misp-circl-feed/feeds/circl/stix-2.1/5c706a30-8ad4-4fcc-9e17-4d3d02de0b81.json

1285 lines
241 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5c706a30-8ad4-4fcc-9e17-4d3d02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-24T14:45:36.000Z",
"modified": "2019-02-24T14:45:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c706a30-8ad4-4fcc-9e17-4d3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-24T14:45:36.000Z",
"modified": "2019-02-24T14:45:36.000Z",
"name": "OSINT - New BabyShark Malware Targets U.S. National Security Think Tanks",
"published": "2019-02-24T14:45:43Z",
"object_refs": [
"observed-data--5c706a3f-bfc4-43aa-8158-4ba702de0b81",
"url--5c706a3f-bfc4-43aa-8158-4ba702de0b81",
"x-misp-attribute--5c706a50-24a0-41c5-abcc-4a8c02de0b81",
"indicator--5c706a6a-e8dc-4bdd-b4a6-455002de0b81",
"indicator--5c706aa9-6d34-4e8e-9eee-4baf02de0b81",
"indicator--5c706aa9-5228-42ab-9124-429e02de0b81",
"indicator--5c706aa9-c114-48bf-ad10-414e02de0b81",
"indicator--5c706aa9-633c-4553-a6d5-4f6002de0b81",
"indicator--5c706aaa-033c-4199-abb5-47d502de0b81",
"indicator--5c706aaa-e2bc-4506-85f2-4af102de0b81",
"indicator--5c706aaa-65e8-447c-bc54-46a502de0b81",
"indicator--5c706aaa-4ca8-4489-bbde-4c2f02de0b81",
"indicator--5c706aaa-090c-47e7-b8ca-4c8f02de0b81",
"indicator--5c706ada-4610-4c99-a616-416a02de0b81",
"indicator--5c706b8e-91f8-4722-ac8b-4aff02de0b81",
"indicator--5c706b8e-f1a4-404c-9a5d-41a902de0b81",
"indicator--5c706b8e-e198-4d15-a8d6-4f9702de0b81",
"indicator--5c706b8e-f3ec-4eb9-9829-4f3f02de0b81",
"observed-data--5c706dae-90f4-4374-b312-489102de0b81",
"file--5c706dae-90f4-4374-b312-489102de0b81",
"artifact--5c706dae-90f4-4374-b312-489102de0b81",
"indicator--5c72ae10-aa9c-4068-853b-4b4602de0b81",
"indicator--1db36cab-7b13-4758-b16a-9e9862d0973e",
"x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d",
"indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
"x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329",
"indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
"x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989",
"indicator--89e0ad73-a186-4959-b978-2311ee49e4af",
"x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8",
"indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f",
"x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7",
"indicator--6860e975-938c-413d-b144-74cde72c25dc",
"x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
"indicator--df5dd372-ecd6-4595-ab34-45bff1decb63",
"x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
"indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
"x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66",
"indicator--fd57be37-61cc-4452-85b5-518d55586335",
"x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef",
"indicator--56b391e4-f005-4caa-ae12-a90db6664ebd",
"x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
2024-08-07 08:13:15 +00:00
"relationship--2c833c47-a267-409d-b1c5-b21c4e44d7dd",
"relationship--3273f225-5101-4410-80b6-10ce5abb21b1",
"relationship--914661d2-eeb6-4199-bea9-1fb0979d9f3e",
"relationship--82ec8fa7-eb9f-48cb-9a1c-b5aa40ff89f5",
"relationship--62d81f51-b02f-46e0-a9f5-af1b7175cfc5",
"relationship--812751cd-9da1-4acc-8d0d-dd207d3514b5",
"relationship--b6fc61ad-e466-4f61-9729-15d9a76e4c30",
"relationship--5e844f03-bdf4-4f7d-8d26-75e142ae1fcf",
"relationship--3aa3cfdb-45d5-4308-be70-9458fdafaf18",
"relationship--3c1357c1-28cb-4213-899e-826fdae02df5"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\"",
"misp-galaxy:tool=\"BabyShark\"",
"misp-galaxy:threat-actor=\"STOLEN PENCIL\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c706a3f-bfc4-43aa-8158-4ba702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:31:43.000Z",
"modified": "2019-02-22T21:31:43.000Z",
"first_observed": "2019-02-22T21:31:43Z",
"last_observed": "2019-02-22T21:31:43Z",
"number_observed": 1,
"object_refs": [
"url--5c706a3f-bfc4-43aa-8158-4ba702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c706a3f-bfc4-43aa-8158-4ba702de0b81",
"value": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c706a50-24a0-41c5-abcc-4a8c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:32:00.000Z",
"modified": "2019-02-22T21:32:00.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert\u00e2\u20ac\u2122s name and had a subject referencing North Korea\u00e2\u20ac\u2122s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing \u00e2\u20ac\u0153BabyShark\u00e2\u20ac\u009d.\r\n\r\nBabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706a6a-e8dc-4bdd-b4a6-455002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:32:26.000Z",
"modified": "2019-02-22T21:32:26.000Z",
"pattern": "[url:value = 'https://tdalpacafarm.com/files/kr/contents/Vkggy0.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:32:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aa9-6d34-4e8e-9eee-4baf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:29.000Z",
"modified": "2019-02-22T21:33:29.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aa9-5228-42ab-9124-429e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:29.000Z",
"modified": "2019-02-22T21:33:29.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aa9-c114-48bf-ad10-414e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:29.000Z",
"modified": "2019-02-22T21:33:29.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aa9-633c-4553-a6d5-4f6002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:29.000Z",
"modified": "2019-02-22T21:33:29.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aaa-033c-4199-abb5-47d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:29.000Z",
"modified": "2019-02-22T21:33:29.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aaa-e2bc-4506-85f2-4af102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:30.000Z",
"modified": "2019-02-22T21:33:30.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aaa-65e8-447c-bc54-46a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:30.000Z",
"modified": "2019-02-22T21:33:30.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aaa-4ca8-4489-bbde-4c2f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:30.000Z",
"modified": "2019-02-22T21:33:30.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = 'dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706aaa-090c-47e7-b8ca-4c8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:30.000Z",
"modified": "2019-02-22T21:33:30.000Z",
"description": "Malicious Documents",
"pattern": "[file:hashes.SHA256 = '94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706ada-4610-4c99-a616-416a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:34:18.000Z",
"modified": "2019-02-22T21:34:18.000Z",
"description": "PE version loader, signed with stolen certificate:",
"pattern": "[file:hashes.SHA256 = '6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:34:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706b8e-91f8-4722-ac8b-4aff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:37:18.000Z",
"modified": "2019-02-22T21:37:18.000Z",
"description": "Decoy Filename",
"pattern": "[file:name = 'Kendall-AFA 2014 Conference-17Sept14.pdf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:37:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706b8e-f1a4-404c-9a5d-41a902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:37:18.000Z",
"modified": "2019-02-22T21:37:18.000Z",
"description": "Decoy Filename",
"pattern": "[file:name = 'U.S. Nuclear Deterrence.pdf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:37:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706b8e-e198-4d15-a8d6-4f9702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:37:18.000Z",
"modified": "2019-02-22T21:37:18.000Z",
"description": "Decoy Filename",
"pattern": "[file:name = '\u00ec\u00a0\u015330\u00ec\u00b0\u00a8\u00ed\u2022\u0153\u00eb\u00af\u00b8\u00ec\u2022\u02c6\u00eb\u00b3\u00b4 \u00ec\u2022\u02c6\u00eb\u201a\u00b4\u00ec\u017e\u00a5 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update)']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:37:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c706b8e-f3ec-4eb9-9829-4f3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:37:18.000Z",
"modified": "2019-02-22T21:37:18.000Z",
"description": "Decoy Filename",
"pattern": "[file:name = 'Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:37:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c706dae-90f4-4374-b312-489102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:46:22.000Z",
"modified": "2019-02-22T21:46:22.000Z",
"first_observed": "2019-02-22T21:46:22Z",
"last_observed": "2019-02-22T21:46:22Z",
"number_observed": 1,
"object_refs": [
"file--5c706dae-90f4-4374-b312-489102de0b81",
"artifact--5c706dae-90f4-4374-b312-489102de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c706dae-90f4-4374-b312-489102de0b81",
"name": "Figure-1-BabyShark-execution-flow.png",
"content_ref": "artifact--5c706dae-90f4-4374-b312-489102de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c706dae-90f4-4374-b312-489102de0b81",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAABc4AAAOKCAYAAAHVbvP3AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAIdUAACHVAQSctJ0AAP+lSURBVHhe7N0HuBNF+zbwvyi9SZEivVlAFCwgKIIFRVEUC/aGUhRRwN4Vu4INsIEVRPEVEQUUpKioFEEQaUpHkN6Rjvt993PmyZns2bRzkpxNcv+ua67dmS3ZJJvJk83szP85RBmAJzplBJ7olBF4olNG4IlOGYEnOmUEnuiUEXiiU0bgiU4ZIeSJXr169ZCJIvu//2Md4ich3w28UZ07d3Y6deoUlFDONzEyvEbly5d3ChcubEooP4U90b2gvEKFCjzZI9DXZ+/evXytfCBXJzpUqlQpI99APOdonre9TsuWLZ0DBw6YXGTYFt8G4YQ7hilTppg5x/nvv/+cefPmmVzu6ePNmTNH5gsWLBj2GPwm5JGGehIod6dME83zdi+P5XXCuvXr15d5nKheevbsKdMNGzbIFHbt2iXb4kTXx5swYYJMYd++fWbOcQ4ePCjT/fv3y1TzvXv3dr7//nvnr7/+crp06RLYj+5X51NNyCOO9smk4pMOJ5rn0759ezkx3OuWK1dOypAeffRRU5oFJ+ztt98eWI60ceNGszQYlsGAAQNkavvss8/MXLYdO3bIdNasWTK1T/SJEyfKNFoNGzY0c8F0f4D5X375RV6Dl156yZT6W8h31X5i4URaD8tTMUWi60S7fijYdvfu3SYXWV4eK1qo5ZPxOMkU8tnoE61SpYrMeyXQaSjubVIphaPLBw4cKNO8qFatmpmjRAn5buobWa9ePadYsWKeCaI5IVIxhWOv9/nnn0dcX9nb6TbRbkt5E/JVjvYNSLc3Kprn89Zbb5m5bNju77//NrnQ9BsAP/h4kidPxBO9RYsWUqt7JeCblfUa6OuAacmSJWXe/cNx586dQetS8kQ80atWrRp4c9wJdEo5Pfjgg2aOr1N+i3iiR8I3MDRWBv4R9kTHnxGREt9Eb3hdNFH+C3uiR5uI/I5nKWUEnuiUEXiiU0YIeaLjh2asDjvsMDPnOOPHj3cWL15scuFpnI9t4gH7mzFjhvPqq6+aEsp0nie6/r2Plm84aXDS23fK6ImJ6erVqwPzJUqUcCZPnizzOGkvueSSwLp33nmnzF944YUyLVq0qJRjXtc59NBDpXmq5tHmeevWrYH1Mf3nn39kmf4pA/Y+APM1a9Z0XnvtNZnHn15afv7558v8tm3bnOLFi8s82vPAcccdJ1NKP9lnh0VPGtw6B17NSdu0aWPmsunJCDjRL7vsMplH2ZFHHinz7dq1k6lNtylUqJDMjx49WvIrV66UDx3KNNm6du0qUy23WwHWqVNHTnSbrvf0008727dvl3nbuHHjzFze9O/fP5DIH4LPnAwxaNAgzxM9XkJ9MCn/8J1IAJ7o/pOrd2LUqFFmLvn69u1r5uJPbyfLK57o/hP2nfj333+dPn36yHyDBg2cM844Q+Zxy9jzzz8vt1HpPY3oGQCee+455+yzz3bmz5/vrF+/Xsp0CvrmlypVSqbqm2++kel3330n01NPPdXp1auXrH/ttdcG+pMZOnSoTAEhCITap5v+6MQJ/fjjjwd+YMf7hMT+NJE/eL4T5513nkxxor/77rtyNQQnur55ONHvuOOOHDUglnXr1i3QhFd/xOqJ/sMPP8gUN/F6wQ9VXKLEfq655hrnqquuMktycp9E+IHpxV5P5ytWrCgfntNPP13y8YbH0UT+EPU7sWLFCmfmzJlyfRrXx7ds2RJ0V7nehLtnzx5n3bp1ztq1ayUPS5cuNXOO88Ybb8h05MiRMv3iiy9kCthu7ty5Mo8bfO1r+WPHjpUpruysWbNG5pVe3dB9hmJ/MO2bJLxupMgLnuj+w3ciAXii+0++vBPx+tHnVzzR/SfsO4EYHbTfEDeU46TVcANhjS3aO+TRixX+qUT3bW7awxVCJ/j9999lqvCnEkS6Lo57NAHhVyLZJzlPdv/wfBf0zdETHTp06JDjzStSpIjz/vvvO8uWLZO8/qUOWAcnunsbm7vcaz2v7SKpXbu23AIIus/p06dL3paobxZ9zNwcOyVG2HcClw7xZmnbF/wAPeSQQ2QePTrhR+Dy5csljx+f+sZedNFFMv3ggw+cSy+9VC5Lut90fCg++eQTuQKCXq2wHGVDhgwJdMeGMt3Ovb3yKsdVnxo1aphc9jr41gi1n3hL1uNQdPhuUEbgiU4ZIeyJ3qhRIzMXmv4zan9Vh/ra/umnn8xcsGi/5u1r87nFkCIzeb7rdvNSnBh6crhPksGDBwd+0GGZtj9HQpz+8MMP59gGtMx9BcWG3wJNmzYNxO+AP5RCwfqtWrUyOccZM2aMmXOcl19+2cxlrUeZJ+dZaMFJgZMM7bwxtU9abVeiZfYUCe1IcOME/tLXfzi1/25N2s0y9lW6dGnn1ltvlfXQ3EDpjRpLliyRE/3nn3+W8saNG0s56LRt27YyhZNPPlmmuAFDHwP/0Oq6lFmS+q7r3+4ffvihTImShdUbZQSe6AmCEAktJMkfeKIniPv3A+UvvgsJYp/gPNnzH9+BGOGkjebEda+Du65i8eKLLzqzZ882udhhyEV32yPbE088IW38Qz2XSHdraWO6VMETPRdwcuCuK9xlFYr7BEIel0ijhfVxRxbaCek4UoAWoujmQ/OhhmfEcpzMOq/rv/POO87mzZtlHo3ytNzNPtFxswzWw0AGgFarw4cPlz58UoX3s6SI0GcNrv1rXzKHH3544ISKNPhWs2bNAuuGgsZt2DduKdT/DNAaFJ1E6bZ6H60X/c/CXl+HSjziiCPkeHXIey840fW/CNzHi/V0tLrTTjuNJ3qm0BME01hqarcCBQqEPNkofvgK5xJOTq3p8qJfv37OokWLTI4ShSd6LuDkRtK2+NGe7LqdJrQTinZbyhu+yrmkJ6jeXaXtgqKFdRPV3QblxBM9j3DCIqGDVDuP1Lp1aykD9I+j5UcddZQppWThiZ4L9smMFErlypXNXNY2lH/46ueCfYKHO4GjWYeSg+9ALuiJrsmLLtM+JSl/8USnjMATnTICT3TKCDzRKSPwRKeMwBOdMgJPdMoIPNETBG29NSVauI6dKAtP9AQJ9YeSV1koEyZMkCkGI65Vq5Y0573xxhtlOBx0DPXbb7/J2E0YBgd0v9HuP5PwFUkQPaHtky7aE/DLL7+UqZ7ouCMIt9BNnTrV+fHHH6UMUI4uNTACIPY9bdo0Z+HChWYp2XiiJ0heTvTcCjUyCfFET5hQJ7pXOSUeX+0E8TqhMY/hKd3llHh8tRNET2b7hLbL7PJQEKPrAGaPPPJIYBzVOXPmBLq50G6we/ToIVNAlxZw1113yRR69uwp07vvvlumbr1795ZRudHacsSIEaY0m44Vq+PEphqe6AkSywntptvgRK9UqZJTpkwZOdHRFTf6YsGVF/w4xXp6ons9jpbZg5KhTGN5+4etvT3m0W/N6tWrZV6XpXLf8jlfHYoLPUH0JMkN+woK+lFp0qSJDLaAka5xY7Y98IFdoyu9ZQ8nuo7Sp8PXQ5cuXcycE1iOTo/wGPgwbN26VTpQgo8++kimqYonegLYJ3leT3aKD74DCcKT3F/4LiQQT3L/4DtBGYEnOmUEnuhpQruWDpUyHV+BNIETPRSe7DzR0wZP9PB4oqcJPdG9Tmqe6DzR00Yya3TdXzTJL3iiJxDeaB0vKNGSfaKjyYDuE9N///038Dh28mK3mdFmCJdeeqlMYfz48TLVZgdoxKbdc2PImtzgiZ5AeKPDjfwWT+4TXU80jE6n8/Gi+4smeRk1apSZyxofSb322ms5tsM87onVcjRoyw2e6AnkfsMSKZk1Olo26j4jpVDKly8vrTKRAN989evXl3mM66S05SWe39y5c517771X8rHiiZ4Lkd5EZa9jtxpMFD0ur/Tee++ZtcLDjSGRYH86wgeaEmP6ySefBB7LTn7BEz2Xonkj7QFtAesj3oxFsk8WPJ7e7BGKPvdokl/wRM+lunX
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c72ae10-aa9c-4068-853b-4b4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-24T14:45:36.000Z",
"modified": "2019-02-24T14:45:36.000Z",
"pattern": "[import \"pe\"\r\n\r\nrule MAL_PE_Type_BabyShark_Loader {\r\n meta:\r\n description = \"Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks\"\r\n author = \"Florian Roth\"\r\n reference = \"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\"\r\n date = \"2019-02-24\"\r\n hash1 = \"6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\"\r\n strings:\r\n $x1 = \"reg add \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Command Processor\\\" /v AutoRun /t REG_SZ /d \\\"%s\\\" /f\" fullword ascii\r\n $x2 = /mshta\\.exe http:\\/\\/[a-z0-9\\.\\/]{5,30}\\.hta/\r\n\r\n $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32\r\n 2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */\r\n condition:\r\n uint16(0) == 0x5a4d and (\r\n pe.imphash() == \"57b6d88707d9cd1c87169076c24f962e\" or\r\n 1 of them or\r\n for any i in (0 .. pe.number_of_signatures) : (\r\n pe.signatures[i].issuer contains \"thawte SHA256 Code Signing CA\" and\r\n pe.signatures[i].serial == \"0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d\"\r\n )\r\n )\r\n}]",
"pattern_type": "yara",
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
2023-04-21 14:44:17 +00:00
"valid_from": "2019-02-24T14:45:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1db36cab-7b13-4758-b16a-9e9862d0973e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"pattern": "[file:hashes.MD5 = '404ab5a93767a986b47c9fec33eb8be9' AND file:hashes.SHA1 = '0a631b0072cee1e20854b187276a0ba560d6d4f8' AND file:hashes.SHA256 = '94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:12:18",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "4eb49e21-42c9-4653-93da-600ca773ffa9"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0/analysis/1550866338/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "0a0bda5b-9761-44e3-a0da-c365c6fbab76"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "25/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "6fa3c325-b92c-41bd-8ab3-283272c6b440"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"pattern": "[file:hashes.MD5 = 'd40c20a77371309045f5123af76637b2' AND file:hashes.SHA1 = 'd1207b7b846b80418b459e9d03e1b5afbd3e97a7' AND file:hashes.SHA256 = '66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:07:15",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "6e483df8-fa53-4b98-b6da-100b79de2663"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2/analysis/1550866035/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "ce797b8c-fa71-4267-a4ee-94eb6e873e88"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "20/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "86a138ea-5eba-4594-a3fb-e8af55be9dbe"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"pattern": "[file:hashes.MD5 = '093ecb712d438ab01b3f07718428dcc7' AND file:hashes.SHA1 = '89b9b7f2c3eb275eabe78c04a30dc09281a201e6' AND file:hashes.SHA256 = '7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:48.000Z",
"modified": "2019-02-22T21:33:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:03:13",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "0bd77c93-27ad-47e8-bd9d-c38732323fd5"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa/analysis/1550865793/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "155a8b3c-e603-4283-91b2-1a6258b93bf8"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "22/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "162fe627-abe9-4abb-8095-c39dee340f84"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--89e0ad73-a186-4959-b978-2311ee49e4af",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"pattern": "[file:hashes.MD5 = '711eb1d89764d45f4ff2622143f744c2' AND file:hashes.SHA1 = '548b64c0f904733dd5433f6f3878487eeda54fa1' AND file:hashes.SHA256 = '1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-27T12:07:50",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "f2a9431e-464e-4ae7-a53f-e24685f03b82"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0/analysis/1543320470/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "2ce90e53-a834-4ac6-9db6-6213d7629ccc"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "22/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "99bd1115-adc9-42b0-9500-878f593f001c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"pattern": "[file:hashes.MD5 = '6b116d471a787eb520869ed5c6965fa8' AND file:hashes.SHA1 = 'ec4bd72fcb440f47912d06c75a9d56ad86953f70' AND file:hashes.SHA256 = 'dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:11:49",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "2ca3b301-e08c-4cfa-b005-90ff52d13af0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a/analysis/1550866309/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "1082dea9-353d-4932-a02c-3f87fe6c059a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "22/58",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "9675abe7-0743-435a-881d-bfd772c55225"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6860e975-938c-413d-b144-74cde72c25dc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"pattern": "[file:hashes.MD5 = '1f1f44a01d5784028302d6ad5e7133aa' AND file:hashes.SHA1 = 'cb1125d5a57a529bf88bf590c0cb675f37261839' AND file:hashes.SHA256 = '2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:04:58",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "03562590-3096-4587-b05d-11a6e257b5d9"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e/analysis/1550865898/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "bf0ca902-1a55-4640-a8d9-41f0e0f7a29d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "21/55",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "68ed8acc-bb3c-4654-b65b-c25b8a3c37cd"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--df5dd372-ecd6-4595-ab34-45bff1decb63",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"pattern": "[file:hashes.MD5 = '76e71cf45e99d03a92c8271998a1caee' AND file:hashes.SHA1 = '818bfc1fdb8126b58835e77f13afa9435e883919' AND file:hashes.SHA256 = '331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:10:06",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "b1e2fbea-a39d-41ce-a748-bc257b01aa2b"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7/analysis/1550866206/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "9c2da65e-0e42-454e-9b9f-0daafbb29344"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "9/61",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "3e79140e-f74f-4b0b-8e17-496f1058e477"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"pattern": "[file:hashes.MD5 = '1a6f9190e7c53cd4e9ca4532547131af' AND file:hashes.SHA1 = '88708e9562a8c4ee4601b3990a664bc63b378753' AND file:hashes.SHA256 = '9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:49.000Z",
"modified": "2019-02-22T21:33:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:03:34",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "741b8b1f-d387-4dff-9809-a2a5cc0e76f8"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8/analysis/1550865814/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "b55b0030-557e-4368-9429-5e431a631b7e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "22/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "0f619020-6f30-4b40-a3c0-9f13b13fc9b3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fd57be37-61cc-4452-85b5-518d55586335",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"pattern": "[file:hashes.MD5 = '056b178bbeea109d705439aa4e203d09' AND file:hashes.SHA1 = '5ae5ca0daccfa21706e157a19bdb67e48cbfe137' AND file:hashes.SHA256 = '8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:33:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:08:55",
"category": "Other",
"comment": "Malicious Documents",
"uuid": "d2f63c18-56a3-44a8-83b8-bf9bbfe22b05"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6/analysis/1550866135/",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "c077dd9c-a1a5-4941-94a7-b69610709486"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "23/60",
"category": "Payload delivery",
"comment": "Malicious Documents",
"uuid": "c248a416-67d8-4f60-ab77-8d537265a29a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56b391e4-f005-4caa-ae12-a90db6664ebd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:34:30.000Z",
"modified": "2019-02-22T21:34:30.000Z",
"pattern": "[file:hashes.MD5 = '9f76d2f73020064374efe67dc28fa006' AND file:hashes.SHA1 = 'd96c04952ba0cb61b64bc7f08d7257913d8b7968' AND file:hashes.SHA256 = '6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-02-22T21:34:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-02-22T21:34:30.000Z",
"modified": "2019-02-22T21:34:30.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-02-22T20:15:46",
"category": "Other",
"comment": "PE version loader, signed with stolen certificate:",
"uuid": "17038529-b686-4618-946f-6ac94dddf423"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c/analysis/1550866546/",
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"uuid": "45431bd9-aea9-46b1-a9e3-ed17d1fcf05f"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "15/68",
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"uuid": "f4343cea-ba6d-4c9b-99e8-d7a157be74f3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--2c833c47-a267-409d-b1c5-b21c4e44d7dd",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--1db36cab-7b13-4758-b16a-9e9862d0973e",
"target_ref": "x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--3273f225-5101-4410-80b6-10ce5abb21b1",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
"target_ref": "x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--914661d2-eeb6-4199-bea9-1fb0979d9f3e",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
"target_ref": "x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--82ec8fa7-eb9f-48cb-9a1c-b5aa40ff89f5",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--89e0ad73-a186-4959-b978-2311ee49e4af",
"target_ref": "x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--62d81f51-b02f-46e0-a9f5-af1b7175cfc5",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f",
"target_ref": "x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--812751cd-9da1-4acc-8d0d-dd207d3514b5",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6860e975-938c-413d-b144-74cde72c25dc",
"target_ref": "x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--b6fc61ad-e466-4f61-9729-15d9a76e4c30",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--df5dd372-ecd6-4595-ab34-45bff1decb63",
"target_ref": "x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--5e844f03-bdf4-4f7d-8d26-75e142ae1fcf",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
"target_ref": "x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--3aa3cfdb-45d5-4308-be70-9458fdafaf18",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:33:50.000Z",
"modified": "2019-02-22T21:33:50.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--fd57be37-61cc-4452-85b5-518d55586335",
"target_ref": "x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-08-07 08:13:15 +00:00
"id": "relationship--3c1357c1-28cb-4213-899e-826fdae02df5",
2023-04-21 14:44:17 +00:00
"created": "2019-02-22T21:34:31.000Z",
"modified": "2019-02-22T21:34:31.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--56b391e4-f005-4caa-ae12-a90db6664ebd",
"target_ref": "x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}