misp-circl-feed/feeds/circl/stix-2.1/571de8da-be78-4d1d-851f-448d950d210f.json

{
"type": "bundle",
"id": "bundle--571de8da-be78-4d1d-851f-448d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:32.000Z",
"modified": "2016-04-25T13:09:32.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--571de8da-be78-4d1d-851f-448d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:32.000Z",
"modified": "2016-04-25T13:09:32.000Z",
"name": "OSINT - New FAREIT Strain Abuses PowerShell",
"published": "2016-04-25T14:01:44Z",
"object_refs": [
"x-misp-attribute--571de8e8-be8c-4f59-b5b2-4aad950d210f",
"observed-data--571de8fa-f540-4df1-ab19-460a950d210f",
"url--571de8fa-f540-4df1-ab19-460a950d210f",
"indicator--571deb15-7a84-4ad5-99fe-4804950d210f",
"indicator--571deb15-4824-409d-86e8-4692950d210f",
"indicator--571deb15-6290-4e20-8792-4738950d210f",
"indicator--571deb15-b778-4440-acbf-4bf6950d210f",
"indicator--571deb15-a658-458b-95f5-4654950d210f",
"indicator--571deb15-7dfc-44be-896f-43ff950d210f",
"indicator--571deb15-6974-4675-9e90-43bf950d210f",
"indicator--571deb22-78c0-40ea-8d6c-4e3502de0b81",
"indicator--571deb22-ca5c-4862-80cc-48e002de0b81",
"observed-data--571deb22-9160-47d9-9637-408002de0b81",
"url--571deb22-9160-47d9-9637-408002de0b81",
"indicator--571deb22-1348-4179-ab26-444502de0b81",
"indicator--571deb22-f794-4e33-9143-49f502de0b81",
"observed-data--571deb22-4568-49b2-a586-425902de0b81",
"url--571deb22-4568-49b2-a586-425902de0b81",
"indicator--571deb22-fe80-4838-a1b4-41c702de0b81",
"indicator--571deb23-9980-4ec2-9c3f-498e02de0b81",
"observed-data--571deb23-cbf0-45dd-8657-40bd02de0b81",
"url--571deb23-cbf0-45dd-8657-40bd02de0b81",
"indicator--571deb23-3e40-4959-9562-462202de0b81",
"indicator--571deb23-19c0-4d9c-af16-487902de0b81",
"observed-data--571deb23-512c-4434-a828-48f002de0b81",
"url--571deb23-512c-4434-a828-48f002de0b81",
"indicator--571deb23-a7f0-4248-b820-46d502de0b81",
"indicator--571deb23-3eec-43fe-b73a-4f7802de0b81",
"observed-data--571deb24-d2c8-4866-9b32-448802de0b81",
"url--571deb24-d2c8-4866-9b32-448802de0b81",
"indicator--571deb24-b0c8-4bdc-9b40-443c02de0b81",
"indicator--571deb24-4c08-4a14-a26b-498402de0b81",
"observed-data--571deb24-2ce8-44f5-9c39-442302de0b81",
"url--571deb24-2ce8-44f5-9c39-442302de0b81",
"indicator--571deb24-d6e8-4a42-81a0-483f02de0b81",
"indicator--571deb24-2bd8-4613-a160-40fc02de0b81",
"observed-data--571deb25-dc48-496f-9cb9-401d02de0b81",
"url--571deb25-dc48-496f-9cb9-401d02de0b81",
"observed-data--571e170d-e06c-4485-9a7a-40e802de0b81",
"url--571e170d-e06c-4485-9a7a-40e802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--571de8e8-be8c-4f59-b5b2-4aad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T09:52:40.000Z",
"modified": "2016-04-25T09:52:40.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "In 2014, we began seeing attacks that abused the Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several good reasons for an attacker to use this particular feature.\r\n\r\nFirst, users cannot easily spot any malicious behavior since PowerShell runs in the background. Secondly, PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it a powerful tool for attackers.\r\n\r\nLast March 2016, we noted that PowerWare crypto-ransomware also abused PowerShell. Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant. This particular family of information stealers has been around since 2011."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571de8fa-f540-4df1-ab19-460a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T09:52:58.000Z",
"modified": "2016-04-25T09:52:58.000Z",
"first_observed": "2016-04-25T09:52:58Z",
"last_observed": "2016-04-25T09:52:58Z",
"number_observed": 1,
"object_refs": [
"url--571de8fa-f540-4df1-ab19-460a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571de8fa-f540-4df1-ab19-460a950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/new-fareit-strain-delivered-abusing-powershell/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-7a84-4ad5-99fe-4804950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'acaeb29abf2458b862646366917f44e987176ec9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-4824-409d-86e8-4692950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-6290-4e20-8792-4738950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'da3b7c89ec9ca4157af52d40db76b2c23a62a15e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-b778-4440-acbf-4bf6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '03798dc7221efdcec95b991735f38b49dff29542']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-a658-458b-95f5-4654950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '04fffc28bed615d7da50c0286290d452b9c5ee50']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-7dfc-44be-896f-43ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '125156e24958f18ad86cc406868948dc100791d4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-6974-4675-9e90-43bf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '4f739261372d4adce7f152f16fbf20a5c18b8903']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-78c0-40ea-8d6c-4e3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 4f739261372d4adce7f152f16fbf20a5c18b8903",
"pattern": "[file:hashes.SHA256 = '6dceceeb1aff7b613f7bdf9259173d30cabda4a1d142af5f52e03c291c8adb9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-ca5c-4862-80cc-48e002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 4f739261372d4adce7f152f16fbf20a5c18b8903",
"pattern": "[file:hashes.MD5 = 'b3dbdb86a443be3d6e310ceb84bb4c2c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb22-9160-47d9-9637-408002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"first_observed": "2016-04-25T10:02:10Z",
"last_observed": "2016-04-25T10:02:10Z",
"number_observed": 1,
"object_refs": [
"url--571deb22-9160-47d9-9637-408002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb22-9160-47d9-9637-408002de0b81",
"value": "https://www.virustotal.com/file/6dceceeb1aff7b613f7bdf9259173d30cabda4a1d142af5f52e03c291c8adb9f/analysis/1461305595/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-1348-4179-ab26-444502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 125156e24958f18ad86cc406868948dc100791d4",
"pattern": "[file:hashes.SHA256 = '658b0994a6ccfde063293ffbc3f2b85c4cdab2489ed5351f85011e3957e1e143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-f794-4e33-9143-49f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 125156e24958f18ad86cc406868948dc100791d4",
"pattern": "[file:hashes.MD5 = '1eeb67994aae158dc8486269728fc177']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb22-4568-49b2-a586-425902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"first_observed": "2016-04-25T10:02:10Z",
"last_observed": "2016-04-25T10:02:10Z",
"number_observed": 1,
"object_refs": [
"url--571deb22-4568-49b2-a586-425902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb22-4568-49b2-a586-425902de0b81",
"value": "https://www.virustotal.com/file/658b0994a6ccfde063293ffbc3f2b85c4cdab2489ed5351f85011e3957e1e143/analysis/1461303615/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-fe80-4838-a1b4-41c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 04fffc28bed615d7da50c0286290d452b9c5ee50",
"pattern": "[file:hashes.SHA256 = '30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-9980-4ec2-9c3f-498e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 04fffc28bed615d7da50c0286290d452b9c5ee50",
"pattern": "[file:hashes.MD5 = '8ce49433b0442f3d9d81662f9f3c9342']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb23-cbf0-45dd-8657-40bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"first_observed": "2016-04-25T10:02:11Z",
"last_observed": "2016-04-25T10:02:11Z",
"number_observed": 1,
"object_refs": [
"url--571deb23-cbf0-45dd-8657-40bd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb23-cbf0-45dd-8657-40bd02de0b81",
"value": "https://www.virustotal.com/file/30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a/analysis/1461393556/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-3e40-4959-9562-462202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 03798dc7221efdcec95b991735f38b49dff29542",
"pattern": "[file:hashes.SHA256 = '300a50991cb2c6eb16b7e14ba5ef72a3a83c9f2b7d6cd7da259b866fbc527985']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-19c0-4d9c-af16-487902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 03798dc7221efdcec95b991735f38b49dff29542",
"pattern": "[file:hashes.MD5 = 'f43c1178362caf94e7670208b054d285']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb23-512c-4434-a828-48f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"first_observed": "2016-04-25T10:02:11Z",
"last_observed": "2016-04-25T10:02:11Z",
"number_observed": 1,
"object_refs": [
"url--571deb23-512c-4434-a828-48f002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb23-512c-4434-a828-48f002de0b81",
"value": "https://www.virustotal.com/file/300a50991cb2c6eb16b7e14ba5ef72a3a83c9f2b7d6cd7da259b866fbc527985/analysis/1460188306/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-a7f0-4248-b820-46d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: da3b7c89ec9ca4157af52d40db76b2c23a62a15e",
"pattern": "[file:hashes.SHA256 = '5f6cfc97884476c469b11ef2c22d0d181879ba9ac1d26176f9f1b35b009a6646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-3eec-43fe-b73a-4f7802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: da3b7c89ec9ca4157af52d40db76b2c23a62a15e",
"pattern": "[file:hashes.MD5 = 'c04d18f4e9e8fd4ffba04a9ced5c27bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb24-d2c8-4866-9b32-448802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb24-d2c8-4866-9b32-448802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb24-d2c8-4866-9b32-448802de0b81",
"value": "https://www.virustotal.com/file/5f6cfc97884476c469b11ef2c22d0d181879ba9ac1d26176f9f1b35b009a6646/analysis/1461206794/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-b0c8-4bdc-9b40-443c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e",
"pattern": "[file:hashes.SHA256 = '933e8206dd259578c14ffecf9166ac937c6f2c49f0fb8a126283f7211a442fe5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-4c08-4a14-a26b-498402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e",
"pattern": "[file:hashes.MD5 = '10492d71bf833499217c0a3f48278dc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb24-2ce8-44f5-9c39-442302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb24-2ce8-44f5-9c39-442302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb24-2ce8-44f5-9c39-442302de0b81",
"value": "https://www.virustotal.com/file/933e8206dd259578c14ffecf9166ac937c6f2c49f0fb8a126283f7211a442fe5/analysis/1461238630/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-d6e8-4a42-81a0-483f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: acaeb29abf2458b862646366917f44e987176ec9",
"pattern": "[file:hashes.SHA256 = 'c8ec0981f22303b81f5463dce7e9bb3d34f9c162710be9fb766ecaad86a9afa3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-2bd8-4613-a160-40fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: acaeb29abf2458b862646366917f44e987176ec9",
"pattern": "[file:hashes.MD5 = 'f0e55995b81e974e9df4d1c060bc4bcc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb25-dc48-496f-9cb9-401d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb25-dc48-496f-9cb9-401d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb25-dc48-496f-9cb9-401d02de0b81",
"value": "https://www.virustotal.com/file/c8ec0981f22303b81f5463dce7e9bb3d34f9c162710be9fb766ecaad86a9afa3/analysis/1461421373/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571e170d-e06c-4485-9a7a-40e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:33.000Z",
"modified": "2016-04-25T13:09:33.000Z",
"first_observed": "2016-04-25T13:09:33Z",
"last_observed": "2016-04-25T13:09:33Z",
"number_observed": 1,
"object_refs": [
"url--571e170d-e06c-4485-9a7a-40e802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571e170d-e06c-4485-9a7a-40e802de0b81",
"value": "https://www.virustotal.com/file/30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a/analysis/1461585661/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}