[
  {
    "id": 3765533986,
    "indicator": "CVE-2023-22515",
    "type": "CVE",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3773905505,
    "indicator": "CVE-2023-4966",
    "type": "CVE",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485377,
    "indicator": "6e8ca501c45a9b85fff2378cffaa24b2",
    "type": "FileHash-MD5",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485378,
    "indicator": "d7addb5b6f55eab1686410a17b3c867b",
    "type": "FileHash-MD5",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "compromised_site_redirector_fromcharcode",
    "description": "MD5 of the file whose SHA-256 is 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3778264945,
    "indicator": "eb842a9509dece779d138d2e6b0f6949",
    "type": "FileHash-MD5",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485379,
    "indicator": "a54af16b2702fe0e5c569f6d8f17574a9fdaf197",
    "type": "FileHash-SHA1",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "compromised_site_redirector_fromcharcode",
    "description": "SHA1 of the file whose SHA-256 is 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485380,
    "indicator": "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485381,
    "indicator": "498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "compromised_site_redirector_fromcharcode",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485382,
    "indicator": "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485383,
    "indicator": "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485384,
    "indicator": "9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485385,
    "indicator": "cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485386,
    "indicator": "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485387,
    "indicator": "ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44",
    "type": "FileHash-SHA256",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485391,
    "indicator": "http://62.233.50.25/en-us/docs.html",
    "type": "URL",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485392,
    "indicator": "http://62.233.50.25/en-us/test.html",
    "type": "URL",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485393,
    "indicator": "http://81.19.135.219/F8PtZ87fE8dJWqe.hta",
    "type": "URL",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485394,
    "indicator": "http://81.19.135.219:443/q0X5wzEh6P7.hta",
    "type": "URL",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485395,
    "indicator": "https://adobe-us-updatefiles.digital/index.php",
    "type": "URL",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485396,
    "indicator": "0b9b6a9c1eb839e142fc4088ad43bdb4c52c3c9d",
    "type": "YARA",
    "created": "2023-11-21T16:17:21",
    "content": "import \"pe\"\nrule M_Hunting_Backdoor_FREEFIRE    \n   {   \n   meta: author = \"Mandiant\"    \n   description = \"This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method\"   \n   md5 = \"eb842a9509dece779d138d2e6b0f6949\"    \n   malware_family = \"FREEFIRE\"    \n   strings: $s1 = { 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? ??    \n   }    \n   condition:    \n   uint16(0) == 0x5A4D    \n   and filesize >= 5KB    \n   and pe.imports(\"mscoree.dll\")    \n   and all of them }",
    "title": "",
    "description": "This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485397,
    "indicator": "0da7ee157236badc4568962b381cce811e0b0c1e",
    "type": "YARA",
    "created": "2023-11-21T16:17:21",
    "content": "rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access { meta: author = \"CISA Code & Media Analysis\" incident = \"10478915\" date = \"2023-11-06\" last_modified = \"20231108_1500\" actor = \"n/a\" family = \"n/a\" capabilities = \"communicates-with-c2\" malware_type = \"backdoor\" tool_type = \"remote-access\" description = \"Detects trojan python samples\" sha256 = \"906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6\" strings: $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 } $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a } $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 } $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 } condition: all of them }",
    "title": "",
    "description": "Detects trojan python samples",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485398,
    "indicator": "3c47ed12de2d5c9d356a046885b867fceed3fdbb",
    "type": "YARA",
    "created": "2023-11-21T16:17:21",
    "content": "import \"pe\"\nrule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation { meta: author = \"CISA Code & Media Analysis\" incident = \"10478915\" date = \"2023-11-06\" last_modified = \"20231108_1500\" actor = \"n/a\" family = \"n/a\" capabilities = \"steals-authentication-credentials\" malware_type = \"trojan\" tool_type = \"credential-exploitation\" description = \"Detects trojan DLL samples\" sha256 = \"17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994\" strings: $s1 = { 64 65 6c 65 74 65 } $s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e } $s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 } $s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 } $s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 } $s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 } condition: uint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them }",
    "title": "",
    "description": "Detects trojan DLL samples",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485399,
    "indicator": "3c67d4f90206e692f9511426ac2bd4becaaa3851",
    "type": "YARA",
    "created": "2023-11-21T16:17:21",
    "content": "rule CISA_10478915_01 : trojan installs_other_components { meta: author = \"CISA Code & Media Analysis\" incident = \"10478915\" date = \"2023-11-06\" last_modified = \"20231108_1500\" actor = \"n/a\" family = \"n/a\" capabilities = \"installs-other-components\" malware_Type = \"trojan\" tool_type = \"information-gathering\" description = \"Detects trojan .bat samples\" sha256 = \"98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9\" strings: $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 } $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d } $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 } condition: all of them }",
    "title": "",
    "description": "Detects trojan .bat samples",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485400,
    "indicator": "d6044e0f131429dc7b234c364349e60bb8ed0876",
    "type": "YARA",
    "created": "2023-11-21T16:17:21",
    "content": "import \"pe\"\nrule CISA_10478915_02 : trojan installs_other_components { meta: author = \"CISA Code & Media Analysis\" incident = \"10478915\" date = \"2023-11-06\" last_modified = \"20231108_1500\" actor = \"n/a\" family = \"n/a\" capabilities = \"installs-other-components\" malware_type = \"trojan\" tool_type = \"unknown\" description = \"Detects trojan PE32 samples\" sha256 = \"e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068\" strings: $s1 = { 57 72 69 74 65 46 69 6c 65 } $s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 } $s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 } $s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 } $s5 = { 64 65 6c 65 74 65 5b 5d } $s6 = { 4e 41 4e 28 49 4e 44 29 } condition: uint16(0) == 0x5a4d and pe.imphash() == \"6e8ca501c45a9b85fff2378cffaa24b2\" and pe.size_of_code == 84480 and all of them }",
    "title": "",
    "description": "Detects trojan PE32 samples",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3784485401,
    "indicator": "adobe-us-updatefiles.digital",
    "type": "domain",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 2826447688,
    "indicator": "dns0.org",
    "type": "domain",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3782300044,
    "indicator": "fixme.it",
    "type": "domain",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3204511059,
    "indicator": "soc@cisecurity.org",
    "type": "email",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 3782298375,
    "indicator": "unattended.techninline.net",
    "type": "hostname",
    "created": "2023-11-21T16:17:21",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  }
]