SEKOIAIntelligenceCenter
This integration is part of the SEKOIAIntelligenceCenter Pack.
Supported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
Fetch indicators and observables from SEKOIA.IO Intelligence Center. To use this integration, create an API Key with the right permissions.
This integration was integrated and tested with version 2.20220712 of SEKOIA.IO Intelligence Center.
Configure SEKOIAIntelligenceCenter in Cortex
Parameter | Description | Required |
---|---|---|
Your server URL | | True |
API Key | The API Key to use for connection | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Source Reliability | Reliability of the source providing the intelligence data. | |
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
GetObservable
Query SEKOIA.IO Intelligence Center for information about this observable.
Base Command
GetObservable
Input
Argument Name | Description | Required |
---|---|---|
value | Indicator value. | Required |
type | Indicator type. | Required |
Context Output
Path | Type | Description |
---|---|---|
GetObservable.Output | String | SEKOIA.IO returned data |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
SEKOIAIntelligenceCenter.total | Number | Total number of objects returned |
SEKOIAIntelligenceCenter.items.x_inthreat_short_display | String | Short display name of the observable |
SEKOIAIntelligenceCenter.items.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.created | Date | Observable creation date |
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.value | String | Value of the item |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
Command example
!GetObservable value="eicar@sekoia.io" type="email-addr"
Context Example
Human Readable Output
Observable eicar@sekoia.io
modified | created |
---|---|
2020-11-04T00:27:15.9801Z | 2020-11-04T00:27:15.9801Z |
Associated tags
No entries. Please consult the dedicated page for more information.
GetIndicator
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Base Command
GetIndicator
Input
Argument Name | Description | Required |
---|---|---|
value | Indicator value. | Required |
type | Indicator type. | Required |
Context Output
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
SEKOIAIntelligenceCenter.items.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.x_inthreat_sources_refs | String | Source references of the observable |
SEKOIAIntelligenceCenter.items.spec_version | String | STIX specification version used |
SEKOIAIntelligenceCenter.items.description | String | Item description |
SEKOIAIntelligenceCenter.items.modified | Date | Last modification date of the item |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.pattern | String | STIX pattern of the item |
SEKOIAIntelligenceCenter.items.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.object_marking_refs | String | Unique identifier of the marking reference (TLP) |
SEKOIAIntelligenceCenter.items.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.indicator_types | String | STIX indicator types |
Command example
!GetIndicator value="eicar@sekoia.io" type="email-addr"
Context Example
Human Readable Output
Indicator eicar@sekoia.io is categorized as ['benign']
SEKOIA EICAR unit is known to have used in the past this email address to distribute EICAR dropper during phishing campaign.
Kill chain
kill_chain_name | phase_name |
---|---|
lockheed-martin-cyber-kill-chain | delivery |
Please consult the dedicated page for more information.
ip
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | Indicator value. | Required |
Context Output
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
IP.Address | String | IP address |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command example
!ip ip="206.189.85.18"
Context Example
Human Readable Output
Indicator 206.189.85.18 is linked to the following:
name | description | type | aliases | goals | revoked | created | modified | more_info |
---|---|---|---|---|---|---|---|---|
FinFisher | FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018) | malware | FinFisher | | false | 2019-07-19T15:25:38.820741Z | 2021-11-23T09:13:59.891896Z | More info about FinFisher on SEKOIA.IO |
url
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | Indicator value. | Required |
Context Output
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
URL.Data | String | The URL |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command example
!url url="http://truesec.pro/"
Context Example
Human Readable Output
Indicator http://truesec.pro/ is linked to the following:
name | description | type | aliases | goals | revoked | created | modified | more_info |
---|---|---|---|---|---|---|---|---|
Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms. | attack-pattern | | | false | 2020-08-27T16:06:57.165806Z | 2022-01-28T08:06:15.568392Z | More info about Phishing on SEKOIA.IO |
domain
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
domain
Input
Argument Name | Description | Required |
---|---|---|
domain | Indicator value. | Required |
Context Output
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
Domain.Name | String | The domain name, for example: "google.com". |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command example
!domain domain="eicar.sekoia.io"
Context Example
Human Readable Output
Indicator eicar.sekoia.io is linked to the following:
name | description | type | aliases | goals | revoked | created | modified | more_info |
---|---|---|---|---|---|---|---|---|
Dropper TEST EICAR SEKOIA.IO | Context: This Dropper is used by SEKOIA Red Team as a demonstration to illustrate how an inoculated file could also be used as a malicious file to install dangerous content onto the corporate environment. Execution stages: This dropper is known to be distributed as a Powershell script. At execution, it drops a text payload (inoculated payload part of the EICAR campaign). If Internet connectivity is available, the dropper contacts a Command and control server to install additional modules (deactivated in the EICAR campaign). | malware | EICAR, Malware TEST EICAR SEKOIA.IO, Dropper TEST EICAR SEKOIA.IO | | false | 2020-05-26T13:19:41.236073Z | 2020-06-22T09:09:28.349981Z | More info about Dropper TEST EICAR SEKOIA.IO on SEKOIA.IO |
file
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | Indicator value. | Required |
Context Output
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command example
!file file="e1d4d2e829885b322f7e619cbfc2615f"
Context Example
Human Readable Output
Indicator [file:hashes.'SHA-256' = '8fdc11e44341c3df5a8020b3313eb0a33b2d77fa05d4af0168f911b3a4d3b74a' OR file:hashes.MD5 = 'e1d4d2e829885b322f7e619cbfc2615f' OR file:hashes.'SHA-1' = 'cb6dfb7d8732a74187f61db80aa9f31a29c10888'] is linked to the following:
name | type | aliases | goals | revoked | created | modified | more_info |
---|---|---|---|---|---|---|---|
Agent Tesla | malware | Agent Tesla, AgentTesla, AgenTesla, Negasteal | | false | 2019-07-19T15:25:33.745282Z | 2021-12-23T19:52:16.428429Z | More info about Agent Tesla on SEKOIA.IO |
description (the description column of the row above, reproduced in full):
# Resume
Agent Tesla is a spyware that steals passwords and collects information about the actions of its victims by recording keystrokes and user interactions. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers. The spyware has been observed in the world since 2014 and has become extremely popular in the cybercriminal community in recent years.
# Chain of infection
The most widespread delivery method for Agent Tesla is malicious spam, via Microsoft Word documents that contain an embedded executed file or exploit. The email accounts used to spread the spyware are often legitimate accounts that have been compromised. Agent Tesla operators act out of opportunism and lack the sophistication seen in elaborate operations such as big game hunting.
Once the user has clicked on the malicious document, the executable is downloaded and renamed. The downloaded file runs itself and creates a child process. Before taking actions on objectives, Agent Tesla checks the environment of the compromised machine to avoid being deployed in a Virtual Machine and therefore bypass sandbox analysis. Multiple sandbox evasion techniques are performed - such as reading hardware parameters, disabling AMSI scans, checking for user input or using sleeping functions.
Agent Tesla establishes persistence by creating a registry RUN key to run at boot, or creating a scheduled task via schtasks.exe. Once well installed, the malware takes actions on objectives and sends data to the Command & Control server. Latest Agent Tesla versions offer different means of communication - over SMTP, FTP or HTTP, but also using Telegram, Discord or Tor network.
According to SEKOIA research, most Agent Tesla operators employ SMTP communications on port 587 using compromised email accounts.
# Capacity
Taking fingerprint:
For example, it corresponds to the footprint of an infected machine:
```
Time: 02/11/2021 08:45:53
User Name: JohnDoe
Computer Name: ACME-JOHN-DOE-PC
OSFullName: Microsoft Windows 7 Édition Intégrale
CPU: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
RAM: 3931,59 MB
IP Address:
```
In some cases, Agent Tesla requests `api.ipify[.]org`, a simple public IP address API, to retrieve the victim IP address.
The body of each email sent to C2 begins with the fingerprint.
Stealing password (from many applications):
Those information are sent by email whose subject is `PW_JohnDoe/ACME-JOHN-DOE-PC`, `PW` for password.
Keystroke logging:
The subject of the email is `KL_JohnDoe/ACME-JOHN-DOE-PC`, `KL` for Keystroke logging.
Stealing cookies:
Agent Tesla archives the directories that store the cookies of different browsers, e.g.: `C:\Users\JohnDoe\AppData\Local\Google\Chrome\User Data\Default`, and adds it as attachment to emails whose subject is `CO_JohnDoe/ACME-JOHN-DOE-PC`, `CO` for Cookies.
* Capturing clipboard:
Screenshots are taken by the spyware and sent by email whose subject is `SC_JohnDoe/ACME-JOHN-DOE-PC`, `SC` for SCreenshot.
Other capabilities are available, but are less used.
Indicator [file:hashes.MD5 = 'e1d4d2e829885b322f7e619cbfc2615f' OR file:hashes.'SHA-1' = 'cb6dfb7d8732a74187f61db80aa9f31a29c10888' OR file:hashes.'SHA-256' = '8fdc11e44341c3df5a8020b3313eb0a33b2d77fa05d4af0168f911b3a4d3b74a' OR file:hashes.'SHA-512' = '346c463b203b4aa72b5a6a3dee547d29aa03b85027f8dbb6ae61b4a81dd1f3c939f0e21b041124a0a070c1d82ef39820e191bc551d44bde8153df9a24e2f002b'] is linked to the following:#
name | type | aliases | goals | revoked | created | modified | more_info
---|---|---|---|---|---|---|---
Agent Tesla | malware | Agent Tesla, AgentTesla, AgenTesla, Negasteal | | false | 2019-07-19T15:25:33.745282Z | 2021-12-23T19:52:16.428429Z | More info about Agent Tesla on SEKOIA.IO

description: identical to the Agent Tesla description returned for the previous indicator (both indicators resolve to the same malware object).
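The exfiltration pattern described in the Agent Tesla record above (subject prefixes `PW_`, `KL_`, `CO_`, `SC_` followed by `user/computer`, a fingerprint block opening every message body, SMTP submission on port 587) is what a detection engineer would want to match on mail-gateway logs. The following is an added example, not code from the SEKOIA.IO integration or from the original page. The mail records are constructed here, and the scoring weights are an assumption of this example.

```python
"""Detection logic for the Agent Tesla SMTP exfiltration pattern described above.

Added example, not part of the SEKOIA.IO integration or of the original page.
Each outbound message is checked for the documented subject convention
<TAG>_<user>/<computer> with TAG in PW, KL, CO, SC, and for the fingerprint
block that opens every message body. Submission port 587 raises the score,
since SEKOIA reports most operators use it. All mail records below are
constructed; the scoring weights are an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subject convention documented above: <TAG>_<user>/<computer>
SUBJECT_RE = re.compile(r"^(?P<tag>PW|KL|CO|SC)_(?P<user>[^/\s]+)/(?P<host>\S+)$")
# Fingerprint block that opens each body, in the documented field order
FINGERPRINT_FIELDS = ("Time:", "User Name:", "Computer Name:", "OSFullName:", "CPU:", "RAM:", "IP Address:")
TAG_MEANING = {"PW": "stolen credentials", "KL": "keystroke log", "CO": "browser cookie archive", "SC": "screenshot"}


@dataclass
class MailRecord:
    src_host: str   # internal sender as seen by the mail gateway (constructed)
    dst_port: int   # TCP port of the outbound SMTP connection
    subject: str
    body: str


@dataclass
class Finding:
    src_host: str
    tag: str
    data_kind: str
    user: str
    victim_host: str
    fingerprint_present: bool
    score: int      # 0..100, weights assumed for this example


def has_fingerprint(body: str) -> bool:
    """True when the first lines of the body are the Agent Tesla fingerprint fields, in order."""
    lines = [ln.strip() for ln in body.strip().splitlines()[: len(FINGERPRINT_FIELDS)]]
    return len(lines) == len(FINGERPRINT_FIELDS) and all(
        ln.startswith(field) for ln, field in zip(lines, FINGERPRINT_FIELDS)
    )


def classify(rec: MailRecord) -> Optional[Finding]:
    """Return a Finding when the subject matches; the body and port only adjust the score."""
    m = SUBJECT_RE.match(rec.subject.strip())
    if m is None:
        return None
    fp = has_fingerprint(rec.body)
    # Subject alone: 50. Fingerprint block: +30. Submission port 587: +20 (assumed weights).
    score = 50 + (30 if fp else 0) + (20 if rec.dst_port == 587 else 0)
    return Finding(rec.src_host, m["tag"], TAG_MEANING[m["tag"]], m["user"], m["host"], fp, score)


def scan(records: List[MailRecord]) -> List[Finding]:
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed body: the documented fingerprint followed by a constructed credential dump.
FINGERPRINT_BODY = """Time: 02/11/2021 08:45:53
User Name: JohnDoe
Computer Name: ACME-JOHN-DOE-PC
OSFullName: Microsoft Windows 7 Édition Intégrale
CPU: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
RAM: 3931,59 MB
IP Address:
"""

SAMPLE_RECORDS = [  # constructed mail-gateway records
    MailRecord("ws-042.corp.example", 587, "PW_JohnDoe/ACME-JOHN-DOE-PC",
               FINGERPRINT_BODY + "\nURL: https://webmail.example.test\nUsername: john.doe\nPassword: hunter2\n"),
    MailRecord("ws-017.corp.example", 587, "Re: Q3 invoice", "Hi, the signed invoice is attached.\n"),
    MailRecord("ws-042.corp.example", 25, "KL_JohnDoe/ACME-JOHN-DOE-PC", "acme-vpn[Tab]Pa55word[Enter]\n"),
    MailRecord("ws-009.corp.example", 587, "SC_alice/LAPTOP-22", "see attached\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.src_host}: {f.data_kind} ({f.tag}) for {f.user}@{f.victim_host}, "
              f"fingerprint={f.fingerprint_present}, score={f.score}")
```

The subject match is deliberately kept separate from the body and port checks: the `TAG_user/host` convention is the stable part, while the fingerprint block and port 587 are corroborating signals that raise the score rather than gate the alert, so a variant that drops one of them still surfaces at a lower score.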
email#
Query SEKOIA.IO Intelligence Center for information about this indicator. No information is returned if the value is not known to SEKOIA.IO as an indicator (IoC). STIX IDs can be resolved from the SEKOIA.IO Intelligence Center application.
Base Command#
email
Input#
Argument Name | Description | Required |
---|---|---|
email | Indicator value. | Required |
Context Output#
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
IP.Address | String | IP address |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Command example#
!email email="eicar@sekoia.io"
Context Example#
Human Readable Output#
Indicator eicar@sekoia.io is linked to the following:#
name | description | type | aliases | goals | revoked | created | modified | more_info
---|---|---|---|---|---|---|---|---
EICAR Unit of SEKOIA | This Intrusion Set is known to be operated by SEKOIA by its EICAR unit. This unit aims at creating fictitious environment mimicking real attackers to present how threat intelligence can help real organizations to protect themselves. | intrusion-set | EICAR, TEST EICAR SEKOIA.IO, EICAR Unit of SEKOIA | Simulation of real Threat Actor for Test purpose | false | 2020-05-26T13:18:26.429787Z | 2020-06-02T13:28:51.131904Z | More info about EICAR Unit of SEKOIA on SEKOIA.IO
GetIndicatorContext#
Query SEKOIA.IO Intelligence Center for context around this indicator
Base Command#
GetIndicatorContext
Input#
Argument Name | Description | Required |
---|---|---|
value | Indicator value. | Required |
type | Indicator type. | Required |
Context Output#
Path | Type | Description |
---|---|---|
SEKOIAIntelligenceCenter.items.type | String | Observable type |
SEKOIAIntelligenceCenter.items.id | String | Unique identifier of the item |
SEKOIAIntelligenceCenter.items.objects.valid_from | Date | Beginning of the item validity date |
SEKOIAIntelligenceCenter.items.objects.x_inthreat_sources_refs | String | Unique identifier of the observable source |
SEKOIAIntelligenceCenter.items.objects.spec_version | String | STIX specification version |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_in_flint | Boolean | Is this indicator from a SEKOIA FLINT report |
SEKOIAIntelligenceCenter.items.objects.lang | String | Language of the indicator data |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_locations | String | UUID of the impacted locations |
SEKOIAIntelligenceCenter.items.objects.id | String | UUID of the objects |
SEKOIAIntelligenceCenter.items.objects.created_by_ref | String | Unique identifier of the creator of the item |
SEKOIAIntelligenceCenter.items.objects.modified | Date | Modification date of the observable |
SEKOIAIntelligenceCenter.items.objects.type | String | STIX Object type |
SEKOIAIntelligenceCenter.items.objects.revoked | Boolean | Is this item revoked |
SEKOIAIntelligenceCenter.items.objects.created | Date | Creation date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_observable_types | String | Intelligence Center observable types |
SEKOIAIntelligenceCenter.items.objects.pattern_type | String | STIX pattern type |
SEKOIAIntelligenceCenter.items.objects.name | String | Name of the item |
SEKOIAIntelligenceCenter.items.objects.pattern | String | STIX pattern |
SEKOIAIntelligenceCenter.items.objects.indicator_types | String | STIX indicator types |
SEKOIAIntelligenceCenter.items.objects.object_marking_refs | String | Unique identifier of the Object Marking reference (TLP) |
SEKOIAIntelligenceCenter.items.objects.x_ic_impacted_sectors | String | UUID of the impacted sectors |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.kill_chain_name | String | Name of the kill chain used |
SEKOIAIntelligenceCenter.items.objects.kill_chain_phases.phase_name | String | Name of the kill chain phase |
SEKOIAIntelligenceCenter.items.objects.confidence | Number | Indicator confidence score |
SEKOIAIntelligenceCenter.items.objects.x_ic_deprecated | Boolean | Is the item deprecated |
SEKOIAIntelligenceCenter.items.objects.valid_until | Date | Expiration date of the item |
SEKOIAIntelligenceCenter.items.objects.x_ic_external_refs | String | External references |
SEKOIAIntelligenceCenter.items.objects.first_seen | Date | Item first seen date |
SEKOIAIntelligenceCenter.items.objects.aliases | String | Item aliases names |
SEKOIAIntelligenceCenter.items.objects.is_family | Boolean | Is the item part of a family |
SEKOIAIntelligenceCenter.items.objects.external_references.description | String | Object external references description |
SEKOIAIntelligenceCenter.items.objects.external_references.source_name | String | Object external references source name |
SEKOIAIntelligenceCenter.items.objects.external_references.url | String | Object external references URL |
SEKOIAIntelligenceCenter.items.objects.capabilities | String | Malware capabilities |
SEKOIAIntelligenceCenter.items.objects.malware_types | String | Malware type |
SEKOIAIntelligenceCenter.items.objects.implementation_languages | String | Malware implementation languages |
SEKOIAIntelligenceCenter.items.objects.description | String | Item description |
SEKOIAIntelligenceCenter.items.objects.stop_time | Date | Stop time date |
SEKOIAIntelligenceCenter.items.objects.relationship_type | String | STIX object relationship type |
SEKOIAIntelligenceCenter.items.objects.target_ref | String | Target reference UUID |
SEKOIAIntelligenceCenter.items.objects.source_ref | String | Source reference UUID |
SEKOIAIntelligenceCenter.items.objects.start_time | Date | Object start time |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_sector | Boolean | Is the object a sector |
SEKOIAIntelligenceCenter.items.objects.contact_information | String | Object contact information |
SEKOIAIntelligenceCenter.items.objects.x_ic_is_source | Boolean | Is the object a source |
SEKOIAIntelligenceCenter.items.objects.sectors | String | Associated sectors |
SEKOIAIntelligenceCenter.items.objects.identity_class | String | Object identity class |
SEKOIAIntelligenceCenter.items.objects.definition_type | String | Object definition type |
SEKOIAIntelligenceCenter.items.objects.definition.tlp | String | TLP type |
SEKOIAIntelligenceCenter.has_more | Boolean | Is more information available |
IP.Address | String | IP address |
URL.Data | String | The URL |
Domain.Name | String | The domain name, for example: "google.com". |
DBotScore.Indicator | String | The indicator name. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
Command example#
!GetIndicatorContext value="eicar@sekoia.io" type="email-addr"
Context Example#
Human Readable Output#
Indicator eicar@sekoia.io is linked to the following:#
name | description | type | aliases | goals | revoked | created | modified | more_info
---|---|---|---|---|---|---|---|---
EICAR Unit of SEKOIA | This Intrusion Set is known to be operated by SEKOIA by its EICAR unit. This unit aims at creating fictitious environment mimicking real attackers to present how threat intelligence can help real organizations to protect themselves. | intrusion-set | EICAR, TEST EICAR SEKOIA.IO, EICAR Unit of SEKOIA | Simulation of real Threat Actor for Test purpose | false | 2020-05-26T13:18:26.429787Z | 2020-06-02T13:28:51.131904Z | More info about EICAR Unit of SEKOIA on SEKOIA.IO
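Both `email` and `GetIndicatorContext` return the same STIX-shaped context (`SEKOIAIntelligenceCenter.items[].objects` with `indicator`, `malware`, `intrusion-set` and `relationship` objects, plus `revoked`, `x_ic_deprecated`, `valid_until`, `confidence` and the `pattern`). A playbook usually has to turn that into the "is linked to the following" view shown in the human readable output and into File/DBotScore context, while not trusting objects that are revoked, deprecated or past their validity. The following is an added example, not code from the SEKOIA.IO integration or from the original page. The payload is constructed in the documented shape: the UUID suffixes are made up, the hashes are the ones shown in the command output earlier on this page, and the DBotScore thresholds are an assumption of this example rather than SEKOIA's.

```python
"""Added example, not part of the SEKOIA.IO integration or of the original page:
post-processing the STIX objects that the `email` and `GetIndicatorContext`
commands place under SEKOIAIntelligenceCenter.items[].objects.

It shows how a playbook automation can
  1. pull the file hashes out of the indicator's STIX pattern (File.MD5/SHA1/SHA256),
  2. follow relationship objects from the indicator to the malware or intrusion set
     it indicates, dropping revoked, deprecated (x_ic_deprecated) or expired
     (valid_until) objects, and
  3. derive a DBotScore from the indicator's state and confidence.
SAMPLE_ITEMS is constructed in the documented shape: UUID suffixes are made up,
the hashes are those shown on the page, and the thresholds in dbot_score are an
assumption of this example, not SEKOIA's scoring.
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Tuple

# STIX comparison expression for file hashes, e.g. file:hashes.'SHA-256' = '...' or file:hashes.MD5 = '...'
HASH_RE = re.compile(r"file:hashes\.'?(?P<alg>[A-Za-z0-9-]+)'?\s*=\s*'(?P<val>[0-9A-Fa-f]+)'")
# STIX algorithm name -> Cortex XSOAR File context key
HASH_KEYS = {"MD5": "MD5", "SHA-1": "SHA1", "SHA-256": "SHA256", "SHA-512": "SHA512"}

SAMPLE_ITEMS = [{  # constructed; shape follows the documented context paths
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Agent Tesla sample", "pattern_type": "stix", "confidence": 80,
         "pattern": ("[file:hashes.'SHA-256' = '8fdc11e44341c3df5a8020b3313eb0a33b2d77fa05d4af0168f911b3a4d3b74a' "
                     "OR file:hashes.MD5 = 'e1d4d2e829885b322f7e619cbfc2615f' "
                     "OR file:hashes.'SHA-1' = 'cb6dfb7d8732a74187f61db80aa9f31a29c10888']"),
         "valid_from": "2021-11-02T08:45:53Z", "valid_until": "2023-01-01T00:00:00Z",
         "revoked": False, "x_ic_deprecated": False},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003", "name": "Agent Tesla",
         "aliases": ["AgentTesla", "AgenTesla", "Negasteal"], "revoked": False, "x_ic_deprecated": False},
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000004",
         "name": "Withdrawn attribution", "revoked": True},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000005",
         "relationship_type": "indicates", "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "malware--00000000-0000-4000-8000-000000000003", "revoked": False},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000006",
         "relationship_type": "indicates", "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "intrusion-set--00000000-0000-4000-8000-000000000004", "revoked": False},
    ],
}]


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps used in the context output (trailing 'Z' accepted)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Evaluation time chosen inside the sample indicator's validity window.
NOW = parse_ts("2022-07-12T00:00:00Z")


def extract_file_hashes(pattern: str) -> Dict[str, str]:
    """Map every hash in a STIX file pattern to its XSOAR File context key."""
    return {HASH_KEYS[m["alg"]]: m["val"].lower()
            for m in HASH_RE.finditer(pattern) if m["alg"] in HASH_KEYS}


def is_active(obj: dict, now: datetime) -> bool:
    """Usable only if not revoked, not deprecated and (when set) not past valid_until."""
    if obj.get("revoked") or obj.get("x_ic_deprecated"):
        return False
    until = obj.get("valid_until")
    return until is None or parse_ts(until) > now


def linked_objects(objects: List[dict], indicator_id: str, now: datetime) -> List[Tuple[str, dict]]:
    """Resolve relationships touching the indicator to the active object on the other side."""
    by_id = {o["id"]: o for o in objects}
    linked = []
    for rel in objects:
        if rel.get("type") != "relationship" or not is_active(rel, now):
            continue
        if rel["source_ref"] == indicator_id:
            other = by_id.get(rel["target_ref"])
        elif rel["target_ref"] == indicator_id:
            other = by_id.get(rel["source_ref"])
        else:
            continue
        if other is not None and is_active(other, now):
            linked.append((rel["relationship_type"], other))
    return linked


def dbot_score(indicator: dict, now: datetime) -> int:
    """DBotScore: 0 unknown, 2 suspicious, 3 bad. The confidence threshold is assumed."""
    if not is_active(indicator, now):
        return 0
    return 3 if indicator.get("confidence", 0) >= 50 else 2


def summarize(items: List[dict], now: datetime) -> List[dict]:
    """One summary per indicator object, in the shape a playbook task would consume."""
    summaries = []
    for item in items:
        objects = item.get("objects", [])
        for ind in (o for o in objects if o.get("type") == "indicator"):
            summaries.append({
                "indicator": ind["id"],
                "file": extract_file_hashes(ind.get("pattern", "")),
                "linked_to": [f"{o['type']}:{o.get('name')}" for _, o in linked_objects(objects, ind["id"], now)],
                "dbot_score": dbot_score(ind, now),
            })
    return summaries


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ITEMS, NOW), indent=2))
```

The revoked intrusion set is still present in the bundle and still has a live relationship pointing at it, which is why the filter is applied to the object on the far side of the relationship and not only to the relationship itself. Passing the evaluation time explicitly makes the `valid_until` handling testable: the same indicator scores 3 inside its window and 0 once it has expired.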