb-40bb-a4db-1cdad7a7bbde",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540261",
            "to_ids": true,
            "type": "md5",
            "uuid": "a2b6bd2c-4fc5-4b78-a8fd-889afb16f880",
            "value": "2fc775f241750387ba578af5ed11ec99",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540261",
            "to_ids": true,
            "type": "sha1",
            "uuid": "25031143-9aa4-4dc9-be3f-29c14348aa95",
            "value": "325113a93de58832bb40d2cb761eb71a17917ff6",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540261",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d7d947dd-a947-4db4-bbc4-3f9c215bdaaa",
            "value": "2a5a1ae773c59f18cceada37c4d78427ff18bd9a8c0ceb584c0cf997f6ac36b0",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539458",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "86c71e06-3b23-4880-9c65-227efb5f32d9",
            "value": "12:+OZUIvm94KW203xVjjy3pmKmCwFBFwn19ELx8FHQ:pBaCxV/tbBFo19ExEHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539458",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4a236a67-eccf-4e22-8cdc-a7102b4c70fa",
            "value": "525"
          },
          {
            "category": "Payload delivery",
            "comment": "NOTE(review): this vhash value is identical on the other two .ps1 file objects in this event (528, 627 and 525-byte scripts), so it discriminates by file type rather than by sample; with to_ids=true, treat a vhash-only match as low-confidence and confirm against sha256.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539458",
            "to_ids": true,
            "type": "vhash",
            "uuid": "872e7ca8-cb34-47dd-bc98-0f8b225cbf2b",
            "value": "040d7349661bab1efa058c8f4668a6fe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539458",
            "to_ids": true,
            "type": "filename",
            "uuid": "16000e1a-f1e8-4ad9-9c0b-25980cf70cbb",
            "value": "KIT_SIANG_BIMBANG_GELOMBANG_HIJAU.PS1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2024-09-05\nLast-scan: 2024-09-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539458",
            "to_ids": false,
            "type": "text",
            "uuid": "d44e929d-37c9-4d78-90c8-dbc7f9b5953d",
            "value": "Kit_Siang_Bimbang_Gelombang_Hijau.ps1\r\nType Description: JavaScript\nSymantec: None\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:0/65"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1725540263",
        "uuid": "1ecc162c-3dca-4e48-b6b9-501945e9f1bd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1725540262",
            "to_ids": true,
            "type": "md5",
            "uuid": "75e4b101-df25-4bbe-a9d3-607fc8d8bf5a",
            "value": "840a97991dc4489c5d1a37172bf54ac7",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1725540263",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f200daea-3c4a-4a72-859a-da9655096a03",
            "value": "de9b9730218109b66cb1607a52cd2e88d8d5f4ba",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kit_Siang_Bimbang_Gelombang_Hijau.lnk",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1725540263",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9a8b39c2-bf9c-46c7-96f2-c2bf20f27cd1",
            "value": "f30901bd966b8c4803ffd517347167b4bba2c1b85cc7b5bcbe08791e249eb86b",
            "Tag": [
              {
                "colour": "#233f94",
                "local": false,
                "name": "rectifyq=ioc-enriched",
                "relationship_type": ""
              },
              {
                "colour": "#e87d07",
                "local": false,
                "name": "verify-require=epp",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1725539481",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9a1676fb-bd9f-40bf-8f5f-768f0388f935",
            "value": "24:8wX81ttJ/BvVQAA7ja+/CCCkGSKqdd9wPTEL1vORXuHYMKcNFaQm2mc2CcNFaymy:8ws1dvnSQFadn1mXuH7fNTmc2nNRIU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "13e054c9-aa90-49ea-8155-65bd2f3dbe78",
            "value": "3438"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1725539481",
            "to_ids": true,
            "type": "vhash",
            "uuid": "99062b9d-d44d-4d99-b6f0-a144efaa61ec",
            "value": "ea5c6fe1c9a32a0ee3a7f59611ac208d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1725539481",
            "to_ids": true,
            "type": "filename",
            "uuid": "f11d387f-666e-406b-b3ee-a3349799238b",
            "value": "KIT_SIANG_BIMBANG_GELOMBANG_HIJAU.LNK"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/09/2024\nLast-scan\t:  05/09/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "text",
            "uuid": "1dc782c0-e211-4d52-a4aa-1c84ead4f339",
            "value": "Kit_Siang_Bimbang_Gelombang_Hijau.lnk\r\nType Description: Windows shortcut\nSymantec: None\nMicrosoft: None\nSentinelOne: Static AI - Suspicious LNK\nVT Total Detection:7/66"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539481",
        "uuid": "473d9837-6d4a-438e-a5cc-015dec49ef79",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "text",
            "uuid": "bfe0aa66-b79d-41b6-8d0b-78ad0e5347e8",
            "value": "PS_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "link",
            "uuid": "7c011c84-f0ec-43fb-abf3-e43c9382e613",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "comment",
            "uuid": "afba6da2-0ee3-4232-a008-eb261be83212",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies PowerShell artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539481",
        "uuid": "d1979e9a-04ae-492d-a709-ff82dd238a2f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "text",
            "uuid": "523a9a02-3494-4f3d-a0bc-2876a8924968",
            "value": "EXE_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "link",
            "uuid": "33e200c4-03ba-4980-b6a8-ed10c82e4358",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539481",
            "to_ids": false,
            "type": "comment",
            "uuid": "ff674d5a-42d4-4aa9-885d-111eae9ce2fb",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies executable artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539482",
        "uuid": "bde0a0ac-8383-4a90-aa8f-9d5cac650879",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "text",
            "uuid": "61360162-9d7f-4e29-8ee1-8d86950d8257",
            "value": "Execution_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "link",
            "uuid": "8c415025-66fd-41d3-b4c0-ae19a111d77d",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "comment",
            "uuid": "4b2f63e0-1e39-442a-ac11-f087d4782a76",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies execution artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539482",
        "uuid": "050c00de-1c03-4cbf-9e7f-c984ef99bd2a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "text",
            "uuid": "934ea6cd-ae65-4f17-bd49-7e2757f0254a",
            "value": "PDF_in_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "link",
            "uuid": "c56af185-5478-435b-bd96-c1196061c24d",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "comment",
            "uuid": "e83e8458-7563-41a4-a487-04165b1a388d",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies Adobe Acrobat artefacts in shortcut (LNK) files.\nRule Author: @bartblaze"
          }
        ]
      },
      {
        "comment": "002bb473a9",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1725539482",
        "uuid": "bda2b2c6-4511-480d-95cb-4e4d9f499d73",
        "Attribute": [
          {
            "category": "Other",
            "comment": "002bb473a9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "text",
            "uuid": "b5c578c2-77bc-42dc-acee-3c5d50cc09e9",
            "value": "Long_RelativePath_LNK"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "reference",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "link",
            "uuid": "92bcd78e-6a33-40c0-aee5-c2c795474e44",
            "value": "https://github.com/bartblaze/Yara-rules"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1725539482",
            "to_ids": false,
            "type": "comment",
            "uuid": "2fe42845-1e30-4ec4-9e99-4a5d0bf19da2",
            "value": "Ruleset Name: LNK_Ruleset\nDescription: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.\nRule Author: @bartblaze"
          }
        ]
      }
    ]
  }
}