misp-circl-feed/feeds/circl/stix-2.1/5720bf21-9d4c-40b2-9088-45e6950d210f.json

1082 lines
45 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5720bf21-9d4c-40b2-9088-45e6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:12.000Z",
"modified": "2016-04-28T07:37:12.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5720bf21-9d4c-40b2-9088-45e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:12.000Z",
"modified": "2016-04-28T07:37:12.000Z",
"name": "OSINT - New Downloader for Locky",
"published": "2016-05-07T05:15:16Z",
"object_refs": [
"observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f",
"url--5720bf30-342c-46e3-bbdd-49d2950d210f",
"x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f",
"observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
"email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
"observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f",
"email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
"file--5720bfb2-7df0-4ffe-af65-472b950d210f",
"indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f",
"indicator--5720c036-f4b8-497c-ad91-45dc950d210f",
"indicator--5720c036-f710-4da1-8d4c-4a7c950d210f",
"indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f",
"indicator--5720c04c-3a88-4a9e-b201-4d39950d210f",
"indicator--5720c04d-1d90-42ff-a0ef-4908950d210f",
"indicator--5720c04d-54fc-4671-9e61-4f48950d210f",
"indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f",
"indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f",
"indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f",
"indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f",
"indicator--5720c0fd-4d60-4474-b651-40ce950d210f",
"indicator--5720c0fe-dd94-46d5-a54a-4777950d210f",
"indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f",
"indicator--5720d993-f430-46d3-8fa5-0fab02de0b81",
"indicator--5720d994-4600-4933-8dd4-0fab02de0b81",
"observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81",
"url--5720d994-7ca4-455e-9f2e-0fab02de0b81",
"indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81",
"indicator--5720d995-8004-4dda-a959-0fab02de0b81",
"observed-data--5720d995-3140-46e7-b65a-0fab02de0b81",
"url--5720d995-3140-46e7-b65a-0fab02de0b81",
"indicator--5720d996-dce4-4184-ad02-0fab02de0b81",
"indicator--5720d996-99a0-4376-a595-0fab02de0b81",
"observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81",
"url--5720d997-a6e8-44a7-b706-0fab02de0b81",
"indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81",
"indicator--5720d998-7e78-4485-91c8-0fab02de0b81",
"observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81",
"url--5720d998-f688-4bcc-88e6-0fab02de0b81",
"indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81",
"indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81",
"observed-data--5720d999-1650-4442-aca5-0fab02de0b81",
"url--5720d999-1650-4442-aca5-0fab02de0b81",
"indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81",
"indicator--5720d99b-5644-4574-9a56-0fab02de0b81",
"observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81",
"url--5720d99b-82fc-49a4-9701-0fab02de0b81",
"indicator--5721bda7-9dfc-4984-b012-4e32950d210f",
"indicator--5721bda6-8408-401a-96fe-40f3950d210f",
"indicator--5721bda5-90e4-460c-b362-4667950d210f",
"indicator--5721bda6-4520-4e2d-9136-4bd3950d210f",
"indicator--5721bda7-d424-4f46-8138-4133950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"ecsirt:malicious-code=\"ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:31:28.000Z",
"modified": "2016-04-27T13:31:28.000Z",
"first_observed": "2016-04-27T13:31:28Z",
"last_observed": "2016-04-27T13:31:28Z",
"number_observed": 1,
"object_refs": [
"url--5720bf30-342c-46e3-bbdd-49d2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720bf30-342c-46e3-bbdd-49d2950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:31:42.000Z",
"modified": "2016-04-27T13:31:42.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was downloaded by a macro-based downloader or a JavaScript downloader. However, in April 2016, FireEye Labs observed a new development in the way this ransomware is downloaded onto a compromised system."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:33:18.000Z",
"modified": "2016-04-27T13:33:18.000Z",
"first_observed": "2016-04-27T13:33:18Z",
"last_observed": "2016-04-27T13:33:18Z",
"number_observed": 1,
"object_refs": [
"email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f"
],
"labels": [
"misp:type=\"email-subject\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
"is_multipart": false,
"subject": "Photos"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:33:38.000Z",
"modified": "2016-04-27T13:33:38.000Z",
"first_observed": "2016-04-27T13:33:38Z",
"last_observed": "2016-04-27T13:33:38Z",
"number_observed": 1,
"object_refs": [
"email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
"file--5720bfb2-7df0-4ffe-af65-472b950d210f"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--5720bfb2-7df0-4ffe-af65-472b950d210f",
"content_disposition": "attachment; filename='Photos.zip'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5720bfb2-7df0-4ffe-af65-472b950d210f",
"name": "Photos.zip"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:33:58.000Z",
"modified": "2016-04-27T13:33:58.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://mrsweeter.ru/87h78rf33g']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:33:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c036-f4b8-497c-ad91-45dc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:35:50.000Z",
"modified": "2016-04-27T13:35:50.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA256 = '7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:35:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c036-f710-4da1-8d4c-4a7c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:35:50.000Z",
"modified": "2016-04-27T13:35:50.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA256 = '9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:35:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:36:12.000Z",
"modified": "2016-04-27T13:36:12.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'b0ca8c5881c1d27684c23db7a88d11e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:36:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c04c-3a88-4a9e-b201-4d39950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:36:12.000Z",
"modified": "2016-04-27T13:36:12.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'c5ad81d8d986c92f90d0462bc06ac9c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:36:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c04d-1d90-42ff-a0ef-4908950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:36:13.000Z",
"modified": "2016-04-27T13:36:13.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'ebf1f8951ec79f2e6bf40e6981c7dbfc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:36:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c04d-54fc-4671-9e61-4f48950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:36:13.000Z",
"modified": "2016-04-27T13:36:13.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA256 = '357c162a35c3623d1a1791c18e9f56e72bcd76f6ef9f4cbcf5952f62b9bc8a08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:36:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:36:13.000Z",
"modified": "2016-04-27T13:36:13.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'c325dcf4c6c1e2b62a7c5b1245985083']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:36:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:08.000Z",
"modified": "2016-04-27T13:39:08.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://185.130.7.22/files/sBpFSa.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:09.000Z",
"modified": "2016-04-27T13:39:09.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://185.130.7.22/files/WRwe3X.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:09.000Z",
"modified": "2016-04-27T13:39:09.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://slater.chat.ru/gvtg77996']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fd-4d60-4474-b651-40ce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:09.000Z",
"modified": "2016-04-27T13:39:09.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://hundeschulegoerg.de/gvtg77996']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fe-dd94-46d5-a54a-4777950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:10.000Z",
"modified": "2016-04-27T13:39:10.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://buhjolk.at/files/dIseJh.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T13:39:10.000Z",
"modified": "2016-04-27T13:39:10.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'http://buhjolk.at/files/aY5TFn.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T13:39:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d993-f430-46d3-8fa5-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:03.000Z",
"modified": "2016-04-27T15:24:03.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10",
"pattern": "[file:hashes.SHA1 = '39ad2102512f2d3b30e038354289b5b734d0d33f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d994-4600-4933-8dd4-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:04.000Z",
"modified": "2016-04-27T15:24:04.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10",
"pattern": "[file:hashes.MD5 = '4df0079da5e37378b15bacc9e0631c33']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:04.000Z",
"modified": "2016-04-27T15:24:04.000Z",
"first_observed": "2016-04-27T15:24:04Z",
"last_observed": "2016-04-27T15:24:04Z",
"number_observed": 1,
"object_refs": [
"url--5720d994-7ca4-455e-9f2e-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d994-7ca4-455e-9f2e-0fab02de0b81",
"value": "https://www.virustotal.com/file/9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10/analysis/1460046851/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:05.000Z",
"modified": "2016-04-27T15:24:05.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660",
"pattern": "[file:hashes.SHA1 = '626d2953e329debdd9ad3feda65341413094fed6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d995-8004-4dda-a959-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:05.000Z",
"modified": "2016-04-27T15:24:05.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660",
"pattern": "[file:hashes.MD5 = '829653e8f2a9453b440ca11975c9aaa0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d995-3140-46e7-b65a-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:05.000Z",
"modified": "2016-04-27T15:24:05.000Z",
"first_observed": "2016-04-27T15:24:05Z",
"last_observed": "2016-04-27T15:24:05Z",
"number_observed": 1,
"object_refs": [
"url--5720d995-3140-46e7-b65a-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d995-3140-46e7-b65a-0fab02de0b81",
"value": "https://www.virustotal.com/file/7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660/analysis/1459558891/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d996-dce4-4184-ad02-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:06.000Z",
"modified": "2016-04-27T15:24:06.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083",
"pattern": "[file:hashes.SHA256 = 'f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d996-99a0-4376-a595-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:06.000Z",
"modified": "2016-04-27T15:24:06.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083",
"pattern": "[file:hashes.SHA1 = 'e701ff37e06e63232c0c47ae5867e7b05536ee36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:07.000Z",
"modified": "2016-04-27T15:24:07.000Z",
"first_observed": "2016-04-27T15:24:07Z",
"last_observed": "2016-04-27T15:24:07Z",
"number_observed": 1,
"object_refs": [
"url--5720d997-a6e8-44a7-b706-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d997-a6e8-44a7-b706-0fab02de0b81",
"value": "https://www.virustotal.com/file/f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360/analysis/1461736669/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:07.000Z",
"modified": "2016-04-27T15:24:07.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc",
"pattern": "[file:hashes.SHA256 = 'a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d998-7e78-4485-91c8-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:08.000Z",
"modified": "2016-04-27T15:24:08.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc",
"pattern": "[file:hashes.SHA1 = 'b3a7f553c32a551786d873fa26047170f6f9c2e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:08.000Z",
"modified": "2016-04-27T15:24:08.000Z",
"first_observed": "2016-04-27T15:24:08Z",
"last_observed": "2016-04-27T15:24:08Z",
"number_observed": 1,
"object_refs": [
"url--5720d998-f688-4bcc-88e6-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d998-f688-4bcc-88e6-0fab02de0b81",
"value": "https://www.virustotal.com/file/a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae/analysis/1461571429/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:08.000Z",
"modified": "2016-04-27T15:24:08.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6",
"pattern": "[file:hashes.SHA256 = '5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:09.000Z",
"modified": "2016-04-27T15:24:09.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6",
"pattern": "[file:hashes.SHA1 = '21ac04e0d5acff88c83151a0e774001c0c06a744']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d999-1650-4442-aca5-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:09.000Z",
"modified": "2016-04-27T15:24:09.000Z",
"first_observed": "2016-04-27T15:24:09Z",
"last_observed": "2016-04-27T15:24:09Z",
"number_observed": 1,
"object_refs": [
"url--5720d999-1650-4442-aca5-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d999-1650-4442-aca5-0fab02de0b81",
"value": "https://www.virustotal.com/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/analysis/1460448282/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:10.000Z",
"modified": "2016-04-27T15:24:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1",
"pattern": "[file:hashes.SHA256 = 'e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5720d99b-5644-4574-9a56-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:11.000Z",
"modified": "2016-04-27T15:24:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1",
"pattern": "[file:hashes.SHA1 = 'b85a45350bc7c98bb9bae572cc861af51789ce69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-27T15:24:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-27T15:24:11.000Z",
"modified": "2016-04-27T15:24:11.000Z",
"first_observed": "2016-04-27T15:24:11Z",
"last_observed": "2016-04-27T15:24:11Z",
"number_observed": 1,
"object_refs": [
"url--5720d99b-82fc-49a4-9701-0fab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5720d99b-82fc-49a4-9701-0fab02de0b81",
"value": "https://www.virustotal.com/file/e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9/analysis/1461052381/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5721bda7-9dfc-4984-b012-4e32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:11.000Z",
"modified": "2016-04-28T07:37:11.000Z",
"pattern": "[domain-name:value = 'slater.chat.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T07:37:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5721bda6-8408-401a-96fe-40f3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:10.000Z",
"modified": "2016-04-28T07:37:10.000Z",
"pattern": "[domain-name:value = 'hundeschulegoerg.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T07:37:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5721bda5-90e4-460c-b362-4667950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:09.000Z",
"modified": "2016-04-28T07:37:09.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.130.7.22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T07:37:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5721bda6-4520-4e2d-9136-4bd3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:10.000Z",
"modified": "2016-04-28T07:37:10.000Z",
"pattern": "[domain-name:value = 'buhjolk.at']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T07:37:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5721bda7-d424-4f46-8138-4133950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T07:37:11.000Z",
"modified": "2016-04-28T07:37:11.000Z",
"pattern": "[domain-name:value = 'mrsweeter.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T07:37:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}