misp-circl-feed/feeds/circl/stix-2.1/5824e43f-9370-463b-9681-452b950d210f.json

{
    "type": "bundle",
    "id": "bundle--5824e43f-9370-463b-9681-452b950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:36.000Z",
            "modified": "2016-11-10T21:21:36.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5824e43f-9370-463b-9681-452b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:36.000Z",
            "modified": "2016-11-10T21:21:36.000Z",
            "name": "OSINT - Floki Bot and the stealthy dropper",
            "published": "2016-11-10T21:36:04Z",
            "object_refs": [
                "observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",
                "url--5824e452-b3a0-4edd-8102-45ff950d210f",
                "x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",
                "indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",
                "indicator--5824e4ad-3450-453f-8fa8-4506950d210f",
                "indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",
                "indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",
                "indicator--5824e4e1-e038-4976-b573-49df02de0b81",
                "observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",
                "url--5824e4e1-6e98-430a-aae0-46cb02de0b81",
                "indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",
                "indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",
                "observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
                "url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
                "indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",
                "indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",
                "observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",
                "url--5824e4e4-5228-4344-8a68-474a02de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "osint:source-type=\"blog-post\"",
                "circl:incident-classification=\"malware\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:19:14.000Z",
            "modified": "2016-11-10T21:19:14.000Z",
            "first_observed": "2016-11-10T21:19:14Z",
            "last_observed": "2016-11-10T21:19:14Z",
            "number_observed": 1,
            "object_refs": [
                "url--5824e452-b3a0-4edd-8102-45ff950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5824e452-b3a0-4edd-8102-45ff950d210f",
            "value": "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:19:44.000Z",
            "modified": "2016-11-10T21:19:44.000Z",
            "labels": [
                "misp:type=\"comment\"",
                "misp:category=\"External analysis\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "comment",
            "x_misp_value": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.\r\n\r\nAccording to the advertisements announced on the black market, this bot is capable of making very stealthy injections, evading many mechanisms of detection. We decided to take a look at what are the tricks behind it. It turned out, that although the injection method that the dropper uses is not novel by itself, but it comes with few interesting twists, that are not so commonly used in malware."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:20:44.000Z",
            "modified": "2016-11-10T21:20:44.000Z",
            "description": "dropper <- main focus of this analysis",
            "pattern": "[file:hashes.MD5 = '5649e7a200df2fb85ad1fb5a723bef22']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:20:44Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4ad-3450-453f-8fa8-4506950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:20:45.000Z",
            "modified": "2016-11-10T21:20:45.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 32bit",
            "pattern": "[file:hashes.MD5 = 'e54d28a24c976348c438f45281d68c54']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:20:45Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:20:45.000Z",
            "modified": "2016-11-10T21:20:45.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 64bit",
            "pattern": "[file:hashes.MD5 = 'd4c5384da41fd391d16eff60abc21405']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:20:45Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:36.000Z",
            "modified": "2016-11-10T21:21:36.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
            "pattern": "[file:hashes.SHA256 = '0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:36Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e1-e038-4976-b573-49df02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:37.000Z",
            "modified": "2016-11-10T21:21:37.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
            "pattern": "[file:hashes.SHA1 = '75f47640299fc2b33492c3640128d58ac2dc1463']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:37Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:37.000Z",
            "modified": "2016-11-10T21:21:37.000Z",
            "first_observed": "2016-11-10T21:21:37Z",
            "last_observed": "2016-11-10T21:21:37Z",
            "number_observed": 1,
            "object_refs": [
                "url--5824e4e1-6e98-430a-aae0-46cb02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5824e4e1-6e98-430a-aae0-46cb02de0b81",
            "value": "https://www.virustotal.com/file/0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63/analysis/1478618112/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:38.000Z",
            "modified": "2016-11-10T21:21:38.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
            "pattern": "[file:hashes.SHA256 = '5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:38Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:39.000Z",
            "modified": "2016-11-10T21:21:39.000Z",
            "description": "core module \u00e2\u20ac\u201c  bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
            "pattern": "[file:hashes.SHA1 = '3cd014e2ebdb8dd679deb70cd1005b0a2b8283e7']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:39Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:39.000Z",
            "modified": "2016-11-10T21:21:39.000Z",
            "first_observed": "2016-11-10T21:21:39Z",
            "last_observed": "2016-11-10T21:21:39Z",
            "number_observed": 1,
            "object_refs": [
                "url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
            "value": "https://www.virustotal.com/file/5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23/analysis/1478618090/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:40.000Z",
            "modified": "2016-11-10T21:21:40.000Z",
            "description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
            "pattern": "[file:hashes.SHA256 = '5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:40Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:40.000Z",
            "modified": "2016-11-10T21:21:40.000Z",
            "description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
            "pattern": "[file:hashes.SHA1 = 'b057d20122048001850afeca671fd31dbcdd1c76']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-10T21:21:40Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-10T21:21:40.000Z",
            "modified": "2016-11-10T21:21:40.000Z",
            "first_observed": "2016-11-10T21:21:40Z",
            "last_observed": "2016-11-10T21:21:40Z",
            "number_observed": 1,
            "object_refs": [
                "url--5824e4e4-5228-4344-8a68-474a02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5824e4e4-5228-4344-8a68-474a02de0b81",
            "value": "https://www.virustotal.com/file/5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e/analysis/1478549521/"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}
chg: [misp-stix] STIX 2.1 export added 2023-04-21 14:44:17 +00:00			`{`
			`"type": "bundle",`
			`"id": "bundle--5824e43f-9370-463b-9681-452b950d210f",`
			`"objects": [`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:36.000Z",`
			`"modified": "2016-11-10T21:21:36.000Z",`
			`"name": "CIRCL",`
			`"identity_class": "organization"`
			`},`
			`{`
			`"type": "report",`
			`"spec_version": "2.1",`
			`"id": "report--5824e43f-9370-463b-9681-452b950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:36.000Z",`
			`"modified": "2016-11-10T21:21:36.000Z",`
			`"name": "OSINT - Floki Bot and the stealthy dropper",`
			`"published": "2016-11-10T21:36:04Z",`
			`"object_refs": [`
			`"observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",`
			`"url--5824e452-b3a0-4edd-8102-45ff950d210f",`
			`"x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",`
			`"indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",`
			`"indicator--5824e4ad-3450-453f-8fa8-4506950d210f",`
			`"indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",`
			`"indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",`
			`"indicator--5824e4e1-e038-4976-b573-49df02de0b81",`
			`"observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",`
			`"url--5824e4e1-6e98-430a-aae0-46cb02de0b81",`
			`"indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",`
			`"indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",`
			`"observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",`
			`"url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",`
			`"indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",`
			`"indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",`
			`"observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",`
			`"url--5824e4e4-5228-4344-8a68-474a02de0b81"`
			`],`
			`"labels": [`
			`"Threat-Report",`
			`"misp:tool=\"MISP-STIX-Converter\"",`
			`"osint:source-type=\"blog-post\"",`
			`"circl:incident-classification=\"malware\""`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:19:14.000Z",`
			`"modified": "2016-11-10T21:19:14.000Z",`
			`"first_observed": "2016-11-10T21:19:14Z",`
			`"last_observed": "2016-11-10T21:19:14Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--5824e452-b3a0-4edd-8102-45ff950d210f"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--5824e452-b3a0-4edd-8102-45ff950d210f",`
			`"value": "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"`
			`},`
			`{`
			`"type": "x-misp-attribute",`
			`"spec_version": "2.1",`
			`"id": "x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:19:44.000Z",`
			`"modified": "2016-11-10T21:19:44.000Z",`
			`"labels": [`
			`"misp:type=\"comment\"",`
			`"misp:category=\"External analysis\""`
			`],`
			`"x_misp_category": "External analysis",`
			`"x_misp_type": "comment",`
			"x_misp_value": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.\r\n\r\nAccording to the advertisements announced on the black market, this bot is capable of making very stealthy injections, evading many mechanisms of detection. We decided to take a look at what are the tricks behind it. It turned out, that although the injection method that the dropper uses is not novel by itself, but it comes with few interesting twists, that are not so commonly used in malware."
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:20:44.000Z",`
			`"modified": "2016-11-10T21:20:44.000Z",`
			`"description": "dropper <- main focus of this analysis",`
			`"pattern": "[file:hashes.MD5 = '5649e7a200df2fb85ad1fb5a723bef22']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:20:44Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4ad-3450-453f-8fa8-4506950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:20:45.000Z",`
			`"modified": "2016-11-10T21:20:45.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 32bit",`
			`"pattern": "[file:hashes.MD5 = 'e54d28a24c976348c438f45281d68c54']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:20:45Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:20:45.000Z",`
			`"modified": "2016-11-10T21:20:45.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 64bit",`
			`"pattern": "[file:hashes.MD5 = 'd4c5384da41fd391d16eff60abc21405']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:20:45Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:36.000Z",`
			`"modified": "2016-11-10T21:21:36.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",`
			`"pattern": "[file:hashes.SHA256 = '0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:36Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e1-e038-4976-b573-49df02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:37.000Z",`
			`"modified": "2016-11-10T21:21:37.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",`
			`"pattern": "[file:hashes.SHA1 = '75f47640299fc2b33492c3640128d58ac2dc1463']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:37Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:37.000Z",`
			`"modified": "2016-11-10T21:21:37.000Z",`
			`"first_observed": "2016-11-10T21:21:37Z",`
			`"last_observed": "2016-11-10T21:21:37Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--5824e4e1-6e98-430a-aae0-46cb02de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--5824e4e1-6e98-430a-aae0-46cb02de0b81",`
			`"value": "https://www.virustotal.com/file/0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63/analysis/1478618112/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:38.000Z",`
			`"modified": "2016-11-10T21:21:38.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",`
			`"pattern": "[file:hashes.SHA256 = '5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:38Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:39.000Z",`
			`"modified": "2016-11-10T21:21:39.000Z",`
			`"description": "core module \u00e2\u20ac\u201c bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",`
			`"pattern": "[file:hashes.SHA1 = '3cd014e2ebdb8dd679deb70cd1005b0a2b8283e7']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:39Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:39.000Z",`
			`"modified": "2016-11-10T21:21:39.000Z",`
			`"first_observed": "2016-11-10T21:21:39Z",`
			`"last_observed": "2016-11-10T21:21:39Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",`
			`"value": "https://www.virustotal.com/file/5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23/analysis/1478618090/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:40.000Z",`
			`"modified": "2016-11-10T21:21:40.000Z",`
			`"description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",`
			`"pattern": "[file:hashes.SHA256 = '5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:40Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:40.000Z",`
			`"modified": "2016-11-10T21:21:40.000Z",`
			`"description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",`
			`"pattern": "[file:hashes.SHA1 = 'b057d20122048001850afeca671fd31dbcdd1c76']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-10T21:21:40Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-10T21:21:40.000Z",`
			`"modified": "2016-11-10T21:21:40.000Z",`
			`"first_observed": "2016-11-10T21:21:40Z",`
			`"last_observed": "2016-11-10T21:21:40Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--5824e4e4-5228-4344-8a68-474a02de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--5824e4e4-5228-4344-8a68-474a02de0b81",`
			`"value": "https://www.virustotal.com/file/5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e/analysis/1478549521/"`
			`},`
			`{`
			`"type": "marking-definition",`
			`"spec_version": "2.1",`
			`"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",`
			`"created": "2017-01-20T00:00:00.000Z",`
			`"definition_type": "tlp",`
			`"name": "TLP:WHITE",`
			`"definition": {`
			`"tlp": "white"`
			`}`
			`}`
			`]`
			`}`