diff --git a/2022/12/breaking_the_silence_truebot_activity.json b/2022/12/breaking_the_silence_truebot_activity.json
index c032695..266ef59 100644
--- a/2022/12/breaking_the_silence_truebot_activity.json
+++ b/2022/12/breaking_the_silence_truebot_activity.json
@@ -1 +1 @@
-{"type": "bundle", "spec_version": "2.0", "id": "bundle--52c7940f-41e8-4100-a7d4-69abcd25c6b5", "objects": [{"type": "identity", "id": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Talos", "identity_class": "organization"}, {"type": "report", "id": "report--fd00ed51-66b9-4eba-86f7-d5c34a1fc00a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Breaking the silence - Recent Truebot activity", "published": "2022-12-08T13:06:35Z", "object_refs": ["x-misp-attribute--00fed327-7537-42f7-9f9e-52f6848da7aa", "observed-data--94ae27e8-336c-4bbb-b688-37331cfe7eb1", "indicator--ec19cc53-3425-49fb-860b-3d9eebefe6c1", "indicator--30f7121b-c9d1-4830-85ff-88fa6d00e82e", "indicator--0d508f29-53b3-4caf-8510-1b8345761057", "indicator--d1a99778-fe84-46ab-ac33-3987e087ee55", "indicator--61415b95-1f8e-4632-84a1-da8fa3da8c37", "indicator--0e36fb1c-424c-4ab9-88d5-698643bb29d0", "indicator--d9f2c1f7-063d-4537-b453-4cf05e0660d6", "indicator--4e408d95-a2c1-4b6c-8229-1dde13559b9a", "indicator--495a4d0d-6f4c-45d1-87ad-c5e78204b18f", "indicator--76335a95-9e9c-4f7c-9e7c-e78b5e116e51", "indicator--ad9e1c7a-0ef8-4457-8e7d-b71c417b358f", "indicator--046fcc66-3152-449d-8c36-ffd0791f7baf", "indicator--990292ff-52d4-4ae5-aa4c-37068ec3a769", "indicator--82403119-fa70-492b-98fc-1ba0ce4ff7c9", "indicator--65b76740-c98d-43b6-8896-4d63154d3c66", "indicator--fe437f9a-3c30-4bcb-aa5a-02abd1def0b9", "indicator--1a3ec459-aba8-4f61-bdc3-35f5266632cb", "indicator--695f990e-34cc-4cf4-8cf4-eb8498400faa", "indicator--1cd653bb-5923-45fe-b3b4-3059dac95885", "indicator--6fe0fa91-6ab7-486b-9e53-44dc64b2f5c7", "indicator--eec7669f-a4ac-4180-874c-4048609ad9bb", "indicator--cb08d4df-f942-483f-9de8-fa09cde9cab8", "indicator--a99d9331-9af6-470c-9a88-099faa8d4eea", "indicator--9a797846-a88e-4d3a-ad32-7f643620a04c", 
"indicator--7692082b-14fe-485b-8487-728f4fe8f8ac", "indicator--928dfc85-c38b-4f82-9a58-d47b9e29be9a", "indicator--063df29e-e9fa-4bb5-a1fc-fe2e9ca83a34", "indicator--cb9846d6-b2e9-461f-a0bf-e0bc55ac1e1e", "indicator--e8f8e323-1683-4856-a920-e7be3fe0ab4f", "indicator--5e0606eb-e1a3-472b-accc-e49c4ff21001", "indicator--facdbd3a-aef1-451b-a596-8b47bcfcdfa4", "indicator--6b167def-15d7-42ef-96f3-53fadababfd4", "indicator--fc96d051-319b-403e-b3b4-6d62244e8c00", "indicator--291dd35d-3350-4f60-b2db-956b1d3d0cee", "indicator--7efdc4b2-5b2a-4310-a8f9-501f55fd8b06", "indicator--07747cd3-f15b-4681-a38e-26553ad25d8d", "malware--0df52c23-690b-4703-83f7-5befc38ab376", "threat-actor--0d5e17fd-7a71-47fd-b4bc-867cdb833726", "threat-actor--03c80674-35f8-4fe0-be2b-226ed0fcd69f", "malware--cad3ba95-8c89-4146-ab10-08daa813f9de", "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391"], "labels": ["Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Talos_Intel_Blog"], "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"]}, {"type": "x-misp-attribute", "id": "x-misp-attribute--00fed327-7537-42f7-9f9e-52f6848da7aa", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:25:40.000Z", "modified": "2022-12-08T12:25:40.000Z", "labels": ["misp:type=\"text\"", "misp:category=\"Payload type\""], "x_misp_category": "Payload type", "x_misp_comment": "Teleport data exfiltration tool", "x_misp_type": "text", "x_misp_value": "Teleport"}, {"type": "observed-data", "id": "observed-data--94ae27e8-336c-4bbb-b688-37331cfe7eb1", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:27:34.000Z", "modified": "2022-12-08T12:27:34.000Z", "first_observed": "2022-12-08T12:27:34Z", "last_observed": "2022-12-08T12:27:34Z", "number_observed": 1, "objects": 
{"0": {"type": "url", "value": "https://blog.talosintelligence.com/p/7387780d-2ad3-4370-aca8-a7b3ab81f89e/"}}, "labels": ["misp:type=\"url\"", "misp:category=\"External analysis\""]}, {"type": "indicator", "id": "indicator--ec19cc53-3425-49fb-860b-3d9eebefe6c1", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--30f7121b-c9d1-4830-85ff-88fa6d00e82e", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0d508f29-53b3-4caf-8510-1b8345761057", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--d1a99778-fe84-46ab-ac33-3987e087ee55", "created_by_ref": 
"identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--61415b95-1f8e-4632-84a1-da8fa3da8c37", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '58b671915e239e9682d50a026e46db0d775624a61a56199f7fd576b0cef4564d']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0e36fb1c-424c-4ab9-88d5-698643bb29d0", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--d9f2c1f7-063d-4537-b453-4cf05e0660d6", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": 
"misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--4e408d95-a2c1-4b6c-8229-1dde13559b9a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--495a4d0d-6f4c-45d1-87ad-c5e78204b18f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--76335a95-9e9c-4f7c-9e7c-e78b5e116e51", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--ad9e1c7a-0ef8-4457-8e7d-b71c417b358f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": 
"2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--046fcc66-3152-449d-8c36-ffd0791f7baf", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--990292ff-52d4-4ae5-aa4c-37068ec3a769", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--82403119-fa70-492b-98fc-1ba0ce4ff7c9", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], 
"labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--65b76740-c98d-43b6-8896-4d63154d3c66", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--fe437f9a-3c30-4bcb-aa5a-02abd1def0b9", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--1a3ec459-aba8-4f61-bdc3-35f5266632cb", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--695f990e-34cc-4cf4-8cf4-eb8498400faa", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": 
"2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--1cd653bb-5923-45fe-b3b4-3059dac95885", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'dd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6fe0fa91-6ab7-486b-9e53-44dc64b2f5c7", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '27b6e71b4adeada41fb1e411a910872bfad999183d9d43ba6e63602e104d357b']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--eec7669f-a4ac-4180-874c-4048609ad9bb", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.34:80/download/file.ext']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--cb08d4df-f942-483f-9de8-fa09cde9cab8", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.53:80/download/msruntime.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--a99d9331-9af6-470c-9a88-099faa8d4eea", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.53:80/download/GoogleUpdate.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--9a797846-a88e-4d3a-ad32-7f643620a04c", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://tddshht.com/chkds.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--7692082b-14fe-485b-8487-728f4fe8f8ac", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://nefosferta.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", 
"phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--928dfc85-c38b-4f82-9a58-d47b9e29be9a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://185.55..243.110/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--063df29e-e9fa-4bb5-a1fc-fe2e9ca83a34", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://gbpooolfhbrb.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--cb9846d6-b2e9-461f-a0bf-e0bc55ac1e1e", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://88.214.27.100/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--e8f8e323-1683-4856-a920-e7be3fe0ab4f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://hiperfdhaus.com/gate.php']", "valid_from": 
"2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--5e0606eb-e1a3-472b-accc-e49c4ff21001", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://88.214.27.101/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--facdbd3a-aef1-451b-a596-8b47bcfcdfa4", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://jirostrogud.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6b167def-15d7-42ef-96f3-53fadababfd4", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.227.253.102']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--fc96d051-319b-403e-b3b4-6d62244e8c00", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": 
"2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.214.27.101']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--291dd35d-3350-4f60-b2db-956b1d3d0cee", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.214.27.100']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--7efdc4b2-5b2a-4310-a8f9-501f55fd8b06", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.60.150.53']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--07747cd3-f15b-4681-a38e-26553ad25d8d", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.60.150.34']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": 
"Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "malware", "id": "malware--0df52c23-690b-4703-83f7-5befc38ab376", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Silence", "description": "Malware galaxy based on Malpedia archive. | ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "malpedia"}], "labels": ["misp:galaxy-name=\"Malpedia\"", "misp:galaxy-type=\"malpedia\"", "misp-galaxy:malpedia=\"Silence\""]}, {"type": "threat-actor", "id": "threat-actor--0d5e17fd-7a71-47fd-b4bc-867cdb833726", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Silence group", "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. | a relatively new threat actor that\u2019s been operating since mid-2016\nGroup-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). 
Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.", "aliases": ["Silence", "WHISPER SPIDER"], "labels": ["misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"", "misp-galaxy:threat-actor=\"Silence group\""]}, {"type": "threat-actor", "id": "threat-actor--03c80674-35f8-4fe0-be2b-226ed0fcd69f", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "TA505", "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. | TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.", "aliases": ["SectorJ04 Group", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "ATK103"], "labels": ["misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"", "misp-galaxy:threat-actor=\"TA505\""]}, {"type": "malware", "id": "malware--cad3ba95-8c89-4146-ab10-08daa813f9de", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Clop - S0611", "description": "Name of ATT&CK software | [Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. 
[Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", "misp-galaxy:mitre-malware=\"Clop - S0611\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0611"}]}, {"type": "malware", "id": "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "FlawedGrace - S0383", "description": "Name of ATT&CK software | [FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", "misp-galaxy:mitre-malware=\"FlawedGrace - S0383\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0383"}]}, {"type": "malware", "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Cobalt Strike - S0154", "description": "Name of ATT&CK software | [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. 
Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", "misp-galaxy:mitre-malware=\"Cobalt Strike - S0154\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0154"}]}, {"type": "attack-pattern", "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Obfuscated Files or Information - T1027", "description": "ATT&CK Tactic | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. 
\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-267"}]}, {"type": "attack-pattern", "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Debugger Evasion - T1622", "description": "ATT&CK Tactic | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. 
Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. 
Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1622"}]}, {"type": "marking-definition", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "white"}}]} +{"type": "bundle", "spec_version": "2.0", "id": "bundle--52c7940f-41e8-4100-a7d4-69abcd25c6b5", "objects": [{"type": "identity", "id": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Talos", "identity_class": "organization"}, {"type": "report", "id": "report--fd00ed51-66b9-4eba-86f7-d5c34a1fc00a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Breaking the silence - Recent Truebot activity", "published": "2022-12-08T13:06:35Z", "object_refs": ["x-misp-attribute--00fed327-7537-42f7-9f9e-52f6848da7aa", "observed-data--94ae27e8-336c-4bbb-b688-37331cfe7eb1", "indicator--ec19cc53-3425-49fb-860b-3d9eebefe6c1", "indicator--30f7121b-c9d1-4830-85ff-88fa6d00e82e", "indicator--0d508f29-53b3-4caf-8510-1b8345761057", "indicator--d1a99778-fe84-46ab-ac33-3987e087ee55", "indicator--61415b95-1f8e-4632-84a1-da8fa3da8c37", "indicator--0e36fb1c-424c-4ab9-88d5-698643bb29d0", "indicator--d9f2c1f7-063d-4537-b453-4cf05e0660d6", 
"indicator--4e408d95-a2c1-4b6c-8229-1dde13559b9a", "indicator--495a4d0d-6f4c-45d1-87ad-c5e78204b18f", "indicator--76335a95-9e9c-4f7c-9e7c-e78b5e116e51", "indicator--ad9e1c7a-0ef8-4457-8e7d-b71c417b358f", "indicator--046fcc66-3152-449d-8c36-ffd0791f7baf", "indicator--990292ff-52d4-4ae5-aa4c-37068ec3a769", "indicator--82403119-fa70-492b-98fc-1ba0ce4ff7c9", "indicator--65b76740-c98d-43b6-8896-4d63154d3c66", "indicator--fe437f9a-3c30-4bcb-aa5a-02abd1def0b9", "indicator--1a3ec459-aba8-4f61-bdc3-35f5266632cb", "indicator--695f990e-34cc-4cf4-8cf4-eb8498400faa", "indicator--1cd653bb-5923-45fe-b3b4-3059dac95885", "indicator--6fe0fa91-6ab7-486b-9e53-44dc64b2f5c7", "indicator--eec7669f-a4ac-4180-874c-4048609ad9bb", "indicator--cb08d4df-f942-483f-9de8-fa09cde9cab8", "indicator--a99d9331-9af6-470c-9a88-099faa8d4eea", "indicator--9a797846-a88e-4d3a-ad32-7f643620a04c", "indicator--7692082b-14fe-485b-8487-728f4fe8f8ac", "indicator--928dfc85-c38b-4f82-9a58-d47b9e29be9a", "indicator--063df29e-e9fa-4bb5-a1fc-fe2e9ca83a34", "indicator--cb9846d6-b2e9-461f-a0bf-e0bc55ac1e1e", "indicator--e8f8e323-1683-4856-a920-e7be3fe0ab4f", "indicator--5e0606eb-e1a3-472b-accc-e49c4ff21001", "indicator--facdbd3a-aef1-451b-a596-8b47bcfcdfa4", "indicator--6b167def-15d7-42ef-96f3-53fadababfd4", "indicator--fc96d051-319b-403e-b3b4-6d62244e8c00", "indicator--291dd35d-3350-4f60-b2db-956b1d3d0cee", "indicator--7efdc4b2-5b2a-4310-a8f9-501f55fd8b06", "indicator--07747cd3-f15b-4681-a38e-26553ad25d8d", "malware--0df52c23-690b-4703-83f7-5befc38ab376", "threat-actor--0d5e17fd-7a71-47fd-b4bc-867cdb833726", "threat-actor--03c80674-35f8-4fe0-be2b-226ed0fcd69f", "malware--cad3ba95-8c89-4146-ab10-08daa813f9de", "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391"], "labels": ["Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Talos_Intel_Blog"], 
"object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"]}, {"type": "x-misp-attribute", "id": "x-misp-attribute--00fed327-7537-42f7-9f9e-52f6848da7aa", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:25:40.000Z", "modified": "2022-12-08T12:25:40.000Z", "labels": ["misp:type=\"text\"", "misp:category=\"Payload type\""], "x_misp_category": "Payload type", "x_misp_comment": "Teleport data exfiltration tool", "x_misp_type": "text", "x_misp_value": "Teleport"}, {"type": "observed-data", "id": "observed-data--94ae27e8-336c-4bbb-b688-37331cfe7eb1", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:27:34.000Z", "modified": "2022-12-08T12:27:34.000Z", "first_observed": "2022-12-08T12:27:34Z", "last_observed": "2022-12-08T12:27:34Z", "number_observed": 1, "objects": {"0": {"type": "url", "value": "https://blog.talosintelligence.com/p/7387780d-2ad3-4370-aca8-a7b3ab81f89e/"}}, "labels": ["misp:type=\"url\"", "misp:category=\"External analysis\""]}, {"type": "indicator", "id": "indicator--ec19cc53-3425-49fb-860b-3d9eebefe6c1", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--30f7121b-c9d1-4830-85ff-88fa6d00e82e", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49']", "valid_from": "2022-12-08T12:33:35Z", 
"kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0d508f29-53b3-4caf-8510-1b8345761057", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--d1a99778-fe84-46ab-ac33-3987e087ee55", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--61415b95-1f8e-4632-84a1-da8fa3da8c37", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '58b671915e239e9682d50a026e46db0d775624a61a56199f7fd576b0cef4564d']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0e36fb1c-424c-4ab9-88d5-698643bb29d0", "created_by_ref": 
"identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--d9f2c1f7-063d-4537-b453-4cf05e0660d6", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--4e408d95-a2c1-4b6c-8229-1dde13559b9a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--495a4d0d-6f4c-45d1-87ad-c5e78204b18f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": 
"misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--76335a95-9e9c-4f7c-9e7c-e78b5e116e51", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--ad9e1c7a-0ef8-4457-8e7d-b71c417b358f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--046fcc66-3152-449d-8c36-ffd0791f7baf", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--990292ff-52d4-4ae5-aa4c-37068ec3a769", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": 
"2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--82403119-fa70-492b-98fc-1ba0ce4ff7c9", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--65b76740-c98d-43b6-8896-4d63154d3c66", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--fe437f9a-3c30-4bcb-aa5a-02abd1def0b9", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], 
"labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--1a3ec459-aba8-4f61-bdc3-35f5266632cb", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--695f990e-34cc-4cf4-8cf4-eb8498400faa", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--1cd653bb-5923-45fe-b3b4-3059dac95885", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = 'dd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6fe0fa91-6ab7-486b-9e53-44dc64b2f5c7", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": 
"2022-12-08T12:33:35.000Z", "pattern": "[file:hashes.SHA256 = '27b6e71b4adeada41fb1e411a910872bfad999183d9d43ba6e63602e104d357b']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--eec7669f-a4ac-4180-874c-4048609ad9bb", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.34:80/download/file.ext']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--cb08d4df-f942-483f-9de8-fa09cde9cab8", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.53:80/download/msruntime.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--a99d9331-9af6-470c-9a88-099faa8d4eea", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://179.60.150.53:80/download/GoogleUpdate.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": 
"indicator--9a797846-a88e-4d3a-ad32-7f643620a04c", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://tddshht.com/chkds.dll']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--7692082b-14fe-485b-8487-728f4fe8f8ac", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://nefosferta.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--928dfc85-c38b-4f82-9a58-d47b9e29be9a", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://185.55.243.110/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--063df29e-e9fa-4bb5-a1fc-fe2e9ca83a34", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://gbpooolfhbrb.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network 
activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--cb9846d6-b2e9-461f-a0bf-e0bc55ac1e1e", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://88.214.27.100/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--e8f8e323-1683-4856-a920-e7be3fe0ab4f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://hiperfdhaus.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--5e0606eb-e1a3-472b-accc-e49c4ff21001", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://88.214.27.101/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--facdbd3a-aef1-451b-a596-8b47bcfcdfa4", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[url:value = 'http://jirostrogud.com/gate.php']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network 
activity"}], "labels": ["misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6b167def-15d7-42ef-96f3-53fadababfd4", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.227.253.102']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--fc96d051-319b-403e-b3b4-6d62244e8c00", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.214.27.101']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--291dd35d-3350-4f60-b2db-956b1d3d0cee", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.214.27.100']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--7efdc4b2-5b2a-4310-a8f9-501f55fd8b06", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": 
"2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.60.150.53']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--07747cd3-f15b-4681-a38e-26553ad25d8d", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2022-12-08T12:33:35.000Z", "modified": "2022-12-08T12:33:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.60.150.34']", "valid_from": "2022-12-08T12:33:35Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "malware", "id": "malware--0df52c23-690b-4703-83f7-5befc38ab376", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Silence", "description": "Malware galaxy based on Malpedia archive. | ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "malpedia"}], "labels": ["misp:galaxy-name=\"Malpedia\"", "misp:galaxy-type=\"malpedia\"", "misp-galaxy:malpedia=\"Silence\""]}, {"type": "threat-actor", "id": "threat-actor--0d5e17fd-7a71-47fd-b4bc-867cdb833726", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Silence group", "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. | a relatively new threat actor that\u2019s been operating since mid-2016\nGroup-IB has exposed the attacks committed by Silence cybercriminal group. 
While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.", "aliases": ["Silence", "WHISPER SPIDER"], "labels": ["misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"", "misp-galaxy:threat-actor=\"Silence group\""]}, {"type": "threat-actor", "id": "threat-actor--03c80674-35f8-4fe0-be2b-226ed0fcd69f", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "TA505", "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. | TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. 
Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.", "aliases": ["SectorJ04 Group", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "ATK103"], "labels": ["misp:galaxy-name=\"Threat Actor\"", "misp:galaxy-type=\"threat-actor\"", "misp-galaxy:threat-actor=\"TA505\""]}, {"type": "malware", "id": "malware--cad3ba95-8c89-4146-ab10-08daa813f9de", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Clop - S0611", "description": "Name of ATT&CK software | [Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", "misp-galaxy:mitre-malware=\"Clop - S0611\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0611"}]}, {"type": "malware", "id": "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "FlawedGrace - S0383", "description": "Name of ATT&CK software | [FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", 
"misp-galaxy:mitre-malware=\"FlawedGrace - S0383\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0383"}]}, {"type": "malware", "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Cobalt Strike - S0154", "description": "Name of ATT&CK software | [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-malware"}], "labels": ["misp:galaxy-name=\"Malware\"", "misp:galaxy-type=\"mitre-malware\"", "misp-galaxy:mitre-malware=\"Cobalt Strike - S0154\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0154"}]}, {"type": "attack-pattern", "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Obfuscated Files or Information - T1027", "description": "ATT&CK Tactic | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. 
\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-267"}]}, {"type": "attack-pattern", "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", "created": "2022-12-08T13:06:35.000Z", "modified": "2022-12-08T13:06:35.000Z", "name": "Debugger Evasion - T1622", "description": "ATT&CK Tactic | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). 
Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1622"}]}, {"type": "marking-definition", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "white"}}]}
diff --git a/2022/12/breaking_the_silence_truebot_activity.txt b/2022/12/breaking_the_silence_truebot_activity.txt
index f20f97a..4fbe18a 100644
--- a/2022/12/breaking_the_silence_truebot_activity.txt
+++ b/2022/12/breaking_the_silence_truebot_activity.txt
@@ -27,7 +27,7 @@
 hxxp://tddshht[.]com/chkds.dll
 Truebot C2 addresses:
 hxxp://nefosferta.com/gate.php
-hxxp://185[.]55.[.]243[.]110/gate.php
+hxxp://185[.]55[.]243[.]110/gate.php
 hxxp://gbpooolfhbrb[.]com/gate.php
 hxxp://88[.]214[.]27[.]100/gate.php
 hxxp://hiperfdhaus.com/gate.php
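Review bot: Two entries in the same C2 list, `hxxp://nefosferta.com/gate.php` and `hxxp://hiperfdhaus.com/gate.php`, still carry bare dots while every other host in the hunk is defanged with `[.]`, so the corrected 185[.]55[.]243[.]110 line leaves the list on two conventions. Defanging only the scheme is a half measure for an IoC file: the bare domains stay auto-linkable in viewers and easy to paste into a live browser or resolver by accident. Rewriting them as `hxxp://nefosferta[.]com/gate.php` and `hxxp://hiperfdhaus[.]com/gate.php` would make the whole list consistent; the surrounding IoC list continues outside the hunk and may hold the same inconsistency.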