{
"type": "bundle",
"id": "bundle--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "OSINT - Cracking Orcus RAT",
"published": "2016-08-10T09:50:13Z",
"object_refs": [
"observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"url--57aaef08-62dc-4948-ac44-473b950d210f",
"x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"url--57aaf05f-b420-419c-bcc6-477d950d210f",
"indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"indicator--57aaf0e7-6fec-409e-9459-46ee950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"ms-caro-malware:malware-type=\"RemoteAccess\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:08:23.000Z",
"modified": "2016-08-10T09:08:23.000Z",
"first_observed": "2016-08-10T09:08:23Z",
"last_observed": "2016-08-10T09:08:23Z",
"number_observed": 1,
"object_refs": [
"url--57aaef08-62dc-4948-ac44-473b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaef08-62dc-4948-ac44-473b950d210f",
"value": "http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:15.000Z",
"modified": "2016-08-10T09:09:15.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "At first I thought I could be dealing with someone trying to \u2018phish\u2019 me, but the offer was legit. Challenge accepted. The zip file I got is for version 1.4.2 (which is the latest version available at the \u2018Orcus RAT\u2019 website, at the time of this writing). The zip file is massive. Here\u2019s the whole contents of the zip file."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:51.000Z",
"modified": "2016-08-10T09:09:51.000Z",
"description": "Orcus.Administration.exe",
"pattern": "[file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:09:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.MD5 = 'd2140d8c9eb3889dee164f09014380d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"first_observed": "2016-08-10T09:12:54Z",
"last_observed": "2016-08-10T09:12:54Z",
"number_observed": 1,
"object_refs": [
"url--57aaf016-ade0-4582-afcc-4d4602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"value": "https://www.virustotal.com/file/4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea/analysis/1467970246/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:14:07.000Z",
"modified": "2016-08-10T09:14:07.000Z",
"first_observed": "2016-08-10T09:14:07Z",
"last_observed": "2016-08-10T09:14:07Z",
"number_observed": 1,
"object_refs": [
"url--57aaf05f-b420-419c-bcc6-477d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf05f-b420-419c-bcc6-477d950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:22.000Z",
"modified": "2016-08-10T09:16:22.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e7-6fec-409e-9459-46ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:23.000Z",
"modified": "2016-08-10T09:16:23.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
}
]
}