misp-circl-feed/feeds/circl/misp/5720bf21-9d4c-40b2-9088-45e6950d210f.json

{
    "type": "bundle",
    "id": "bundle--5720bf21-9d4c-40b2-9088-45e6950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:12.000Z",
            "modified": "2016-04-28T07:37:12.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5720bf21-9d4c-40b2-9088-45e6950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:12.000Z",
            "modified": "2016-04-28T07:37:12.000Z",
            "name": "OSINT - New Downloader for Locky",
            "published": "2016-05-07T05:15:16Z",
            "object_refs": [
                "observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f",
                "url--5720bf30-342c-46e3-bbdd-49d2950d210f",
                "x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f",
                "observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
                "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
                "observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f",
                "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
                "file--5720bfb2-7df0-4ffe-af65-472b950d210f",
                "indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f",
                "indicator--5720c036-f4b8-497c-ad91-45dc950d210f",
                "indicator--5720c036-f710-4da1-8d4c-4a7c950d210f",
                "indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f",
                "indicator--5720c04c-3a88-4a9e-b201-4d39950d210f",
                "indicator--5720c04d-1d90-42ff-a0ef-4908950d210f",
                "indicator--5720c04d-54fc-4671-9e61-4f48950d210f",
                "indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f",
                "indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f",
                "indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f",
                "indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f",
                "indicator--5720c0fd-4d60-4474-b651-40ce950d210f",
                "indicator--5720c0fe-dd94-46d5-a54a-4777950d210f",
                "indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f",
                "indicator--5720d993-f430-46d3-8fa5-0fab02de0b81",
                "indicator--5720d994-4600-4933-8dd4-0fab02de0b81",
                "observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81",
                "url--5720d994-7ca4-455e-9f2e-0fab02de0b81",
                "indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81",
                "indicator--5720d995-8004-4dda-a959-0fab02de0b81",
                "observed-data--5720d995-3140-46e7-b65a-0fab02de0b81",
                "url--5720d995-3140-46e7-b65a-0fab02de0b81",
                "indicator--5720d996-dce4-4184-ad02-0fab02de0b81",
                "indicator--5720d996-99a0-4376-a595-0fab02de0b81",
                "observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81",
                "url--5720d997-a6e8-44a7-b706-0fab02de0b81",
                "indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81",
                "indicator--5720d998-7e78-4485-91c8-0fab02de0b81",
                "observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81",
                "url--5720d998-f688-4bcc-88e6-0fab02de0b81",
                "indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81",
                "indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81",
                "observed-data--5720d999-1650-4442-aca5-0fab02de0b81",
                "url--5720d999-1650-4442-aca5-0fab02de0b81",
                "indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81",
                "indicator--5720d99b-5644-4574-9a56-0fab02de0b81",
                "observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81",
                "url--5720d99b-82fc-49a4-9701-0fab02de0b81",
                "indicator--5721bda7-9dfc-4984-b012-4e32950d210f",
                "indicator--5721bda6-8408-401a-96fe-40f3950d210f",
                "indicator--5721bda5-90e4-460c-b362-4667950d210f",
                "indicator--5721bda6-4520-4e2d-9136-4bd3950d210f",
                "indicator--5721bda7-d424-4f46-8138-4133950d210f"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "type:OSINT",
                "ecsirt:malicious-code=\"ransomware\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:31:28.000Z",
            "modified": "2016-04-27T13:31:28.000Z",
            "first_observed": "2016-04-27T13:31:28Z",
            "last_observed": "2016-04-27T13:31:28Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720bf30-342c-46e3-bbdd-49d2950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720bf30-342c-46e3-bbdd-49d2950d210f",
            "value": "https://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:31:42.000Z",
            "modified": "2016-04-27T13:31:42.000Z",
            "labels": [
                "misp:type=\"comment\"",
                "misp:category=\"External analysis\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "comment",
            "x_misp_value": "Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was downloaded by a macro-based downloader or a JavaScript downloader. However, in April 2016, FireEye Labs observed a new development in the way this ransomware is downloaded onto a compromised system."
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:33:18.000Z",
            "modified": "2016-04-27T13:33:18.000Z",
            "first_observed": "2016-04-27T13:33:18Z",
            "last_observed": "2016-04-27T13:33:18Z",
            "number_observed": 1,
            "object_refs": [
                "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f"
            ],
            "labels": [
                "misp:type=\"email-subject\"",
                "misp:category=\"Payload delivery\""
            ]
        },
        {
            "type": "email-message",
            "spec_version": "2.1",
            "id": "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f",
            "is_multipart": false,
            "subject": "Photos"
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:33:38.000Z",
            "modified": "2016-04-27T13:33:38.000Z",
            "first_observed": "2016-04-27T13:33:38Z",
            "last_observed": "2016-04-27T13:33:38Z",
            "number_observed": 1,
            "object_refs": [
                "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
                "file--5720bfb2-7df0-4ffe-af65-472b950d210f"
            ],
            "labels": [
                "misp:type=\"email-attachment\"",
                "misp:category=\"Payload delivery\""
            ]
        },
        {
            "type": "email-message",
            "spec_version": "2.1",
            "id": "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f",
            "is_multipart": true,
            "body_multipart": [
                {
                    "body_raw_ref": "file--5720bfb2-7df0-4ffe-af65-472b950d210f",
                    "content_disposition": "attachment; filename='Photos.zip'"
                }
            ]
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5720bfb2-7df0-4ffe-af65-472b950d210f",
            "name": "Photos.zip"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:33:58.000Z",
            "modified": "2016-04-27T13:33:58.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://mrsweeter.ru/87h78rf33g']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:33:58Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c036-f4b8-497c-ad91-45dc950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:35:50.000Z",
            "modified": "2016-04-27T13:35:50.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.SHA256 = '7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:35:50Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c036-f710-4da1-8d4c-4a7c950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:35:50.000Z",
            "modified": "2016-04-27T13:35:50.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.SHA256 = '9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:35:50Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:36:12.000Z",
            "modified": "2016-04-27T13:36:12.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.MD5 = 'b0ca8c5881c1d27684c23db7a88d11e1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:36:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c04c-3a88-4a9e-b201-4d39950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:36:12.000Z",
            "modified": "2016-04-27T13:36:12.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.MD5 = 'c5ad81d8d986c92f90d0462bc06ac9c6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:36:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c04d-1d90-42ff-a0ef-4908950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:36:13.000Z",
            "modified": "2016-04-27T13:36:13.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.MD5 = 'ebf1f8951ec79f2e6bf40e6981c7dbfc']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:36:13Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c04d-54fc-4671-9e61-4f48950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:36:13.000Z",
            "modified": "2016-04-27T13:36:13.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.SHA256 = '357c162a35c3623d1a1791c18e9f56e72bcd76f6ef9f4cbcf5952f62b9bc8a08']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:36:13Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:36:13.000Z",
            "modified": "2016-04-27T13:36:13.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[file:hashes.MD5 = 'c325dcf4c6c1e2b62a7c5b1245985083']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:36:13Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:08.000Z",
            "modified": "2016-04-27T13:39:08.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://185.130.7.22/files/sBpFSa.exe']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:09.000Z",
            "modified": "2016-04-27T13:39:09.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://185.130.7.22/files/WRwe3X.exe']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:09.000Z",
            "modified": "2016-04-27T13:39:09.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://slater.chat.ru/gvtg77996']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fd-4d60-4474-b651-40ce950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:09.000Z",
            "modified": "2016-04-27T13:39:09.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://hundeschulegoerg.de/gvtg77996']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fe-dd94-46d5-a54a-4777950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:10.000Z",
            "modified": "2016-04-27T13:39:10.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://buhjolk.at/files/dIseJh.exe']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T13:39:10.000Z",
            "modified": "2016-04-27T13:39:10.000Z",
            "description": "Imported via the freetext import.",
            "pattern": "[url:value = 'http://buhjolk.at/files/aY5TFn.exe']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T13:39:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d993-f430-46d3-8fa5-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:03.000Z",
            "modified": "2016-04-27T15:24:03.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10",
            "pattern": "[file:hashes.SHA1 = '39ad2102512f2d3b30e038354289b5b734d0d33f']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:03Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d994-4600-4933-8dd4-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:04.000Z",
            "modified": "2016-04-27T15:24:04.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10",
            "pattern": "[file:hashes.MD5 = '4df0079da5e37378b15bacc9e0631c33']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:04Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:04.000Z",
            "modified": "2016-04-27T15:24:04.000Z",
            "first_observed": "2016-04-27T15:24:04Z",
            "last_observed": "2016-04-27T15:24:04Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d994-7ca4-455e-9f2e-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d994-7ca4-455e-9f2e-0fab02de0b81",
            "value": "https://www.virustotal.com/file/9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10/analysis/1460046851/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:05.000Z",
            "modified": "2016-04-27T15:24:05.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660",
            "pattern": "[file:hashes.SHA1 = '626d2953e329debdd9ad3feda65341413094fed6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:05Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d995-8004-4dda-a959-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:05.000Z",
            "modified": "2016-04-27T15:24:05.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660",
            "pattern": "[file:hashes.MD5 = '829653e8f2a9453b440ca11975c9aaa0']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:05Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d995-3140-46e7-b65a-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:05.000Z",
            "modified": "2016-04-27T15:24:05.000Z",
            "first_observed": "2016-04-27T15:24:05Z",
            "last_observed": "2016-04-27T15:24:05Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d995-3140-46e7-b65a-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d995-3140-46e7-b65a-0fab02de0b81",
            "value": "https://www.virustotal.com/file/7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660/analysis/1459558891/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d996-dce4-4184-ad02-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:06.000Z",
            "modified": "2016-04-27T15:24:06.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083",
            "pattern": "[file:hashes.SHA256 = 'f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:06Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d996-99a0-4376-a595-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:06.000Z",
            "modified": "2016-04-27T15:24:06.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083",
            "pattern": "[file:hashes.SHA1 = 'e701ff37e06e63232c0c47ae5867e7b05536ee36']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:06Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:07.000Z",
            "modified": "2016-04-27T15:24:07.000Z",
            "first_observed": "2016-04-27T15:24:07Z",
            "last_observed": "2016-04-27T15:24:07Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d997-a6e8-44a7-b706-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d997-a6e8-44a7-b706-0fab02de0b81",
            "value": "https://www.virustotal.com/file/f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360/analysis/1461736669/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:07.000Z",
            "modified": "2016-04-27T15:24:07.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc",
            "pattern": "[file:hashes.SHA256 = 'a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d998-7e78-4485-91c8-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:08.000Z",
            "modified": "2016-04-27T15:24:08.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc",
            "pattern": "[file:hashes.SHA1 = 'b3a7f553c32a551786d873fa26047170f6f9c2e1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:08.000Z",
            "modified": "2016-04-27T15:24:08.000Z",
            "first_observed": "2016-04-27T15:24:08Z",
            "last_observed": "2016-04-27T15:24:08Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d998-f688-4bcc-88e6-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d998-f688-4bcc-88e6-0fab02de0b81",
            "value": "https://www.virustotal.com/file/a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae/analysis/1461571429/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:08.000Z",
            "modified": "2016-04-27T15:24:08.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6",
            "pattern": "[file:hashes.SHA256 = '5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:09.000Z",
            "modified": "2016-04-27T15:24:09.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6",
            "pattern": "[file:hashes.SHA1 = '21ac04e0d5acff88c83151a0e774001c0c06a744']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d999-1650-4442-aca5-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:09.000Z",
            "modified": "2016-04-27T15:24:09.000Z",
            "first_observed": "2016-04-27T15:24:09Z",
            "last_observed": "2016-04-27T15:24:09Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d999-1650-4442-aca5-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d999-1650-4442-aca5-0fab02de0b81",
            "value": "https://www.virustotal.com/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/analysis/1460448282/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:10.000Z",
            "modified": "2016-04-27T15:24:10.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1",
            "pattern": "[file:hashes.SHA256 = 'e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5720d99b-5644-4574-9a56-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:11.000Z",
            "modified": "2016-04-27T15:24:11.000Z",
            "description": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1",
            "pattern": "[file:hashes.SHA1 = 'b85a45350bc7c98bb9bae572cc861af51789ce69']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-27T15:24:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-27T15:24:11.000Z",
            "modified": "2016-04-27T15:24:11.000Z",
            "first_observed": "2016-04-27T15:24:11Z",
            "last_observed": "2016-04-27T15:24:11Z",
            "number_observed": 1,
            "object_refs": [
                "url--5720d99b-82fc-49a4-9701-0fab02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5720d99b-82fc-49a4-9701-0fab02de0b81",
            "value": "https://www.virustotal.com/file/e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9/analysis/1461052381/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5721bda7-9dfc-4984-b012-4e32950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:11.000Z",
            "modified": "2016-04-28T07:37:11.000Z",
            "pattern": "[domain-name:value = 'slater.chat.ru']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-28T07:37:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5721bda6-8408-401a-96fe-40f3950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:10.000Z",
            "modified": "2016-04-28T07:37:10.000Z",
            "pattern": "[domain-name:value = 'hundeschulegoerg.de']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-28T07:37:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5721bda5-90e4-460c-b362-4667950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:09.000Z",
            "modified": "2016-04-28T07:37:09.000Z",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.130.7.22']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-28T07:37:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5721bda6-4520-4e2d-9136-4bd3950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:10.000Z",
            "modified": "2016-04-28T07:37:10.000Z",
            "pattern": "[domain-name:value = 'buhjolk.at']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-28T07:37:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5721bda7-d424-4f46-8138-4133950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-04-28T07:37:11.000Z",
            "modified": "2016-04-28T07:37:11.000Z",
            "pattern": "[domain-name:value = 'mrsweeter.ru']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-04-28T07:37:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}