[
  {
    "id": 3529955991,
    "indicator": "19068e8228b6b8f5528489fa70779b2b",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955992,
    "indicator": "23643b7bd48a200889a4613a0e0a86e4",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955993,
    "indicator": "3633b3d69060a5882656b69f81655f0a",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955994,
    "indicator": "38e0fa41e9519d4783766992c203e794",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955995,
    "indicator": "3a1033cb1eb06c2cd5e91c539cf8a519",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955996,
    "indicator": "44d1c75815724523a58b566d95378825",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955997,
    "indicator": "49d72f9212d5653f5be9f764d8c9df24",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "Win32:Dh-A\\ [Heur]",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955998,
    "indicator": "5cc183702fae8cc23a55037c1efab5e5",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529955999,
    "indicator": "779940f675ff4ab4e8cab7a1b7cf5d3c",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956000,
    "indicator": "77a369e5e49e7e62d8eef2c00cd02950",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_strings",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956001,
    "indicator": "7a77c2930f0457ed2dd622e9739c7d3d",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956002,
    "indicator": "7b71764236f244ae971742ee1bc6b098",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "ALF:Trojan:Win32/Jooblash.D!dha",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956003,
    "indicator": "7f6db4493c6a76eb44534306291ea85f",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956005,
    "indicator": "8c8bbe3a4a23cd4cc96c12af5fb1199b",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956006,
    "indicator": "92c61e3047297136701c25deb658b35a",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956007,
    "indicator": "9c09d147dfbc98d5e6e051fe1ed0033d",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956008,
    "indicator": "bbe983dba3bf319621b447618548b740",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956009,
    "indicator": "df9ab47726001883b5fcf58b56b34b41",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956010,
    "indicator": "f3c977830bf616b9061d7aee5ce0b2f2",
    "type": "FileHash-MD5",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956011,
    "indicator": "5c31d1f89e55b88ee964cd0a951204ec751afb3b",
    "type": "FileHash-SHA1",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "SHA1 of 92c61e3047297136701c25deb658b35a",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956012,
    "indicator": "5d117d8ef075f3f8ed1d4edcc0771a2a0886a376",
    "type": "FileHash-SHA1",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "SHA1 of bbe983dba3bf319621b447618548b740",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956013,
    "indicator": "9b020dd3a60a60613d9d4a42408d317cc3cda4b3",
    "type": "FileHash-SHA1",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_strings",
    "description": "SHA1 of 77a369e5e49e7e62d8eef2c00cd02950",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956014,
    "indicator": "f1f28bb361734bff3ca5715cc2b8dca54f0e2595",
    "type": "FileHash-SHA1",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "Win32:Dh-A\\ [Heur]",
    "description": "SHA1 of 49d72f9212d5653f5be9f764d8c9df24",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956015,
    "indicator": "f22a7ec80fbfdc4d8ed796119c76bfac01e0a908",
    "type": "FileHash-SHA1",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "ALF:Trojan:Win32/Jooblash.D!dha",
    "description": "SHA1 of 7b71764236f244ae971742ee1bc6b098",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3091956302,
    "indicator": "29e9fd62b86cb3ba6a5e0bd0189ef2567538f8a8d925effdeac6487a72556b54",
    "type": "FileHash-SHA256",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "Win32:Dh-A\\ [Heur]",
    "description": "SHA256 of 49d72f9212d5653f5be9f764d8c9df24",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956016,
    "indicator": "3d0d93f651ee7b407024e5ad51b4e79408b72fb77bfd71cddeac8be3642439d7",
    "type": "FileHash-SHA256",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_strings",
    "description": "SHA256 of 77a369e5e49e7e62d8eef2c00cd02950",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956017,
    "indicator": "88b013c5fbd2751fbd9f2184a8892c71ffca69843e7de53e826c6bd658ae8d72",
    "type": "FileHash-SHA256",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "SHA256 of 92c61e3047297136701c25deb658b35a",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956018,
    "indicator": "e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0",
    "type": "FileHash-SHA256",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "ALF:Trojan:Win32/Jooblash.D!dha",
    "description": "SHA256 of 7b71764236f244ae971742ee1bc6b098",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956019,
    "indicator": "f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5",
    "type": "FileHash-SHA256",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "stack_string",
    "description": "SHA256 of bbe983dba3bf319621b447618548b740",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956020,
    "indicator": "http://avira.ltd/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956021,
    "indicator": "http://cloud-avira.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956022,
    "indicator": "http://server-avira.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956023,
    "indicator": "http://skype.se.net/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956024,
    "indicator": "http://telegram-update.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956025,
    "indicator": "http://uk2privat.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956026,
    "indicator": "http://update-pgp.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "ASCII text, with no line terminators",
    "description": "7d04f7431bbfa41a04bcc7e6b98b9de0d919756c4c671c5785c99fff45f16402",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956027,
    "indicator": "http://update-real.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956028,
    "indicator": "http://windowsupadates.com/cm.php",
    "type": "URL",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956029,
    "indicator": "6d47541cf740a63ee905bad775acb7c83b0f0370",
    "type": "YARA",
    "created": "2022-08-05T10:18:05",
    "content": "rule M_Disrupt_ZEROCLEAR_1 {    \n      \n       meta:    \n      \n           author = \"Mandiant\"    \n      \n           description = \"Identifies code sequences in ZEROCLEAR\"   \n      \n      \n      \n       strings:   \n      \n           $ = \"B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D\" wide   \n      \n           $ = \"wp starts!\"   \n      \n           $ = \"un start!\"   \n      \n           $ = \"in start!\"   \n      \n      \n      \n   condition:   \n      \n           all of them    \n      \n   }",
    "title": "",
    "description": "Identifies code sequences in ZEROCLEAR",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956030,
    "indicator": "6f43ef70dd53ad5b241c26c32aeb4c7bb95098d3",
    "type": "YARA",
    "created": "2022-08-05T10:18:05",
    "content": "rule M_Backdoor_CHIMNEYSWEEP_1   \n      \n   {   \n      \n       meta:   \n      \n           author = \"Mandiant\"   \n      \n           description = \"Detects strings found in CHIMNEYSWEEP\"   \n      \n      \n      \n       strings:   \n      \n           $ = \"%sAPPX.%x%x%x%x%x.tmp\"   \n      \n           $ = \"rerunadmn\"   \n      \n           $ = \"runupdate\"   \n      \n           $ = \"runupdateok\"   \n      \n           $ = \"baserun\"   \n      \n           $ = \"heyirunadmn\"   \n      \n           $ = \"subttoadmn\"   \n      \n           $ = \"ttrundll\"   \n      \n           $ = \"{\\\"ok\\\":false,\"   \n      \n           $ = \"TL_%s-%s\"   \n      \n           $ = \"|**|Net1NOFILE|**|\"   \n      \n           $ = \"%s:---:%s-%s:---:%s:---:www:---:MNEW\"   \n      \n      \n      \n       condition:   \n      \n           uint16(0) == 0x5A4D and 8 of them   \n      \n   }",
    "title": "",
    "description": "Detects strings found in CHIMNEYSWEEP",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956031,
    "indicator": "9a24bf79f5ed726c37a5a45150a813f4aa36bd98",
    "type": "YARA",
    "created": "2022-08-05T10:18:05",
    "content": "rule M_Disrupt_ROADSWEEP_1   \n      \n   {   \n      \n       meta:   \n      \n           author = \"Mandiant\"   \n      \n           description = \"Identifies the encryption key used within ROADSWEEP\"   \n      \n      \n      \n       strings:   \n      \n           $ = {C6 45 D5 E4 C6 45 D6 B1 C6 45 D7 6B C6 45 D8 22 C6 45 D9 B5 C6 45 DA 88 C6 45 DB 94 C6 45 DC AA C6 45 DD 86 C6 45 DE C4 C6 45 DF 21 C6 45 E0 E8 C6 45 E1 75 C6 45 E2 9D C6 45 E3 F3 C7 44 24 10 00 00 00 F0}   \n      \n      \n      \n       condition:   \n      \n           all of them   \n      \n   }",
    "title": "",
    "description": "Identifies the encryption key used within ROADSWEEP",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956032,
    "indicator": "ce7009366563991ec70afd5e20071b93527478c2",
    "type": "YARA",
    "created": "2022-08-05T10:18:05",
    "content": "import \"pe\"\nrule M_Backdoor_CHIMNEYSWEEP_2   \n      \n   {   \n      \n       meta:   \n      \n           author = \"Mandiant\"   \n      \n           description = \"Detects encrypted data found in CHIMNEYSWEEP\"   \n      \n      \n      \n       strings:   \n      \n           $key = {C6 45 D5 E4 C6 45 D6 B1 C6 45 D7 6B C6 45 D8 22 C6 45 D9 B5 C6 45 DA 88 C6 45 DB 94 C6 45 DC AA C6 45 DD 86 C6 45 DE C4 C6 45 DF 21 C6 45 E0 E8 C6 45 E1 75 C6 45 E2 9D C6 45 E3 F3 C7 44 24 10 00 00 00 F0}   \n      \n           $encoded_config = {FA c0 c7 e5}   \n      \n           $encoded_bot = {AE E0 ED D6}   \n      \n      \n      \n       condition:   \n      \n           uint16(0) == 0x5A4D and all of them and (pe.exports(\"RatingSetupUI\") or pe.exports(\"A\"))   \n      \n   }",
    "title": "",
    "description": "Detects encrypted data found in CHIMNEYSWEEP",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956033,
    "indicator": "avira.ltd",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956034,
    "indicator": "cloud-avira.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956035,
    "indicator": "homelandjustice.ru",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956036,
    "indicator": "server-avira.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956037,
    "indicator": "telegram-update.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956038,
    "indicator": "uk2privat.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3529956039,
    "indicator": "update-pgp.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 2928557469,
    "indicator": "update-real.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 1635575575,
    "indicator": "windowsupadates.com",
    "type": "domain",
    "created": "2022-08-05T10:18:05",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  }
]