misp-circl-feed/feeds/circl/stix-2.1/5bf7ba12-bec4-4d01-8330-4373950d210f.json

{
    "type": "bundle",
    "id": "bundle--5bf7ba12-bec4-4d01-8330-4373950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:40.000Z",
            "modified": "2018-11-23T15:34:40.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5bf7ba12-bec4-4d01-8330-4373950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:40.000Z",
            "modified": "2018-11-23T15:34:40.000Z",
            "name": "OSINT - Turla PNG Dropper is back",
            "published": "2018-11-23T15:34:53Z",
            "object_refs": [
                "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
                "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
                "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f",
                "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
                "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
                "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f",
                "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f",
                "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
                "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
                "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f",
                "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f",
                "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f",
                "indicator--5bf7e05b-4018-4130-afed-4d90950d210f",
                "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f",
                "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f",
                "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f",
                "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f",
                "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f",
                "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f",
                "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f",
                "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f",
                "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817",
                "x-misp-object--003ceafa-e652-4272-89f0-356846947659",
                "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6",
                "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447",
                "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc",
                "x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2",
                "indicator--b12e81db-47cb-482e-8deb-e6c98261d878",
                "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "misp-galaxy:threat-actor=\"Turla Group\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T08:37:10.000Z",
            "modified": "2018-11-23T08:37:10.000Z",
            "first_observed": "2018-11-23T08:37:10Z",
            "last_observed": "2018-11-23T08:37:10Z",
            "number_observed": 1,
            "object_refs": [
                "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
            "value": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T08:37:08.000Z",
            "modified": "2018-11-23T08:37:08.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "text",
            "x_misp_value": "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u00e2\u20ac\u2122s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. Nevertheless, we think that this it is worth documenting this new use of the PNG Dropper."
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T08:49:36.000Z",
            "modified": "2018-11-23T08:49:36.000Z",
            "first_observed": "2018-11-23T08:49:36Z",
            "last_observed": "2018-11-23T08:49:36Z",
            "number_observed": 1,
            "object_refs": [
                "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
            "value": "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T10:34:00.000Z",
            "modified": "2018-11-23T10:34:00.000Z",
            "pattern": "[rule turla_png_dropper {\r\n    meta:\r\n        author = \"Ben Humphrey\"\r\n        description = \"Detects the PNG Dropper used by the Turla group\"\r\n        sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n    strings:\r\n        $api0 = \"GdiplusStartup\"\r\n        $api1 = \"GdipAlloc\"\r\n        $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n        $api3 = \"GdipBitmapLockBits\"\r\n        $api4 = \"GdipGetImageWidth\"\r\n        $api5 = \"GdipGetImageHeight\"\r\n        $api6 = \"GdiplusShutdown\"\r\n\r\n        $code32 = {\r\n            8B 46 3C               // mov     eax, [esi+3Ch]\r\n            B9 0B 01 00 00         // mov     ecx, 10Bh\r\n            66 39 4C 30 18         // cmp     [eax+esi+18h], cx\r\n            8B 44 30 28            // mov     eax, [eax+esi+28h]\r\n            6A 00                  // push    0\r\n            B9 AF BE AD DE         // mov     ecx, 0DEADBEAFh\r\n            51                     // push    ecx\r\n            51                     // push    ecx\r\n            03 C6                  // add     eax, esi\r\n            56                     // push    esi\r\n            FF D0                  // call eax\r\n        }\r\n\r\n        $code64 = {\r\n            48 63 43 3C            // movsxd rax, dword ptr [rbx+3Ch]\r\n            B9 0B 01 00 00         // mov ecx, 10Bh\r\n            BA AF BE AD DE         // mov edx, 0DEADBEAFh\r\n            66 39 4C 18 18         // cmp [rax+rbx+18h], cx\r\n            8B 44 18 28            // mov eax, [rax+rbx+28h]\r\n            45 33 C9               // xor r9d, r9d\r\n            44 8B C2               // mov r8d, edx\r\n            48 8B CB               // mov rcx, rbx\r\n            48 03 C3               // add rax, rbx\r\n            FF D0                  // call rax\r\n        }\r\n\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n        all of ($api*) and \r\n        1 of ($code*)\r\n}]",
            "pattern_type": "yara",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T10:34:00Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"yara\"",
                "misp:category=\"Payload delivery\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T10:34:54.000Z",
            "modified": "2018-11-23T10:34:54.000Z",
            "pattern": "[rule turla_png_reg_enum_payload {\r\n      meta:\r\n                author = \"Ben Humphrey\"\r\n                description = \"Payload that has most recently been dropped by the\r\nTurla PNG Dropper\"\r\n               shas256 =\r\n\"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n      strings:\r\n          $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n          $crypt01 = \"ChainingModeCBC\" wide\r\n          $crypt02 = \"AES\" wide\r\n\r\n      condition:\r\n          (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n          pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n          pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n          pe.imports(\"advapi32.dll\", \"RegEnumKeyExA\") and \r\n          pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n          pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n          pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n          pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n          pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n          pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n          pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n          pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n          all of them\r\n}]",
            "pattern_type": "yara",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T10:34:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"yara\"",
                "misp:category=\"Payload delivery\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T10:50:21.000Z",
            "modified": "2018-11-23T10:50:21.000Z",
            "first_observed": "2018-11-23T10:50:21Z",
            "last_observed": "2018-11-23T10:50:21Z",
            "number_observed": 1,
            "object_refs": [
                "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
            "value": "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:06:02.000Z",
            "modified": "2018-11-23T11:06:02.000Z",
            "pattern": "[rule PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n   meta:\r\n\r\n      author = \u00e2\u20ac\u0153CarbonBlack Threat Research\u00e2\u20ac\u009d\r\n\r\n      date = \u00e2\u20ac\u01532017-June-11\u00e2\u20ac\u009d\r\n\r\n      description = \u00e2\u20ac\u0153Dropper tool that extracts payload from PNG resources\u00e2\u20ac\u009d\r\n\r\n      yara_version = \u00e2\u20ac\u01533.5.0\u00e2\u20ac\u009d\r\n\r\n      exemplar_hashes = \u00e2\u20ac\u01533a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 \u00e2\u20ac\u0153\r\n\r\n   strings:\r\n\r\n$s1 = \u00e2\u20ac\u0153GdipGetImageWidth\u00e2\u20ac\u009d\r\n\r\n$s2 = \u00e2\u20ac\u0153GdipGetImageHeight\u00e2\u20ac\u009d\r\n\r\n$s3 = \u00e2\u20ac\u0153GdipCreateBitmapFromStream\u00e2\u20ac\u009d\r\n\r\n$s4 = \u00e2\u20ac\u0153GdipCreateBitmapFromStreamICM\u00e2\u20ac\u009d\r\n\r\n$s5 = \u00e2\u20ac\u0153GdipBitmapLockBits\u00e2\u20ac\u009d\r\n\r\n$s6 = \u00e2\u20ac\u0153GdipBitmapUnlockBits\u00e2\u20ac\u009d\r\n\r\n$s7 = \u00e2\u20ac\u0153LockResource\u00e2\u20ac\u009d\r\n\r\n$s8 = \u00e2\u20ac\u0153LoadResource\u00e2\u20ac\u009d\r\n\r\n$s9 = \u00e2\u20ac\u0153ExpandEnvironmentStringsW\u00e2\u20ac\u009d\r\n\r\n$s10 = \u00e2\u20ac\u0153SetFileTime\u00e2\u20ac\u009d\r\n\r\n$s11 = \u00e2\u20ac\u0153memcmp\u00e2\u20ac\u009d\r\n\r\n$s12 = \u00e2\u20ac\u0153strlen\u00e2\u20ac\u009d\r\n\r\n$s13 = \u00e2\u20ac\u0153memcpy\u00e2\u20ac\u009d\r\n\r\n$s14 = \u00e2\u20ac\u0153memchr\u00e2\u20ac\u009d\r\n\r\n$s15 = \u00e2\u20ac\u0153memmove\u00e2\u20ac\u009d\r\n\r\n$s16 = \u00e2\u20ac\u0153ZwQueryValueKey\u00e2\u20ac\u009d\r\n\r\n$s17 = \u00e2\u20ac\u0153ZwQueryInformationProcess\u00e2\u20ac\u009d\r\n\r\n$s18 = \u00e2\u20ac\u0153FindNextFile\u00e2\u20ac\u009d\r\n\r\n$s19 = \u00e2\u20ac\u0153GetModuleHandle\u00e2\u20ac\u009d\r\n\r\n$s20 = \u00e2\u20ac\u0153VirtualFree\u00e2\u20ac\u009d\r\n\r\n$PNG1 = {89 50 4E 47 [8] 49 48 44 52} //PNG Header\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n   \r\n\r\n    condition:\r\n\r\n    uint16(0) == 0x5A4D and// MZ header check\r\n\r\n    filesize < 6MB and\r\n\r\n    18 of ($s*) and\r\n\r\n    (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n       ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit and $bi32_virt1\r\n\r\n       (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit \u00e2\u20ac\u201c present more that 2 times and $bin64_Virt1\r\n\r\n}]",
            "pattern_type": "yara",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:06:02Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"yara\"",
                "misp:category=\"Payload delivery\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T10:47:48.000Z",
            "modified": "2018-11-23T10:47:48.000Z",
            "description": "PNG Dropper",
            "pattern": "[file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T10:47:48Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T10:49:14.000Z",
            "modified": "2018-11-23T10:49:14.000Z",
            "description": "Payload contained in the PNG dropper",
            "pattern": "[file:hashes.SHA256 = 'fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T10:49:14Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e05b-4018-4130-afed-4d90950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:11:23.000Z",
            "modified": "2018-11-23T11:11:23.000Z",
            "pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:11:23Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:11:37.000Z",
            "modified": "2018-11-23T11:11:37.000Z",
            "pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:11:37Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:13:15.000Z",
            "modified": "2018-11-23T11:13:15.000Z",
            "pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:13:15Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:13:38.000Z",
            "modified": "2018-11-23T11:13:38.000Z",
            "pattern": "[file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:13:38Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:14:43.000Z",
            "modified": "2018-11-23T11:14:43.000Z",
            "pattern": "[file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:14:43Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:16:22.000Z",
            "modified": "2018-11-23T11:16:22.000Z",
            "pattern": "[file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:16:22Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:17:28.000Z",
            "modified": "2018-11-23T11:17:28.000Z",
            "pattern": "[file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:17:28Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:18:26.000Z",
            "modified": "2018-11-23T11:18:26.000Z",
            "pattern": "[file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:18:26Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T11:18:40.000Z",
            "modified": "2018-11-23T11:18:40.000Z",
            "pattern": "[file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3' AND file:x_misp_state = 'Malicious']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T11:18:40Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:07.000Z",
            "modified": "2018-11-23T15:34:07.000Z",
            "pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T15:34:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--003ceafa-e652-4272-89f0-356846947659",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:09.000Z",
            "modified": "2018-11-23T15:34:09.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2018-10-17T23:41:05",
                    "category": "Other",
                    "uuid": "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/",
                    "category": "External analysis",
                    "uuid": "2b06642b-d74e-4910-9a74-980fdb5cebb3"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "48/67",
                    "category": "Other",
                    "uuid": "2a5f6f23-8854-48fd-bb7c-dda116812263"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:10.000Z",
            "modified": "2018-11-23T15:34:10.000Z",
            "pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T15:34:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:11.000Z",
            "modified": "2018-11-23T15:34:11.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2018-09-27T23:11:14",
                    "category": "Other",
                    "uuid": "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/",
                    "category": "External analysis",
                    "uuid": "3e316cfb-ba54-4612-9ee6-20204adc750d"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "24/68",
                    "category": "Other",
                    "uuid": "e2c20e0f-18f6-4fbf-86ad-f0d025f17266"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:12.000Z",
            "modified": "2018-11-23T15:34:12.000Z",
            "pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T15:34:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:14.000Z",
            "modified": "2018-11-23T15:34:14.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2018-10-17T04:41:54",
                    "category": "Other",
                    "uuid": "a4daa13a-1374-4259-af44-d8c88ea2cc58"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/",
                    "category": "External analysis",
                    "uuid": "a305ca88-cd28-4233-af68-b4def8e76110"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "45/67",
                    "category": "Other",
                    "uuid": "ad12f987-16cf-453d-8e0f-bd6d3758823d"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b12e81db-47cb-482e-8deb-e6c98261d878",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:15.000Z",
            "modified": "2018-11-23T15:34:15.000Z",
            "pattern": "[file:hashes.MD5 = 'd2e8e75c30dccd98a95d25b218ba7d2e' AND file:hashes.SHA1 = '72997e699d6c7cd5a2409535bfdef58695ed46fa' AND file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-11-23T15:34:15Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-11-23T15:34:16.000Z",
            "modified": "2018-11-23T15:34:16.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2018-11-23T13:40:06",
                    "category": "Other",
                    "uuid": "9797ab40-8d7c-4a60-ab23-f6f99e9492b0"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/",
                    "category": "External analysis",
                    "uuid": "2817750f-5b18-463e-baa8-19fba2fb0765"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "47/69",
                    "category": "Other",
                    "uuid": "164f9a1b-2a21-40de-be22-762bb37ab16e"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}