From ed4d0e33db3d063ad9330292d811f18ef1ed474f Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Sun, 22 Oct 2023 12:32:41 +0000
Subject: [PATCH] Update Recorded_Future snapshots

---
 Recorded_Future/Snapshot-with-domain.json | 2 +-
 Recorded_Future/Snapshot-with-ip.json | 2 +-
 Recorded_Future/Snapshot-with-md5.json | 2 +-
 Recorded_Future/Snapshot-with-sha1.json | 2 +-
 Recorded_Future/Snapshot-with-sha256.json | 2 +-
 Recorded_Future/Snapshot-with-url.json | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Recorded_Future/Snapshot-with-domain.json b/Recorded_Future/Snapshot-with-domain.json
index d529c513..10fa7a8b 100644
--- a/Recorded_Future/Snapshot-with-domain.json
+++ b/Recorded_Future/Snapshot-with-domain.json
@@ -1 +1 @@
-{"schema_version": "1.1.3", "type": "investigation", "search-txt": "domain:\"detail43.myfirewall.org\"", "actions": "[{\"arg\":{\"text\":\"detail43.myfirewall.org\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:04:50.685Z\",\"id\":\"collect-8096ddcc\",\"result\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:04:50.879Z\",\"uuid\":\"da1e5f2a-687f-4628-9097-6e7555f5f9c4\"},{\"arg\":{\"type\":\"domain\",\"value\":\"detail43.myfirewall.org\"},\"created\":\"2021-07-09T12:04:50.910Z\",\"id\":\"investigate-cae19cc4\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"judgement_id\":\"transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-22T12:04:51.181Z\",\"end_time\":\"2023-10-22T12:04:51.181Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:04:51.181Z\",\"end_time\":\"2023-10-22T12:04:51.181Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded 
Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2\",\"valid_time\":{\"start_time\":\"2018-02-22T21:33:30.912Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported by Insikt Group\",\"title\":\"Historically Reported by Insikt Group\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf\",\"valid_time\":{\"start_time\":\"2018-02-22T21:33:30.912Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged DNS Name\",\"title\":\"Historically Reported as a Defanged DNS Name\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":1,\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"judgement_id\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-22T12:04:59.000Z\",\"end_time\":\"2023-10-22T12:04:59.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989\",\"id\":\"transient:relationship-54cf74d2-78e9-493e-b405-f318c00753ba\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0\",\"id\":\"transient:relationship-784c1f5e-3039-4693-9f91-a8461d3caf9d\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"id\":\"transient:r
elationship-cc23b07b-9285-40e3-83be-056bba020e00\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c\",\"id\":\"transient:relationship-261467c0-71e9-4112-a435-b25cd0a97c4d\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:04:59.000Z\",\"end_time\":\"2023-10-22T12:04:59.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:04:59.000Z\",\"end_time\":\"2023-10-22T12:04:59.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":5,\"docs\":[{\"description\":\"Seen by Malwr.com\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by Malwr.com\",\"title\":\"Malwr.com 
[MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-02-22T14:10:00.000Z\"}},{\"description\":\"1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported by Insikt Group\",\"title\":\"Historically Reported by Insikt Group\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-04-08T00:00:00.000Z\"}},{\"description\":\"2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged DNS Name\",\"title\":\"Historically Reported as a Defanged DNS Name\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-02-13T14:24:00.013Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"scarlet-mimic-full-report_Palo Alto Networks\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-01-25T02:00:58.000Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"scarlet-mimic-full-report_Palo Alto 
Networks\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-01-25T02:00:58.000Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:04:59.909Z\",\"uuid\":\"432f05ee-ded3-4e93-b6eb-448067c2923e\"}]", "short_description": "Snapshot-with-domain", "omittedObservables": [], "archivedObservables": [{"key": "a6d0706d-6464-4721-b5fb-9e9e7acbc231", "value": "detail43.myfirewall.org", "indicators": [{"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "97f2bc93-9e25-43ad-b0cf-a92f90848504", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "dede3bd1-0ea8-4681-95e4-b431336774d0", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}], "type": "domain", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "21babf58-9c8a-416f-8710-f0a236e0da6e", "judgement_id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e5e34d3e-540a-452b-9493-e88f46011325", "judgement_id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "ctr_hide": false}], "notifications": [], 
"disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 0, "label": "detail43.myfirewall.org", "id": "9e7154d7", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "2e08deaa-fb34-47eb-9ae6-8230d1c1575b", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e08c597f-4681-4a10-a0a2-0edd777eadbf", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "schema_version": "1.1.3", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, 
"reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "severity": "Low", "tlp": "white", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "f2351818-e80a-4a21-8f7f-9e3ba70df08c", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff", "count": 1, "observable_type": "domain", "ctr_uuid": "d3ee6199-2655-45cd-9fab-e9a269812e5a", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5", "count": 1, "observable_type": "domain", "ctr_uuid": "352e36ff-3355-4e2b-b26b-a1caf2aa89a6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", 
"observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "dfe3ddd6-fea6-439f-ae1e-6e21343d4d97", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-11-30T14:24:00.013Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "e86b276b-5912-417a-b438-a504f0f5dbe6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-01-24T00:00:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Malwr.com", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Malwr.com", "title": "Malwr.com [MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421", "count": 1, "observable_type": "domain", "ctr_uuid": "9931d53c-de83-4800-8788-c0b0bb5c7431", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2015-12-10T14:10:00.000Z"}, "ctr_hide": false}], "revListOrder": 5}], "selectedObservables": [{"uuid": "1001713d-c687-415d-b7f4-0bd3bf6fa0e3", "observable": {"key": "a6d0706d-6464-4721-b5fb-9e9e7acbc231", "value": "detail43.myfirewall.org", "indicators": [{"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "97f2bc93-9e25-43ad-b0cf-a92f90848504", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "dede3bd1-0ea8-4681-95e4-b431336774d0", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}], "type": "domain", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "observable": 
{"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "21babf58-9c8a-416f-8710-f0a236e0da6e", "judgement_id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e5e34d3e-540a-452b-9493-e88f46011325", "judgement_id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "ctr_hide": false}], "notifications": [], "disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 0, "label": "detail43.myfirewall.org", "id": "9e7154d7", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "2e08deaa-fb34-47eb-9ae6-8230d1c1575b", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", 
"observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e08c597f-4681-4a10-a0a2-0edd777eadbf", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "schema_version": "1.1.3", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "severity": "Low", "tlp": "white", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "f2351818-e80a-4a21-8f7f-9e3ba70df08c", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": 
"transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff", "count": 1, "observable_type": "domain", "ctr_uuid": "d3ee6199-2655-45cd-9fab-e9a269812e5a", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5", "count": 1, "observable_type": "domain", "ctr_uuid": "352e36ff-3355-4e2b-b26b-a1caf2aa89a6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "dfe3ddd6-fea6-439f-ae1e-6e21343d4d97", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-11-30T14:24:00.013Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "e86b276b-5912-417a-b438-a504f0f5dbe6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-01-24T00:00:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Malwr.com", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": 
[{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Malwr.com", "title": "Malwr.com [MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421", "count": 1, "observable_type": "domain", "ctr_uuid": "9931d53c-de83-4800-8788-c0b0bb5c7431", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2015-12-10T14:10:00.000Z"}, "ctr_hide": false}], "revListOrder": 5}, "notifications": [], "disposition_name": "Clean", "disposition": 1, "type": "domain", "value": "detail43.myfirewall.org", "id": "9e7154d7"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-43302a61-896d-4390-9c66-165b927c06db", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:05:26.659Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"}
\ No newline at end of file
+{"schema_version": "1.1.3", "type": "investigation", "search-txt": "domain:\"detail43.myfirewall.org\"", "actions": "[{\"arg\":{\"text\":\"detail43.myfirewall.org\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:04:50.685Z\",\"id\":\"collect-8096ddcc\",\"result\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:04:50.879Z\",\"uuid\":\"da1e5f2a-687f-4628-9097-6e7555f5f9c4\"},{\"arg\":{\"type\":\"domain\",\"value\":\"detail43.myfirewall.org\"},\"created\":\"2021-07-09T12:04:50.910Z\",\"id\":\"investigate-cae19cc4\",\"result\":{\"data\":[{\"module\":\"Talos 
Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"judgement_id\":\"transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-29T12:04:51.181Z\",\"end_time\":\"2023-10-29T12:04:51.181Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:04:51.181Z\",\"end_time\":\"2023-10-29T12:04:51.181Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2\",\"valid_time\":{\"start_time\":\"2018-03-01T21:33:30.912Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported by Insikt Group\",\"title\":\"Historically Reported by Insikt Group\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf\",\"valid_time\":{\"start_time\":\"2018-03-01T21:33:30.912Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged DNS Name\",\"title\":\"Historically Reported as a Defanged DNS 
Name\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":1,\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"judgement_id\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-29T12:04:59.000Z\",\"end_time\":\"2023-10-29T12:04:59.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989\",\"id\":\"transient:relationship-54cf74d2-78e9-493e-b405-f318c00753ba\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0\",\"id\":\"transient:relationship-784c1f5e-3039-4693-9f91-a8461d3caf9d\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"id\":\"transient:relationship-cc23b07b-9285-40e3-83be-056bba020e00\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c\",\"id\":\"transient:relationship-261467c0-71e9-4112-a435-b25cd0a97c4d\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_t
ime\":\"2023-09-29T12:04:59.000Z\",\"end_time\":\"2023-10-29T12:04:59.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:04:59.000Z\",\"end_time\":\"2023-10-29T12:04:59.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":5,\"docs\":[{\"description\":\"Seen by Malwr.com\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by Malwr.com\",\"title\":\"Malwr.com [MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-03-01T14:10:00.000Z\"}},{\"description\":\"1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported by Insikt Group\",\"title\":\"Historically Reported by Insikt Group\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-04-15T00:00:00.000Z\"}},{\"description\":\"2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged DNS Name\",\"title\":\"Historically Reported as a Defanged DNS Name\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-02-20T14:24:00.013Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"scarlet-mimic-full-report_Palo Alto 
Networks\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-01T02:00:58.000Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"detail43.myfirewall.org\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"scarlet-mimic-full-report_Palo Alto Networks\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org\",\"id\":\"transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff\",\"count\":1,\"timestamp\":\"2021-07-09T12:04:59.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-01T02:00:58.000Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:04:59.909Z\",\"uuid\":\"432f05ee-ded3-4e93-b6eb-448067c2923e\"}]", "short_description": "Snapshot-with-domain", "omittedObservables": [], "archivedObservables": [{"key": "a6d0706d-6464-4721-b5fb-9e9e7acbc231", "value": "detail43.myfirewall.org", "indicators": [{"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "97f2bc93-9e25-43ad-b0cf-a92f90848504", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "dede3bd1-0ea8-4681-95e4-b431336774d0", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}], "type": "domain", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "observable": 
{"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "21babf58-9c8a-416f-8710-f0a236e0da6e", "judgement_id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e5e34d3e-540a-452b-9493-e88f46011325", "judgement_id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "ctr_hide": false}], "notifications": [], "disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 0, "label": "detail43.myfirewall.org", "id": "9e7154d7", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "2e08deaa-fb34-47eb-9ae6-8230d1c1575b", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", 
"observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e08c597f-4681-4a10-a0a2-0edd777eadbf", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "schema_version": "1.1.3", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "severity": "Low", "tlp": "white", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "f2351818-e80a-4a21-8f7f-9e3ba70df08c", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": 
"transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff", "count": 1, "observable_type": "domain", "ctr_uuid": "d3ee6199-2655-45cd-9fab-e9a269812e5a", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5", "count": 1, "observable_type": "domain", "ctr_uuid": "352e36ff-3355-4e2b-b26b-a1caf2aa89a6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. 
Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "dfe3ddd6-fea6-439f-ae1e-6e21343d4d97", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-11-30T14:24:00.013Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "e86b276b-5912-417a-b438-a504f0f5dbe6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-01-24T00:00:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Malwr.com", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": 
[{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Malwr.com", "title": "Malwr.com [MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421", "count": 1, "observable_type": "domain", "ctr_uuid": "9931d53c-de83-4800-8788-c0b0bb5c7431", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2015-12-10T14:10:00.000Z"}, "ctr_hide": false}], "revListOrder": 5}], "selectedObservables": [{"uuid": "1001713d-c687-415d-b7f4-0bd3bf6fa0e3", "observable": {"key": "a6d0706d-6464-4721-b5fb-9e9e7acbc231", "value": "detail43.myfirewall.org", "indicators": [{"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-8a2750e3-57a9-467a-a6b1-bab3b7964ad4", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "97f2bc93-9e25-43ad-b0cf-a92f90848504", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "valid_time": {"start_time": "2015-12-10T21:33:30.912Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:indicator-84dbebf3-4d76-4297-b44a-caeb48ec435b", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "dede3bd1-0ea8-4681-95e4-b431336774d0", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_hide": false}], "type": "domain", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "21babf58-9c8a-416f-8710-f0a236e0da6e", "judgement_id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:9e7154d7", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e5e34d3e-540a-452b-9493-e88f46011325", "judgement_id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "ctr_hide": false}], "notifications": [], 
"disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 0, "label": "detail43.myfirewall.org", "id": "9e7154d7", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9ff840c0-9e6f-423e-8cfc-d45e6691c662", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "2e08deaa-fb34-47eb-9ae6-8230d1c1575b", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:59.000Z", "end_time": "2021-08-08T12:04:59.000Z"}, "schema_version": "1.1.6", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-1a49ef48-aba4-4000-ae85-420461b5fc7c", "severity": "Low", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "e08c597f-4681-4a10-a0a2-0edd777eadbf", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:04:51.181Z", "end_time": "2021-08-08T12:04:51.181Z"}, "schema_version": "1.1.3", "observable": {"value": "detail43.myfirewall.org", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, 
"reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=detail43.myfirewall.org", "disposition_name": "Unknown", "priority": 90, "id": "transient:e7b73e08-7b59-4bb3-8480-829d78d6fe96", "severity": "Low", "tlp": "white", "action": "432f05ee-ded3-4e93-b6eb-448067c2923e", "ctr_uuid": "f2351818-e80a-4a21-8f7f-9e3ba70df08c", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-b60bab41-274a-42b8-9f00-7c3694ea03ff", "count": 1, "observable_type": "domain", "ctr_uuid": "d3ee6199-2655-45cd-9fab-e9a269812e5a", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "scarlet-mimic-full-report_Palo Alto Networks", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-41908404-3fb5-4f5f-8588-2c8e4d4ae4d5", "count": 1, "observable_type": "domain", "ctr_uuid": "352e36ff-3355-4e2b-b26b-a1caf2aa89a6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", 
"observed_time": {"start_time": "2018-11-12T02:00:58.000Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: Guided Collection, ThreatMiner. Most recent link (Nov 30, 2016): https://trushieldinc.com/wp-content/uploads/2016/02/TS_Advisory_02012016.pdf", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged DNS Name", "title": "Historically Reported as a Defanged DNS Name", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-f71b38a0-ff73-496f-8b01-f7cfc22339f0", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "dfe3ddd6-fea6-439f-ae1e-6e21343d4d97", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-11-30T14:24:00.013Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: Insikt Group. 1 report: Scarlet Mimic. 
Most recent link (Jan 24, 2016): https://app.recordedfuture.com/live/sc/61yEj9wvi3N2", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported by Insikt Group", "title": "Historically Reported by Insikt Group", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-09c81e8f-3b7f-4817-a156-1193d05a2989", "count": 1, "severity": "Low", "observable_type": "domain", "ctr_uuid": "e86b276b-5912-417a-b438-a504f0f5dbe6", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2016-01-24T00:00:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Malwr.com", "schema_version": "1.1.6", "observable_value": "detail43.myfirewall.org", "observables": [{"value": "detail43.myfirewall.org", "type": "domain"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Malwr.com", "title": "Malwr.com [MjhkZDdmY2JiMzdjNDk4MzkwZmE0ODUxM2M1ZDgyOTM]", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/idn%3Adetail43.myfirewall.org", "id": "transient:sighting-c553bcff-88d6-4320-89ad-127b295c0421", "count": 1, "observable_type": "domain", "ctr_uuid": "9931d53c-de83-4800-8788-c0b0bb5c7431", "timestamp": "2021-07-09T12:04:59.000Z", "confidence": "High", "observed_time": {"start_time": "2015-12-10T14:10:00.000Z"}, "ctr_hide": false}], "revListOrder": 5}, "notifications": [], "disposition_name": "Clean", "disposition": 1, "type": "domain", "value": "detail43.myfirewall.org", "id": "9e7154d7"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-43302a61-896d-4390-9c66-165b927c06db", "tlp": "amber", "groups": 
["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:05:26.659Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file diff --git a/Recorded_Future/Snapshot-with-ip.json b/Recorded_Future/Snapshot-with-ip.json index c0f03905..bd20d784 100644 --- a/Recorded_Future/Snapshot-with-ip.json +++ b/Recorded_Future/Snapshot-with-ip.json 
@@ -1 +1 @@
-{"schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"139.196.240.144\"", "actions": "[{\"arg\":{\"text\":\"139.196.240.144\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:13:53.875Z\",\"id\":\"collect-19540c87\",\"result\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:13:54.083Z\",\"uuid\":\"2691aee2-218a-47bf-9033-664405b28aba\"},{\"arg\":{\"type\":\"ip\",\"value\":\"139.196.240.144\"},\"created\":\"2021-07-09T12:13:54.110Z\",\"id\":\"investigate-bd6316b3\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"judgement_id\":\"transient:fc3088c8-d22d-4002-93c9-0165e542bbe2\",\"disposition_name\":\"Suspicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:13:54.340Z\",\"end_time\":\"2023-10-22T12:13:54.340Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:13:54.340Z\",\"end_time\":\"2023-10-22T12:13:54.340Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":3,\"reason\":\"Low Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:fc3088c8-d22d-4002-93c9-0165e542bbe2\",\"severity\":\"Medium\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":3,\"docs\":[{\"description\":\"5 sightings 
on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. Command & Control host identified on Apr 25, 2021.\",\"valid_time\":{\"start_time\":\"2023-06-30T23:25:28.274Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Current C&C Server\",\"title\":\"Current C&C Server\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD\",\"valid_time\":{\"start_time\":\"2023-06-30T23:25:28.274Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Linked to Intrusion Method\",\"title\":\"Historically Linked to Intrusion Method\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.\",\"valid_time\":{\"start_time\":\"2023-06-30T23:25:28.274Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Actively Communicating C&C Server\",\"title\":\"Actively Communicating C&C Server\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":4,\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"judgement_id\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:13:55.000Z\",\"end_time\":\"2023-10-22T12:13:55.000Z\"}}]},\"relationships\":{\"count\":6,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3\",\"id\":\"transient:relationship-e26121e7-8b5e-4f1d-a2b8-788090bd5767\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"id\":\"transient:relationship-5cc023fe-f472-494c-b65f-1170328d7146\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036\",\"id\":\"transient:relationship-6925290d-e374-4187-b5e3-01bcead32da3\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\"
,\"target_ref\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9\",\"id\":\"transient:relationship-7eccaeae-b81f-4ded-8ca8-67eb841b1091\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb\",\"id\":\"transient:relationship-f4b85b37-6054-42d3-8549-251b14ef421a\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb\",\"id\":\"transient:relationship-d62a314f-f7e7-4feb-8a5c-42376d543dd9\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":3,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:13:55.000Z\",\"end_time\":\"2023-10-22T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:13:55.000Z\",\"end_time\":\"2023-10-22T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence 
Card\",\"disposition\":4,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:13:55.000Z\",\"end_time\":\"2023-10-22T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":4,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":7,\"docs\":[{\"description\":\"5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Current C&C Server\",\"title\":\"Current C&C Server\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-21T20:29:25.816Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"CobaltStrikeStage2_1625774220\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-21T19:57:02.000Z\"}},{\"description\":\"Seen by Recorded Future Command & Control List\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by Recorded Future Command & Control List\",\"title\":\"Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-18T08:04:23.139Z\"}},{\"description\":\"1 sighting 
on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Linked to Intrusion Method\",\"title\":\"Historically Linked to Intrusion Method\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-06T09:51:00.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"CobaltStrikeStage2_1625774220\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-21T19:57:02.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by 
PasteBin\",\"title\":\"CobaltStrikeStage2_1618615493\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-30T23:24:55.000Z\"}},{\"description\":\"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. Last observed on Jul 7, 2021.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Actively Communicating C&C Server\",\"title\":\"Actively Communicating C&C Server\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-21T20:29:25.819Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:13:55.847Z\",\"uuid\":\"0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576\"}]", "short_description": "Snapshot-with-ip", "omittedObservables": [], "archivedObservables": [{"key": "e31f95a8-1624-463a-9638-5411ff73cbd1", "value": "139.196.240.144", "indicators": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "f546a45e-3ad3-4d41-aa94-f1b4377b4100", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "5bafc85f-67dc-4feb-9864-c4a5b5bb45c1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "680116b7-92f5-4fac-ba0b-9a92e4823300", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}], "type": "ip", "state": "investigated", "targets": [], "disposition": 3, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 4, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "7621fdb7-27cf-4dd7-9db7-39db7182d773", "judgement_id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Talos Intelligence:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "1f96c7d0-7618-40dd-bed0-a077005bbd6e", "judgement_id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "ctr_hide": false}], "notifications": [], "disposition_name": "Suspicious", "obsListSortOrder": 2, "listOrder": 0, "label": "139.196.240.144", 
"id": "4d77f166", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "0e1aa1b9-ae12-480c-be9d-cb82df397659", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "6a5c76cd-5afa-4d3f-8dc0-caa83ec45b01", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Unknown", "priority": 90, "id": 
"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "573732f3-0db5-424f-8104-7eb5fbedfb1d", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "schema_version": "1.1.3", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "reason": "Low Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144", "disposition_name": "Suspicious", "priority": 90, "id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "severity": "Medium", "tlp": "white", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "531716dc-dcc8-41ef-b801-5c36dc6e338a", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}], "sightings": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "3e556102-ef7a-4164-89b5-a506c0b0bdc1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.819Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1618615493", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15", "count": 1, "observable_type": "ip", "ctr_uuid": "f8e06c8c-8f88-4bcb-a074-c221c808ab3e", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-16T23:24:55.000Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": 
"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294", "count": 1, "observable_type": "ip", "ctr_uuid": "427fc053-86f3-4196-9b30-e5b934e4547a", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9", "count": 1, "severity": "Low", "observable_type": "ip", "ctr_uuid": "bdad1ca0-b30f-4a6b-8fa2-64bf9af17e11", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-22T09:51:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Recorded Future Command & Control List", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Recorded Future Command & Control List", "title": "Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8", "count": 1, "observable_type": "ip", "ctr_uuid": "d0def5d8-b384-43e8-99ca-7d442fb8b683", "timestamp": 
"2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-05T08:04:23.139Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f", "count": 1, "observable_type": "ip", "ctr_uuid": "87baefe5-f93f-4bfc-bdfb-74e990a02d24", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "9c303754-e26f-4ce2-8b2d-c1f91be5a6e5", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.816Z"}, "ctr_hide": false}], "revListOrder": 2}], "selectedObservables": [{"uuid": "cae15fed-15b9-4bc2-af05-868b2ee23607", "observable": {"key": "e31f95a8-1624-463a-9638-5411ff73cbd1", "value": "139.196.240.144", "indicators": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. Last observed on Jul 7, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "f546a45e-3ad3-4d41-aa94-f1b4377b4100", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 
2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "5bafc85f-67dc-4feb-9864-c4a5b5bb45c1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "680116b7-92f5-4fac-ba0b-9a92e4823300", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}], "type": "ip", "state": "investigated", "targets": [], "disposition": 3, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 4, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "7621fdb7-27cf-4dd7-9db7-39db7182d773", "judgement_id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Talos Intelligence:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "1f96c7d0-7618-40dd-bed0-a077005bbd6e", "judgement_id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "ctr_hide": false}], "notifications": [], "disposition_name": "Suspicious", "obsListSortOrder": 2, "listOrder": 0, "label": "139.196.240.144", 
"id": "4d77f166", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "0e1aa1b9-ae12-480c-be9d-cb82df397659", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "6a5c76cd-5afa-4d3f-8dc0-caa83ec45b01", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Unknown", "priority": 90, "id": 
"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "573732f3-0db5-424f-8104-7eb5fbedfb1d", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "schema_version": "1.1.3", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "reason": "Low Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144", "disposition_name": "Suspicious", "priority": 90, "id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "severity": "Medium", "tlp": "white", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "531716dc-dcc8-41ef-b801-5c36dc6e338a", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}], "sightings": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "3e556102-ef7a-4164-89b5-a506c0b0bdc1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.819Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1618615493", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15", "count": 1, "observable_type": "ip", "ctr_uuid": "f8e06c8c-8f88-4bcb-a074-c221c808ab3e", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-16T23:24:55.000Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": 
"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294", "count": 1, "observable_type": "ip", "ctr_uuid": "427fc053-86f3-4196-9b30-e5b934e4547a", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9", "count": 1, "severity": "Low", "observable_type": "ip", "ctr_uuid": "bdad1ca0-b30f-4a6b-8fa2-64bf9af17e11", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-22T09:51:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Recorded Future Command & Control List", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Recorded Future Command & Control List", "title": "Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8", "count": 1, "observable_type": "ip", "ctr_uuid": "d0def5d8-b384-43e8-99ca-7d442fb8b683", "timestamp": 
"2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-05T08:04:23.139Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f", "count": 1, "observable_type": "ip", "ctr_uuid": "87baefe5-f93f-4bfc-bdfb-74e990a02d24", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "9c303754-e26f-4ce2-8b2d-c1f91be5a6e5", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.816Z"}, "ctr_hide": false}], "revListOrder": 2}, "notifications": [], "disposition_name": "Suspicious", "disposition": 3, "type": "ip", "value": "139.196.240.144", "id": "4d77f166"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-00c05c45-c0f0-4186-a3ea-dc7e43a90b57", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:14:25.023Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"139.196.240.144\"", "actions": "[{\"arg\":{\"text\":\"139.196.240.144\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:13:53.875Z\",\"id\":\"collect-19540c87\",\"result\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:13:54.083Z\",\"uuid\":\"2691aee2-218a-47bf-9033-664405b28aba\"},{\"arg\":{\"type\":\"ip\",\"value\":\"139.196.240.144\"},\"created\":\"2021-07-09T12:13:54.110Z\",\"id\":\"investigate-bd6316b3\",\"result\":{\"data\":[{\"module\":\"Talos 
Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"judgement_id\":\"transient:fc3088c8-d22d-4002-93c9-0165e542bbe2\",\"disposition_name\":\"Suspicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:13:54.340Z\",\"end_time\":\"2023-10-29T12:13:54.340Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:13:54.340Z\",\"end_time\":\"2023-10-29T12:13:54.340Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":3,\"reason\":\"Low Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:fc3088c8-d22d-4002-93c9-0165e542bbe2\",\"severity\":\"Medium\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":3,\"docs\":[{\"description\":\"5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.\",\"valid_time\":{\"start_time\":\"2023-07-07T23:25:28.274Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Current C&C Server\",\"title\":\"Current C&C Server\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD\",\"valid_time\":{\"start_time\":\"2023-07-07T23:25:28.274Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Linked to Intrusion Method\",\"title\":\"Historically Linked to Intrusion Method\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.\",\"valid_time\":{\"start_time\":\"2023-07-07T23:25:28.274Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Actively Communicating C&C Server\",\"title\":\"Actively Communicating C&C Server\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":4,\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"judgement_id\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:13:55.000Z\",\"end_time\":\"2023-10-29T12:13:55.000Z\"}}]},\"relationships\":{\"count\":6,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3\",\"id\":\"transient:relationship-e26121e7-8b5e-4f1d-a2b8-788090bd5767\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"id\":\"transient:relationship-5cc023fe-f472-494c-b65f-1170328d7146\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036\",\"id\":\"transient:relationship-6925290d-e374-4187-b5e3-01bcead32da3\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\"
,\"target_ref\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9\",\"id\":\"transient:relationship-7eccaeae-b81f-4ded-8ca8-67eb841b1091\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb\",\"id\":\"transient:relationship-f4b85b37-6054-42d3-8549-251b14ef421a\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb\",\"id\":\"transient:relationship-d62a314f-f7e7-4feb-8a5c-42376d543dd9\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":3,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:13:55.000Z\",\"end_time\":\"2023-10-29T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:13:55.000Z\",\"end_time\":\"2023-10-29T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence 
Card\",\"disposition\":4,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:13:55.000Z\",\"end_time\":\"2023-10-29T12:13:55.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"139.196.240.144\",\"type\":\"ip\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":4,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":7,\"docs\":[{\"description\":\"5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Current C&C Server\",\"title\":\"Current C&C Server\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-28T20:29:25.816Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"CobaltStrikeStage2_1625774220\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-28T19:57:02.000Z\"}},{\"description\":\"Seen by Recorded Future Command & Control List\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by Recorded Future Command & Control List\",\"title\":\"Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-25T08:04:23.139Z\"}},{\"description\":\"1 sighting 
on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Linked to Intrusion Method\",\"title\":\"Historically Linked to Intrusion Method\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-13T09:51:00.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"CobaltStrikeStage2_1625774220\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-28T19:57:02.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by 
PasteBin\",\"title\":\"CobaltStrikeStage2_1618615493\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15\",\"count\":1,\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-07T23:24:55.000Z\"}},{\"description\":\"1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. Last observed on Jul 7, 2021.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"139.196.240.144\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Actively Communicating C&C Server\",\"title\":\"Actively Communicating C&C Server\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144\",\"id\":\"transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:13:55.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-09-28T20:29:25.819Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:13:55.847Z\",\"uuid\":\"0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576\"}]", "short_description": "Snapshot-with-ip", "omittedObservables": [], "archivedObservables": [{"key": "e31f95a8-1624-463a-9638-5411ff73cbd1", "value": "139.196.240.144", "indicators": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "f546a45e-3ad3-4d41-aa94-f1b4377b4100", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "5bafc85f-67dc-4feb-9864-c4a5b5bb45c1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "680116b7-92f5-4fac-ba0b-9a92e4823300", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}], "type": "ip", "state": "investigated", "targets": [], "disposition": 3, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 4, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "7621fdb7-27cf-4dd7-9db7-39db7182d773", "judgement_id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Talos Intelligence:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "1f96c7d0-7618-40dd-bed0-a077005bbd6e", "judgement_id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "ctr_hide": false}], "notifications": [], "disposition_name": "Suspicious", "obsListSortOrder": 2, "listOrder": 0, "label": "139.196.240.144", 
"id": "4d77f166", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "0e1aa1b9-ae12-480c-be9d-cb82df397659", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "6a5c76cd-5afa-4d3f-8dc0-caa83ec45b01", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Unknown", "priority": 90, "id": 
"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "573732f3-0db5-424f-8104-7eb5fbedfb1d", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "schema_version": "1.1.3", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "reason": "Low Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144", "disposition_name": "Suspicious", "priority": 90, "id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "severity": "Medium", "tlp": "white", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "531716dc-dcc8-41ef-b801-5c36dc6e338a", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}], "sightings": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "3e556102-ef7a-4164-89b5-a506c0b0bdc1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.819Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1618615493", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15", "count": 1, "observable_type": "ip", "ctr_uuid": "f8e06c8c-8f88-4bcb-a074-c221c808ab3e", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-16T23:24:55.000Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": 
"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294", "count": 1, "observable_type": "ip", "ctr_uuid": "427fc053-86f3-4196-9b30-e5b934e4547a", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9", "count": 1, "severity": "Low", "observable_type": "ip", "ctr_uuid": "bdad1ca0-b30f-4a6b-8fa2-64bf9af17e11", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-22T09:51:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Recorded Future Command & Control List", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Recorded Future Command & Control List", "title": "Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8", "count": 1, "observable_type": "ip", "ctr_uuid": "d0def5d8-b384-43e8-99ca-7d442fb8b683", "timestamp": 
"2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-05T08:04:23.139Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f", "count": 1, "observable_type": "ip", "ctr_uuid": "87baefe5-f93f-4bfc-bdfb-74e990a02d24", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "9c303754-e26f-4ce2-8b2d-c1f91be5a6e5", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.816Z"}, "ctr_hide": false}], "revListOrder": 2}], "selectedObservables": [{"uuid": "cae15fed-15b9-4bc2-af05-868b2ee23607", "observable": {"key": "e31f95a8-1624-463a-9638-5411ff73cbd1", "value": "139.196.240.144", "indicators": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. Last observed on Jul 7, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-242bd74b-f104-45ca-9236-b82f553d4041", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "f546a45e-3ad3-4d41-aa94-f1b4377b4100", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 
2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-5d65dc89-c900-4daa-9927-8c6b49fbc3f0", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "5bafc85f-67dc-4feb-9864-c4a5b5bb45c1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "valid_time": {"start_time": "2021-04-16T23:25:28.274Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:indicator-71e80230-01ab-48fd-814a-0cbb5d8718f3", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "680116b7-92f5-4fac-ba0b-9a92e4823300", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_hide": false}], "type": "ip", "state": "investigated", "targets": [], "disposition": 3, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 4, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "7621fdb7-27cf-4dd7-9db7-39db7182d773", "judgement_id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "verdict", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Talos Intelligence:4d77f166", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "1f96c7d0-7618-40dd-bed0-a077005bbd6e", "judgement_id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "ctr_hide": false}], "notifications": [], "disposition_name": "Suspicious", "obsListSortOrder": 2, "listOrder": 0, "label": "139.196.240.144", 
"id": "4d77f166", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-7459e0c2-8007-4109-ad83-97d1c18bd036", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "0e1aa1b9-ae12-480c-be9d-cb82df397659", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 4, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-62cdfbff-3353-4106-bc81-463d89f751ec", "severity": "High", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "6a5c76cd-5afa-4d3f-8dc0-caa83ec45b01", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 3, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:55.000Z", "end_time": "2021-08-08T12:13:55.000Z"}, "schema_version": "1.1.6", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "disposition_name": "Unknown", "priority": 90, "id": 
"transient:judgement-1fe3a1dd-eb97-401a-b11b-0629372128bb", "severity": "Low", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "573732f3-0db5-424f-8104-7eb5fbedfb1d", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:13:54.340Z", "end_time": "2021-08-08T12:13:54.340Z"}, "schema_version": "1.1.3", "observable": {"value": "139.196.240.144", "type": "ip"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 3, "module": "Talos Intelligence", "module-type": null, "reason": "Low Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=139.196.240.144", "disposition_name": "Suspicious", "priority": 90, "id": "transient:fc3088c8-d22d-4002-93c9-0165e542bbe2", "severity": "Medium", "tlp": "white", "action": "0ab2dd4a-84b1-4e7c-a8d6-eb08a8401576", "ctr_uuid": "531716dc-dcc8-41ef-b801-5c36dc6e338a", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}], "sightings": [{"description": "1 sighting on 1 source: Recorded Future Network Traffic Analysis. Identified as C&C server for 1 malware family: Cobalt Strike. Communication observed on TCP:443. 
Last observed on Jul 7, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Actively Communicating C&C Server", "title": "Actively Communicating C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-97f43f50-579d-4474-b2ea-c094394bb1cb", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "3e556102-ef7a-4164-89b5-a506c0b0bdc1", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.819Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1618615493", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-750e1092-8efc-451d-a5a7-ed4bfb8e3b15", "count": 1, "observable_type": "ip", "ctr_uuid": "f8e06c8c-8f88-4bcb-a074-c221c808ab3e", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-16T23:24:55.000Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": 
"transient:sighting-222985f4-3b34-47d8-a559-d59b803bc294", "count": 1, "observable_type": "ip", "ctr_uuid": "427fc053-86f3-4196-9b30-e5b934e4547a", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "1 sighting on 1 source: PasteBin. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Apr 22, 2021): https://pastebin.com/ba0wwMWD", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Linked to Intrusion Method", "title": "Historically Linked to Intrusion Method", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-0de7795e-2276-4a50-84b1-0226ba1c22c9", "count": 1, "severity": "Low", "observable_type": "ip", "ctr_uuid": "bdad1ca0-b30f-4a6b-8fa2-64bf9af17e11", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-04-22T09:51:00.000Z"}, "ctr_hide": false}, {"description": "Seen by Recorded Future Command & Control List", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by Recorded Future Command & Control List", "title": "Threat List Recorded Future Command & Control List : data downloaded at 2021-07-05 08:04:23", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-92d5eec2-0e4a-4cd9-934b-6306ceb246b8", "count": 1, "observable_type": "ip", "ctr_uuid": "d0def5d8-b384-43e8-99ca-7d442fb8b683", "timestamp": 
"2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-05T08:04:23.139Z"}, "ctr_hide": false}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "CobaltStrikeStage2_1625774220", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-f2fca3aa-dd0f-4c19-939e-f05a6723175f", "count": 1, "observable_type": "ip", "ctr_uuid": "87baefe5-f93f-4bfc-bdfb-74e990a02d24", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T19:57:02.000Z"}, "ctr_hide": false}, {"description": "5 sightings on 2 sources: Recorded Future Command & Control List, Cobalt Strike Default Certificate Detected - Shodan / Recorded Future. 
Command & Control host identified on Apr 25, 2021.", "schema_version": "1.1.6", "observable_value": "139.196.240.144", "observables": [{"value": "139.196.240.144", "type": "ip"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Current C&C Server", "title": "Current C&C Server", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/ip%3A139.196.240.144", "id": "transient:sighting-c814618e-6eb7-46fe-8f2c-b1645669a2c3", "count": 1, "severity": "High", "observable_type": "ip", "ctr_uuid": "9c303754-e26f-4ce2-8b2d-c1f91be5a6e5", "timestamp": "2021-07-09T12:13:55.000Z", "confidence": "High", "observed_time": {"start_time": "2021-07-08T20:29:25.816Z"}, "ctr_hide": false}], "revListOrder": 2}, "notifications": [], "disposition_name": "Suspicious", "disposition": 3, "type": "ip", "value": "139.196.240.144", "id": "4d77f166"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-00c05c45-c0f0-4186-a3ea-dc7e43a90b57", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:14:25.023Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file diff --git a/Recorded_Future/Snapshot-with-md5.json b/Recorded_Future/Snapshot-with-md5.json index b0237c10..1a74ad0b 100644 --- a/Recorded_Future/Snapshot-with-md5.json +++ b/Recorded_Future/Snapshot-with-md5.json 
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"8b83fc5d3a6a80281269f9e337fe3fff\"", "actions": "[{\"arg\":{\"text\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:27:51.755Z\",\"id\":\"collect-67b47865\",\"result\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:27:51.953Z\",\"uuid\":\"ce2aea7b-4899-45aa-ab68-525401e99121\"},{\"arg\":{\"type\":\"md5\",\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\"},\"created\":\"2021-07-09T12:27:51.981Z\",\"id\":\"investigate-d79f63b3\",\"result\":{\"data\":[{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"valid_time\":{\"start_time\":\"2018-06-17T03:00:35.157Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"valid_time\":{\"start_time\":\"2018-06-17T03:00:35.157Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"judgement_id\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"disposition_name\":\"Suspicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:27:54.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06\",\"id\":\"transient:relationship-1509d085-1748-4946-9e02-a2f3dcb4a6d1\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"id\":\"transient:relationship-f704e0d3-1447-410a-b7cd-5a436934ba47\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"type\":\"relationship\",\"source_ref\":\"tr
ansient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f\",\"id\":\"transient:relationship-5ba28fdd-78b4-46d0-926b-798da27e2860\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698\",\"id\":\"transient:relationship-7aac6e11-e687-4f84-bb89-52ab3ff7d299\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:27:54.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:27:54.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":6,\"docs\":[{\"description\":\"1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-17T03:00:33.606Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-03-08T09:48:17.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by 
PasteBin\",\"title\":\"21/11\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-03T09:03:34.000Z\"}},{\"description\":\"1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-17T03:00:33.606Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"21/11\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-03T09:03:34.000Z\"}},{\"description\":\"Seen by 
ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-17T03:00:33.606Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:27:54.381Z\",\"uuid\":\"c18e710e-2898-494f-b07b-cf1283087a1b\"}]", "short_description": "Snapshot-with-md5", "omittedObservables": [], "archivedObservables": [{"key": "6d7edaad-e37b-4d3a-b240-8310bcc8c6f4", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "indicators": [{"description": "1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-aa693112-d069-487c-8537-ea457c61c35a", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": 
"2525-01-01T00:00:00.000Z"}, "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Recorded Future", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Recorded Future:55901e03", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "judgement_id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": "1faf0efb-d8a3-4333-ae39-bec39422910f", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": 
"85330040-7715-4e40-92bf-b0ccb0f6fefd", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "8b83fc5d3a6a80281269f9e337fe3fff", "module": "Recorded Future", 
"internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-12-23T09:48:17.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}], "revListOrder": 1}], "selectedObservables": [{"uuid": "b3adc8a4-53d3-412a-8e56-1e26348622f5", "observable": {"key": "6d7edaad-e37b-4d3a-b240-8310bcc8c6f4", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "indicators": [{"description": "1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-aa693112-d069-487c-8537-ea457c61c35a", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": 
"2525-01-01T00:00:00.000Z"}, "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Recorded Future", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Recorded Future:55901e03", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "judgement_id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": "1faf0efb-d8a3-4333-ae39-bec39422910f", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": 
"85330040-7715-4e40-92bf-b0ccb0f6fefd", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "8b83fc5d3a6a80281269f9e337fe3fff", "module": "Recorded Future", 
"internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-12-23T09:48:17.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}], "revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "md5", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-2cec8a59-6e17-4aeb-8c28-1bde80a1b5a6", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:28:15.810Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"8b83fc5d3a6a80281269f9e337fe3fff\"", "actions": 
"[{\"arg\":{\"text\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:27:51.755Z\",\"id\":\"collect-67b47865\",\"result\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:27:51.953Z\",\"uuid\":\"ce2aea7b-4899-45aa-ab68-525401e99121\"},{\"arg\":{\"type\":\"md5\",\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\"},\"created\":\"2021-07-09T12:27:51.981Z\",\"id\":\"investigate-d79f63b3\",\"result\":{\"data\":[{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"valid_time\":{\"start_time\":\"2018-06-24T03:00:35.157Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"},{\"description\":\"1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"valid_time\":{\"start_time\":\"2018-06-24T03:00:35.157Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"judgement_id\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"disposition_name\":\"Suspicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:27:54.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06\",\"id\":\"transient:relationship-1509d085-1748-4946-9e02-a2f3dcb4a6d1\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"id\":\"transient:relationship-f704e0d3-1447-410a-b7cd-5a436934ba47\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054\",\"type\":\"relationship\",\"source_ref\":\"tr
ansient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f\",\"id\":\"transient:relationship-5ba28fdd-78b4-46d0-926b-798da27e2860\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-aa693112-d069-487c-8537-ea457c61c35a\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698\",\"id\":\"transient:relationship-7aac6e11-e687-4f84-bb89-52ab3ff7d299\",\"relationship_type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:27:54.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:27:54.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":6,\"docs\":[{\"description\":\"1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-24T03:00:33.606Z\"}},{\"description\":\"Seen by ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-03-15T09:48:17.000Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by 
PasteBin\",\"title\":\"21/11\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-10T09:03:34.000Z\"}},{\"description\":\"1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-24T03:00:33.606Z\"}},{\"description\":\"Seen by PasteBin\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PasteBin\",\"title\":\"21/11\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2021-02-10T09:03:34.000Z\"}},{\"description\":\"Seen by 
ThreatMiner\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"8b83fc5d3a6a80281269f9e337fe3fff\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ThreatMiner\",\"title\":\"Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff\",\"id\":\"transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096\",\"count\":1,\"timestamp\":\"2021-07-09T12:27:54.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-24T03:00:33.606Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:27:54.381Z\",\"uuid\":\"c18e710e-2898-494f-b07b-cf1283087a1b\"}]", "short_description": "Snapshot-with-md5", "omittedObservables": [], "archivedObservables": [{"key": "6d7edaad-e37b-4d3a-b240-8310bcc8c6f4", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "indicators": [{"description": "1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-aa693112-d069-487c-8537-ea457c61c35a", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": 
"2525-01-01T00:00:00.000Z"}, "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Recorded Future", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Recorded Future:55901e03", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "judgement_id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": "1faf0efb-d8a3-4333-ae39-bec39422910f", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": 
"85330040-7715-4e40-92bf-b0ccb0f6fefd", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "8b83fc5d3a6a80281269f9e337fe3fff", "module": "Recorded Future", 
"internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-12-23T09:48:17.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}], "revListOrder": 1}], "selectedObservables": [{"uuid": "b3adc8a4-53d3-412a-8e56-1e26348622f5", "observable": {"key": "6d7edaad-e37b-4d3a-b240-8310bcc8c6f4", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "indicators": [{"description": "1 sighting on 1 source: ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-c7b323ba-638d-4116-bfce-371d0acf5054", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "valid_time": {"start_time": "2016-04-03T03:00:35.157Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:indicator-aa693112-d069-487c-8537-ea457c61c35a", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High"}], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": 
"2525-01-01T00:00:00.000Z"}, "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Recorded Future", "module-type": null, "disposition_name": "Suspicious", "id": "verdict:Recorded Future:55901e03", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "judgement_id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-b36669da-6e20-493e-a471-6a5d1a25c994", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": "1faf0efb-d8a3-4333-ae39-bec39422910f", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:27:54.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-13ea96aa-5ed6-4d92-b06c-4881a5922698", "severity": "Medium", "action": "c18e710e-2898-494f-b07b-cf1283087a1b", "ctr_uuid": 
"85330040-7715-4e40-92bf-b0ccb0f6fefd", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "Shifting Tactics_ Tracking changes in years-long espionage campaign against Tibetans - The Citizen Lab", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-04de95fd-59ee-45c5-8940-f70a18721096", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-cff31b40-6264-4bc7-b850-eaba85012720", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. 2 related malwares: FakeM, Remote Access Trojan. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8c30293-ad07-43d8-b82b-496a97ddae06", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PasteBin", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PasteBin", "title": "21/11", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-ef15a3bb-f5f3-46b8-afc4-34de56efae7f", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2018-11-21T09:03:34.000Z"}}, {"description": "Seen by ThreatMiner", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ThreatMiner", "title": "8b83fc5d3a6a80281269f9e337fe3fff", "module": "Recorded Future", 
"internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-c6fa0a65-c358-45c8-8718-d9fe90d2f854", "count": 1, "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-12-23T09:48:17.000Z"}}, {"description": "1 sighting on 1 source: ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2016/Shifting%20Tactics_%20Tracking%20changes%20in%20years-long%20espionage%20campaign%20against%20Tibetans%20-%20The%20Citizen%20Lab.pdf", "schema_version": "1.1.6", "observable_value": "8b83fc5d3a6a80281269f9e337fe3fff", "observables": [{"value": "8b83fc5d3a6a80281269f9e337fe3fff", "type": "md5"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A8b83fc5d3a6a80281269f9e337fe3fff", "id": "transient:sighting-b8e2c0f3-a774-46c2-8950-f9b859de6d3f", "count": 1, "severity": "Medium", "observable_type": "md5", "timestamp": "2021-07-09T12:27:54.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}], "revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "md5", "value": "8b83fc5d3a6a80281269f9e337fe3fff", "id": "55901e03"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-2cec8a59-6e17-4aeb-8c28-1bde80a1b5a6", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:28:15.810Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file diff --git a/Recorded_Future/Snapshot-with-sha1.json b/Recorded_Future/Snapshot-with-sha1.json index 1aeed421..8fbcd5e1 100644 --- a/Recorded_Future/Snapshot-with-sha1.json 
+++ b/Recorded_Future/Snapshot-with-sha1.json 
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha1:\"42e6da9a08802b5ce5d1f754d4567665637b47bc\"", "actions": "[{\"arg\":{\"text\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:18:51.576Z\",\"id\":\"collect-bb5de819\",\"result\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:18:51.776Z\",\"uuid\":\"73640ee9-4868-4d17-8e2d-13735f333c5e\"},{\"arg\":{\"type\":\"sha1\",\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\"},\"created\":\"2021-07-09T12:18:51.802Z\",\"id\":\"investigate-e942ec36\",\"result\":{\"data\":[{\"module\":\"AMP Global Intelligence\",\"module_instance_id\":\"b37ff2ee-0ca1-4dbc-936d-a35bf7d5e18f\",\"module_type_id\":\"87563e81-ddc5-5f61-b4f8-dbe71252c922\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.\",\"tags\":[\"file\",\"antivirus\"],\"valid_time\":{\"start_time\":\"2018-09-05T00:00:00.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88\"],\"short_description\":\"Artifact Flagged Malicious by Antivirus Service\",\"title\":\"antivirus-service-flagged-artifact\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"},{\"description\":\"An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. 
They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.\",\"tags\":[\"trojan\",\"RAT\"],\"valid_time\":{\"start_time\":\"2015-12-24T00:00:00.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e\"],\"short_description\":\"Artifact Flagged as Known Trojan by Antivirus\",\"title\":\"malware-known-trojan-av\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"judgement_id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-01-13T03:26:57.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-08b69d01688d8965db5ab09f988e3ab8258b5901\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-9370e99d-afc0-48b1-895f-9e5758a5e5c9\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.195Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-871ae7e48c1c768565235448dee9bc5632f36cca\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-e9e8ac57-0c90-4f4e-b32c-aca33a71a0d3\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.281Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-cf4e0138b46e8efb3c2892429bd2ec6a1d9e823a\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-52860bc5-b198-4e4f-a8eb-c4224c8f108c\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.150Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-99ce9b71b33936eaca48bcb99f47302e7b09f339\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-9b4e6cd8-0622-4b74-ac7f-4d9b15badb3a\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.238Z\",\"relationship_type\":\"indicates\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-01-13T03:26:57.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.0.22\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"reason_uri\":\"https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32\",\"type\":\"judgement\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc\"],\"disposition\":2,\"reason\":\"AMP Threat Grid Sample Analysis\",\"source_uri\":\"https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"severity\":\"High\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.021Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"AMP Threat Grid Sample Analysis\",\"schema_version\":\"1.0.22\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"AMP Threat Grid File 
Dispositions\",\"external_ids\":[\"TG-file-sighting-fb9d7ead920c8be662d36f6541676d32\"],\"source_uri\":\"https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"id\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"count\":1,\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.103Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-01-13T03:20:45.000Z\",\"end_time\":\"2023-01-13T03:26:57.000Z\"}}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":5,\"docs\":[{\"description\":\"13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf\",\"valid_time\":{\"start_time\":\"2017-10-11T15:03:37.227Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"valid_time\":{\"start_time\":\"2017-10-11T15:03:37.227Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.\",\"valid_time\":{\"start_time\":\"2017-10-11T15:03:37.227Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. 
Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf\",\"valid_time\":{\"start_time\":\"2017-10-11T15:03:37.227Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Attack Vector\",\"title\":\"Linked to Attack Vector\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\",\"valid_time\":{\"start_time\":\"2017-10-11T15:03:37.227Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Threat Researcher\",\"title\":\"Threat 
Researcher\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"judgement_id\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"relationships\":{\"count\":10,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4\",\"id\":\"transient:relationship-b96c4cfc-2b1a-42b9-9baf-47d8bb583f0d\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"id\":\"transient:relationship-10f458c4-4d6d-4314-a487-1477a150b4b0\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-7b105694-dd88-45f2-8132-79146b849dca\",\"id\":\"transient:relationship-77d71b37-f539-410d-b316-a24d552884f7\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727\",\"id\":\"transient:relationship-2b435a54-f907-4077-bf31-eb1107fcdc7f\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.
1.6\",\"target_ref\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-a8743276-3f0e-488f-b25c-84db52637646\",\"id\":\"transient:relationship-5fb79e9e-65c8-4fb0-98f9-8a850c27e270\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1\",\"id\":\"transient:relationship-39f1000f-51e5-42d1-a8a3-1710cc5d61bf\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282\",\"id\":\"transient:relationship-db0ada07-65ed-410c-864d-ef2996a19a26\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd\",\"id\":\"transient:relationship-0cbf4ec6-10e9-45e7-b925-4f09ac4eb921\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-01cacf10-350c-492b-a074-170a1b38a117\",\"id\":\"transient:relationship-8cc3a3e8-36b8-4f8a-9e19-68beb2d67017\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-05567717-79dc-430e-bf24-7a882d507e32\",\"id\":\"transient:relationship-b102bd97-ae77-4b79-87fd-7092b11bed82\",\"relationship_type\":\"member-of\"}]},\"judgements\":{\"count\":5,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T0
0:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-a8743276-3f0e-488f-b25c-84db52637646\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence 
Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":3,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:18:53.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":8,\"docs\":[{\"description\":\"Seen by PolySwarm\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PolySwarm\",\"title\":\"PolySwarm report for 
8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-14T01:20:01.037Z\"}},{\"description\":\"13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-01cacf10-350c-492b-a074-170a1b38a117\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-17T03:00:33.606Z\"}},{\"description\":\"Seen by contagioblog PH\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by contagioblog PH\",\"title\":\"Part II. 
APT29 Russian APT including Fancy Bear\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-06-14T06:02:00.000Z\"}},{\"description\":\"Seen by GitHub\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by GitHub\",\"title\":\"\\n Add Fireeye's report on APT29 HammerToss\\n \",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2017-10-11T14:57:04.000Z\"}},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-09T16:44:23.000Z\"}},{\"description\":\"41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Threat Researcher\",\"title\":\"Threat Researcher\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-7b105694-dd88-45f2-8132-79146b849dca\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-09-30T08:04:15.203Z\"}},{\"description\":\"11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Attack Vector\",\"title\":\"Linked to Attack Vector\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2017-11-28T10:19:24.000Z\"}},{\"description\":\"51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-05567717-79dc-430e-bf24-7a882d507e32\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-14T01:20:01.037Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:18:53.978Z\",\"uuid\":\"62ca9445-49b4-4f03-a48b-1722f8d4bb38\"}]", "short_description": "Snapshot-with-sha1", "omittedObservables": [], "archivedObservables": [{"key": "02790701-eaa9-432f-8d49-73f3a5f3d1f9", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "indicators": [{"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. 
They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.", "tags": ["trojan", "RAT"], "valid_time": {"start_time": "2013-10-10T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e"], "short_description": "Artifact Flagged as Known Trojan by Antivirus", "title": "malware-known-trojan-av", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}], "type": "sha1", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760"}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98"}], "notifications": [], 
"disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "1fc522ae-f297-4ad8-a611-178068b5d52c", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "133a7a2d-9d66-4d9b-9778-2543771e7fd6", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", 
"source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "7ecd785b-f6f2-4dad-bf48-12e671d46722", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "6444180b-18fc-4500-b40d-117963c22fbb", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-a8743276-3f0e-488f-b25c-84db52637646", "severity": "Medium", "action": 
"62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "c298f17b-9a96-4fa4-9046-fc77d6a9de28", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.22", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "reason_uri": "https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98", "severity": "High", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "aace039e-414f-4215-b15b-3775a6e877c3", "timestamp": "2020-12-01T04:49:10.021Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-05567717-79dc-430e-bf24-7a882d507e32", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-09-15T10:19:24.000Z"}}, {"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-7b105694-dd88-45f2-8132-79146b849dca", "count": 1, "severity": "Low", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2020-07-17T08:04:15.203Z"}}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727", "count": 1, "severity": "High", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-23T16:44:23.000Z"}}, {"description": "Seen by GitHub", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future 
Recent Reference", "short_description": "Seen by GitHub", "title": "\n Add Fireeye's report on APT29 HammerToss\n ", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-07-29T14:57:04.000Z"}}, {"description": "Seen by contagioblog PH", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by contagioblog PH", "title": "Part II. APT29 Russian APT including Fancy Bear", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2017-03-31T06:02:00.000Z"}}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-01cacf10-350c-492b-a074-170a1b38a117", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.22", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": 
["TG-file-sighting-fb9d7ead920c8be662d36f6541676d32"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d", "count": 1, "tlp": "green", "observable_type": "sha1", "timestamp": "2020-12-01T04:49:10.103Z", "confidence": "High", "observed_time": {"start_time": "2020-10-30T03:20:45.000Z", "end_time": "2020-10-30T03:26:57.000Z"}}], "revListOrder": 1}], "selectedObservables": [{"uuid": "63608680-a43a-4552-9d8b-91a8de54e22d", "observable": {"key": "02790701-eaa9-432f-8d49-73f3a5f3d1f9", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "indicators": [{"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. 
Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. 
Trojans may steal information or infect the host systems. They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.", "tags": ["trojan", "RAT"], "valid_time": {"start_time": "2013-10-10T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e"], "short_description": "Artifact Flagged as Known Trojan by Antivirus", "title": "malware-known-trojan-av", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}], "type": "sha1", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760"}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98"}], "notifications": [], 
"disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "1fc522ae-f297-4ad8-a611-178068b5d52c", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "133a7a2d-9d66-4d9b-9778-2543771e7fd6", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", 
"source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "7ecd785b-f6f2-4dad-bf48-12e671d46722", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "6444180b-18fc-4500-b40d-117963c22fbb", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-a8743276-3f0e-488f-b25c-84db52637646", "severity": "Medium", "action": 
"62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "c298f17b-9a96-4fa4-9046-fc77d6a9de28", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.22", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "reason_uri": "https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98", "severity": "High", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "aace039e-414f-4215-b15b-3775a6e877c3", "timestamp": "2020-12-01T04:49:10.021Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-05567717-79dc-430e-bf24-7a882d507e32", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-09-15T10:19:24.000Z"}}, {"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-7b105694-dd88-45f2-8132-79146b849dca", "count": 1, "severity": "Low", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2020-07-17T08:04:15.203Z"}}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727", "count": 1, "severity": "High", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-23T16:44:23.000Z"}}, {"description": "Seen by GitHub", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future 
Recent Reference", "short_description": "Seen by GitHub", "title": "\n Add Fireeye's report on APT29 HammerToss\n ", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-07-29T14:57:04.000Z"}}, {"description": "Seen by contagioblog PH", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by contagioblog PH", "title": "Part II. APT29 Russian APT including Fancy Bear", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2017-03-31T06:02:00.000Z"}}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-01cacf10-350c-492b-a074-170a1b38a117", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.22", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": 
["TG-file-sighting-fb9d7ead920c8be662d36f6541676d32"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d", "count": 1, "tlp": "green", "observable_type": "sha1", "timestamp": "2020-12-01T04:49:10.103Z", "confidence": "High", "observed_time": {"start_time": "2020-10-30T03:20:45.000Z", "end_time": "2020-10-30T03:26:57.000Z"}}], "revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "sha1", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-57f5923f-5e3f-4eab-859b-4de8dea8f5e9", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:19:21.648Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha1:\"42e6da9a08802b5ce5d1f754d4567665637b47bc\"", "actions": "[{\"arg\":{\"text\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:18:51.576Z\",\"id\":\"collect-bb5de819\",\"result\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:18:51.776Z\",\"uuid\":\"73640ee9-4868-4d17-8e2d-13735f333c5e\"},{\"arg\":{\"type\":\"sha1\",\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\"},\"created\":\"2021-07-09T12:18:51.802Z\",\"id\":\"investigate-e942ec36\",\"result\":{\"data\":[{\"module\":\"AMP Global Intelligence\",\"module_instance_id\":\"b37ff2ee-0ca1-4dbc-936d-a35bf7d5e18f\",\"module_type_id\":\"87563e81-ddc5-5f61-b4f8-dbe71252c922\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"An antivirus service 
flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. The results of individual antivirus engine scans are displayed, if available.\",\"tags\":[\"file\",\"antivirus\"],\"valid_time\":{\"start_time\":\"2018-09-12T00:00:00.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88\"],\"short_description\":\"Artifact Flagged Malicious by Antivirus Service\",\"title\":\"antivirus-service-flagged-artifact\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"},{\"description\":\"An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. 
They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.\",\"tags\":[\"trojan\",\"RAT\"],\"valid_time\":{\"start_time\":\"2015-12-31T00:00:00.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e\"],\"short_description\":\"Artifact Flagged as Known Trojan by Antivirus\",\"title\":\"malware-known-trojan-av\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"judgement_id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-01-20T03:26:57.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-08b69d01688d8965db5ab09f988e3ab8258b5901\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-9370e99d-afc0-48b1-895f-9e5758a5e5c9\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.195Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-871ae7e48c1c768565235448dee9bc5632f36cca\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-e9e8ac57-0c90-4f4e-b32c-aca33a71a0d3\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.281Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-cf4e0138b46e8efb3c2892429bd2ec6a1d9e823a\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-52860bc5-b198-4e4f-a8eb-c4224c8f108c\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.150Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.22\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-99ce9b71b33936eaca48bcb99f47302e7b09f339\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-9b4e6cd8-0622-4b74-ac7f-4d9b15badb3a\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.238Z\",\"relationship_type\":\"indicates\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-01-20T03:26:57.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.0.22\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"reason_uri\":\"https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32\",\"type\":\"judgement\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc\"],\"disposition\":2,\"reason\":\"AMP Threat Grid Sample Analysis\",\"source_uri\":\"https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98\",\"severity\":\"High\",\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.021Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"AMP Threat Grid Sample Analysis\",\"schema_version\":\"1.0.22\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"AMP Threat Grid File 
Dispositions\",\"external_ids\":[\"TG-file-sighting-fb9d7ead920c8be662d36f6541676d32\"],\"source_uri\":\"https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"id\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d\",\"count\":1,\"tlp\":\"green\",\"timestamp\":\"2020-12-01T04:49:10.103Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-01-20T03:20:45.000Z\",\"end_time\":\"2023-01-20T03:26:57.000Z\"}}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":5,\"docs\":[{\"description\":\"13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf\",\"valid_time\":{\"start_time\":\"2017-10-18T15:03:37.227Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"valid_time\":{\"start_time\":\"2017-10-18T15:03:37.227Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.\",\"valid_time\":{\"start_time\":\"2017-10-18T15:03:37.227Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. 
Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf\",\"valid_time\":{\"start_time\":\"2017-10-18T15:03:37.227Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Attack Vector\",\"title\":\"Linked to Attack Vector\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"description\":\"41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\",\"valid_time\":{\"start_time\":\"2017-10-18T15:03:37.227Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Threat Researcher\",\"title\":\"Threat 
Researcher\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"judgement_id\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"relationships\":{\"count\":10,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4\",\"id\":\"transient:relationship-b96c4cfc-2b1a-42b9-9baf-47d8bb583f0d\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"id\":\"transient:relationship-10f458c4-4d6d-4314-a487-1477a150b4b0\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-7b105694-dd88-45f2-8132-79146b849dca\",\"id\":\"transient:relationship-77d71b37-f539-410d-b316-a24d552884f7\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727\",\"id\":\"transient:relationship-2b435a54-f907-4077-bf31-eb1107fcdc7f\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.
1.6\",\"target_ref\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-a8743276-3f0e-488f-b25c-84db52637646\",\"id\":\"transient:relationship-5fb79e9e-65c8-4fb0-98f9-8a850c27e270\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1\",\"id\":\"transient:relationship-39f1000f-51e5-42d1-a8a3-1710cc5d61bf\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282\",\"id\":\"transient:relationship-db0ada07-65ed-410c-864d-ef2996a19a26\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd\",\"id\":\"transient:relationship-0cbf4ec6-10e9-45e7-b925-4f09ac4eb921\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-01cacf10-350c-492b-a074-170a1b38a117\",\"id\":\"transient:relationship-8cc3a3e8-36b8-4f8a-9e19-68beb2d67017\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-05567717-79dc-430e-bf24-7a882d507e32\",\"id\":\"transient:relationship-b102bd97-ae77-4b79-87fd-7092b11bed82\",\"relationship_type\":\"member-of\"}]},\"judgements\":{\"count\":5,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T0
0:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-a8743276-3f0e-488f-b25c-84db52637646\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence 
Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":3,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-76113189-367a-4c6c-b179-6087ece74760\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:18:53.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":8,\"docs\":[{\"description\":\"Seen by PolySwarm\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PolySwarm\",\"title\":\"PolySwarm report for 
8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-21T01:20:01.037Z\"}},{\"description\":\"13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Cyber Attack\",\"title\":\"Linked to Cyber Attack\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-01cacf10-350c-492b-a074-170a1b38a117\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2018-06-24T03:00:33.606Z\"}},{\"description\":\"Seen by contagioblog PH\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by contagioblog PH\",\"title\":\"Part II. 
APT29 Russian APT including Fancy Bear\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2019-06-21T06:02:00.000Z\"}},{\"description\":\"Seen by GitHub\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by GitHub\",\"title\":\"\\n Add Fireeye's report on APT29 HammerToss\\n \",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6\",\"count\":1,\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2017-10-18T14:57:04.000Z\"}},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-16T16:44:23.000Z\"}},{\"description\":\"41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Threat Researcher\",\"title\":\"Threat Researcher\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-7b105694-dd88-45f2-8132-79146b849dca\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-10-07T08:04:15.203Z\"}},{\"description\":\"11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Attack Vector\",\"title\":\"Linked to Attack Vector\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2017-12-05T10:19:24.000Z\"}},{\"description\":\"51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"type\":\"sha1\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc\",\"id\":\"transient:sighting-05567717-79dc-430e-bf24-7a882d507e32\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:18:53.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-21T01:20:01.037Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:18:53.978Z\",\"uuid\":\"62ca9445-49b4-4f03-a48b-1722f8d4bb38\"}]", "short_description": "Snapshot-with-sha1", "omittedObservables": [], "archivedObservables": [{"key": "02790701-eaa9-432f-8d49-73f3a5f3d1f9", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "indicators": [{"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. 
They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.", "tags": ["trojan", "RAT"], "valid_time": {"start_time": "2013-10-10T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e"], "short_description": "Artifact Flagged as Known Trojan by Antivirus", "title": "malware-known-trojan-av", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}], "type": "sha1", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760"}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98"}], "notifications": [], 
"disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "1fc522ae-f297-4ad8-a611-178068b5d52c", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "133a7a2d-9d66-4d9b-9778-2543771e7fd6", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", 
"source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "7ecd785b-f6f2-4dad-bf48-12e671d46722", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "6444180b-18fc-4500-b40d-117963c22fbb", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-a8743276-3f0e-488f-b25c-84db52637646", "severity": "Medium", "action": 
"62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "c298f17b-9a96-4fa4-9046-fc77d6a9de28", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.22", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "reason_uri": "https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98", "severity": "High", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "aace039e-414f-4215-b15b-3775a6e877c3", "timestamp": "2020-12-01T04:49:10.021Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-05567717-79dc-430e-bf24-7a882d507e32", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-09-15T10:19:24.000Z"}}, {"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-7b105694-dd88-45f2-8132-79146b849dca", "count": 1, "severity": "Low", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2020-07-17T08:04:15.203Z"}}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727", "count": 1, "severity": "High", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-23T16:44:23.000Z"}}, {"description": "Seen by GitHub", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future 
Recent Reference", "short_description": "Seen by GitHub", "title": "\n Add Fireeye's report on APT29 HammerToss\n ", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-07-29T14:57:04.000Z"}}, {"description": "Seen by contagioblog PH", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by contagioblog PH", "title": "Part II. APT29 Russian APT including Fancy Bear", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2017-03-31T06:02:00.000Z"}}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-01cacf10-350c-492b-a074-170a1b38a117", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.22", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": 
["TG-file-sighting-fb9d7ead920c8be662d36f6541676d32"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d", "count": 1, "tlp": "green", "observable_type": "sha1", "timestamp": "2020-12-01T04:49:10.103Z", "confidence": "High", "observed_time": {"start_time": "2020-10-30T03:20:45.000Z", "end_time": "2020-10-30T03:26:57.000Z"}}], "revListOrder": 1}], "selectedObservables": [{"uuid": "63608680-a43a-4552-9d8b-91a8de54e22d", "observable": {"key": "02790701-eaa9-432f-8d49-73f3a5f3d1f9", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "indicators": [{"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-01782c49-068c-4fb6-b886-2e74bd96d51b", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. 
Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-3dde9243-070d-43a9-8f48-5507f80125f1", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-a34b6bcb-a501-4c79-993e-3f6e3e1f0391", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-f19ed0c9-10bf-4b12-93a7-1b81d5aa1454", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "valid_time": {"start_time": "2015-07-29T15:03:37.227Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:indicator-fe07ab69-ba10-4a23-9aa6-356e26954f19", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High"}, {"description": "An antivirus engine flagged an artifact as a Trojan. A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. 
Trojans may steal information or infect the host systems. They are commonly installed by drive-by downloads or embedded into games or Internet driven applications.", "tags": ["trojan", "RAT"], "valid_time": {"start_time": "2013-10-10T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-412c0f2e3e1998445f7fea4fbad7c95f06b57ddf8675b04d866f88d7e807468e"], "short_description": "Artifact Flagged as Known Trojan by Antivirus", "title": "malware-known-trojan-av", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-1e12d77b-2dab-4ec4-bf20-b5ec827e0a51", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High"}], "type": "sha1", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760"}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:d0e3affc", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98"}], "notifications": [], 
"disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-9931a48c-2b2b-41a3-aab9-a7d27edd8282", "severity": "Low", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "1fc522ae-f297-4ad8-a611-178068b5d52c", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-76113189-367a-4c6c-b179-6087ece74760", "severity": "High", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "133a7a2d-9d66-4d9b-9778-2543771e7fd6", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", 
"source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-593894dc-8ff5-48e0-b979-0bdcabe5b0b4", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "7ecd785b-f6f2-4dad-bf48-12e671d46722", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-6713384e-a73a-4462-aed3-716bb6772dfd", "severity": "Medium", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "6444180b-18fc-4500-b40d-117963c22fbb", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:18:53.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-a8743276-3f0e-488f-b25c-84db52637646", "severity": "Medium", "action": 
"62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "c298f17b-9a96-4fa4-9046-fc77d6a9de28", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-10-30T03:26:57.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.22", "observable": {"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}, "reason_uri": "https://panacea.threatgrid.com/samples/fb9d7ead920c8be662d36f6541676d32", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha1-42e6da9a08802b5ce5d1f754d4567665637b47bc"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-b8c2ce76-4a8e-4cdf-af6d-dd03866e6a98", "severity": "High", "tlp": "green", "action": "62ca9445-49b4-4f03-a48b-1722f8d4bb38", "ctr_uuid": "aace039e-414f-4215-b15b-3775a6e877c3", "timestamp": "2020-12-01T04:49:10.021Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "51 sightings on 8 sources including: Ver007 APT Tools, F-Secure, www2.fireeye.com, t.co, PolySwarm. 13 related malwares including Seaduke, Trojan, Duke APT Family, Backdoor, Remote Access Trojan. 
Most recent link (Feb 28, 2021): https://polyswarm.network/scan/results/file/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-05567717-79dc-430e-bf24-7a882d507e32", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "11 sightings on 2 sources: F-Secure, wordpress.com. 1 related attack vector: Cyber spying. Most recent link (Sep 15, 2015): https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Attack Vector", "title": "Linked to Attack Vector", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-0c545f99-2b1d-4ca0-a8fd-209d6af325d1", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-09-15T10:19:24.000Z"}}, {"description": "41 sightings on 3 sources: FireEye Threat Research Blog, F-Secure, www2.fireeye.com. 
Most recent link (Jul 17, 2020): https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Threat Researcher", "title": "Threat Researcher", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-7b105694-dd88-45f2-8132-79146b849dca", "count": 1, "severity": "Low", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2020-07-17T08:04:15.203Z"}}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 11, 2015): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-89b93477-5b24-4edd-a27a-565cc7a81727", "count": 1, "severity": "High", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-23T16:44:23.000Z"}}, {"description": "Seen by GitHub", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future 
Recent Reference", "short_description": "Seen by GitHub", "title": "\n Add Fireeye's report on APT29 HammerToss\n ", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-76d79ebb-5dde-43e9-a789-9c2d6cd7adc6", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2015-07-29T14:57:04.000Z"}}, {"description": "Seen by contagioblog PH", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by contagioblog PH", "title": "Part II. APT29 Russian APT including Fancy Bear", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-f501a5ac-23c3-4c41-bfe4-0a61dfdeff21", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2017-03-31T06:02:00.000Z"}}, {"description": "13 sightings on 3 sources: Ver007 APT Tools, www2.fireeye.com, ThreatMiner. 
Most recent link (Apr 3, 2016): https://www.threatminer.org/_reports/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Cyber Attack", "title": "Linked to Cyber Attack", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-01cacf10-350c-492b-a074-170a1b38a117", "count": 1, "severity": "Medium", "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2016-04-03T03:00:33.606Z"}}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "transient:sighting-6b4fb0af-f99c-4bab-9637-4000ef5ed172", "count": 1, "observable_type": "sha1", "timestamp": "2021-07-09T12:18:53.000Z", "confidence": "High", "observed_time": {"start_time": "2021-02-28T01:20:01.037Z"}}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.22", "observable_value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "observables": [{"value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "type": "sha1"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": 
["TG-file-sighting-fb9d7ead920c8be662d36f6541676d32"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-703f308a-662f-4eeb-b58a-c67fa457ab2d", "count": 1, "tlp": "green", "observable_type": "sha1", "timestamp": "2020-12-01T04:49:10.103Z", "confidence": "High", "observed_time": {"start_time": "2020-10-30T03:20:45.000Z", "end_time": "2020-10-30T03:26:57.000Z"}}], "revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "sha1", "value": "42e6da9a08802b5ce5d1f754d4567665637b47bc", "id": "d0e3affc"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-57f5923f-5e3f-4eab-859b-4de8dea8f5e9", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:19:21.648Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"}
\ No newline at end of file
diff --git a/Recorded_Future/Snapshot-with-sha256.json b/Recorded_Future/Snapshot-with-sha256.json
index a8b6bb35..370ca4bc 100644
--- a/Recorded_Future/Snapshot-with-sha256.json
+++ b/Recorded_Future/Snapshot-with-sha256.json
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha256:\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"", "actions": "[{\"arg\":{\"text\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:23:46.503Z\",\"id\":\"collect-2e6d3d03\",\"result\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:23:46.693Z\",\"uuid\":\"ec8765fc-16de-457a-998b-df1346a4dca1\"},{\"arg\":{\"type\":\"sha256\",\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"},\"created\":\"2021-07-09T12:23:46.722Z\",\"id\":\"investigate-6bd9d3b8\",\"result\":{\"data\":[{\"module\":\"AMP Global Intelligence\",\"module_instance_id\":\"b37ff2ee-0ca1-4dbc-936d-a35bf7d5e18f\",\"module_type_id\":\"87563e81-ddc5-5f61-b4f8-dbe71252c922\",\"data\":{\"indicators\":{\"count\":1,\"docs\":[{\"description\":\"An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.\",\"tags\":[\"file\",\"antivirus\"],\"valid_time\":{\"start_time\":\"2018-09-05T00:00:00.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88\"],\"short_description\":\"Artifact Flagged Malicious by Antivirus Service\",\"title\":\"antivirus-service-flagged-artifact\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"judgement_id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2022-07-12T17:25:30.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"relationships\":{\"count\":2,\"docs\":[{\"schema_version\":\"1.0.16\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-6b38c8cdadc2c83c892d147bcaea9a36e9a868dc\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-96b583bd-b42a-4ac1-a35e-84687cf7763d\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.627Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.16\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-1441e0ab308a1f9dcfd2a02581238dcd37bd5699\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-8b143030-ac62-4d39-bfe3-4361069f7c00\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.609Z\",\"relationship_type\":\"indicates\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2022-07-12T17:25:30.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.0.16\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"reason_uri\":\"https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3\",\"type\":\"judgement\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"],\"disposition\":2,\"reason\":\"AMP Threat Grid Sample 
Analysis\",\"source_uri\":\"https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"severity\":\"High\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.569Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"AMP Threat Grid Sample Analysis\",\"schema_version\":\"1.0.16\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3\"],\"source_uri\":\"https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1\",\"count\":1,\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.589Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-07-12T17:19:26.000Z\",\"end_time\":\"2022-07-12T17:25:30.000Z\"}}]}}},{\"module\":\"AMP File 
Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:23:46.926Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:23:46.926Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"AMP Protect DB\",\"disposition\":2,\"reason\":\"AMP ProtectDB Conviction\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:6d0a848b-c809-40cb-acef-86507e40abd5\",\"severity\":\"High\",\"tlp\":\"amber\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"valid_time\":{\"start_time\":\"2022-09-08T16:35:36.004Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.\",\"valid_time\":{\"start_time\":\"2022-09-08T16:35:36.004Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware 
Verdict\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"judgement_id\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-22T12:23:48.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35\",\"id\":\"transient:relationship-444ae80e-8335-4454-9161-c2525b6105c6\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056\",\"id\":\"transient:relationship-32c8d982-47cc-4502-913a-5281d284393e\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff\",\"id\":\"transient:relationship-9b06184b-4b95-4161-98f7-dc63333e2edd\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"id\":\"transient:relationship-af1b6ce7-5dab-4b5a-994b-79574d251f67\",\"relationship_
type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T12:23:48.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-22T12:23:48.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":3,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":4,\"docs\":[{\"description\":\"9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-27T12:04:35.279Z\"}},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-24T10:56:08.000Z\"}},{\"description\":\"Seen by PolySwarm\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PolySwarm\",\"title\":\"PolySwarm 
report for 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4\",\"count\":1,\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-27T12:04:35.279Z\"}},{\"description\":\"Seen by ReversingLabs\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ReversingLabs\",\"title\":\"ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa\",\"count\":1,\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-07-01T06:45:00.000Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:23:48.829Z\",\"uuid\":\"0f589b9a-a087-4a87-8a3a-c0ac69a53d50\"}]", "short_description": "Snapshot-with-sha256", "omittedObservables": [], "archivedObservables": [{"key": "f0933a42-ae74-4352-87fe-08f0e4fc777b", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "indicators": [{"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "205f85a0-e98a-44cd-b792-e2e50c843a2f", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6c7d7881-dddf-4698-a84d-26fa9c09137e", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "An antivirus service flagged an artifact as malicious. 
When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "3bf9c4cc-4b83-4dfb-a57d-135cfb77c765", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High", "ctr_hide": false}], "type": "sha256", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "b7783206-2d2f-4b96-ba61-97b596ae6682", "judgement_id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "ctr_hide": false}, 
{"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP File Reputation:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "698f4dd1-8748-4ff2-862b-410c6793066e", "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "d721173c-adf4-44a7-95a5-ca6f5d2d4c3a", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "ctr_hide": false}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "severity": "High", "action": 
"0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "2c37471e-0bd4-453d-aaf2-f3d805cb7221", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6cc99614-fa2b-4ff6-8e2e-71a8a6d23362", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.3", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "AMP Protect DB", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "reason": "AMP ProtectDB Conviction", "disposition_name": "Malicious", "priority": 90, "id": "transient:6d0a848b-c809-40cb-acef-86507e40abd5", "severity": "High", "tlp": "amber", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "33a51412-a697-49fd-b25d-ed05c0f54693", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.16", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": 
"sha256"}, "reason_uri": "https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "severity": "High", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "91ad75cd-a7ad-426b-8e3b-3f5f90c2f9f9", "timestamp": "2020-04-29T07:23:28.569Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ReversingLabs", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ReversingLabs", "title": "ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa", "count": 1, "observable_type": "sha256", "ctr_uuid": "87c50aa0-53f2-453f-afc7-cb1977c3f56c", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2020-04-17T06:45:00.000Z"}, "ctr_hide": false}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", 
"observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4", "count": 1, "observable_type": "sha256", "ctr_uuid": "0cd0ee57-e288-4ad9-b85e-bbaf21738e5d", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056", "count": 1, "severity": "High", "observable_type": "sha256", "ctr_uuid": "28ad11bb-80e3-476a-84a8-57c71c19bcd7", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-10T10:56:08.000Z"}, "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 
2 related malwares: Trojan, GenericKD. Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff", "count": 1, "severity": "Medium", "observable_type": "sha256", "ctr_uuid": "f19d3fae-61fa-4660-bfe3-88490c4f6b8b", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.16", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1", "count": 1, "tlp": "green", "observable_type": "sha256", "ctr_uuid": "5e386fd1-ed5a-4efc-b256-23ad719aa164", "timestamp": "2020-04-29T07:23:28.589Z", "confidence": "High", "observed_time": {"start_time": "2020-04-28T17:19:26.000Z", "end_time": 
"2020-04-28T17:25:30.000Z"}, "ctr_hide": false}], "revListOrder": 1}], "selectedObservables": [{"uuid": "71d6a4aa-3729-4976-a93c-bcf72a7fac28", "observable": {"key": "f0933a42-ae74-4352-87fe-08f0e4fc777b", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "indicators": [{"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "205f85a0-e98a-44cd-b792-e2e50c843a2f", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6c7d7881-dddf-4698-a84d-26fa9c09137e", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "3bf9c4cc-4b83-4dfb-a57d-135cfb77c765", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High", "ctr_hide": false}], "type": "sha256", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "b7783206-2d2f-4b96-ba61-97b596ae6682", "judgement_id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP File Reputation:b4dd6f8b", "action": 
"0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "698f4dd1-8748-4ff2-862b-410c6793066e", "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "d721173c-adf4-44a7-95a5-ca6f5d2d4c3a", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "ctr_hide": false}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "2c37471e-0bd4-453d-aaf2-f3d805cb7221", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": 
"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6cc99614-fa2b-4ff6-8e2e-71a8a6d23362", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.3", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "AMP Protect DB", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "reason": "AMP ProtectDB Conviction", "disposition_name": "Malicious", "priority": 90, "id": "transient:6d0a848b-c809-40cb-acef-86507e40abd5", "severity": "High", "tlp": "amber", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "33a51412-a697-49fd-b25d-ed05c0f54693", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.16", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "reason_uri": "https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": 
null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "severity": "High", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "91ad75cd-a7ad-426b-8e3b-3f5f90c2f9f9", "timestamp": "2020-04-29T07:23:28.569Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ReversingLabs", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ReversingLabs", "title": "ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa", "count": 1, "observable_type": "sha256", "ctr_uuid": "87c50aa0-53f2-453f-afc7-cb1977c3f56c", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2020-04-17T06:45:00.000Z"}, "ctr_hide": false}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 
323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4", "count": 1, "observable_type": "sha256", "ctr_uuid": "0cd0ee57-e288-4ad9-b85e-bbaf21738e5d", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056", "count": 1, "severity": "High", "observable_type": "sha256", "ctr_uuid": "28ad11bb-80e3-476a-84a8-57c71c19bcd7", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-10T10:56:08.000Z"}, "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff", "count": 1, "severity": "Medium", "observable_type": "sha256", "ctr_uuid": "f19d3fae-61fa-4660-bfe3-88490c4f6b8b", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.16", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1", "count": 1, "tlp": "green", "observable_type": "sha256", "ctr_uuid": "5e386fd1-ed5a-4efc-b256-23ad719aa164", "timestamp": "2020-04-29T07:23:28.589Z", "confidence": "High", "observed_time": {"start_time": "2020-04-28T17:19:26.000Z", "end_time": "2020-04-28T17:25:30.000Z"}, "ctr_hide": false}], 
"revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "sha256", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-c3d01b6a-77b1-404c-b029-913123269fc5", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:24:33.909Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha256:\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"", "actions": "[{\"arg\":{\"text\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T12:23:46.503Z\",\"id\":\"collect-2e6d3d03\",\"result\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T12:23:46.693Z\",\"uuid\":\"ec8765fc-16de-457a-998b-df1346a4dca1\"},{\"arg\":{\"type\":\"sha256\",\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"},\"created\":\"2021-07-09T12:23:46.722Z\",\"id\":\"investigate-6bd9d3b8\",\"result\":{\"data\":[{\"module\":\"AMP Global Intelligence\",\"module_instance_id\":\"b37ff2ee-0ca1-4dbc-936d-a35bf7d5e18f\",\"module_type_id\":\"87563e81-ddc5-5f61-b4f8-dbe71252c922\",\"data\":{\"indicators\":{\"count\":1,\"docs\":[{\"description\":\"An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. 
One or more of these services have indicated that the file is malicious with a high degree of confidence. The results of individual antivirus engine scans are displayed, if available.\",\"tags\":[\"file\",\"antivirus\"],\"valid_time\":{\"start_time\":\"2018-09-12T00:00:00.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Threat Grid\",\"schema_version\":\"1.0.19\",\"type\":\"indicator\",\"source\":\"Threat Grid Indicators\",\"external_ids\":[\"hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88\"],\"short_description\":\"Artifact Flagged Malicious by Antivirus Service\",\"title\":\"antivirus-service-flagged-artifact\",\"source_uri\":\"https://panacea.threatgrid.com\",\"id\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"tlp\":\"green\",\"timestamp\":\"2020-10-28T20:37:25.082Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"judgement_id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2022-07-19T17:25:30.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"relationships\":{\"count\":2,\"docs\":[{\"schema_version\":\"1.0.16\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample 
Analysis\",\"external_ids\":[\"relationship-6b38c8cdadc2c83c892d147bcaea9a36e9a868dc\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-96b583bd-b42a-4ac1-a35e-84687cf7763d\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.627Z\",\"relationship_type\":\"indicates\"},{\"schema_version\":\"1.0.16\",\"target_ref\":\"https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc\",\"type\":\"relationship\",\"source\":\"AMP Threat Grid Sample Analysis\",\"external_ids\":[\"relationship-1441e0ab308a1f9dcfd2a02581238dcd37bd5699\"],\"source_ref\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"id\":\"https://intel.amp.cisco.com:443/ctia/relationship/relationship-8b143030-ac62-4d39-bfe3-4361069f7c00\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.609Z\",\"relationship_type\":\"indicates\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2022-07-19T17:25:30.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.0.16\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"reason_uri\":\"https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3\",\"type\":\"judgement\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\"],\"disposition\":2,\"reason\":\"AMP Threat Grid Sample 
Analysis\",\"source_uri\":\"https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2\",\"severity\":\"High\",\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.569Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"AMP Threat Grid Sample Analysis\",\"schema_version\":\"1.0.16\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"AMP Threat Grid File Dispositions\",\"external_ids\":[\"TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3\"],\"source_uri\":\"https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1\",\"count\":1,\"tlp\":\"green\",\"timestamp\":\"2020-04-29T07:23:28.589Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-07-19T17:19:26.000Z\",\"end_time\":\"2022-07-19T17:25:30.000Z\"}}]}}},{\"module\":\"AMP File 
Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:23:46.926Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:23:46.926Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"AMP Protect DB\",\"disposition\":2,\"reason\":\"AMP ProtectDB Conviction\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:6d0a848b-c809-40cb-acef-86507e40abd5\",\"severity\":\"High\",\"tlp\":\"amber\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":2,\"docs\":[{\"description\":\"9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"valid_time\":{\"start_time\":\"2022-09-15T16:35:36.004Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.\",\"valid_time\":{\"start_time\":\"2022-09-15T16:35:36.004Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware 
Verdict\",\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":3,\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"judgement_id\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-29T12:23:48.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"}}]},\"relationships\":{\"count\":4,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35\",\"id\":\"transient:relationship-444ae80e-8335-4454-9161-c2525b6105c6\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056\",\"id\":\"transient:relationship-32c8d982-47cc-4502-913a-5281d284393e\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff\",\"id\":\"transient:relationship-9b06184b-4b95-4161-98f7-dc63333e2edd\",\"relationship_type\":\"member-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"id\":\"transient:relationship-af1b6ce7-5dab-4b5a-994b-79574d251f67\",\"relationship_
type\":\"element-of\"}]},\"judgements\":{\"count\":2,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T12:23:48.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":2,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Suspicious\",\"priority\":90,\"id\":\"transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35\",\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"},{\"valid_time\":{\"start_time\":\"2023-09-29T12:23:48.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":3,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865\",\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":4,\"docs\":[{\"description\":\"9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Linked to Malware\",\"title\":\"Linked to Malware\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff\",\"count\":1,\"severity\":\"Medium\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-03T12:04:35.279Z\"}},{\"description\":\"2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Positive Malware Verdict\",\"title\":\"Positive Malware Verdict\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056\",\"count\":1,\"severity\":\"High\",\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-05-31T10:56:08.000Z\"}},{\"description\":\"Seen by PolySwarm\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by PolySwarm\",\"title\":\"PolySwarm 
report for 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4\",\"count\":1,\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-03T12:04:35.279Z\"}},{\"description\":\"Seen by ReversingLabs\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Recent Reference\",\"short_description\":\"Seen by ReversingLabs\",\"title\":\"ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"internal\":false,\"source_uri\":\"https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba\",\"id\":\"transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa\",\"count\":1,\"timestamp\":\"2021-07-09T12:23:48.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2022-07-08T06:45:00.000Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T12:23:48.829Z\",\"uuid\":\"0f589b9a-a087-4a87-8a3a-c0ac69a53d50\"}]", "short_description": "Snapshot-with-sha256", "omittedObservables": [], "archivedObservables": [{"key": "f0933a42-ae74-4352-87fe-08f0e4fc777b", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "indicators": [{"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. 
Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "205f85a0-e98a-44cd-b792-e2e50c843a2f", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6c7d7881-dddf-4698-a84d-26fa9c09137e", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "An antivirus service flagged an artifact as malicious. 
When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "3bf9c4cc-4b83-4dfb-a57d-135cfb77c765", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High", "ctr_hide": false}], "type": "sha256", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "b7783206-2d2f-4b96-ba61-97b596ae6682", "judgement_id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "ctr_hide": false}, 
{"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP File Reputation:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "698f4dd1-8748-4ff2-862b-410c6793066e", "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "d721173c-adf4-44a7-95a5-ca6f5d2d4c3a", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "ctr_hide": false}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "severity": "High", "action": 
"0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "2c37471e-0bd4-453d-aaf2-f3d805cb7221", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6cc99614-fa2b-4ff6-8e2e-71a8a6d23362", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.3", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "AMP Protect DB", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "reason": "AMP ProtectDB Conviction", "disposition_name": "Malicious", "priority": 90, "id": "transient:6d0a848b-c809-40cb-acef-86507e40abd5", "severity": "High", "tlp": "amber", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "33a51412-a697-49fd-b25d-ed05c0f54693", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.16", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": 
"sha256"}, "reason_uri": "https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "severity": "High", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "91ad75cd-a7ad-426b-8e3b-3f5f90c2f9f9", "timestamp": "2020-04-29T07:23:28.569Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ReversingLabs", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ReversingLabs", "title": "ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa", "count": 1, "observable_type": "sha256", "ctr_uuid": "87c50aa0-53f2-453f-afc7-cb1977c3f56c", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2020-04-17T06:45:00.000Z"}, "ctr_hide": false}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", 
"observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4", "count": 1, "observable_type": "sha256", "ctr_uuid": "0cd0ee57-e288-4ad9-b85e-bbaf21738e5d", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056", "count": 1, "severity": "High", "observable_type": "sha256", "ctr_uuid": "28ad11bb-80e3-476a-84a8-57c71c19bcd7", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-10T10:56:08.000Z"}, "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 
2 related malwares: Trojan, GenericKD. Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff", "count": 1, "severity": "Medium", "observable_type": "sha256", "ctr_uuid": "f19d3fae-61fa-4660-bfe3-88490c4f6b8b", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.16", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1", "count": 1, "tlp": "green", "observable_type": "sha256", "ctr_uuid": "5e386fd1-ed5a-4efc-b256-23ad719aa164", "timestamp": "2020-04-29T07:23:28.589Z", "confidence": "High", "observed_time": {"start_time": "2020-04-28T17:19:26.000Z", "end_time": 
"2020-04-28T17:25:30.000Z"}, "ctr_hide": false}], "revListOrder": 1}], "selectedObservables": [{"uuid": "71d6a4aa-3729-4976-a93c-bcf72a7fac28", "observable": {"key": "f0933a42-ae74-4352-87fe-08f0e4fc777b", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "indicators": [{"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-80a306e5-bae1-423a-b962-972c0b44d173", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "205f85a0-e98a-44cd-b792-e2e50c843a2f", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "valid_time": {"start_time": "2020-06-25T16:35:36.004Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:indicator-ba9ee85b-ca1d-4360-ac2d-7e05565886dd", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6c7d7881-dddf-4698-a84d-26fa9c09137e", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_hide": false}, {"description": "An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. 
The results of individual antivirus engine scans are displayed, if available.", "tags": ["file", "antivirus"], "valid_time": {"start_time": "2016-06-22T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Threat Grid", "schema_version": "1.0.19", "type": "indicator", "source": "Threat Grid Indicators", "external_ids": ["hydrant-ef8735e087cb3449b42e75de0c4b9cee68f481d16defd9b1b374325a2da6fe88"], "short_description": "Artifact Flagged Malicious by Antivirus Service", "title": "antivirus-service-flagged-artifact", "module": "AMP Global Intelligence", "module-type": null, "source_uri": "https://panacea.threatgrid.com", "id": "https://intel.amp.cisco.com:443/ctia/indicator/indicator-0b627b13-6481-4b39-b240-42db3b652acc", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "3bf9c4cc-4b83-4dfb-a57d-135cfb77c765", "timestamp": "2020-10-28T20:37:25.082Z", "confidence": "High", "ctr_hide": false}], "type": "sha256", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 3, "module": "Recorded Future", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Recorded Future:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "b7783206-2d2f-4b96-ba61-97b596ae6682", "judgement_id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP File Reputation:b4dd6f8b", "action": 
"0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "698f4dd1-8748-4ff2-862b-410c6793066e", "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "verdict", "disposition": 2, "module": "AMP Global Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:AMP Global Intelligence:b4dd6f8b", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "d721173c-adf4-44a7-95a5-ca6f5d2d4c3a", "judgement_id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "ctr_hide": false}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b", "judgements": [{"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 3, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "transient:judgement-df859341-bd97-4d89-9b37-7db2d3a7b865", "severity": "High", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "2c37471e-0bd4-453d-aaf2-f3d805cb7221", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 2, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:48.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": 
"323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 2, "module": "Recorded Future", "module-type": null, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Suspicious", "priority": 90, "id": "transient:judgement-9fcebc6c-ac18-4fc2-b836-901903023d35", "severity": "Medium", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "6cc99614-fa2b-4ff6-8e2e-71a8a6d23362", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T12:23:46.926Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.3", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "type": "judgement", "source": "AMP Protect DB", "disposition": 2, "module": "AMP File Reputation", "module-type": null, "reason": "AMP ProtectDB Conviction", "disposition_name": "Malicious", "priority": 90, "id": "transient:6d0a848b-c809-40cb-acef-86507e40abd5", "severity": "High", "tlp": "amber", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "33a51412-a697-49fd-b25d-ed05c0f54693", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}, {"valid_time": {"start_time": "2020-04-28T17:25:30.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.0.16", "observable": {"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}, "reason_uri": "https://panacea.threatgrid.com/samples/6717c7ad74de3c065c4f840223a23ed3", "type": "judgement", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-disposition-judgement-sha256-323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba"], "disposition": 2, "module": "AMP Global Intelligence", "module-type": 
null, "reason": "AMP Threat Grid Sample Analysis", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "disposition_name": "Malicious", "priority": 90, "id": "https://intel.amp.cisco.com:443/ctia/judgement/judgement-0f25870d-52c7-4e9f-a907-41c1f070bdd2", "severity": "High", "tlp": "green", "action": "0f589b9a-a087-4a87-8a3a-c0ac69a53d50", "ctr_uuid": "91ad75cd-a7ad-426b-8e3b-3f5f90c2f9f9", "timestamp": "2020-04-29T07:23:28.569Z", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "Seen by ReversingLabs", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by ReversingLabs", "title": "ReversingLabs scan for SHA-256 323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-99e967b5-4b67-4a83-acf6-a4c9b2a83aaa", "count": 1, "observable_type": "sha256", "ctr_uuid": "87c50aa0-53f2-453f-afc7-cb1977c3f56c", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2020-04-17T06:45:00.000Z"}, "ctr_hide": false}, {"description": "Seen by PolySwarm", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Recent Reference", "short_description": "Seen by PolySwarm", "title": "PolySwarm report for 
323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-2a8ffe87-f010-4be7-937b-d0799159aae4", "count": 1, "observable_type": "sha256", "ctr_uuid": "0cd0ee57-e288-4ad9-b85e-bbaf21738e5d", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "2 sightings on 2 sources: ReversingLabs, PolySwarm. Most recent link (Apr 17, 2020): ReversingLabs malware file analysis.", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Positive Malware Verdict", "title": "Positive Malware Verdict", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-6071097f-7834-4241-a6ff-5e41b212f056", "count": 1, "severity": "High", "observable_type": "sha256", "ctr_uuid": "28ad11bb-80e3-476a-84a8-57c71c19bcd7", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-10T10:56:08.000Z"}, "ctr_hide": false}, {"description": "9 sightings on 2 sources: PolySwarm, ReversingLabs. 2 related malwares: Trojan, GenericKD. 
Most recent link (Mar 13, 2021): https://polyswarm.network/scan/results/file/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "schema_version": "1.1.6", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Linked to Malware", "title": "Linked to Malware", "module": "Recorded Future", "internal": false, "source_uri": "https://app.recordedfuture.com/live/sc/entity/hash%3A323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "transient:sighting-7259d81d-02ac-4bcb-b84c-d47206ab77ff", "count": 1, "severity": "Medium", "observable_type": "sha256", "ctr_uuid": "f19d3fae-61fa-4660-bfe3-88490c4f6b8b", "timestamp": "2021-07-09T12:23:48.000Z", "confidence": "High", "observed_time": {"start_time": "2021-03-13T12:04:35.279Z"}, "ctr_hide": false}, {"description": "AMP Threat Grid Sample Analysis", "schema_version": "1.0.16", "observable_value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "observables": [{"value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "type": "sha256"}], "type": "sighting", "source": "AMP Threat Grid File Dispositions", "external_ids": ["TG-file-sighting-6717c7ad74de3c065c4f840223a23ed3"], "module": "AMP Global Intelligence", "source_uri": "https://panacea.threatgrid.com/artifacts/323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "https://intel.amp.cisco.com:443/ctia/sighting/sighting-3e42e17a-8554-43ac-9cdd-023e042143a1", "count": 1, "tlp": "green", "observable_type": "sha256", "ctr_uuid": "5e386fd1-ed5a-4efc-b256-23ad719aa164", "timestamp": "2020-04-29T07:23:28.589Z", "confidence": "High", "observed_time": {"start_time": "2020-04-28T17:19:26.000Z", "end_time": "2020-04-28T17:25:30.000Z"}, "ctr_hide": false}], 
"revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "sha256", "value": "323d0cf9ac1c750761f66482154dbd3144dae7336c955a4576cb4cce6438a6ba", "id": "b4dd6f8b"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-c3d01b6a-77b1-404c-b029-913123269fc5", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T12:24:33.909Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file diff --git a/Recorded_Future/Snapshot-with-url.json b/Recorded_Future/Snapshot-with-url.json index 8793a0af..c244b71c 100644 --- a/Recorded_Future/Snapshot-with-url.json +++ b/Recorded_Future/Snapshot-with-url.json 
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "url:\"https://portal.sbn.co.th/rss.php\"\ndomain:\"portal.sbn.co.th\"", "actions": "[{\"arg\":{\"text\":\"https://portal.sbn.co.th/rss.php\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T11:54:00.506Z\",\"id\":\"collect-1e16f65e\",\"result\":[{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T11:54:00.705Z\",\"uuid\":\"247f5145-7778-452d-89a6-ea13810868b1\"},{\"arg\":{\"type\":\"domain\",\"value\":\"portal.sbn.co.th\"},\"created\":\"2021-07-09T11:54:00.733Z\",\"id\":\"investigate-c0577f11\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},\"judgement_id\":\"transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-22T11:54:01.038Z\",\"end_time\":\"2023-10-22T11:54:01.038Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T11:54:01.038Z\",\"end_time\":\"2023-10-22T11:54:01.038Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded 
Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T11:54:02.710Z\",\"uuid\":\"51d6e68f-c944-4915-a3d5-fc548cc9a812\"},{\"arg\":{\"type\":\"url\",\"value\":\"https://portal.sbn.co.th/rss.php\"},\"created\":\"2021-07-09T11:54:00.757Z\",\"id\":\"investigate-1b868101\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"judgement_id\":\"transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-22T11:54:01.033Z\",\"end_time\":\"2023-10-22T11:54:01.033Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T11:54:01.033Z\",\"end_time\":\"2023-10-22T11:54:01.033Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":2,\"reason\":\"Poor Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc\",\"severity\":\"High\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":1,\"docs\":[{\"description\":\"19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World 
Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt\",\"valid_time\":{\"start_time\":\"2023-09-01T00:00:00.000Z\",\"end_time\":\"2527-03-17T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged URL\",\"title\":\"Historically Reported as a Defanged URL\",\"id\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":1,\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"judgement_id\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-22T11:54:02.000Z\",\"end_time\":\"2023-10-22T11:54:02.000Z\"}}]},\"relationships\":{\"count\":2,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"id\":\"transient:relationship-5e1c8f62-c524-4773-977c-a0cd2f78dc78\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8\",\"id\":\"transient:relationship-0e8c7612-66b1-4bb2-bf5f-1f3383d1ba83\",\"relationship_type\":\"member-of\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-22T11:54:02.000Z\",\"end_time\":\"2023-10-22T11:54:02.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\"
,\"type\":\"url\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged URL\",\"title\":\"Historically Reported as a Defanged URL\",\"internal\":false,\"id\":\"transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-03-02T00:02:11.834Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T11:54:02.670Z\",\"uuid\":\"63930cae-0a61-402c-b75b-6e4d300d4f12\"}]", "short_description": "Snapshot-with-url", "omittedObservables": [], "archivedObservables": [{"key": "74c5640b-f5c3-4be6-942a-15a36241d011", "value": "portal.sbn.co.th", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:ae1e984d", "action": 
"51d6e68f-c944-4915-a3d5-fc548cc9a812", "judgement_id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21"}], "notifications": [], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "portal.sbn.co.th", "id": "ae1e984d", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "schema_version": "1.1.3", "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th", "disposition_name": "Unknown", "priority": 90, "id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21", "severity": "Low", "tlp": "white", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "confidence": "High"}], "sightings": [], "revListOrder": 4}, {"key": "0ee0368a-3a97-4490-874e-ea5d0cf5c5e1", "value": "https://portal.sbn.co.th/rss.php", "indicators": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. 
Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "valid_time": {"start_time": "2021-06-18T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "module-type": null, "id": "transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "cc1228f3-0e6d-4cef-990f-8267592a40ab", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_hide": false}], "type": "url", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "68217845-e05e-49d3-be41-3e62d1615172", "judgement_id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Talos Intelligence:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "6dc2f277-47bd-465f-8c76-1afde1a60032", "judgement_id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "ctr_hide": false}], "notifications": [], 
"disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 1, "label": "https://portal.sbn.co.th/rss.php", "id": "165c2f02", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "schema_version": "1.1.6", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "b8cb8351-8206-4e1f-ac0e-d83a1b0edba1", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "schema_version": "1.1.3", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "reason": "Poor Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php", "disposition_name": "Malicious", "priority": 90, "id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "severity": "High", "tlp": "white", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "fa39e79b-55ef-4148-a171-6febff4266a2", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. 
Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "schema_version": "1.1.6", "observable_value": "https://portal.sbn.co.th/rss.php", "observables": [{"value": "https://portal.sbn.co.th/rss.php", "type": "url"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "internal": false, "id": "transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8", "count": 1, "severity": "Low", "observable_type": "url", "ctr_uuid": "58e58eeb-0041-49c9-9f11-c29b5c304308", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "observed_time": {"start_time": "2020-12-17T00:02:11.834Z"}, "ctr_hide": false}], "revListOrder": 5}], "selectedObservables": [{"uuid": "b6ba7f52-02f3-4c1a-8295-3c3ee10de00b", "observable": {"key": "74c5640b-f5c3-4be6-942a-15a36241d011", "value": "portal.sbn.co.th", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:ae1e984d", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "judgement_id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21"}], "notifications": [], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "portal.sbn.co.th", "id": "ae1e984d", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "schema_version": "1.1.3", "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", 
"disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th", "disposition_name": "Unknown", "priority": 90, "id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21", "severity": "Low", "tlp": "white", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "confidence": "High"}], "sightings": [], "revListOrder": 4}, "notifications": [], "disposition_name": "Unknown", "disposition": 5, "type": "domain", "value": "portal.sbn.co.th", "id": "ae1e984d"}, {"uuid": "66b39f89-2126-4a1b-8e90-1148b5193c6a", "observable": {"key": "0ee0368a-3a97-4490-874e-ea5d0cf5c5e1", "value": "https://portal.sbn.co.th/rss.php", "indicators": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "valid_time": {"start_time": "2021-06-18T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "module-type": null, "id": "transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "cc1228f3-0e6d-4cef-990f-8267592a40ab", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_hide": false}], "type": "url", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "observable": {"value": 
"https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "68217845-e05e-49d3-be41-3e62d1615172", "judgement_id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Talos Intelligence:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "6dc2f277-47bd-465f-8c76-1afde1a60032", "judgement_id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "ctr_hide": false}], "notifications": [], "disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 1, "label": "https://portal.sbn.co.th/rss.php", "id": "165c2f02", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "schema_version": "1.1.6", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "b8cb8351-8206-4e1f-ac0e-d83a1b0edba1", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "schema_version": "1.1.3", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, 
"type": "judgement", "source": "Talos Intelligence", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "reason": "Poor Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php", "disposition_name": "Malicious", "priority": 90, "id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "severity": "High", "tlp": "white", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "fa39e79b-55ef-4148-a171-6febff4266a2", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "schema_version": "1.1.6", "observable_value": "https://portal.sbn.co.th/rss.php", "observables": [{"value": "https://portal.sbn.co.th/rss.php", "type": "url"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "internal": false, "id": "transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8", "count": 1, "severity": "Low", "observable_type": "url", "ctr_uuid": "58e58eeb-0041-49c9-9f11-c29b5c304308", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "observed_time": {"start_time": "2020-12-17T00:02:11.834Z"}, "ctr_hide": false}], "revListOrder": 5}, "notifications": [], "disposition_name": "Clean", "disposition": 1, "type": "url", "value": "https://portal.sbn.co.th/rss.php", "id": "165c2f02"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-238f8142-da87-483f-8676-55662b7721c7", "tlp": "amber", "groups": 
["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T11:54:55.958Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "url:\"https://portal.sbn.co.th/rss.php\"\ndomain:\"portal.sbn.co.th\"", "actions": "[{\"arg\":{\"text\":\"https://portal.sbn.co.th/rss.php\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-09T11:54:00.506Z\",\"id\":\"collect-1e16f65e\",\"result\":[{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-09T11:54:00.705Z\",\"uuid\":\"247f5145-7778-452d-89a6-ea13810868b1\"},{\"arg\":{\"type\":\"domain\",\"value\":\"portal.sbn.co.th\"},\"created\":\"2021-07-09T11:54:00.733Z\",\"id\":\"investigate-c0577f11\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},\"judgement_id\":\"transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-29T11:54:01.038Z\",\"end_time\":\"2023-10-29T11:54:01.038Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T11:54:01.038Z\",\"end_time\":\"2023-10-29T11:54:01.038Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"portal.sbn.co.th\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation 
score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T11:54:02.710Z\",\"uuid\":\"51d6e68f-c944-4915-a3d5-fc548cc9a812\"},{\"arg\":{\"type\":\"url\",\"value\":\"https://portal.sbn.co.th/rss.php\"},\"created\":\"2021-07-09T11:54:00.757Z\",\"id\":\"investigate-1b868101\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"judgement_id\":\"transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-09-29T11:54:01.033Z\",\"end_time\":\"2023-10-29T11:54:01.033Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T11:54:01.033Z\",\"end_time\":\"2023-10-29T11:54:01.033Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":2,\"reason\":\"Poor Talos Intelligence reputation 
score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php\",\"disposition_name\":\"Malicious\",\"priority\":90,\"id\":\"transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc\",\"severity\":\"High\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Recorded Future\",\"module_instance_id\":\"a0e3111a-8afa-4b58-bcf6-b6d0a6eb1d84\",\"module_type_id\":\"9be41a6a-40e4-42ad-93a6-fd3416ddb794\",\"data\":{\"indicators\":{\"count\":1,\"docs\":[{\"description\":\"19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt\",\"valid_time\":{\"start_time\":\"2023-09-08T00:00:00.000Z\",\"end_time\":\"2527-03-24T00:00:00.000Z\"},\"producer\":\"Recorded Future\",\"schema_version\":\"1.1.6\",\"type\":\"indicator\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged URL\",\"title\":\"Historically Reported as a Defanged 
URL\",\"id\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\"}]},\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":1,\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"judgement_id\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-09-29T11:54:02.000Z\",\"end_time\":\"2023-10-29T11:54:02.000Z\"}}]},\"relationships\":{\"count\":2,\"docs\":[{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"type\":\"relationship\",\"source_ref\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"id\":\"transient:relationship-5e1c8f62-c524-4773-977c-a0cd2f78dc78\",\"relationship_type\":\"element-of\"},{\"schema_version\":\"1.1.6\",\"target_ref\":\"transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0\",\"type\":\"relationship\",\"source_ref\":\"transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8\",\"id\":\"transient:relationship-0e8c7612-66b1-4bb2-bf5f-1f3383d1ba83\",\"relationship_type\":\"member-of\"}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-09-29T11:54:02.000Z\",\"end_time\":\"2023-10-29T11:54:02.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"},\"type\":\"judgement\",\"source\":\"Recorded Future Intelligence Card\",\"disposition\":1,\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd\",\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\"}]},\"sightings\":{\"count\":1,\"docs\":[{\"description\":\"19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. 
Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"https://portal.sbn.co.th/rss.php\",\"type\":\"url\"}],\"type\":\"sighting\",\"source\":\"Recorded Future Intelligence Card\",\"short_description\":\"Historically Reported as a Defanged URL\",\"title\":\"Historically Reported as a Defanged URL\",\"internal\":false,\"id\":\"transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8\",\"count\":1,\"severity\":\"Low\",\"timestamp\":\"2021-07-09T11:54:02.000Z\",\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-03-09T00:02:11.834Z\"}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-09T11:54:02.670Z\",\"uuid\":\"63930cae-0a61-402c-b75b-6e4d300d4f12\"}]", "short_description": "Snapshot-with-url", "omittedObservables": [], "archivedObservables": [{"key": "74c5640b-f5c3-4be6-942a-15a36241d011", "value": "portal.sbn.co.th", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:ae1e984d", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "judgement_id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21"}], "notifications": [], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "portal.sbn.co.th", "id": "ae1e984d", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "schema_version": "1.1.3", "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": 
"Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th", "disposition_name": "Unknown", "priority": 90, "id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21", "severity": "Low", "tlp": "white", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "confidence": "High"}], "sightings": [], "revListOrder": 4}, {"key": "0ee0368a-3a97-4490-874e-ea5d0cf5c5e1", "value": "https://portal.sbn.co.th/rss.php", "indicators": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "valid_time": {"start_time": "2021-06-18T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "module-type": null, "id": "transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "cc1228f3-0e6d-4cef-990f-8267592a40ab", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_hide": false}], "type": "url", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:165c2f02", "action": 
"63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "68217845-e05e-49d3-be41-3e62d1615172", "judgement_id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Talos Intelligence:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "6dc2f277-47bd-465f-8c76-1afde1a60032", "judgement_id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "ctr_hide": false}], "notifications": [], "disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 1, "label": "https://portal.sbn.co.th/rss.php", "id": "165c2f02", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "schema_version": "1.1.6", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "b8cb8351-8206-4e1f-ac0e-d83a1b0edba1", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "schema_version": "1.1.3", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "reason": "Poor Talos Intelligence reputation score", "source_uri": 
"https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php", "disposition_name": "Malicious", "priority": 90, "id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "severity": "High", "tlp": "white", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "fa39e79b-55ef-4148-a171-6febff4266a2", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "schema_version": "1.1.6", "observable_value": "https://portal.sbn.co.th/rss.php", "observables": [{"value": "https://portal.sbn.co.th/rss.php", "type": "url"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "internal": false, "id": "transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8", "count": 1, "severity": "Low", "observable_type": "url", "ctr_uuid": "58e58eeb-0041-49c9-9f11-c29b5c304308", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "observed_time": {"start_time": "2020-12-17T00:02:11.834Z"}, "ctr_hide": false}], "revListOrder": 5}], "selectedObservables": [{"uuid": "b6ba7f52-02f3-4c1a-8295-3c3ee10de00b", "observable": {"key": "74c5640b-f5c3-4be6-942a-15a36241d011", "value": "portal.sbn.co.th", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", 
"module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:ae1e984d", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "judgement_id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21"}], "notifications": [], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "portal.sbn.co.th", "id": "ae1e984d", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:01.038Z", "end_time": "2021-08-08T11:54:01.038Z"}, "schema_version": "1.1.3", "observable": {"value": "portal.sbn.co.th", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=portal.sbn.co.th", "disposition_name": "Unknown", "priority": 90, "id": "transient:53b1a4a9-b1e6-4015-b0a1-e458a4386d21", "severity": "Low", "tlp": "white", "action": "51d6e68f-c944-4915-a3d5-fc548cc9a812", "confidence": "High"}], "sightings": [], "revListOrder": 4}, "notifications": [], "disposition_name": "Unknown", "disposition": 5, "type": "domain", "value": "portal.sbn.co.th", "id": "ae1e984d"}, {"uuid": "66b39f89-2126-4a1b-8e90-1148b5193c6a", "observable": {"key": "0ee0368a-3a97-4490-874e-ea5d0cf5c5e1", "value": "https://portal.sbn.co.th/rss.php", "indicators": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. 
Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "valid_time": {"start_time": "2021-06-18T00:00:00.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "producer": "Recorded Future", "schema_version": "1.1.6", "type": "indicator", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "module-type": null, "id": "transient:indicator-5852d7e0-ef61-4597-8166-95a6a6b637b0", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "cc1228f3-0e6d-4cef-990f-8267592a40ab", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_hide": false}], "type": "url", "state": "investigated", "targets": [], "disposition": 1, "verdicts": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Recorded Future:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "68217845-e05e-49d3-be41-3e62d1615172", "judgement_id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "verdict", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Talos Intelligence:165c2f02", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "6dc2f277-47bd-465f-8c76-1afde1a60032", "judgement_id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "ctr_hide": false}], "notifications": [], 
"disposition_name": "Clean", "obsListSortOrder": 5, "listOrder": 1, "label": "https://portal.sbn.co.th/rss.php", "id": "165c2f02", "judgements": [{"valid_time": {"start_time": "2021-07-09T11:54:02.000Z", "end_time": "2021-08-08T11:54:02.000Z"}, "schema_version": "1.1.6", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Recorded Future Intelligence Card", "disposition": 1, "module": "Recorded Future", "module-type": null, "disposition_name": "Unknown", "priority": 90, "id": "transient:judgement-b2f08934-2eee-4f44-9659-0ba74bc9f6dd", "severity": "Low", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "b8cb8351-8206-4e1f-ac0e-d83a1b0edba1", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "ctr_dispositionOrder": 5, "ctr_hide": false}, {"valid_time": {"start_time": "2021-07-09T11:54:01.033Z", "end_time": "2021-08-08T11:54:01.033Z"}, "schema_version": "1.1.3", "observable": {"value": "https://portal.sbn.co.th/rss.php", "type": "url"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 2, "module": "Talos Intelligence", "module-type": null, "reason": "Poor Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=https%3A%2F%2Fportal.sbn.co.th%2Frss.php", "disposition_name": "Malicious", "priority": 90, "id": "transient:fd92f0e6-2607-4ec3-aeb0-6af5a5cd5ddc", "severity": "High", "tlp": "white", "action": "63930cae-0a61-402c-b75b-6e4d300d4f12", "ctr_uuid": "fa39e79b-55ef-4148-a171-6febff4266a2", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [{"description": "19 sightings on 6 sources including: f-secure.jp, GitHub, CITEC - Computer Security Community - World Hacking/Security News, Ver007 APT Tools, F-Secure. 
Most recent link (Dec 17, 2020): https://github.com/basel-a/secureNLP/blob/master/data/MalwareTextDB-2.0/data/train/annotations/Duke_cloud_Linux.txt", "schema_version": "1.1.6", "observable_value": "https://portal.sbn.co.th/rss.php", "observables": [{"value": "https://portal.sbn.co.th/rss.php", "type": "url"}], "type": "sighting", "source": "Recorded Future Intelligence Card", "short_description": "Historically Reported as a Defanged URL", "title": "Historically Reported as a Defanged URL", "module": "Recorded Future", "internal": false, "id": "transient:sighting-04248f07-d4ea-4e97-ad49-2543b2adffb8", "count": 1, "severity": "Low", "observable_type": "url", "ctr_uuid": "58e58eeb-0041-49c9-9f11-c29b5c304308", "timestamp": "2021-07-09T11:54:02.000Z", "confidence": "High", "observed_time": {"start_time": "2020-12-17T00:02:11.834Z"}, "ctr_hide": false}], "revListOrder": 5}, "notifications": [], "disposition_name": "Clean", "disposition": 1, "type": "url", "value": "https://portal.sbn.co.th/rss.php", "id": "165c2f02"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-238f8142-da87-483f-8676-55662b7721c7", "tlp": "amber", "groups": ["3b19921d-7d82-4567-9034-332a19aab33d"], "timestamp": "2021-07-09T11:54:55.958Z", "owner": "7ac9b7c6-ecfd-42bb-afd2-b5aae7efb090", "source": "Taras Mal"} \ No newline at end of file