diff --git a/packages/ti_abusech/_dev/build/docs/README.md b/packages/ti_abusech/_dev/build/docs/README.md index e5222c06060..00b7289e26c 100644 --- a/packages/ti_abusech/_dev/build/docs/README.md +++ b/packages/ti_abusech/_dev/build/docs/README.md @@ -20,4 +20,8 @@ The AbuseCH malware data_stream retrieves threat intelligence indicators from th The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`. -{{fields "malwarebazaar"}} \ No newline at end of file +{{fields "malwarebazaar"}} + +The AbuseCH threatfox data_stream retrieves threat intelligence indicators from the Threat Fox API endpoint `https://threatfox-api.abuse.ch/api/v1/`. + +{{fields "threatfox"}} \ No newline at end of file diff --git a/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml b/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml index be9907f0bfe..2c62b3fe380 100644 --- a/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml +++ b/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml @@ -1,7 +1,7 @@ version: "2.3" services: abusech: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.7.0 ports: - 8080 volumes: @@ -12,3 +12,15 @@ services: - http-server - --addr=:8080 - --config=/files/config.yml + abusech-threatfox: + image: docker.elastic.co/observability/stream:v0.7.0 + ports: + - 8081 + volumes: + - ./files:/files:ro + environment: + PORT: 8081 + command: + - http-server + - --addr=:8081 + - --config=/files/config-threatfox.yml diff --git a/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml b/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml new file mode 100644 index 00000000000..449d1ff47e1 --- /dev/null +++ b/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml @@ -0,0 +1,17 @@ +rules: + - path: /api/v1/ + methods: ["POST"] + request_headers: + Content-Type: "application/json" + body: + query: "get_iocs" + responses: + - status_code: 200 + body: |- + { + "query_status": "ok", + "data": [ + {"id":"841537","ioc":"wizzy.hopto.org","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"domain","ioc_type_desc":"Domain that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 19:43:08 UTC","last_seen":null,"reference":"https://tria.ge/220805-w57pxsgae2","reporter":"AndreGironda","tags":["asyncrat"]}, + {"id":"839586","ioc":"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha1_hash","ioc_type_desc":"SHA1 hash of a malware sample (payload)","malware":"win.vidar","malware_printable":"Vidar","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar","confidence_level":75,"first_seen":"2022-07-25 22:27:09 UTC","last_seen":null,"reference":"","reporter":"crep1x","tags":["Vidar"]} + ] + } diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index ad725f1474c..2be9b38d16d 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Add Threat Fox datastream + type: enhancement + link: https://github.com/elastic/integrations/pull/3962 - version: "1.6.0" changes: - description: Update package to ECS 8.4.0 diff --git a/packages/ti_abusech/data_stream/malware/sample_event.json b/packages/ti_abusech/data_stream/malware/sample_event.json index 9b1f6ac7097..f54999bff80 100644 --- a/packages/ti_abusech/data_stream/malware/sample_event.json +++ b/packages/ti_abusech/data_stream/malware/sample_event.json @@ -1,14 +1,14 @@ { - "@timestamp": "2022-04-11T08:43:51.252Z", + "@timestamp": "2022-08-06T00:06:27.079Z", "abusech": { "malware": {} }, "agent": { - "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "1760e1ca-6974-4a32-80c6-0e7e58a6d573", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.malware", @@ -16,19 +16,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:43:51.252Z", + "created": "2022-08-06T00:06:27.079Z", "dataset": "ti_abusech.malware", - "ingested": "2022-04-11T08:43:52Z", + "ingested": "2022-08-06T00:06:30Z", "kind": "enrichment", "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}", "type": "indicator" diff --git a/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json index 0403fcfacc0..e58965abca4 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json +++ b/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json @@ -1,5 +1,5 @@ { - "@timestamp": "2022-04-11T08:44:21.828Z", + "@timestamp": "2022-08-06T00:08:33.562Z", "abusech": { "malwarebazaar": { "anonymous": 0, @@ -15,11 +15,11 @@ } }, "agent": { - "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "7d65c47e-ccda-4f97-9896-6118ffb92a61", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.malwarebazaar", @@ -27,19 +27,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:44:21.828Z", + "created": "2022-08-06T00:08:33.562Z", "dataset": "ti_abusech.malwarebazaar", - "ingested": "2022-04-11T08:44:22Z", + "ingested": "2022-08-06T00:08:36Z", "kind": "enrichment", "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}", "type": "indicator" diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log new file mode 100644 index 00000000000..e9b18540989 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log @@ -0,0 +1,75 @@ +{"id":"841508","ioc":"2a02:cf40:1::5:40669","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:40:15 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841507","ioc":"http://malaikahlowry33.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 11:36:10 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]} +{"id":"841506","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:25:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841505","ioc":"81.2.69.142:8808","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:13 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]} +{"id":"841504","ioc":"81.2.69.142:6606","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]} +{"id":"841503","ioc":"81.2.69.142:7707","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 11:05:33 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["asyncrat","RAT"]} +{"id":"841502","ioc":"81.2.69.142:38241","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"elf.mirai","malware_printable":"Mirai","malware_alias":"Katana","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai","confidence_level":75,"first_seen":"2022-08-05 10:40:07 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/","reporter":"abuse_ch","tags":["Mirai"]} +{"id":"841501","ioc":"81.2.69.142:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 10:35:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841500","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:53 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841499","ioc":"http://72.11.148.153/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:52 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841498","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841497","ioc":"http://104.21.75.114/cx","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:45 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841496","ioc":"http://172.67.222.204/ca","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:44 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841495","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841494","ioc":"https://62.182.86.225/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841493","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:40 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","SERVER4-AS"]} +{"id":"841491","ioc":"https://muwokok.com/us","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]} +{"id":"841492","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]} +{"id":"841490","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841489","ioc":"https://39.105.193.50/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841488","ioc":"http://hasanhaberlerdengelenlerden.co.vu/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:31 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841487","ioc":"http://where9smym8nd.com","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:30 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841486","ioc":"http://nothingandnothin31.com","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:27 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841485","ioc":"http://baggshdyfsdp.shop","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:25 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841484","ioc":"http://152.228.162.150","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:23 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841483","ioc":"http://5.161.62.171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:20 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841482","ioc":"http://45.83.122.2","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:02 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841481","ioc":"http://50.17.77.39:4444/fwlink","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["AMAZON-AES","CobaltStrike"]} +{"id":"841480","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:19 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841479","ioc":"http://1.13.248.119/articles/189948/text.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841478","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:07 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841477","ioc":"http://47.104.88.25/IE9CompatViewList.xml","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:06 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841476","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:58 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} +{"id":"841475","ioc":"https://45.79.127.214/j.ad","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:57 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} +{"id":"841474","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841473","ioc":"http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841472","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841471","ioc":"https://39.101.184.39/visit.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841470","ioc":"http://lexdavid22.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 10:13:36 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]} +{"id":"841469","ioc":"81.2.69.142:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.limerat","malware_printable":"LimeRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat","confidence_level":100,"first_seen":"2022-08-05 10:10:26 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["LimeRAT","RAT"]} +{"id":"841468","ioc":"81.2.69.142:7171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 10:10:23 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841467","ioc":"81.2.69.142:21330","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 09:55:22 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841466","ioc":"81.2.69.142:22027","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 09:35:25 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841465","ioc":"81.2.69.142:3398","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.remcos","malware_printable":"Remcos","malware_alias":"RemcosRAT,Remvio,Socmer","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos","confidence_level":75,"first_seen":"2022-08-05 09:35:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/","reporter":"abuse_ch","tags":["remcos"]} +{"id":"841464","ioc":"ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.woody","malware_printable":"woody","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.woody","confidence_level":50,"first_seen":"2022-08-05 09:04:23 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555479791821791232","reporter":"Virus_Deck","tags":null} +{"id":"841463","ioc":"81.2.69.142:35565","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 08:30:21 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841462","ioc":"http://124.221.206.154:1443/submit.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":75,"first_seen":"2022-08-05 07:55:06 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/","reporter":"abuse_ch","tags":["CobaltStrike"]} +{"id":"841461","ioc":"81.2.69.142:5050","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 07:35:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841460","ioc":"c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"osx.xloader","malware_printable":"Xloader","malware_alias":"Formbook","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader","confidence_level":50,"first_seen":"2022-08-05 07:04:11 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555445680797270016","reporter":"Virus_Deck","tags":null} +{"id":"841459","ioc":"81.2.69.142:14009","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:40:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841458","ioc":"http://115.55.81.211:33294/Mozi.m","threat_type":"payload_delivery","threat_type_desc":"Indicator that identifies a malware distribution server (payload delivery)","ioc_type":"url","ioc_type_desc":"URL that delivers a malware payload","malware":"elf.mozi","malware_printable":"Mozi","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi","confidence_level":50,"first_seen":"2022-08-05 06:40:03 UTC","last_seen":null,"reference":null,"reporter":"sicehice","tags":null} +{"id":"841457","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:30:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841456","ioc":"81.2.69.142:46278","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:25:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841455","ioc":"http://213.170.133.189/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.recordbreaker","malware_printable":"RecordBreaker","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker","confidence_level":100,"first_seen":"2022-08-05 06:20:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["recordbreaker"]} +{"id":"841454","ioc":"a695ab311e3449cacf5a2611dffac5bd","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"md5_hash","ioc_type_desc":"MD5 hash of a malware sample (payload)","malware":"win.kutaki","malware_printable":"Kutaki","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki","confidence_level":50,"first_seen":"2022-08-05 06:16:32 UTC","last_seen":null,"reference":"https://twitter.com/pollo290987/status/1555437557298651136","reporter":"Virus_Deck","tags":null} +{"id":"841453","ioc":"7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:21 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841452","ioc":"b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:19 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841451","ioc":"0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:18 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841450","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} +{"id":"841449","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841448","ioc":"https://119.45.94.71/activity","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:29 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841447","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} +{"id":"841446","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} +{"id":"841445","ioc":"http://20.239.66.2/match","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:13 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} +{"id":"841444","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:34 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841443","ioc":"https://43.155.60.197/dot.gif","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841441","ioc":"http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841442","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841440","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:11 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841439","ioc":"http://43.138.129.56/cm","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841438","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841437","ioc":"https://194.87.216.182/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:35 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841436","ioc":"https://77.91.102.151/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841537","ioc":"wizzy.hopto.org","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"domain","ioc_type_desc":"Domain that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 19:43:08 UTC","last_seen":null,"reference":"https://tria.ge/220805-w57pxsgae2","reporter":"AndreGironda","tags":["asyncrat"]} +{"id":"839586","ioc":"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha1_hash","ioc_type_desc":"SHA1 hash of a malware sample (payload)","malware":"win.vidar","malware_printable":"Vidar","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar","confidence_level":75,"first_seen":"2022-07-25 22:27:09 UTC","last_seen":null,"reference":"","reporter":"crep1x","tags":["Vidar"]} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json new file mode 100644 index 00000000000..12b135c5216 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json @@ -0,0 +1,3566 @@ +{ + "expected": [ + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841508", + "kind": "enrichment", + "original": "{\"id\":\"841508\",\"ioc\":\"2a02:cf40:1::5:40669\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:40:15 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:40:15.000Z", + "ip": "2a02:cf40:1::5", + "port": 40669, + "provider": "abuse_ch", + "type": "ipv6-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.hydra", + "tags": [ + "apk", + "Hydra" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841507", + "kind": "enrichment", + "original": "{\"id\":\"841507\",\"ioc\":\"http://malaikahlowry33.top\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.hydra\",\"malware_printable\":\"Hydra\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 11:36:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"apk\",\"Hydra\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:36:10.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "malaikahlowry33.top", + "original": "http://malaikahlowry33.top", + "path": "", + "scheme": "http" + } + }, + "software": { + "name": "Hydra", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841506", + "kind": "enrichment", + "original": "{\"id\":\"841506\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:25:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:25:24.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841505", + "kind": "enrichment", + "original": "{\"id\":\"841505\",\"ioc\":\"81.2.69.142:8808\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:13 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:10:13.000Z", + "ip": "81.2.69.142", + "port": 8808, + "provider": "abuse_ch", + "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", + "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841504", + "kind": "enrichment", + "original": "{\"id\":\"841504\",\"ioc\":\"81.2.69.142:6606\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:10:12.000Z", + "ip": "81.2.69.142", + "port": 6606, + "provider": "abuse_ch", + "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", + "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.asyncrat", + "tags": [ + "asyncrat", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841503", + "kind": "enrichment", + "original": "{\"id\":\"841503\",\"ioc\":\"81.2.69.142:7707\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:05:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T11:05:33.000Z", + "ip": "81.2.69.142", + "port": 7707, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "elf.mirai", + "tags": [ + "Mirai" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841502", + "kind": "enrichment", + "original": "{\"id\":\"841502\",\"ioc\":\"81.2.69.142:38241\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"elf.mirai\",\"malware_printable\":\"Mirai\",\"malware_alias\":\"Katana\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 10:40:07 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/\",\"reporter\":\"abuse_ch\",\"tags\":[\"Mirai\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:40:07.000Z", + "ip": "81.2.69.142", + "port": 38241, + "provider": "abuse_ch", + "reference": "https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Katana" + ], + "name": "Mirai", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.njrat", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841501", + "kind": "enrichment", + "original": "{\"id\":\"841501\",\"ioc\":\"81.2.69.142:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:35:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:35:24.000Z", + "ip": "81.2.69.142", + "port": 5552, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Bladabindi" + ], + "name": "NjRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841500", + "kind": "enrichment", + "original": "{\"id\":\"841500\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:53 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:28:53.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841499", + "kind": "enrichment", + "original": "{\"id\":\"841499\",\"ioc\":\"http://72.11.148.153/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:52 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:28:52.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "72.11.148.153", + "extension": "js", + "original": "http://72.11.148.153/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841498", + "kind": "enrichment", + "original": "{\"id\":\"841498\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:25:47.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841497", + "kind": "enrichment", + "original": "{\"id\":\"841497\",\"ioc\":\"http://104.21.75.114/cx\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:45 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:25:45.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "104.21.75.114", + "original": "http://104.21.75.114/cx", + "path": "/cx", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841496", + "kind": "enrichment", + "original": "{\"id\":\"841496\",\"ioc\":\"http://172.67.222.204/ca\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:44 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:25:44.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "172.67.222.204", + "original": "http://172.67.222.204/ca", + "path": "/ca", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841495", + "kind": "enrichment", + "original": "{\"id\":\"841495\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:24:47.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841494", + "kind": "enrichment", + "original": "{\"id\":\"841494\",\"ioc\":\"https://62.182.86.225/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:46 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:24:46.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "62.182.86.225", + "extension": "js", + "original": "https://62.182.86.225/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "SERVER4-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841493", + "kind": "enrichment", + "original": "{\"id\":\"841493\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:40 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"SERVER4-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:24:40.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "Digital Energy Technologies Ltd." + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841491", + "kind": "enrichment", + "original": "{\"id\":\"841491\",\"ioc\":\"https://muwokok.com/us\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:24:31.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "muwokok.com", + "original": "https://muwokok.com/us", + "path": "/us", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "Digital Energy Technologies Ltd." + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841492", + "kind": "enrichment", + "original": "{\"id\":\"841492\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:24:31.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841490", + "kind": "enrichment", + "original": "{\"id\":\"841490\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:23:31.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841489", + "kind": "enrichment", + "original": "{\"id\":\"841489\",\"ioc\":\"https://39.105.193.50/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:23:30.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "39.105.193.50", + "extension": "js", + "original": "https://39.105.193.50/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841488", + "kind": "enrichment", + "original": "{\"id\":\"841488\",\"ioc\":\"http://hasanhaberlerdengelenlerden.co.vu/\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:31.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "hasanhaberlerdengelenlerden.co.vu", + "original": "http://hasanhaberlerdengelenlerden.co.vu/", + "path": "/", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841487", + "kind": "enrichment", + "original": "{\"id\":\"841487\",\"ioc\":\"http://where9smym8nd.com\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:30.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "where9smym8nd.com", + "original": "http://where9smym8nd.com", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841486", + "kind": "enrichment", + "original": "{\"id\":\"841486\",\"ioc\":\"http://nothingandnothin31.com\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:27 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:27.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "nothingandnothin31.com", + "original": "http://nothingandnothin31.com", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841485", + "kind": "enrichment", + "original": "{\"id\":\"841485\",\"ioc\":\"http://baggshdyfsdp.shop\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:25.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "baggshdyfsdp.shop", + "original": "http://baggshdyfsdp.shop", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841484", + "kind": "enrichment", + "original": "{\"id\":\"841484\",\"ioc\":\"http://152.228.162.150\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:23 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:23.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "152.228.162.150", + "original": "http://152.228.162.150", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841483", + "kind": "enrichment", + "original": "{\"id\":\"841483\",\"ioc\":\"http://5.161.62.171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:20 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:20.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "5.161.62.171", + "original": "http://5.161.62.171", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.alien", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841482", + "kind": "enrichment", + "original": "{\"id\":\"841482\",\"ioc\":\"http://45.83.122.2\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:02 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:21:02.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "45.83.122.2", + "original": "http://45.83.122.2", + "path": "", + "scheme": "http" + } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "AMAZON-AES", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841481", + "kind": "enrichment", + "original": "{\"id\":\"841481\",\"ioc\":\"http://50.17.77.39:4444/fwlink\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"AMAZON-AES\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:17:36.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "50.17.77.39", + "original": "http://50.17.77.39:4444/fwlink", + "path": "/fwlink", + "port": 4444, + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841480", + "kind": "enrichment", + "original": "{\"id\":\"841480\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:19 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:17:19.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841479", + "kind": "enrichment", + "original": "{\"id\":\"841479\",\"ioc\":\"http://1.13.248.119/articles/189948/text.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:17:18.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "1.13.248.119", + "extension": "php", + "original": "http://1.13.248.119/articles/189948/text.php", + "path": "/articles/189948/text.php", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841478", + "kind": "enrichment", + "original": "{\"id\":\"841478\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:07 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:17:07.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841477", + "kind": "enrichment", + "original": "{\"id\":\"841477\",\"ioc\":\"http://47.104.88.25/IE9CompatViewList.xml\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:06 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:17:06.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "47.104.88.25", + "extension": "xml", + "original": "http://47.104.88.25/IE9CompatViewList.xml", + "path": "/IE9CompatViewList.xml", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "LINODE-AP Linode LLC" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841476", + "kind": "enrichment", + "original": "{\"id\":\"841476\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:58 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:16:58.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "LINODE-AP Linode LLC" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841475", + "kind": "enrichment", + "original": "{\"id\":\"841475\",\"ioc\":\"https://45.79.127.214/j.ad\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:57 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:16:57.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "45.79.127.214", + "extension": "ad", + "original": "https://45.79.127.214/j.ad", + "path": "/j.ad", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841474", + "kind": "enrichment", + "original": "{\"id\":\"841474\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:16:14.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841473", + "kind": "enrichment", + "original": "{\"id\":\"841473\",\"ioc\":\"http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:16:10.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "service-akilm85g-1311240945.gz.apigw.tencentcs.com", + "original": "http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x", + "path": "/api/x", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841472", + "kind": "enrichment", + "original": "{\"id\":\"841472\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:15:47.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841471", + "kind": "enrichment", + "original": "{\"id\":\"841471\",\"ioc\":\"https://39.101.184.39/visit.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:46 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:15:46.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "39.101.184.39", + "extension": "js", + "original": "https://39.101.184.39/visit.js", + "path": "/visit.js", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "malware": "apk.hydra", + "tags": [ + "apk", + "Hydra" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841470", + "kind": "enrichment", + "original": "{\"id\":\"841470\",\"ioc\":\"http://lexdavid22.top\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.hydra\",\"malware_printable\":\"Hydra\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:13:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"apk\",\"Hydra\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:13:36.000Z", + "provider": "myonium1", + "type": "url", + "url": { + "domain": "lexdavid22.top", + "original": "http://lexdavid22.top", + "path": "", + "scheme": "http" + } + }, + "software": { + "name": "Hydra", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.limerat", + "tags": [ + "LimeRAT", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841469", + "kind": "enrichment", + "original": "{\"id\":\"841469\",\"ioc\":\"81.2.69.142:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.limerat\",\"malware_printable\":\"LimeRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:26 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"LimeRAT\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:10:26.000Z", + "ip": "81.2.69.142", + "port": 5552, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "LimeRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.nanocore", + "tags": [ + "NanoCore", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841468", + "kind": "enrichment", + "original": "{\"id\":\"841468\",\"ioc\":\"81.2.69.142:7171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:23 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T10:10:23.000Z", + "ip": "81.2.69.142", + "port": 7171, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Nancrat", + "NanoCore" + ], + "name": "Nanocore RAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841467", + "kind": "enrichment", + "original": "{\"id\":\"841467\",\"ioc\":\"81.2.69.142:21330\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:55:22 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T09:55:22.000Z", + "ip": "81.2.69.142", + "port": 21330, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.nanocore", + "tags": [ + "NanoCore", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841466", + "kind": "enrichment", + "original": "{\"id\":\"841466\",\"ioc\":\"81.2.69.142:22027\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:35:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T09:35:25.000Z", + "ip": "81.2.69.142", + "port": 22027, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Nancrat", + "NanoCore" + ], + "name": "Nanocore RAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.remcos", + "tags": [ + "remcos" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841465", + "kind": "enrichment", + "original": "{\"id\":\"841465\",\"ioc\":\"81.2.69.142:3398\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.remcos\",\"malware_printable\":\"Remcos\",\"malware_alias\":\"RemcosRAT,Remvio,Socmer\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 09:35:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/\",\"reporter\":\"abuse_ch\",\"tags\":[\"remcos\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T09:35:12.000Z", + "ip": "81.2.69.142", + "port": 3398, + "provider": "abuse_ch", + "reference": "https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "RemcosRAT", + "Remvio", + "Socmer" + ], + "name": "Remcos", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "win.woody", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841464", + "kind": "enrichment", + "original": "{\"id\":\"841464\",\"ioc\":\"ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.woody\",\"malware_printable\":\"woody\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.woody\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 09:04:23 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/JAMESWT_MHT/status/1555479791821791232\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb" + } + }, + "first_seen": "2022-08-05T09:04:23.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/JAMESWT_MHT/status/1555479791821791232", + "type": "file" + }, + "software": { + "name": "woody", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.njrat", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841463", + "kind": "enrichment", + "original": "{\"id\":\"841463\",\"ioc\":\"81.2.69.142:35565\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 08:30:21 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T08:30:21.000Z", + "ip": "81.2.69.142", + "port": 35565, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Bladabindi" + ], + "name": "NjRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841462", + "kind": "enrichment", + "original": "{\"id\":\"841462\",\"ioc\":\"http://124.221.206.154:1443/submit.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 07:55:06 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/\",\"reporter\":\"abuse_ch\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T07:55:06.000Z", + "provider": "abuse_ch", + "reference": "https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/", + "type": "url", + "url": { + "domain": "124.221.206.154", + "extension": "php", + "original": "http://124.221.206.154:1443/submit.php", + "path": "/submit.php", + "port": 1443, + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.njrat", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841461", + "kind": "enrichment", + "original": "{\"id\":\"841461\",\"ioc\":\"81.2.69.142:5050\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 07:35:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T07:35:17.000Z", + "ip": "81.2.69.142", + "port": 5050, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Bladabindi" + ], + "name": "NjRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "osx.xloader", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841460", + "kind": "enrichment", + "original": "{\"id\":\"841460\",\"ioc\":\"c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"osx.xloader\",\"malware_printable\":\"Xloader\",\"malware_alias\":\"Formbook\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 07:04:11 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/JAMESWT_MHT/status/1555445680797270016\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a" + } + }, + "first_seen": "2022-08-05T07:04:11.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/JAMESWT_MHT/status/1555445680797270016", + "type": "file" + }, + "software": { + "alias": [ + "Formbook" + ], + "name": "Xloader", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841459", + "kind": "enrichment", + "original": "{\"id\":\"841459\",\"ioc\":\"81.2.69.142:14009\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:40:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T06:40:18.000Z", + "ip": "81.2.69.142", + "port": 14009, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "elf.mozi", + "threat_type": "payload_delivery", + "threat_type_desc": "Indicator that identifies a malware distribution server (payload delivery)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841458", + "kind": "enrichment", + "original": "{\"id\":\"841458\",\"ioc\":\"http://115.55.81.211:33294/Mozi.m\",\"threat_type\":\"payload_delivery\",\"threat_type_desc\":\"Indicator that identifies a malware distribution server (payload delivery)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that delivers a malware payload\",\"malware\":\"elf.mozi\",\"malware_printable\":\"Mozi\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 06:40:03 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"sicehice\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "URL that delivers a malware payload", + "first_seen": "2022-08-05T06:40:03.000Z", + "provider": "sicehice", + "type": "url", + "url": { + "domain": "115.55.81.211", + "extension": "m", + "original": "http://115.55.81.211:33294/Mozi.m", + "path": "/Mozi.m", + "port": 33294, + "scheme": "http" + } + }, + "software": { + "name": "Mozi", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841457", + "kind": "enrichment", + "original": "{\"id\":\"841457\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:30:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T06:30:17.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.redline_stealer", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841456", + "kind": "enrichment", + "original": "{\"id\":\"841456\",\"ioc\":\"81.2.69.142:46278\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:25:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T06:25:18.000Z", + "ip": "81.2.69.142", + "port": 46278, + "provider": "abuse_ch", + "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.recordbreaker", + "tags": [ + "recordbreaker" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841455", + "kind": "enrichment", + "original": "{\"id\":\"841455\",\"ioc\":\"http://213.170.133.189/\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.recordbreaker\",\"malware_printable\":\"RecordBreaker\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:20:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"recordbreaker\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T06:20:17.000Z", + "provider": "abuse_ch", + "type": "url", + "url": { + "domain": "213.170.133.189", + "original": "http://213.170.133.189/", + "path": "/", + "scheme": "http" + } + }, + "software": { + "name": "RecordBreaker", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "win.kutaki", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841454", + "kind": "enrichment", + "original": "{\"id\":\"841454\",\"ioc\":\"a695ab311e3449cacf5a2611dffac5bd\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"md5_hash\",\"ioc_type_desc\":\"MD5 hash of a malware sample (payload)\",\"malware\":\"win.kutaki\",\"malware_printable\":\"Kutaki\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 06:16:32 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/pollo290987/status/1555437557298651136\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "MD5 hash of a malware sample (payload)", + "file": { + "hash": { + "md5": "a695ab311e3449cacf5a2611dffac5bd" + } + }, + "first_seen": "2022-08-05T06:16:32.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/pollo290987/status/1555437557298651136", + "type": "file" + }, + "software": { + "name": "Kutaki", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "win.isfb", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841453", + "kind": "enrichment", + "original": "{\"id\":\"841453\",\"ioc\":\"7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:21 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59" + } + }, + "first_seen": "2022-08-05T05:25:21.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "win.isfb", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841452", + "kind": "enrichment", + "original": "{\"id\":\"841452\",\"ioc\":\"b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:19 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86" + } + }, + "first_seen": "2022-08-05T05:25:19.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "malware": "win.isfb", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841451", + "kind": "enrichment", + "original": "{\"id\":\"841451\",\"ioc\":\"0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:18 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff" + } + }, + "first_seen": "2022-08-05T05:25:18.000Z", + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "GIR-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841450", + "kind": "enrichment", + "original": "{\"id\":\"841450\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:26:51.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841449", + "kind": "enrichment", + "original": "{\"id\":\"841449\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:26:30.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841448", + "kind": "enrichment", + "original": "{\"id\":\"841448\",\"ioc\":\"https://119.45.94.71/activity\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:29 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:26:29.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "119.45.94.71", + "original": "https://119.45.94.71/activity", + "path": "/activity", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "GIR-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841447", + "kind": "enrichment", + "original": "{\"id\":\"841447\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:25:51.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "MICROSOFT-CORP-MSN-AS-BLOCK" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841446", + "kind": "enrichment", + "original": "{\"id\":\"841446\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:25:14.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "MICROSOFT-CORP-MSN-AS-BLOCK" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841445", + "kind": "enrichment", + "original": "{\"id\":\"841445\",\"ioc\":\"http://20.239.66.2/match\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:13 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:25:13.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "20.239.66.2", + "original": "http://20.239.66.2/match", + "path": "/match", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841444", + "kind": "enrichment", + "original": "{\"id\":\"841444\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:34 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:34.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841443", + "kind": "enrichment", + "original": "{\"id\":\"841443\",\"ioc\":\"https://43.155.60.197/dot.gif\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:33.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "43.155.60.197", + "extension": "gif", + "original": "https://43.155.60.197/dot.gif", + "path": "/dot.gif", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841441", + "kind": "enrichment", + "original": "{\"id\":\"841441\",\"ioc\":\"http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:18.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "service-da5heloj-1312757872.sh.apigw.tencentcs.com", + "extension": "php", + "original": "http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php", + "path": "/include/template/isx.php", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841442", + "kind": "enrichment", + "original": "{\"id\":\"841442\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:18.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841440", + "kind": "enrichment", + "original": "{\"id\":\"841440\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:11 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:11.000Z", + "ip": "81.2.69.142", + "port": 80, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841439", + "kind": "enrichment", + "original": "{\"id\":\"841439\",\"ioc\":\"http://43.138.129.56/cm\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:24:10.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "43.138.129.56", + "original": "http://43.138.129.56/cm", + "path": "/cm", + "scheme": "http" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841438", + "kind": "enrichment", + "original": "{\"id\":\"841438\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:23:36.000Z", + "ip": "81.2.69.142", + "port": 443, + "provider": "drb_ra", + "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841437", + "kind": "enrichment", + "original": "{\"id\":\"841437\",\"ioc\":\"https://194.87.216.182/push\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:35 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:23:35.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "194.87.216.182", + "original": "https://194.87.216.182/push", + "path": "/push", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.cobalt_strike", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841436", + "kind": "enrichment", + "original": "{\"id\":\"841436\",\"ioc\":\"https://77.91.102.151/push\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T03:23:33.000Z", + "provider": "drb_ra", + "type": "url", + "url": { + "domain": "77.91.102.151", + "original": "https://77.91.102.151/push", + "path": "/push", + "scheme": "https" + } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841537", + "kind": "enrichment", + "original": "{\"id\":\"841537\",\"ioc\":\"wizzy.hopto.org\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"domain\",\"ioc_type_desc\":\"Domain that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 19:43:08 UTC\",\"last_seen\":null,\"reference\":\"https://tria.ge/220805-w57pxsgae2\",\"reporter\":\"AndreGironda\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Domain that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T19:43:08.000Z", + "provider": "AndreGironda", + "reference": "https://tria.ge/220805-w57pxsgae2", + "type": "domain-name", + "url": { + "domain": "wizzy.hopto.org" + } + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.vidar", + "tags": [ + "Vidar" + ], + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "839586", + "kind": "enrichment", + "original": "{\"id\":\"839586\",\"ioc\":\"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha1_hash\",\"ioc_type_desc\":\"SHA1 hash of a malware sample (payload)\",\"malware\":\"win.vidar\",\"malware_printable\":\"Vidar\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar\",\"confidence_level\":75,\"first_seen\":\"2022-07-25 22:27:09 UTC\",\"last_seen\":null,\"reference\":\"\",\"reporter\":\"crep1x\",\"tags\":[\"Vidar\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "SHA1 hash of a malware sample (payload)", + "file": { + "hash": { + "sha1": "872ff530d50579ae6bdc7cb4d658324b1d0e7a3e" + } + }, + "first_seen": "2022-07-25T22:27:09.000Z", + "provider": "crep1x", + "reference": "", + "type": "file" + }, + "software": { + "name": "Vidar", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..ad23868ccd7 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml @@ -0,0 +1,6 @@ +input: httpjson +service: abusech-threatfox +data_stream: + vars: + url: http://{{Hostname}}:{{Port}}/api/v1/ + preserve_original_event: true diff --git a/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..61e9d4e88a2 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs @@ -0,0 +1,49 @@ +config_version: "2" +interval: {{interval}} +request.method: "POST" + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: +- set: + target: header.Content-Type + value: application/json +- set: + target: body.query + value: "get_iocs" +- set: + target: body.days + value: '[[.cursor.days]]' + default: '{{initial_interval}}' + +response.split: + target: body.data + +cursor: + days: + value: '1' + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..fffebbcb734 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,209 @@ +--- +description: Pipeline for parsing Abuse.ch Threat Fox Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.threatfox + - fingerprint: + fields: + - abusech.threatfox.id + - abusech.threatfox.ioc_type + target_field: "_id" + - rename: + field: abusech.threatfox.id + target_field: event.id + ignore_missing: true + + ##################### + # Threat ECS Fields # + ##################### + - date: + field: abusech.threatfox.first_seen + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.threatfox?.first_seen != null" + - date: + field: abusech.threatfox.last_seen + target_field: threat.indicator.last_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.threatfox?.last_seen != null" + - rename: + field: abusech.threatfox.ioc_type_desc + target_field: threat.indicator.description + ignore_missing: true + - rename: + field: abusech.threatfox.reporter + target_field: threat.indicator.provider + ignore_missing: true + - split: + field: abusech.threatfox.malware_alias + target_field: threat.software.alias + separator: "," + ignore_missing: true + - rename: + field: abusech.threatfox.reporter + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: abusech.threatfox.reference + target_field: threat.indicator.reference + ignore_missing: true + - rename: + field: abusech.threatfox.malware_printable + target_field: threat.software.name + ignore_missing: true + - rename: + field: abusech.threatfox.malware_malpedia + target_field: threat.software.reference + ignore_missing: true + # + # Convert confidence field (-1..100) to ECS confidence (0..10). + # + - script: + lang: painless + if: ctx.abusech?.threatfox?.confidence_level != null + description: Normalize confidence level. + source: > + def value = ctx.abusech.threatfox.confidence_level; + def confidence = "None"; + if (value > 0 && value < 30) { + confidence = "Low"; + } if (value >= 30.0 && value < 70) { + confidence = "Medium"; + } else if (value >= 70 && value <= 100) { + confidence = "High"; + } + ctx.threat.indicator.put("confidence", confidence) + ## URL/URI indicator operations + - set: + field: threat.indicator.type + value: url + if: "ctx.abusech?.threatfox?.ioc_type != null && ['url'].contains(ctx.abusech.threatfox.ioc_type)" + - uri_parts: + field: abusech.threatfox.ioc + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.abusech?.threatfox?.ioc_type == 'url' + + ## IP/Port indicator operations + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech.threatfox.ioc_type)" + - rename: + field: abusech.threatfox.ioc + target_field: threat.indicator.url.domain + ignore_missing: true + if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech.threatfox.ioc_type)" + - set: + field: threat.indicator.type + value: ipv4-addr + if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech.threatfox.ioc_type)" + - grok: + field: abusech.threatfox.ioc + patterns: + - "%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:long}" + ignore_missing: true + if: "ctx.abusech?.threatfox?.ioc_type == 'ip:port'" + - set: + field: threat.indicator.type + value: ipv6-addr + if: ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':') + + ## File/Hash indicator operations + - set: + field: threat.indicator.type + value: file + if: "ctx.abusech?.threatfox?.ioc_type != null && ['md5_hash', 'sha1_hash', 'sha256_hash'].contains(ctx.abusech.threatfox.ioc_type)" + - grok: + field: abusech.threatfox.ioc_type + patterns: + - "%{DATA:_tmp.hashtype}_hash" + ignore_missing: true + if: ctx.abusech?.threatfox?.ioc_type != null && ctx.abusech?.threatfox?.ioc_type.endsWith('_hash') + - rename: + field: abusech.threatfox.ioc + target_field: threat.indicator.file.hash.{{_tmp.hashtype}} + if: "ctx.abusech?.threatfox?.ioc_type != null && ctx.abusech.threatfox.ioc_type.endsWith('_hash') && ctx._tmp.hashtype != null" + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.threatfox.first_seen + - abusech.threatfox.last_seen + - threatintel_indicator_confidence + - abusech.threatfox.malware_alias + - abusech.threatfox.ioc_type + - abusech.threatfox.ioc + - message + - _tmp + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/data_stream/threatfox/fields/agent.yml b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml new file mode 100644 index 00000000000..da4e652c53b --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml @@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml new file mode 100644 index 00000000000..8e1145c51e5 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_abusech +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_abusech.threatfox +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: AbuseCH Threat Fox +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_abusech/data_stream/threatfox/fields/beats.yml b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml new file mode 100644 index 00000000000..cb44bb29442 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml new file mode 100644 index 00000000000..d66b56b2ed0 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml @@ -0,0 +1,84 @@ +- external: ecs + name: ecs.version +- external: ecs + name: message +- external: ecs + name: error.message +- external: ecs + name: tags +- external: ecs + name: related.hash +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.category +- external: ecs + name: event.type +- external: ecs + name: event.original +- external: ecs + name: threat.indicator.type +- external: ecs + name: event.created +- external: ecs + name: threat.indicator.first_seen +- external: ecs + name: threat.indicator.last_seen +- external: ecs + name: threat.indicator.file.size +- external: ecs + name: threat.indicator.file.type +- external: ecs + name: threat.indicator.file.name +- external: ecs + name: threat.indicator.file.extension +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.mime_type +- external: ecs + name: threat.software.alias +- external: ecs + name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.file.hash.ssdeep +- external: ecs + name: threat.indicator.file.hash.sha384 +- external: ecs + name: threat.indicator.file.hash.tlsh +- external: ecs + name: threat.indicator.file.pe.imphash +- external: ecs + name: threat.indicator.file.elf.telfhash +- external: ecs + name: threat.indicator.provider +- external: ecs + name: threat.indicator.port +- external: ecs + name: threat.indicator.ip +- external: ecs + name: threat.indicator.confidence +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.reference +- external: ecs + name: threat.indicator.url.domain +- external: ecs + name: threat.indicator.url.extension +- external: ecs + name: threat.indicator.url.original +- external: ecs + name: threat.indicator.url.path +- external: ecs + name: threat.indicator.url.port +- external: ecs + name: threat.indicator.url.scheme +- external: ecs + name: threat.software.name +- external: ecs + name: threat.software.reference diff --git a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml new file mode 100644 index 00000000000..7597989ed98 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml @@ -0,0 +1,28 @@ +- name: abusech.threatfox + type: group + description: All fields related to AbuseCH Threat Fox indicators. + fields: + - name: tags + type: keyword + description: > + A list of tags associated with the queried malware sample. + + - name: confidence_level + type: long + description: > + Confidence level between 0-100 + + - name: malware + type: keyword + description: > + The malware associated with the IOC + + - name: threat_type + type: keyword + description: > + The type of threat + + - name: threat_type_desc + type: keyword + description: >- + The threat descsription diff --git a/packages/ti_abusech/data_stream/threatfox/manifest.yml b/packages/ti_abusech/data_stream/threatfox/manifest.yml new file mode 100644 index 00000000000..3c02c79cb2f --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/manifest.yml @@ -0,0 +1,76 @@ +type: logs +title: AbuseCH Threat Fox logs +streams: + - input: httpjson + vars: + - name: url + type: text + title: AbuseCH Threat Fox API endpoint + multi: false + required: true + show_user: false + default: https://threatfox-api.abuse.ch/api/v1/ + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 24h + - name: initial_interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: "30" + description: How far back to look for indicators the first time the agent is started. Defaults to 30 days, can be any number between 1-90. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - abusech-threatfox + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: AbuseCH Threat Fox logs + description: Collect AbuseCH Threat Fox logs diff --git a/packages/ti_abusech/data_stream/threatfox/sample_event.json b/packages/ti_abusech/data_stream/threatfox/sample_event.json new file mode 100644 index 00000000000..c6744c49d51 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/sample_event.json @@ -0,0 +1,70 @@ +{ + "@timestamp": "2022-08-06T00:10:26.114Z", + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "agent": { + "ephemeral_id": "c8fde031-e301-47e0-b688-4e36b951789c", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.0" + }, + "data_stream": { + "dataset": "ti_abusech.threatfox", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", + "snapshot": false, + "version": "8.3.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-08-06T00:10:26.114Z", + "dataset": "ti_abusech.threatfox", + "id": "841537", + "ingested": "2022-08-06T00:10:29Z", + "kind": "enrichment", + "original": "{\"confidence_level\":100,\"first_seen\":\"2022-08-05 19:43:08 UTC\",\"id\":\"841537\",\"ioc\":\"wizzy.hopto.org\",\"ioc_type\":\"domain\",\"ioc_type_desc\":\"Domain that is used for botnet Command\\u0026control (C\\u0026C)\",\"last_seen\":null,\"malware\":\"win.asyncrat\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"reference\":\"https://tria.ge/220805-w57pxsgae2\",\"reporter\":\"AndreGironda\",\"tags\":[\"asyncrat\"],\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\\u0026control server (C\\u0026C)\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-threatfox" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Domain that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T19:43:08.000Z", + "provider": "AndreGironda", + "reference": "https://tria.ge/220805-w57pxsgae2", + "type": "domain-name", + "url": { + "domain": "wizzy.hopto.org" + } + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/url/sample_event.json b/packages/ti_abusech/data_stream/url/sample_event.json index 9add2167bf4..8a19bfedad6 100644 --- a/packages/ti_abusech/data_stream/url/sample_event.json +++ b/packages/ti_abusech/data_stream/url/sample_event.json @@ -1,5 +1,5 @@ { - "@timestamp": "2022-04-11T08:44:51.227Z", + "@timestamp": "2022-08-06T00:12:22.693Z", "abusech": { "url": { "blacklists": { @@ -13,11 +13,11 @@ } }, "agent": { - "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "2945b255-2667-4bac-8930-70eb987c8fef", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.url", @@ -25,19 +25,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:44:51.227Z", + "created": "2022-08-06T00:12:22.693Z", "dataset": "ti_abusech.url", - "ingested": "2022-04-11T08:44:52Z", + "ingested": "2022-08-06T00:12:26Z", "kind": "enrichment", "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}", "type": "indicator" diff --git a/packages/ti_abusech/docs/README.md b/packages/ti_abusech/docs/README.md index 25f3fc12b8f..157dd568914 100644 --- a/packages/ti_abusech/docs/README.md +++ b/packages/ti_abusech/docs/README.md @@ -260,3 +260,101 @@ The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators f | threat.indicator.provider | The name of the indicator's provider. | keyword | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | + + +The AbuseCH threatfox data_stream retrieves threat intelligence indicators from the Threat Fox API endpoint `https://threatfox-api.abuse.ch/api/v1/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.threatfox.confidence_level | Confidence level between 0-100 | long | +| abusech.threatfox.malware | The malware associated with the IOC | keyword | +| abusech.threatfox.tags | A list of tags associated with the queried malware sample. | keyword | +| abusech.threatfox.threat_type | The type of threat | keyword | +| abusech.threatfox.threat_type_desc | The threat descsription | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | TLSH hash. | keyword | +| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | +| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword | +| threat.software.reference | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. | keyword | diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index 21b904a01fa..dc1e2a46c01 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,8 +1,8 @@ name: ti_abusech title: AbuseCH -version: "1.6.0" +version: "1.7.0" release: ga -description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. +description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: 1.0.0 license: basic @@ -17,10 +17,10 @@ icons: policy_templates: - name: ti_abusech title: AbuseCH API - description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. + description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. inputs: - type: httpjson title: "Collect AbuseCH logs via API" - description: "Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent." + description: "Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent." owner: github: elastic/security-external-integrations