misp-circl-feed/feeds/circl/stix-2.1/575d6784-4218-4756-84f8-49e0950d210f.json

{
    "type": "bundle",
    "id": "bundle--575d6784-4218-4756-84f8-49e0950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:07.000Z",
            "modified": "2016-06-12T13:54:07.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--575d6784-4218-4756-84f8-49e0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:07.000Z",
            "modified": "2016-06-12T13:54:07.000Z",
            "name": "OSINT -  Communications of the Bolek Trojan",
            "published": "2016-06-12T13:58:46Z",
            "object_refs": [
                "x-misp-attribute--575d67aa-fc44-4d26-9f32-4ff4950d210f",
                "observed-data--575d67b7-dc10-4016-bca5-48b0950d210f",
                "url--575d67b7-dc10-4016-bca5-48b0950d210f",
                "indicator--575d67fc-1ee8-4ff0-b7ca-4cb0950d210f",
                "indicator--575d682d-79f4-44b6-a83d-4b69950d210f",
                "indicator--575d682e-d210-4432-aa46-4c44950d210f",
                "indicator--575d682e-c8f0-4638-8049-4bf4950d210f",
                "indicator--575d6858-055c-4383-a7ab-4d74950d210f",
                "indicator--575d68a0-aac0-4130-91e7-4611950d210f",
                "indicator--575d68d0-9474-464d-ad4f-49ea950d210f",
                "indicator--575d697f-dd88-475d-9f9d-413f02de0b81",
                "indicator--575d6980-f344-428b-8cfd-405502de0b81",
                "observed-data--575d6980-3638-4e16-9fb9-4b5402de0b81",
                "url--575d6980-3638-4e16-9fb9-4b5402de0b81",
                "indicator--575d6981-af88-4ab2-900f-4ab702de0b81",
                "indicator--575d6981-3da0-415e-8c6e-4f9702de0b81",
                "observed-data--575d6982-a5bc-439d-843f-448202de0b81",
                "url--575d6982-a5bc-439d-843f-448202de0b81",
                "indicator--575d6982-a958-452f-a484-44a402de0b81",
                "indicator--575d6982-c768-41c1-99a9-41c302de0b81",
                "observed-data--575d6983-1c8c-44c2-ad87-476d02de0b81",
                "url--575d6983-1c8c-44c2-ad87-476d02de0b81",
                "indicator--575d6983-b4e0-439c-ba07-4bca02de0b81",
                "indicator--575d6984-f800-4594-b574-480402de0b81",
                "observed-data--575d6984-a494-4181-8019-40e802de0b81",
                "url--575d6984-a494-4181-8019-40e802de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "type:OSINT",
                "circl:incident-classification=\"malware\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--575d67aa-fc44-4d26-9f32-4ff4950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:46:18.000Z",
            "modified": "2016-06-12T13:46:18.000Z",
            "labels": [
                "misp:type=\"comment\"",
                "misp:category=\"External analysis\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "comment",
            "x_misp_value": "A few weeks ago CERT Polska released a short blog post introducing a new malware family now known as Bolek. PhishMe and Dr.Web have since added some additional insight into the family. Browsing through a memory dump of the malware, a Webinjects section sticks out. Webinjects usually imply banking malware, so it seems Bolek picks up where its predecessor, Carberp, leaves off. This post takes a closer look at its command and control (C2) mechanism and what it takes to elicit a configuration file from its C2 servers."
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--575d67b7-dc10-4016-bca5-48b0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:46:31.000Z",
            "modified": "2016-06-12T13:46:31.000Z",
            "first_observed": "2016-06-12T13:46:31Z",
            "last_observed": "2016-06-12T13:46:31Z",
            "number_observed": 1,
            "object_refs": [
                "url--575d67b7-dc10-4016-bca5-48b0950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--575d67b7-dc10-4016-bca5-48b0950d210f",
            "value": "https://www.arbornetworks.com/blog/asert/communications-bolek-trojan/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d67fc-1ee8-4ff0-b7ca-4cb0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:47:40.000Z",
            "modified": "2016-06-12T13:47:40.000Z",
            "description": "The sample used for reverse engineering",
            "pattern": "[file:hashes.SHA256 = '62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:47:40Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d682d-79f4-44b6-a83d-4b69950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:48:29.000Z",
            "modified": "2016-06-12T13:48:29.000Z",
            "description": "Imported via the Freetext Import Tool",
            "pattern": "[domain-name:value = 'mensabuxus.net']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:48:29Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d682e-d210-4432-aa46-4c44950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:48:30.000Z",
            "modified": "2016-06-12T13:48:30.000Z",
            "description": "Imported via the Freetext Import Tool",
            "pattern": "[domain-name:value = 'ogrthuvwfdcfri5euwg.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:48:30Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d682e-c8f0-4638-8049-4bf4950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:48:30.000Z",
            "modified": "2016-06-12T13:48:30.000Z",
            "description": "Imported via the Freetext Import Tool",
            "pattern": "[domain-name:value = 'ogrthuvfewfdcfri5euwg.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:48:30Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6858-055c-4383-a7ab-4d74950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:49:12.000Z",
            "modified": "2016-06-12T13:49:12.000Z",
            "description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used.",
            "pattern": "[file:hashes.SHA256 = 'cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:49:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d68a0-aac0-4130-91e7-4611950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:50:24.000Z",
            "modified": "2016-06-12T13:50:24.000Z",
            "description": "278028 bytes of binary data. Contains a PE file starting at offset 524.",
            "pattern": "[file:hashes.SHA256 = 'a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:50:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d68d0-9474-464d-ad4f-49ea950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:51:12.000Z",
            "modified": "2016-06-12T13:51:12.000Z",
            "description": "323084 bytes of binary data. Contains a PE file starting at offset 524.",
            "pattern": "[file:hashes.SHA256 = '000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:51:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d697f-dd88-475d-9f9d-413f02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:07.000Z",
            "modified": "2016-06-12T13:54:07.000Z",
            "description": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",
            "pattern": "[file:hashes.SHA1 = 'd85668e9ba963bb476f7b919d22bbf24bf993835']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6980-f344-428b-8cfd-405502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:08.000Z",
            "modified": "2016-06-12T13:54:08.000Z",
            "description": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",
            "pattern": "[file:hashes.MD5 = 'a3de5ad2f5de15f66ca32ac23869fe24']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--575d6980-3638-4e16-9fb9-4b5402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:08.000Z",
            "modified": "2016-06-12T13:54:08.000Z",
            "first_observed": "2016-06-12T13:54:08Z",
            "last_observed": "2016-06-12T13:54:08Z",
            "number_observed": 1,
            "object_refs": [
                "url--575d6980-3638-4e16-9fb9-4b5402de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--575d6980-3638-4e16-9fb9-4b5402de0b81",
            "value": "https://www.virustotal.com/file/000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12/analysis/1465310991/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6981-af88-4ab2-900f-4ab702de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:09.000Z",
            "modified": "2016-06-12T13:54:09.000Z",
            "description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",
            "pattern": "[file:hashes.SHA1 = 'a8d843c3ddb881e69a4c9986c37a0ce582639da6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6981-3da0-415e-8c6e-4f9702de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:09.000Z",
            "modified": "2016-06-12T13:54:09.000Z",
            "description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",
            "pattern": "[file:hashes.MD5 = '6f24daf8ef6245563afdd095e27408b5']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--575d6982-a5bc-439d-843f-448202de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:10.000Z",
            "modified": "2016-06-12T13:54:10.000Z",
            "first_observed": "2016-06-12T13:54:10Z",
            "last_observed": "2016-06-12T13:54:10Z",
            "number_observed": 1,
            "object_refs": [
                "url--575d6982-a5bc-439d-843f-448202de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--575d6982-a5bc-439d-843f-448202de0b81",
            "value": "https://www.virustotal.com/file/cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875/analysis/1465655808/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6982-a958-452f-a484-44a402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:10.000Z",
            "modified": "2016-06-12T13:54:10.000Z",
            "description": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",
            "pattern": "[file:hashes.SHA1 = '145c9b79efd10718118ce5c58cf0af2618c9e39c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6982-c768-41c1-99a9-41c302de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:10.000Z",
            "modified": "2016-06-12T13:54:10.000Z",
            "description": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",
            "pattern": "[file:hashes.MD5 = '3b10ebf43e537f93c4c7ed0c11a2b7db']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--575d6983-1c8c-44c2-ad87-476d02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:11.000Z",
            "modified": "2016-06-12T13:54:11.000Z",
            "first_observed": "2016-06-12T13:54:11Z",
            "last_observed": "2016-06-12T13:54:11Z",
            "number_observed": 1,
            "object_refs": [
                "url--575d6983-1c8c-44c2-ad87-476d02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--575d6983-1c8c-44c2-ad87-476d02de0b81",
            "value": "https://www.virustotal.com/file/a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885/analysis/1465310749/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6983-b4e0-439c-ba07-4bca02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:11.000Z",
            "modified": "2016-06-12T13:54:11.000Z",
            "description": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
            "pattern": "[file:hashes.SHA1 = 'ea127bb4e0c58902524e11740e15acd46ea71494']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--575d6984-f800-4594-b574-480402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:12.000Z",
            "modified": "2016-06-12T13:54:12.000Z",
            "description": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
            "pattern": "[file:hashes.MD5 = 'e89ff40a8832cd27d2aae48ff7cd67d2']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-06-12T13:54:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--575d6984-a494-4181-8019-40e802de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-06-12T13:54:12.000Z",
            "modified": "2016-06-12T13:54:12.000Z",
            "first_observed": "2016-06-12T13:54:12Z",
            "last_observed": "2016-06-12T13:54:12Z",
            "number_observed": 1,
            "object_refs": [
                "url--575d6984-a494-4181-8019-40e802de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--575d6984-a494-4181-8019-40e802de0b81",
            "value": "https://www.virustotal.com/file/62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9/analysis/1465505769/"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}
chg: [misp-stix] STIX 2.1 export added 2023-04-21 14:44:17 +00:00			`{`
			`"type": "bundle",`
			`"id": "bundle--575d6784-4218-4756-84f8-49e0950d210f",`
			`"objects": [`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:07.000Z",`
			`"modified": "2016-06-12T13:54:07.000Z",`
			`"name": "CIRCL",`
			`"identity_class": "organization"`
			`},`
			`{`
			`"type": "report",`
			`"spec_version": "2.1",`
			`"id": "report--575d6784-4218-4756-84f8-49e0950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:07.000Z",`
			`"modified": "2016-06-12T13:54:07.000Z",`
			`"name": "OSINT - Communications of the Bolek Trojan",`
			`"published": "2016-06-12T13:58:46Z",`
			`"object_refs": [`
			`"x-misp-attribute--575d67aa-fc44-4d26-9f32-4ff4950d210f",`
			`"observed-data--575d67b7-dc10-4016-bca5-48b0950d210f",`
			`"url--575d67b7-dc10-4016-bca5-48b0950d210f",`
			`"indicator--575d67fc-1ee8-4ff0-b7ca-4cb0950d210f",`
			`"indicator--575d682d-79f4-44b6-a83d-4b69950d210f",`
			`"indicator--575d682e-d210-4432-aa46-4c44950d210f",`
			`"indicator--575d682e-c8f0-4638-8049-4bf4950d210f",`
			`"indicator--575d6858-055c-4383-a7ab-4d74950d210f",`
			`"indicator--575d68a0-aac0-4130-91e7-4611950d210f",`
			`"indicator--575d68d0-9474-464d-ad4f-49ea950d210f",`
			`"indicator--575d697f-dd88-475d-9f9d-413f02de0b81",`
			`"indicator--575d6980-f344-428b-8cfd-405502de0b81",`
			`"observed-data--575d6980-3638-4e16-9fb9-4b5402de0b81",`
			`"url--575d6980-3638-4e16-9fb9-4b5402de0b81",`
			`"indicator--575d6981-af88-4ab2-900f-4ab702de0b81",`
			`"indicator--575d6981-3da0-415e-8c6e-4f9702de0b81",`
			`"observed-data--575d6982-a5bc-439d-843f-448202de0b81",`
			`"url--575d6982-a5bc-439d-843f-448202de0b81",`
			`"indicator--575d6982-a958-452f-a484-44a402de0b81",`
			`"indicator--575d6982-c768-41c1-99a9-41c302de0b81",`
			`"observed-data--575d6983-1c8c-44c2-ad87-476d02de0b81",`
			`"url--575d6983-1c8c-44c2-ad87-476d02de0b81",`
			`"indicator--575d6983-b4e0-439c-ba07-4bca02de0b81",`
			`"indicator--575d6984-f800-4594-b574-480402de0b81",`
			`"observed-data--575d6984-a494-4181-8019-40e802de0b81",`
			`"url--575d6984-a494-4181-8019-40e802de0b81"`
			`],`
			`"labels": [`
			`"Threat-Report",`
			`"misp:tool=\"MISP-STIX-Converter\"",`
			`"type:OSINT",`
			`"circl:incident-classification=\"malware\""`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"`
			`]`
			`},`
			`{`
			`"type": "x-misp-attribute",`
			`"spec_version": "2.1",`
			`"id": "x-misp-attribute--575d67aa-fc44-4d26-9f32-4ff4950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:46:18.000Z",`
			`"modified": "2016-06-12T13:46:18.000Z",`
			`"labels": [`
			`"misp:type=\"comment\"",`
			`"misp:category=\"External analysis\""`
			`],`
			`"x_misp_category": "External analysis",`
			`"x_misp_type": "comment",`
			"x_misp_value": "A few weeks ago CERT Polska released a short blog post introducing a new malware family now known as Bolek. PhishMe and Dr.Web have since added some additional insight into the family. Browsing through a memory dump of the malware, a Webinjects section sticks out. Webinjects usually imply banking malware, so it seems Bolek picks up where its predecessor, Carberp, leaves off. This post takes a closer look at its command and control (C2) mechanism and what it takes to elicit a configuration file from its C2 servers."
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--575d67b7-dc10-4016-bca5-48b0950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:46:31.000Z",`
			`"modified": "2016-06-12T13:46:31.000Z",`
			`"first_observed": "2016-06-12T13:46:31Z",`
			`"last_observed": "2016-06-12T13:46:31Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--575d67b7-dc10-4016-bca5-48b0950d210f"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--575d67b7-dc10-4016-bca5-48b0950d210f",`
			`"value": "https://www.arbornetworks.com/blog/asert/communications-bolek-trojan/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d67fc-1ee8-4ff0-b7ca-4cb0950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:47:40.000Z",`
			`"modified": "2016-06-12T13:47:40.000Z",`
			`"description": "The sample used for reverse engineering",`
			`"pattern": "[file:hashes.SHA256 = '62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:47:40Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d682d-79f4-44b6-a83d-4b69950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:48:29.000Z",`
			`"modified": "2016-06-12T13:48:29.000Z",`
			`"description": "Imported via the Freetext Import Tool",`
			`"pattern": "[domain-name:value = 'mensabuxus.net']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:48:29Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"domain\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d682e-d210-4432-aa46-4c44950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:48:30.000Z",`
			`"modified": "2016-06-12T13:48:30.000Z",`
			`"description": "Imported via the Freetext Import Tool",`
			`"pattern": "[domain-name:value = 'ogrthuvwfdcfri5euwg.com']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:48:30Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"domain\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d682e-c8f0-4638-8049-4bf4950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:48:30.000Z",`
			`"modified": "2016-06-12T13:48:30.000Z",`
			`"description": "Imported via the Freetext Import Tool",`
			`"pattern": "[domain-name:value = 'ogrthuvfewfdcfri5euwg.com']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:48:30Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"domain\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6858-055c-4383-a7ab-4d74950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:49:12.000Z",`
			`"modified": "2016-06-12T13:49:12.000Z",`
			`"description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used.",`
			`"pattern": "[file:hashes.SHA256 = 'cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:49:12Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d68a0-aac0-4130-91e7-4611950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:50:24.000Z",`
			`"modified": "2016-06-12T13:50:24.000Z",`
			`"description": "278028 bytes of binary data. Contains a PE file starting at offset 524.",`
			`"pattern": "[file:hashes.SHA256 = 'a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:50:24Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d68d0-9474-464d-ad4f-49ea950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:51:12.000Z",`
			`"modified": "2016-06-12T13:51:12.000Z",`
			`"description": "323084 bytes of binary data. Contains a PE file starting at offset 524.",`
			`"pattern": "[file:hashes.SHA256 = '000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:51:12Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d697f-dd88-475d-9f9d-413f02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:07.000Z",`
			`"modified": "2016-06-12T13:54:07.000Z",`
			`"description": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",`
			`"pattern": "[file:hashes.SHA1 = 'd85668e9ba963bb476f7b919d22bbf24bf993835']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:07Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6980-f344-428b-8cfd-405502de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:08.000Z",`
			`"modified": "2016-06-12T13:54:08.000Z",`
			`"description": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",`
			`"pattern": "[file:hashes.MD5 = 'a3de5ad2f5de15f66ca32ac23869fe24']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:08Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--575d6980-3638-4e16-9fb9-4b5402de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:08.000Z",`
			`"modified": "2016-06-12T13:54:08.000Z",`
			`"first_observed": "2016-06-12T13:54:08Z",`
			`"last_observed": "2016-06-12T13:54:08Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--575d6980-3638-4e16-9fb9-4b5402de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--575d6980-3638-4e16-9fb9-4b5402de0b81",`
			`"value": "https://www.virustotal.com/file/000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12/analysis/1465310991/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6981-af88-4ab2-900f-4ab702de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:09.000Z",`
			`"modified": "2016-06-12T13:54:09.000Z",`
			`"description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",`
			`"pattern": "[file:hashes.SHA1 = 'a8d843c3ddb881e69a4c9986c37a0ce582639da6']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:09Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6981-3da0-415e-8c6e-4f9702de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:09.000Z",`
			`"modified": "2016-06-12T13:54:09.000Z",`
			`"description": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",`
			`"pattern": "[file:hashes.MD5 = '6f24daf8ef6245563afdd095e27408b5']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:09Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--575d6982-a5bc-439d-843f-448202de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:10.000Z",`
			`"modified": "2016-06-12T13:54:10.000Z",`
			`"first_observed": "2016-06-12T13:54:10Z",`
			`"last_observed": "2016-06-12T13:54:10Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--575d6982-a5bc-439d-843f-448202de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--575d6982-a5bc-439d-843f-448202de0b81",`
			`"value": "https://www.virustotal.com/file/cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875/analysis/1465655808/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6982-a958-452f-a484-44a402de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:10.000Z",`
			`"modified": "2016-06-12T13:54:10.000Z",`
			`"description": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",`
			`"pattern": "[file:hashes.SHA1 = '145c9b79efd10718118ce5c58cf0af2618c9e39c']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:10Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6982-c768-41c1-99a9-41c302de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:10.000Z",`
			`"modified": "2016-06-12T13:54:10.000Z",`
			`"description": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",`
			`"pattern": "[file:hashes.MD5 = '3b10ebf43e537f93c4c7ed0c11a2b7db']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:10Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--575d6983-1c8c-44c2-ad87-476d02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:11.000Z",`
			`"modified": "2016-06-12T13:54:11.000Z",`
			`"first_observed": "2016-06-12T13:54:11Z",`
			`"last_observed": "2016-06-12T13:54:11Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--575d6983-1c8c-44c2-ad87-476d02de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--575d6983-1c8c-44c2-ad87-476d02de0b81",`
			`"value": "https://www.virustotal.com/file/a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885/analysis/1465310749/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6983-b4e0-439c-ba07-4bca02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:11.000Z",`
			`"modified": "2016-06-12T13:54:11.000Z",`
			`"description": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",`
			`"pattern": "[file:hashes.SHA1 = 'ea127bb4e0c58902524e11740e15acd46ea71494']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:11Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--575d6984-f800-4594-b574-480402de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:12.000Z",`
			`"modified": "2016-06-12T13:54:12.000Z",`
			`"description": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",`
			`"pattern": "[file:hashes.MD5 = 'e89ff40a8832cd27d2aae48ff7cd67d2']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-06-12T13:54:12Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--575d6984-a494-4181-8019-40e802de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-06-12T13:54:12.000Z",`
			`"modified": "2016-06-12T13:54:12.000Z",`
			`"first_observed": "2016-06-12T13:54:12Z",`
			`"last_observed": "2016-06-12T13:54:12Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--575d6984-a494-4181-8019-40e802de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--575d6984-a494-4181-8019-40e802de0b81",`
			`"value": "https://www.virustotal.com/file/62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9/analysis/1465505769/"`
			`},`
			`{`
			`"type": "marking-definition",`
			`"spec_version": "2.1",`
			`"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",`
			`"created": "2017-01-20T00:00:00.000Z",`
			`"definition_type": "tlp",`
			`"name": "TLP:WHITE",`
			`"definition": {`
			`"tlp": "white"`
			`}`
			`}`
			`]`
			`}`