adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/57aaeefd-0bd4-4a41-87ad-4e17950d210f.json

252 lines
11 KiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
chg: [feed] feed updated
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "OSINT - Cracking Orcus RAT",
"published": "2016-08-10T09:50:13Z",
"object_refs": [
"observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"url--57aaef08-62dc-4948-ac44-473b950d210f",
"x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"url--57aaf05f-b420-419c-bcc6-477d950d210f",
"indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"indicator--57aaf0e7-6fec-409e-9459-46ee950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"ms-caro-malware:malware-type=\"RemoteAccess\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:08:23.000Z",
"modified": "2016-08-10T09:08:23.000Z",
"first_observed": "2016-08-10T09:08:23Z",
"last_observed": "2016-08-10T09:08:23Z",
"number_observed": 1,
"object_refs": [
"url--57aaef08-62dc-4948-ac44-473b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaef08-62dc-4948-ac44-473b950d210f",
"value": "http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:15.000Z",
"modified": "2016-08-10T09:09:15.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "At first I thought I could be dealing with someone trying to \u00e2\u20ac\u02dcphish\u00e2\u20ac\u2122 me, but the offer was legit. Challenge accepted. The zip file I got is for version 1.4.2 (which is the latest version available at the \u00e2\u20ac\u02dcOrcus RAT\u00e2\u20ac\u2122 website, at the time of this writing). The zip file is massive. Here\u00e2\u20ac\u2122s the whole contents of the zip file."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:51.000Z",
"modified": "2016-08-10T09:09:51.000Z",
"description": "Orcus.Administration.exe",
"pattern": "[file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:09:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.MD5 = 'd2140d8c9eb3889dee164f09014380d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"first_observed": "2016-08-10T09:12:54Z",
"last_observed": "2016-08-10T09:12:54Z",
"number_observed": 1,
"object_refs": [
"url--57aaf016-ade0-4582-afcc-4d4602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"value": "https://www.virustotal.com/file/4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea/analysis/1467970246/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:14:07.000Z",
"modified": "2016-08-10T09:14:07.000Z",
"first_observed": "2016-08-10T09:14:07Z",
"last_observed": "2016-08-10T09:14:07Z",
"number_observed": 1,
"object_refs": [
"url--57aaf05f-b420-419c-bcc6-477d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf05f-b420-419c-bcc6-477d950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:22.000Z",
"modified": "2016-08-10T09:16:22.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e7-6fec-409e-9459-46ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:23.000Z",
"modified": "2016-08-10T09:16:23.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
}
Reference in a new issue Copy permalink