[
  {
    "id": 15595222,
    "indicator": "http://autodiscover.2bunny.com/K5om",
    "type": "URL",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595223,
    "indicator": "http://lyncdiscover.2bunny.com/Autodiscover",
    "type": "URL",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595224,
    "indicator": "http://sfo02s01-in-f2.cloudsend.net/IE9CompatViewList.xml",
    "type": "URL",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595225,
    "indicator": "http://sfo02s01-in-f2.cloudsend.net/submit.php",
    "type": "URL",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595226,
    "indicator": "http://tk-in-f156.2bunny.com/Agreement.doc",
    "type": "URL",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595227,
    "indicator": "autodiscover.2bunny.com",
    "type": "hostname",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595228,
    "indicator": "lyncdiscover.2bunny.com",
    "type": "hostname",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595229,
    "indicator": "tf-in-f167.2bunny.com",
    "type": "hostname",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595230,
    "indicator": "tk-in-f156.2bunny.com",
    "type": "hostname",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595231,
    "indicator": "0bef39d0e10b1edfe77617f494d733a8",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595232,
    "indicator": "0e6da59f10e1c4685bb5b35a30fc8fb6",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595233,
    "indicator": "1151619d06a461456b310096db6bc548",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595234,
    "indicator": "30f149479c02b741e897cdb9ecd22da7",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595235,
    "indicator": "38125a991efc6ab02f7134db0ebe21b6",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595236,
    "indicator": "3a1dca21bfe72368f2dd46eb4d9b48c4",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595237,
    "indicator": "bae0b39197a1ac9e24bdf9a9483b18ea",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595238,
    "indicator": "cebd0e9e05749665d893e78c452607e2",
    "type": "FileHash-MD5",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595239,
    "indicator": "angela.suh@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595240,
    "indicator": "ashley.safronoff@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595241,
    "indicator": "infodept@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595242,
    "indicator": "lindsey.hersh@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595243,
    "indicator": "noreply@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 15595244,
    "indicator": "sarah.roberto@cloudsend.net",
    "type": "email",
    "created": "2017-06-06T23:06:56",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 9419289,
    "indicator": "CVE-2017-0199",
    "type": "CVE",
    "created": "2017-06-06T23:07:18",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 31076041,
    "indicator": "c57de3b161f6a0c449b9aae07599dc014e6292cf",
    "type": "YARA",
    "created": "2017-07-25T22:48:42",
    "content": "rule FE_LEGALSTRIKE_RTF {   \n       meta:   \n           version=\".1\"   \n           filetype=\"MACRO\"   \n           author=\"joshua.kim@FireEye.com\"   \n           date=\"2017-06-02\"   \n           description=\"Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom\"   \n      \n       strings:   \n           $header = \"{\\\\rt\"   \n      \n           $lnkinfo = \"4c0069006e006b0049006e0066006f\"   \n      \n           $encoded1 = \"4f4c45324c696e6b\"   \n           $encoded2 = \"52006f006f007400200045006e007400720079\"   \n           $encoded3 = \"4f0062006a0049006e0066006f\"   \n           $encoded4 = \"4f006c0065\"   \n      \n           $http1 = \"68{\"   \n           $http2 = \"74{\"   \n           $http3 = \"07{\"   \n      \n           // 2bunny.com   \n           $domain1 = \"32{\\\\\"   \n           $domain2 = \"62{\\\\\"   \n           $domain3 = \"75{\\\\\"   \n           $domain4 = \"6e{\\\\\"   \n           $domain5 = \"79{\\\\\"   \n           $domain6 = \"2e{\\\\\"   \n           $domain7 = \"63{\\\\\"   \n           $domain8 = \"6f{\\\\\"   \n           $domain9 = \"6d{\\\\\"   \n      \n           $datastore = \"\\\\*\\\\datastore\"   \n      \n       condition:   \n           $header at 0 and all of them   \n   }",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 575212641,
    "indicator": "87b1cbd501e24498247313f4961dbd1582ae496c",
    "type": "YARA",
    "created": "2018-04-10T17:21:17",
    "content": "rule FE_LEGALSTRIKE_MACRO {   \n          meta:version=\".1\"   \n          filetype=\"MACRO\"   \n          author=\"Ian.Ahl@fireeye.com @TekDefense\"   \n          date=\"2017-06-02\"   \n          description=\"This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.\"   \n   strings:   \n          // OBSFUCATION   \n          $ob1 = \"ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)\" ascii wide   \n          $ob2 = \"ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)\" ascii wide   \n          $ob3 = \"ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)\" ascii wide   \n          $ob4 = \"ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)\" ascii wide   \n          $ob5 = \"ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)\" ascii wide   \n          $ob6 = \"ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)\" ascii wide   \n          $ob7 = \"ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)\" ascii wide   \n          $ob8 = \"ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)\" ascii wide   \n          $obreg2 = /(Chrw\\(\\d{1,3}\\)\\s&\\s){7}/   \n          // wscript   \n          $wsobj1 = \"Set Obj = CreateObject(\\\"WScript.Shell\\\")\" ascii wide   \n          $wsobj2 = \"Obj.Run \" ascii wide   \n      \n   condition:   \n           (   \n                 (   \n                         (uint16(0) != 0x5A4D)   \n                 )   \n                 and   \n                 (   \n                         all of ($wsobj*) and 3 of ($ob*)   \n                         or   \n                         all of ($wsobj*) and all of ($obreg*)   \n                 )   \n          )   \n   }",
    "title": "FE_LEGALSTRIKE_MACRO",
    "description": "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 575212645,
    "indicator": "909de46c299d3a923d08ef24e5fd0f27a9071263",
    "type": "YARA",
    "created": "2018-04-10T17:24:55",
    "content": "rule FE_LEGALSTRIKE_MACRO_2 {   \n          meta:version=\".1\"   \n          filetype=\"MACRO\"   \n          author=\"Ian.Ahl@fireeye.com @TekDefense\"   \n          date=\"2017-06-02\"   \n          description=\"This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4.\"   \n   strings:   \n          // Setting the environment   \n          $env1 = \"Arch = Environ(\\\"PROCESSOR_ARCHITECTURE\\\")\" ascii wide   \n          $env2 = \"windir = Environ(\\\"windir\\\")\" ascii wide   \n          $env3 = \"windir + \\\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\\\"\" ascii wide   \n          // powershell command fragments   \n          $ps1 = \"-NoP\" ascii wide   \n          $ps2 = \"-NonI\" ascii wide   \n          $ps3 = \"-W Hidden\" ascii wide   \n          $ps4 = \"-Command\" ascii wide   \n          $ps5 = \"New-Object IO.StreamReader\" ascii wide   \n          $ps6 = \"IO.Compression.DeflateStream\" ascii wide   \n          $ps7 = \"IO.MemoryStream\" ascii wide   \n          $ps8 = \",$([Convert]::FromBase64String\" ascii wide   \n          $ps9 = \"ReadToEnd();\" ascii wide   \n          \n   condition:   \n          (   \n                 (   \n                         (uint16(0) != 0x5A4D)   \n                 )   \n                 and   \n                 (   \n                         all of ($env*) and 6 of ($ps*)   \n                         or   \n                         all of ($env*) and 4 of ($ps*)\n                 )   \n          )   \n   }",
    "title": "FE_LEGALSTRIKE_MACRO_2",
    "description": "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4.",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 2185205835,
    "indicator": "www.2bunny.com",
    "type": "hostname",
    "created": "2019-12-06T19:51:49",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  }
]