From f4527439177f6e7c6d81af94e9c9427e17bc7979 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Fri, 5 Aug 2022 12:17:35 +0000
Subject: [PATCH 1/7] #3949: Initial COmmit
---
.../_dev/test/pipeline/test-common-config.yml | 3 +
.../test/pipeline/test-threatfox-ndjson.log | 73 +
.../test-threatfox-ndjson.log-expected.json | 3176 +++++++++++++++++
.../_dev/test/system/test-default-config.yml | 6 +
.../threatfox/agent/stream/httpjson.yml.hbs | 49 +
.../elasticsearch/ingest_pipeline/default.yml | 136 +
.../data_stream/threatfox/fields/agent.yml | 198 +
.../threatfox/fields/base-fields.yml | 28 +
.../data_stream/threatfox/fields/beats.yml | 12 +
.../data_stream/threatfox/fields/ecs.yml | 74 +
.../data_stream/threatfox/fields/fields.yml | 8 +
.../data_stream/threatfox/manifest.yml | 76 +
packages/ti_abusech/manifest.yml | 6 +-
13 files changed, 3842 insertions(+), 3 deletions(-)
create mode 100644 packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log
create mode 100644 packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json
create mode 100644 packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs
create mode 100644 packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/fields/agent.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/fields/beats.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/fields/fields.yml
create mode 100644 packages/ti_abusech/data_stream/threatfox/manifest.yml
diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log
new file mode 100644
index 00000000000..7d3416f1505
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log
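Review bot: The new pipeline-test common config pins only the `preserve_original_event` tag and declares no `dynamic_fields`, so if the data stream's ingest pipeline (`elasticsearch/ingest_pipeline/default.yml`, added in this patch but not in view here) sets a field from `_ingest.timestamp` such as `event.ingested`, the committed expected JSON will not be reproducible between test runs. If it does, add `dynamic_fields:` with `event.ingested: ".*"` above `fields:` so the comparison masks that value. The `tags:` key under `fields:` also appears here with a single-space indent, which may be a rendering artifact of the collapsed diff; worth confirming the file uses a consistent two-space indent.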
@@ -0,0 +1,73 @@ +{"id":"841508","ioc":"45.142.122.45:40669","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:40:15 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841507","ioc":"http://malaikahlowry33.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 11:36:10 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]} +{"id":"841506","ioc":"91.203.192.233:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:25:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841505","ioc":"61.14.233.88:8808","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:13 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]} +{"id":"841504","ioc":"61.14.233.88:6606","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]} +{"id":"841503","ioc":"61.14.233.88:7707","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 11:05:33 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["asyncrat","RAT"]} +{"id":"841502","ioc":"107.182.129.240:38241","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"elf.mirai","malware_printable":"Mirai","malware_alias":"Katana","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai","confidence_level":75,"first_seen":"2022-08-05 10:40:07 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/","reporter":"abuse_ch","tags":["Mirai"]} +{"id":"841501","ioc":"78.173.184.33:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 10:35:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841500","ioc":"72.11.148.153:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:53 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841499","ioc":"http://72.11.148.153/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:52 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841498","ioc":"8.142.117.220:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841497","ioc":"http://104.21.75.114/cx","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:45 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841496","ioc":"http://172.67.222.204/ca","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:44 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841495","ioc":"62.182.86.225:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841494","ioc":"https://62.182.86.225/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841493","ioc":"194.87.216.182:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:40 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","SERVER4-AS"]} +{"id":"841491","ioc":"https://muwokok.com/us","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]} +{"id":"841492","ioc":"185.173.34.75:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]} +{"id":"841490","ioc":"39.105.193.50:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841489","ioc":"https://39.105.193.50/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841488","ioc":"http://hasanhaberlerdengelenlerden.co.vu/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:31 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841487","ioc":"http://where9smym8nd.com","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:30 
UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841486","ioc":"http://nothingandnothin31.com","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:27 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841485","ioc":"http://baggshdyfsdp.shop","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:25 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841484","ioc":"http://152.228.162.150","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:23 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841483","ioc":"http://5.161.62.171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control 
(C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:20 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841482","ioc":"http://45.83.122.2","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:02 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} +{"id":"841481","ioc":"http://50.17.77.39:4444/fwlink","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["AMAZON-AES","CobaltStrike"]} +{"id":"841480","ioc":"1.13.248.119:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:19 
UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841479","ioc":"http://1.13.248.119/articles/189948/text.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841478","ioc":"47.104.88.25:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:07 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841477","ioc":"http://47.104.88.25/IE9CompatViewList.xml","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:06 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba 
Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841476","ioc":"45.79.127.214:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:58 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} +{"id":"841475","ioc":"https://45.79.127.214/j.ad","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:57 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} +{"id":"841474","ioc":"43.154.109.176:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} 
+{"id":"841473","ioc":"http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841472","ioc":"39.101.184.39:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841471","ioc":"https://39.101.184.39/visit.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising 
Co.Ltd.","CobaltStrike"]} +{"id":"841470","ioc":"http://lexdavid22.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 10:13:36 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]} +{"id":"841469","ioc":"102.133.180.23:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.limerat","malware_printable":"LimeRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat","confidence_level":100,"first_seen":"2022-08-05 10:10:26 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["LimeRAT","RAT"]} +{"id":"841468","ioc":"79.134.225.53:7171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 10:10:23 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841467","ioc":"116.202.186.151:21330","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 09:55:22 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841466","ioc":"192.169.69.25:22027","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 09:35:25 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841465","ioc":"37.120.210.219:3398","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.remcos","malware_printable":"Remcos","malware_alias":"RemcosRAT,Remvio,Socmer","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos","confidence_level":75,"first_seen":"2022-08-05 09:35:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/","reporter":"abuse_ch","tags":["remcos"]} +{"id":"841464","ioc":"ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample 
(payload)","malware":"win.woody","malware_printable":"woody","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.woody","confidence_level":50,"first_seen":"2022-08-05 09:04:23 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555479791821791232","reporter":"Virus_Deck","tags":null} +{"id":"841463","ioc":"182.54.238.167:35565","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 08:30:21 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841462","ioc":"http://124.221.206.154:1443/submit.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":75,"first_seen":"2022-08-05 07:55:06 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/","reporter":"abuse_ch","tags":["CobaltStrike"]} +{"id":"841461","ioc":"91.109.186.4:5050","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 07:35:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841460","ioc":"c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"osx.xloader","malware_printable":"Xloader","malware_alias":"Formbook","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader","confidence_level":50,"first_seen":"2022-08-05 07:04:11 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555445680797270016","reporter":"Virus_Deck","tags":null} +{"id":"841459","ioc":"45.147.199.166:14009","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:40:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841458","ioc":"http://115.55.81.211:33294/Mozi.m","threat_type":"payload_delivery","threat_type_desc":"Indicator that identifies a malware distribution server (payload delivery)","ioc_type":"url","ioc_type_desc":"URL that delivers a malware payload","malware":"elf.mozi","malware_printable":"Mozi","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi","confidence_level":50,"first_seen":"2022-08-05 06:40:03 
UTC","last_seen":null,"reference":null,"reporter":"sicehice","tags":null} +{"id":"841457","ioc":"185.185.71.171:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:30:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841456","ioc":"194.87.216.23:46278","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:25:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841455","ioc":"http://213.170.133.189/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.recordbreaker","malware_printable":"RecordBreaker","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker","confidence_level":100,"first_seen":"2022-08-05 06:20:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["recordbreaker"]} +{"id":"841454","ioc":"a695ab311e3449cacf5a2611dffac5bd","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample 
(payload)","ioc_type":"md5_hash","ioc_type_desc":"MD5 hash of a malware sample (payload)","malware":"win.kutaki","malware_printable":"Kutaki","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki","confidence_level":50,"first_seen":"2022-08-05 06:16:32 UTC","last_seen":null,"reference":"https://twitter.com/pollo290987/status/1555437557298651136","reporter":"Virus_Deck","tags":null} +{"id":"841453","ioc":"7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:21 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841452","ioc":"b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:19 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841451","ioc":"0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample 
(payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:18 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} +{"id":"841450","ioc":"81.19.141.37:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} +{"id":"841449","ioc":"119.45.94.71:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841448","ioc":"https://119.45.94.71/activity","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:29 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841447","ioc":"81.19.141.37:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} +{"id":"841446","ioc":"20.239.66.2:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} +{"id":"841445","ioc":"http://20.239.66.2/match","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:13 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} +{"id":"841444","ioc":"43.155.60.197:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:34 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841443","ioc":"https://43.155.60.197/dot.gif","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841441","ioc":"http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841442","ioc":"121.4.45.207:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841440","ioc":"43.138.129.56:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:11 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841439","ioc":"http://43.138.129.56/cm","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841438","ioc":"77.91.102.151:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841437","ioc":"https://194.87.216.182/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:35 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841436","ioc":"https://77.91.102.151/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json new file mode 100644 index 00000000000..d7acaf78a52 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json 
@@ -0,0 +1,3176 @@ +{ + "expected": [ + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "45.142.122.45:40669", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841508", + "kind": "enrichment", + "original": "{\"id\":\"841508\",\"ioc\":\"45.142.122.45:40669\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:40:15 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:40:15.000Z", + "ip": "45.142.122.45", + "port": 40669, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.hydra", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", + "malware_printable": "Hydra", + 
"reporter": "myonium1", + "tags": [ + "apk", + "Hydra" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841507", + "kind": "enrichment", + "original": "{\"id\":\"841507\",\"ioc\":\"http://malaikahlowry33.top\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.hydra\",\"malware_printable\":\"Hydra\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 11:36:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"apk\",\"Hydra\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:36:10.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "malaikahlowry33.top", + "original": "http://malaikahlowry33.top", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "91.203.192.233:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841506", + "kind": "enrichment", + 
"original": "{\"id\":\"841506\",\"ioc\":\"91.203.192.233:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:25:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:25:24.000Z", + "ip": "91.203.192.233", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "ioc": "61.14.233.88:8808", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.asyncrat", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", + "malware_printable": "AsyncRAT", + "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", + "reporter": "abuse_ch", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841505", + "kind": "enrichment", + "original": "{\"id\":\"841505\",\"ioc\":\"61.14.233.88:8808\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for 
botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:13 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:10:13.000Z", + "ip": "61.14.233.88", + "port": 8808, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "ioc": "61.14.233.88:6606", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.asyncrat", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", + "malware_printable": "AsyncRAT", + "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", + "reporter": "abuse_ch", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841504", + "kind": "enrichment", + "original": "{\"id\":\"841504\",\"ioc\":\"61.14.233.88:6606\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:10:12.000Z", + "ip": "61.14.233.88", + "port": 6606, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "61.14.233.88:7707", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.asyncrat", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", + "malware_printable": "AsyncRAT", + "reporter": "abuse_ch", + "tags": [ + "asyncrat", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841503", + "kind": "enrichment", + "original": "{\"id\":\"841503\",\"ioc\":\"61.14.233.88:7707\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:05:33 
UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T11:05:33.000Z", + "ip": "61.14.233.88", + "port": 7707, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "ioc": "107.182.129.240:38241", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "elf.mirai", + "malware_alias": "Katana", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", + "malware_printable": "Mirai", + "reference": "https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/", + "reporter": "abuse_ch", + "tags": [ + "Mirai" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841502", + "kind": "enrichment", + "original": "{\"id\":\"841502\",\"ioc\":\"107.182.129.240:38241\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"elf.mirai\",\"malware_printable\":\"Mirai\",\"malware_alias\":\"Katana\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 10:40:07 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/\",\"reporter\":\"abuse_ch\",\"tags\":[\"Mirai\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": 
{ + "indicator": { + "first_seen": "2022-08-05T10:40:07.000Z", + "ip": "107.182.129.240", + "port": 38241, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "78.173.184.33:5552", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.njrat", + "malware_alias": "Bladabindi", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", + "malware_printable": "NjRAT", + "reporter": "abuse_ch", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841501", + "kind": "enrichment", + "original": "{\"id\":\"841501\",\"ioc\":\"78.173.184.33:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:35:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:35:24.000Z", + "ip": "78.173.184.33", + "port": 5552, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "72.11.148.153:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + 
"malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841500", + "kind": "enrichment", + "original": "{\"id\":\"841500\",\"ioc\":\"72.11.148.153:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:53 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:28:53.000Z", + "ip": "72.11.148.153", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": 
"Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841499", + "kind": "enrichment", + "original": "{\"id\":\"841499\",\"ioc\":\"http://72.11.148.153/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:52 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:28:52.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "72.11.148.153", + "extension": "js", + "original": "http://72.11.148.153/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "8.142.117.220:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": 
{ + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841498", + "kind": "enrichment", + "original": "{\"id\":\"841498\",\"ioc\":\"8.142.117.220:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:25:47.000Z", + "ip": "8.142.117.220", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841497", + "kind": "enrichment", + "original": 
"{\"id\":\"841497\",\"ioc\":\"http://104.21.75.114/cx\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:45 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:25:45.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "104.21.75.114", + "original": "http://104.21.75.114/cx", + "path": "/cx", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841496", + "kind": "enrichment", + "original": "{\"id\":\"841496\",\"ioc\":\"http://172.67.222.204/ca\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet 
command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:44 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:25:44.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "172.67.222.204", + "original": "http://172.67.222.204/ca", + "path": "/ca", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "62.182.86.225:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841495", + "kind": "enrichment", + "original": "{\"id\":\"841495\",\"ioc\":\"62.182.86.225:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:24:47.000Z", + "ip": "62.182.86.225", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841494", + "kind": "enrichment", + "original": "{\"id\":\"841494\",\"ioc\":\"https://62.182.86.225/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:46 
UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:24:46.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "62.182.86.225", + "extension": "js", + "original": "https://62.182.86.225/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "194.87.216.182:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "SERVER4-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841493", + "kind": "enrichment", + "original": "{\"id\":\"841493\",\"ioc\":\"194.87.216.182:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:40 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"SERVER4-AS\"]}", + "type": 
"indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:24:40.000Z", + "ip": "194.87.216.182", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "Digital Energy Technologies Ltd." + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841491", + "kind": "enrichment", + "original": "{\"id\":\"841491\",\"ioc\":\"https://muwokok.com/us\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:24:31.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "muwokok.com", + "original": "https://muwokok.com/us", + 
"path": "/us", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "185.173.34.75:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "Digital Energy Technologies Ltd." + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841492", + "kind": "enrichment", + "original": "{\"id\":\"841492\",\"ioc\":\"185.173.34.75:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:24:31.000Z", + "ip": "185.173.34.75", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "39.105.193.50:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port 
combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841490", + "kind": "enrichment", + "original": "{\"id\":\"841490\",\"ioc\":\"39.105.193.50:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:23:31.000Z", + "ip": "39.105.193.50", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ 
+ "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841489", + "kind": "enrichment", + "original": "{\"id\":\"841489\",\"ioc\":\"https://39.105.193.50/jquery-3.3.1.min.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:23:30.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "39.105.193.50", + "extension": "js", + "original": "https://39.105.193.50/jquery-3.3.1.min.js", + "path": "/jquery-3.3.1.min.js", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": 
"841488", + "kind": "enrichment", + "original": "{\"id\":\"841488\",\"ioc\":\"http://hasanhaberlerdengelenlerden.co.vu/\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:31.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "hasanhaberlerdengelenlerden.co.vu", + "original": "http://hasanhaberlerdengelenlerden.co.vu/", + "path": "/", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841487", + "kind": "enrichment", + "original": "{\"id\":\"841487\",\"ioc\":\"http://where9smym8nd.com\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet 
Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:30.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "where9smym8nd.com", + "original": "http://where9smym8nd.com", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841486", + "kind": "enrichment", + "original": "{\"id\":\"841486\",\"ioc\":\"http://nothingandnothin31.com\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:27 
UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:27.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "nothingandnothin31.com", + "original": "http://nothingandnothin31.com", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841485", + "kind": "enrichment", + "original": "{\"id\":\"841485\",\"ioc\":\"http://baggshdyfsdp.shop\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:25.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "baggshdyfsdp.shop", + "original": 
"http://baggshdyfsdp.shop", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841484", + "kind": "enrichment", + "original": "{\"id\":\"841484\",\"ioc\":\"http://152.228.162.150\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:23 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:23.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "152.228.162.150", + "original": "http://152.228.162.150", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841483", + "kind": "enrichment", + "original": "{\"id\":\"841483\",\"ioc\":\"http://5.161.62.171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:20 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:20.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "5.161.62.171", + "original": "http://5.161.62.171", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.alien", + "malware_alias": "AlienBot", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "malware_printable": "Alien", + "reporter": "myonium1", + "tags": [ + "Alien", + "apk" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841482", + 
"kind": "enrichment", + "original": "{\"id\":\"841482\",\"ioc\":\"http://45.83.122.2\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.alien\",\"malware_printable\":\"Alien\",\"malware_alias\":\"AlienBot\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:21:02 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"Alien\",\"apk\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:21:02.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "45.83.122.2", + "original": "http://45.83.122.2", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "AMAZON-AES", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841481", + "kind": "enrichment", + "original": "{\"id\":\"841481\",\"ioc\":\"http://50.17.77.39:4444/fwlink\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"AMAZON-AES\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:17:36.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "50.17.77.39", + "original": "http://50.17.77.39:4444/fwlink", + "path": "/fwlink", + "port": 4444, + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "1.13.248.119:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841480", + "kind": "enrichment", + "original": "{\"id\":\"841480\",\"ioc\":\"1.13.248.119:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt 
Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:19 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:17:19.000Z", + "ip": "1.13.248.119", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841479", + "kind": "enrichment", + "original": "{\"id\":\"841479\",\"ioc\":\"http://1.13.248.119/articles/189948/text.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + 
"type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:17:18.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "1.13.248.119", + "extension": "php", + "original": "http://1.13.248.119/articles/189948/text.php", + "path": "/articles/189948/text.php", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "47.104.88.25:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841478", + "kind": "enrichment", + "original": "{\"id\":\"841478\",\"ioc\":\"47.104.88.25:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:07 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": 
[ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:17:07.000Z", + "ip": "47.104.88.25", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841477", + "kind": "enrichment", + "original": "{\"id\":\"841477\",\"ioc\":\"http://47.104.88.25/IE9CompatViewList.xml\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:06 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:17:06.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "47.104.88.25", + "extension": 
"xml", + "original": "http://47.104.88.25/IE9CompatViewList.xml", + "path": "/IE9CompatViewList.xml", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "45.79.127.214:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "LINODE-AP Linode LLC" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841476", + "kind": "enrichment", + "original": "{\"id\":\"841476\",\"ioc\":\"45.79.127.214:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:58 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:16:58.000Z", + "ip": "45.79.127.214", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + 
"ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "LINODE-AP Linode LLC" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841475", + "kind": "enrichment", + "original": "{\"id\":\"841475\",\"ioc\":\"https://45.79.127.214/j.ad\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:57 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:16:57.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "45.79.127.214", + "extension": "ad", + "original": "https://45.79.127.214/j.ad", + "path": "/j.ad", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "43.154.109.176:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": 
"Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841474", + "kind": "enrichment", + "original": "{\"id\":\"841474\",\"ioc\":\"43.154.109.176:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:16:14.000Z", + "ip": "43.154.109.176", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + 
"CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841473", + "kind": "enrichment", + "original": "{\"id\":\"841473\",\"ioc\":\"http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:16:10.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "service-akilm85g-1311240945.gz.apigw.tencentcs.com", + "original": "http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x", + "path": "/api/x", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "39.101.184.39:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": 
"drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841472", + "kind": "enrichment", + "original": "{\"id\":\"841472\",\"ioc\":\"39.101.184.39:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:15:47.000Z", + "ip": "39.101.184.39", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server 
(C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841471", + "kind": "enrichment", + "original": "{\"id\":\"841471\",\"ioc\":\"https://39.101.184.39/visit.js\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:46 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:15:46.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "39.101.184.39", + "extension": "js", + "original": "https://39.101.184.39/visit.js", + "path": "/visit.js", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 80, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "apk.hydra", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", + "malware_printable": "Hydra", + "reporter": "myonium1", + "tags": [ + "apk", + "Hydra" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841470", + "kind": "enrichment", + "original": 
"{\"id\":\"841470\",\"ioc\":\"http://lexdavid22.top\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"apk.hydra\",\"malware_printable\":\"Hydra\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra\",\"confidence_level\":80,\"first_seen\":\"2022-08-05 10:13:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"myonium1\",\"tags\":[\"apk\",\"Hydra\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:13:36.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "lexdavid22.top", + "original": "http://lexdavid22.top", + "path": "", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "102.133.180.23:5552", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.limerat", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", + "malware_printable": "LimeRAT", + "reporter": "abuse_ch", + "tags": [ + "LimeRAT", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841469", + "kind": "enrichment", + "original": "{\"id\":\"841469\",\"ioc\":\"102.133.180.23:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.limerat\",\"malware_printable\":\"LimeRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:26 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"LimeRAT\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:10:26.000Z", + "ip": "102.133.180.23", + "port": 5552, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "79.134.225.53:7171", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.nanocore", + "malware_alias": "Nancrat,NanoCore", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", + "malware_printable": "Nanocore RAT", + "reporter": "abuse_ch", + "tags": [ + "NanoCore", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841468", + "kind": "enrichment", + "original": "{\"id\":\"841468\",\"ioc\":\"79.134.225.53:7171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:23 
UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T10:10:23.000Z", + "ip": "79.134.225.53", + "port": 7171, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "116.202.186.151:21330", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841467", + "kind": "enrichment", + "original": "{\"id\":\"841467\",\"ioc\":\"116.202.186.151:21330\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:55:22 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T09:55:22.000Z", + "ip": "116.202.186.151", + "port": 21330, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" 
+ } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "192.169.69.25:22027", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.nanocore", + "malware_alias": "Nancrat,NanoCore", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", + "malware_printable": "Nanocore RAT", + "reporter": "abuse_ch", + "tags": [ + "NanoCore", + "RAT" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841466", + "kind": "enrichment", + "original": "{\"id\":\"841466\",\"ioc\":\"192.169.69.25:22027\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:35:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T09:35:25.000Z", + "ip": "192.169.69.25", + "port": 22027, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "ioc": "37.120.210.219:3398", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.remcos", + "malware_alias": "RemcosRAT,Remvio,Socmer", + "malware_malpedia": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", + "malware_printable": "Remcos", + "reference": "https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/", + "reporter": "abuse_ch", + "tags": [ + "remcos" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841465", + "kind": "enrichment", + "original": "{\"id\":\"841465\",\"ioc\":\"37.120.210.219:3398\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.remcos\",\"malware_printable\":\"Remcos\",\"malware_alias\":\"RemcosRAT,Remvio,Socmer\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 09:35:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/\",\"reporter\":\"abuse_ch\",\"tags\":[\"remcos\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T09:35:12.000Z", + "ip": "37.120.210.219", + "port": 3398, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb", + "ioc_type": "sha256_hash", + "ioc_type_desc": "SHA256 hash of a malware sample (payload)", + "malware": "win.woody", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", + "malware_printable": "woody", + "reference": "https://twitter.com/JAMESWT_MHT/status/1555479791821791232", + 
"reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841464", + "kind": "enrichment", + "original": "{\"id\":\"841464\",\"ioc\":\"ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.woody\",\"malware_printable\":\"woody\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.woody\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 09:04:23 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/JAMESWT_MHT/status/1555479791821791232\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T09:04:23.000Z", + "provider": "AbuseCH Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "182.54.238.167:35565", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.njrat", + "malware_alias": "Bladabindi", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", + "malware_printable": "NjRAT", + "reporter": "abuse_ch", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841463", + "kind": "enrichment", + "original": "{\"id\":\"841463\",\"ioc\":\"182.54.238.167:35565\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that 
identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 08:30:21 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T08:30:21.000Z", + "ip": "182.54.238.167", + "port": 35565, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reference": "https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/", + "reporter": "abuse_ch", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841462", + "kind": "enrichment", + "original": "{\"id\":\"841462\",\"ioc\":\"http://124.221.206.154:1443/submit.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt 
Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 07:55:06 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/\",\"reporter\":\"abuse_ch\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T07:55:06.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "124.221.206.154", + "extension": "php", + "original": "http://124.221.206.154:1443/submit.php", + "path": "/submit.php", + "port": 1443, + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "91.109.186.4:5050", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.njrat", + "malware_alias": "Bladabindi", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", + "malware_printable": "NjRAT", + "reporter": "abuse_ch", + "tags": [ + "njrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841461", + "kind": "enrichment", + "original": "{\"id\":\"841461\",\"ioc\":\"91.109.186.4:5050\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 07:35:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T07:35:17.000Z", + "ip": "91.109.186.4", + "port": 5050, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a", + "ioc_type": "sha256_hash", + "ioc_type_desc": "SHA256 hash of a malware sample (payload)", + "malware": "osx.xloader", + "malware_alias": "Formbook", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader", + "malware_printable": "Xloader", + "reference": "https://twitter.com/JAMESWT_MHT/status/1555445680797270016", + "reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841460", + "kind": "enrichment", + "original": "{\"id\":\"841460\",\"ioc\":\"c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"osx.xloader\",\"malware_printable\":\"Xloader\",\"malware_alias\":\"Formbook\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 07:04:11 
UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/JAMESWT_MHT/status/1555445680797270016\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T07:04:11.000Z", + "provider": "AbuseCH Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "45.147.199.166:14009", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841459", + "kind": "enrichment", + "original": "{\"id\":\"841459\",\"ioc\":\"45.147.199.166:14009\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:40:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:40:18.000Z", + "ip": "45.147.199.166", + "port": 14009, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } 
+ } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc_type": "url", + "ioc_type_desc": "URL that delivers a malware payload", + "malware": "elf.mozi", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", + "malware_printable": "Mozi", + "reporter": "sicehice", + "threat_type": "payload_delivery", + "threat_type_desc": "Indicator that identifies a malware distribution server (payload delivery)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841458", + "kind": "enrichment", + "original": "{\"id\":\"841458\",\"ioc\":\"http://115.55.81.211:33294/Mozi.m\",\"threat_type\":\"payload_delivery\",\"threat_type_desc\":\"Indicator that identifies a malware distribution server (payload delivery)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that delivers a malware payload\",\"malware\":\"elf.mozi\",\"malware_printable\":\"Mozi\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 06:40:03 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"sicehice\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:40:03.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "115.55.81.211", + "extension": "m", + "original": "http://115.55.81.211:33294/Mozi.m", + "path": "/Mozi.m", + "port": 33294, + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "185.185.71.171:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + 
"RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841457", + "kind": "enrichment", + "original": "{\"id\":\"841457\",\"ioc\":\"185.185.71.171:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:30:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:30:17.000Z", + "ip": "185.185.71.171", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "194.87.216.23:46278", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.redline_stealer", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", + "malware_printable": "RedLine Stealer", + "reporter": "abuse_ch", + "tags": [ + "RedLineStealer" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841456", + "kind": "enrichment", + "original": 
"{\"id\":\"841456\",\"ioc\":\"194.87.216.23:46278\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:25:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:25:18.000Z", + "ip": "194.87.216.23", + "port": 46278, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.recordbreaker", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker", + "malware_printable": "RecordBreaker", + "reporter": "abuse_ch", + "tags": [ + "recordbreaker" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841455", + "kind": "enrichment", + "original": "{\"id\":\"841455\",\"ioc\":\"http://213.170.133.189/\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.recordbreaker\",\"malware_printable\":\"RecordBreaker\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:20:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"recordbreaker\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:20:17.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "213.170.133.189", + "original": "http://213.170.133.189/", + "path": "/", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "a695ab311e3449cacf5a2611dffac5bd", + "ioc_type": "md5_hash", + "ioc_type_desc": "MD5 hash of a malware sample (payload)", + "malware": "win.kutaki", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", + "malware_printable": "Kutaki", + "reference": "https://twitter.com/pollo290987/status/1555437557298651136", + "reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841454", + "kind": "enrichment", + "original": "{\"id\":\"841454\",\"ioc\":\"a695ab311e3449cacf5a2611dffac5bd\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"md5_hash\",\"ioc_type_desc\":\"MD5 hash of a malware sample (payload)\",\"malware\":\"win.kutaki\",\"malware_printable\":\"Kutaki\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 06:16:32 
UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/pollo290987/status/1555437557298651136\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T06:16:32.000Z", + "provider": "AbuseCH Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59", + "ioc_type": "sha256_hash", + "ioc_type_desc": "SHA256 hash of a malware sample (payload)", + "malware": "win.isfb", + "malware_alias": "Gozi ISFB,IAP,Pandemyia", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", + "malware_printable": "ISFB", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841453", + "kind": "enrichment", + "original": "{\"id\":\"841453\",\"ioc\":\"7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:21 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T05:25:21.000Z", + "provider": "AbuseCH 
Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86", + "ioc_type": "sha256_hash", + "ioc_type_desc": "SHA256 hash of a malware sample (payload)", + "malware": "win.isfb", + "malware_alias": "Gozi ISFB,IAP,Pandemyia", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", + "malware_printable": "ISFB", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841452", + "kind": "enrichment", + "original": "{\"id\":\"841452\",\"ioc\":\"b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:19 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T05:25:19.000Z", + "provider": "AbuseCH Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 50, + "ioc": "0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff", + "ioc_type": "sha256_hash", + "ioc_type_desc": "SHA256 hash of a malware sample (payload)", + "malware": "win.isfb", + 
"malware_alias": "Gozi ISFB,IAP,Pandemyia", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", + "malware_printable": "ISFB", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "reporter": "Virus_Deck", + "threat_type": "payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841451", + "kind": "enrichment", + "original": "{\"id\":\"841451\",\"ioc\":\"0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha256_hash\",\"ioc_type_desc\":\"SHA256 hash of a malware sample (payload)\",\"malware\":\"win.isfb\",\"malware_printable\":\"ISFB\",\"malware_alias\":\"Gozi ISFB,IAP,Pandemyia\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb\",\"confidence_level\":50,\"first_seen\":\"2022-08-05 05:25:18 UTC\",\"last_seen\":null,\"reference\":\"https://twitter.com/StopMalvertisin/status/1555424657037475840\",\"reporter\":\"Virus_Deck\",\"tags\":null}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T05:25:18.000Z", + "provider": "AbuseCH Threat Fox", + "type": "unknown" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "81.19.141.37:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "GIR-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that 
identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841450", + "kind": "enrichment", + "original": "{\"id\":\"841450\",\"ioc\":\"81.19.141.37:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:26:51.000Z", + "ip": "81.19.141.37", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "119.45.94.71:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841449", + "kind": "enrichment", + "original": 
"{\"id\":\"841449\",\"ioc\":\"119.45.94.71:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:26:30.000Z", + "ip": "119.45.94.71", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841448", + "kind": "enrichment", + "original": "{\"id\":\"841448\",\"ioc\":\"https://119.45.94.71/activity\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control 
(C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:29 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:26:29.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "119.45.94.71", + "original": "https://119.45.94.71/activity", + "path": "/activity", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "81.19.141.37:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "GIR-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841447", + "kind": "enrichment", + "original": "{\"id\":\"841447\",\"ioc\":\"81.19.141.37:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt 
Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:25:51.000Z", + "ip": "81.19.141.37", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "20.239.66.2:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "MICROSOFT-CORP-MSN-AS-BLOCK" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841446", + "kind": "enrichment", + "original": "{\"id\":\"841446\",\"ioc\":\"20.239.66.2:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:14 
UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:25:14.000Z", + "ip": "20.239.66.2", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "MICROSOFT-CORP-MSN-AS-BLOCK" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841445", + "kind": "enrichment", + "original": "{\"id\":\"841445\",\"ioc\":\"http://20.239.66.2/match\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:13 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:25:13.000Z", + 
"provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "20.239.66.2", + "original": "http://20.239.66.2/match", + "path": "/match", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "43.155.60.197:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841444", + "kind": "enrichment", + "original": "{\"id\":\"841444\",\"ioc\":\"43.155.60.197:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:34 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:34.000Z", + "ip": "43.155.60.197", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": 
"ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841443", + "kind": "enrichment", + "original": "{\"id\":\"841443\",\"ioc\":\"https://43.155.60.197/dot.gif\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:33.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "43.155.60.197", + "extension": "gif", + "original": "https://43.155.60.197/dot.gif", + "path": "/dot.gif", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + 
"ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841441", + "kind": "enrichment", + "original": "{\"id\":\"841441\",\"ioc\":\"http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:18.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "service-da5heloj-1312757872.sh.apigw.tencentcs.com", + "extension": "php", + "original": "http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php", + "path": "/include/template/isx.php", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "121.4.45.207:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination 
that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841442", + "kind": "enrichment", + "original": "{\"id\":\"841442\",\"ioc\":\"121.4.45.207:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:18.000Z", + "ip": "121.4.45.207", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "43.138.129.56:80", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + 
"reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841440", + "kind": "enrichment", + "original": "{\"id\":\"841440\",\"ioc\":\"43.138.129.56:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:11 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:11.000Z", + "ip": "43.138.129.56", + "port": 80, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841439", + "kind": "enrichment", + "original": 
"{\"id\":\"841439\",\"ioc\":\"http://43.138.129.56/cm\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:10 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:24:10.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "43.138.129.56", + "original": "http://43.138.129.56/cm", + "path": "/cm", + "scheme": "http" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc": "77.91.102.151:443", + "ioc_type": "ip:port", + "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841438", + "kind": "enrichment", + "original": "{\"id\":\"841438\",\"ioc\":\"77.91.102.151:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server 
(C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:23:36.000Z", + "ip": "77.91.102.151", + "port": 443, + "provider": "AbuseCH Threat Fox", + "type": "ipv4-addr" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841437", + "kind": "enrichment", + "original": "{\"id\":\"841437\",\"ioc\":\"https://194.87.216.182/push\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt 
Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:35 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:23:35.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "194.87.216.182", + "original": "https://194.87.216.182/push", + "path": "/push", + "scheme": "https" + } + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "ioc_type": "url", + "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", + "malware": "win.cobalt_strike", + "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", + "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "malware_printable": "Cobalt Strike", + "reporter": "drb_ra", + "tags": [ + "CobaltStrike", + "STARK-INDUSTRIES-SOLUTIONS-AS" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841436", + "kind": "enrichment", + "original": "{\"id\":\"841436\",\"ioc\":\"https://77.91.102.151/push\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"url\",\"ioc_type_desc\":\"URL that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt 
Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "first_seen": "2022-08-05T03:23:33.000Z", + "provider": "AbuseCH Threat Fox", + "type": "url", + "url": { + "domain": "77.91.102.151", + "original": "https://77.91.102.151/push", + "path": "/push", + "scheme": "https" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..06ac86316a7 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml @@ -0,0 +1,6 @@ +input: httpjson +service: abusech +data_stream: + vars: + url: http://{{Hostname}}:{{Port}}/api/v1/ + preserve_original_event: true diff --git a/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..61e9d4e88a2 --- /dev/null +++ b/packages/ti_abusech/data_stream/threatfox/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,49 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+- set:
+ target: body.query
+ value: "get_iocs"
+- set:
+ target: body.days
+ value: '[[.cursor.days]]'
+ default: '{{initial_interval}}'
+
+response.split:
+ target: body.data
+
+cursor:
+ days:
+ value: '1'
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..191ff8031d6
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
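Review bot: The cursor pins `days` to `'1'` after the first request (`cursor: days: value: '1'`), while `interval` is free text with no upper bound, so an operator who polls less often than once a day silently loses every indicator published between two polls; on shorter intervals only the `_id` fingerprint in the ingest pipeline prevents duplicates. Either derive `days` from the configured interval or document the constraint next to the cursor, e.g. `# days resets to 1 after the first request: keep interval below 24h or indicators are skipped`. `request.url: {{url}}` is also an unquoted templated scalar; `request.url: "{{url}}"` keeps a value containing ` #` or `: ` from being mis-parsed before the template is rendered.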
@@ -0,0 +1,136 @@
+---
+description: Pipeline for parsing Abuse.ch Threat Fox Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: '8.4.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.threatfox
+ - fingerprint:
+ fields:
+ - abusech.threatfox.id
+ - abusech.threatfox.ioc_type
+ target_field: "_id"
+ - rename:
+ field: abusech.threatfox.id
+ target_field: event.id
+ ignore_missing: true
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - set:
+ field: threat.indicator.provider
+ value: AbuseCH Threat Fox
+ - date:
+ field: abusech.threatfox.first_seen
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.abusech?.threatfox?.first_seen != null"
+ - date:
+ field: abusech.threatfox.last_seen
+ target_field: threat.indicator.last_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.abusech?.threatfox?.last_seen != null"
+
+ ## URL/URI indicator operations
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['url'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ - uri_parts:
+ field: abusech.threatfox.ioc
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx.abusech?.threatfox?.ioc_type == 'url'
+
+ ## URL/URI indicator operations
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ - set:
+ field: threat.indicator.type
+ value: domain
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ - grok:
+ field: abusech.threatfox.ioc
+ patterns:
+ - "%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:long}"
+ ignore_missing: true
+ if: "ctx.abusech?.threatfox?.ioc_type == 'ip:port'"
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx?.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx?.abusech != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - abusech.threatfox.first_seen
+ - abusech.threatfox.last_seen
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/agent.yml b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml
new file mode 100644
index 00000000000..da4e652c53b
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/fields/agent.yml
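Review bot: The `ip:port` branch hard-codes `threat.indicator.type: ipv4-addr`, but the grok pattern `%{IP:threat.indicator.ip}` that follows also matches IPv6 literals, so a v6 C2 address (if the feed emits one) is typed as ipv4-addr; the `domain` branch sets the type to `domain` where ECS uses `domain-name`, and nothing copies `abusech.threatfox.ioc` into an ECS field, so for domain indicators the value survives only in the vendor object and never reaches `threat.indicator.*` where indicator-match rules look. A type correction keyed on the parsed address plus a copy of the domain value would close both gaps; the section comment above the ip/domain sets also repeats `## URL/URI indicator operations` and should read `## IP and domain indicator operations`. `abusech.threatfox.confidence_level` is kept verbatim but is never mapped to `threat.indicator.confidence`, which is worth a follow-up since analysts filter on it.
```yaml
  ## IP and domain indicator operations
  # … unchanged: set of ipv4-addr for ip:port, grok of abusech.threatfox.ioc into threat.indicator.ip/port …
  - set:
      field: threat.indicator.type
      value: ipv6-addr
      if: "ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':')"
  - set:
      field: threat.indicator.type
      value: domain-name
      if: "ctx.abusech?.threatfox?.ioc_type == 'domain'"
  - set:
      field: threat.indicator.url.domain
      copy_from: abusech.threatfox.ioc
      if: "ctx.abusech?.threatfox?.ioc_type == 'domain'"
  # … unchanged: cleanup processors …
```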
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
new file mode 100644
index 00000000000..d71e6e59d4c
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.malwarebazaar
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH MalwareBazaar
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/beats.yml b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml
new file mode 100644
index 00000000000..cb44bb29442
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
new file mode 100644
index 00000000000..1dc31c6e2d3
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
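Review bot: `event.dataset` and `threat.feed.name` in base-fields.yml still carry the MalwareBazaar values (`ti_abusech.malwarebazaar`, `AbuseCH MalwareBazaar`) although this is the threatfox data stream; as `constant_keyword` mappings they stamp every ThreatFox document with the wrong dataset and feed name, and a document that arrives with a different `threat.feed.name` — which the second patch's expected output suggests the pipeline will set — is rejected by a constant_keyword mapping. The values should be `value: ti_abusech.threatfox` and `value: AbuseCH Threat Fox`, matching `threat.indicator.provider` in the pipeline. `threat.feed.dashboard_id` looks copied from the same source and should point at a ThreatFox dashboard once one exists, or be dropped until then.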
@@ -0,0 +1,74 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: tags
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: event.created
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.file.size
+- external: ecs
+ name: threat.indicator.file.type
+- external: ecs
+ name: threat.indicator.file.name
+- external: ecs
+ name: threat.indicator.file.extension
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.mime_type
+- external: ecs
+ name: threat.software.alias
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.file.hash.ssdeep
+- name: threat.indicator.file.hash.sha384
+ type: keyword
+ description: "The file's sha384 hash, if available."
+- name: threat.indicator.file.hash.tlsh
+ type: keyword
+ description: "The file's import tlsh, if available."
+- external: ecs
+ name: threat.indicator.file.pe.imphash
+- external: ecs
+ name: threat.indicator.file.elf.telfhash
+- name: threat.indicator.file.x509.subject.common_name
+ external: ecs
+- name: threat.indicator.file.x509.issuer.common_name
+ external: ecs
+- name: threat.indicator.file.x509.public_key_algorithm
+ external: ecs
+- name: threat.indicator.file.x509.not_before
+ external: ecs
+- name: threat.indicator.file.x509.not_after
+ external: ecs
+- name: threat.indicator.file.x509.serial_number
+ external: ecs
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.geo.country_iso_code
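Review bot: The ECS declarations are the MalwareBazaar list — `threat.indicator.file.*`, the six x509 entries, `related.hash` and `threat.software.alias` are declared although the ThreatFox pipeline never writes any of them — while the fields it does write are missing: `threat.indicator.ip` and `threat.indicator.port` from the grok, `threat.indicator.url.original`, `.domain`, `.path` and `.scheme` from `uri_parts` (which may also emit `.port`, `.query`, `.fragment` and `.extension`), and `event.id` from the rename. Undeclared fields get dynamic mappings that the package's field validation will flag and that dashboards cannot rely on. Replace the file/x509 block with `- external: ecs` entries for those names and keep `threat.indicator.type`, `first_seen`, `last_seen` and `provider`.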
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
new file mode 100644
index 00000000000..516d5d1f598
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
@@ -0,0 +1,8 @@
+- name: abusech.threatfox
+ type: group
+ description: All fields related to AbuseCH Threat Fox indicators.
+ fields:
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware sample.
\ No newline at end of file
diff --git a/packages/ti_abusech/data_stream/threatfox/manifest.yml b/packages/ti_abusech/data_stream/threatfox/manifest.yml
new file mode 100644
index 00000000000..0089cee9c00
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/manifest.yml
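Review bot: fields.yml declares only `abusech.threatfox.tags`, but the pipeline's `json` processor unpacks the whole ThreatFox record under `abusech.threatfox`, so `ioc`, `ioc_type`, `ioc_type_desc`, `malware`, `malware_alias`, `malware_malpedia`, `malware_printable`, `confidence_level`, `reporter`, `threat_type` and `threat_type_desc` — all present in the expected output — are undeclared and will be mapped dynamically, `confidence_level` as a number the dashboards cannot depend on and the rest as text/keyword pairs. The `tags` description is also copied from MalwareBazaar ("queried malware sample"); `A list of tags associated with the indicator.` fits this feed. The declarations below use the types visible in the expected documents; `reference` appears only as null in `event.original`, so its type is a guess to confirm against the API.
```yaml
- name: abusech.threatfox
  type: group
  description: All fields related to AbuseCH Threat Fox indicators.
  fields:
    - name: confidence_level
      type: long
      description: Confidence level of the indicator as reported by ThreatFox.
    - name: ioc
      type: keyword
      description: The raw indicator value (ip:port, URL or domain).
    - name: ioc_type
      type: keyword
      description: Type of the indicator (for example ip:port, url, domain).
    - name: ioc_type_desc
      type: keyword
      description: Human-readable description of the indicator type.
    - name: malware
      type: keyword
      description: Malpedia identifier of the associated malware family.
    - name: malware_alias
      type: keyword
      description: Comma-separated aliases of the malware family.
    - name: malware_malpedia
      type: keyword
      description: Malpedia URL for the malware family.
    - name: malware_printable
      type: keyword
      description: Display name of the malware family.
    - name: reference
      type: keyword
      description: External reference for the indicator, if any.
    - name: reporter
      type: keyword
      description: ThreatFox user that submitted the indicator.
    - name: tags
      type: keyword
      description: A list of tags associated with the indicator.
    - name: threat_type
      type: keyword
      description: Threat type of the indicator (for example botnet_cc).
    - name: threat_type_desc
      type: keyword
      description: Human-readable description of the threat type.
```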
@@ -0,0 +1,76 @@
+type: logs
+title: AbuseCH Threat Fox logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH Threat Fox API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://threatfox-api.abuse.ch/api/v1/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: initial_interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 30
+ description: How far back to look for indicators the first time the agent is started. Defaults to 30 days, can be any number between 1-90.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-threatfox
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH Threat Fox logs
+ description: Collect AbuseCH Threat Fox logs
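Review bot: `initial_interval` carries the same `title: Interval` as `interval`, so the policy form shows two user-visible fields with one label; `title: Initial lookback (days)` would also make clear that this var is a bare day count while `interval` is a duration like `10m`. Its description promises a 1-90 range, but the var is `type: text` with no validation and the value goes verbatim into `body.days` in the stream template, so an out-of-range or non-numeric entry is only caught by the API response; a sentence in the description saying that values outside 1-90 are rejected by the API would at least set expectations. The proxy description ends in `http\[s\]://:@:`, which reads as if the user, password, host and port placeholders were stripped somewhere between the source and this rendering — confirm against the rendered form.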
diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index 21b904a01fa..f8160271651 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -2,7 +2,7 @@ name: ti_abusech title: AbuseCH version: "1.6.0" release: ga -description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. +description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: 1.0.0 license: basic @@ -17,10 +17,10 @@ icons: policy_templates: - name: ti_abusech title: AbuseCH API - description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. + description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. inputs: - type: httpjson title: "Collect AbuseCH logs via API" - description: "Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent." + description: "Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent." owner: github: elastic/security-external-integrations From c8926fd602706f325f71bc3c44d4f038a1696707 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 5 Aug 2022 17:34:39 +0000 Subject: [PATCH 2/7] more parsing --- .../test-threatfox-ndjson.log-expected.json | 365 ++++++++++++++---- .../elasticsearch/ingest_pipeline/default.yml | 9 +- 2 files changed, 299 insertions(+), 75 deletions(-) diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json index d7acaf78a52..d69be2a8b0e 100644 --- a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json 
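Review bot: `version: "1.6.0"` is unchanged in the context lines while the series adds a whole new `threatfox` data stream, and no changelog file appears in the diffstat; a new data stream is at least a minor bump, so the package manifest should be raised with a matching changelog entry unless a later patch in the series does so. The three description edits are consistent with one another and with the new data stream's title.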
+++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json @@ -6,7 +6,6 @@ "confidence_level": 100, "ioc": "45.142.122.45:40669", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", @@ -32,7 +31,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:40:15.000Z", "ip": "45.142.122.45", "port": 40669, @@ -46,7 +49,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.hydra", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", "malware_printable": "Hydra", @@ -73,7 +75,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:36:10.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -92,7 +98,6 @@ "confidence_level": 100, "ioc": "91.203.192.233:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", 
@@ -118,7 +123,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:25:24.000Z", "ip": "91.203.192.233", "port": 80, @@ -133,7 +142,6 @@ "confidence_level": 75, "ioc": "61.14.233.88:8808", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.asyncrat", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "malware_printable": "AsyncRAT", @@ -160,7 +168,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:10:13.000Z", "ip": "61.14.233.88", "port": 8808, @@ -175,7 +187,6 @@ "confidence_level": 75, "ioc": "61.14.233.88:6606", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.asyncrat", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "malware_printable": "AsyncRAT", @@ -202,7 +213,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:10:12.000Z", "ip": "61.14.233.88", "port": 6606, @@ -217,7 +232,6 @@ "confidence_level": 100, "ioc": "61.14.233.88:7707", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.asyncrat", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "malware_printable": "AsyncRAT", 
@@ -244,7 +258,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:05:33.000Z", "ip": "61.14.233.88", "port": 7707, @@ -259,7 +277,6 @@ "confidence_level": 75, "ioc": "107.182.129.240:38241", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "elf.mirai", "malware_alias": "Katana", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", @@ -287,7 +304,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:40:07.000Z", "ip": "107.182.129.240", "port": 38241, @@ -302,7 +323,6 @@ "confidence_level": 100, "ioc": "78.173.184.33:5552", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.njrat", "malware_alias": "Bladabindi", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", @@ -329,7 +349,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:35:24.000Z", "ip": "78.173.184.33", "port": 5552, @@ -344,7 +368,6 @@ "confidence_level": 100, "ioc": "72.11.148.153:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -371,7 +394,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:28:53.000Z", "ip": "72.11.148.153", "port": 80, @@ -385,7 +412,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -412,7 +438,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:28:52.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -432,7 +462,6 @@ "confidence_level": 100, "ioc": "8.142.117.220:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -460,7 +489,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:47.000Z", "ip": "8.142.117.220", "port": 80, @@ -474,7 +507,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -502,7 +534,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:45.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -520,7 +556,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -548,7 +583,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:44.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -567,7 +606,6 @@ "confidence_level": 100, "ioc": "62.182.86.225:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -594,7 +632,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:47.000Z", "ip": "62.182.86.225", "port": 443, @@ -608,7 +650,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -635,7 +676,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:46.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -655,7 +700,6 @@ "confidence_level": 100, "ioc": "194.87.216.182:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -683,7 +727,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:40.000Z", "ip": "194.87.216.182", "port": 443, @@ -697,7 +745,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -725,7 +772,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:31.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -744,7 +795,6 @@ "confidence_level": 100, "ioc": "185.173.34.75:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -772,7 +822,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:31.000Z", "ip": "185.173.34.75", "port": 443, @@ -787,7 +841,6 @@ "confidence_level": 100, "ioc": "39.105.193.50:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -814,7 +867,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:23:31.000Z", "ip": "39.105.193.50", "port": 443, @@ -828,7 +885,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -855,7 +911,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:23:30.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -874,7 +934,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", 
@@ -902,7 +961,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:31.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -920,7 +983,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", @@ -948,7 +1010,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:30.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -966,7 +1032,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", @@ -994,7 +1059,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:27.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1012,7 +1081,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", 
@@ -1040,7 +1108,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:25.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1058,7 +1130,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", @@ -1086,7 +1157,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:23.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1104,7 +1179,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", @@ -1132,7 +1206,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:20.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1150,7 +1228,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.alien", "malware_alias": "AlienBot", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", 
@@ -1178,7 +1255,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:02.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1196,7 +1277,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1224,7 +1304,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:36.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1244,7 +1328,6 @@ "confidence_level": 100, "ioc": "1.13.248.119:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1271,7 +1354,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:19.000Z", "ip": "1.13.248.119", "port": 80, @@ -1285,7 +1372,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -1312,7 +1398,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:18.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1332,7 +1422,6 @@ "confidence_level": 100, "ioc": "47.104.88.25:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1360,7 +1449,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:07.000Z", "ip": "47.104.88.25", "port": 80, @@ -1374,7 +1467,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1402,7 +1494,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:06.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1422,7 +1518,6 @@ "confidence_level": 100, "ioc": "45.79.127.214:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -1450,7 +1545,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:16:58.000Z", "ip": "45.79.127.214", "port": 443, @@ -1464,7 +1563,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1492,7 +1590,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:16:57.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1512,7 +1614,6 @@ "confidence_level": 100, "ioc": "43.154.109.176:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1540,7 +1641,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:16:14.000Z", "ip": "43.154.109.176", "port": 80, @@ -1554,7 +1659,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -1582,7 +1686,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:16:10.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1601,7 +1709,6 @@ "confidence_level": 100, "ioc": "39.101.184.39:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1629,7 +1736,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:15:47.000Z", "ip": "39.101.184.39", "port": 443, @@ -1643,7 +1754,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -1671,7 +1781,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:15:46.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1690,7 +1804,6 @@ "threatfox": { "confidence_level": 80, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "apk.hydra", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", "malware_printable": "Hydra", 
@@ -1717,7 +1830,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:13:36.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -1736,7 +1853,6 @@ "confidence_level": 100, "ioc": "102.133.180.23:5552", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.limerat", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", "malware_printable": "LimeRAT", @@ -1763,7 +1879,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:10:26.000Z", "ip": "102.133.180.23", "port": 5552, @@ -1778,7 +1898,6 @@ "confidence_level": 100, "ioc": "79.134.225.53:7171", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.nanocore", "malware_alias": "Nancrat,NanoCore", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", @@ -1806,7 +1925,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:10:23.000Z", "ip": "79.134.225.53", "port": 7171, @@ -1821,7 +1944,6 @@ "confidence_level": 100, "ioc": "116.202.186.151:21330", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", 
@@ -1847,7 +1969,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T09:55:22.000Z", "ip": "116.202.186.151", "port": 21330, @@ -1862,7 +1988,6 @@ "confidence_level": 100, "ioc": "192.169.69.25:22027", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.nanocore", "malware_alias": "Nancrat,NanoCore", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", @@ -1890,7 +2015,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T09:35:25.000Z", "ip": "192.169.69.25", "port": 22027, @@ -1905,7 +2034,6 @@ "confidence_level": 75, "ioc": "37.120.210.219:3398", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.remcos", "malware_alias": "RemcosRAT,Remvio,Socmer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", @@ -1933,7 +2061,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T09:35:12.000Z", "ip": "37.120.210.219", "port": 3398, @@ -1948,7 +2080,6 @@ "confidence_level": 50, "ioc": "ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb", "ioc_type": "sha256_hash", - "ioc_type_desc": "SHA256 hash of a malware sample (payload)", "malware": "win.woody", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "malware_printable": "woody", 
@@ -1972,7 +2103,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "SHA256 hash of a malware sample (payload)", "first_seen": "2022-08-05T09:04:23.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -1985,7 +2120,6 @@ "confidence_level": 100, "ioc": "182.54.238.167:35565", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.njrat", "malware_alias": "Bladabindi", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", @@ -2012,7 +2146,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T08:30:21.000Z", "ip": "182.54.238.167", "port": 35565, @@ -2026,7 +2164,6 @@ "threatfox": { "confidence_level": 75, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -2054,7 +2191,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T07:55:06.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -2075,7 +2216,6 @@ "confidence_level": 100, "ioc": "91.109.186.4:5050", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.njrat", "malware_alias": "Bladabindi", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", 
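Review bot: The hash indicator in this line's first hunk (`"ioc_type": "sha256_hash"`, and the `md5_hash`/`sha256_hash` samples further down) still lands as `"type": "unknown"` with no `threat.indicator.file.hash.*` field, so the only ECS-level handle on it is the `description` string this commit adds; indicator-match rules keyed on `threat.indicator.file.hash.sha256` / `.md5` will never fire on ThreatFox hash IOCs even though `threatfox.ioc` carries the value. The mapping itself lives in the ingest pipeline, which is not in this hunk, so this is inferred from the expected output only. Consider mapping `sha256_hash` / `md5_hash` to `threat.indicator.type: file` and copying `threatfox.ioc` into `threat.indicator.file.hash.sha256` / `threat.indicator.file.hash.md5`, then regenerating this expected file so the fixture pins that behavior.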
@@ -2102,7 +2242,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T07:35:17.000Z", "ip": "91.109.186.4", "port": 5050, @@ -2117,7 +2261,6 @@ "confidence_level": 50, "ioc": "c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a", "ioc_type": "sha256_hash", - "ioc_type_desc": "SHA256 hash of a malware sample (payload)", "malware": "osx.xloader", "malware_alias": "Formbook", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader", @@ -2142,7 +2285,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "SHA256 hash of a malware sample (payload)", "first_seen": "2022-08-05T07:04:11.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -2155,7 +2302,6 @@ "confidence_level": 100, "ioc": "45.147.199.166:14009", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", @@ -2181,7 +2327,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:40:18.000Z", "ip": "45.147.199.166", "port": 14009, @@ -2195,7 +2345,6 @@ "threatfox": { "confidence_level": 50, "ioc_type": "url", - "ioc_type_desc": "URL that delivers a malware payload", "malware": "elf.mozi", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", "malware_printable": "Mozi", 
@@ -2218,7 +2367,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that delivers a malware payload", "first_seen": "2022-08-05T06:40:03.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -2239,7 +2392,6 @@ "confidence_level": 100, "ioc": "185.185.71.171:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", @@ -2265,7 +2417,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:30:17.000Z", "ip": "185.185.71.171", "port": 80, @@ -2280,7 +2436,6 @@ "confidence_level": 100, "ioc": "194.87.216.23:46278", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.redline_stealer", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "malware_printable": "RedLine Stealer", @@ -2306,7 +2461,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:25:18.000Z", "ip": "194.87.216.23", "port": 46278, @@ -2320,7 +2479,6 @@ "threatfox": { "confidence_level": 100, "ioc_type": "url", - "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.recordbreaker", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker", "malware_printable": "RecordBreaker", 
@@ -2346,7 +2504,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:20:17.000Z", "provider": "AbuseCH Threat Fox", "type": "url", @@ -2365,7 +2527,6 @@ "confidence_level": 50, "ioc": "a695ab311e3449cacf5a2611dffac5bd", "ioc_type": "md5_hash", - "ioc_type_desc": "MD5 hash of a malware sample (payload)", "malware": "win.kutaki", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", "malware_printable": "Kutaki", @@ -2389,7 +2550,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "MD5 hash of a malware sample (payload)", "first_seen": "2022-08-05T06:16:32.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -2402,7 +2567,6 @@ "confidence_level": 50, "ioc": "7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59", "ioc_type": "sha256_hash", - "ioc_type_desc": "SHA256 hash of a malware sample (payload)", "malware": "win.isfb", "malware_alias": "Gozi ISFB,IAP,Pandemyia", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", @@ -2427,7 +2591,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "SHA256 hash of a malware sample (payload)", "first_seen": "2022-08-05T05:25:21.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -2440,7 +2608,6 @@ "confidence_level": 50, "ioc": "b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86", "ioc_type": "sha256_hash", - "ioc_type_desc": "SHA256 hash of a malware sample (payload)", "malware": "win.isfb", "malware_alias": "Gozi ISFB,IAP,Pandemyia", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", 
@@ -2465,7 +2632,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "SHA256 hash of a malware sample (payload)", "first_seen": "2022-08-05T05:25:19.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -2478,7 +2649,6 @@ "confidence_level": 50, "ioc": "0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff", "ioc_type": "sha256_hash", - "ioc_type_desc": "SHA256 hash of a malware sample (payload)", "malware": "win.isfb", "malware_alias": "Gozi ISFB,IAP,Pandemyia", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", @@ -2503,7 +2673,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "SHA256 hash of a malware sample (payload)", "first_seen": "2022-08-05T05:25:18.000Z", "provider": "AbuseCH Threat Fox", "type": "unknown" @@ -2516,7 +2690,6 @@ "confidence_level": 100, "ioc": "81.19.141.37:80", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", @@ -2544,7 +2717,11 @@ "preserve_original_event" ], "threat": { + "feed": { + "name": "AbuseCH Threat Fox" + }, "indicator": { + "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:26:51.000Z", "ip": "81.19.141.37", "port": 80, @@ -2559,7 +2736,6 @@ "confidence_level": 100, "ioc": "119.45.94.71:443", "ioc_type": "ip:port", - "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "malware": "win.cobalt_strike", "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", 
@@ -2586,7 +2762,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:26:30.000Z",
"ip": "119.45.94.71",
"port": 443,
@@ -2600,7 +2780,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2627,7 +2806,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:26:29.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -2646,7 +2829,6 @@
"confidence_level": 100,
"ioc": "81.19.141.37:443",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2674,7 +2856,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:25:51.000Z",
"ip": "81.19.141.37",
"port": 443,
@@ -2689,7 +2875,6 @@
"confidence_level": 100,
"ioc": "20.239.66.2:80",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2717,7 +2902,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:25:14.000Z",
"ip": "20.239.66.2",
"port": 80,
@@ -2731,7 +2920,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2759,7 +2947,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:25:13.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -2778,7 +2970,6 @@
"confidence_level": 100,
"ioc": "43.155.60.197:443",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2806,7 +2997,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:34.000Z",
"ip": "43.155.60.197",
"port": 443,
@@ -2820,7 +3015,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2848,7 +3042,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:33.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -2867,7 +3065,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2894,7 +3091,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:18.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -2914,7 +3115,6 @@
"confidence_level": 100,
"ioc": "121.4.45.207:80",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2941,7 +3141,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:18.000Z",
"ip": "121.4.45.207",
"port": 80,
@@ -2956,7 +3160,6 @@
"confidence_level": 100,
"ioc": "43.138.129.56:80",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -2983,7 +3186,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:11.000Z",
"ip": "43.138.129.56",
"port": 80,
@@ -2997,7 +3204,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -3024,7 +3230,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:24:10.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -3043,7 +3253,6 @@
"confidence_level": 100,
"ioc": "77.91.102.151:443",
"ioc_type": "ip:port",
- "ioc_type_desc": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -3071,7 +3280,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:23:36.000Z",
"ip": "77.91.102.151",
"port": 443,
@@ -3085,7 +3298,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -3113,7 +3325,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:23:35.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
@@ -3131,7 +3347,6 @@
"threatfox": {
"confidence_level": 100,
"ioc_type": "url",
- "ioc_type_desc": "URL that is used for botnet Command\u0026control (C\u0026C)",
"malware": "win.cobalt_strike",
"malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
@@ -3159,7 +3374,11 @@
"preserve_original_event"
],
"threat": {
+ "feed": {
+ "name": "AbuseCH Threat Fox"
+ },
"indicator": {
+ "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
"first_seen": "2022-08-05T03:23:33.000Z",
"provider": "AbuseCH Threat Fox",
"type": "url",
diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
index 191ff8031d6..2f9c5372833 100644
--- a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
@@ -43,6 +43,9 @@ processors:
- set:
field: threat.indicator.provider
value: AbuseCH Threat Fox
+ - set:
+ field: threat.feed.name
+ value: "AbuseCH Threat Fox"
- date:
field: abusech.threatfox.first_seen
target_field: threat.indicator.first_seen
@@ -59,7 +62,10 @@ processors:
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.abusech?.threatfox?.last_seen != null"
-
+ - rename:
+ field: abusech.threatfox.ioc_type_desc
+ target_field: threat.indicator.description
+ ignore_missing: true
## URL/URI indicator operations
- set:
field: threat.indicator.type
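Review bot: The new `rename` of `abusech.threatfox.ioc_type_desc` to `threat.indicator.description` in the second pipeline hunk takes the place of the blank line that separated the `last_seen` date processor from the `## URL/URI indicator operations` heading, so the rename now reads as the first step of the URL section although it applies to every indicator type; keep a blank line before the heading and give the rename its own comment, e.g. `# ioc_type_desc is the feed's free-text label for the indicator kind; ECS carries it as threat.indicator.description`. In the first hunk `value: "AbuseCH Threat Fox"` is quoted while the `threat.indicator.provider` set three lines above writes the same literal bare, so a reader has to compare the two strings to confirm the feed name and provider name are meant to be identical; pick one form for both. The enclosing `processors` list starts and ends outside these hunks.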
@@ -87,7 +93,6 @@ processors:
- "%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:long}"
ignore_missing: true
if: "ctx.abusech?.threatfox?.ioc_type == 'ip:port'"
-
######################
# Cleanup processors #
######################
From c82296c091fb54d370322b213aac3a2abb816e12 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Fri, 5 Aug 2022 23:38:38 +0000
Subject: [PATCH 3/7] Update IOC types
---
packages/ti_abusech/_dev/build/docs/README.md | 6 +-
.../test/pipeline/test-threatfox-ndjson.log | 76 +-
.../test-threatfox-ndjson.log-expected.json | 1717 +++++++++--------
.../elasticsearch/ingest_pipeline/default.yml | 92 +-
.../threatfox/fields/base-fields.yml | 4 +-
.../data_stream/threatfox/fields/ecs.yml | 48 +-
.../data_stream/threatfox/fields/fields.yml | 18 +-
packages/ti_abusech/docs/README.md | 98 +
8 files changed, 1214 insertions(+), 845 deletions(-)
diff --git a/packages/ti_abusech/_dev/build/docs/README.md b/packages/ti_abusech/_dev/build/docs/README.md
index e5222c06060..00b7289e26c 100644
--- a/packages/ti_abusech/_dev/build/docs/README.md
+++ b/packages/ti_abusech/_dev/build/docs/README.md
@@ -20,4 +20,8 @@ The AbuseCH malware data_stream retrieves threat intelligence indicators from th
The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`.
-{{fields "malwarebazaar"}}
\ No newline at end of file
+{{fields "malwarebazaar"}}
+
+The AbuseCH threatfox data_stream retrieves threat intelligence indicators from the Threat Fox API endpoint `https://threatfox-api.abuse.ch/api/v1/`.
+
+{{fields "threatfox"}}
\ No newline at end of file
diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log
index 7d3416f1505..e9b18540989 100644
--- a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log
+++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log 
@@ -1,22 +1,22 @@
-{"id":"841508","ioc":"45.142.122.45:40669","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:40:15 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]}
+{"id":"841508","ioc":"2a02:cf40:1::5:40669","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:40:15 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]}
{"id":"841507","ioc":"http://malaikahlowry33.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 11:36:10 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]}
-{"id":"841506","ioc":"91.203.192.233:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:25:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]}
-{"id":"841505","ioc":"61.14.233.88:8808","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:13 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]}
-{"id":"841504","ioc":"61.14.233.88:6606","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]}
-{"id":"841503","ioc":"61.14.233.88:7707","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 11:05:33 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["asyncrat","RAT"]}
-{"id":"841502","ioc":"107.182.129.240:38241","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"elf.mirai","malware_printable":"Mirai","malware_alias":"Katana","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai","confidence_level":75,"first_seen":"2022-08-05 10:40:07 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/","reporter":"abuse_ch","tags":["Mirai"]}
-{"id":"841501","ioc":"78.173.184.33:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 10:35:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]}
-{"id":"841500","ioc":"72.11.148.153:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:53 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
+{"id":"841506","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 11:25:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]}
+{"id":"841505","ioc":"81.2.69.142:8808","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:13 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]}
+{"id":"841504","ioc":"81.2.69.142:6606","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":75,"first_seen":"2022-08-05 11:10:12 
UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/","reporter":"abuse_ch","tags":["asyncrat"]}
+{"id":"841503","ioc":"81.2.69.142:7707","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 11:05:33 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["asyncrat","RAT"]}
+{"id":"841502","ioc":"81.2.69.142:38241","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"elf.mirai","malware_printable":"Mirai","malware_alias":"Katana","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai","confidence_level":75,"first_seen":"2022-08-05 10:40:07 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/","reporter":"abuse_ch","tags":["Mirai"]}
+{"id":"841501","ioc":"81.2.69.142:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 10:35:24 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]}
+{"id":"841500","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:53 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} {"id":"841499","ioc":"http://72.11.148.153/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:28:52 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841498","ioc":"8.142.117.220:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841498","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a 
botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]}
{"id":"841497","ioc":"http://104.21.75.114/cx","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:45 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]}
{"id":"841496","ioc":"http://172.67.222.204/ca","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:25:44 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]}
-{"id":"841495","ioc":"62.182.86.225:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server 
(C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
+{"id":"841495","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
{"id":"841494","ioc":"https://62.182.86.225/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
-{"id":"841493","ioc":"194.87.216.182:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:40 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","SERVER4-AS"]}
+{"id":"841493","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:40 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","SERVER4-AS"]}
{"id":"841491","ioc":"https://muwokok.com/us","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]}
-{"id":"841492","ioc":"185.173.34.75:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]}
-{"id":"841490","ioc":"39.105.193.50:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
+{"id":"841492","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:24:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","Digital Energy Technologies Ltd."]}
+{"id":"841490","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:31 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
{"id":"841489","ioc":"https://39.105.193.50/jquery-3.3.1.min.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:23:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]}
{"id":"841488","ioc":"http://hasanhaberlerdengelenlerden.co.vu/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:31 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]}
{"id":"841487","ioc":"http://where9smym8nd.com","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:30 
UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} 
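Review bot: The replacement first record in this hunk carries an unbracketed IPv6 `ip:port` value, `2a02:cf40:1::5:40669`, and the only ip:port parser visible on this page is the grok `%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:long}` in the pipeline hunk above, which has no rule for which colon ends the address, so the split rests on regex backtracking; the expected output for id 841508 should pin `threat.indicator.ip` to `2a02:cf40:1::5` and `threat.indicator.port` to `40669`, and a comment beside the grok should say the feed emits IPv6 ip:port without brackets. The expected JSON for this patch is outside my view, so I cannot confirm that it does. The rewrite also swaps addresses only in `ip:port` records (each becomes `81.2.69.142`) while the `url` records in the same hunk keep their original hosts, so the fixture is only partly sanitized; if the aim is to stop live C2 addresses from shipping in test data, the URL records need the same treatment, and if not, mapping every ip:port record to one address loses the per-address variety that exercised the parser.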
@@ -26,48 +26,50 @@ {"id":"841483","ioc":"http://5.161.62.171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:20 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} {"id":"841482","ioc":"http://45.83.122.2","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"apk.alien","malware_printable":"Alien","malware_alias":"AlienBot","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien","confidence_level":80,"first_seen":"2022-08-05 10:21:02 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["Alien","apk"]} {"id":"841481","ioc":"http://50.17.77.39:4444/fwlink","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["AMAZON-AES","CobaltStrike"]} -{"id":"841480","ioc":"1.13.248.119:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:19 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841480","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:19 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} {"id":"841479","ioc":"http://1.13.248.119/articles/189948/text.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841478","ioc":"47.104.88.25:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:07 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841478","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:07 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} {"id":"841477","ioc":"http://47.104.88.25/IE9CompatViewList.xml","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:17:06 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} -{"id":"841476","ioc":"45.79.127.214:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:58 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} +{"id":"841476","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:58 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} {"id":"841475","ioc":"https://45.79.127.214/j.ad","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:57 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","LINODE-AP Linode LLC"]} -{"id":"841474","ioc":"43.154.109.176:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841474","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} {"id":"841473","ioc":"http://service-akilm85g-1311240945.gz.apigw.tencentcs.com/api/x","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:16:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} -{"id":"841472","ioc":"39.101.184.39:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} +{"id":"841472","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:47 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} {"id":"841471","ioc":"https://39.101.184.39/visit.js","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 10:15:46 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.","CobaltStrike"]} {"id":"841470","ioc":"http://lexdavid22.top","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control 
(C&C)","malware":"apk.hydra","malware_printable":"Hydra","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra","confidence_level":80,"first_seen":"2022-08-05 10:13:36 UTC","last_seen":null,"reference":null,"reporter":"myonium1","tags":["apk","Hydra"]} -{"id":"841469","ioc":"102.133.180.23:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.limerat","malware_printable":"LimeRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat","confidence_level":100,"first_seen":"2022-08-05 10:10:26 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["LimeRAT","RAT"]} -{"id":"841468","ioc":"79.134.225.53:7171","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 10:10:23 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} -{"id":"841467","ioc":"116.202.186.151:21330","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 09:55:22 
UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} -{"id":"841466","ioc":"192.169.69.25:22027","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 09:35:25 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} -{"id":"841465","ioc":"37.120.210.219:3398","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.remcos","malware_printable":"Remcos","malware_alias":"RemcosRAT,Remvio,Socmer","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos","confidence_level":75,"first_seen":"2022-08-05 09:35:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/","reporter":"abuse_ch","tags":["remcos"]} +{"id":"841469","ioc":"81.2.69.142:5552","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.limerat","malware_printable":"LimeRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat","confidence_level":100,"first_seen":"2022-08-05 10:10:26 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["LimeRAT","RAT"]} +{"id":"841468","ioc":"81.2.69.142:7171","threat_type":"botnet_cc","threat_type_desc":"Indicator that 
identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 10:10:23 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841467","ioc":"81.2.69.142:21330","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 09:55:22 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841466","ioc":"81.2.69.142:22027","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.nanocore","malware_printable":"Nanocore RAT","malware_alias":"Nancrat,NanoCore","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore","confidence_level":100,"first_seen":"2022-08-05 09:35:25 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["NanoCore","RAT"]} +{"id":"841465","ioc":"81.2.69.142:3398","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.remcos","malware_printable":"Remcos","malware_alias":"RemcosRAT,Remvio,Socmer","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos","confidence_level":75,"first_seen":"2022-08-05 09:35:12 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/","reporter":"abuse_ch","tags":["remcos"]} {"id":"841464","ioc":"ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.woody","malware_printable":"woody","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.woody","confidence_level":50,"first_seen":"2022-08-05 09:04:23 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555479791821791232","reporter":"Virus_Deck","tags":null} -{"id":"841463","ioc":"182.54.238.167:35565","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 08:30:21 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841463","ioc":"81.2.69.142:35565","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 08:30:21 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} {"id":"841462","ioc":"http://124.221.206.154:1443/submit.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":75,"first_seen":"2022-08-05 07:55:06 UTC","last_seen":null,"reference":"https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/","reporter":"abuse_ch","tags":["CobaltStrike"]} -{"id":"841461","ioc":"91.109.186.4:5050","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 07:35:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} +{"id":"841461","ioc":"81.2.69.142:5050","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control 
(C&C)","malware":"win.njrat","malware_printable":"NjRAT","malware_alias":"Bladabindi","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat","confidence_level":100,"first_seen":"2022-08-05 07:35:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["njrat"]} {"id":"841460","ioc":"c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"osx.xloader","malware_printable":"Xloader","malware_alias":"Formbook","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader","confidence_level":50,"first_seen":"2022-08-05 07:04:11 UTC","last_seen":null,"reference":"https://twitter.com/JAMESWT_MHT/status/1555445680797270016","reporter":"Virus_Deck","tags":null} -{"id":"841459","ioc":"45.147.199.166:14009","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:40:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841459","ioc":"81.2.69.142:14009","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 
06:40:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} {"id":"841458","ioc":"http://115.55.81.211:33294/Mozi.m","threat_type":"payload_delivery","threat_type_desc":"Indicator that identifies a malware distribution server (payload delivery)","ioc_type":"url","ioc_type_desc":"URL that delivers a malware payload","malware":"elf.mozi","malware_printable":"Mozi","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi","confidence_level":50,"first_seen":"2022-08-05 06:40:03 UTC","last_seen":null,"reference":null,"reporter":"sicehice","tags":null} -{"id":"841457","ioc":"185.185.71.171:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:30:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} -{"id":"841456","ioc":"194.87.216.23:46278","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:25:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841457","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port 
combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:30:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} +{"id":"841456","ioc":"81.2.69.142:46278","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.redline_stealer","malware_printable":"RedLine Stealer","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer","confidence_level":100,"first_seen":"2022-08-05 06:25:18 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["RedLineStealer"]} {"id":"841455","ioc":"http://213.170.133.189/","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.recordbreaker","malware_printable":"RecordBreaker","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker","confidence_level":100,"first_seen":"2022-08-05 06:20:17 UTC","last_seen":null,"reference":null,"reporter":"abuse_ch","tags":["recordbreaker"]} {"id":"841454","ioc":"a695ab311e3449cacf5a2611dffac5bd","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"md5_hash","ioc_type_desc":"MD5 hash of a malware sample (payload)","malware":"win.kutaki","malware_printable":"Kutaki","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki","confidence_level":50,"first_seen":"2022-08-05 06:16:32 
UTC","last_seen":null,"reference":"https://twitter.com/pollo290987/status/1555437557298651136","reporter":"Virus_Deck","tags":null} {"id":"841453","ioc":"7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:21 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} {"id":"841452","ioc":"b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:19 UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} {"id":"841451","ioc":"0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha256_hash","ioc_type_desc":"SHA256 hash of a malware sample (payload)","malware":"win.isfb","malware_printable":"ISFB","malware_alias":"Gozi ISFB,IAP,Pandemyia","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb","confidence_level":50,"first_seen":"2022-08-05 05:25:18 
UTC","last_seen":null,"reference":"https://twitter.com/StopMalvertisin/status/1555424657037475840","reporter":"Virus_Deck","tags":null} -{"id":"841450","ioc":"81.19.141.37:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} -{"id":"841449","ioc":"119.45.94.71:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841450","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} 
+{"id":"841449","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:30 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} {"id":"841448","ioc":"https://119.45.94.71/activity","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:26:29 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841447","ioc":"81.19.141.37:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} -{"id":"841446","ioc":"20.239.66.2:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server 
(C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} +{"id":"841447","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:51 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","GIR-AS"]} +{"id":"841446","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:14 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} {"id":"841445","ioc":"http://20.239.66.2/match","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:25:13 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","MICROSOFT-CORP-MSN-AS-BLOCK"]} -{"id":"841444","ioc":"43.155.60.197:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:34 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} +{"id":"841444","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:34 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} {"id":"841443","ioc":"https://43.155.60.197/dot.gif","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control 
(C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"]} {"id":"841441","ioc":"http://service-da5heloj-1312757872.sh.apigw.tencentcs.com/include/template/isx.php","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841442","ioc":"121.4.45.207:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841440","ioc":"43.138.129.56:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:11 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841442","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:18 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} +{"id":"841440","ioc":"81.2.69.142:80","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:11 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} {"id":"841439","ioc":"http://43.138.129.56/cm","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:24:10 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike"]} -{"id":"841438","ioc":"77.91.102.151:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841438","ioc":"81.2.69.142:443","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"ip:port","ioc_type_desc":"ip:port combination that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:36 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} {"id":"841437","ioc":"https://194.87.216.182/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt 
Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:35 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} -{"id":"841436","ioc":"https://77.91.102.151/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} \ No newline at end of file +{"id":"841436","ioc":"https://77.91.102.151/push","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"url","ioc_type_desc":"URL that is used for botnet Command&control (C&C)","malware":"win.cobalt_strike","malware_printable":"Cobalt Strike","malware_alias":"Agentemis,BEACON,CobaltStrike,cobeacon","malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike","confidence_level":100,"first_seen":"2022-08-05 03:23:33 UTC","last_seen":null,"reference":null,"reporter":"drb_ra","tags":["CobaltStrike","STARK-INDUSTRIES-SOLUTIONS-AS"]} +{"id":"841537","ioc":"wizzy.hopto.org","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"domain","ioc_type_desc":"Domain that is used for botnet Command&control 
(C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 19:43:08 UTC","last_seen":null,"reference":"https://tria.ge/220805-w57pxsgae2","reporter":"AndreGironda","tags":["asyncrat"]} +{"id":"839586","ioc":"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha1_hash","ioc_type_desc":"SHA1 hash of a malware sample (payload)","malware":"win.vidar","malware_printable":"Vidar","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar","confidence_level":75,"first_seen":"2022-07-25 22:27:09 UTC","last_seen":null,"reference":"","reporter":"crep1x","tags":["Vidar"]} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json index d69be2a8b0e..12b135c5216 100644 --- a/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/pipeline/test-threatfox-ndjson.log-expected.json @@ -4,12 +4,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "45.142.122.45:40669", - "ioc_type": "ip:port", "malware": "win.redline_stealer", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "malware_printable": "RedLine Stealer", - "reporter": "abuse_ch", "tags": [ "RedLineStealer" ], 
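Review bot: The five `abusech.threatfox.*` fields removed at the top of this hunk (`ioc`, `ioc_type`, `malware_malpedia`, `malware_printable`, `reporter`) disappear from the indexed document rather than being renamed, which breaks any saved search, rule exception or dashboard that filtered on them. Later hunks in this file show the same values reappearing under `threat.indicator.*` and `threat.software.*`, so no information is lost, but the package changelog and manifest (not in this chunk) should record the removal as a breaking change, and the matching entries in `fields/fields.yml` should be dropped so the mapping and the pipeline output stay in sync — I cannot see either file here. If existing consumers matter, keep the old fields for one release with `description: Deprecated, use threat.indicator.* instead` rather than removing them outright.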
@@ -24,23 +19,25 @@ "category": "threat", "id": "841508", "kind": "enrichment", - "original": "{\"id\":\"841508\",\"ioc\":\"45.142.122.45:40669\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:40:15 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "original": "{\"id\":\"841508\",\"ioc\":\"2a02:cf40:1::5:40669\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:40:15 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:40:15.000Z", - "ip": "45.142.122.45", + "ip": "2a02:cf40:1::5", "port": 40669, - "provider": "AbuseCH Threat Fox", - "type": "ipv4-addr" + "provider": "abuse_ch", + "type": "ipv6-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" } } }, @@ -48,11 +45,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.hydra", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", - "malware_printable": "Hydra", - "reporter": "myonium1", "tags": [ "apk", "Hydra" @@ -75,13 +68,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:36:10.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "malaikahlowry33.top", @@ -89,6 +80,10 @@ "path": "", "scheme": "http" } + }, + "software": { + "name": "Hydra", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra" } } }, @@ -96,12 +91,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "91.203.192.233:80", - "ioc_type": "ip:port", "malware": "win.redline_stealer", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "malware_printable": "RedLine Stealer", - "reporter": "abuse_ch", "tags": [ "RedLineStealer" ], 
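Review bot: The IPv6 case this hunk introduces (`2a02:cf40:1::5:40669` in `event.original`, parsed to `ip: 2a02:cf40:1::5`, `port: 40669`, `type: ipv6-addr`) is a hand-edited fixture — the removed line shows it replaced a real `45.142.122.45:40669` sample — so it only proves the pipeline splits an unbracketed `ip:port` on the last colon, not that ThreatFox actually emits IPv6 in that form. If the upstream feed writes the usual `[2a02:cf40:1::5]:40669`, a last-colon split would presumably leave the brackets on the address and the document would likely be rejected by the `ip` field mapping, so please confirm the real format against a live ThreatFox IPv6 entry and add a bracketed sample to the fixture if that form occurs. A one-line comment on the split in the pipeline stating the assumed contract, e.g. `# ThreatFox ip:port is unbracketed even for IPv6; split on the last ':'`, would make the assumption visible to the next maintainer.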
@@ -116,23 +106,25 @@ "category": "threat", "id": "841506", "kind": "enrichment", - "original": "{\"id\":\"841506\",\"ioc\":\"91.203.192.233:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:25:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "original": "{\"id\":\"841506\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:25:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:25:24.000Z", - "ip": "91.203.192.233", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" } } }, @@ -140,13 +132,7 @@ "abusech": { "threatfox": { "confidence_level": 75, - "ioc": "61.14.233.88:8808", - "ioc_type": "ip:port", "malware": "win.asyncrat", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", - "malware_printable": "AsyncRAT", - "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", - "reporter": "abuse_ch", "tags": [ "asyncrat" ], 
@@ -161,23 +147,26 @@ "category": "threat", "id": "841505", "kind": "enrichment", - "original": "{\"id\":\"841505\",\"ioc\":\"61.14.233.88:8808\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:13 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "original": "{\"id\":\"841505\",\"ioc\":\"81.2.69.142:8808\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:13 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:10:13.000Z", - "ip": "61.14.233.88", + "ip": "81.2.69.142", "port": 8808, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", + 
"reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" } } }, @@ -185,13 +174,7 @@ "abusech": { "threatfox": { "confidence_level": 75, - "ioc": "61.14.233.88:6606", - "ioc_type": "ip:port", "malware": "win.asyncrat", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", - "malware_printable": "AsyncRAT", - "reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", - "reporter": "abuse_ch", "tags": [ "asyncrat" ], 
@@ -206,23 +189,26 @@ "category": "threat", "id": "841504", "kind": "enrichment", - "original": "{\"id\":\"841504\",\"ioc\":\"61.14.233.88:6606\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", + "original": "{\"id\":\"841504\",\"ioc\":\"81.2.69.142:6606\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 11:10:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/\",\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:10:12.000Z", - "ip": "61.14.233.88", + "ip": "81.2.69.142", "port": 6606, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", + 
"reference": "https://bazaar.abuse.ch/sample/45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe/", "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" } } }, @@ -230,12 +216,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "61.14.233.88:7707", - "ioc_type": "ip:port", "malware": "win.asyncrat", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", - "malware_printable": "AsyncRAT", - "reporter": "abuse_ch", "tags": [ "asyncrat", "RAT" 
@@ -251,23 +232,25 @@ "category": "threat", "id": "841503", "kind": "enrichment", - "original": "{\"id\":\"841503\",\"ioc\":\"61.14.233.88:7707\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:05:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\",\"RAT\"]}", + "original": "{\"id\":\"841503\",\"ioc\":\"81.2.69.142:7707\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 11:05:33 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"asyncrat\",\"RAT\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T11:05:33.000Z", - "ip": "61.14.233.88", + "ip": "81.2.69.142", "port": 7707, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" } } }, 
@@ -275,14 +258,7 @@ "abusech": { "threatfox": { "confidence_level": 75, - "ioc": "107.182.129.240:38241", - "ioc_type": "ip:port", "malware": "elf.mirai", - "malware_alias": "Katana", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", - "malware_printable": "Mirai", - "reference": "https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/", - "reporter": "abuse_ch", "tags": [ "Mirai" ], 
@@ -297,23 +273,29 @@ "category": "threat", "id": "841502", "kind": "enrichment", - "original": "{\"id\":\"841502\",\"ioc\":\"107.182.129.240:38241\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"elf.mirai\",\"malware_printable\":\"Mirai\",\"malware_alias\":\"Katana\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 10:40:07 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/\",\"reporter\":\"abuse_ch\",\"tags\":[\"Mirai\"]}", + "original": "{\"id\":\"841502\",\"ioc\":\"81.2.69.142:38241\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"elf.mirai\",\"malware_printable\":\"Mirai\",\"malware_alias\":\"Katana\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 10:40:07 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/\",\"reporter\":\"abuse_ch\",\"tags\":[\"Mirai\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:40:07.000Z", - "ip": "107.182.129.240", + "ip": "81.2.69.142", "port": 38241, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", + 
"reference": "https://bazaar.abuse.ch/sample/2373eac488f89172263c8ea1d996d74d90803c54762cedf5808f05b9d6d341f1/", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Katana" + ], + "name": "Mirai", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai" } } }, @@ -321,13 +303,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "78.173.184.33:5552", - "ioc_type": "ip:port", "malware": "win.njrat", - "malware_alias": "Bladabindi", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", - "malware_printable": "NjRAT", - "reporter": "abuse_ch", "tags": [ "njrat" ], 
@@ -342,23 +318,28 @@ "category": "threat", "id": "841501", "kind": "enrichment", - "original": "{\"id\":\"841501\",\"ioc\":\"78.173.184.33:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:35:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "original": "{\"id\":\"841501\",\"ioc\":\"81.2.69.142:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:35:24 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:35:24.000Z", - "ip": "78.173.184.33", + "ip": "81.2.69.142", "port": 5552, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Bladabindi" + ], + "name": "NjRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" } } }, 
@@ -366,13 +347,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "72.11.148.153:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -387,23 +362,31 @@ "category": "threat", "id": "841500", "kind": "enrichment", - "original": "{\"id\":\"841500\",\"ioc\":\"72.11.148.153:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:53 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841500\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:28:53 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:28:53.000Z", - "ip": "72.11.148.153", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -411,12 +394,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -438,13 +416,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:28:52.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "72.11.148.153", @@ -453,6 +429,16 @@ "path": "/jquery-3.3.1.min.js", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -460,13 +446,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "8.142.117.220:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", "CobaltStrike" 
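Review bot: The address rewrite in these fixtures is inconsistent: in the `@@ -438,13 +416,11 @@` hunk the URL indicator still carries `"domain": "72.11.148.153"` (and `62.182.86.225`, `39.105.193.50`, `1.13.248.119`, `47.104.88.25` in later hunks), while the `ip:port` indicator for the same host was rewritten to `81.2.69.142`. If the goal is to keep real C2 addresses out of committed test data (81.2.69.142 looks like the GeoIP test-database address used in other fixtures, but that is not visible here), the `url` IOCs in the input log should be rewritten the same way so that `event.original`, `url.domain`, and `threat.indicator.url.*` change together; as it stands the fixture pairs a synthetic `ip:port` with a live URL for what ThreatFox reports as one C2, which also makes the geo-enrichment expectations for URL indicators differ from the IP ones. The input `.log` that drives these expectations is outside this diff chunk.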
@@ -482,23 +462,31 @@ "category": "threat", "id": "841498", "kind": "enrichment", - "original": "{\"id\":\"841498\",\"ioc\":\"8.142.117.220:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", + "original": "{\"id\":\"841498\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:25:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:47.000Z", - "ip": "8.142.117.220", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + 
"provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -506,12 +494,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", "CobaltStrike" @@ -534,13 +517,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:45.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "104.21.75.114", @@ -548,6 +529,16 @@ "path": "/cx", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -555,12 +546,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", "CobaltStrike" 
@@ -583,13 +569,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:25:44.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "172.67.222.204", @@ -597,6 +581,16 @@ "path": "/ca", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -604,13 +598,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "62.182.86.225:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -625,23 +613,31 @@ "category": "threat", "id": "841495", "kind": "enrichment", - "original": "{\"id\":\"841495\",\"ioc\":\"62.182.86.225:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841495\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:47.000Z", - "ip": "62.182.86.225", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -649,12 +645,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -676,13 +667,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:46.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "62.182.86.225", @@ -691,6 +680,16 @@ "path": "/jquery-3.3.1.min.js", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -698,13 +697,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "194.87.216.182:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "SERVER4-AS" 
@@ -720,23 +713,31 @@ "category": "threat", "id": "841493", "kind": "enrichment", - "original": "{\"id\":\"841493\",\"ioc\":\"194.87.216.182:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:40 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"SERVER4-AS\"]}", + "original": "{\"id\":\"841493\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:40 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"SERVER4-AS\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:40.000Z", - "ip": "194.87.216.182", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + 
"Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -744,12 +745,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "Digital Energy Technologies Ltd." @@ -772,13 +768,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:31.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "muwokok.com", @@ -786,6 +780,16 @@ "path": "/us", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -793,13 +797,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "185.173.34.75:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "Digital Energy Technologies Ltd." 
@@ -815,23 +813,31 @@ "category": "threat", "id": "841492", "kind": "enrichment", - "original": "{\"id\":\"841492\",\"ioc\":\"185.173.34.75:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", + "original": "{\"id\":\"841492\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:24:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"Digital Energy Technologies Ltd.\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:24:31.000Z", - "ip": "185.173.34.75", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" 
+ }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -839,13 +845,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "39.105.193.50:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -860,23 +860,31 @@ "category": "threat", "id": "841490", "kind": "enrichment", - "original": "{\"id\":\"841490\",\"ioc\":\"39.105.193.50:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841490\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:23:31 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:23:31.000Z", - "ip": "39.105.193.50", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -884,12 +892,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -911,13 +914,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:23:30.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "39.105.193.50", @@ -926,6 +927,16 @@ "path": "/jquery-3.3.1.min.js", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -933,12 +944,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -961,13 +967,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:31.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "hasanhaberlerdengelenlerden.co.vu", 
@@ -975,6 +979,13 @@ "path": "/", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -982,12 +993,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1010,13 +1016,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:30.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "where9smym8nd.com", @@ -1024,6 +1028,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1031,12 +1042,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1059,13 +1065,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:27.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "nothingandnothin31.com", 
@@ -1073,6 +1077,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1080,12 +1091,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1108,13 +1114,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:25.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "baggshdyfsdp.shop", @@ -1122,6 +1126,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1129,12 +1140,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1157,13 +1163,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:23.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "152.228.162.150", 
@@ -1171,6 +1175,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1178,12 +1189,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1206,13 +1212,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:20.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "5.161.62.171", @@ -1220,6 +1224,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1227,12 +1238,7 @@ "abusech": { "threatfox": { "confidence_level": 80, - "ioc_type": "url", "malware": "apk.alien", - "malware_alias": "AlienBot", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", - "malware_printable": "Alien", - "reporter": "myonium1", "tags": [ "Alien", "apk" @@ -1255,13 +1261,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:21:02.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "myonium1", "type": "url", "url": { "domain": "45.83.122.2", 
@@ -1269,6 +1273,13 @@ "path": "", "scheme": "http" } + }, + "software": { + "alias": [ + "AlienBot" + ], + "name": "Alien", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien" } } }, @@ -1276,12 +1287,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "AMAZON-AES", "CobaltStrike" @@ -1304,13 +1310,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:36.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "50.17.77.39", @@ -1319,6 +1323,16 @@ "port": 4444, "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -1326,13 +1340,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "1.13.248.119:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -1347,23 +1355,31 @@ "category": "threat", "id": "841480", "kind": "enrichment", - "original": "{\"id\":\"841480\",\"ioc\":\"1.13.248.119:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:19 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841480\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:19 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:19.000Z", - "ip": "1.13.248.119", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -1371,12 +1387,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -1398,13 +1409,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T10:17:18.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "1.13.248.119", @@ -1413,6 +1422,16 @@ "path": "/articles/189948/text.php", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -1420,13 +1439,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "47.104.88.25:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.", "CobaltStrike" 
@@ -1442,23 +1455,31 @@
 "category": "threat",
 "id": "841478",
 "kind": "enrichment",
- "original": "{\"id\":\"841478\",\"ioc\":\"47.104.88.25:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:07 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}",
+ "original": "{\"id\":\"841478\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:17:07 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:17:07.000Z",
- "ip": "47.104.88.25",
+ "ip": "81.2.69.142",
 "port": 80,
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1466,12 +1487,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc_type": "url",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.",
 "CobaltStrike"
@@ -1494,13 +1510,11 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:17:06.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "url",
 "url": {
 "domain": "47.104.88.25",
@@ -1509,6 +1523,16 @@
 "path": "/IE9CompatViewList.xml",
 "scheme": "http"
 }
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1516,13 +1540,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "45.79.127.214:443",
- "ioc_type": "ip:port",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "CobaltStrike",
 "LINODE-AP Linode LLC"
@@ -1538,23 +1556,31 @@
 "category": "threat",
 "id": "841476",
 "kind": "enrichment",
- "original": "{\"id\":\"841476\",\"ioc\":\"45.79.127.214:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:58 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}",
+ "original": "{\"id\":\"841476\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:58 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"LINODE-AP Linode LLC\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:16:58.000Z",
- "ip": "45.79.127.214",
+ "ip": "81.2.69.142",
 "port": 443,
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1562,12 +1588,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc_type": "url",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "CobaltStrike",
 "LINODE-AP Linode LLC"
@@ -1590,13 +1611,11 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:16:57.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "url",
 "url": {
 "domain": "45.79.127.214",
@@ -1605,6 +1624,16 @@
 "path": "/j.ad",
 "scheme": "https"
 }
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1612,13 +1641,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "43.154.109.176:80",
- "ioc_type": "ip:port",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "CobaltStrike",
 "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"
@@ -1634,23 +1657,31 @@
 "category": "threat",
 "id": "841474",
 "kind": "enrichment",
- "original": "{\"id\":\"841474\",\"ioc\":\"43.154.109.176:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}",
+ "original": "{\"id\":\"841474\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:16:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:16:14.000Z",
- "ip": "43.154.109.176",
+ "ip": "81.2.69.142",
 "port": 80,
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1658,12 +1689,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc_type": "url",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "CobaltStrike",
 "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue"
@@ -1686,13 +1712,11 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:16:10.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "url",
 "url": {
 "domain": "service-akilm85g-1311240945.gz.apigw.tencentcs.com",
@@ -1700,6 +1724,16 @@
 "path": "/api/x",
 "scheme": "http"
 }
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1707,13 +1741,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "39.101.184.39:443",
- "ioc_type": "ip:port",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.",
 "CobaltStrike"
@@ -1729,23 +1757,31 @@
 "category": "threat",
 "id": "841472",
 "kind": "enrichment",
- "original": "{\"id\":\"841472\",\"ioc\":\"39.101.184.39:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}",
+ "original": "{\"id\":\"841472\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:15:47 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.\",\"CobaltStrike\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:15:47.000Z",
- "ip": "39.101.184.39",
+ "ip": "81.2.69.142",
 "port": 443,
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1753,12 +1789,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc_type": "url",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reporter": "drb_ra",
 "tags": [
 "ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.Ltd.",
 "CobaltStrike"
@@ -1781,13 +1812,11 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:15:46.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "drb_ra",
 "type": "url",
 "url": {
 "domain": "39.101.184.39",
@@ -1796,6 +1825,16 @@
 "path": "/visit.js",
 "scheme": "https"
 }
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -1803,11 +1842,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 80,
- "ioc_type": "url",
 "malware": "apk.hydra",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra",
- "malware_printable": "Hydra",
- "reporter": "myonium1",
 "tags": [
 "apk",
 "Hydra"
@@ -1830,13 +1865,11 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:13:36.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "myonium1",
 "type": "url",
 "url": {
 "domain": "lexdavid22.top",
@@ -1844,6 +1877,10 @@
 "path": "",
 "scheme": "http"
 }
+ },
+ "software": {
+ "name": "Hydra",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra"
 }
 }
 },
@@ -1851,12 +1888,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "102.133.180.23:5552",
- "ioc_type": "ip:port",
 "malware": "win.limerat",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
- "malware_printable": "LimeRAT",
- "reporter": "abuse_ch",
 "tags": [
 "LimeRAT",
 "RAT"
@@ -1872,23 +1904,25 @@
 "category": "threat",
 "id": "841469",
 "kind": "enrichment",
- "original": "{\"id\":\"841469\",\"ioc\":\"102.133.180.23:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.limerat\",\"malware_printable\":\"LimeRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:26 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"LimeRAT\",\"RAT\"]}",
+ "original": "{\"id\":\"841469\",\"ioc\":\"81.2.69.142:5552\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.limerat\",\"malware_printable\":\"LimeRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:26 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"LimeRAT\",\"RAT\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:10:26.000Z",
- "ip": "102.133.180.23",
+ "ip": "81.2.69.142",
 "port": 5552,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "name": "LimeRAT",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat"
 }
 }
 },
@@ -1896,13 +1930,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "79.134.225.53:7171",
- "ioc_type": "ip:port",
 "malware": "win.nanocore",
- "malware_alias": "Nancrat,NanoCore",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "malware_printable": "Nanocore RAT",
- "reporter": "abuse_ch",
 "tags": [
 "NanoCore",
 "RAT"
@@ -1918,23 +1946,29 @@
 "category": "threat",
 "id": "841468",
 "kind": "enrichment",
- "original": "{\"id\":\"841468\",\"ioc\":\"79.134.225.53:7171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:23 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}",
+ "original": "{\"id\":\"841468\",\"ioc\":\"81.2.69.142:7171\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 10:10:23 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T10:10:23.000Z",
- "ip": "79.134.225.53",
+ "ip": "81.2.69.142",
 "port": 7171,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Nancrat",
+ "NanoCore"
+ ],
+ "name": "Nanocore RAT",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore"
 }
 }
 },
@@ -1942,12 +1976,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "116.202.186.151:21330",
- "ioc_type": "ip:port",
 "malware": "win.redline_stealer",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
- "malware_printable": "RedLine Stealer",
- "reporter": "abuse_ch",
 "tags": [
 "RedLineStealer"
 ],
@@ -1962,23 +1991,25 @@
 "category": "threat",
 "id": "841467",
 "kind": "enrichment",
- "original": "{\"id\":\"841467\",\"ioc\":\"116.202.186.151:21330\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:55:22 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}",
+ "original": "{\"id\":\"841467\",\"ioc\":\"81.2.69.142:21330\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:55:22 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T09:55:22.000Z",
- "ip": "116.202.186.151",
+ "ip": "81.2.69.142",
 "port": 21330,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "name": "RedLine Stealer",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"
 }
 }
 },
@@ -1986,13 +2017,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "192.169.69.25:22027",
- "ioc_type": "ip:port",
 "malware": "win.nanocore",
- "malware_alias": "Nancrat,NanoCore",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "malware_printable": "Nanocore RAT",
- "reporter": "abuse_ch",
 "tags": [
 "NanoCore",
 "RAT"
@@ -2008,23 +2033,29 @@
 "category": "threat",
 "id": "841466",
 "kind": "enrichment",
- "original": "{\"id\":\"841466\",\"ioc\":\"192.169.69.25:22027\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:35:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}",
+ "original": "{\"id\":\"841466\",\"ioc\":\"81.2.69.142:22027\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.nanocore\",\"malware_printable\":\"Nanocore RAT\",\"malware_alias\":\"Nancrat,NanoCore\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 09:35:25 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"NanoCore\",\"RAT\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T09:35:25.000Z",
- "ip": "192.169.69.25",
+ "ip": "81.2.69.142",
 "port": 22027,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Nancrat",
+ "NanoCore"
+ ],
+ "name": "Nanocore RAT",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore"
 }
 }
 },
@@ -2032,14 +2063,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 75,
- "ioc": "37.120.210.219:3398",
- "ioc_type": "ip:port",
 "malware": "win.remcos",
- "malware_alias": "RemcosRAT,Remvio,Socmer",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
- "malware_printable": "Remcos",
- "reference": "https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/",
- "reporter": "abuse_ch",
 "tags": [
 "remcos"
 ],
@@ -2054,23 +2078,31 @@
 "category": "threat",
 "id": "841465",
 "kind": "enrichment",
- "original": "{\"id\":\"841465\",\"ioc\":\"37.120.210.219:3398\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.remcos\",\"malware_printable\":\"Remcos\",\"malware_alias\":\"RemcosRAT,Remvio,Socmer\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 09:35:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/\",\"reporter\":\"abuse_ch\",\"tags\":[\"remcos\"]}",
+ "original": "{\"id\":\"841465\",\"ioc\":\"81.2.69.142:3398\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.remcos\",\"malware_printable\":\"Remcos\",\"malware_alias\":\"RemcosRAT,Remvio,Socmer\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\",\"confidence_level\":75,\"first_seen\":\"2022-08-05 09:35:12 UTC\",\"last_seen\":null,\"reference\":\"https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/\",\"reporter\":\"abuse_ch\",\"tags\":[\"remcos\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T09:35:12.000Z",
- "ip": "37.120.210.219",
+ "ip": "81.2.69.142",
 "port": 3398,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
+ "reference": "https://bazaar.abuse.ch/sample/42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b/",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "RemcosRAT",
+ "Remvio",
+ "Socmer"
+ ],
+ "name": "Remcos",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos"
 }
 }
 },
@@ -2078,13 +2110,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 50,
- "ioc": "ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb",
- "ioc_type": "sha256_hash",
 "malware": "win.woody",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody",
- "malware_printable": "woody",
- "reference": "https://twitter.com/JAMESWT_MHT/status/1555479791821791232",
- "reporter": "Virus_Deck",
 "threat_type": "payload",
 "threat_type_desc": "Indicator that identifies a malware sample (payload)"
 }
@@ -2103,14 +2129,22 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "Medium",
 "description": "SHA256 hash of a malware sample (payload)",
+ "file": {
+ "hash": {
+ "sha256": "ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb"
+ }
+ },
 "first_seen": "2022-08-05T09:04:23.000Z",
- "provider": "AbuseCH Threat Fox",
- "type": "unknown"
+ "provider": "Virus_Deck",
+ "reference": "https://twitter.com/JAMESWT_MHT/status/1555479791821791232",
+ "type": "file"
+ },
+ "software": {
+ "name": "woody",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody"
 }
 }
 },
@@ -2118,13 +2152,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "182.54.238.167:35565",
- "ioc_type": "ip:port",
 "malware": "win.njrat",
- "malware_alias": "Bladabindi",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
- "malware_printable": "NjRAT",
- "reporter": "abuse_ch",
 "tags": [
 "njrat"
 ],
@@ -2139,23 +2167,28 @@
 "category": "threat",
 "id": "841463",
 "kind": "enrichment",
- "original": "{\"id\":\"841463\",\"ioc\":\"182.54.238.167:35565\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 08:30:21 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}",
+ "original": "{\"id\":\"841463\",\"ioc\":\"81.2.69.142:35565\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 08:30:21 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}",
 "type": "indicator"
 },
 "tags": [
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T08:30:21.000Z",
- "ip": "182.54.238.167",
+ "ip": "81.2.69.142",
 "port": 35565,
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
 "type": "ipv4-addr"
+ },
+ "software": {
+ "alias": [
+ "Bladabindi"
+ ],
+ "name": "NjRAT",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"
 }
 }
 },
@@ -2163,13 +2196,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 75,
- "ioc_type": "url",
 "malware": "win.cobalt_strike",
- "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "malware_printable": "Cobalt Strike",
- "reference": "https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/",
- "reporter": "abuse_ch",
 "tags": [
 "CobaltStrike"
 ],
@@ -2191,13 +2218,12 @@
 "preserve_original_event"
 ],
 "threat": {
- "feed": {
- "name": "AbuseCH Threat Fox"
- },
 "indicator": {
+ "confidence": "High",
 "description": "URL that is used for botnet Command\u0026control (C\u0026C)",
 "first_seen": "2022-08-05T07:55:06.000Z",
- "provider": "AbuseCH Threat Fox",
+ "provider": "abuse_ch",
+ "reference": "https://bazaar.abuse.ch/sample/eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d/",
 "type": "url",
 "url": {
 "domain": "124.221.206.154",
@@ -2207,6 +2233,16 @@
 "port": 1443,
 "scheme": "http"
 }
+ },
+ "software": {
+ "alias": [
+ "Agentemis",
+ "BEACON",
+ "CobaltStrike",
+ "cobeacon"
+ ],
+ "name": "Cobalt Strike",
+ "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 }
 }
 },
@@ -2214,13 +2250,7 @@
 "abusech": {
 "threatfox": {
 "confidence_level": 100,
- "ioc": "91.109.186.4:5050",
- "ioc_type": "ip:port",
 "malware": "win.njrat",
- "malware_alias": "Bladabindi",
- "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
- "malware_printable": "NjRAT",
- "reporter": "abuse_ch",
 "tags": [
 "njrat"
 ],
@@ -2235,23 +2265,28 @@ "category": "threat", "id": "841461", "kind": "enrichment", - "original": "{\"id\":\"841461\",\"ioc\":\"91.109.186.4:5050\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 07:35:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", + "original": "{\"id\":\"841461\",\"ioc\":\"81.2.69.142:5050\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.njrat\",\"malware_printable\":\"NjRAT\",\"malware_alias\":\"Bladabindi\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 07:35:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"njrat\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T07:35:17.000Z", - "ip": "91.109.186.4", + "ip": "81.2.69.142", "port": 5050, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Bladabindi" + ], + "name": "NjRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" } } }, 
@@ -2259,14 +2294,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc": "c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a", - "ioc_type": "sha256_hash", "malware": "osx.xloader", - "malware_alias": "Formbook", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader", - "malware_printable": "Xloader", - "reference": "https://twitter.com/JAMESWT_MHT/status/1555445680797270016", - "reporter": "Virus_Deck", "threat_type": "payload", "threat_type_desc": "Indicator that identifies a malware sample (payload)" } @@ -2285,14 +2313,25 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a" + } + }, "first_seen": "2022-08-05T07:04:11.000Z", - "provider": "AbuseCH Threat Fox", - "type": "unknown" + "provider": "Virus_Deck", + "reference": "https://twitter.com/JAMESWT_MHT/status/1555445680797270016", + "type": "file" + }, + "software": { + "alias": [ + "Formbook" + ], + "name": "Xloader", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader" } } }, @@ -2300,12 +2339,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "45.147.199.166:14009", - "ioc_type": "ip:port", "malware": "win.redline_stealer", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "malware_printable": "RedLine Stealer", - "reporter": "abuse_ch", "tags": [ "RedLineStealer" ], 
@@ -2320,23 +2354,25 @@ "category": "threat", "id": "841459", "kind": "enrichment", - "original": "{\"id\":\"841459\",\"ioc\":\"45.147.199.166:14009\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:40:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "original": "{\"id\":\"841459\",\"ioc\":\"81.2.69.142:14009\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:40:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:40:18.000Z", - "ip": "45.147.199.166", + "ip": "81.2.69.142", "port": 14009, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" } } }, @@ -2344,11 +2380,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc_type": "url", "malware": "elf.mozi", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", - "malware_printable": "Mozi", - "reporter": "sicehice", "threat_type": "payload_delivery", "threat_type_desc": "Indicator that identifies a malware distribution server (payload delivery)" } @@ -2367,13 +2399,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "URL that delivers a malware payload", "first_seen": "2022-08-05T06:40:03.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "sicehice", "type": "url", "url": { "domain": "115.55.81.211", @@ -2383,6 +2413,10 @@ "port": 33294, "scheme": "http" } + }, + "software": { + "name": "Mozi", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi" } } }, @@ -2390,12 +2424,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "185.185.71.171:80", - "ioc_type": "ip:port", "malware": "win.redline_stealer", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "malware_printable": "RedLine Stealer", - "reporter": "abuse_ch", "tags": [ "RedLineStealer" ], 
@@ -2410,23 +2439,25 @@ "category": "threat", "id": "841457", "kind": "enrichment", - "original": "{\"id\":\"841457\",\"ioc\":\"185.185.71.171:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:30:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "original": "{\"id\":\"841457\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:30:17 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:30:17.000Z", - "ip": "185.185.71.171", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" } } }, @@ -2434,12 +2465,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "194.87.216.23:46278", - "ioc_type": "ip:port", "malware": "win.redline_stealer", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "malware_printable": "RedLine Stealer", - "reporter": "abuse_ch", "tags": [ "RedLineStealer" ], 
@@ -2454,23 +2480,25 @@ "category": "threat", "id": "841456", "kind": "enrichment", - "original": "{\"id\":\"841456\",\"ioc\":\"194.87.216.23:46278\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:25:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", + "original": "{\"id\":\"841456\",\"ioc\":\"81.2.69.142:46278\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.redline_stealer\",\"malware_printable\":\"RedLine Stealer\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 06:25:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"abuse_ch\",\"tags\":[\"RedLineStealer\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:25:18.000Z", - "ip": "194.87.216.23", + "ip": "81.2.69.142", "port": 46278, - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "ipv4-addr" + }, + "software": { + "name": "RedLine Stealer", + "reference": 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer" } } }, @@ -2478,11 +2506,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.recordbreaker", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker", - "malware_printable": "RecordBreaker", - "reporter": "abuse_ch", "tags": [ "recordbreaker" ], @@ -2504,13 +2528,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T06:20:17.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "abuse_ch", "type": "url", "url": { "domain": "213.170.133.189", @@ -2518,6 +2540,10 @@ "path": "/", "scheme": "http" } + }, + "software": { + "name": "RecordBreaker", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" } } }, @@ -2525,13 +2551,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc": "a695ab311e3449cacf5a2611dffac5bd", - "ioc_type": "md5_hash", "malware": "win.kutaki", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", - "malware_printable": "Kutaki", - "reference": "https://twitter.com/pollo290987/status/1555437557298651136", - "reporter": "Virus_Deck", "threat_type": "payload", "threat_type_desc": "Indicator that identifies a malware sample (payload)" } 
@@ -2550,14 +2570,22 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "MD5 hash of a malware sample (payload)", + "file": { + "hash": { + "md5": "a695ab311e3449cacf5a2611dffac5bd" + } + }, "first_seen": "2022-08-05T06:16:32.000Z", - "provider": "AbuseCH Threat Fox", - "type": "unknown" + "provider": "Virus_Deck", + "reference": "https://twitter.com/pollo290987/status/1555437557298651136", + "type": "file" + }, + "software": { + "name": "Kutaki", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki" } } }, @@ -2565,14 +2593,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc": "7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59", - "ioc_type": "sha256_hash", "malware": "win.isfb", - "malware_alias": "Gozi ISFB,IAP,Pandemyia", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", - "malware_printable": "ISFB", - "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", - "reporter": "Virus_Deck", "threat_type": "payload", "threat_type_desc": "Indicator that identifies a malware sample (payload)" } @@ -2591,14 +2612,27 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "7768d132668a2eb1a86a04b249fab7e5b0790b6a61927ae6db283950f4cc7d59" + } + }, "first_seen": "2022-08-05T05:25:21.000Z", - "provider": "AbuseCH Threat Fox", - "type": "unknown" + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" } } }, 
@@ -2606,14 +2640,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc": "b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86", - "ioc_type": "sha256_hash", "malware": "win.isfb", - "malware_alias": "Gozi ISFB,IAP,Pandemyia", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", - "malware_printable": "ISFB", - "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", - "reporter": "Virus_Deck", "threat_type": "payload", "threat_type_desc": "Indicator that identifies a malware sample (payload)" } @@ -2632,14 +2659,27 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86" + } + }, "first_seen": "2022-08-05T05:25:19.000Z", - "provider": "AbuseCH Threat Fox", - "type": "unknown" + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" } } }, @@ -2647,14 +2687,7 @@ "abusech": { "threatfox": { "confidence_level": 50, - "ioc": "0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff", - "ioc_type": "sha256_hash", "malware": "win.isfb", - "malware_alias": "Gozi ISFB,IAP,Pandemyia", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", - "malware_printable": "ISFB", - "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", - "reporter": "Virus_Deck", "threat_type": "payload", "threat_type_desc": "Indicator that identifies a malware sample (payload)" } 
@@ -2673,14 +2706,27 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "Medium", "description": "SHA256 hash of a malware sample (payload)", + "file": { + "hash": { + "sha256": "0989361dd7c8739827009be27579080b37430dbbb35ac9673b5e33f61505fdff" + } + }, "first_seen": "2022-08-05T05:25:18.000Z", - "provider": "AbuseCH Threat Fox", - "type": "unknown" + "provider": "Virus_Deck", + "reference": "https://twitter.com/StopMalvertisin/status/1555424657037475840", + "type": "file" + }, + "software": { + "alias": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "name": "ISFB", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" } } }, @@ -2688,13 +2734,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "81.19.141.37:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "GIR-AS" 
@@ -2710,23 +2750,31 @@ "category": "threat", "id": "841450", "kind": "enrichment", - "original": "{\"id\":\"841450\",\"ioc\":\"81.19.141.37:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "original": "{\"id\":\"841450\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:26:51.000Z", - "ip": "81.19.141.37", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + 
"BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2734,13 +2782,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "119.45.94.71:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -2755,23 +2797,31 @@ "category": "threat", "id": "841449", "kind": "enrichment", - "original": "{\"id\":\"841449\",\"ioc\":\"119.45.94.71:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841449\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:26:30 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:26:30.000Z", - "ip": "119.45.94.71", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2779,12 +2829,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -2806,13 +2851,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:26:29.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "119.45.94.71", @@ -2820,6 +2863,16 @@ "path": "/activity", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2827,13 +2880,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "81.19.141.37:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "GIR-AS" 
@@ -2849,23 +2896,31 @@ "category": "threat", "id": "841447", "kind": "enrichment", - "original": "{\"id\":\"841447\",\"ioc\":\"81.19.141.37:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", + "original": "{\"id\":\"841447\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:51 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"GIR-AS\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:25:51.000Z", - "ip": "81.19.141.37", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + 
"BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2873,13 +2928,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "20.239.66.2:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "MICROSOFT-CORP-MSN-AS-BLOCK" 
@@ -2895,23 +2944,31 @@ "category": "threat", "id": "841446", "kind": "enrichment", - "original": "{\"id\":\"841446\",\"ioc\":\"20.239.66.2:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", + "original": "{\"id\":\"841446\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:25:14 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"MICROSOFT-CORP-MSN-AS-BLOCK\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:25:14.000Z", - "ip": "20.239.66.2", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + 
"software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2919,12 +2976,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "MICROSOFT-CORP-MSN-AS-BLOCK" @@ -2947,13 +2999,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:25:13.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "20.239.66.2", @@ -2961,6 +3011,16 @@ "path": "/match", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -2968,13 +3028,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "43.155.60.197:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" 
@@ -2990,23 +3044,31 @@ "category": "threat", "id": "841444", "kind": "enrichment", - "original": "{\"id\":\"841444\",\"ioc\":\"43.155.60.197:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:34 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", + "original": "{\"id\":\"841444\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:34 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:34.000Z", - "ip": "43.155.60.197", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", 
+ "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3014,12 +3076,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue" @@ -3042,13 +3099,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:33.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "43.155.60.197", @@ -3057,6 +3112,16 @@ "path": "/dot.gif", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3064,12 +3129,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -3091,13 +3151,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:18.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "service-da5heloj-1312757872.sh.apigw.tencentcs.com", @@ -3106,6 +3164,16 @@ "path": "/include/template/isx.php", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3113,13 +3181,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "121.4.45.207:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -3134,23 +3196,31 @@ "category": "threat", "id": "841442", "kind": "enrichment", - "original": "{\"id\":\"841442\",\"ioc\":\"121.4.45.207:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841442\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:18 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:18.000Z", - "ip": "121.4.45.207", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3158,13 +3228,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "43.138.129.56:80", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], 
@@ -3179,23 +3243,31 @@ "category": "threat", "id": "841440", "kind": "enrichment", - "original": "{\"id\":\"841440\",\"ioc\":\"43.138.129.56:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:11 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", + "original": "{\"id\":\"841440\",\"ioc\":\"81.2.69.142:80\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:24:11 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:11.000Z", - "ip": "43.138.129.56", + "ip": "81.2.69.142", "port": 80, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + 
"CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3203,12 +3275,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike" ], @@ -3230,13 +3297,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:24:10.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "43.138.129.56", @@ -3244,6 +3309,16 @@ "path": "/cm", "scheme": "http" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3251,13 +3326,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc": "77.91.102.151:443", - "ioc_type": "ip:port", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "STARK-INDUSTRIES-SOLUTIONS-AS" 
@@ -3273,23 +3342,31 @@ "category": "threat", "id": "841438", "kind": "enrichment", - "original": "{\"id\":\"841438\",\"ioc\":\"77.91.102.151:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", + "original": "{\"id\":\"841438\",\"ioc\":\"81.2.69.142:443\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"ip:port\",\"ioc_type_desc\":\"ip:port combination that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.cobalt_strike\",\"malware_printable\":\"Cobalt Strike\",\"malware_alias\":\"Agentemis,BEACON,CobaltStrike,cobeacon\",\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 03:23:36 UTC\",\"last_seen\":null,\"reference\":null,\"reporter\":\"drb_ra\",\"tags\":[\"CobaltStrike\",\"STARK-INDUSTRIES-SOLUTIONS-AS\"]}", "type": "indicator" }, "tags": [ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "ip:port combination that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:23:36.000Z", - "ip": "77.91.102.151", + "ip": "81.2.69.142", "port": 443, - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "ipv4-addr" + 
}, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3297,12 +3374,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "STARK-INDUSTRIES-SOLUTIONS-AS" @@ -3325,13 +3397,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:23:35.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "194.87.216.182", @@ -3339,6 +3409,16 @@ "path": "/push", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" } } }, @@ -3346,12 +3426,7 @@ "abusech": { "threatfox": { "confidence_level": 100, - "ioc_type": "url", "malware": "win.cobalt_strike", - "malware_alias": "Agentemis,BEACON,CobaltStrike,cobeacon", - "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "malware_printable": "Cobalt Strike", - "reporter": "drb_ra", "tags": [ "CobaltStrike", "STARK-INDUSTRIES-SOLUTIONS-AS" 
@@ -3374,13 +3449,11 @@ "preserve_original_event" ], "threat": { - "feed": { - "name": "AbuseCH Threat Fox" - }, "indicator": { + "confidence": "High", "description": "URL that is used for botnet Command\u0026control (C\u0026C)", "first_seen": "2022-08-05T03:23:33.000Z", - "provider": "AbuseCH Threat Fox", + "provider": "drb_ra", "type": "url", "url": { "domain": "77.91.102.151", 
@@ -3388,6 +3461,104 @@ "path": "/push", "scheme": "https" } + }, + "software": { + "alias": [ + "Agentemis", + "BEACON", + "CobaltStrike", + "cobeacon" + ], + "name": "Cobalt Strike", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "841537", + "kind": "enrichment", + "original": "{\"id\":\"841537\",\"ioc\":\"wizzy.hopto.org\",\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\u0026control server (C\u0026C)\",\"ioc_type\":\"domain\",\"ioc_type_desc\":\"Domain that is used for botnet Command\u0026control (C\u0026C)\",\"malware\":\"win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"confidence_level\":100,\"first_seen\":\"2022-08-05 19:43:08 UTC\",\"last_seen\":null,\"reference\":\"https://tria.ge/220805-w57pxsgae2\",\"reporter\":\"AndreGironda\",\"tags\":[\"asyncrat\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Domain that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": "2022-08-05T19:43:08.000Z", + "provider": "AndreGironda", + "reference": "https://tria.ge/220805-w57pxsgae2", + "type": "domain-name", + "url": { + "domain": "wizzy.hopto.org" + } + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } + }, + { + "abusech": { + "threatfox": { + "confidence_level": 75, + "malware": "win.vidar", + "tags": [ + "Vidar" + ], + "threat_type": 
"payload", + "threat_type_desc": "Indicator that identifies a malware sample (payload)" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": "threat", + "id": "839586", + "kind": "enrichment", + "original": "{\"id\":\"839586\",\"ioc\":\"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e\",\"threat_type\":\"payload\",\"threat_type_desc\":\"Indicator that identifies a malware sample (payload)\",\"ioc_type\":\"sha1_hash\",\"ioc_type_desc\":\"SHA1 hash of a malware sample (payload)\",\"malware\":\"win.vidar\",\"malware_printable\":\"Vidar\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar\",\"confidence_level\":75,\"first_seen\":\"2022-07-25 22:27:09 UTC\",\"last_seen\":null,\"reference\":\"\",\"reporter\":\"crep1x\",\"tags\":[\"Vidar\"]}", + "type": "indicator" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "SHA1 hash of a malware sample (payload)", + "file": { + "hash": { + "sha1": "872ff530d50579ae6bdc7cb4d658324b1d0e7a3e" + } + }, + "first_seen": "2022-07-25T22:27:09.000Z", + "provider": "crep1x", + "reference": "", + "type": "file" + }, + "software": { + "name": "Vidar", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" } } } diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml index 2f9c5372833..f5ad129da4b 100644 --- a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml 
@@ -40,12 +40,6 @@ processors:
 #####################
 # Threat ECS Fields #
 #####################
- - set:
- field: threat.indicator.provider
- value: AbuseCH Threat Fox
- - set:
- field: threat.feed.name
- value: "AbuseCH Threat Fox"
 - date:
 field: abusech.threatfox.first_seen
 target_field: threat.indicator.first_seen
@@ -65,7 +59,50 @@ processors:
 - rename:
 field: abusech.threatfox.ioc_type_desc
 target_field: threat.indicator.description
- ignore_missing: true
+ ignore_missing: true
+ - rename:
+ field: abusech.threatfox.reporter
+ target_field: threat.indicator.provider
+ ignore_missing: true
+ - split:
+ field: abusech.threatfox.malware_alias
+ target_field: threat.software.alias
+ separator: ","
+ ignore_missing: true
+ - rename:
+ field: abusech.threatfox.reporter
+ target_field: threat.indicator.provider
+ ignore_missing: true
+ - rename:
+ field: abusech.threatfox.reference
+ target_field: threat.indicator.reference
+ ignore_missing: true
+ - rename:
+ field: abusech.threatfox.malware_printable
+ target_field: threat.software.name
+ ignore_missing: true
+ - rename:
+ field: abusech.threatfox.malware_malpedia
+ target_field: threat.software.reference
+ ignore_missing: true
+ #
+ # Convert confidence field (-1..100) to ECS confidence (0..10).
+ #
+ - script:
+ lang: painless
+ if: ctx.abusech?.threatfox?.confidence_level != null
+ description: Normalize confidence level.
+ source: >
+ def value = ctx.abusech.threatfox.confidence_level;
+ def confidence = "None";
+ if (value > 0 && value < 30) {
+ confidence = "Low";
+ } if (value >= 30.0 && value < 70) {
+ confidence = "Medium";
+ } else if (value >= 70 && value <= 100) {
+ confidence = "High";
+ }
+ ctx.threat.indicator.put("confidence", confidence)
 ## URL/URI indicator operations
 - set:
 field: threat.indicator.type
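Review bot: The `abusech.threatfox.reference` rename copies the feed's empty-string references straight into `threat.indicator.reference` (the regenerated fixture for ThreatFox id 839586 ends up with `"reference": ""`), which puts a non-URL value into an ECS field that dashboards and enrichment rules treat as a link; drop empties first, e.g. `- remove:` / `    field: abusech.threatfox.reference` / `    if: ctx.abusech?.threatfox?.reference == ''`, unless a generic empty-value cleanup later in this pipeline already handles it. The `abusech.threatfox.reporter` → `threat.indicator.provider` rename is also present twice in this hunk; the second copy is dead (hidden by `ignore_missing`) and should go. The comment above the script says it converts to ECS confidence `(0..10)`, but the script emits the ECS keyword scale and folds both `0` and `-1` into `"None"`; reword it to `# Map ThreatFox confidence_level (-1..100) onto the ECS threat.indicator.confidence keywords (None/Low/Medium/High).` and make the second `if` an `else if` so the branches read as one chain. `ctx.threat.indicator.put(...)` presumably relies on an earlier processor having created `threat.indicator`; confirm that, or guard it, since a document lacking `first_seen` and `ioc_type_desc` would otherwise fail here. The processors list continues outside the hunk.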
@@ -78,21 +115,47 @@ processors:
 remove_if_successful: true
 if: ctx.abusech?.threatfox?.ioc_type == 'url'
 
- ## URL/URI indicator operations
+ ## IP/Port indicator operations
 - set:
 field: threat.indicator.type
- value: ipv4-addr
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ value: domain-name
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ - rename:
+ field: abusech.threatfox.ioc
+ target_field: threat.indicator.url.domain
+ ignore_missing: true
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
 - set:
 field: threat.indicator.type
- value: domain
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ value: ipv4-addr
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech?.threatfox?.ioc_type)"
 - grok:
 field: abusech.threatfox.ioc
 patterns:
 - "%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:long}"
 ignore_missing: true
 if: "ctx.abusech?.threatfox?.ioc_type == 'ip:port'"
+ - set:
+ field: threat.indicator.type
+ value: ipv6-addr
+ if: ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':')
+
+ ## File/Hash indicator operations
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['md5_hash', 'sha1_hash', 'sha256_hash'].contains(ctx.abusech.threatfox.ioc_type)"
+ - grok:
+ field: abusech.threatfox.ioc_type
+ patterns:
+ - "%{DATA:_tmp.hashtype}_hash"
+ ignore_missing: true
+ if: ctx.abusech?.threatfox?.ioc_type != null && ctx.abusech?.threatfox?.ioc_type.endsWith('_hash')
+ - rename:
+ field: abusech.threatfox.ioc
+ target_field: threat.indicator.file.hash.{{_tmp.hashtype}}
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ctx.abusech.threatfox.ioc_type.endsWith('_hash') && ctx._tmp.hashtype != null"
+
 ######################
 # Cleanup processors #
 ######################
@@ -133,7 +196,12 @@ processors:
 field:
 - abusech.threatfox.first_seen
 - abusech.threatfox.last_seen
+ - threatintel_indicator_confidence
+ - abusech.threatfox.malware_alias
+ - abusech.threatfox.ioc_type
+ - abusech.threatfox.ioc
 - message
+ - _tmp
 ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
index d71e6e59d4c..8e1145c51e5 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/base-fields.yml
@@ -14,11 +14,11 @@
 - name: event.dataset
 type: constant_keyword
 description: Event dataset
- value: ti_abusech.malwarebazaar
+ value: ti_abusech.threatfox
 - name: threat.feed.name
 type: constant_keyword
 description: Display friendly feed name
- value: AbuseCH MalwareBazaar
+ value: AbuseCH Threat Fox
 - name: threat.feed.dashboard_id
 type: constant_keyword
 description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
index 1dc31c6e2d3..d66b56b2ed0 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/ecs.yml
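Review bot: The hash `rename` builds its target field from feed data — `threat.indicator.file.hash.{{_tmp.hashtype}}` is whatever precedes `_hash` in the upstream `ioc_type` — so any `*_hash` type outside the three that the preceding `set` allow-lists would be written under a dynamically created, unmapped `threat.indicator.file.hash.*` key with no `threat.indicator.type`, and a feed-side change could mint arbitrary field names in the index. Tie the rename to the same allow-list, e.g. `if: "ctx._tmp?.hashtype != null && ['md5', 'sha1', 'sha256'].contains(ctx._tmp.hashtype)"`, and extend both lists together if more algorithms should be supported. Whether ThreatFox currently emits other hash types is not visible from this diff; the `file.hash.sha384` and `file.hash.tlsh` mappings added in ecs.yml suggest the author expects some, which argues for handling them explicitly rather than via the template. The processors list continues outside the hunk.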
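Review bot: `threatintel_indicator_confidence` is added to the cleanup `remove` list, but nothing in the visible pipeline writes that field, so it reads as a leftover from another integration and should be dropped (or, if it is set in a part of the pipeline not shown, a one-line comment naming where). Removing `abusech.threatfox.ioc` unconditionally in the same list also means an IOC whose `ioc_type` matched none of the earlier branches loses its indicator value silently; `ip:port` is the only branch that intentionally leaves `ioc` in place, so remove it only there, e.g. `- remove:` / `    field: abusech.threatfox.ioc` / `    if: ctx.abusech?.threatfox?.ioc_type == 'ip:port'`, and let unhandled types keep `abusech.threatfox.ioc` for triage. Whether the feed emits such types today cannot be told from this diff. The `remove` processor and its `on_failure` continue outside the hunk.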
@@ -46,29 +46,39 @@
 name: threat.indicator.file.hash.sha256
 - external: ecs
 name: threat.indicator.file.hash.ssdeep
-- name: threat.indicator.file.hash.sha384
- type: keyword
- description: "The file's sha384 hash, if available."
-- name: threat.indicator.file.hash.tlsh
- type: keyword
- description: "The file's import tlsh, if available."
+- external: ecs
+ name: threat.indicator.file.hash.sha384
+- external: ecs
+ name: threat.indicator.file.hash.tlsh
 - external: ecs
 name: threat.indicator.file.pe.imphash
 - external: ecs
 name: threat.indicator.file.elf.telfhash
-- name: threat.indicator.file.x509.subject.common_name
- external: ecs
-- name: threat.indicator.file.x509.issuer.common_name
- external: ecs
-- name: threat.indicator.file.x509.public_key_algorithm
- external: ecs
-- name: threat.indicator.file.x509.not_before
- external: ecs
-- name: threat.indicator.file.x509.not_after
- external: ecs
-- name: threat.indicator.file.x509.serial_number
- external: ecs
 - external: ecs
 name: threat.indicator.provider
 - external: ecs
- name: threat.indicator.geo.country_iso_code
+ name: threat.indicator.port
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.reference
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.extension
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.port
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.software.name
+- external: ecs
+ name: threat.software.reference
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
index 516d5d1f598..73865c101f2 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
@@ -5,4 +5,20 @@
 - name: tags
 type: keyword
 description: >
- A list of tags associated with the queried malware sample.
\ No newline at end of file
+ A list of tags associated with the queried malware sample.
+ - name: confidence_level
+ type: long
+ description: >
+ Confidence level between 0-100
+ - name: malware
+ type: keyword
+ description: >
+ The malware associated with the IOC
+ - name: threat_type
+ type: keyword
+ description: >
+ The type of threat
+ - name: threat_type_desc
+ type: keyword
+ description: >
+ The threat descsription
\ No newline at end of file
diff --git a/packages/ti_abusech/docs/README.md b/packages/ti_abusech/docs/README.md
index 25f3fc12b8f..157dd568914 100644
--- a/packages/ti_abusech/docs/README.md
+++ b/packages/ti_abusech/docs/README.md
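Review bot: `The threat descsription` on `threat_type_desc` is a typo, and because the README table is generated from this file it is reproduced there as well; fix it at the source as `The threat description` and regenerate the docs. The other descriptions could carry the detail an analyst actually needs: `malware` is the Malpedia family identifier (the fixtures show values like `win.cobalt_strike`), and `confidence_level` is documented here as `0-100` while the pipeline comment says `-1..100` — settle on the range the ThreatFox API documents and state it once. The file also still ends without a trailing newline, which the `\ No newline at end of file` marker on the new side shows was not addressed.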
@@ -260,3 +260,101 @@ The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators f | threat.indicator.provider | The name of the indicator's provider. | keyword | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | + + +The AbuseCH threatfox data_stream retrieves threat intelligence indicators from the Threat Fox API endpoint `https://threatfox-api.abuse.ch/api/v1/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.threatfox.confidence_level | Confidence level between 0-100 | long | +| abusech.threatfox.malware | The malware associated with the IOC | keyword | +| abusech.threatfox.tags | A list of tags associated with the queried malware sample. | keyword | +| abusech.threatfox.threat_type | The type of threat | keyword | +| abusech.threatfox.threat_type_desc | The threat descsription | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. 
| keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | TLSH hash. 
| keyword | +| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | +| threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword | +| threat.software.reference | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. 
| keyword | From 2d9ddb5325740868f3ef0f1268f02c7c3db7f894 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 5 Aug 2022 23:43:11 +0000 Subject: [PATCH 4/7] add system test --- .../_dev/deploy/docker/docker-compose.yml | 14 +++++++++++++- .../deploy/docker/files/config-threatfox.yml | 17 +++++++++++++++++ .../_dev/test/system/test-default-config.yml | 2 +- .../data_stream/threatfox/fields/fields.yml | 10 ++++++---- .../data_stream/threatfox/manifest.yml | 4 ++-- 5 files changed, 39 insertions(+), 8 deletions(-) create mode 100644 packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml diff --git a/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml b/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml index be9907f0bfe..2c62b3fe380 100644 --- a/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml +++ b/packages/ti_abusech/_dev/deploy/docker/docker-compose.yml @@ -1,7 +1,7 @@ version: "2.3" services: abusech: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.7.0 ports: - 8080 volumes: @@ -12,3 +12,15 @@ services: - http-server - --addr=:8080 - --config=/files/config.yml + abusech-threatfox: + image: docker.elastic.co/observability/stream:v0.7.0 + ports: + - 8081 + volumes: + - ./files:/files:ro + environment: + PORT: 8081 + command: + - http-server + - --addr=:8081 + - --config=/files/config-threatfox.yml diff --git a/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml b/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml new file mode 100644 index 00000000000..449d1ff47e1 --- /dev/null +++ b/packages/ti_abusech/_dev/deploy/docker/files/config-threatfox.yml 
@@ -0,0 +1,17 @@
+rules:
+ - path: /api/v1/
+ methods: ["POST"]
+ request_headers:
+ Content-Type: "application/json"
+ body:
+ query: "get_iocs"
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "query_status": "ok",
+ "data": [
+ {"id":"841537","ioc":"wizzy.hopto.org","threat_type":"botnet_cc","threat_type_desc":"Indicator that identifies a botnet command&control server (C&C)","ioc_type":"domain","ioc_type_desc":"Domain that is used for botnet Command&control (C&C)","malware":"win.asyncrat","malware_printable":"AsyncRAT","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat","confidence_level":100,"first_seen":"2022-08-05 19:43:08 UTC","last_seen":null,"reference":"https://tria.ge/220805-w57pxsgae2","reporter":"AndreGironda","tags":["asyncrat"]},
+ {"id":"839586","ioc":"872ff530d50579ae6bdc7cb4d658324b1d0e7a3e","threat_type":"payload","threat_type_desc":"Indicator that identifies a malware sample (payload)","ioc_type":"sha1_hash","ioc_type_desc":"SHA1 hash of a malware sample (payload)","malware":"win.vidar","malware_printable":"Vidar","malware_alias":null,"malware_malpedia":"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar","confidence_level":75,"first_seen":"2022-07-25 22:27:09 UTC","last_seen":null,"reference":"","reporter":"crep1x","tags":["Vidar"]}
+ ]
+ }
diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml
index 06ac86316a7..ad23868ccd7 100644
--- a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml
+++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml
@@ -1,5 +1,5 @@
 input: httpjson
-service: abusech
+service: abusech-threatfox
 data_stream:
 vars:
 url: http://{{Hostname}}:{{Port}}/api/v1/
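Review bot: The mock response in config-threatfox.yml only contains a `domain` and a `sha1_hash` record, so the system test never drives the `url` and `ip:port` branches of the ingest pipeline (the `uri_parts` and `grok` processors touched in PATCH 7/7), which are the branches most likely to fail on an unexpected value. Adding one record of each of those `ioc_type` values to the `data` array would make the end-to-end test cover them; the pipeline test log in PATCH 1/7 may already do so, but that is not visible here. The rule also matches only on `query: "get_iocs"`, so any other request parameter the agent sends (such as the days window from `initial_interval`) is silently ignored by the mock, which is fine for a fixture but worth a comment, e.g. `# matches on query only; other request fields are not checked`.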
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
index 73865c101f2..60e502daa2d 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
@@ -6,19 +6,21 @@
 type: keyword
 description: >
 A list of tags associated with the queried malware sample.
+
 - name: confidence_level
 type: long
- description: >
- Confidence level between 0-100
+ description: "Confidence level between 0-100 \n"
 - name: malware
 type: keyword
 description: >
 The malware associated with the IOC
+
 - name: threat_type
 type: keyword
 description: >
 The type of threat
+
 - name: threat_type_desc
 type: keyword
- description: >
- The threat descsription
\ No newline at end of file
+ description: >-
+ The threat descsription
diff --git a/packages/ti_abusech/data_stream/threatfox/manifest.yml b/packages/ti_abusech/data_stream/threatfox/manifest.yml
index 0089cee9c00..1a0adf1b684 100644
--- a/packages/ti_abusech/data_stream/threatfox/manifest.yml
+++ b/packages/ti_abusech/data_stream/threatfox/manifest.yml
@@ -30,14 +30,14 @@ streams:
 multi: false
 required: true
 show_user: true
- default: 10m
+ default: 1d
 - name: initial_interval
 type: text
 title: Interval
 multi: false
 required: true
 show_user: true
- default: 30
+ default: "30"
 description: How far back to look for indicators the first time the agent is started. Defaults to 30 days, can be any number between 1-90.
 - name: ssl
 type: yaml
From d606eb47da61652487de4f622b41c9f974fa70c3 Mon Sep 17 00:00:00 2001
From: Alex Resnick Date: Sat, 6 Aug 2022 00:19:23 +0000 Subject: [PATCH 5/7] Update sample events --- .../data_stream/malware/sample_event.json | 18 ++--- .../malwarebazaar/sample_event.json | 18 ++--- .../data_stream/threatfox/manifest.yml | 2 +- .../data_stream/threatfox/sample_event.json | 70 +++++++++++++++++++ .../data_stream/url/sample_event.json | 18 ++--- 5 files changed, 98 insertions(+), 28 deletions(-) create mode 100644 packages/ti_abusech/data_stream/threatfox/sample_event.json diff --git a/packages/ti_abusech/data_stream/malware/sample_event.json b/packages/ti_abusech/data_stream/malware/sample_event.json index 9b1f6ac7097..f54999bff80 100644 --- a/packages/ti_abusech/data_stream/malware/sample_event.json +++ b/packages/ti_abusech/data_stream/malware/sample_event.json @@ -1,14 +1,14 @@ { - "@timestamp": "2022-04-11T08:43:51.252Z", + "@timestamp": "2022-08-06T00:06:27.079Z", "abusech": { "malware": {} }, "agent": { - "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "1760e1ca-6974-4a32-80c6-0e7e58a6d573", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.malware", 
@@ -16,19 +16,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:43:51.252Z", + "created": "2022-08-06T00:06:27.079Z", "dataset": "ti_abusech.malware", - "ingested": "2022-04-11T08:43:52Z", + "ingested": "2022-08-06T00:06:30Z", "kind": "enrichment", "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}", "type": "indicator" diff --git a/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json index 0403fcfacc0..e58965abca4 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json +++ b/packages/ti_abusech/data_stream/malwarebazaar/sample_event.json @@ -1,5 +1,5 @@ { - "@timestamp": "2022-04-11T08:44:21.828Z", + "@timestamp": "2022-08-06T00:08:33.562Z", "abusech": { "malwarebazaar": { "anonymous": 0, 
@@ -15,11 +15,11 @@ } }, "agent": { - "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "7d65c47e-ccda-4f97-9896-6118ffb92a61", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.malwarebazaar", 
@@ -27,19 +27,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:44:21.828Z", + "created": "2022-08-06T00:08:33.562Z", "dataset": "ti_abusech.malwarebazaar", - "ingested": "2022-04-11T08:44:22Z", + "ingested": "2022-08-06T00:08:36Z", "kind": "enrichment", "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}", "type": "indicator" diff --git a/packages/ti_abusech/data_stream/threatfox/manifest.yml b/packages/ti_abusech/data_stream/threatfox/manifest.yml index 1a0adf1b684..3c02c79cb2f 100644 --- a/packages/ti_abusech/data_stream/threatfox/manifest.yml +++ b/packages/ti_abusech/data_stream/threatfox/manifest.yml 
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: true
 show_user: true
- default: 1d
+ default: 24h
 - name: initial_interval
 type: text
 title: Interval
diff --git a/packages/ti_abusech/data_stream/threatfox/sample_event.json b/packages/ti_abusech/data_stream/threatfox/sample_event.json
new file mode 100644
index 00000000000..c6744c49d51
--- /dev/null
+++ b/packages/ti_abusech/data_stream/threatfox/sample_event.json
@@ -0,0 +1,70 @@ +{ + "@timestamp": "2022-08-06T00:10:26.114Z", + "abusech": { + "threatfox": { + "confidence_level": 100, + "malware": "win.asyncrat", + "tags": [ + "asyncrat" + ], + "threat_type": "botnet_cc", + "threat_type_desc": "Indicator that identifies a botnet command\u0026control server (C\u0026C)" + } + }, + "agent": { + "ephemeral_id": "c8fde031-e301-47e0-b688-4e36b951789c", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.0" + }, + "data_stream": { + "dataset": "ti_abusech.threatfox", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", + "snapshot": false, + "version": "8.3.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-08-06T00:10:26.114Z", + "dataset": "ti_abusech.threatfox", + "id": "841537", + "ingested": "2022-08-06T00:10:29Z", + "kind": "enrichment", + "original": "{\"confidence_level\":100,\"first_seen\":\"2022-08-05 19:43:08 UTC\",\"id\":\"841537\",\"ioc\":\"wizzy.hopto.org\",\"ioc_type\":\"domain\",\"ioc_type_desc\":\"Domain that is used for botnet Command\\u0026control (C\\u0026C)\",\"last_seen\":null,\"malware\":\"win.asyncrat\",\"malware_alias\":null,\"malware_malpedia\":\"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\",\"malware_printable\":\"AsyncRAT\",\"reference\":\"https://tria.ge/220805-w57pxsgae2\",\"reporter\":\"AndreGironda\",\"tags\":[\"asyncrat\"],\"threat_type\":\"botnet_cc\",\"threat_type_desc\":\"Indicator that identifies a botnet command\\u0026control server (C\\u0026C)\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-threatfox" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Domain that is used for botnet Command\u0026control (C\u0026C)", + "first_seen": 
"2022-08-05T19:43:08.000Z", + "provider": "AndreGironda", + "reference": "https://tria.ge/220805-w57pxsgae2", + "type": "domain-name", + "url": { + "domain": "wizzy.hopto.org" + } + }, + "software": { + "name": "AsyncRAT", + "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/data_stream/url/sample_event.json b/packages/ti_abusech/data_stream/url/sample_event.json index 9add2167bf4..8a19bfedad6 100644 --- a/packages/ti_abusech/data_stream/url/sample_event.json +++ b/packages/ti_abusech/data_stream/url/sample_event.json @@ -1,5 +1,5 @@ { - "@timestamp": "2022-04-11T08:44:51.227Z", + "@timestamp": "2022-08-06T00:12:22.693Z", "abusech": { "url": { "blacklists": { @@ -13,11 +13,11 @@ } }, "agent": { - "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "ephemeral_id": "2945b255-2667-4bac-8930-70eb987c8fef", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "data_stream": { "dataset": "ti_abusech.url", 
@@ -25,19 +25,19 @@ "type": "logs" }, "ecs": { - "version": "8.3.0" + "version": "8.4.0" }, "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "id": "87d4d8f8-b034-42ba-a5bb-33ff670e619e", "snapshot": false, - "version": "8.0.0" + "version": "8.3.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-11T08:44:51.227Z", + "created": "2022-08-06T00:12:22.693Z", "dataset": "ti_abusech.url", - "ingested": "2022-04-11T08:44:52Z", + "ingested": "2022-08-06T00:12:26Z", "kind": "enrichment", "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}", "type": "indicator" From 097e2f097f5bce923810c9a4abba2030e136b827 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Sat, 6 Aug 2022 00:20:33 +0000 Subject: [PATCH 6/7] update changelog --- packages/ti_abusech/changelog.yml | 5 +++++ packages/ti_abusech/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index ad725f1474c..2be9b38d16d 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Add Threat Fox datastream + type: enhancement + link: https://github.com/elastic/integrations/pull/3962 - version: "1.6.0" changes: - description: Update package to ECS 8.4.0 diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index f8160271651..dc1e2a46c01 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml 
@@ -1,6 +1,6 @@
 name: ti_abusech
 title: AbuseCH
-version: "1.6.0"
+version: "1.7.0"
 release: ga
 description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent.
 type: integration
From b4a4021b3db65e5a8b58735a3564114f75eb7f36 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Mon, 8 Aug 2022 11:49:08 +0000
Subject: [PATCH 7/7] updates per comments
---
 .../threatfox/elasticsearch/ingest_pipeline/default.yml | 8 ++++----
 .../ti_abusech/data_stream/threatfox/fields/fields.yml | 4 +++-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
index f5ad129da4b..fffebbcb734 100644
--- a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml
@@ -107,7 +107,7 @@ processors:
 - set:
 field: threat.indicator.type
 value: url
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['url'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['url'].contains(ctx.abusech.threatfox.ioc_type)"
 - uri_parts:
 field: abusech.threatfox.ioc
 target_field: threat.indicator.url
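Review bot: The new `if` condition still tests a single-element list for membership behind an explicit null check, which the null-safe access already makes redundant: in Painless `ctx.abusech?.threatfox?.ioc_type` evaluates to null when any segment is missing and `null == 'url'` is simply false, so `if: ctx.abusech?.threatfox?.ioc_type == 'url'` expresses the same guard in one clause. The same shape is repeated three more times in the following hunk of this file, so the simplification applies there as well. Separately, the `uri_parts` processor on the next lines parses `abusech.threatfox.ioc`, a value taken verbatim from the feed; whether it has `ignore_failure` or an `on_failure` handler is outside this hunk, and without one a single malformed URL in a feed page fails the whole document rather than just leaving `threat.indicator.url` empty — worth confirming since this processor runs on every `url` IOC.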
@@ -119,16 +119,16 @@ processors:
 - set:
 field: threat.indicator.type
 value: domain-name
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech.threatfox.ioc_type)"
 - rename:
 field: abusech.threatfox.ioc
 target_field: threat.indicator.url.domain
 ignore_missing: true
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['domain'].contains(ctx.abusech.threatfox.ioc_type)"
 - set:
 field: threat.indicator.type
 value: ipv4-addr
- if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech?.threatfox?.ioc_type)"
+ if: "ctx.abusech?.threatfox?.ioc_type != null && ['ip:port'].contains(ctx.abusech.threatfox.ioc_type)"
 - grok:
 field: abusech.threatfox.ioc
 patterns:
diff --git a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
index 60e502daa2d..7597989ed98 100644
--- a/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
+++ b/packages/ti_abusech/data_stream/threatfox/fields/fields.yml
@@ -9,7 +9,9 @@
 - name: confidence_level
 type: long
- description: "Confidence level between 0-100 \n"
+ description: >
+ Confidence level between 0-100
+
 - name: malware
 type: keyword
 description: >
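Review bot: `threat.indicator.type` is set to the fixed value `ipv4-addr` for every `ip:port` IOC before the `grok` on the following lines has split the value, so the type is asserted rather than derived from the address actually parsed; ECS also defines `ipv6-addr`, and if the feed ever delivers an IPv6 address under `ip:port` the document would be mis-typed (the grok patterns that would reveal whether such a value even parses are outside this hunk). Setting the type after the grok, conditioned on the parsed address, would keep the two consistent; an inline comment on the `set` such as `# assumes ip:port IOCs are IPv4 only — confirm against the feed` would at least record the assumption. The `rename` into `threat.indicator.url.domain` for the `domain` case drops the raw IOC from `abusech.threatfox.ioc`, which is consistent with the `url` branch only if that branch also removes it; that happens, if at all, outside this hunk.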