{
"type" : "bundle" ,
"id" : "bundle--5c4458f2-6270-4c17-8fe2-992402de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-28T09:18:28.000Z" ,
"modified" : "2019-02-28T09:18:28.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5c4458f2-6270-4c17-8fe2-992402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-28T09:18:28.000Z" ,
"modified" : "2019-02-28T09:18:28.000Z" ,
"name" : "OSINT - BitterRAT PATCHWORK" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"indicator--5c4459da-6374-4f25-9bb6-a83202de0b81" ,
"indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81" ,
"indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81" ,
"observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81" ,
"url--5c445ae0-8b4c-44cf-973f-98d302de0b81" ,
"observed-data--5c445ae0-af98-460b-b37c-98d302de0b81" ,
"url--5c445ae0-af98-460b-b37c-98d302de0b81" ,
"observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81" ,
"url--5c445ae0-86f0-40ca-a041-98d302de0b81" ,
"indicator--5c445b0a-f430-49fb-9097-468002de0b81" ,
"indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81" ,
"indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81" ,
"indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81" ,
"indicator--5c445b2d-b2ec-4067-8891-98d302de0b81" ,
"indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81" ,
"indicator--5c445b54-b390-4847-8585-4c9802de0b81" ,
"indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81" ,
"observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"indicator--5c76b08c-f724-4322-a531-418e02de0b81" ,
"indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81" ,
"indicator--5c77a724-a98c-43d6-9335-452402de0b81" ,
"x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81" ,
"indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e" ,
"x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c" ,
"indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa" ,
"x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f" ,
"indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87" ,
"x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676" ,
"indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81" ,
"indicator--db8c563d-74f7-492a-ab64-12d646b305ef" ,
"x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a" ,
"indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c" ,
"x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b" ,
"indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70" ,
"x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d" ,
"indicator--e1137dbb-bedf-4093-8391-b598b22d0a87" ,
"x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af" ,
"indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902" ,
"x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2" ,
"indicator--5a403b39-3b33-41e6-852f-277fe242197e" ,
"x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536" ,
"relationship--5d85dfec-62b8-4ad8-a4c6-b1786a266b0d" ,
"relationship--ac13cc58-3ec1-42e9-a1a6-b484b6c71451" ,
"relationship--9205e761-bd3f-487a-abe4-65c622a9df08" ,
"relationship--e190bef9-59ea-4c5b-951e-5841dc87f599" ,
"relationship--cfe670c4-6074-4c8b-8823-6fac0d22e684" ,
"relationship--9323d648-59e5-4bae-b1f1-9ab5c8a3d72c" ,
"relationship--f5030abd-867c-4aa9-8acd-92339b883b00" ,
"relationship--9bafa589-ebed-4a43-bd1e-961ad1ec7304" ,
"relationship--f0cf22a3-eb6a-411c-a8f9-d2413e0f6a95"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:threat-actor=\"Dropping Elephant\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c4459da-6374-4f25-9bb6-a83202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:02.000Z" ,
"modified" : "2019-01-20T11:22:02.000Z" ,
"description" : "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group." ,
"pattern" : "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:03.000Z" ,
"modified" : "2019-01-20T11:22:03.000Z" ,
"description" : "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group." ,
"pattern" : "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:03.000Z" ,
"modified" : "2019-01-20T11:22:03.000Z" ,
"description" : "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group." ,
"pattern" : "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:26:24.000Z" ,
"modified" : "2019-01-20T11:26:24.000Z" ,
"first_observed" : "2019-01-20T11:26:24Z" ,
"last_observed" : "2019-01-20T11:26:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c445ae0-8b4c-44cf-973f-98d302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c445ae0-8b4c-44cf-973f-98d302de0b81" ,
"value" : "https://analyze.intezer.com/#/analyses/314c7fb5-7d2e-4e3c-93d8-84c2064672d3"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c445ae0-af98-460b-b37c-98d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:26:24.000Z" ,
"modified" : "2019-01-20T11:26:24.000Z" ,
"first_observed" : "2019-01-20T11:26:24Z" ,
"last_observed" : "2019-01-20T11:26:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c445ae0-af98-460b-b37c-98d302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c445ae0-af98-460b-b37c-98d302de0b81" ,
"value" : "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:26:24.000Z" ,
"modified" : "2019-01-20T11:26:24.000Z" ,
"first_observed" : "2019-01-20T11:26:24Z" ,
"last_observed" : "2019-01-20T11:26:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c445ae0-86f0-40ca-a041-98d302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c445ae0-86f0-40ca-a041-98d302de0b81" ,
"value" : "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b0a-f430-49fb-9097-468002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:06.000Z" ,
"modified" : "2019-01-20T11:27:06.000Z" ,
"description" : "RTF file" ,
"pattern" : "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:06.000Z" ,
"modified" : "2019-01-20T11:27:06.000Z" ,
"description" : "Payload" ,
"pattern" : "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:07.000Z" ,
"modified" : "2019-01-20T11:27:07.000Z" ,
"description" : "Payload" ,
"pattern" : "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:07.000Z" ,
"modified" : "2019-01-20T11:27:07.000Z" ,
"description" : "Payload" ,
"pattern" : "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b2d-b2ec-4067-8891-98d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:41.000Z" ,
"modified" : "2019-01-20T11:27:41.000Z" ,
"description" : "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders." ,
"pattern" : "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:27:42.000Z" ,
"modified" : "2019-01-20T11:27:42.000Z" ,
"description" : "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders." ,
"pattern" : "[domain-name:value = 'wcnsservice.ddns.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:27:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b54-b390-4847-8585-4c9802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:20.000Z" ,
"modified" : "2019-01-20T11:28:20.000Z" ,
"description" : "Additional URL - Couldn't find it in any writeups:" ,
"pattern" : "[url:value = 'rmmun.org.pk/svch']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:21.000Z" ,
"modified" : "2019-01-20T11:28:21.000Z" ,
"description" : "Additional URL - Couldn't find it in any writeups:" ,
"pattern" : "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:29:07.000Z" ,
"modified" : "2019-01-20T11:29:07.000Z" ,
"first_observed" : "2019-01-20T11:29:07Z" ,
"last_observed" : "2019-01-20T11:29:07Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"src_ref" : "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9" ,
"value" : "185.45.193.10"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:29:08.000Z" ,
"modified" : "2019-01-20T11:29:08.000Z" ,
"first_observed" : "2019-01-20T11:29:08Z" ,
"last_observed" : "2019-01-20T11:29:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"src_ref" : "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ,
"value" : "185.121.139.53"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c76b08c-f724-4322-a531-418e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-27T15:45:16.000Z" ,
"modified" : "2019-02-27T15:45:16.000Z" ,
"description" : "rtf exploit" ,
"pattern" : "[rule dropper_elephant {\r\n\tstrings:\r\n\t\t$head = \"{\\\\rt\"\r\n\t\t$water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30}\r\n\tcondition:\r\n\t\t$head at 0 and $water \r\n\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-27T15:45:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-28T09:16:49.000Z" ,
"modified" : "2019-02-28T09:16:49.000Z" ,
"description" : "rtf file" ,
"pattern" : "[file:hashes.SHA256 = 'd3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-28T09:16:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c77a724-a98c-43d6-9335-452402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-28T09:17:24.000Z" ,
"modified" : "2019-02-28T09:17:24.000Z" ,
"description" : "rtf file" ,
"pattern" : "[file:hashes.SHA256 = '52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-28T09:17:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:20:56.000Z" ,
"modified" : "2019-01-20T11:20:56.000Z" ,
"labels" : [
"misp:name=\"microblog\"" ,
"misp:meta-category=\"misc\"" ,
"osint:certainty=\"93\"" ,
"osint:source-type=\"microblog-post\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "post" ,
"value" : "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group. Hashes: 7845d817e021db8cde06a8437693b3b2 d34fc3a5df544d90ed1933b79deb1868 59ca69647eeceab0193d88b8b72e3d60" ,
"category" : "Other" ,
"uuid" : "5c445998-bcb8-4f80-8d60-437002de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Twitter" ,
"category" : "Other" ,
"uuid" : "5c445998-e110-4f97-917a-4f0802de0b81"
} ,
{
"type" : "url" ,
"object_relation" : "url" ,
"value" : "https://twitter.com/shotgunner101/status/1086792700114948096" ,
"category" : "Network activity" ,
"to_ids" : true ,
"uuid" : "5c445998-ea68-4dae-a03e-492f02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "username" ,
"value" : "shotgunner101" ,
"category" : "Other" ,
"uuid" : "5c445999-3450-4150-8196-459102de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "microblog"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:32.000Z" ,
"modified" : "2019-01-20T11:22:32.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868' AND file:hashes.SHA1 = '6c5d2012f58ee390500c515506f67e43e491818f' AND file:hashes.SHA256 = '386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:34.000Z" ,
"modified" : "2019-01-20T11:22:34.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-12-17 11:42:39" ,
"category" : "Other" ,
"uuid" : "cd5abe05-07bc-49f1-834b-984f412fd69b"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55/analysis/1545046959/" ,
"category" : "External analysis" ,
"uuid" : "b46db101-5b99-4641-bacc-c1488b6b1c13"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "40/70" ,
"category" : "Other" ,
"uuid" : "7e191cc5-c4b9-41b7-9370-30af876f9087"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:35.000Z" ,
"modified" : "2019-01-20T11:22:35.000Z" ,
"pattern" : "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60' AND file:hashes.SHA1 = '4d441ba024b5fba0c2d02a30c00cd1ba63aaa1f0' AND file:hashes.SHA256 = '80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:37.000Z" ,
"modified" : "2019-01-20T11:22:37.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-20 05:28:41" ,
"category" : "Other" ,
"uuid" : "b6767065-40ce-4769-b41d-d80c76e36f6b"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377/analysis/1547962121/" ,
"category" : "External analysis" ,
"uuid" : "dd19c19d-8f28-4860-9592-8899a91a9f44"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "42/67" ,
"category" : "Other" ,
"uuid" : "a5e53653-a585-48dc-a595-12b67dae1846"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:38.000Z" ,
"modified" : "2019-01-20T11:22:38.000Z" ,
"pattern" : "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2' AND file:hashes.SHA1 = 'bdb21b57c572744b58f8dc4f4020e32e1787f46d' AND file:hashes.SHA256 = '57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:22:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:22:40.000Z" ,
"modified" : "2019-01-20T11:22:40.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-20 05:31:17" ,
"category" : "Other" ,
"uuid" : "263b4bfc-fee6-4604-8ad6-3e718c0bbd60"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e/analysis/1547962277/" ,
"category" : "External analysis" ,
"uuid" : "2a347a59-cf7a-4973-bd1c-5fb4c1b1488d"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "32/70" ,
"category" : "Other" ,
"uuid" : "6fb014a0-3fbe-4f2a-9ab4-e54bf354e276"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:25:05.000Z" ,
"modified" : "2019-01-20T11:25:05.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.45.193.10') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'netwareservice.ddns.net') AND network-traffic:x_misp_text = 'There is also another domain and IP Address that I couldn\\'t find linked with any PATCHWORK/Bitter RAT reports.']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:25:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--db8c563d-74f7-492a-ab64-12d646b305ef" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:30.000Z" ,
"modified" : "2019-01-20T11:28:30.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b' AND file:hashes.SHA1 = 'a359d15c1055fe8574eb0a68f429c6ee4f0894ff' AND file:hashes.SHA256 = 'b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:32.000Z" ,
"modified" : "2019-01-20T11:28:32.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-10 01:04:42" ,
"category" : "Other" ,
"uuid" : "a044a306-15d0-435d-aeec-dd77d24f9e2e"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42/analysis/1547082282/" ,
"category" : "External analysis" ,
"uuid" : "50958fd2-c56f-44ea-999e-03c8428dc48b"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "43/70" ,
"category" : "Other" ,
"uuid" : "cc0dce63-893d-4ba6-ba93-d620445ebc17"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:33.000Z" ,
"modified" : "2019-01-20T11:28:33.000Z" ,
"pattern" : "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769' AND file:hashes.SHA1 = '205e77e7f708b5c2f3f6370547255ae4c6b61b5b' AND file:hashes.SHA256 = '4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:34.000Z" ,
"modified" : "2019-01-20T11:28:34.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-12-26 06:32:20" ,
"category" : "Other" ,
"uuid" : "13e649fd-ebb4-4f6e-a7e5-4cd02ab8e4df"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4/analysis/1545805940/" ,
"category" : "External analysis" ,
"uuid" : "ab8369e4-bd22-4d44-9904-59d1520d6b88"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "42/69" ,
"category" : "Other" ,
"uuid" : "4aaec601-7d0d-45f8-9c5f-6018bb4cf450"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:37.000Z" ,
"modified" : "2019-01-20T11:28:37.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3' AND file:hashes.SHA1 = '02a5aaa1956b437f1066a4793cc079201c02603b' AND file:hashes.SHA256 = '523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:38.000Z" ,
"modified" : "2019-01-20T11:28:38.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-12-20 20:38:41" ,
"category" : "Other" ,
"uuid" : "bd626c6a-66b1-41d4-9803-d7be0957d811"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4/analysis/1545338321/" ,
"category" : "External analysis" ,
"uuid" : "542b3ccc-7a07-4b00-9213-a1287036339e"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "46/70" ,
"category" : "Other" ,
"uuid" : "f69ec892-9c22-4f81-9fba-9c59c550efab"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:39.000Z" ,
"modified" : "2019-01-20T11:28:39.000Z" ,
"pattern" : "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695' AND file:hashes.SHA1 = 'fddfb467c6d04f7333206591a2105881be985d5c' AND file:hashes.SHA256 = 'e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:41.000Z" ,
"modified" : "2019-01-20T11:28:41.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-17 11:33:07" ,
"category" : "Other" ,
"uuid" : "4800929b-92d6-42d9-a7e0-a3390c4f821e"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db/analysis/1547724787/" ,
"category" : "External analysis" ,
"uuid" : "294505dc-8126-4e47-9eef-3721f0086fbf"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "25/57" ,
"category" : "Other" ,
"uuid" : "e83fe184-6c74-4558-97de-f741bc1b94ba"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:42.000Z" ,
"modified" : "2019-01-20T11:28:42.000Z" ,
"pattern" : "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c' AND file:hashes.SHA1 = '2075cddc453492a349de81e4aae309a376c1147a' AND file:hashes.SHA256 = 'aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:43.000Z" ,
"modified" : "2019-01-20T11:28:43.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-20 05:27:08" ,
"category" : "Other" ,
"uuid" : "ce177d9a-fdaf-447f-9628-969f55f142eb"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75/analysis/1547962028/" ,
"category" : "External analysis" ,
"uuid" : "41820a0e-61aa-4b65-8672-b2985cdf6a1a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "38/66" ,
"category" : "Other" ,
"uuid" : "88ad0b3d-a8ab-45f8-b782-228493b9ad39"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a403b39-3b33-41e6-852f-277fe242197e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:45.000Z" ,
"modified" : "2019-01-20T11:28:45.000Z" ,
"pattern" : "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d' AND file:hashes.SHA1 = '969fc7f9b770215ce2ad3fe38451d286fda4e7cb' AND file:hashes.SHA256 = '5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-01-20T11:28:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-01-20T11:28:47.000Z" ,
"modified" : "2019-01-20T11:28:47.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-01-18 18:25:53" ,
"category" : "Other" ,
"uuid" : "896b9522-f5fa-4ffd-8ef2-76826c41225b"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299/analysis/1547835953/" ,
"category" : "External analysis" ,
"uuid" : "cfa6606b-9b09-4da3-8675-1f1e9b067030"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "16/70" ,
"category" : "Other" ,
"uuid" : "6269f302-e585-4ca1-8cab-bed4ad17f06b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--5d85dfec-62b8-4ad8-a4c6-b1786a266b0d" ,
"created" : "2019-01-20T11:22:41.000Z" ,
"modified" : "2019-01-20T11:22:41.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e" ,
"target_ref" : "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--ac13cc58-3ec1-42e9-a1a6-b484b6c71451" ,
"created" : "2019-01-20T11:22:41.000Z" ,
"modified" : "2019-01-20T11:22:41.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa" ,
"target_ref" : "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9205e761-bd3f-487a-abe4-65c622a9df08" ,
"created" : "2019-01-20T11:22:41.000Z" ,
"modified" : "2019-01-20T11:22:41.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87" ,
"target_ref" : "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--e190bef9-59ea-4c5b-951e-5841dc87f599" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--db8c563d-74f7-492a-ab64-12d646b305ef" ,
"target_ref" : "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--cfe670c4-6074-4c8b-8823-6fac0d22e684" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c" ,
"target_ref" : "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9323d648-59e5-4bae-b1f1-9ab5c8a3d72c" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70" ,
"target_ref" : "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--f5030abd-867c-4aa9-8acd-92339b883b00" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87" ,
"target_ref" : "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9bafa589-ebed-4a43-bd1e-961ad1ec7304" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902" ,
"target_ref" : "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--f0cf22a3-eb6a-411c-a8f9-d2413e0f6a95" ,
"created" : "2019-01-20T11:28:48.000Z" ,
"modified" : "2019-01-20T11:28:48.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--5a403b39-3b33-41e6-852f-277fe242197e" ,
"target_ref" : "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}