misp-circl-feed/feeds/circl/stix-2.1/596f7d10-18f4-44d9-ae66-48d3950d210f.json

894 lines
39 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--596f7d10-18f4-44d9-ae66-48d3950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--596f7d10-18f4-44d9-ae66-48d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"name": "OSINT - Unravelling .NET with the Help of WinDBG",
"published": "2017-07-19T15:41:41Z",
"object_refs": [
"indicator--596f7d56-5c0c-413f-8958-1ab5950d210f",
"indicator--596f7d56-08f0-412f-9788-1ab5950d210f",
"indicator--596f7d56-7c10-41fc-a418-1ab5950d210f",
"indicator--596f7d56-a90c-432e-a36a-1ab5950d210f",
"indicator--596f7d56-0600-4335-9d3f-1ab5950d210f",
"indicator--596f7d56-4b20-4277-a0b1-1ab5950d210f",
"indicator--596f7d56-c7d4-40a6-b2cb-1ab5950d210f",
"indicator--596f7d6c-a324-4766-acf1-4cef950d210f",
"indicator--596f7d6c-a9a8-4ebc-87d8-4c26950d210f",
"indicator--596f7d6c-e270-4fde-a868-4e26950d210f",
"indicator--596f7d6c-debc-4e8b-80e6-4a86950d210f",
"x-misp-attribute--596f7d8c-f2cc-49e4-a58c-4a71950d210f",
"observed-data--596f7d9c-b988-4564-be72-4a94950d210f",
"url--596f7d9c-b988-4564-be72-4a94950d210f",
"indicator--596f7da5-6420-4837-a04a-408302de0b81",
"indicator--596f7da5-2974-499b-a794-4c4802de0b81",
"observed-data--596f7da5-3070-40f2-923b-429f02de0b81",
"url--596f7da5-3070-40f2-923b-429f02de0b81",
"indicator--596f7da5-0884-4f33-b7a1-47e102de0b81",
"indicator--596f7da5-2838-4086-8f90-4ff202de0b81",
"observed-data--596f7da5-8ba4-4f72-ae5f-425402de0b81",
"url--596f7da5-8ba4-4f72-ae5f-425402de0b81",
"indicator--596f7da5-3f64-44a5-8f9f-435602de0b81",
"indicator--596f7da5-8ad8-4107-8023-4dc102de0b81",
"observed-data--596f7da5-a064-4660-a94e-4e4402de0b81",
"url--596f7da5-a064-4660-a94e-4e4402de0b81",
"indicator--596f7da5-7170-4554-bc97-4dd202de0b81",
"indicator--596f7da5-b960-43a9-866a-4f9e02de0b81",
"observed-data--596f7da5-05a4-4ad1-b112-454602de0b81",
"url--596f7da5-05a4-4ad1-b112-454602de0b81",
"indicator--596f7da5-70fc-4bbf-8736-419f02de0b81",
"indicator--596f7da5-67c0-4b36-bd23-4c2702de0b81",
"observed-data--596f7da5-8df4-4fef-b6cb-4a0402de0b81",
"url--596f7da5-8df4-4fef-b6cb-4a0402de0b81",
"indicator--596f7da5-9850-4e16-87be-434d02de0b81",
"indicator--596f7da5-e298-4951-8ba0-408702de0b81",
"observed-data--596f7da5-3f20-423b-98c8-403302de0b81",
"url--596f7da5-3f20-423b-98c8-403302de0b81",
"indicator--596f7da5-34a4-40c4-92e6-421202de0b81",
"indicator--596f7da5-6074-46b0-a001-401002de0b81",
"observed-data--596f7da5-0f84-4357-94cc-424a02de0b81",
"url--596f7da5-0f84-4357-94cc-424a02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-5c0c-413f-8958-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = '21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-08f0-412f-9788-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = '344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-7c10-41fc-a418-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = '45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-a90c-432e-a36a-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = '61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-0600-4335-9d3f-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-4b20-4277-a0b1-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d56-c7d4-40a6-b2cb-1ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d6c-a324-4766-acf1-4cef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "UNPACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = '35dee9106e4521e5adf295cc945355d72eb359d610230142e5dd4adda9678dee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d6c-a9a8-4ebc-87d8-4c26950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "UNPACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'b5ce02ee3dfccf28e86f737a6dde85e9d30ff0549ec611d115a1d575b5291c2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d6c-e270-4fde-a868-4e26950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "UNPACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'd9a732dcf87764a87f17c95466f557fac33f041ac6f244dba006ba155d8e9aea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7d6c-debc-4e8b-80e6-4a86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "UNPACKED SAMPLES",
"pattern": "[file:hashes.SHA256 = 'fe068ce56b258762c10cc66525c309e79026c0e44103ca9b223c51382722cb09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--596f7d8c-f2cc-49e4-a58c-4a71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": ".NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform.\r\n\r\nAnalysis tools such as ILSpy help researchers decompile code from applications, but cannot be used to automate the analysis of many samples. In this article we will examine how to use WinDBG to analyse .NET applications using the SOS extension provided by Microsoft.\r\n\r\nThis article describes:\r\nHow to analyse PowerShell scripts by inserting a breakpoint in the .NET API.\r\nHow to easily create a script to automatically unpack .NET samples following analysis of the packer logic."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7d9c-b988-4564-be72-4a94950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7d9c-b988-4564-be72-4a94950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7d9c-b988-4564-be72-4a94950d210f",
"value": "http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-6420-4837-a04a-408302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504",
"pattern": "[file:hashes.SHA1 = '23b1f6dda828dc50963ea841414eab633bfc7dde']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-2974-499b-a794-4c4802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504",
"pattern": "[file:hashes.MD5 = 'd8c5268ff36bec6ef67522e407c99847']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-3070-40f2-923b-429f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-3070-40f2-923b-429f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-3070-40f2-923b-429f02de0b81",
"value": "https://www.virustotal.com/file/e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504/analysis/1493454070/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-0884-4f33-b7a1-47e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320",
"pattern": "[file:hashes.SHA1 = 'a0e1c6c4c0469d28e889e15cb4fd1698d580c8b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-2838-4086-8f90-4ff202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320",
"pattern": "[file:hashes.MD5 = 'aeefcc7e278e54fc6ee71fa6075fdc48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-8ba4-4f72-ae5f-425402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-8ba4-4f72-ae5f-425402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-8ba4-4f72-ae5f-425402de0b81",
"value": "https://www.virustotal.com/file/b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320/analysis/1491852495/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-3f64-44a5-8f9f-435602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6",
"pattern": "[file:hashes.SHA1 = 'e79e302f43bfe18fe777e06d321a369a6fbebcb4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-8ad8-4107-8023-4dc102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6",
"pattern": "[file:hashes.MD5 = 'c61f4b7fab51bb78a635518cd1dd6bb5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-a064-4660-a94e-4e4402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-a064-4660-a94e-4e4402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-a064-4660-a94e-4e4402de0b81",
"value": "https://www.virustotal.com/file/ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6/analysis/1498156633/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-7170-4554-bc97-4dd202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773",
"pattern": "[file:hashes.SHA1 = '36fce94a8feb925becdb6708ed01e3b6fa1c32a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-b960-43a9-866a-4f9e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773",
"pattern": "[file:hashes.MD5 = '8a8c90f2f65bdab3fc1ada60d0767d3f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-05a4-4ad1-b112-454602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-05a4-4ad1-b112-454602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-05a4-4ad1-b112-454602de0b81",
"value": "https://www.virustotal.com/file/61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773/analysis/1497280580/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-70fc-4bbf-8736-419f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f",
"pattern": "[file:hashes.SHA1 = '6bb562395254d750e418357e59b57061e32022cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-67c0-4b36-bd23-4c2702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f",
"pattern": "[file:hashes.MD5 = '0c814ae689b229063ee7f0045cd36bae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-8df4-4fef-b6cb-4a0402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-8df4-4fef-b6cb-4a0402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-8df4-4fef-b6cb-4a0402de0b81",
"value": "https://www.virustotal.com/file/45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f/analysis/1493177175/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-9850-4e16-87be-434d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051",
"pattern": "[file:hashes.SHA1 = '8ac7418803efac76bf5d64cbad35332f0ddc8982']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-e298-4951-8ba0-408702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051",
"pattern": "[file:hashes.MD5 = '5480488e9f961e1cb1020fa48db5d038']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-3f20-423b-98c8-403302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-3f20-423b-98c8-403302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-3f20-423b-98c8-403302de0b81",
"value": "https://www.virustotal.com/file/344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051/analysis/1492133502/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-34a4-40c4-92e6-421202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe",
"pattern": "[file:hashes.SHA1 = 'ca460d04d93e535441bcc4ea3de313645eb7b817']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7da5-6074-46b0-a001-401002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"description": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe",
"pattern": "[file:hashes.MD5 = 'bed8aca8dc2ea2e8fafa2f56db06ba69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:41:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7da5-0f84-4357-94cc-424a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:41:25.000Z",
"modified": "2017-07-19T15:41:25.000Z",
"first_observed": "2017-07-19T15:41:25Z",
"last_observed": "2017-07-19T15:41:25Z",
"number_observed": 1,
"object_refs": [
"url--596f7da5-0f84-4357-94cc-424a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7da5-0f84-4357-94cc-424a02de0b81",
"value": "https://www.virustotal.com/file/21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe/analysis/1490674431/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}