{
"type" : "bundle" ,
"id" : "bundle--04e8bb1e-b445-40a6-a68a-1ce85e32d229" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-22T12:33:04.000Z" ,
"modified" : "2023-04-22T12:33:04.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--04e8bb1e-b445-40a6-a68a-1ce85e32d229" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-22T12:33:04.000Z" ,
"modified" : "2023-04-22T12:33:04.000Z" ,
"name" : "QUARTERRIG - Malware Analysis Report" ,
"published" : "2023-04-22T12:33:17Z" ,
"object_refs" : [
"observed-data--be23fc18-9ba2-41ba-b517-52b492232869" ,
"file--be23fc18-9ba2-41ba-b517-52b492232869" ,
"artifact--be23fc18-9ba2-41ba-b517-52b492232869" ,
"observed-data--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"file--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"observed-data--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"indicator--768398f7-2ecd-4752-b4d4-e22de7a17c9f" ,
"indicator--4f3a3552-4374-4692-be62-2dac7a60ea12" ,
"indicator--1980ede0-18fe-4e78-a433-d85419354fdf" ,
"indicator--37294cb6-221f-4348-a3a6-ab46ed3adc83" ,
"indicator--f99cfe00-4d03-4ed2-8112-9a89d16d9251" ,
"indicator--3084badc-4ea2-4550-a683-0c6088c4b2ba" ,
"indicator--df942350-ff5f-4008-ad1d-14cecf33fabd" ,
"x-misp-object--740c4b3b-f5d6-42dc-9264-c225348060f5" ,
"indicator--4a911505-85c5-4496-8eb6-75cea522ed00" ,
"indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e" ,
"indicator--10cee96e-441a-48ea-8585-049029d4c157" ,
"indicator--204c3d9f-6da0-426d-9609-db8c99dd8f8c" ,
"indicator--7546b1a9-3633-4f46-99e2-d27bb8db276a" ,
"indicator--20d5700b-21da-4c3e-9425-c5b87b5f83aa" ,
"indicator--f80de271-05af-4413-8087-9d553c54805e" ,
"indicator--0d5b228d-17ff-48e1-bb83-24e34292ea06" ,
"indicator--d940713b-8e68-4bbd-9164-ed43afc83c11" ,
"indicator--21b857c6-1d55-4625-9b08-56c9fdc205da" ,
"indicator--c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8" ,
"indicator--202f9cfd-1b59-4f2d-a113-27e6822b693d" ,
"indicator--553fd38b-e053-4632-867f-377e6746a81d" ,
"indicator--b0de75d1-a729-49aa-a586-1fe80813422b" ,
"indicator--e659ce38-dba5-438c-a7c7-900052726ad8" ,
"relationship--8d14dded-c265-485c-8696-06c3d235e934"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:tool=\"QUARTERRIG\"" ,
"misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"" ,
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"" ,
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"" ,
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"tlp:clear"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--be23fc18-9ba2-41ba-b517-52b492232869" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T07:13:27.000Z" ,
"modified" : "2023-04-20T07:13:27.000Z" ,
"first_observed" : "2023-04-20T07:13:27Z" ,
"last_observed" : "2023-04-20T07:13:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--be23fc18-9ba2-41ba-b517-52b492232869" ,
"artifact--be23fc18-9ba2-41ba-b517-52b492232869"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--be23fc18-9ba2-41ba-b517-52b492232869" ,
"name" : "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG.png" ,
"content_ref" : "artifact--be23fc18-9ba2-41ba-b517-52b492232869"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--be23fc18-9ba2-41ba-b517-52b492232869" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A l A A A A F Q C A Y A A A B w C k D Y A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X e c F F W + 8 P / P q e o 0 e Q Y G m C G N 5 G A g C 6 I I s k o w I w Y U B W R 5 U A E D r F 6 z u O q u 6 y K C o o I S B E y 4 i m F A C S p J E E E Q l C B 5 y J N T T + p Q d c 7 z R 0 + 3 P T C 4 c q / z / L z 7 O + 99 z f Z M V 9 U 5 p 6 p L 6 t s n C i m l 4 n e m 1 C 9 J C i E i f 5 / 6 + x + L Q i k Q I v S K E g g B n E 0 5 p Q 1 C Y G M A Y N q A B A y F M h Q I E M K o P f f w d U G F 8 g 79 B q L 653 c i V f U p K R A K F A p h / L Y M b N s m a A W p C l Q S H x u P I U x Q Y J r m 71 d A T d M 0 T f t f Q N R V A C W l D G V w S g A S D q I M o / Z A 4 v 87 C q k s l B I I J E L Y I N w I f n s 5 r e p L a U g b J R S y O l o x D S N y z r U F U O H g y b Y l p j J B K Y R T h I I b A b 9 r B G U p Q K A U K K E Q 5 t k F s 0 o p h B R I p V B C V p / T H y 0 Y 1 j R N 0 7 S 65 a i r h H N z c 1 m / f j 0 + n 4 + Y m B g A g s E g D R s 25 L L L L g s 9 i O v w w a u i / l + o U / I J V b 1 U 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
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T07:15:16.000Z" ,
"modified" : "2023-04-20T07:15:16.000Z" ,
"first_observed" : "2023-04-20T07:15:16Z" ,
"last_observed" : "2023-04-20T07:15:16Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"name" : "PDF containing a link to ENVYSCOUT.png" ,
"content_ref" : "artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 6 A A A A J J C A Y A A A C 0 + V p P A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X d 0 V N X a w O H f t P T e e w h J C B B K Q u + 9 K Y g o o G J D U B Q E Q R S x A F I E E U F Q F J D e O w r S Q X q x U E I I T W o K k E B 6 Q u q 0 8 / 0 R G A g J i l c F P n 2 f t e 66 z N n 77 L P P n p l 43 t l N p S i K g h B C C C G E E E I I 8 Q 9 T P + w K C C G E E E I I I Y T 4 b 5 A A V A g h h B B C C C H E A y E B q B B C C C G E E E K I B 0 I C U C G E E E I I I Y Q Q D 4 Q E o E I I I Y Q Q Q g g h H g g J Q I U Q Q g g h h B B C P B A S g A o h h B B C C C G E e C A k A B V C C C G E E E I I 8 U B I A C q E E E I I I Y Q Q 4 o H Q P u w K C P G w p a e n k 5 e X 97 C r I Y Q Q Q o h y O D o 64 u 7 u / r C r I Y T 4 m 6 g U R V E e d i W E e J h 69 e r F g g U L H n Y 1 h B B C C F G O v n 37 M m P G j I d d D S H E 30 R 6 Q I U A o q O j e f v t t 3 F 2 d n 7 Y V R H i g T p 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
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T07:19:46.000Z" ,
"modified" : "2023-04-20T07:19:46.000Z" ,
"first_observed" : "2023-04-20T07:19:46Z" ,
"last_observed" : "2023-04-20T07:19:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"name" : "PDF containing a link to ENVYSCOUT2.png" ,
"content_ref" : "artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 2 k A A A J Z C A Y A A A A z h X 2 / A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X t Y F O X 7 P / D 3 L i C H R U B F E A H F M C Q J 9 Z M i i K h c C q G Z J 0 Q x z T O m f U w T 7 W u Z Z Z m W d v n 9 Z H k o T 1 C S K Y S H r 4 c 8 m 1 K Z Z 9E8 K y i o H A S 1 P K C o y P 37 g 9 / O h 2 U X m J k 9 M O j 9 u i 6 v S 5595 t l 7 n r n n m X l 2 d 2 Z U R E R g j D H G G G O M M a Y I 6 p o O g D H G G G O M M c b Y f / E k j T H G G G O M M c Y U h C d p j D H G G G O M M a Y g P E l j j D H G G G O M M Q X h S R p j j D H G G G O M K Q h P 0 h h j j D H G G G N M Q X i S x h h j j D H G G G M K w p M 0 x h h j j D H G G F M Q n q Q x x h h j j D H G m I L w J I 0 x x h h j j D H G F I Q n a Y w x x h h j j D G m I D x J Y 4 w x x h h j j D E F 4 U k a Y 4 w x x h h j j C k I T 9 I Y Y 4 w x x h h j T E F 4 k s Y Y Y 4 w x x h h j C s K T N M Y Y Y 4 w x x h h T E O u a D q A q p a W l K C 0 t h V q t h l q t N v i a l Z U V V C p V j c U m 9 v 2 J C E + f P o V K p Y K V l Z X B O v f v 38 f l y 5 d x 69 Y t e H p 6 w s / P r 9 L 2 p N Q 1 l p j Y K 9 L 2 j 7 W 1 f o p J j b 2 w s B D n z p 2 D o 6 M j W r d u X W U M U t q + f f s 2 r l y 5 g j t 37 q B x 48 Z o 0 a K F S X K p p K Q E A A z m x t O n T 0 F E Q l 9 q + 7 Y q F e s a 2 h 8 q t m + o 3 x l j j D H G W C 1 B C t a n T x 8 C Q I 0 b N 6 Y n T 57 o v P b u u + 8 S A N q 2 b Z v F 4 t m x Y w e 9 / f b b 9 M o r r 5 C 1 t T U B o B 9 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--768398f7-2ecd-4752-b4d4-e22de7a17c9f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:26.000Z" ,
"modified" : "2023-04-20T13:13:26.000Z" ,
"description" : "QUARTERRIG C2 URL" ,
"pattern" : "[url:value = 'pateke.com/auth/login.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4f3a3552-4374-4692-be62-2dac7a60ea12" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:26.000Z" ,
"modified" : "2023-04-20T13:13:26.000Z" ,
"description" : "QUARTERRIG C2 URL" ,
"pattern" : "[url:value = 'pateke.com/index.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1980ede0-18fe-4e78-a433-d85419354fdf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:26.000Z" ,
"modified" : "2023-04-20T13:13:26.000Z" ,
"description" : "COBALT STRIKE Handler URL" ,
"pattern" : "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--37294cb6-221f-4348-a3a6-ab46ed3adc83" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:26.000Z" ,
"modified" : "2023-04-20T13:13:26.000Z" ,
"description" : "COBALT STRIKE Handler URL" ,
"pattern" : "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f99cfe00-4d03-4ed2-8112-9a89d16d9251" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:26.000Z" ,
"modified" : "2023-04-20T13:13:26.000Z" ,
"description" : "QUARTERRIG C2 URL" ,
"pattern" : "[url:value = 'sharpledge.com/login.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3084badc-4ea2-4550-a683-0c6088c4b2ba" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:27.000Z" ,
"modified" : "2023-04-20T13:13:27.000Z" ,
"description" : "URL to ENVYSCOUT used to deliver QUARTERRIG" ,
"pattern" : "[url:value = 'sylvio.com.br/form.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--df942350-ff5f-4008-ad1d-14cecf33fabd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:27.000Z" ,
"modified" : "2023-04-20T13:13:27.000Z" ,
"description" : "Domain used to host ENVYSCOUT" ,
"pattern" : "[domain-name:value = 'sylvio.com.br']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--740c4b3b-f5d6-42dc-9264-c225348060f5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-19T13:16:12.000Z" ,
"modified" : "2023-04-19T13:16:12.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77" ,
"category" : "External analysis" ,
"uuid" : "4d5a0f62-4b12-4a01-93c9-f7bfd2bcf2e7"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "QUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries." ,
"category" : "Other" ,
"uuid" : "09ecf644-ca85-46d2-82c8-2c8071ec53dd"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Report" ,
"category" : "Other" ,
"uuid" : "614630de-e0c1-47df-b8e3-bec6d33033f2"
} ,
{
"type" : "attachment" ,
"object_relation" : "report-file" ,
"value" : "QUARTERRIG_.pdf" ,
"category" : "External analysis" ,
"uuid" : "02357ebb-25a1-41d6-9d4d-13f9da6885e5" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E 1 O C A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E 1 N T I g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E 1 N T M g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A z N i 9 L a W R z W y A z I D A g U i A x N S A w I F I g M j Q g M C B S I D I 2 I D A g U i A y N y A w I F I g M z E g M C B S I D M z I D A g U i A 0 M C A w I F I g N D E g M C B S I D Q y I D A g U i A 0 N C A w I F I g N D Y g M C B S I D Q 3 I D A g U i A 0 O C A w I F I g N T A g M C B S I D U x I D A g U i A 1 M i A w I F I g N T M g M C B S I D U 0 I D A g U i A 1 N S A w I F I g N T c g M C B S I D U 4 I D A g U i A 1 O S A w I F I g N j A g M C B S I D Y z I D A g U i A 2 N C A w I F I g N j Y g M C B S I D Y 3 I D A g U i A 2 O S A w I F I g N z A g M C B S I D c y I D A g U i A 3 N S A w I F I g N z Y g M C B S I D c 4 I D A g U i A x N T E g M C B S I D E 1 M y A w I F J d I D 4 + D Q p l b m R v Y m o N C j M g M C B v Y m o N C j w 8 L 1 R 5 c G U v U G F n Z S 9 Q Y X J l b n Q g M i A w I F I v U m V z b 3 V y Y 2 V z P D w v R m 9 u d D w 8 L 0 Y x I D U g M C B S L 0 Y y I D k g M C B S L 0 Y z I D E x I D A g U i 9 G N C A x M y A w I F I + P i 9 F e H R H U 3 R h d G U 8 P C 9 H U z c g N y A w I F I v R 1 M 4 I D g g M C B S P j 4 v U H J v Y 1 N l d F s v U E R G L 1 R l e H Q v S W 1 h Z 2 V C L 0 l t Y W d l Q y 9 J b W F n Z U l d I D 4 + L 0 1 l Z G l h Q m 94 W y A w I D A g N T k 1 L j M y I D g 0 M S 45 M l 0 g L 0 N v b n R l b n R z I D Q g M C B S L 0 d y b 3 V w P D w v V H l w Z S 9 H c m 91 c C 9 T L 1 R y Y W 5 z c G F y Z W 5 j e S 9 D U y 9 E Z X Z p Y 2 V S R 0 I + P i 9 U Y W J z L 1 M v U 
3 R y d W N 0 U G F y Z W 50 c y A w P j 4 N C m V u Z G 9 i a g 0 K N C A w I G 9 i a g 0 K P D w v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 x l b m d 0 a C A x M D Y y P j 4 N C n N 0 c m V h b Q 0 K e J y 9 W E t v 2 z g Q v g v w f + B p I R U w z e G b R V H A d b P Z F h s g j b 3 o I e h B T R T X g N d J F T e F 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
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4a911505-85c5-4496-8eb6-75cea522ed00" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T11:49:55.000Z" ,
"modified" : "2023-04-20T11:49:55.000Z" ,
"name" : "apt29_QUARTERRIG" ,
"description" : "A rule that can be used to scan for QUARTERRIG" ,
"pattern" : "rule apt29_QUARTERRIG {\r\nstrings:\r\n$str_dll_name = \\\\\"hijacker.dll\\\\\"\r\n$str_import_name = \\\\\"VCRUNTIME140.dll\\\\\"\r\n// 48 8B 15 39 6A 00 00\r\nmov\r\nrdx, cs:api_stuff.OpenThread\r\n// 48 8D 0D FA 68 00 00\r\nlea\r\nrcx, api_stuff\r\n// 8B D8\r\nmov\r\nebx, eax\r\n// E8 3F 25 00 00\r\ncall\r\nload_api_addr\r\n// 44 8B C3\r\nmov\r\nr8d, ebx\r\n// 33 D2\r\nxor\r\nedx, edx\r\n// B9 FF FF 1F 00\r\nmov\r\necx, 1FFFFFh\r\n// FF D0\r\ncall\r\nrax\r\n$op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }\r\n// E8 A0 25 00 00\r\ncall\r\nload_api_addr\r\n// 48 8B CB\r\nmov\r\nrcx, rbx\r\n// FF D0\r\ncall\r\nrax\r\n// 83 F8 FF\r\ncmp\r\neax, 0FFFFFFFFh\r\n$op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }\r\ncondition:\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T11:49:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_reference" : "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-21T06:39:42.000Z" ,
"modified" : "2023-04-21T06:39:42.000Z" ,
"description" : "Virtual disc container\r\n" ,
"pattern" : "[file:hashes.MD5 = '22adbffd1dbf3e13d036f936049a2e98' AND file:hashes.SHA1 = '52932be0bd8e381127aab9c639e6699fd1ecf268' AND file:hashes.SHA256 = 'c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1' AND file:name = 'Note.iso' AND file:size = '2624000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-21T06:39:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--10cee96e-441a-48ea-8585-049029d4c157" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:03:41.000Z" ,
"modified" : "2023-04-20T12:03:41.000Z" ,
"description" : "Legitimate executable used to load the malicious DLL" ,
"pattern" : "[file:hashes.MD5 = 'b1820abc3a1ce2d32af04c18f9d2bfc3' AND file:hashes.SHA1 = 'b260d80fa81885d63565773480ca1e436ab657a0' AND file:hashes.SHA256 = '6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3' AND file:name = 'Note.exe' AND file:size = '1600000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:03:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--204c3d9f-6da0-426d-9609-db8c99dd8f8c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:16:48.000Z" ,
"modified" : "2023-04-20T12:16:48.000Z" ,
"description" : "QUARTERRIG - loader\r\n" ,
"pattern" : "[file:hashes.MD5 = 'db2d9d2704d320ecbd606a8720c22559' AND file:hashes.SHA1 = 'ca1ef3aeed9c0c5cfa355b6255a5ab238229a051' AND file:hashes.SHA256 = '18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '28000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:16:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7546b1a9-3633-4f46-99e2-d27bb8db276a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:39:31.000Z" ,
"modified" : "2023-04-20T12:39:31.000Z" ,
"pattern" : "[file:hashes.MD5 = '166f7269c2a69d8d1294a753f9e53214' AND file:hashes.SHA1 = '02cd4148754c9337dfa2c3b0c31d9fdd064616a0' AND file:hashes.SHA256 = '3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '456000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:39:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--20d5700b-21da-4c3e-9425-c5b87b5f83aa" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:42:19.000Z" ,
"modified" : "2023-04-20T12:42:19.000Z" ,
"description" : "Virtual disc container" ,
"pattern" : "[file:hashes.MD5 = '1609bcb75babd9a3e823811b4329b3b9' AND file:hashes.SHA1 = '86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3' AND file:hashes.SHA256 = '91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0' AND file:name = 'Invite.iso' AND file:size = '6464000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:42:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f80de271-05af-4413-8087-9d553c54805e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:46:29.000Z" ,
"modified" : "2023-04-20T12:46:29.000Z" ,
"description" : "Legitimate executable used to load the malicious DLL" ,
"pattern" : "[file:hashes.MD5 = 'd2027751280330559d1b42867e063a0f' AND file:hashes.SHA1 = '15511f1944d96b6b51291e3a68a2a1a560d95305' AND file:hashes.SHA256 = '35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0' AND file:name = 'Invite.exe' AND file:size = '5380000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:46:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0d5b228d-17ff-48e1-bb83-24e34292ea06" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:47:14.000Z" ,
"modified" : "2023-04-20T12:47:14.000Z" ,
"description" : "QUARTERRIG loader" ,
"pattern" : "[file:hashes.MD5 = 'bd4cbcd9161e365067d0279b63a784ac' AND file:hashes.SHA1 = 'b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386' AND file:hashes.SHA256 = '673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28' AND file:name = 'winhttp.dll' AND file:size = '32000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:47:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d940713b-8e68-4bbd-9164-ed43afc83c11" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:48:40.000Z" ,
"modified" : "2023-04-20T12:48:40.000Z" ,
"description" : "Encrypted resource containing the second stage" ,
"pattern" : "[file:hashes.MD5 = '8dcac7513d569ca41126987d876a9940' AND file:hashes.SHA1 = '1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5' AND file:hashes.SHA256 = '9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14' AND file:name = 'Stamp.aapp' AND file:size = '460000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:48:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--21b857c6-1d55-4625-9b08-56c9fdc205da" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:53:18.000Z" ,
"modified" : "2023-04-20T12:53:18.000Z" ,
"description" : "Virtual disc container" ,
"pattern" : "[file:hashes.MD5 = '3aca0abdd7ec958a539705d5a4244196' AND file:hashes.SHA1 = 'bacb46d2ce5dfcaf8544125903f69f01091bc3d6' AND file:hashes.SHA256 = '10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d' AND file:name = 'Note.iso' AND file:size = '2688000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:53:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T12:55:16.000Z" ,
"modified" : "2023-04-20T12:55:16.000Z" ,
"description" : "QUARTERRIG loader" ,
"pattern" : "[file:hashes.MD5 = '9159d3c58c5d970ed25c2db9c9487d7a' AND file:hashes.SHA1 = '6382ae2061c865ddcb9337f155ae2d036e232dfe' AND file:hashes.SHA256 = 'a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '26000']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T12:55:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--202f9cfd-1b59-4f2d-a113-27e6822b693d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:11:07.000Z" ,
"modified" : "2023-04-20T13:11:07.000Z" ,
"description" : "Encrypted resource containing the second stage" ,
"pattern" : "[file:hashes.MD5 = 'bc4b0bd5da76b683cc28849b1eed504d' AND file:hashes.SHA1 = 'b3ff6376baa180cff13ae76672c669cc8f45c130' AND file:hashes.SHA256 = '15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '489757']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:11:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--553fd38b-e053-4632-867f-377e6746a81d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:13:51.000Z" ,
"modified" : "2023-04-20T13:13:51.000Z" ,
"pattern" : "[domain-name:value = 'sharpledge.com' AND domain-name:resolves_to_refs[*].value = '51.75.210.218']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:13:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b0de75d1-a729-49aa-a586-1fe80813422b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:14:14.000Z" ,
"modified" : "2023-04-20T13:14:14.000Z" ,
"pattern" : "[domain-name:value = 'pateke.com' AND domain-name:resolves_to_refs[*].value = '85.195.89.91']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:14:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e659ce38-dba5-438c-a7c7-900052726ad8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-04-20T13:14:25.000Z" ,
"modified" : "2023-04-20T13:14:25.000Z" ,
"pattern" : "[domain-name:value = 'gatewan.com' AND domain-name:resolves_to_refs[*].value = '91.218.183.90']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-04-20T13:14:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--8d14dded-c265-485c-8696-06c3d235e934" ,
"created" : "2023-04-20T12:03:58.000Z" ,
"modified" : "2023-04-20T12:03:58.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "indicator--7d3d282a-c84f-48a1-9af5-8c0b43a0851e" ,
"target_ref" : "indicator--10cee96e-441a-48ea-8585-049029d4c157"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}