{
"type": "bundle",
"id": "bundle--5e4886b7-3f14-4ab0-867f-4ea30a0a020f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2021-05-24T10:04:03.000Z",
"modified": "2021-05-24T10:04:03.000Z",
"name": "laskowski-tech.com",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5e4886b7-3f14-4ab0-867f-4ea30a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2021-05-24T10:04:03.000Z",
"modified": "2021-05-24T10:04:03.000Z",
"name": "IRS Doc Malware",
"published": "2020-07-02T04:13:31Z",
"object_refs": [
"indicator--5e4886d0-aa58-46fb-9e0d-49e10a0a020f",
"observed-data--5e48871a-d484-402c-af72-4ce50a0a020f",
"network-traffic--5e48871a-d484-402c-af72-4ce50a0a020f",
"ipv4-addr--5e48871a-d484-402c-af72-4ce50a0a020f",
"indicator--5e48880c-0c00-401e-9e4b-4b3474656a8a",
"indicator--5e48882f-b1c4-4e46-a8e1-4b2074656a8a",
"indicator--5e49291d-119c-48dd-83c5-4b5374656a8a",
"indicator--5e4929ef-e944-47ed-91ea-472e74656a8a",
"indicator--5e4ae75c-ecfc-49f8-8cf5-03f60a0a020f",
"indicator--5e4ae7a3-e4f8-4bb2-859f-155674656a8a",
"indicator--5e4ae7a3-47e4-4d8c-815b-155674656a8a",
"indicator--5e4ae7a3-e910-4288-9170-155674656a8a",
"indicator--5e4ae7a3-ef8c-49f1-8f58-155674656a8a",
"observed-data--5e4ae897-bb28-47fe-811d-04470a0a020f",
"windows-registry-key--5e4ae897-bb28-47fe-811d-04470a0a020f",
"observed-data--5e4aea88-9e20-4d2d-9b04-421b0a0a020f",
"url--5e4aea88-9e20-4d2d-9b04-421b0a0a020f",
"indicator--5e4afc46-fc7c-4164-819a-44c7950d210f",
"indicator--5e488f03-b2f8-4607-93af-4e030a0a020f",
"indicator--5e488f10-027c-49ed-a39f-4f3e0a0a020f",
"indicator--5e488f1f-6f84-4eec-8d89-4b990a0a020f",
"x-misp-object--5e4aea3d-a5f8-42b5-9539-457e0a0a020f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"",
"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
"misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"",
"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"",
"maldoc"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4886d0-aa58-46fb-9e0d-49e10a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:21.000Z",
"modified": "2020-02-17T19:23:21.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.188.200.112' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-15T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Command and Control"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e48871a-d484-402c-af72-4ce50a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:22:14.000Z",
"modified": "2020-02-17T19:22:14.000Z",
"first_observed": "2020-02-15T00:00:00Z",
"last_observed": "2020-02-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5e48871a-d484-402c-af72-4ce50a0a020f",
"ipv4-addr--5e48871a-d484-402c-af72-4ce50a0a020f"
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5e48871a-d484-402c-af72-4ce50a0a020f",
"dst_ref": "ipv4-addr--5e48871a-d484-402c-af72-4ce50a0a020f",
"dst_port": 80,
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5e48871a-d484-402c-af72-4ce50a0a020f",
"value": "151.139.128.14"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e48880c-0c00-401e-9e4b-4b3474656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"pattern": "[url:value = 'http://siliconmadeinhk.com/Server2_36B4.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e48882f-b1c4-4e46-a8e1-4b2074656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"pattern": "[domain-name:value = 'siliconmadeinhk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e49291d-119c-48dd-83c5-4b5374656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:22:32.000Z",
"modified": "2020-02-17T19:22:32.000Z",
"pattern": "[domain-name:value = 'binupload.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:22:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4929ef-e944-47ed-91ea-472e74656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:22:32.000Z",
"modified": "2020-02-17T19:22:32.000Z",
"description": "tied to binupload.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.188.200.112']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:22:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4ae75c-ecfc-49f8-8cf5-03f60a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"description": "tied to siliconmadeinhk.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.222.202.237']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-16T00:00:00Z",
"valid_until": "2020-02-17T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4ae7a3-e4f8-4bb2-859f-155674656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"description": "tied to siliconmadeinhk.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.208.229.55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4ae7a3-47e4-4d8c-815b-155674656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"description": "tied to siliconmadeinhk.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.105.81.149']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4ae7a3-e910-4288-9170-155674656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"description": "tied to siliconmadeinhk.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.105.154.72']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4ae7a3-ef8c-49f1-8f58-155674656a8a",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"description": "tied to siliconmadeinhk.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.208.196.16']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e4ae897-bb28-47fe-811d-04470a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:25:56.000Z",
"modified": "2020-02-17T19:25:56.000Z",
"first_observed": "2020-02-17T19:25:56Z",
"last_observed": "2020-02-17T19:25:56Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--5e4ae897-bb28-47fe-811d-04470a0a020f"
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"kill-chain:Installation"
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--5e4ae897-bb28-47fe-811d-04470a0a020f",
"key": "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"values": [
{
"data": "%USERPROFILE%\\PROTOZOA.vbs"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e4aea88-9e20-4d2d-9b04-421b0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:33:28.000Z",
"modified": "2020-02-17T19:33:28.000Z",
"first_observed": "2020-02-17T19:33:28Z",
"last_observed": "2020-02-17T19:33:28Z",
"number_observed": 1,
"object_refs": [
"url--5e4aea88-9e20-4d2d-9b04-421b0a0a020f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5e4aea88-9e20-4d2d-9b04-421b0a0a020f",
"value": "https://laskowski-tech.com/2020/02/17/what-is-this-bad-for-sure-racoon-stealer-maybe/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e4afc46-fc7c-4164-819a-44c7950d210f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T20:49:10.000Z",
"modified": "2020-02-17T20:49:10.000Z",
"pattern": "[domain-name:value = 'server237-5.web-hosting.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-15T00:00:00Z",
"valid_until": "2020-02-17T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e488f03-b2f8-4607-93af-4e030a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:26:15.000Z",
"modified": "2020-02-17T19:26:15.000Z",
"pattern": "[file:hashes.MD5 = '9dec963dd964716405adbe9ef9006de7' AND file:hashes.SHA1 = '452d05a5ad2fdd2b8f45b878b2078900b9f072b2' AND file:hashes.SHA256 = '585f829c600736a9613d0870c6460068d9461a7be35c07149fe58143b2f24b6f' AND file:name = 'PROTOZOA.exe' AND file:size = '36864' AND (file:content_ref.payload_bin = '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
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:26:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Installation"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e488f10-027c-49ed-a39f-4f3e0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:26:15.000Z",
"modified": "2020-02-17T19:26:15.000Z",
"pattern": "[file:hashes.MD5 = '701a346228708332063529695210309a' AND file:hashes.SHA1 = '651daa1d0e25c515d8ec9e40627efa0e572de9b7' AND file:hashes.SHA256 = 'ea755fc9ed86a2a8fd8712e76e1a8ebc2d871ec143b53f4abd3ef4d9150263fa' AND file:name = 'PROTOZOA.vbs' AND file:size = '104' AND (file:content_ref.payload_bin = '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' AND file:content_ref.x_misp_filename = 'PROTOZOA.vbs' AND file:content_ref.hashes.MD5 = '701a346228708332063529695210309a' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:26:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Installation"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e488f1f-6f84-4eec-8d89-4b990a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:23:06.000Z",
"modified": "2020-02-17T19:23:06.000Z",
"pattern": "[file:hashes.MD5 = 'b102452e6d92a217995f4ca5523d0b85' AND file:hashes.SHA1 = 'ce297b51992a43698b61467beb7b1bae55605037' AND file:hashes.SHA256 = '5be14f4258ed8d96da626dff4c8980f121208c45595639ba1fbeb9f895debaa4' AND file:name = 'Irs letter with W2.doc' AND file:size = '717585' AND (file:content_ref.payload_bin = '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
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-17T19:23:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5e4aea3d-a5f8-42b5-9539-457e0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-02-17T19:32:13.000Z",
"modified": "2020-02-17T19:32:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/585f829c600736a9613d0870c6460068d9461a7be35c07149fe58143b2f24b6f/detection",
"category": "External analysis",
"uuid": "5e4aea3d-deb0-46df-9a69-41200a0a020f"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/72 initially, later 38/70",
"category": "External analysis",
"uuid": "5e4aea3d-2798-4a11-aed6-45810a0a020f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}