misp-circl-feed/feeds/circl/stix-2.1/5880bb50-2330-42a3-a253-4c08950d210f.json

831 lines
35 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5880bb50-2330-42a3-a253-4c08950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:38:11.000Z",
"modified": "2017-01-19T13:38:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5880bb50-2330-42a3-a253-4c08950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:38:11.000Z",
"modified": "2017-01-19T13:38:11.000Z",
"name": "OSINT - FINDING THE RAT\u00e2\u20ac\u2122S NEST",
"published": "2017-01-19T13:38:32Z",
"object_refs": [
"observed-data--5880bb6a-6a00-411b-9395-1d0e950d210f",
"url--5880bb6a-6a00-411b-9395-1d0e950d210f",
"x-misp-attribute--5880bb83-31b4-4906-a648-4447950d210f",
"indicator--5880be6d-4ce0-4a6c-af3c-4fc3950d210f",
"observed-data--5880be8e-ab60-4d26-80cd-4828950d210f",
"domain-name--5880be8e-ab60-4d26-80cd-4828950d210f",
"observed-data--5880be8e-8278-46e7-925b-47b2950d210f",
"network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
"ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
"indicator--5880beae-2e70-43f9-be6b-48ad950d210f",
"indicator--5880befd-2c2c-4308-8871-47e3950d210f",
"indicator--5880befe-0c6c-49d7-90a0-440c950d210f",
"indicator--5880bf2f-f570-4cd5-93d9-1d0e950d210f",
"indicator--5880bf30-10f0-40c2-bc95-1d0e950d210f",
"indicator--5880bf31-d0b0-4c41-bb57-1d0e950d210f",
"indicator--5880bfc0-2bb4-4903-9700-4807950d210f",
"indicator--5880bfc1-0bdc-4713-bfba-483f950d210f",
"indicator--5880bfc2-4618-4d45-b874-43dc950d210f",
"indicator--5880bfc3-75bc-4e71-a80b-420c950d210f",
"indicator--5880bfc3-65c4-4815-951a-4fbd950d210f",
"indicator--5880c003-3ce8-45ef-8a6d-4eb0950d210f",
"indicator--5880c0b7-2e18-4ae8-8a66-425c950d210f",
"indicator--5880c0b8-a8a8-4966-9a76-46ab950d210f",
"indicator--5880c0ff-72f4-4679-891b-402e02de0b81",
"indicator--5880c100-9e5c-477d-bd00-4d6102de0b81",
"observed-data--5880c100-5da8-4221-8728-44d102de0b81",
"url--5880c100-5da8-4221-8728-44d102de0b81",
"indicator--5880c101-32a8-4abd-a7c5-4e3d02de0b81",
"indicator--5880c102-3094-4160-b109-4b7402de0b81",
"observed-data--5880c103-9c50-4447-8d6f-4eb202de0b81",
"url--5880c103-9c50-4447-8d6f-4eb202de0b81",
"indicator--5880c103-47c4-4c29-b062-451502de0b81",
"indicator--5880c104-b694-4afe-96e4-415902de0b81",
"observed-data--5880c105-8f14-42d1-a7e4-43fd02de0b81",
"url--5880c105-8f14-42d1-a7e4-43fd02de0b81",
"indicator--5880c106-6e2c-4db5-b5f7-453202de0b81",
"indicator--5880c106-c7f0-4262-aea9-4a4802de0b81",
"observed-data--5880c107-5c20-412b-8b7c-4c5802de0b81",
"url--5880c107-5c20-412b-8b7c-4c5802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"LuminosityLink\"",
"osint:source-type=\"blog-post\"",
"ms-caro-malware:malware-type=\"RemoteAccess\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880bb6a-6a00-411b-9395-1d0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:13:14.000Z",
"modified": "2017-01-19T13:13:14.000Z",
"first_observed": "2017-01-19T13:13:14Z",
"last_observed": "2017-01-19T13:13:14Z",
"number_observed": 1,
"object_refs": [
"url--5880bb6a-6a00-411b-9395-1d0e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5880bb6a-6a00-411b-9395-1d0e950d210f",
"value": "https://blog.opendns.com/2017/01/18/finding-the-rats-nest/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5880bb83-31b4-4906-a648-4447950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:13:39.000Z",
"modified": "2017-01-19T13:13:39.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "We\u00e2\u20ac\u2122ve spotted a Remote Access Trojan(RAT) and are headed down into the unknown. In this blog post we\u00e2\u20ac\u2122re going to examine some malicious infrastructure that we\u00e2\u20ac\u2122ve found by pivoting through domains delivering and communicating with RATs.\r\n\r\nA RAT is malware that creates a back door to gain access to the target and its connected resources in order to spy/steal information, drop additional malware such as ransomware, or to enlist the target into a botnet for DDoS purposes. A RAT can basically give all of the same access to a system that the attacker would have if they were physically accessing the target. A RAT has many functionalities: remote desktop control, webcam and microphone control, keylogger, remote shell, crypto miner, download and execute functionalities, screen capturing."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880be6d-4ce0-4a6c-af3c-4fc3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:26:05.000Z",
"modified": "2017-01-19T13:26:05.000Z",
"pattern": "[url:value = 'http://onsitepowersystems.com/invoice86291320.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:26:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880be8e-ab60-4d26-80cd-4828950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:26:38.000Z",
"modified": "2017-01-19T13:26:38.000Z",
"first_observed": "2017-01-19T13:26:38Z",
"last_observed": "2017-01-19T13:26:38Z",
"number_observed": 1,
"object_refs": [
"domain-name--5880be8e-ab60-4d26-80cd-4828950d210f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5880be8e-ab60-4d26-80cd-4828950d210f",
"value": "onsitepowersystems.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880be8e-8278-46e7-925b-47b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:26:38.000Z",
"modified": "2017-01-19T13:26:38.000Z",
"first_observed": "2017-01-19T13:26:38Z",
"last_observed": "2017-01-19T13:26:38Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
"ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
"dst_ref": "ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
"value": "191.101.22.47"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880beae-2e70-43f9-be6b-48ad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:27:10.000Z",
"modified": "2017-01-19T13:27:10.000Z",
"description": "Sample",
"pattern": "[file:hashes.SHA256 = '083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:27:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880befd-2c2c-4308-8871-47e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:28:29.000Z",
"modified": "2017-01-19T13:28:29.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'thevm2.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:28:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880befe-0c6c-49d7-90a0-440c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:28:30.000Z",
"modified": "2017-01-19T13:28:30.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'blackhills.ddns.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:28:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bf2f-f570-4cd5-93d9-1d0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:29:19.000Z",
"modified": "2017-01-19T13:29:19.000Z",
"description": "Malware dropped (after RAT installation)",
"pattern": "[file:hashes.SHA256 = '0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bf30-10f0-40c2-bc95-1d0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:29:20.000Z",
"modified": "2017-01-19T13:29:20.000Z",
"description": "Malware dropped (after RAT installation)",
"pattern": "[file:hashes.SHA256 = '1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bf31-d0b0-4c41-bb57-1d0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:29:21.000Z",
"modified": "2017-01-19T13:29:21.000Z",
"description": "Malware dropped (after RAT installation)",
"pattern": "[file:hashes.SHA256 = 'ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bfc0-2bb4-4903-9700-4807950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:31:44.000Z",
"modified": "2017-01-19T13:31:44.000Z",
"description": "Potential malicious domains registered by nie0461@gmail[.]com",
"pattern": "[domain-name:value = 'marciaguthke.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:31:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bfc1-0bdc-4713-bfba-483f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:31:45.000Z",
"modified": "2017-01-19T13:31:45.000Z",
"description": "Potential malicious domains registered by nie0461@gmail[.]com",
"pattern": "[domain-name:value = 'email-hosting.us']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:31:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bfc2-4618-4d45-b874-43dc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:31:46.000Z",
"modified": "2017-01-19T13:31:46.000Z",
"description": "Potential malicious domains registered by nie0461@gmail[.]com",
"pattern": "[domain-name:value = 'emailhostings.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:31:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bfc3-75bc-4e71-a80b-420c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:31:47.000Z",
"modified": "2017-01-19T13:31:47.000Z",
"description": "Potential malicious domains registered by nie0461@gmail[.]com",
"pattern": "[domain-name:value = 'myvm2.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:31:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880bfc3-65c4-4815-951a-4fbd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:31:47.000Z",
"modified": "2017-01-19T13:31:47.000Z",
"description": "Potential malicious domains registered by nie0461@gmail[.]com",
"pattern": "[domain-name:value = 'vm2online.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:31:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c003-3ce8-45ef-8a6d-4eb0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:32:51.000Z",
"modified": "2017-01-19T13:32:51.000Z",
"description": "which has the nameservers that are hosting these panels currently, and hosted some in the past.",
"pattern": "[domain-name:value = 'hackcom.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:32:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c0b7-2e18-4ae8-8a66-425c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:35:51.000Z",
"modified": "2017-01-19T13:35:51.000Z",
"description": "fake AV support domains",
"pattern": "[domain-name:value = 'irus-os-77h7ft.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:35:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c0b8-a8a8-4966-9a76-46ab950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:35:52.000Z",
"modified": "2017-01-19T13:35:52.000Z",
"description": "fake AV support domains",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.111.155.6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:35:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c0ff-72f4-4679-891b-402e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:03.000Z",
"modified": "2017-01-19T13:37:03.000Z",
"description": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
"pattern": "[file:hashes.SHA1 = '81d77e94b1ba8462b81eb27f3fed6faa5b0b7da9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c100-9e5c-477d-bd00-4d6102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:04.000Z",
"modified": "2017-01-19T13:37:04.000Z",
"description": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
"pattern": "[file:hashes.MD5 = '9d30dbac68b18b3a12994a10ff685f40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880c100-5da8-4221-8728-44d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:04.000Z",
"modified": "2017-01-19T13:37:04.000Z",
"first_observed": "2017-01-19T13:37:04Z",
"last_observed": "2017-01-19T13:37:04Z",
"number_observed": 1,
"object_refs": [
"url--5880c100-5da8-4221-8728-44d102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5880c100-5da8-4221-8728-44d102de0b81",
"value": "https://www.virustotal.com/file/083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0/analysis/1482557009/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c101-32a8-4abd-a7c5-4e3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:05.000Z",
"modified": "2017-01-19T13:37:05.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
"pattern": "[file:hashes.SHA1 = '7547d0ec26695ecd8a9e696b6e1a1e5485330662']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c102-3094-4160-b109-4b7402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:06.000Z",
"modified": "2017-01-19T13:37:06.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
"pattern": "[file:hashes.MD5 = '7e5dd95f50dd0df531c8bb9069b8f350']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880c103-9c50-4447-8d6f-4eb202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:07.000Z",
"modified": "2017-01-19T13:37:07.000Z",
"first_observed": "2017-01-19T13:37:07Z",
"last_observed": "2017-01-19T13:37:07Z",
"number_observed": 1,
"object_refs": [
"url--5880c103-9c50-4447-8d6f-4eb202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5880c103-9c50-4447-8d6f-4eb202de0b81",
"value": "https://www.virustotal.com/file/0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87/analysis/1483722136/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c103-47c4-4c29-b062-451502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:07.000Z",
"modified": "2017-01-19T13:37:07.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
"pattern": "[file:hashes.SHA1 = 'bc9d26c387cc938c3c50f2a14042fbf6524f3b9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c104-b694-4afe-96e4-415902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:08.000Z",
"modified": "2017-01-19T13:37:08.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
"pattern": "[file:hashes.MD5 = 'edc94982e4b857a58947c235acb762f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880c105-8f14-42d1-a7e4-43fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:09.000Z",
"modified": "2017-01-19T13:37:09.000Z",
"first_observed": "2017-01-19T13:37:09Z",
"last_observed": "2017-01-19T13:37:09Z",
"number_observed": 1,
"object_refs": [
"url--5880c105-8f14-42d1-a7e4-43fd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5880c105-8f14-42d1-a7e4-43fd02de0b81",
"value": "https://www.virustotal.com/file/ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9/analysis/1484664762/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c106-6e2c-4db5-b5f7-453202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:10.000Z",
"modified": "2017-01-19T13:37:10.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
"pattern": "[file:hashes.SHA1 = '9ae528cd78a02a989fa91c841c5792fff30e7271']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880c106-c7f0-4262-aea9-4a4802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:10.000Z",
"modified": "2017-01-19T13:37:10.000Z",
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
"pattern": "[file:hashes.MD5 = 'c505995c2c79d7d4f484fc1bba828c9a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T13:37:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5880c107-5c20-412b-8b7c-4c5802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T13:37:11.000Z",
"modified": "2017-01-19T13:37:11.000Z",
"first_observed": "2017-01-19T13:37:11Z",
"last_observed": "2017-01-19T13:37:11Z",
"number_observed": 1,
"object_refs": [
"url--5880c107-5c20-412b-8b7c-4c5802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5880c107-5c20-412b-8b7c-4c5802de0b81",
"value": "https://www.virustotal.com/file/1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a/analysis/1484297083/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}