{
"type": "bundle",
"id": "bundle--5e5da86d-bfec-4b9a-ae77-57540a0a020f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2021-05-24T10:04:31.000Z",
"modified": "2021-05-24T10:04:31.000Z",
"name": "laskowski-tech.com",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5e5da86d-bfec-4b9a-ae77-57540a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2021-05-24T10:04:31.000Z",
"modified": "2021-05-24T10:04:31.000Z",
"name": "Remcos RAT 02-28-20",
"published": "2020-07-02T09:08:01Z",
"object_refs": [
"observed-data--5e5da928-2128-4c62-837d-11b70a0a020f",
"domain-name--5e5da928-2128-4c62-837d-11b70a0a020f",
"observed-data--5e5da929-019c-48d8-bbab-11b70a0a020f",
"domain-name--5e5da929-019c-48d8-bbab-11b70a0a020f",
"observed-data--5e5da929-6504-4fcf-87d5-11b70a0a020f",
"domain-name--5e5da929-6504-4fcf-87d5-11b70a0a020f",
"observed-data--5e5da929-86cc-4555-8657-11b70a0a020f",
"domain-name--5e5da929-86cc-4555-8657-11b70a0a020f",
"observed-data--5e5da929-5f64-427d-bf21-11b70a0a020f",
"domain-name--5e5da929-5f64-427d-bf21-11b70a0a020f",
"observed-data--5e5da929-b96c-4d0a-8e04-11b70a0a020f",
"domain-name--5e5da929-b96c-4d0a-8e04-11b70a0a020f",
"observed-data--5e5da929-1a18-425c-a0d7-11b70a0a020f",
"domain-name--5e5da929-1a18-425c-a0d7-11b70a0a020f",
"observed-data--5e5da929-2708-4ac3-a2be-11b70a0a020f",
"domain-name--5e5da929-2708-4ac3-a2be-11b70a0a020f",
"observed-data--5e5da929-eba4-4b20-8af6-11b70a0a020f",
"domain-name--5e5da929-eba4-4b20-8af6-11b70a0a020f",
"observed-data--5e5da929-027c-435c-a7ac-11b70a0a020f",
"domain-name--5e5da929-027c-435c-a7ac-11b70a0a020f",
"observed-data--5e5da929-df20-4dd3-9669-11b70a0a020f",
"domain-name--5e5da929-df20-4dd3-9669-11b70a0a020f",
"observed-data--5e5da929-460c-40a6-a502-11b70a0a020f",
"domain-name--5e5da929-460c-40a6-a502-11b70a0a020f",
"observed-data--5e5da929-e748-49af-a038-11b70a0a020f",
"domain-name--5e5da929-e748-49af-a038-11b70a0a020f",
"observed-data--5e5da929-378c-46d1-b83e-11b70a0a020f",
"domain-name--5e5da929-378c-46d1-b83e-11b70a0a020f",
"observed-data--5e5da929-7128-4032-9491-11b70a0a020f",
"domain-name--5e5da929-7128-4032-9491-11b70a0a020f",
"observed-data--5e5da929-27c4-420c-81aa-11b70a0a020f",
"domain-name--5e5da929-27c4-420c-81aa-11b70a0a020f",
"observed-data--5e5da929-af38-4573-9493-11b70a0a020f",
"domain-name--5e5da929-af38-4573-9493-11b70a0a020f",
"observed-data--5e5da929-cc2c-410b-bfe7-11b70a0a020f",
"domain-name--5e5da929-cc2c-410b-bfe7-11b70a0a020f",
"observed-data--5e5da929-b144-49c1-b510-11b70a0a020f",
"domain-name--5e5da929-b144-49c1-b510-11b70a0a020f",
"observed-data--5e5da929-f0b8-4fe3-a0f5-11b70a0a020f",
"domain-name--5e5da929-f0b8-4fe3-a0f5-11b70a0a020f",
"indicator--5e5daaf0-79a8-43aa-a307-57690a0a020f",
"indicator--5e5dab5f-6360-4a90-808f-11ba0a0a020f",
"observed-data--5e5dae8c-bbec-4add-8b3f-14820a0a020f",
"windows-registry-key--5e5dae8c-bbec-4add-8b3f-14820a0a020f",
"observed-data--5e5daf01-461c-4c13-8ed6-11ba0a0a020f",
"url--5e5daf01-461c-4c13-8ed6-11ba0a0a020f",
"indicator--5e5daa68-3b4c-4207-a7b8-11b70a0a020f",
"indicator--5e5daaa5-4044-4e77-afa6-11bb0a0a020f",
"indicator--5e5daaba-4204-45ad-9ed7-11b70a0a020f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"Remcos\"",
"MalSpam",
"Remcos RAT",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
"misp-galaxy:mitre-attack-pattern=\"Indicator Blocking - T1054\"",
"misp-galaxy:mitre-attack-pattern=\"Timestomp - T1099\"",
"misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
"misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"",
"misp-galaxy:mitre-attack-pattern=\"Uncommonly Used Port - T1065\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da928-2128-4c62-837d-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:36.000Z",
"modified": "2020-03-03T00:47:36.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da928-2128-4c62-837d-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da928-2128-4c62-837d-11b70a0a020f",
"value": "usadroptop1.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-019c-48d8-bbab-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-019c-48d8-bbab-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-019c-48d8-bbab-11b70a0a020f",
"value": "usadroptop2.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-6504-4fcf-87d5-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-6504-4fcf-87d5-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-6504-4fcf-87d5-11b70a0a020f",
"value": "usadroptop3.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-86cc-4555-8657-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-86cc-4555-8657-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-86cc-4555-8657-11b70a0a020f",
"value": "usadroptop4.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-5f64-427d-bf21-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-5f64-427d-bf21-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-5f64-427d-bf21-11b70a0a020f",
"value": "usadroptop5.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-b96c-4d0a-8e04-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-b96c-4d0a-8e04-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-b96c-4d0a-8e04-11b70a0a020f",
"value": "usadroptop6.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-1a18-425c-a0d7-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-1a18-425c-a0d7-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-1a18-425c-a0d7-11b70a0a020f",
"value": "usadroptop7.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-2708-4ac3-a2be-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-2708-4ac3-a2be-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-2708-4ac3-a2be-11b70a0a020f",
"value": "usadroptop8.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-eba4-4b20-8af6-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-eba4-4b20-8af6-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-eba4-4b20-8af6-11b70a0a020f",
"value": "usadroptop9.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-027c-435c-a7ac-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-027c-435c-a7ac-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-027c-435c-a7ac-11b70a0a020f",
"value": "usadroptop10.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-df20-4dd3-9669-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-df20-4dd3-9669-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-df20-4dd3-9669-11b70a0a020f",
"value": "droptop1.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-460c-40a6-a502-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-460c-40a6-a502-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-460c-40a6-a502-11b70a0a020f",
"value": "droptop2.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-e748-49af-a038-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-e748-49af-a038-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-e748-49af-a038-11b70a0a020f",
"value": "droptop3.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-378c-46d1-b83e-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-378c-46d1-b83e-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-378c-46d1-b83e-11b70a0a020f",
"value": "droptop4.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-7128-4032-9491-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-7128-4032-9491-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-7128-4032-9491-11b70a0a020f",
"value": "droptop5.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-27c4-420c-81aa-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-27c4-420c-81aa-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-27c4-420c-81aa-11b70a0a020f",
"value": "droptop6.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-af38-4573-9493-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-af38-4573-9493-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-af38-4573-9493-11b70a0a020f",
"value": "droptop7.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-cc2c-410b-bfe7-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-cc2c-410b-bfe7-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-cc2c-410b-bfe7-11b70a0a020f",
"value": "droptop8.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-b144-49c1-b510-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-b144-49c1-b510-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-b144-49c1-b510-11b70a0a020f",
"value": "droptop9.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5da929-f0b8-4fe3-a0f5-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T00:47:37.000Z",
"modified": "2020-03-03T00:47:37.000Z",
"first_observed": "2020-02-27T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5e5da929-f0b8-4fe3-a0f5-11b70a0a020f"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5e5da929-f0b8-4fe3-a0f5-11b70a0a020f",
"value": "droptop10.com"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e5daaf0-79a8-43aa-a307-57690a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:17.000Z",
"modified": "2020-03-03T01:11:17.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.56.113.222' AND network-traffic:dst_port = '2500']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-28T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Command and Control"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e5dab5f-6360-4a90-808f-11ba0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:17.000Z",
"modified": "2020-03-03T01:11:17.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.252.74.84' AND network-traffic:dst_port = '2501']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-02-28T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"kill-chain:Command and Control"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5dae8c-bbec-4add-8b3f-14820a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:06.000Z",
"modified": "2020-03-03T01:11:06.000Z",
"first_observed": "2020-02-28T00:00:00Z",
"last_observed": "2020-02-28T00:00:00Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--5e5dae8c-bbec-4add-8b3f-14820a0a020f"
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"kill-chain:Installation"
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--5e5dae8c-bbec-4add-8b3f-14820a0a020f",
"key": "HKU\\S-1-5-21-1640332003-3587316399-2507620052-2742\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Kronprinser",
"values": [
{
"data": "%USERPROFILE%\\Lrredsskoens4\\TERRICOLE.exe"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e5daf01-461c-4c13-8ed6-11ba0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:12:33.000Z",
"modified": "2020-03-03T01:12:33.000Z",
"first_observed": "2020-03-03T01:12:33Z",
"last_observed": "2020-03-03T01:12:33Z",
"number_observed": 1,
"object_refs": [
"url--5e5daf01-461c-4c13-8ed6-11ba0a0a020f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5e5daf01-461c-4c13-8ed6-11ba0a0a020f",
"value": "https://laskowski-tech.com/2020/03/03/remcos-rat-amsi-killing-in-the-wild-and-defender-evasion/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e5daa68-3b4c-4207-a7b8-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:54.000Z",
"modified": "2020-03-03T01:11:54.000Z",
"pattern": "[file:hashes.MD5 = 'ce2d6bef0c6cfd91ca0bd692bf070fe7' AND file:hashes.SHA1 = '71866e693115a2267657adbcc64e2680b1d3d602' AND file:hashes.SHA256 = 'ee66c92d54e26d81966c3f8a6ebacf2298fd60696f3f0f67dc675bc61d93d14e' AND file:name = 'TERRICOLE.exe' AND file:size = '61476' AND file:x_misp_fullpath = '\\\\%USERPROFILE\\\\%\\\\Lrredsskoens4\\\\TERRICOLE.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-03-03T01:11:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Installation"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e5daaa5-4044-4e77-afa6-11bb0a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:37.000Z",
"modified": "2020-03-03T01:11:37.000Z",
"pattern": "[file:hashes.MD5 = '94a6b123b494cf3990d872d047b0071d' AND file:hashes.SHA1 = '023831f60ab29aae1c0332cb6af80c890f4b9285' AND file:hashes.SHA256 = '9c5d88aa18845bd266819994a6bda3253e2df91e942b1b5428a317ab6e189155' AND file:name = '324.doc' AND file:size = '39424' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAL0GY1D/44lCa3UAAACaAAAgABwAOTRhNmIxMjNiNDk0Y2YzOTkwZDg3MmQwNDdiMDA3MWRVVAkAA6WqXV6lql1edXgLAAEEIQAAAAQhAAAAupJ7553s/zTA7KpN7U7PojxAiRfKpZ2hDG5595+Ip36dZhTAg1XTCYC72fkJ/Hd7zIasXFgosbqYpfWE/9R3n990s6y+mmmPvbO7Y/23pPUnd2W9oevFw/nijZmez9MVkOIUdMQG2I+/f3u+br+tvB9TylbywuOdVMPqDRib0JGlXkpwoHxzz96Dyr4zYqfbFvjF+x8h972M2q8WjUS5Ck5TTdqs13MZdqk6jRgiASrD/ARoAV0wsK4GFV3yTEo4iq8OGeoy8VmB5lCJNQPwC+pZIwsaB4POQBvOBEl0JE5TVpG/3NT8kMyqLN/eREljQfVGlIhZZGk6S1LN7ugovhp691Abaim0OnEeEI0NCQpqVkitjTzdKNVwwSSmfk41OoO/1ckeh5lN+VJcCvjKc4lZzQwvr9UUrnrKlu++D4GacceyWzl675cEGKTTgMxNgIXMK8jZL/jwYlU13k7V8/ubCs5yACnccHJsSauaCs0HEnWlWlbnZA4K3ETmVOYpbC607YzQVmClX8GrcU+HwyYdongr88xkObNpcBScUFCF/2rBybSJLXqNvlSmmuRoPi03SyFwNUB8Q5Nr9WI4AJVUgjOHCU/8cjxwTA6nvpx1MeIY2825MDwvg8vNgaJrKS7SX1/6pqOXciGr7uJInUztQazy0psZswlk8Ct/VIHZLNAj/CLr7YjCloogHJvDDRUUv7dl6Lgn3VCb2bDzmuOH8NJ38IpEX074YiLSzsXHmvz74IIQwlZf/OviKQgeV1+xoKJ1zTKq14O9uNCluKaiG6Rr1iJPQkphH8R2Yn86Vj5fzxzI4V67tV7J1gyC8UOXPQrlvf21b7r6Y/oTpKd6CjoaTocdAtI+QOnSMcn5q7q6Ked8ULu6pFjJz+PP+qSzNFia/FrVwdVtL5cX6+XpWKRPB/9x61W057QZEA+7sySctd27fPMvPKkTjS4ZWswtwwjt5cdZ3JQuBsUcAHjawPvVCqrztAvoZXYm//RFMoN6sLL+gcUVOp1SY8AbuIj4rWXAod4zk98u5rxIqenWe6doH75WTQkXYCPnPBfk3f/gbcnoefct5u09DFSWa/aoPWOx/s3iMBJnVGrXbzn6Qrthf++mmqCA/p9GH7dRQWaBG7oVEqXsWfmFq8JH11C14QhrY3FP+jSjTpXfS/oV6OFxVbfBkQVpiJcKImm8WbLbVkB604C0XuV++RYjwqFhveYqxozy2Mu7/TjR/8XYqQ6bh/9WGre8YrJZKN2ct11fYpGPDmP8L/rSNq9ZyTaL2zizdqfpY8kt0c24u16nubx7x+Vh0vH/pWJbdcHXabLvMfexuUAvxdZ2kJJ/WN2ZJuUH7HYe46776MM8JD08g6FZlCGl0HWykLmv0VRwbR3ZzY1xeQy85FPWm3+bcwS54ZrzcdXKGY2FF5EtSeE/9lUmvT3y1T39CaUIwhJC6zyniQHk/ycjYIVVsSvoDSqeP7xQlLz2NvA+QCWh+MCD317FDm0v2JGSXuUjfqEX9BeIgoRfMk9+yFavy1jF4adASkd3eLyDbUkOmHGQr+fLNPP/Xisio
msAxBshM/ZHQh/2iyeVjABqQDTos2CIbdqhXxkYj0OontUGJV+ePVRZGPJFuIJZB6tiNHki2/5X2g8t7jJvHZalUSDMdT8R3NEnM/Ocv++imnP1+pRh2taa9xXMAXyNKevrtlyf8xK5E+3LrBKBHWx1EuAiRHGGtPmbas3J0S9J8RfTa3ZiDGCSs7s7H1UF0vJYaPOlt6xZ7PYW37awENPYOb8zEM/GNlEVwD7Qo7XeimFvSscbN8A0cjQiGRGZjHeIzTpFKWipqznITVHnKSAPaYFNdGixqlvBEcq99dKNBz8TEcc9UrcrxBvzTTRu8hH2KNb0PTDptzIKZLGmzt9RmigT+vNpvMBFp7YyAMetZpuCMNcy6cuXMbOtSL0E0+3c9VuJ91ZLpEzkjy8xTZ0hgwGvhWU6DhGdSpVWTot7kXDRKvqgizqQaNNa/eC8AQdj16VsyvS+4AX0HmpZR4d8eNFvEr+esFKueaJWTNwXshSS12pbhQms/jQF35DTEN/fimtT6cIrCAOuNLwJwmPPB6ojLC5cRdJa3ZyyxMeJFxU1hnMO88clTVKWNAv62Z10fWFTW+P0djgyrjLbNCdEza7DouXiPGzEuc/sF5wtlHn6HOPBliwcQ2sMvNxraUL6rR7F1TOus5qK92Oe8bD9q5HjLCYl9QejbygzmrwuYYdEFGbtU/O5dF1fyezoxrSYzFHmmlEDg6uptPGBWeVwD8p67i/v+KQfpQlBku/BUKEJMTwrYz6qJm7BzgMTxTzHluTwEzHt+9OWWx7tyhMqrDZk/B5nD9gWe2ySB7pgfRbQfph0Dgur0BGwLIstlx00atQtDaIrzOKGGqv3e0NrHDdj6Y4u2jraCdAZ+yYa+994aPKXxugIq0RWfCXqG8qs2FQPyE4NmDEGNFAr619kyJssDDItDCiIUWIpMxaWwyP0GAGupOwHgORxm3D3B7DKhI8b4dvgavHLFB1y2mIbJ+U/wZGLIOY78oD3hZ1Gct+wGvktWxhkxI8c8mIzlsTqXH9rO7QFQeLgB4V3HbSpRx4hKMH5JOFmVEI7Ntx9ZQJWxJeNV88L/k1FSzHj/oY013YzSAtEz6t5sFfi0BVUdnRMp3rhGgFvMneAcy9/45qb5C7Ksp4nkUQAxmV5JCwW9X49HBKkYZRXJGJVpVkf29CK+tIXR0Rim4FYPVN2KPZbduFZhqXoFTgezcxm7JhWzRVbLl2yQmPtCsqrqp0YXTEQ7L4C+YG0RxhquvGJVDCX+7c65h/tS5lUXDXDI/KOm5yIAMjlqsYPszgg3YzPSzahB2jMWpjseuho22xTH6zGLPauUZeQ8EXIxsIVvcDxyLmw8Ykd2NapZ3WmmDqRCIIlpEYeM5rqAN8tcIxvPpkzNhGgo7Tz+m4mqnzhL2ygCJ3Lkcmddp2AunwJqkxXxSaRT6wHZ5d1hstx/4DR9RX+AbBdLkvDHEtOUnt2bxXpZfsJmMe+cbnCKfIOWtk9iwzHLaoxynMWaRrsh06TkTpUTSFuZl1EvjwswG9zC6jRT8uXeXhYhUyoZ+7xFL7ZATORuj+1r3nTtAauu7Oru35AAXUXlc7vR83c/mvxVWLo9XcRkxx7MaPHXAObM+AuXK3DFdKZgD41MqzgT6wTiOwY4CHBQ3g+GKV7OphlKecg0BnGVN977XkrixCcgfPoxlPimZGA4gfqfzTv8EdMl/rVRWk5yULtL8Tm8V5ueCWXoqQOgHHQoPooLgPGYmLmgsYMJh+v3BL4MTNDsjjznEJ5yvkLS6/YGKxCaRnEPlkLsHEFcrrxMTbXzn9pDw3sx7lorlVM9CCVgjZBt4sJqFWmn/Bo6MSqjQU85qCtv4L9bRxGWqMejGSLqWlESOqmXvHB2goKiBn3WmDm7dzwFnBTydd00BLMennnuhQ+AxkPfdanhIHeIF+n3bESqejWwLthO8lnWl83uRPxPTbfMKYEGl3ysQbV+Kv32fG5DsQDG1fT9MwmJI5Ow
TtvTBVpK4oqVIv3baL738aIlPedOneN7AL7PWWJAbJPIxdNPJMXKL4SmQ7hoVmunEvZdex9s3hNOtsC/HFf
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-03-03T01:11:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e5daaba-4204-45ad-9ed7-11b70a0a020f",
"created_by_ref": "identity--5e157d76-c92c-4acd-a54e-4a01950d210f",
"created": "2020-03-03T01:11:37.000Z",
"modified": "2020-03-03T01:11:37.000Z",
"pattern": "[file:hashes.MD5 = '2481f731acf1c77df7ac4b231821dc71' AND file:hashes.SHA1 = '545cada323b15eeca35a71726d6be830cc7f8b5d' AND file:hashes.SHA256 = '66cc741a61fe877e9698d180c19a47495fd49bd9699726d92d88d5c55fe85d17' AND file:name = '491.doc' AND file:size = '39424' AND (file:content_ref.payload_bin = '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
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-03-03T01:11:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"kill-chain:Delivery"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}