{
  "Event": {
    "analysis": "1",
    "date": "2021-12-08",
    "extends_uuid": "",
    "info": "[Threat Intel] Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia",
    "protected": false,
    "publish_timestamp": "1780039616",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039616",
    "uuid": "fbf292a8-ce2d-4811-882f-34fb7dd1c26b",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#d53577",
        "local": false,
        "name": "misp-galaxy:target-information=\"Cambodia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf83fd",
        "local": false,
        "name": "misp-galaxy:producer=\"Recorded Future\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Military\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Police - Law enforcement\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"FunnyDream\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Cobalt Strike\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ShadowPad\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Trochilus RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"8.t Dropper\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"NewCore RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Laos\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"058ba3b3-6530-41b4-ac3f-1b3ca0b97ec4\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"00afde8d-6de3-46b1-9f35-e98fc8c1ee07\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"e6520f6c-3713-489d-90c2-f06bb947988f\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"b63153a8-f2e8-4543-a0f7-0a3e74515812\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"eb1a21c9-5c30-4c70-a120-5452151b4eac\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Chinoxy\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667962",
        "to_ids": false,
        "type": "text",
        "uuid": "4f34df17-054f-4a46-86be-a90d7c9a14c2",
        "value": "Recorded Future\u2019s Insikt Group tracks Chinese state-sponsored cyber espionage operations targeting government and private sector organizations across Southeast Asia. In this report, they highlight multiple examples of activity reported to Recorded Future clients throughout 2021."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667962",
        "to_ids": false,
        "type": "text",
        "uuid": "56a131c3-00c4-4340-96e1-3bbc14aa0e1b",
        "value": "Name: Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia\nAuthor: AlienVault\nAdversary: TAG-16\nTags: [\"TAG-16\", \"APT40\", \"FunnyDream\", \"PCShare\", \"RedFoxtrot\", \"ShadowPad\", \"CobaltStrike\", \"Trochilus\", \"TAG-33\"]\nTargeted countries: [\"Cambodia\", \"Lao People's Democratic Republic\", \"Malaysia\", \"Philippines\", \"Viet Nam\", \"Thailand\", \"Indonesia\"]\nMalware families: [\"FunnyDream\", \"PCShare\", \"ShadowPad\", \"CobaltStrike\", \"Trochilus\"]\nAttack_ids: []\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667962",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "845b53b8-678b-49ea-aeb7-ff3e73ec4fda",
        "value": "TAG-16"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740272819",
        "to_ids": false,
        "type": "link",
        "uuid": "d5764bcd-f130-49c4-a7a6-17bbf3b7c2b9",
        "value": "https://www.recordedfuture.com/blog/chinese-state-sponsored-cyber-espionage-expansion-power-influence-southeast-asia"
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740275936",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4fd276ed-d65e-475f-9906-26122bb27537",
        "value": "www.cankerscarcass.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740275957",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6823beb9-765b-4e5c-b66b-cc2acf126be7",
        "value": "www.appexistence.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740275978",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e0688b50-1192-4b5f-ade4-017679525b4b",
        "value": "www.rninhsss.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740275999",
        "to_ids": true,
        "type": "hostname",
        "uuid": "efb82269-ff1a-4d1b-ac1e-1941d223b023",
        "value": "www.aexhausts.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276020",
        "to_ids": true,
        "type": "hostname",
        "uuid": "68425c2f-440d-4f19-877a-5934f1ea395c",
        "value": "ttxs.aexhausts.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276042",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d8a5a8da-7460-4e9f-9ac0-af2aeea02c8a",
        "value": "cdn.aexhausts.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276064",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c87984ab-9278-402a-baff-8729edd1cd08",
        "value": "www.bbranchs.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276085",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6e1c8c55-6938-4617-8c64-2dc7683c5f33",
        "value": "www.carelessnessing.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276106",
        "to_ids": true,
        "type": "hostname",
        "uuid": "574ab452-b9cc-43e7-9808-92e87a13992e",
        "value": "www.dexercisep.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276127",
        "to_ids": true,
        "type": "hostname",
        "uuid": "95458767-59b3-4722-8072-c0e8ef368cf8",
        "value": "www.weekendorg.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276148",
        "to_ids": true,
        "type": "hostname",
        "uuid": "31efcc75-e11b-4cc6-bbc7-1acc0d89c48e",
        "value": "www.manaloguek.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-16 C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276170",
        "to_ids": true,
        "type": "hostname",
        "uuid": "19c5ecc3-2303-4b45-a794-d8553f484633",
        "value": "www.guardggg.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039589",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "27559c99-0ce4-44b9-a8af-f00fc3505307",
        "value": "150.109.14.19",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039591",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "84ca3835-8fc1-424b-a315-0a4a995a4e16",
        "value": "103.198.241.11",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039593",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "063e4872-e32e-47ba-846e-6310085491b7",
        "value": "103.198.241.55",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039594",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4c47031f-481f-47f7-95ac-a8c312324c48",
        "value": "103.198.241.58",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039596",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "08fcfa33-9146-4ef9-a784-bf3daa752908",
        "value": "121.78.139.168",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039597",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "793c5b7f-1562-4042-9937-542e4150f03e",
        "value": "121.78.139.169",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#129989",
            "local": false,
            "name": "asn:asn=\"38726\"",
            "relationship_type": ""
          },
          {
            "colour": "#e7c038",
            "local": false,
            "name": "asn:as-owner=\"VTCDIGICOM-AS-VN VTC DIGICOM\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039599",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4df39263-2f83-4297-8688-5077a0078050",
        "value": "154.86.157.12",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#53f67a",
            "local": false,
            "name": "asn:asn=\"136897\"",
            "relationship_type": ""
          },
          {
            "colour": "#7ef4eb",
            "local": false,
            "name": "asn:as-owner=\"ENJOYVC-AS-AP Enjoyvc Cloud Group Limited.\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039600",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "967b34b8-a867-480e-87b2-d912beb8a69a",
        "value": "154.86.157.15",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#53f67a",
            "local": false,
            "name": "asn:asn=\"136897\"",
            "relationship_type": ""
          },
          {
            "colour": "#7ef4eb",
            "local": false,
            "name": "asn:as-owner=\"ENJOYVC-AS-AP Enjoyvc Cloud Group Limited.\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039602",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "487c7b1f-fe62-4dac-aa39-e658f40d877f",
        "value": "154.86.157.16",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#53f67a",
            "local": false,
            "name": "asn:asn=\"136897\"",
            "relationship_type": ""
          },
          {
            "colour": "#7ef4eb",
            "local": false,
            "name": "asn:as-owner=\"ENJOYVC-AS-AP Enjoyvc Cloud Group Limited.\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039603",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ad7480af-b5a5-436e-9959-9562c49bde1d",
        "value": "154.86.157.17",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#53f67a",
            "local": false,
            "name": "asn:asn=\"136897\"",
            "relationship_type": ""
          },
          {
            "colour": "#7ef4eb",
            "local": false,
            "name": "asn:as-owner=\"ENJOYVC-AS-AP Enjoyvc Cloud Group Limited.\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039605",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2db51e51-414e-4416-93bb-e5aa518ef5df",
        "value": "45.197.133.23",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#517762",
            "local": false,
            "name": "asn:asn=\"57043\"",
            "relationship_type": ""
          },
          {
            "colour": "#c77b00",
            "local": false,
            "name": "asn:as-owner=\"HOSTKEY-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039607",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ff23c422-a568-4399-92af-ae0ebcd6e231",
        "value": "45.197.133.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#517762",
            "local": false,
            "name": "asn:asn=\"57043\"",
            "relationship_type": ""
          },
          {
            "colour": "#c77b00",
            "local": false,
            "name": "asn:as-owner=\"HOSTKEY-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Recently Active TAG-16 C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039608",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "11da5e0c-7035-4b22-86e3-0b18a936a519",
        "value": "45.197.133.44",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#517762",
            "local": false,
            "name": "asn:asn=\"57043\"",
            "relationship_type": ""
          },
          {
            "colour": "#c77b00",
            "local": false,
            "name": "asn:as-owner=\"HOSTKEY-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276467",
        "to_ids": true,
        "type": "domain",
        "uuid": "795efd37-26b4-4eb4-a3f9-a7f48e9a2cae",
        "value": "laodailylive.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276488",
        "to_ids": true,
        "type": "domain",
        "uuid": "c63512c3-5feb-4302-950e-c7edd6344bf2",
        "value": "laodiplomat.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276509",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4517872c-0d08-4f2f-8fc7-25f7bba82ffb",
        "value": "api.dreamsbottle.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276530",
        "to_ids": true,
        "type": "hostname",
        "uuid": "550d2091-ca38-4dc5-83df-716966639d27",
        "value": "news.networkslaoupdate.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276552",
        "to_ids": true,
        "type": "domain",
        "uuid": "0c0ec43e-03ca-45a1-91aa-0cea98610dde",
        "value": "laodata.network",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276573",
        "to_ids": true,
        "type": "domain",
        "uuid": "7cdf78ae-b901-4f8b-8314-6c64512a9f8a",
        "value": "laotranslations.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039610",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "515e84df-7804-4e41-9ee2-5b3d187a81fb",
        "value": "193.56.255.225",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad, Cobalt Strike, and Trochilus C2 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039611",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5403b287-0db1-47ff-9755-f04291753838",
        "value": "139.99.22.94",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#21ca95",
            "local": false,
            "name": "asn:asn=\"16276\"",
            "relationship_type": ""
          },
          {
            "colour": "#983aa5",
            "local": false,
            "name": "asn:as-owner=\"OVH\"",
            "relationship_type": ""
          },
          {
            "colour": "#93736f",
            "local": false,
            "name": "asn:as-country=\"FR\"",
            "relationship_type": ""
          },
          {
            "colour": "#f6cea1",
            "local": false,
            "name": "misp-galaxy:country=\"france\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276637",
        "to_ids": true,
        "type": "domain",
        "uuid": "607cc7e9-b890-43df-a757-5608aabe2395",
        "value": "nbabbpdbqljf.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276658",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a37097b2-a5c9-464a-93b0-954e808cdb52",
        "value": "www.nbabbpdbqljf.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276679",
        "to_ids": true,
        "type": "domain",
        "uuid": "2479c26a-b9b3-49c2-852c-b2d5791a4786",
        "value": "iherlvufjknw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276700",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7a017f1a-5961-4847-bbb8-6590b3d5af39",
        "value": "ja.iherlvufjknw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276722",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3afac71b-5db1-4e1b-8610-bccc65bbbbf4",
        "value": "www.iherlvufjknw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276743",
        "to_ids": true,
        "type": "domain",
        "uuid": "e03ad004-3fde-43c5-b767-804d4c5e4f3a",
        "value": "musicandfile.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276764",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9326cdf7-9957-48a3-a057-b0655ccd2f2e",
        "value": "www.musicandfile.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276785",
        "to_ids": true,
        "type": "hostname",
        "uuid": "57896f4b-c581-4434-a859-b696de8d36d5",
        "value": "cm.musicandfile.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276806",
        "to_ids": true,
        "type": "domain",
        "uuid": "dba0e56b-7c5c-432d-9632-db9ccad97027",
        "value": "duutsxlydw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276827",
        "to_ids": true,
        "type": "hostname",
        "uuid": "19e7fa2a-7b74-41e7-b5d5-93b2cd52145c",
        "value": "news.duutsxlydw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740276848",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9a2e5748-9840-4c73-aa45-951029006c08",
        "value": "office.duutsxlydw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039613",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5c7d4aad-2f07-40ab-8f39-83ca5c301a0d",
        "value": "43.129.41.169",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#dd7331",
            "local": false,
            "name": "asn:asn=\"132203\"",
            "relationship_type": ""
          },
          {
            "colour": "#723dcd",
            "local": false,
            "name": "asn:as-owner=\"TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039614",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5067a996-0132-4d0e-a9df-6de9e8073dcc",
        "value": "43.129.36.175",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#dd7331",
            "local": false,
            "name": "asn:asn=\"132203\"",
            "relationship_type": ""
          },
          {
            "colour": "#723dcd",
            "local": false,
            "name": "asn:as-owner=\"TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TAG-34 ShadowPad C2 IP Addresses & Associated Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039616",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4de3118b-a681-48d8-821f-069d942c08b5",
        "value": "152.32.153.189",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740276933",
        "uuid": "0766ea3e-1132-45b9-ad83-d4cab716e82b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740276933",
            "to_ids": true,
            "type": "md5",
            "uuid": "fd7b8865-1a54-4f88-9535-5648621a3ab9",
            "value": "a46ab13ebcaf10d512cb5793f052a5d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274764",
            "to_ids": true,
            "type": "sha1",
            "uuid": "71fd8d08-62f8-4090-8ebd-36c03761f3f3",
            "value": "5ae6385b73a2d19a234e4324b2ef869fcc02968a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274765",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3036eb54-fc69-4519-95de-bacfacd875da",
            "value": "8f79333f2cc38d2259af81b6d0fbfb0731f1e3442c187b19a6538d0e7daf85df",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274278",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "190eee70-2c94-4f1a-9d21-e76e15f7d2f0",
            "value": "49152:yqze1YKNgKRYGmKdyMOGC2uuco5rvOiPGJPhbTql09:0HRvRr2VJ5y0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274278",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2603092d-0693-4209-9d72-34ca0c3bc730",
            "value": "2169344"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274278",
            "to_ids": true,
            "type": "vhash",
            "uuid": "136e1b47-bcfa-41cb-86fd-68bfe5e380c0",
            "value": "026076655d156515155143z72z7djz21zd4z116z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274278",
            "to_ids": true,
            "type": "filename",
            "uuid": "7ff1b10a-709d-42a8-8c93-a45d7820b7d8",
            "value": "MSCRV98.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  12/04/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274278",
            "to_ids": false,
            "type": "text",
            "uuid": "09ad2ffe-b43f-4cd0-89a3-895d34a6c1b3",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Tnega!ml\nVT Total Detection:47/70"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740276954",
        "uuid": "e0ef39b1-3e07-4080-b62a-ae02b0703814",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740276954",
            "to_ids": true,
            "type": "md5",
            "uuid": "24a9a701-fa4d-40e4-b9bc-71ec93913c4a",
            "value": "fa80669685cf12de62b4e3156b997553",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274766",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b4f2cf1f-a7b2-41af-b9b5-84b9fbf6d0b8",
            "value": "e9812ffab193f4b7f07cf00352d07f76437c7304",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274766",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1571e179-57a6-4232-892f-30405692253c",
            "value": "c2dbaafccfb8c9121904629c1b643b99dfa934a2ec9f4bd8754ba3cad38b9a90",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274300",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fea54f42-752e-43bf-a5de-0c129633c3eb",
            "value": "49152:YD3unj4H70m2s4/ib9S4kc7HeiPvlvhTd:6bkc7+4lv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274300",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8cfc569f-1072-40e6-9fcb-4f3a45aa90c7",
            "value": "2199552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274300",
            "to_ids": true,
            "type": "vhash",
            "uuid": "860375a3-734b-4518-b00a-49719b945a03",
            "value": "126076655d156515155143z72z7cjz21zb4z17z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274300",
            "to_ids": true,
            "type": "filename",
            "uuid": "b76cfe6f-897d-408f-bbde-262aa561d6cb",
            "value": "rundll_x64.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  05/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274300",
            "to_ids": false,
            "type": "text",
            "uuid": "b651e385-ad5f-49cf-b363-e11448ebc74b",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 DLL\n\nMicrosoft: None\nVT Total Detection:40/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740276976",
        "uuid": "305035a1-a950-4c81-b7e8-61de83e2ec46",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740276976",
            "to_ids": true,
            "type": "md5",
            "uuid": "4a367d42-a369-4cfb-be4c-507327489aba",
            "value": "cd14c71626f022781cfd2192bd8b454e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274768",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6bf6ebf9-ded9-4870-a76a-8a5208851515",
            "value": "8c37b22e42ed940324ae92ea66bfa49f2d5bdd8d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274768",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a0477069-47b1-42df-8cbe-8252d40055d0",
            "value": "7a3d7f1dc1e5d42e278785149a382651c70a8f967a153e1960cffff5f92eaa33",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274322",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ba3776e7-093d-4611-8403-f9767df29d44",
            "value": "49152:wSLlJ6HEGV+WCIeJ1+IMPzy/nlW/3HF0A:wSLATqf+ly/n"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274322",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7732caa9-ec70-4d93-8480-e32f4d0f4719",
            "value": "1775616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274322",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9a1ede39-a3d2-444f-ad6f-54ee092a82e6",
            "value": "016066656d1515156153z72z7bjz11zc4z18z"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  12/04/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274322",
            "to_ids": false,
            "type": "text",
            "uuid": "87778420-e97b-4371-bd1b-3a79cd26420e",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Tnega!ml\nVT Total Detection:52/70"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740276997",
        "uuid": "e99476b4-d0dd-4ba4-80a7-5a3a6c2c554a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740276997",
            "to_ids": true,
            "type": "md5",
            "uuid": "bd1f48b8-9b6d-444e-b1ed-e3ebd582c14a",
            "value": "1f3a2e8058411cc04f474a68501b3045",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274769",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f3768d71-0300-4c90-956a-7fc4b8a7a627",
            "value": "5d2ace346fee26e8eacb907f0279d222579fd811",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274769",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9d19be12-5393-44d8-8776-272b338e0ba7",
            "value": "6543180ba4e195b4f80399aae593eb7554588b61e651fce81b91fefa56baec30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274344",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "582888c3-d14d-4e7e-9a29-8fbbe4b87835",
            "value": "49152:bm6doQsiSlO1Plu2/3jyKfmXKPbj9iP7VQbTBMSO:HyWPf9UVQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274344",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1779d9aa-dc92-45ba-9595-17af8fd6f5fd",
            "value": "2322944"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274344",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b1155f63-471e-4937-85c5-bcb187e07f61",
            "value": "026076655d156515155143z72z73jz11z95zf6z1"
          },
          {
            "category": "Payload delivery",
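            "comment": "Filename is the sample's MD5 plus a .virus extension, which looks like a repository label rather than an on-disk name; low detection value on its own, rely on the hashes in this object.",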
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274344",
            "to_ids": true,
            "type": "filename",
            "uuid": "867c3001-f012-4f52-9d77-d9e062ac117b",
            "value": "1f3a2e8058411cc04f474a68501b3045.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  24/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274344",
            "to_ids": false,
            "type": "text",
            "uuid": "8f4928ad-e5c8-466e-9022-a9786e81b07e",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:40/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277018",
        "uuid": "44ce7288-cbd8-4feb-aba1-456ff73e945f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277018",
            "to_ids": true,
            "type": "md5",
            "uuid": "a61f028c-4594-40f6-905d-d5860c9732f1",
            "value": "3f36bfb561db8b56ae355dc031d3acdd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274771",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1d09d4cc-cfa8-466d-924a-3bc20fd026a1",
            "value": "055c994b6692ca0089503be94cad8860f6545ac9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274771",
            "to_ids": true,
            "type": "sha256",
            "uuid": "19102c37-5c65-4d66-bd57-3d079b2727af",
            "value": "4ac3836414a384aee4c68e60eca54a848c8727a9e548de2b7ab76ecbd520107a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274365",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8a08f0d2-5690-4fc2-abd8-181b100d3e88",
            "value": "24576:ds7y+jzDcrS5uVd+N/FUtulTJkcUFFceV0I48DaUspLuOQtP1VPEKz+OHovBN6HL:aP4+xOKz4EQtP1VPE7vBN6HN5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274365",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b3a9d5e1-f896-431a-8ec6-da6b8752c711",
            "value": "1741312"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274365",
            "to_ids": true,
            "type": "vhash",
            "uuid": "abcf0f92-3913-4306-aa7d-5dfb3f4c8cdd",
            "value": "016066656d1515156153z72z7ajz11zc4z117z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274365",
            "to_ids": true,
            "type": "filename",
            "uuid": "54eaeaa8-cc5f-4626-a9ec-74ad040bfb4a",
            "value": "GameExplorer.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274365",
            "to_ids": false,
            "type": "text",
            "uuid": "ff8bd762-d84a-4d38-862c-efee571724b4",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Tiggre!rfn\nVT Total Detection:52/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277042",
        "uuid": "2cb4e8ba-8777-4ca9-9c47-90c2f32386cd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277042",
            "to_ids": true,
            "type": "md5",
            "uuid": "190baeb1-2276-48a1-90d8-b06196cd9a02",
            "value": "2f602c6feaa750e7d3b64276b630498a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274772",
            "to_ids": true,
            "type": "sha1",
            "uuid": "372b8da3-a825-4367-b0ad-2e9b077c8e39",
            "value": "1948ca4266b3a5ea5bc15c8a7b10261fb013109f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274772",
            "to_ids": true,
            "type": "sha256",
            "uuid": "625d3ba8-1292-4f86-9f8f-65bbc2e69bf2",
            "value": "9d0c2e8d0e2430c3e67b2677caff136e562570da162a371e9cfa6602c70b03bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274387",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "eb39e19c-e0df-49b6-8573-1497d3b6b26d",
            "value": "49152:R5TS8sKhdMj0kt9gA/Lk5mxIialKiPNhtIT1cG7L:mQsT5aYqhtAcG7L"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274387",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "221c4f20-c9d1-4cad-bd9e-e9cccebe61f4",
            "value": "2169344"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274387",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3607e751-d3df-4968-b7d3-d2f46fb22dce",
            "value": "026076655d156515155143z72z7cjz11zd4z116z1"
          },
          {
            "category": "Payload delivery",
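            "comment": "Generic filename; expect false positives if matched alone. Use only together with the hashes in this object.",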
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274387",
            "to_ids": true,
            "type": "filename",
            "uuid": "42cca199-6881-4f9d-951c-61c9c5f6daea",
            "value": "1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  29/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274387",
            "to_ids": false,
            "type": "text",
            "uuid": "138d3d96-ff18-4a42-ae6d-a0c5b00b799c",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:52/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277064",
        "uuid": "59efd88e-3371-424b-a37e-bcffb9696b51",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277064",
            "to_ids": true,
            "type": "md5",
            "uuid": "82edc44a-801c-46e7-8e53-4ba89903dd74",
            "value": "1a295e304be80266a832cd648ee7db9d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274774",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f3690369-970a-425f-89c2-8c4761658855",
            "value": "21490cb65a07bd2e0401233e91d13d0a42f925bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274774",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a4b000fb-597b-4757-a24d-c31749b576c5",
            "value": "c94d6649fe5c879ac2e4ccb313958736ac4c86f217c3a68c799f9641b6ac9f2a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274409",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d3011e71-8601-4291-bc1d-c8ce24eecfd8",
            "value": "24576:W1s6AOGWFzyAhDsgD1mW4JkSLk/77rel7GMP2XZHzPu2809czQTyvOkjaLk:WbbbO3j2pzPuL09xTMOkjaLk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274409",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e9489f05-e019-4616-82da-9a174e98a573",
            "value": "1774080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274409",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6b1c8e8c-aed8-4706-9b16-4a0097fc1813",
            "value": "116066656d15151560f3z72z78jz11zb4z116z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274409",
            "to_ids": true,
            "type": "filename",
            "uuid": "bc807c38-5844-475f-9b07-a8243a8552ea",
            "value": "avp.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  22/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274409",
            "to_ids": false,
            "type": "text",
            "uuid": "3e224a8b-5266-4335-8c19-b6e58ed116fd",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Tiggre!rfn\nVT Total Detection:51/71"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277085",
        "uuid": "25a28824-4845-4978-84a2-43d498818b25",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277085",
            "to_ids": true,
            "type": "md5",
            "uuid": "538e20b1-9339-47da-8209-dc0c63e6d4aa",
            "value": "04662666c8a97998fb1b2fcf907526e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274775",
            "to_ids": true,
            "type": "sha1",
            "uuid": "04e51c27-0d06-4d16-947b-be92193fcf20",
            "value": "63f074d52a6a6e2492bcf1de5fee12ccd75e157d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274775",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f248e607-6c12-4679-9c45-24832c764084",
            "value": "a1859ce1575ab08b6c3dc2731cef31e358dd3ccfc7d6febaccb6a730bc1d58c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274430",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4b3bfa16-7515-4495-93df-7336082bd7c6",
            "value": "24576:gr6CDp8zxP69ujkWhE+z9gnr8OUnhpipLBeWA/X2KzKQ3/SYhm4vPrHcXqHTdC8o:CD069uYLvp9c7BvvPrHcXMTlJEO3I"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274430",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "15ba9950-5061-415b-820d-e20aa2ac619d",
            "value": "1778688"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274431",
            "to_ids": true,
            "type": "vhash",
            "uuid": "71b12c62-0c09-4d65-ab32-68feca78f688",
            "value": "116066656d1515156143z72z79jz21zb4z17z1"
          },
          {
            "category": "Payload delivery",
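            "comment": "Generic filename; expect false positives if matched alone. Use only together with the hashes in this object.",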
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274431",
            "to_ids": true,
            "type": "filename",
            "uuid": "ef48e1b0-f328-4ee9-94cd-d15fd4152839",
            "value": "test"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  05/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274431",
            "to_ids": false,
            "type": "text",
            "uuid": "751f194c-aba6-4012-acf0-1e32d8d15249",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:52/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277106",
        "uuid": "41208d8f-0c4e-41b2-9406-a892a6e8e7a8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277106",
            "to_ids": true,
            "type": "md5",
            "uuid": "a278c8bc-3b13-4727-94bd-6d52a2db6a91",
            "value": "1454d4feacdd503c0542f70f44a8edc1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274782",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d4019b7a-4df2-4b4f-b1d8-6604a3ac4f9c",
            "value": "8b9d82882288adc86f58154ed5b2ceb5b626ce66",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274782",
            "to_ids": true,
            "type": "sha256",
            "uuid": "360b4786-d4cf-4960-a4b0-c9fe119dee9a",
            "value": "179d18ad80b718d861ea0b4b06ad885e0a7760051497db6eb87315f92dd24b53",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274453",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c6213011-09f2-43cf-a373-98edfed9e10b",
            "value": "24576:+YSOaapO+S5on5eAqF+yVFuhVTOZDY+HwQemjgY/QoP1VnKfJiIHvBN6HJp:67awEior92HQoP1VnKjHvBN6HJp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274453",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "47cd2b22-2fab-4449-ae2d-702a6eb75cfb",
            "value": "1740800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274453",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7291cb1b-6cc0-4519-9199-7c4b6dd9d880",
            "value": "016066656d1515156153z72z7ajz11zc4z117z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274453",
            "to_ids": true,
            "type": "filename",
            "uuid": "cf44012c-0936-4bdf-b1c2-1540fa552c0c",
            "value": "delta.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  22/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274453",
            "to_ids": false,
            "type": "text",
            "uuid": "9357c32b-365e-4db8-83de-eb1242811f99",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:49/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277127",
        "uuid": "7bbae8d8-1a64-4f26-ae2b-eec23cc6d82b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277127",
            "to_ids": true,
            "type": "md5",
            "uuid": "b8b258e1-94db-48e9-929a-021cc22fcb36",
            "value": "44aa5dc9e3a02af7937da590a622ac20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274783",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3a77e245-7946-44d2-b7ec-cac1fe45c830",
            "value": "e46b21ddbb8cbb5286367be3b92d3720097e6bc3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274784",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3f23babf-8fe4-4db0-8a76-4a290291cf0e",
            "value": "b3c811595a0edbed9524a1a71ee9292c19792370c99f856f765a39f80a437418",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274475",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d0304e72-c84b-4cff-ae14-bfc8edb69644",
            "value": "24576:vVEoODC4rBGNlckBz7so/mr8ELh4On0L/HN7fDn779xEX2c/4Ozy2TkZTzogSiPg:GoODCGBM4WI0L/pyZGZ/NSiPn4ULT+8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274475",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2ca5be9e-051b-4228-9e3b-a7476c5c53ec",
            "value": "2195968"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274475",
            "to_ids": true,
            "type": "vhash",
            "uuid": "43195391-de62-46e3-bc71-4b6c557472b2",
            "value": "126076655d156515155143z72z7ajz11zb4z17z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274475",
            "to_ids": true,
            "type": "filename",
            "uuid": "f1c4be11-9090-4fc2-8338-12d634430524",
            "value": "avpui.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  05/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274475",
            "to_ids": false,
            "type": "text",
            "uuid": "9cbfd9ba-63f2-4c27-8a57-db92ecfe33bc",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 DLL\n\nMicrosoft: None\nVT Total Detection:40/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277148",
        "uuid": "42572af4-2556-4127-85e0-895f5fe7ee7a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277148",
            "to_ids": true,
            "type": "md5",
            "uuid": "8d819de8-17e9-432c-bb42-879162f9084a",
            "value": "23d4cfceb70d19cf5dc15ea0e8ea1acd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274785",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fe072cef-b8e7-4cbe-90e9-7cf9abec5ccb",
            "value": "66ca178a7f66ea0b69abd5c9645267f46948e95e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "FunnyDream Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274785",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5158e3ef-e179-4b58-879f-46682482eb9f",
            "value": "d12582262c06d6e0f68c62c891f469d819e18e0498fa2e9d277981f25eee93a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274497",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d6172aa1-7275-4f29-bb80-ead22a5b995d",
            "value": "49152:gN22GmEky9vxh1XoOuG6PTyKPpQSGW/3sKSL:gNJyd1XPuByKPpP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274497",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4807d4ad-57c7-427a-b6ae-a6587b73de6e",
            "value": "1775616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274497",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f1e2e6b6-c84a-4dfd-968a-88000c444189",
            "value": "016066656d1515156153z72z7bjz11zc4z18z"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  24/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274497",
            "to_ids": false,
            "type": "text",
            "uuid": "24173abc-9895-42c3-98ae-5b7e7f8cca01",
            "value": "FunnyDream Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:53/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277169",
        "uuid": "5afade20-0754-4b81-bac7-0464a09e1f9a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RoyalRoad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277169",
            "to_ids": true,
            "type": "md5",
            "uuid": "2deebcc8-921b-4828-ae4f-c61819cc3c62",
            "value": "40cfeb699d239652dd4a79c18b1c7366",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RoyalRoad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274786",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c2399d42-87c9-4fda-987d-59a121d3a508",
            "value": "ebf199532f0b433419bc33a8da65ab8ccacf7cd6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RoyalRoad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274786",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5e05d260-0949-4a13-84ad-de8b21f8fbfb",
            "value": "130daacff74d57bb2319fc5cf815e783c6505883f69e4adcd4c2b1cac3e598ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274518",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d154de56-d9cc-4567-9ec3-39153991bf0e",
            "value": "12288:brpkMt1aC4oO/f0O5kRly9j4hhycmDXEWXk8+K7Z3TblYITe7jy+88XAzfEOMVd9:brpkMt1aCnc0O5ka9j4zyZQL8l9DbCIg"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274518",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "07dfff33-ea8a-4157-a623-c3a6d7138145",
            "value": "710442"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274518",
            "to_ids": true,
            "type": "vhash",
            "uuid": "19fcff7c-42b5-4226-b554-e069d55afa8b",
            "value": "8390fd113aefe73f1909c66de0bbfa93d"
          },
          {
            "category": "Payload delivery",
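            "comment": "Name follows the VirusShare repository pattern (VirusShare_<MD5>, matching this object's md5 attribute), so it is likely a repository label rather than a file name observed on a host; prefer the hash attributes for detection.",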
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274518",
            "to_ids": true,
            "type": "filename",
            "uuid": "0999520f-e031-43b7-827f-3b55ea947a69",
            "value": "VirusShare_40cfeb699d239652dd4a79c18b1c7366"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  23/12/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274518",
            "to_ids": false,
            "type": "text",
            "uuid": "fec95123-f0d9-46eb-a16d-b62d39208a59",
            "value": "RoyalRoad\r\nType Description: Rich Text Format\n\nMicrosoft: Exploit:O97M/DDEDownloader.T\nVT Total Detection:38/61"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277191",
        "uuid": "a49db5e4-43a3-4867-9cb0-02c0bb499109",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Newcore RAT",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277191",
            "to_ids": true,
            "type": "md5",
            "uuid": "b2e9a14d-7a3b-446d-9966-9d5550fecb32",
            "value": "6d2e6a61eede06fa9d633ce151208831",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Newcore RAT",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274788",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9b0d6b5f-6e3e-42c7-a169-7e4c6306a5cb",
            "value": "f764163f3912376ebcabaf1cf3a60b6bc74561be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Newcore RAT",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274788",
            "to_ids": true,
            "type": "sha256",
            "uuid": "597789fb-16fe-44a0-8165-7d29c93eb0d7",
            "value": "207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274541",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cbb04d47-6228-4fef-b7be-87384260af34",
            "value": "768:69yTkCP8AwKU4hm6kksgG6TvED0KncdG2pnNTG513J:60kG8im6kAnZEKnNTG5RJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274541",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5721c66c-6d25-4299-9465-3551778d2a9a",
            "value": "50688"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274541",
            "to_ids": true,
            "type": "vhash",
            "uuid": "84a9ccec-6a80-4baf-98d7-cfc04e80b4dc",
            "value": "154056655d15551az43jz1jz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274541",
            "to_ids": true,
            "type": "filename",
            "uuid": "823629db-ab28-491f-ade4-17178de78ff4",
            "value": "QcLite.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  23/12/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274541",
            "to_ids": false,
            "type": "text",
            "uuid": "39729201-1d12-4eae-980c-81fcbd5e5506",
            "value": "Newcore RAT\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Pango\nVT Total Detection:55/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740277212",
        "uuid": "a04196c3-a831-4311-9485-03aa6ca5ceda",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740277212",
            "to_ids": true,
            "type": "md5",
            "uuid": "724660e7-a46c-4306-b39a-edf308ece777",
            "value": "b9fecf531ebd323cd25b4dbb179a8969",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274789",
            "to_ids": true,
            "type": "sha1",
            "uuid": "34aab447-3960-4dc9-ab34-091669f3db7e",
            "value": "982df98a04ec484005eab09171cf5ba727666bfd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274789",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e2614a04-9fc6-49d6-98f2-83c38e0c876c",
            "value": "47b12169eb9933b8481327a9775d1efd4fa077881f023892938056ff06e4f2b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274562",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70a54652-8723-444f-9eb7-17741c83740f",
            "value": "3072:GEboKigt97s1cufJTdtnmcKNwo/Mf9jDfdy5rqMrZ9dGs9UZZ4K0LJtP:GTisVfJTdZtKyuYDguITfLJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274562",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "285df08b-d1b8-4fab-a899-885fd6ec9e8b",
            "value": "229376"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274562",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8921e370-41bb-40b1-adc0-6c791cee4533",
            "value": "0250875d151c0d1d1d1e7az1a1c=z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274562",
            "to_ids": true,
            "type": "filename",
            "uuid": "0645d89d-75f0-4a6c-8b6c-ebbaa1f0a85d",
            "value": "cobaltstrike_shellcode.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  29/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274562",
            "to_ids": false,
            "type": "text",
            "uuid": "2e170299-6ef9-49b9-8f79-462567f84a29",
            "value": "Cobalt Strike\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/CobaltStrike!pz\nVT Total Detection:68/74"
          }
        ]
      }
    ]
  }
}