misp-circl-feed/feeds/circl/stix-2.1/5b191ead-fac0-4f21-aaef-b9700acd0835.json

374 lines
18 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b191ead-fac0-4f21-aaef-b9700acd0835",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"name": "Synovus Financial",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b191ead-fac0-4f21-aaef-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"name": "New Phishing Attacks Abuse Excel Internet Query Files",
"published": "2018-06-07T12:18:02Z",
"object_refs": [
"indicator--5b191ead-1204-434b-975c-b9700acd0835",
"indicator--5b191ead-0c64-4e9e-8f04-b9700acd0835",
"indicator--5b191ead-3238-4a16-8029-b9700acd0835",
"indicator--5b191ead-500c-42f1-bea4-b9700acd0835",
"indicator--5b191ead-c060-48f7-8455-b9700acd0835",
"indicator--5b191ead-e354-4b19-ba79-b9700acd0835",
"indicator--5b191ead-7e98-49b6-ae1c-b9700acd0835",
"indicator--5b191ead-8dfc-4b2c-b6cc-b9700acd0835",
"indicator--5b191ead-90d0-429b-b96c-b9700acd0835",
"indicator--5b191ead-ca94-45d9-8517-b9700acd0835",
"indicator--5b191ead-1230-4020-809a-b9700acd0835",
"indicator--5b191ead-dfe4-4d54-8427-b9700acd0835",
"observed-data--5b191fd4-8598-4cf5-a279-b9700acd0835",
"url--5b191fd4-8598-4cf5-a279-b9700acd0835"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"veris:action:social:variety=\"Phishing\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Necurs\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-1204-434b-975c-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"pattern": "[file:hashes.MD5 = '08bb85f5bff52d2605ddd8a19a5465fd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-0c64-4e9e-8f04-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "clodflarechk",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.119.150.29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-3238-4a16-8029-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "DomainTools Risk Score 100",
"pattern": "[domain-name:value = 'clodflarechk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-500c-42f1-bea4-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"pattern": "[file:hashes.MD5 = '418aa2d43b1e4a841d4769463b12fa3b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"misp-galaxy:tool=\"Necurs\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-c060-48f7-8455-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"pattern": "[file:hashes.MD5 = 'd2a63814440f8d054d78b03b48f7a3df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"Downloader\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-e354-4b19-ba79-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"pattern": "[file:hashes.MD5 = '3a86ffce06d029730ad89cb233079d64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-7e98-49b6-ae1c-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.",
"pattern": "[url:value = 'http://clodflarechk.com/1.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-8dfc-4b2c-b6cc-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.",
"pattern": "[url:value = 'http://clodflarechk.com/cloud.png']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-90d0-429b-b96c-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.",
"pattern": "[url:value = 'http://clodflarechk.com/2.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-ca94-45d9-8517-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.",
"pattern": "[url:value = 'http://clodflarechk.com/data.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-1230-4020-809a-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"description": "clodflarechk",
"pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '103.208.86.69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b191ead-dfe4-4d54-8427-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"pattern": "[file:hashes.MD5 = '172bc98dbe0f6c4ac59857c071cd8673']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-07T12:17:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"misp-galaxy:tool=\"Necurs\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b191fd4-8598-4cf5-a279-b9700acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-07T12:17:43.000Z",
"modified": "2018-06-07T12:17:43.000Z",
"first_observed": "2018-06-07T12:17:43Z",
"last_observed": "2018-06-07T12:17:43Z",
"number_observed": 1,
"object_refs": [
"url--5b191fd4-8598-4cf5-a279-b9700acd0835"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b191fd4-8598-4cf5-a279-b9700acd0835",
"value": "https://myonlinesecurity.co.uk/necurs-delivering-flawed-ammy-rat-via-iqy-excel-web-query-files/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}