misp-circl-feed/feeds/circl/stix-2.1/5718c835-f58c-4f8e-8da4-452a950d210f.json

1627 lines
70 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5718c835-f58c-4f8e-8da4-452a950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:40.000Z",
"modified": "2016-04-21T15:04:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5718c835-f58c-4f8e-8da4-452a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:40.000Z",
"modified": "2016-04-21T15:04:40.000Z",
"name": "CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler",
"published": "2016-04-21T15:05:28Z",
"object_refs": [
"observed-data--5718c848-2c34-4d55-a27f-47a7950d210f",
"url--5718c848-2c34-4d55-a27f-47a7950d210f",
"x-misp-attribute--5718c862-de50-4d77-9195-450c950d210f",
"indicator--5718c9b2-98dc-4310-8a5d-4dff950d210f",
"indicator--5718c9b2-a384-45fa-ba7f-4e32950d210f",
"indicator--5718c9b3-b180-4c09-b026-4010950d210f",
"indicator--5718c9b3-b1ec-4bde-9de2-4eaa950d210f",
"indicator--5718ca39-5404-495b-a24b-45a6950d210f",
"indicator--5718ca39-4744-4e5b-afa4-4449950d210f",
"indicator--5718ca39-d1d0-4775-b006-4e70950d210f",
"indicator--5718ca3a-9598-449b-8fb9-4e4e950d210f",
"indicator--5718ca3a-e5a0-4afb-954f-4e39950d210f",
"indicator--5718cb52-4df8-47fb-aaaa-4367950d210f",
"indicator--5718cb52-77ec-495e-87da-4831950d210f",
"indicator--5718cb68-e624-45fd-aa89-4a29950d210f",
"indicator--5718cb68-0760-46b9-9987-4596950d210f",
"indicator--5718cbde-58c0-40b2-be07-4b82950d210f",
"indicator--5718cbde-0fc4-4c28-85a1-46ee950d210f",
"indicator--5718cbde-9158-4737-8278-4d3b950d210f",
"indicator--5718cbdf-cd08-4ec1-9cc1-4fe5950d210f",
"indicator--5718cbdf-bcd0-4e91-8ba0-424f950d210f",
"indicator--5718cbfd-0d9c-4f42-ba85-454f950d210f",
"indicator--5718cbfe-c5e4-4c77-bfdf-4ec3950d210f",
"indicator--5718cbfe-760c-4f40-9ca2-49b8950d210f",
"indicator--5718cbfe-5b80-4d79-8a87-479f950d210f",
"indicator--5718cbff-9790-406a-aca4-4b5a950d210f",
"indicator--5718cbff-bfd4-4f0b-9704-46c0950d210f",
"indicator--5718cc81-eda0-46c5-9008-45d6950d210f",
"indicator--5718cc82-b3f0-4c5a-b661-4461950d210f",
"indicator--5718cc82-8504-4d59-8540-47a1950d210f",
"indicator--5718cc82-b7ac-4b18-abfe-4746950d210f",
"indicator--5718cc83-2e60-41aa-ba90-43ec950d210f",
"indicator--5718cc83-bcbc-4afa-a0b0-47e3950d210f",
"indicator--5718cc84-0dc4-4f65-bbaa-4c79950d210f",
"indicator--5718cc84-6a50-40aa-853e-465a950d210f",
"indicator--5718cc84-3584-49c1-8236-4601950d210f",
"indicator--5718cc84-2eac-4ccf-a8c7-4c04950d210f",
"indicator--5718ec08-17e8-4e4f-bc91-4dc002de0b81",
"observed-data--5718ec09-0a94-4850-95dd-42e402de0b81",
"url--5718ec09-0a94-4850-95dd-42e402de0b81",
"indicator--5718ec09-9708-4e77-b8e1-444c02de0b81",
"observed-data--5718ec09-a8b8-47fa-b41a-481102de0b81",
"url--5718ec09-a8b8-47fa-b41a-481102de0b81",
"indicator--5718ec0a-a808-4a5b-8dd6-4de802de0b81",
"observed-data--5718ec0a-e65c-4944-ba24-415f02de0b81",
"url--5718ec0a-e65c-4944-ba24-415f02de0b81",
"indicator--5718ec0b-1cfc-449d-8b92-439602de0b81",
"observed-data--5718ec0b-2f3c-4ce3-a20e-489e02de0b81",
"url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81",
"indicator--5718ec0b-991c-4adf-83ad-4f5402de0b81",
"observed-data--5718ec0c-9290-4654-8052-441e02de0b81",
"url--5718ec0c-9290-4654-8052-441e02de0b81",
"indicator--5718ec0c-f468-49fb-9ba3-472f02de0b81",
"observed-data--5718ec0c-bff4-422c-ab48-403202de0b81",
"url--5718ec0c-bff4-422c-ab48-403202de0b81",
"indicator--5718ec0d-4f74-4871-b896-43a102de0b81",
"observed-data--5718ec0d-2b70-41f4-87f7-445902de0b81",
"url--5718ec0d-2b70-41f4-87f7-445902de0b81",
"indicator--5718ec0e-d908-428b-bba4-4c4802de0b81",
"observed-data--5718ec0e-22f0-48d2-b7bb-499102de0b81",
"url--5718ec0e-22f0-48d2-b7bb-499102de0b81",
"indicator--5718ec0e-5244-4e01-814e-401c02de0b81",
"observed-data--5718ec0f-30f8-402c-bda5-4aba02de0b81",
"url--5718ec0f-30f8-402c-bda5-4aba02de0b81",
"indicator--5718ec0f-a46c-4586-9ce8-484902de0b81",
"observed-data--5718ec0f-b980-4e86-bc98-468602de0b81",
"url--5718ec0f-b980-4e86-bc98-468602de0b81",
"indicator--5718ec10-4cf4-44af-9f1d-4e9f02de0b81",
"observed-data--5718ec10-c750-4490-958d-427902de0b81",
"url--5718ec10-c750-4490-958d-427902de0b81",
"indicator--5718ec11-7160-45ce-aa3c-4f8f02de0b81",
"observed-data--5718ec11-c674-4178-8bb7-48bb02de0b81",
"url--5718ec11-c674-4178-8bb7-48bb02de0b81",
"indicator--5718ec11-4c84-4afb-818a-43a402de0b81",
"indicator--5718ec12-bb6c-4b99-b685-470b02de0b81",
"observed-data--5718ec12-fd54-4b04-8e9f-4e0f02de0b81",
"url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718c848-2c34-4d55-a27f-47a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:32:08.000Z",
"modified": "2016-04-21T12:32:08.000Z",
"first_observed": "2016-04-21T12:32:08Z",
"last_observed": "2016-04-21T12:32:08Z",
"number_observed": 1,
"object_refs": [
"url--5718c848-2c34-4d55-a27f-47a7950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718c848-2c34-4d55-a27f-47a7950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5718c862-de50-4d77-9195-450c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:32:34.000Z",
"modified": "2016-04-21T12:32:34.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Proofpoint researchers recently found a previously undocumented ransomware spreading since the end of March through Bedep after infection via the Angler Exploit Kit (EK). Combining our findings with intelligence shared by Frank Ruiz (Fox IT InTELL) lead us to the same conclusion: this project is conducted by the same group that was driving Reveton ransomware operations and is closely tied to Angler/Bedep. Dubbed \"CryptXXX\", this new ransomware is currently asking a relatively high $500 per computer to unlock encrypted files. Angler is the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718c9b2-98dc-4310-8a5d-4dff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:38:10.000Z",
"modified": "2016-04-21T12:38:10.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{C3F31E62-344D-4056-BF01-BF77B94E0254}\\\\api-ms-win-system-softpub-l1-1-0.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718c9b2-a384-45fa-ba7f-4e32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:38:10.000Z",
"modified": "2016-04-21T12:38:10.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{D075E5D0-4442-4108-850E-3AD2874B270C}\\\\api-ms-win-system-provsvc-l1-1-0.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718c9b3-b180-4c09-b026-4010950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:38:11.000Z",
"modified": "2016-04-21T12:38:11.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\\\\api-ms-win-system-wer-l1-1-0.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:38:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718c9b3-b1ec-4bde-9de2-4eaa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:38:11.000Z",
"modified": "2016-04-21T12:38:11.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{FD68402A-8F8F-4B3D-9808-174323767296}\\\\api-ms-win-system-advpack-l1-1-0.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:38:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ca39-5404-495b-a24b-45a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:40:25.000Z",
"modified": "2016-04-21T12:40:25.000Z",
"description": "CryptXXX checkin server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.0.42.68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:40:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ca39-4744-4e5b-afa4-4449950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:40:25.000Z",
"modified": "2016-04-21T12:40:25.000Z",
"description": "CryptXXX payment site",
"pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.to']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:40:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ca39-d1d0-4775-b006-4e70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:40:25.000Z",
"modified": "2016-04-21T12:40:25.000Z",
"description": "CryptXXX payment site",
"pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.cab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:40:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ca3a-9598-449b-8fb9-4e4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:40:26.000Z",
"modified": "2016-04-21T12:40:26.000Z",
"description": "CryptXXX payment site",
"pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.city']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:40:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ca3a-e5a0-4afb-954f-4e39950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:40:26.000Z",
"modified": "2016-04-21T12:40:26.000Z",
"description": "Bedep C&C IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.193.252.245']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:40:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cb52-4df8-47fb-aaaa-4367950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:45:06.000Z",
"modified": "2016-04-21T12:45:06.000Z",
"description": "Zip archive with most of the mentioned content",
"pattern": "[file:hashes.MD5 = '3776ec795ef3aa649ff48fcf83c87713']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:45:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cb52-77ec-495e-87da-4831950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:45:06.000Z",
"modified": "2016-04-21T12:45:06.000Z",
"description": "Zip archive with most of the mentioned content",
"pattern": "[file:hashes.SHA256 = '41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:45:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cb68-e624-45fd-aa89-4a29950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:45:28.000Z",
"modified": "2016-04-21T12:45:28.000Z",
"description": "Bedep 1809 first stream dll CryptXXX",
"pattern": "[file:hashes.MD5 = '17697e1829f0d18d2051a67bc2bca134']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cb68-0760-46b9-9987-4596950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:45:28.000Z",
"modified": "2016-04-21T12:45:28.000Z",
"description": "Bedep 1809 first stream dll CryptXXX",
"pattern": "[file:hashes.SHA256 = 'ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbde-58c0-40b2-be07-4b82950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:26.000Z",
"modified": "2016-04-21T12:47:26.000Z",
"description": "Bedep 1809 update stream dll1",
"pattern": "[file:hashes.MD5 = 'd4439055d2d63e52ffc23c6d24d89194']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbde-0fc4-4c28-85a1-46ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:26.000Z",
"modified": "2016-04-21T12:47:26.000Z",
"description": "Bedep 1809 update stream dll1 || Bedep 1809 update stream exe2 - Dridex 222",
"pattern": "[file:hashes.SHA256 = '1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbde-9158-4737-8278-4d3b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:26.000Z",
"modified": "2016-04-21T12:47:26.000Z",
"description": "Bedep 1809 update stream exe2 - Dridex 222",
"pattern": "[file:hashes.MD5 = '3e75e8238a6bbd8817164658696198af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbdf-cd08-4ec1-9cc1-4fe5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:27.000Z",
"modified": "2016-04-21T12:47:27.000Z",
"description": "Bedep 1809 update stream dll3",
"pattern": "[file:hashes.MD5 = 'de882c049be133a950b6917562bb2313']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbdf-bcd0-4e91-8ba0-424f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:27.000Z",
"modified": "2016-04-21T12:47:27.000Z",
"description": "Bedep 1809 update stream dll3",
"pattern": "[file:hashes.SHA256 = 'e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbfd-0d9c-4f42-ba85-454f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:57.000Z",
"modified": "2016-04-21T12:47:57.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.MD5 = 'bfb8f7f6cbe24330a310e5c7cbe99ed4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbfe-c5e4-4c77-bfdf-4ec3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:58.000Z",
"modified": "2016-04-21T12:47:58.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.SHA256 = 'a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbfe-760c-4f40-9ca2-49b8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:58.000Z",
"modified": "2016-04-21T12:47:58.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.MD5 = '0c3431dbb8cd0478250eb4357257880e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbfe-5b80-4d79-8a87-479f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:58.000Z",
"modified": "2016-04-21T12:47:58.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.SHA256 = '565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbff-9790-406a-aca4-4b5a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:59.000Z",
"modified": "2016-04-21T12:47:59.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.MD5 = 'cd2d085998a289134ffaf27fbdcbc8cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cbff-bfd4-4f0b-9704-46c0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:47:59.000Z",
"modified": "2016-04-21T12:47:59.000Z",
"description": "CryptXXX",
"pattern": "[file:hashes.SHA256 = '0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:47:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc81-eda0-46c5-9008-45d6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:09.000Z",
"modified": "2016-04-21T12:50:09.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d",
"pattern": "[file:hashes.MD5 = 'd65f155381d26f8ddfa304c83b1ad95a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc82-b3f0-4c5a-b661-4461950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:10.000Z",
"modified": "2016-04-21T12:50:10.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d",
"pattern": "[file:hashes.SHA256 = 'eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc82-8504-4d59-8540-47a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:10.000Z",
"modified": "2016-04-21T12:50:10.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d",
"pattern": "[file:hashes.MD5 = 'b824d94af0f981106ec2a12d0c4cc1c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc82-b7ac-4b18-abfe-4746950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:10.000Z",
"modified": "2016-04-21T12:50:10.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d",
"pattern": "[file:hashes.SHA256 = '5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc83-2e60-41aa-ba90-43ec950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:11.000Z",
"modified": "2016-04-21T12:50:11.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (May 2015)",
"pattern": "[file:hashes.MD5 = '971c578c9dea43f91bfb44ceac0ee01d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc83-bcbc-4afa-a0b0-47e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:11.000Z",
"modified": "2016-04-21T12:50:11.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (May 2015)",
"pattern": "[file:hashes.SHA256 = '59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc84-0dc4-4f65-bbaa-4c79950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:12.000Z",
"modified": "2016-04-21T12:50:12.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015)",
"pattern": "[file:hashes.MD5 = '70a377690917a98e6ee682f7941eb565']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc84-6a50-40aa-853e-465a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:12.000Z",
"modified": "2016-04-21T12:50:12.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015)",
"pattern": "[file:hashes.SHA256 = 'ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc84-3584-49c1-8236-4601950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:12.000Z",
"modified": "2016-04-21T12:50:12.000Z",
"description": "Reveton - 2015-04-14",
"pattern": "[file:hashes.MD5 = '728733095fe2c66f91a19ebde412dd25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718cc84-2eac-4ccf-a8c7-4c04950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T12:50:12.000Z",
"modified": "2016-04-21T12:50:12.000Z",
"description": "Reveton - 2015-04-14",
"pattern": "[file:hashes.SHA256 = 'dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T12:50:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec08-17e8-4e4f-bc91-4dc002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:40.000Z",
"modified": "2016-04-21T15:04:40.000Z",
"description": "Reveton - 2015-04-14 - Xchecked via VT: dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3",
"pattern": "[file:hashes.SHA1 = 'fd1ae96536ef9f29f336425b83022d2beab767a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec09-0a94-4850-95dd-42e402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:41.000Z",
"modified": "2016-04-21T15:04:41.000Z",
"first_observed": "2016-04-21T15:04:41Z",
"last_observed": "2016-04-21T15:04:41Z",
"number_observed": 1,
"object_refs": [
"url--5718ec09-0a94-4850-95dd-42e402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec09-0a94-4850-95dd-42e402de0b81",
"value": "https://www.virustotal.com/file/dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3/analysis/1461131947/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec09-9708-4e77-b8e1-444c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:41.000Z",
"modified": "2016-04-21T15:04:41.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015) - Xchecked via VT: ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de",
"pattern": "[file:hashes.SHA1 = '246b1e0d01772a47a5f2032c8642d33d47a11c57']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec09-a8b8-47fa-b41a-481102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:41.000Z",
"modified": "2016-04-21T15:04:41.000Z",
"first_observed": "2016-04-21T15:04:41Z",
"last_observed": "2016-04-21T15:04:41Z",
"number_observed": 1,
"object_refs": [
"url--5718ec09-a8b8-47fa-b41a-481102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec09-a8b8-47fa-b41a-481102de0b81",
"value": "https://www.virustotal.com/file/ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de/analysis/1461131953/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0a-a808-4a5b-8dd6-4de802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:42.000Z",
"modified": "2016-04-21T15:04:42.000Z",
"description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (May 2015) - Xchecked via VT: 59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa",
"pattern": "[file:hashes.SHA1 = '0487c3856c5e44d3a5c2dcee29c63cb644a4fc52']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0a-e65c-4944-ba24-415f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:42.000Z",
"modified": "2016-04-21T15:04:42.000Z",
"first_observed": "2016-04-21T15:04:42Z",
"last_observed": "2016-04-21T15:04:42Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0a-e65c-4944-ba24-415f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0a-e65c-4944-ba24-415f02de0b81",
"value": "https://www.virustotal.com/file/59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa/analysis/1461131974/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0b-1cfc-449d-8b92-439602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:42.000Z",
"modified": "2016-04-21T15:04:42.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d - Xchecked via VT: 5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd",
"pattern": "[file:hashes.SHA1 = 'b4e17ebe8b07727e7ce6ae8580b97d1129e7c6ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0b-2f3c-4ce3-a20e-489e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:43.000Z",
"modified": "2016-04-21T15:04:43.000Z",
"first_observed": "2016-04-21T15:04:43Z",
"last_observed": "2016-04-21T15:04:43Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81",
"value": "https://www.virustotal.com/file/5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd/analysis/1461163306/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0b-991c-4adf-83ad-4f5402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:43.000Z",
"modified": "2016-04-21T15:04:43.000Z",
"description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d - Xchecked via VT: eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d",
"pattern": "[file:hashes.SHA1 = '87d7a85b4ea7d4041ade140576b4d6fd2c5aa403']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0c-9290-4654-8052-441e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:44.000Z",
"modified": "2016-04-21T15:04:44.000Z",
"first_observed": "2016-04-21T15:04:44Z",
"last_observed": "2016-04-21T15:04:44Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0c-9290-4654-8052-441e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0c-9290-4654-8052-441e02de0b81",
"value": "https://www.virustotal.com/file/eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d/analysis/1461131964/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0c-f468-49fb-9ba3-472f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:44.000Z",
"modified": "2016-04-21T15:04:44.000Z",
"description": "CryptXXX - Xchecked via VT: 0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e",
"pattern": "[file:hashes.SHA1 = 'e22678fe4bd0b209b14d5ed061ae61bb52e79df1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0c-bff4-422c-ab48-403202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:44.000Z",
"modified": "2016-04-21T15:04:44.000Z",
"first_observed": "2016-04-21T15:04:44Z",
"last_observed": "2016-04-21T15:04:44Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0c-bff4-422c-ab48-403202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0c-bff4-422c-ab48-403202de0b81",
"value": "https://www.virustotal.com/file/0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e/analysis/1461160828/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0d-4f74-4871-b896-43a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:45.000Z",
"modified": "2016-04-21T15:04:45.000Z",
"description": "CryptXXX - Xchecked via VT: 565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0",
"pattern": "[file:hashes.SHA1 = '0a1d2182f272ff4e4321b41f6bf65f8320d9e88c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0d-2b70-41f4-87f7-445902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:45.000Z",
"modified": "2016-04-21T15:04:45.000Z",
"first_observed": "2016-04-21T15:04:45Z",
"last_observed": "2016-04-21T15:04:45Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0d-2b70-41f4-87f7-445902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0d-2b70-41f4-87f7-445902de0b81",
"value": "https://www.virustotal.com/file/565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0/analysis/1461162322/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0e-d908-428b-bba4-4c4802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:46.000Z",
"modified": "2016-04-21T15:04:46.000Z",
"description": "CryptXXX - Xchecked via VT: a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05",
"pattern": "[file:hashes.SHA1 = 'cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0e-22f0-48d2-b7bb-499102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:46.000Z",
"modified": "2016-04-21T15:04:46.000Z",
"first_observed": "2016-04-21T15:04:46Z",
"last_observed": "2016-04-21T15:04:46Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0e-22f0-48d2-b7bb-499102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0e-22f0-48d2-b7bb-499102de0b81",
"value": "https://www.virustotal.com/file/a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05/analysis/1461225821/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0e-5244-4e01-814e-401c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:46.000Z",
"modified": "2016-04-21T15:04:46.000Z",
"description": "Bedep 1809 update stream dll3 - Xchecked via VT: e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06",
"pattern": "[file:hashes.SHA1 = '93e9e42eba18e83811b4e9858be5cd09b9c50e5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0f-30f8-402c-bda5-4aba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:47.000Z",
"modified": "2016-04-21T15:04:47.000Z",
"first_observed": "2016-04-21T15:04:47Z",
"last_observed": "2016-04-21T15:04:47Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0f-30f8-402c-bda5-4aba02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0f-30f8-402c-bda5-4aba02de0b81",
"value": "https://www.virustotal.com/file/e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06/analysis/1461164621/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec0f-a46c-4586-9ce8-484902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:47.000Z",
"modified": "2016-04-21T15:04:47.000Z",
"description": "Bedep 1809 update stream dll1 || Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df",
"pattern": "[file:hashes.SHA1 = '92a35105a3cf19a183ef9ca9e66cb9063fffecf1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec0f-b980-4e86-bc98-468602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:47.000Z",
"modified": "2016-04-21T15:04:47.000Z",
"first_observed": "2016-04-21T15:04:47Z",
"last_observed": "2016-04-21T15:04:47Z",
"number_observed": 1,
"object_refs": [
"url--5718ec0f-b980-4e86-bc98-468602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec0f-b980-4e86-bc98-468602de0b81",
"value": "https://www.virustotal.com/file/1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df/analysis/1461131970/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec10-4cf4-44af-9f1d-4e9f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:48.000Z",
"modified": "2016-04-21T15:04:48.000Z",
"description": "Bedep 1809 first stream dll CryptXXX - Xchecked via VT: ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67",
"pattern": "[file:hashes.SHA1 = 'd3f6bd8b57a8c353fd3f25d66e0690d9f578d35e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec10-c750-4490-958d-427902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:48.000Z",
"modified": "2016-04-21T15:04:48.000Z",
"first_observed": "2016-04-21T15:04:48Z",
"last_observed": "2016-04-21T15:04:48Z",
"number_observed": 1,
"object_refs": [
"url--5718ec10-c750-4490-958d-427902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec10-c750-4490-958d-427902de0b81",
"value": "https://www.virustotal.com/file/ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67/analysis/1461226696/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec11-7160-45ce-aa3c-4f8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:49.000Z",
"modified": "2016-04-21T15:04:49.000Z",
"description": "Zip archive with most of the mentioned content - Xchecked via VT: 41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90",
"pattern": "[file:hashes.SHA1 = '8b2771240fdcb3ca11c0ea1b77a313484154a85f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec11-c674-4178-8bb7-48bb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:49.000Z",
"modified": "2016-04-21T15:04:49.000Z",
"first_observed": "2016-04-21T15:04:49Z",
"last_observed": "2016-04-21T15:04:49Z",
"number_observed": 1,
"object_refs": [
"url--5718ec11-c674-4178-8bb7-48bb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec11-c674-4178-8bb7-48bb02de0b81",
"value": "https://www.virustotal.com/file/41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90/analysis/1461162315/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec11-4c84-4afb-818a-43a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:49.000Z",
"modified": "2016-04-21T15:04:49.000Z",
"description": "Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 3e75e8238a6bbd8817164658696198af",
"pattern": "[file:hashes.SHA256 = '669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ec12-bb6c-4b99-b685-470b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:50.000Z",
"modified": "2016-04-21T15:04:50.000Z",
"description": "Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 3e75e8238a6bbd8817164658696198af",
"pattern": "[file:hashes.SHA1 = '3c0246b41063f5ea26de9d96301774836270eff3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:04:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ec12-fd54-4b04-8e9f-4e0f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:04:50.000Z",
"modified": "2016-04-21T15:04:50.000Z",
"first_observed": "2016-04-21T15:04:50Z",
"last_observed": "2016-04-21T15:04:50Z",
"number_observed": 1,
"object_refs": [
"url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81",
"value": "https://www.virustotal.com/file/669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae/analysis/1461160978/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}