{
"type" : "bundle" ,
"id" : "bundle--5cc209b3-82e0-4d0e-980d-4a6002de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:32:04.000Z" ,
"modified" : "2019-04-25T19:32:04.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5cc209b3-82e0-4d0e-980d-4a6002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:32:04.000Z" ,
"modified" : "2019-04-25T19:32:04.000Z" ,
"name" : "OSINT - Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware" ,
"published" : "2019-04-25T19:34:52Z" ,
"object_refs" : [
"indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81" ,
"indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81" ,
"indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81" ,
"indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81" ,
"indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81" ,
"indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81" ,
"indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81" ,
"indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81" ,
"observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81" ,
"url--5cc20a2e-6408-4271-a41f-41da02de0b81" ,
"x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81" ,
"observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"indicator--2f52d11d-5df6-44ca-8934-12cce8d33395" ,
"x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a" ,
"indicator--60c23628-c767-4b08-9cb4-0d55c6432479" ,
"x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072" ,
"indicator--b278e19f-e981-47bc-be90-072138554a61" ,
"x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c" ,
"indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87" ,
"x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd" ,
"relationship--8a6d3f36-6ce4-4611-8bf7-aae01d18fd00" ,
"relationship--3598d32e-a267-4927-924e-82b9928df600" ,
"relationship--329b977e-fa83-4cdb-9991-692d1d388743" ,
"relationship--3c7cdbd9-caac-4a0b-98f0-41fc37c032e4"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:threat-actor=\"TA505\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "011042019.xls" ,
"pattern" : "[file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"pattern" : "[file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "msie988.tmp" ,
"pattern" : "[file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "pegas.dll" ,
"pattern" : "[file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "First C2" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '79.141.171.160']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "Second C2" ,
"pattern" : "[domain-name:value = 'aasdkkkdsa3442.icu']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "Second C2" ,
"pattern" : "[domain-name:value = 'joisf333.icu']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:26.000Z" ,
"modified" : "2019-04-25T19:27:26.000Z" ,
"description" : "Second C2" ,
"pattern" : "[domain-name:value = 'zxskjkkjsk3232.pw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:42.000Z" ,
"modified" : "2019-04-25T19:27:42.000Z" ,
"first_observed" : "2019-04-25T19:27:42Z" ,
"last_observed" : "2019-04-25T19:27:42Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5cc20a2e-6408-4271-a41f-41da02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5cc20a2e-6408-4271-a41f-41da02de0b81" ,
"value" : "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:27:59.000Z" ,
"modified" : "2019-04-25T19:27:59.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "The cybersecurity community has long known that any information technology tool that is used for legitimate purposes can also be manipulated by attackers to enhance their malware. Recently, however, many native Windows OS processes are being used for malicious purposes as well. \r\n\r\nIn this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019. This advanced operation combines a targeted phishing attack with advanced tools that gather intel on the environment. The operation chooses whether or not to create persistence and installs a sophisticated backdoor called ServHelper used to take over the network.\r\nKey Aspects of TA505\u2019s Operation\r\n\r\n Highly targeted phishing campaign to a small number of specific accounts within the company.\r\n Signed and verified malicious code. This is an extra precaution taken to avoid detection.\r\n A deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code.\r\n A selective persistence mechanism and self destruct commands based on autonomous reconnaissance.\r\n Large emphasis on removal of evidence using self destruct commands and deleting scripts.\r\n Multiple C2 domains, in the event of blacklisting or inability to connect for another reason.\r\n The operation integrates four different LOLBins, which indicates the attackers' continued, advanced attempts to avoid detection."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:34:31.000Z" ,
"modified" : "2019-04-25T19:34:31.000Z" ,
"first_observed" : "2019-04-25T19:34:31Z" ,
"last_observed" : "2019-04-25T19:34:31Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"src_ref" : "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ,
"value" : "195.123.227.79"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '4ca90e372982c864b8eae6d95161a213' AND file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff' AND file:hashes.SHA256 = '843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:28:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-22T09:26:21" ,
"category" : "Other" ,
"comment" : "msie988.tmp" ,
"uuid" : "39e083d0-2e54-439d-92e0-bd5ceb8a6603"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c/analysis/1555925181/" ,
"category" : "Payload delivery" ,
"comment" : "msie988.tmp" ,
"uuid" : "a83aa4df-1f72-4b3a-bdb2-cef656e4a0dc"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/70" ,
"category" : "Payload delivery" ,
"comment" : "msie988.tmp" ,
"uuid" : "cebb4a53-f987-4755-b609-f65fc6721b4f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--60c23628-c767-4b08-9cb4-0d55c6432479" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '4acd155b901884134f01b383eb035c23' AND file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d' AND file:hashes.SHA256 = 'cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:28:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-25T13:10:17" ,
"category" : "Other" ,
"uuid" : "e018eb15-af9b-422d-8d19-cfb07e16b0c6"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40/analysis/1556197817/" ,
"category" : "Payload delivery" ,
"uuid" : "0097e14c-21ec-49da-b18d-d24ad3cb346c"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "37/60" ,
"category" : "Payload delivery" ,
"uuid" : "3087c659-8379-415a-9da4-23b7eb460be2"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b278e19f-e981-47bc-be90-072138554a61" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '2d3238185537429ea693a81a1c6ca4c0' AND file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1' AND file:hashes.SHA256 = 'c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:28:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-25T16:23:40" ,
"category" : "Other" ,
"comment" : "011042019.xls" ,
"uuid" : "6cdfbbe1-b251-4207-84c5-870c9d1369ca"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169/analysis/1556209420/" ,
"category" : "Payload delivery" ,
"comment" : "011042019.xls" ,
"uuid" : "202d31f1-719e-4245-a692-bdab4419e08e"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "28/59" ,
"category" : "Payload delivery" ,
"comment" : "011042019.xls" ,
"uuid" : "4c3e9b5e-41d5-4fa6-8ed3-38a17934b789"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '4a8198fca604a78dd210803aebd5cbba' AND file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042' AND file:hashes.SHA256 = '9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-25T19:28:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-25T19:28:25.000Z" ,
"modified" : "2019-04-25T19:28:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-22T13:10:47" ,
"category" : "Other" ,
"comment" : "pegas.dll" ,
"uuid" : "f0b9cbb0-ecd0-4c07-8d12-8d57a3086e89"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e/analysis/1555938647/" ,
"category" : "Payload delivery" ,
"comment" : "pegas.dll" ,
"uuid" : "ebbf25ae-2093-4f10-a4fe-742ed2f9c82f"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "39/66" ,
"category" : "Payload delivery" ,
"comment" : "pegas.dll" ,
"uuid" : "30c4a904-f9c8-489f-ac44-b89617fd734b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--8a6d3f36-6ce4-4611-8bf7-aae01d18fd00" ,
"created" : "2019-04-25T19:28:26.000Z" ,
"modified" : "2019-04-25T19:28:26.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395" ,
"target_ref" : "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--3598d32e-a267-4927-924e-82b9928df600" ,
"created" : "2019-04-25T19:28:26.000Z" ,
"modified" : "2019-04-25T19:28:26.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--60c23628-c767-4b08-9cb4-0d55c6432479" ,
"target_ref" : "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--329b977e-fa83-4cdb-9991-692d1d388743" ,
"created" : "2019-04-25T19:28:26.000Z" ,
"modified" : "2019-04-25T19:28:26.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b278e19f-e981-47bc-be90-072138554a61" ,
"target_ref" : "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--3c7cdbd9-caac-4a0b-98f0-41fc37c032e4" ,
"created" : "2019-04-25T19:28:26.000Z" ,
"modified" : "2019-04-25T19:28:26.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87" ,
"target_ref" : "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}