misp-circl-feed/feeds/circl/stix-2.1/572f0929-9b8c-42de-adc6-450202de0b81.json

{
"type": "bundle",
"id": "bundle--572f0929-9b8c-42de-adc6-450202de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T12:11:34.000Z",
"modified": "2016-05-08T12:11:34.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--572f0929-9b8c-42de-adc6-450202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T12:11:34.000Z",
"modified": "2016-05-08T12:11:34.000Z",
"name": "OSINT - New Infostealer Trojan uses Fiddler Proxy & Json.NET",
"published": "2016-05-08T14:30:36Z",
"object_refs": [
"observed-data--572f0959-382c-40fd-a1ef-417802de0b81",
"url--572f0959-382c-40fd-a1ef-417802de0b81",
"x-misp-attribute--572f096a-b6e4-4a00-a516-4b5202de0b81",
"indicator--572f0994-2888-4cb2-bef4-4cdc02de0b81",
"indicator--572f0994-1398-43d7-a3c7-40f302de0b81",
"indicator--572f0994-b168-4cec-ae39-44a802de0b81",
"indicator--572f0995-4b48-4a6a-b4e5-488a02de0b81",
"indicator--572f0995-32bc-4e5f-9a94-4dd502de0b81",
"indicator--572f0995-0434-4e12-bb42-497502de0b81",
"indicator--572f09a5-abf4-4a2c-8adf-4a2802de0b81",
"indicator--572f09a5-19cc-4ae4-8937-41d802de0b81",
"observed-data--572f09a6-a9f0-4f63-b764-40b102de0b81",
"url--572f09a6-a9f0-4f63-b764-40b102de0b81",
"indicator--572f09a6-d610-4e53-8d4b-48cb02de0b81",
"indicator--572f09a6-87ec-4208-938d-40ce02de0b81",
"observed-data--572f09a7-d788-4203-882c-423f02de0b81",
"url--572f09a7-d788-4203-882c-423f02de0b81",
"indicator--572f09a7-9a88-42fe-b27d-41ca02de0b81",
"indicator--572f09a7-4cec-4efe-a023-4dc702de0b81",
"observed-data--572f09a8-0d5c-4d48-ad67-469602de0b81",
"url--572f09a8-0d5c-4d48-ad67-469602de0b81",
"indicator--572f09a8-51cc-43de-ab98-4ffa02de0b81",
"indicator--572f09a8-1ed0-48e0-b1ac-42e202de0b81",
"observed-data--572f09a9-ec50-477e-81f2-4fd302de0b81",
"url--572f09a9-ec50-477e-81f2-4fd302de0b81",
"indicator--572f09a9-b624-4ab2-9562-4df802de0b81",
"indicator--572f09a9-0000-4636-8c8a-4ff802de0b81",
"observed-data--572f09aa-7b58-46ee-87ef-411b02de0b81",
"url--572f09aa-7b58-46ee-87ef-411b02de0b81",
"indicator--572f09aa-40a0-4602-9f82-4fac02de0b81",
"indicator--572f09aa-a274-4fec-9a5c-4e8f02de0b81",
"observed-data--572f09ab-ff50-46d6-b513-447002de0b81",
"url--572f09ab-ff50-46d6-b513-447002de0b81",
"indicator--572f09ca-4264-41c4-8427-448a02de0b81",
"indicator--572f09cb-5de8-455e-8cae-4a6f02de0b81",
"indicator--572f09cb-d388-4330-9fef-49ae02de0b81",
"indicator--572f09cb-4d0c-43b9-81b0-444902de0b81",
"indicator--572f09cc-f888-45d5-804d-492302de0b81",
"x-misp-attribute--572f09eb-6ed0-4642-a2bb-4bb102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f0959-382c-40fd-a1ef-417802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:39:37.000Z",
"modified": "2016-05-08T09:39:37.000Z",
"first_observed": "2016-05-08T09:39:37Z",
"last_observed": "2016-05-08T09:39:37Z",
"number_observed": 1,
"object_refs": [
"url--572f0959-382c-40fd-a1ef-417802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f0959-382c-40fd-a1ef-417802de0b81",
"value": "https://www.zscaler.com/blogs/research/new-infostealer-trojan-uses-fiddler-proxy-jsonnet"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--572f096a-b6e4-4a00-a516-4b5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:39:54.000Z",
"modified": "2016-05-08T09:39:54.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Zscaler ThreatLabZ came across a new Infostealer Trojan written in .NET that utilizes popular tools like Fiddler & Json.NET for its operation. In April, the new Infostealer family of Spanish origin was first noted targeting users in the U.S. and Mexico.\r\n\r\nThe malware authors are currently targeting users of Mexico's second largest bank, Banamex, but it is capable of updating the configuration file to include more financial institutions."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0994-2888-4cb2-bef4-4cdc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:36.000Z",
"modified": "2016-05-08T09:40:36.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = '123f4c1d2d3d691c2427aca42289fe85']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0994-1398-43d7-a3c7-40f302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:36.000Z",
"modified": "2016-05-08T09:40:36.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = '070ab6aa63e658ff8a56ea05426a71b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0994-b168-4cec-ae39-44a802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:36.000Z",
"modified": "2016-05-08T09:40:36.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = 'ac6027d316070dc6d2fd3b273162f2ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0995-4b48-4a6a-b4e5-488a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:37.000Z",
"modified": "2016-05-08T09:40:37.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = '98bbc1917613c4a73b1fe35e3ba9a8d9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0995-32bc-4e5f-9a94-4dd502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:37.000Z",
"modified": "2016-05-08T09:40:37.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = '06f3da0adf8a18679d51c6adaa100bd4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f0995-0434-4e12-bb42-497502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:37.000Z",
"modified": "2016-05-08T09:40:37.000Z",
"description": "Infostealer installer payload",
"pattern": "[file:hashes.MD5 = '8c9896440fb0c8f2d36aff0382c9c2e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a5-abf4-4a2c-8adf-4a2802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:53.000Z",
"modified": "2016-05-08T09:40:53.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4",
"pattern": "[file:hashes.SHA256 = 'fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a5-19cc-4ae4-8937-41d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:53.000Z",
"modified": "2016-05-08T09:40:53.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4",
"pattern": "[file:hashes.SHA1 = '5fdf01ca8ae47bdd65a2423e0ac7bfb9d80ef73e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09a6-a9f0-4f63-b764-40b102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:54.000Z",
"modified": "2016-05-08T09:40:54.000Z",
"first_observed": "2016-05-08T09:40:54Z",
"last_observed": "2016-05-08T09:40:54Z",
"number_observed": 1,
"object_refs": [
"url--572f09a6-a9f0-4f63-b764-40b102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09a6-a9f0-4f63-b764-40b102de0b81",
"value": "https://www.virustotal.com/file/fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401/analysis/1462520987/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a6-d610-4e53-8d4b-48cb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:54.000Z",
"modified": "2016-05-08T09:40:54.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4",
"pattern": "[file:hashes.SHA256 = '66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a6-87ec-4208-938d-40ce02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:54.000Z",
"modified": "2016-05-08T09:40:54.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4",
"pattern": "[file:hashes.SHA1 = '8182d4eb88e9958039438c72e9b872d21e8af1d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09a7-d788-4203-882c-423f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:55.000Z",
"modified": "2016-05-08T09:40:55.000Z",
"first_observed": "2016-05-08T09:40:55Z",
"last_observed": "2016-05-08T09:40:55Z",
"number_observed": 1,
"object_refs": [
"url--572f09a7-d788-4203-882c-423f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09a7-d788-4203-882c-423f02de0b81",
"value": "https://www.virustotal.com/file/66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf/analysis/1462538557/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a7-9a88-42fe-b27d-41ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:55.000Z",
"modified": "2016-05-08T09:40:55.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9",
"pattern": "[file:hashes.SHA256 = '9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a7-4cec-4efe-a023-4dc702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:55.000Z",
"modified": "2016-05-08T09:40:55.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9",
"pattern": "[file:hashes.SHA1 = '42bfe35afbcea775d5bdbc8bfeb25e928f76d4b7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09a8-0d5c-4d48-ad67-469602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:56.000Z",
"modified": "2016-05-08T09:40:56.000Z",
"first_observed": "2016-05-08T09:40:56Z",
"last_observed": "2016-05-08T09:40:56Z",
"number_observed": 1,
"object_refs": [
"url--572f09a8-0d5c-4d48-ad67-469602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09a8-0d5c-4d48-ad67-469602de0b81",
"value": "https://www.virustotal.com/file/9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43/analysis/1462525662/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a8-51cc-43de-ab98-4ffa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:56.000Z",
"modified": "2016-05-08T09:40:56.000Z",
"description": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee",
"pattern": "[file:hashes.SHA256 = '87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a8-1ed0-48e0-b1ac-42e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:56.000Z",
"modified": "2016-05-08T09:40:56.000Z",
"description": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee",
"pattern": "[file:hashes.SHA1 = '1733cac501b28a6498a69d3f8fc24e0cc58b7cbb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09a9-ec50-477e-81f2-4fd302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:57.000Z",
"modified": "2016-05-08T09:40:57.000Z",
"first_observed": "2016-05-08T09:40:57Z",
"last_observed": "2016-05-08T09:40:57Z",
"number_observed": 1,
"object_refs": [
"url--572f09a9-ec50-477e-81f2-4fd302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09a9-ec50-477e-81f2-4fd302de0b81",
"value": "https://www.virustotal.com/file/87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6/analysis/1462004459/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a9-b624-4ab2-9562-4df802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:57.000Z",
"modified": "2016-05-08T09:40:57.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4",
"pattern": "[file:hashes.SHA256 = 'be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09a9-0000-4636-8c8a-4ff802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:57.000Z",
"modified": "2016-05-08T09:40:57.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4",
"pattern": "[file:hashes.SHA1 = '8e5029121123c46bd673119e9dfe93f40d6f3b32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09aa-7b58-46ee-87ef-411b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:58.000Z",
"modified": "2016-05-08T09:40:58.000Z",
"first_observed": "2016-05-08T09:40:58Z",
"last_observed": "2016-05-08T09:40:58Z",
"number_observed": 1,
"object_refs": [
"url--572f09aa-7b58-46ee-87ef-411b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09aa-7b58-46ee-87ef-411b02de0b81",
"value": "https://www.virustotal.com/file/be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241/analysis/1462552657/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09aa-40a0-4602-9f82-4fac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:58.000Z",
"modified": "2016-05-08T09:40:58.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85",
"pattern": "[file:hashes.SHA256 = 'ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09aa-a274-4fec-9a5c-4e8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:58.000Z",
"modified": "2016-05-08T09:40:58.000Z",
"description": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85",
"pattern": "[file:hashes.SHA1 = 'ad56435e072b8c9da6cf8c0ed9ccedec9dd0bbb3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:40:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572f09ab-ff50-46d6-b513-447002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:40:59.000Z",
"modified": "2016-05-08T09:40:59.000Z",
"first_observed": "2016-05-08T09:40:59Z",
"last_observed": "2016-05-08T09:40:59Z",
"number_observed": 1,
"object_refs": [
"url--572f09ab-ff50-46d6-b513-447002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572f09ab-ff50-46d6-b513-447002de0b81",
"value": "https://www.virustotal.com/file/ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3/analysis/1462552657/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09ca-4264-41c4-8427-448a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:41:30.000Z",
"modified": "2016-05-08T09:41:30.000Z",
"description": "Sample URLs that we have seen serving installer payloads in last two weeks",
"pattern": "[url:value = 'cigm.co/js/slick/curp.pdf.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:41:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09cb-5de8-455e-8cae-4a6f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:41:31.000Z",
"modified": "2016-05-08T09:41:31.000Z",
"description": "Sample URLs that we have seen serving installer payloads in last two weeks",
"pattern": "[url:value = 'saysa.com.co/js/rfc.pdf.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:41:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09cb-d388-4330-9fef-49ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:41:31.000Z",
"modified": "2016-05-08T09:41:31.000Z",
"description": "Sample URLs that we have seen serving installer payloads in last two weeks",
"pattern": "[url:value = 'saysa.com.co/js/curp.pdf.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:41:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09cb-4d0c-43b9-81b0-444902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:41:31.000Z",
"modified": "2016-05-08T09:41:31.000Z",
"description": "Sample URLs that we have seen serving installer payloads in last two weeks",
"pattern": "[url:value = 'bestdentalimplants.co.in/js/curp.pdf.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:41:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572f09cc-f888-45d5-804d-492302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:41:32.000Z",
"modified": "2016-05-08T09:41:32.000Z",
"description": "Sample URLs that we have seen serving installer payloads in last two weeks",
"pattern": "[url:value = 'denticenter.com.co/js/slick/curp.pdf.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T09:41:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--572f09eb-6ed0-4642-a2bb-4bb102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T09:42:03.000Z",
"modified": "2016-05-08T09:42:03.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Banamex"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}