{
"type" : "bundle" ,
"id" : "bundle--57fddaac-da34-43f7-8844-4430950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T08:17:28.000Z" ,
"modified" : "2016-10-12T08:17:28.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--57fddaac-da34-43f7-8844-4430950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T08:17:28.000Z" ,
"modified" : "2016-10-12T08:17:28.000Z" ,
"name" : "OSINT - Odinaff: New Trojan used in high level financial attacks" ,
"published" : "2016-10-12T08:17:36Z" ,
"object_refs" : [
"x-misp-attribute--57fdde4c-94e0-4df7-9483-4fdd950d210f" ,
"indicator--57fddf71-e4ec-4761-8086-400b950d210f" ,
"indicator--57fddf71-2ce0-462d-852c-4e0d950d210f" ,
"indicator--57fddf72-00e8-4312-ad2c-4bfc950d210f" ,
"indicator--57fddf72-bd10-4bb0-be12-4adc950d210f" ,
"indicator--57fddf72-8ed0-4368-9e0d-4786950d210f" ,
"indicator--57fddf73-9810-4caf-bab9-46cb950d210f" ,
"indicator--57fddf73-b1e8-4def-a8d0-4c34950d210f" ,
"indicator--57fddf73-97d8-4718-8a0c-47cc950d210f" ,
"indicator--57fddf73-0274-4cf4-b03c-4d63950d210f" ,
"indicator--57fddf73-7e40-48f5-bd90-4c79950d210f" ,
"indicator--57fddf74-ee28-401a-907f-4315950d210f" ,
"indicator--57fddf74-fed0-4b1d-8c2b-4f80950d210f" ,
"indicator--57fddf74-3950-4cc8-bc10-4885950d210f" ,
"indicator--57fddf74-7e44-4216-b895-4fad950d210f" ,
"indicator--57fddf74-fa54-4bf6-8241-4e2b950d210f" ,
"indicator--57fddf75-8ed8-476b-a1ba-4efa950d210f" ,
"indicator--57fddf75-7f04-48c7-9149-4cf9950d210f" ,
"indicator--57fddf75-1558-4803-a029-4df3950d210f" ,
"indicator--57fddf75-851c-445b-a531-46e5950d210f" ,
"indicator--57fddf75-3320-44fd-b747-4602950d210f" ,
"indicator--57fddf76-472c-4d24-a2f2-48ce950d210f" ,
"indicator--57fddf76-62b4-4241-88d4-468d950d210f" ,
"indicator--57fddf76-e494-4a66-a49b-499d950d210f" ,
"indicator--57fddf76-32bc-41f0-95d7-4d41950d210f" ,
"indicator--57fddf76-2254-458f-8a93-4dd3950d210f" ,
"indicator--57fddf77-e278-4d41-acd7-4438950d210f" ,
"indicator--57fddf77-b6a4-4dfc-b0d2-4a3b950d210f" ,
"indicator--57fddf77-07d0-47b7-b171-4889950d210f" ,
"indicator--57fddf77-ea98-44df-aeba-4e5b950d210f" ,
"indicator--57fddf78-3230-485d-b5be-49e3950d210f" ,
"indicator--57fddf78-53cc-4c39-ac80-44ee950d210f" ,
"indicator--57fddf78-4154-4ea6-8878-4590950d210f" ,
"indicator--57fddf78-7570-4b7a-8b6a-47dc950d210f" ,
"indicator--57fddf78-0db0-476d-845b-4fc5950d210f" ,
"indicator--57fddf79-a820-43b1-b9a4-4105950d210f" ,
"indicator--57fddf79-1288-4be7-b3c2-482d950d210f" ,
"indicator--57fddf79-6e6c-420b-bc38-4557950d210f" ,
"indicator--57fddf79-601c-414f-93e6-4700950d210f" ,
"indicator--57fddf79-2608-4a83-ba00-4392950d210f" ,
"indicator--57fddf7a-5db0-4d77-af58-4c17950d210f" ,
"indicator--57fddf7a-e494-44b1-9a11-4027950d210f" ,
"indicator--57fddf7a-ac7c-4bae-ba07-4ffd950d210f" ,
"x-misp-attribute--57fddfe1-51bc-4ff5-95e2-4932950d210f" ,
"indicator--57fde03d-56a4-47cc-84e9-441402de0b81" ,
"indicator--57fde03d-41a4-43cf-846d-42c802de0b81" ,
"observed-data--57fde03d-11bc-4656-a0c7-40da02de0b81" ,
"url--57fde03d-11bc-4656-a0c7-40da02de0b81" ,
"indicator--57fde03d-dc60-4ac4-86d6-453902de0b81" ,
"indicator--57fde03d-c4e4-496c-b206-4fd702de0b81" ,
"observed-data--57fde03e-68ec-408d-9fa0-47e302de0b81" ,
"url--57fde03e-68ec-408d-9fa0-47e302de0b81" ,
"indicator--57fde03e-f658-4a2f-b63a-44dd02de0b81" ,
"indicator--57fde03e-c798-42c0-b509-471a02de0b81" ,
"observed-data--57fde03e-7dac-497a-8d15-47c502de0b81" ,
"url--57fde03e-7dac-497a-8d15-47c502de0b81" ,
"indicator--57fde03e-9fd4-4395-a7d0-462202de0b81" ,
"indicator--57fde03f-d4c0-4eb4-b5ef-4e1702de0b81" ,
"observed-data--57fde03f-bc70-4d3b-b7b2-4a0702de0b81" ,
"url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81" ,
"indicator--57fde03f-faa0-40ef-95ed-478602de0b81" ,
"indicator--57fde03f-7d30-43df-b4f5-441d02de0b81" ,
"observed-data--57fde03f-0794-4278-b254-45a302de0b81" ,
"url--57fde03f-0794-4278-b254-45a302de0b81" ,
"indicator--57fde040-c7e0-42cc-94ce-4df602de0b81" ,
"indicator--57fde040-e520-47ba-88f8-457e02de0b81" ,
"observed-data--57fde040-d378-4048-8ab0-447302de0b81" ,
"url--57fde040-d378-4048-8ab0-447302de0b81" ,
"indicator--57fde040-6648-439f-a4f6-4c7c02de0b81" ,
"indicator--57fde040-9ab0-4352-a9ee-456e02de0b81" ,
"observed-data--57fde041-004c-456d-ad30-4c1e02de0b81" ,
"url--57fde041-004c-456d-ad30-4c1e02de0b81" ,
"indicator--57fde041-0b0c-45d0-a8f0-441e02de0b81" ,
"indicator--57fde041-91c8-4069-9478-4e6902de0b81" ,
"observed-data--57fde041-4d38-4251-b2a1-48da02de0b81" ,
"url--57fde041-4d38-4251-b2a1-48da02de0b81" ,
"indicator--57fde042-da1c-4301-9d13-4bd002de0b81" ,
"indicator--57fde042-4bb0-4bd0-8f3c-406e02de0b81" ,
"observed-data--57fde042-8a74-4daf-88b4-4a9302de0b81" ,
"url--57fde042-8a74-4daf-88b4-4a9302de0b81" ,
"indicator--57fde042-de18-4a5f-a7cd-4aa202de0b81" ,
"indicator--57fde042-7dbc-4fa3-b2fb-49ed02de0b81" ,
"observed-data--57fde043-9b48-46e6-8323-486e02de0b81" ,
"url--57fde043-9b48-46e6-8323-486e02de0b81" ,
"indicator--57fde043-32ec-4f9f-b57c-440f02de0b81" ,
"indicator--57fde043-bea4-42bf-a355-4d5b02de0b81" ,
"observed-data--57fde043-0c68-49a0-a4c1-490702de0b81" ,
"url--57fde043-0c68-49a0-a4c1-490702de0b81" ,
"indicator--57fde043-eec0-4763-b546-45cb02de0b81" ,
"indicator--57fde044-c49c-4684-bc39-4e6002de0b81" ,
"observed-data--57fde044-6f74-4d4d-b8d4-465502de0b81" ,
"url--57fde044-6f74-4d4d-b8d4-465502de0b81" ,
"indicator--57fde044-d460-4adc-87fc-45bd02de0b81" ,
"indicator--57fde044-f26c-45eb-b08d-421a02de0b81" ,
"observed-data--57fde044-1498-4ac3-892c-487202de0b81" ,
"url--57fde044-1498-4ac3-892c-487202de0b81" ,
"indicator--57fde045-4624-4119-93fc-4b1e02de0b81" ,
"indicator--57fde045-5bc4-417e-bf93-4b5102de0b81" ,
"observed-data--57fde045-1870-433d-b771-496002de0b81" ,
"url--57fde045-1870-433d-b771-496002de0b81" ,
"indicator--57fde045-7b84-43b7-9cdb-4d4d02de0b81" ,
"indicator--57fde046-dd9c-4d99-bb17-45c302de0b81" ,
"observed-data--57fde046-5dac-4442-bc23-465902de0b81" ,
"url--57fde046-5dac-4442-bc23-465902de0b81" ,
"indicator--57fde046-245c-44eb-a7c2-495302de0b81" ,
"indicator--57fde046-dbb4-4fbf-ac48-425502de0b81" ,
"observed-data--57fde046-0f18-4adc-9b70-497e02de0b81" ,
"url--57fde046-0f18-4adc-9b70-497e02de0b81" ,
"indicator--57fde047-2214-4122-a2d7-421502de0b81" ,
"indicator--57fde047-298c-4606-9bd9-49f602de0b81" ,
"observed-data--57fde047-eca0-4e14-ab3c-40d502de0b81" ,
"url--57fde047-eca0-4e14-ab3c-40d502de0b81" ,
"indicator--57fde047-f254-4d6d-9372-4e1402de0b81" ,
"indicator--57fde047-e070-44de-8bf2-4bd302de0b81" ,
"observed-data--57fde048-0e48-4f1d-96a8-4f4502de0b81" ,
"url--57fde048-0e48-4f1d-96a8-4f4502de0b81" ,
"indicator--57fde048-ddb8-4cbf-ba19-495c02de0b81" ,
"indicator--57fde048-617c-4542-a355-4fae02de0b81" ,
"observed-data--57fde048-bb20-4954-b4a7-44ed02de0b81" ,
"url--57fde048-bb20-4954-b4a7-44ed02de0b81" ,
"indicator--57fde048-1490-42b6-842b-4bc702de0b81" ,
"indicator--57fde049-51f4-4881-b4a8-4ef202de0b81" ,
"observed-data--57fde049-8418-4226-8a72-414002de0b81" ,
"url--57fde049-8418-4226-8a72-414002de0b81" ,
"indicator--57fde049-7ef4-4fff-bc00-465502de0b81" ,
"indicator--57fde049-8b1c-4430-9e25-4ab002de0b81" ,
"observed-data--57fde04a-b590-4ec7-8adf-48a702de0b81" ,
"url--57fde04a-b590-4ec7-8adf-48a702de0b81" ,
"indicator--57fde04a-ec90-4ccf-87cc-473202de0b81" ,
"indicator--57fde04a-44b8-44ac-ac79-483102de0b81" ,
"observed-data--57fde04a-dac8-4b85-94e4-4fe702de0b81" ,
"url--57fde04a-dac8-4b85-94e4-4fe702de0b81" ,
"indicator--57fde04a-fcb0-4068-9015-451c02de0b81" ,
"indicator--57fde04b-f598-4f22-841d-448702de0b81" ,
"observed-data--57fde04b-73c4-4483-aef6-4f8f02de0b81" ,
"url--57fde04b-73c4-4483-aef6-4f8f02de0b81" ,
"indicator--57fde04b-4044-4d59-af0a-4bb302de0b81" ,
"indicator--57fde04b-1ea0-4353-89b5-4b2a02de0b81" ,
"observed-data--57fde04b-b4bc-4471-bfbc-4ee602de0b81" ,
"url--57fde04b-b4bc-4471-bfbc-4ee602de0b81" ,
"indicator--57fde04c-4188-4ef7-9927-488b02de0b81" ,
"indicator--57fde04c-bad0-4e18-90b3-427a02de0b81" ,
"observed-data--57fde04c-6ab8-4daf-9e46-4dc402de0b81" ,
"url--57fde04c-6ab8-4daf-9e46-4dc402de0b81" ,
"indicator--57fde04c-a668-442d-aa27-48a202de0b81" ,
"indicator--57fde04c-35ec-4314-8b01-409702de0b81" ,
"observed-data--57fde04d-7008-4a76-a1e5-461102de0b81" ,
"url--57fde04d-7008-4a76-a1e5-461102de0b81" ,
"indicator--57fde04d-8208-42b6-bdf1-4cc402de0b81" ,
"indicator--57fde04d-a474-4fcf-9c39-448002de0b81" ,
"observed-data--57fde04d-62d0-421c-a93a-48ab02de0b81" ,
"url--57fde04d-62d0-421c-a93a-48ab02de0b81" ,
"indicator--57fde04e-2250-4e88-afa0-41fd02de0b81" ,
"indicator--57fde04e-76b8-4e3a-8fde-4f5e02de0b81" ,
"observed-data--57fde04e-e7a4-4a18-b158-423b02de0b81" ,
"url--57fde04e-e7a4-4a18-b158-423b02de0b81" ,
"indicator--57fde04e-7aa8-4151-9d3b-4aa002de0b81" ,
"indicator--57fde04e-e334-4850-af7f-471802de0b81" ,
"observed-data--57fde04f-5340-42e2-a6d0-472e02de0b81" ,
"url--57fde04f-5340-42e2-a6d0-472e02de0b81" ,
"indicator--57fde04f-aab8-4d00-9c1d-41ef02de0b81" ,
"indicator--57fde04f-ee58-4ee9-96ac-4fef02de0b81" ,
"observed-data--57fde04f-9110-431a-bac5-469f02de0b81" ,
"url--57fde04f-9110-431a-bac5-469f02de0b81" ,
"indicator--57fde04f-74c4-4860-8436-4f2702de0b81" ,
"indicator--57fde050-7ff4-450e-95c6-4b0702de0b81" ,
"observed-data--57fde050-ba58-41e9-9dcf-404202de0b81" ,
"url--57fde050-ba58-41e9-9dcf-404202de0b81" ,
"indicator--57fde050-56e8-4208-b04a-4ff902de0b81" ,
"indicator--57fde050-c154-4baf-be74-42b902de0b81" ,
"observed-data--57fde050-1704-4d6b-9546-4c0c02de0b81" ,
"url--57fde050-1704-4d6b-9546-4c0c02de0b81" ,
"indicator--57fde051-1e78-4685-80e6-4cbe02de0b81" ,
"indicator--57fde051-6e4c-4510-b5ca-481202de0b81" ,
"observed-data--57fde051-5ac4-4296-ba39-44ed02de0b81" ,
"url--57fde051-5ac4-4296-ba39-44ed02de0b81" ,
"indicator--57fde051-0c38-4419-bdc2-4fb602de0b81" ,
"indicator--57fde051-7fec-485a-bf27-43ed02de0b81" ,
"observed-data--57fde052-079c-4c27-af94-45ca02de0b81" ,
"url--57fde052-079c-4c27-af94-45ca02de0b81" ,
"indicator--57fde052-d714-4fcf-9e34-4b3202de0b81" ,
"indicator--57fde052-634c-4ce1-8a44-450602de0b81" ,
"observed-data--57fde052-fcb0-462e-9d5d-46cc02de0b81" ,
"url--57fde052-fcb0-462e-9d5d-46cc02de0b81" ,
"indicator--57fde052-31ec-4597-b3d9-476f02de0b81" ,
"indicator--57fde053-d670-45e0-ad52-489402de0b81" ,
"observed-data--57fde053-227c-4b6a-a763-41fe02de0b81" ,
"url--57fde053-227c-4b6a-a763-41fe02de0b81" ,
"indicator--57fde053-8eec-40d3-91c6-4d0802de0b81" ,
"indicator--57fde053-1ac0-4357-92c8-443c02de0b81" ,
"observed-data--57fde054-38a4-464a-99a0-402a02de0b81" ,
"url--57fde054-38a4-464a-99a0-402a02de0b81" ,
"indicator--57fde054-5d58-4d93-8f12-49da02de0b81" ,
"indicator--57fde054-157c-4f68-9ecb-4bd702de0b81" ,
"observed-data--57fde054-a1f4-4f89-9d69-479502de0b81" ,
"url--57fde054-a1f4-4f89-9d69-479502de0b81" ,
"indicator--57fde055-cdb4-404d-80bd-4cc302de0b81" ,
"indicator--57fde055-2a2c-470d-9093-4d8b02de0b81" ,
"observed-data--57fde055-6d90-475b-837e-4e3002de0b81" ,
"url--57fde055-6d90-475b-837e-4e3002de0b81" ,
"indicator--57fde055-39b8-4c3b-a15c-4f9902de0b81" ,
"indicator--57fde055-4aac-4898-ab81-4f7502de0b81" ,
"observed-data--57fde056-b2d0-4e81-a161-454502de0b81" ,
"url--57fde056-b2d0-4e81-a161-454502de0b81" ,
"observed-data--57fdf198-5894-4cdf-9b84-4487950d210f" ,
"url--57fdf198-5894-4cdf-9b84-4487950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"circl:topic=\"finance\"" ,
"circl:incident-classification=\"malware\"" ,
"type:OSINT" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--57fdde4c-94e0-4df7-9483-4fdd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T06:55:08.000Z" ,
"modified" : "2016-10-12T06:55:08.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.\r\n\r\nOdinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013\u2013Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.\r\n\r\nThese attacks require a large amount of hands on involvement, with methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed.\r\n\r\nAlthough difficult to perform, these kinds of attacks on banks can be highly lucrative. Estimates of total losses to Carbanak-linked attacks range from tens of millions to hundreds of millions of dollars."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf71-e4ec-4761-8086-400b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:01.000Z" ,
"modified" : "2016-10-12T07:00:01.000Z" ,
"description" : "Odinaff droppers" ,
"pattern" : "[file:hashes.SHA256 = 'f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf71-2ce0-462d-852c-4e0d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:01.000Z" ,
"modified" : "2016-10-12T07:00:01.000Z" ,
"description" : "Odinaff droppers" ,
"pattern" : "[file:hashes.SHA256 = 'c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf72-00e8-4312-ad2c-4bfc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:02.000Z" ,
"modified" : "2016-10-12T07:00:02.000Z" ,
"description" : "Odinaff document droppers" ,
"pattern" : "[file:hashes.SHA256 = '102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf72-bd10-4bb0-be12-4adc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:02.000Z" ,
"modified" : "2016-10-12T07:00:02.000Z" ,
"description" : "Odinaff document droppers" ,
"pattern" : "[file:hashes.SHA256 = '60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf72-8ed0-4368-9e0d-4786950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:02.000Z" ,
"modified" : "2016-10-12T07:00:02.000Z" ,
"description" : "Odinaff samples" ,
"pattern" : "[file:hashes.SHA256 = '22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf73-9810-4caf-bab9-46cb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:03.000Z" ,
"modified" : "2016-10-12T07:00:03.000Z" ,
"description" : "Odinaff samples" ,
"pattern" : "[file:hashes.SHA256 = '2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf73-b1e8-4def-a8d0-4c34950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:03.000Z" ,
"modified" : "2016-10-12T07:00:03.000Z" ,
"description" : "SWIFT log suppressors" ,
"pattern" : "[file:hashes.SHA256 = '84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf73-97d8-4718-8a0c-47cc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:03.000Z" ,
"modified" : "2016-10-12T07:00:03.000Z" ,
"description" : "Backdoor.Batel RTF document dropper" ,
"pattern" : "[file:hashes.SHA256 = '21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf73-0274-4cf4-b03c-4d63950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:03.000Z" ,
"modified" : "2016-10-12T07:00:03.000Z" ,
"description" : "Backdoor.Batel stagers" ,
"pattern" : "[file:hashes.SHA256 = '001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf73-7e40-48f5-bd90-4c79950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:03.000Z" ,
"modified" : "2016-10-12T07:00:03.000Z" ,
"description" : "Backdoor.Batel stagers" ,
"pattern" : "[file:hashes.SHA256 = '1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf74-ee28-401a-907f-4315950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:04.000Z" ,
"modified" : "2016-10-12T07:00:04.000Z" ,
"description" : "Older Batel *.CPL droppers" ,
"pattern" : "[file:hashes.SHA256 = '1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf74-fed0-4b1d-8c2b-4f80950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:04.000Z" ,
"modified" : "2016-10-12T07:00:04.000Z" ,
"description" : "Older Batel *.CPL droppers" ,
"pattern" : "[file:hashes.SHA256 = '298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf74-3950-4cc8-bc10-4885950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:04.000Z" ,
"modified" : "2016-10-12T07:00:04.000Z" ,
"description" : "Cobalt Strike, possible ATM implants" ,
"pattern" : "[file:hashes.SHA256 = '429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf74-7e44-4216-b895-4fad950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:04.000Z" ,
"modified" : "2016-10-12T07:00:04.000Z" ,
"description" : "Cobalt Strike, possible ATM implants" ,
"pattern" : "[file:hashes.SHA256 = '44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf74-fa54-4bf6-8241-4e2b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:04.000Z" ,
"modified" : "2016-10-12T07:00:04.000Z" ,
"description" : "Cobalt Strike implants" ,
"pattern" : "[file:hashes.SHA256 = '1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf75-8ed8-476b-a1ba-4efa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:05.000Z" ,
"modified" : "2016-10-12T07:00:05.000Z" ,
"description" : "Cobalt Strike implants" ,
"pattern" : "[file:hashes.SHA256 = '48fb5e3c3dc17f549a76e1b1ce74c9fef5c94bfc29119a248ce1647644b125c7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf75-7f04-48c7-9149-4cf9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:05.000Z" ,
"modified" : "2016-10-12T07:00:05.000Z" ,
"description" : "Backdoor.Batel loaders" ,
"pattern" : "[file:hashes.SHA256 = '0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf75-1558-4803-a029-4df3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:05.000Z" ,
"modified" : "2016-10-12T07:00:05.000Z" ,
"description" : "Backdoor.Batel loaders" ,
"pattern" : "[file:hashes.SHA256 = '174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf75-851c-445b-a531-46e5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:05.000Z" ,
"modified" : "2016-10-12T07:00:05.000Z" ,
"description" : "Stagers (MINGW)" ,
"pattern" : "[file:hashes.SHA256 = 'd94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf75-3320-44fd-b747-4602950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:05.000Z" ,
"modified" : "2016-10-12T07:00:05.000Z" ,
"description" : "Stagers (MINGW)" ,
"pattern" : "[file:hashes.SHA256 = '3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf76-472c-4d24-a2f2-48ce950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:06.000Z" ,
"modified" : "2016-10-12T07:00:06.000Z" ,
"description" : "Disk wipers" ,
"pattern" : "[file:hashes.SHA256 = '72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf76-62b4-4241-88d4-468d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:06.000Z" ,
"modified" : "2016-10-12T07:00:06.000Z" ,
"description" : "Disk wipers" ,
"pattern" : "[file:hashes.SHA256 = 'c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf76-e494-4a66-a49b-499d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:06.000Z" ,
"modified" : "2016-10-12T07:00:06.000Z" ,
"description" : "Keylogger" ,
"pattern" : "[file:hashes.SHA256 = 'e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf76-32bc-41f0-95d7-4d41950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:06.000Z" ,
"modified" : "2016-10-12T07:00:06.000Z" ,
"description" : "Screengrabbers" ,
"pattern" : "[file:hashes.SHA256 = 'a7c3f125c8b9ca732832d64db2334f07240294d74ba76bdc47ea9d4009381fdc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf76-2254-458f-8a93-4dd3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:06.000Z" ,
"modified" : "2016-10-12T07:00:06.000Z" ,
"description" : "Screengrabbers" ,
"pattern" : "[file:hashes.SHA256 = 'ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf77-e278-4d41-acd7-4438950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:07.000Z" ,
"modified" : "2016-10-12T07:00:07.000Z" ,
"description" : "Command shells" ,
"pattern" : "[file:hashes.SHA256 = '9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf77-b6a4-4dfc-b0d2-4a3b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:07.000Z" ,
"modified" : "2016-10-12T07:00:07.000Z" ,
"description" : "Command shells" ,
"pattern" : "[file:hashes.SHA256 = 'e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf77-07d0-47b7-b171-4889950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:07.000Z" ,
"modified" : "2016-10-12T07:00:07.000Z" ,
"description" : "HTTP Backconnect" ,
"pattern" : "[file:hashes.SHA256 = 'b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf77-ea98-44df-aeba-4e5b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:07.000Z" ,
"modified" : "2016-10-12T07:00:07.000Z" ,
"description" : "Connection checkers" ,
"pattern" : "[file:hashes.SHA256 = '28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf78-3230-485d-b5be-49e3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:08.000Z" ,
"modified" : "2016-10-12T07:00:08.000Z" ,
"description" : "Connection checkers" ,
"pattern" : "[file:hashes.SHA256 = 'd9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf78-53cc-4c39-ac80-44ee950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:08.000Z" ,
"modified" : "2016-10-12T07:00:08.000Z" ,
"description" : "PoisonIvy loaders" ,
"pattern" : "[file:hashes.SHA256 = '25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf78-4154-4ea6-8878-4590950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:08.000Z" ,
"modified" : "2016-10-12T07:00:08.000Z" ,
"description" : "PoisonIvy loaders" ,
"pattern" : "[file:hashes.SHA256 = '91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf78-7570-4b7a-8b6a-47dc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:08.000Z" ,
"modified" : "2016-10-12T07:00:08.000Z" ,
"description" : "Ammyy Admin remote administration tools" ,
"pattern" : "[file:hashes.SHA256 = '0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf78-0db0-476d-845b-4fc5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:08.000Z" ,
"modified" : "2016-10-12T07:00:08.000Z" ,
"description" : "Ammyy Admin remote administration tools" ,
"pattern" : "[file:hashes.SHA256 = '295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf79-a820-43b1-b9a4-4105950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:09.000Z" ,
"modified" : "2016-10-12T07:00:09.000Z" ,
"description" : "Ammyy Admin, Trojanized" ,
"pattern" : "[file:hashes.SHA256 = 'cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf79-1288-4be7-b3c2-482d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:09.000Z" ,
"modified" : "2016-10-12T07:00:09.000Z" ,
"description" : "RemoteUtilities remote administration tools" ,
"pattern" : "[file:hashes.SHA256 = '2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf79-6e6c-420b-bc38-4557950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:09.000Z" ,
"modified" : "2016-10-12T07:00:09.000Z" ,
"description" : "RemoteUtilities remote administration tools" ,
"pattern" : "[file:hashes.SHA256 = '3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf79-601c-414f-93e6-4700950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:09.000Z" ,
"modified" : "2016-10-12T07:00:09.000Z" ,
"description" : "Runas" ,
"pattern" : "[file:hashes.SHA256 = '170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf79-2608-4a83-ba00-4392950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:09.000Z" ,
"modified" : "2016-10-12T07:00:09.000Z" ,
"description" : "Mimikatz" ,
"pattern" : "[file:hashes.SHA256 = '7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf7a-5db0-4d77-af58-4c17950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:10.000Z" ,
"modified" : "2016-10-12T07:00:10.000Z" ,
"description" : "Mimikatz" ,
"pattern" : "[file:hashes.SHA256 = 'e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf7a-e494-44b1-9a11-4027950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:10.000Z" ,
"modified" : "2016-10-12T07:00:10.000Z" ,
"description" : "Kasidet" ,
"pattern" : "[file:hashes.SHA256 = 'c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fddf7a-ac7c-4bae-ba07-4ffd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:00:10.000Z" ,
"modified" : "2016-10-12T07:00:10.000Z" ,
"description" : "Kasidet" ,
"pattern" : "[file:hashes.SHA256 = 'cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:00:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--57fddfe1-51bc-4ff5-95e2-4932950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:01:53.000Z" ,
"modified" : "2016-10-12T07:01:53.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Trojan.Odinaff"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03d-56a4-47cc-84e9-441402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:25.000Z" ,
"modified" : "2016-10-12T07:03:25.000Z" ,
"description" : "Kasidet - Xchecked via VT: cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba" ,
"pattern" : "[file:hashes.SHA1 = 'ce46b856e77ed458db1846fa6f9e8df422d582b3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03d-41a4-43cf-846d-42c802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:25.000Z" ,
"modified" : "2016-10-12T07:03:25.000Z" ,
"description" : "Kasidet - Xchecked via VT: cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba" ,
"pattern" : "[file:hashes.MD5 = '074db802aa499ac108216e2c031657d0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde03d-11bc-4656-a0c7-40da02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:25.000Z" ,
"modified" : "2016-10-12T07:03:25.000Z" ,
"first_observed" : "2016-10-12T07:03:25Z" ,
"last_observed" : "2016-10-12T07:03:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde03d-11bc-4656-a0c7-40da02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde03d-11bc-4656-a0c7-40da02de0b81" ,
"value" : "https://www.virustotal.com/file/cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba/analysis/1464288443/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03d-dc60-4ac4-86d6-453902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:25.000Z" ,
"modified" : "2016-10-12T07:03:25.000Z" ,
"description" : "Kasidet - Xchecked via VT: c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2" ,
"pattern" : "[file:hashes.SHA1 = 'f7f5434539290ba88781237da086331030a4f051']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03d-c4e4-496c-b206-4fd702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:25.000Z" ,
"modified" : "2016-10-12T07:03:25.000Z" ,
"description" : "Kasidet - Xchecked via VT: c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2" ,
"pattern" : "[file:hashes.MD5 = 'ec84d9d8ce82455214d36f7ab6e3dc56']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde03e-68ec-408d-9fa0-47e302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:26.000Z" ,
"modified" : "2016-10-12T07:03:26.000Z" ,
"first_observed" : "2016-10-12T07:03:26Z" ,
"last_observed" : "2016-10-12T07:03:26Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde03e-68ec-408d-9fa0-47e302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde03e-68ec-408d-9fa0-47e302de0b81" ,
"value" : "https://www.virustotal.com/file/c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2/analysis/1476234896/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03e-f658-4a2f-b63a-44dd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:26.000Z" ,
"modified" : "2016-10-12T07:03:26.000Z" ,
"description" : "Mimikatz - Xchecked via VT: e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6" ,
"pattern" : "[file:hashes.SHA1 = 'fac724a7b6d1bdd6e2ca697c239d39dd4aa8a52b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03e-c798-42c0-b509-471a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:26.000Z" ,
"modified" : "2016-10-12T07:03:26.000Z" ,
"description" : "Mimikatz - Xchecked via VT: e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6" ,
"pattern" : "[file:hashes.MD5 = '12613ac87e6e550057ab5eb770f98f35']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde03e-7dac-497a-8d15-47c502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:26.000Z" ,
"modified" : "2016-10-12T07:03:26.000Z" ,
"first_observed" : "2016-10-12T07:03:26Z" ,
"last_observed" : "2016-10-12T07:03:26Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde03e-7dac-497a-8d15-47c502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde03e-7dac-497a-8d15-47c502de0b81" ,
"value" : "https://www.virustotal.com/file/e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6/analysis/1469035595/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03e-9fd4-4395-a7d0-462202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:26.000Z" ,
"modified" : "2016-10-12T07:03:26.000Z" ,
"description" : "Mimikatz - Xchecked via VT: 7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4" ,
"pattern" : "[file:hashes.SHA1 = '052c8587aed8dbd775f179f670e822da4d2a1eb6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03f-d4c0-4eb4-b5ef-4e1702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:27.000Z" ,
"modified" : "2016-10-12T07:03:27.000Z" ,
"description" : "Mimikatz - Xchecked via VT: 7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4" ,
"pattern" : "[file:hashes.MD5 = 'db34ce686d2b911589667cbcae3a920c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde03f-bc70-4d3b-b7b2-4a0702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:27.000Z" ,
"modified" : "2016-10-12T07:03:27.000Z" ,
"first_observed" : "2016-10-12T07:03:27Z" ,
"last_observed" : "2016-10-12T07:03:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81" ,
"value" : "https://www.virustotal.com/file/7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4/analysis/1476213199/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03f-faa0-40ef-95ed-478602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:27.000Z" ,
"modified" : "2016-10-12T07:03:27.000Z" ,
"description" : "Runas - Xchecked via VT: 170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20" ,
"pattern" : "[file:hashes.SHA1 = 'bd1d24f63f2f25a6eb4a7f6f3bc97a443e728b17']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde03f-7d30-43df-b4f5-441d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:27.000Z" ,
"modified" : "2016-10-12T07:03:27.000Z" ,
"description" : "Runas - Xchecked via VT: 170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20" ,
"pattern" : "[file:hashes.MD5 = '424872148d3e84ed99cedd5bfbb8740c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde03f-0794-4278-b254-45a302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:27.000Z" ,
"modified" : "2016-10-12T07:03:27.000Z" ,
"first_observed" : "2016-10-12T07:03:27Z" ,
"last_observed" : "2016-10-12T07:03:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde03f-0794-4278-b254-45a302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde03f-0794-4278-b254-45a302de0b81" ,
"value" : "https://www.virustotal.com/file/170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20/analysis/1476195264/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde040-c7e0-42cc-94ce-4df602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:28.000Z" ,
"modified" : "2016-10-12T07:03:28.000Z" ,
"description" : "RemoteUtilities remote administration tools - Xchecked via VT: 3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51" ,
"pattern" : "[file:hashes.SHA1 = '88de72284fb04b40efda6b7edd8793a4a79f2f11']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde040-e520-47ba-88f8-457e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:28.000Z" ,
"modified" : "2016-10-12T07:03:28.000Z" ,
"description" : "RemoteUtilities remote administration tools - Xchecked via VT: 3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51" ,
"pattern" : "[file:hashes.MD5 = '5615449487df19589bd69207d7f2c6cd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde040-d378-4048-8ab0-447302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:28.000Z" ,
"modified" : "2016-10-12T07:03:28.000Z" ,
"first_observed" : "2016-10-12T07:03:28Z" ,
"last_observed" : "2016-10-12T07:03:28Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde040-d378-4048-8ab0-447302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde040-d378-4048-8ab0-447302de0b81" ,
"value" : "https://www.virustotal.com/file/3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51/analysis/1476195266/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde040-6648-439f-a4f6-4c7c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:28.000Z" ,
"modified" : "2016-10-12T07:03:28.000Z" ,
"description" : "RemoteUtilities remote administration tools - Xchecked via VT: 2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1" ,
"pattern" : "[file:hashes.SHA1 = 'b500c2f9310b28719383a8b5fdd78d0ff7fd5b80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde040-9ab0-4352-a9ee-456e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:28.000Z" ,
"modified" : "2016-10-12T07:03:28.000Z" ,
"description" : "RemoteUtilities remote administration tools - Xchecked via VT: 2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1" ,
"pattern" : "[file:hashes.MD5 = '42552c5ac5fb48975115fe8b020073f3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde041-004c-456d-ad30-4c1e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:29.000Z" ,
"modified" : "2016-10-12T07:03:29.000Z" ,
"first_observed" : "2016-10-12T07:03:29Z" ,
"last_observed" : "2016-10-12T07:03:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde041-004c-456d-ad30-4c1e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde041-004c-456d-ad30-4c1e02de0b81" ,
"value" : "https://www.virustotal.com/file/2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1/analysis/1476195266/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde041-0b0c-45d0-a8f0-441e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:29.000Z" ,
"modified" : "2016-10-12T07:03:29.000Z" ,
"description" : "Ammyy Admin, Trojanized - Xchecked via VT: cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f" ,
"pattern" : "[file:hashes.SHA1 = '01317404282c428b9d2a48ad5c542bd951b45268']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde041-91c8-4069-9478-4e6902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:29.000Z" ,
"modified" : "2016-10-12T07:03:29.000Z" ,
"description" : "Ammyy Admin, Trojanized - Xchecked via VT: cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f" ,
"pattern" : "[file:hashes.MD5 = 'c7f1c6f20161ab9f703cc1c5d7498655']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde041-4d38-4251-b2a1-48da02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:29.000Z" ,
"modified" : "2016-10-12T07:03:29.000Z" ,
"first_observed" : "2016-10-12T07:03:29Z" ,
"last_observed" : "2016-10-12T07:03:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde041-4d38-4251-b2a1-48da02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde041-4d38-4251-b2a1-48da02de0b81" ,
"value" : "https://www.virustotal.com/file/cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f/analysis/1462449891/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde042-da1c-4301-9d13-4bd002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:30.000Z" ,
"modified" : "2016-10-12T07:03:30.000Z" ,
"description" : "Ammyy Admin remote administration tools - Xchecked via VT: 295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130" ,
"pattern" : "[file:hashes.SHA1 = 'cf4a4ea4be619856bd19cb63cdd15efdc23dcec8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde042-4bb0-4bd0-8f3c-406e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:30.000Z" ,
"modified" : "2016-10-12T07:03:30.000Z" ,
"description" : "Ammyy Admin remote administration tools - Xchecked via VT: 295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130" ,
"pattern" : "[file:hashes.MD5 = '084df0be594c98d868377de12d74703c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde042-8a74-4daf-88b4-4a9302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:30.000Z" ,
"modified" : "2016-10-12T07:03:30.000Z" ,
"first_observed" : "2016-10-12T07:03:30Z" ,
"last_observed" : "2016-10-12T07:03:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde042-8a74-4daf-88b4-4a9302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde042-8a74-4daf-88b4-4a9302de0b81" ,
"value" : "https://www.virustotal.com/file/295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130/analysis/1476213496/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde042-de18-4a5f-a7cd-4aa202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:30.000Z" ,
"modified" : "2016-10-12T07:03:30.000Z" ,
"description" : "Ammyy Admin remote administration tools - cross-checked via VirusTotal: 0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687" ,
"pattern" : "[file:hashes.SHA1 = 'edcfcb4124dcc23bd75fcd69c2e7d8617a36554a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde042-7dbc-4fa3-b2fb-49ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:30.000Z" ,
"modified" : "2016-10-12T07:03:30.000Z" ,
"description" : "Ammyy Admin remote administration tools - cross-checked via VirusTotal: 0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687" ,
"pattern" : "[file:hashes.MD5 = '070b6925b020c92e7f1cb0ad2c553a54']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde043-9b48-46e6-8323-486e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:31.000Z" ,
"modified" : "2016-10-12T07:03:31.000Z" ,
"first_observed" : "2016-10-12T07:03:31Z" ,
"last_observed" : "2016-10-12T07:03:31Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde043-9b48-46e6-8323-486e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde043-9b48-46e6-8323-486e02de0b81" ,
"value" : "https://www.virustotal.com/file/0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687/analysis/1476252610/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde043-32ec-4f9f-b57c-440f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:31.000Z" ,
"modified" : "2016-10-12T07:03:31.000Z" ,
"description" : "PoisonIvy loaders - cross-checked via VirusTotal: 91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c" ,
"pattern" : "[file:hashes.SHA1 = '4ec0b0f33afc35a59eca1efc37a74ff87d760d8c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde043-bea4-42bf-a355-4d5b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:31.000Z" ,
"modified" : "2016-10-12T07:03:31.000Z" ,
"description" : "PoisonIvy loaders - cross-checked via VirusTotal: 91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c" ,
"pattern" : "[file:hashes.MD5 = '5014f2c3850dedee06218e1585a7fc2d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde043-0c68-49a0-a4c1-490702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:31.000Z" ,
"modified" : "2016-10-12T07:03:31.000Z" ,
"first_observed" : "2016-10-12T07:03:31Z" ,
"last_observed" : "2016-10-12T07:03:31Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde043-0c68-49a0-a4c1-490702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde043-0c68-49a0-a4c1-490702de0b81" ,
"value" : "https://www.virustotal.com/file/91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c/analysis/1476213746/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde043-eec0-4763-b546-45cb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:31.000Z" ,
"modified" : "2016-10-12T07:03:31.000Z" ,
"description" : "PoisonIvy loaders - cross-checked via VirusTotal: 25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da" ,
"pattern" : "[file:hashes.SHA1 = 'b853c10fe548e8136ded8301586bc3c01b724bb0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde044-c49c-4684-bc39-4e6002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:32.000Z" ,
"modified" : "2016-10-12T07:03:32.000Z" ,
"description" : "PoisonIvy loaders - cross-checked via VirusTotal: 25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da" ,
"pattern" : "[file:hashes.MD5 = '5cbee6f706d9c6ee96ce159cdf2c2967']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde044-6f74-4d4d-b8d4-465502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:32.000Z" ,
"modified" : "2016-10-12T07:03:32.000Z" ,
"first_observed" : "2016-10-12T07:03:32Z" ,
"last_observed" : "2016-10-12T07:03:32Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde044-6f74-4d4d-b8d4-465502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde044-6f74-4d4d-b8d4-465502de0b81" ,
"value" : "https://www.virustotal.com/file/25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da/analysis/1476195267/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde044-d460-4adc-87fc-45bd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:32.000Z" ,
"modified" : "2016-10-12T07:03:32.000Z" ,
"description" : "Connection checkers - cross-checked via VirusTotal: d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874" ,
"pattern" : "[file:hashes.SHA1 = 'c01d318abcff123fd5561dbba1dfacc8aaa65ca8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde044-f26c-45eb-b08d-421a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:32.000Z" ,
"modified" : "2016-10-12T07:03:32.000Z" ,
"description" : "Connection checkers - cross-checked via VirusTotal: d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874" ,
"pattern" : "[file:hashes.MD5 = 'e1cd4de9afb99bee3568bb0bdc34e122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde044-1498-4ac3-892c-487202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:32.000Z" ,
"modified" : "2016-10-12T07:03:32.000Z" ,
"first_observed" : "2016-10-12T07:03:32Z" ,
"last_observed" : "2016-10-12T07:03:32Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde044-1498-4ac3-892c-487202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde044-1498-4ac3-892c-487202de0b81" ,
"value" : "https://www.virustotal.com/file/d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874/analysis/1476195269/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde045-4624-4119-93fc-4b1e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:33.000Z" ,
"modified" : "2016-10-12T07:03:33.000Z" ,
"description" : "Connection checkers - cross-checked via VirusTotal: 28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5" ,
"pattern" : "[file:hashes.SHA1 = '163ef2b5b25270934c967627c49225aed747f3f0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde045-5bc4-417e-bf93-4b5102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:33.000Z" ,
"modified" : "2016-10-12T07:03:33.000Z" ,
"description" : "Connection checkers - cross-checked via VirusTotal: 28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5" ,
"pattern" : "[file:hashes.MD5 = '2ff170c0da366c94351877e977546541']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde045-1870-433d-b771-496002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:33.000Z" ,
"modified" : "2016-10-12T07:03:33.000Z" ,
"first_observed" : "2016-10-12T07:03:33Z" ,
"last_observed" : "2016-10-12T07:03:33Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde045-1870-433d-b771-496002de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde045-1870-433d-b771-496002de0b81" ,
"value" : "https://www.virustotal.com/file/28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5/analysis/1476195265/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde045-7b84-43b7-9cdb-4d4d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:33.000Z" ,
"modified" : "2016-10-12T07:03:33.000Z" ,
"description" : "HTTP Backconnect - cross-checked via VirusTotal: b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec" ,
"pattern" : "[file:hashes.SHA1 = '9c5b16ad07e3e58de697dafc546f0af7b8fea08f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde046-dd9c-4d99-bb17-45c302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:34.000Z" ,
"modified" : "2016-10-12T07:03:34.000Z" ,
"description" : "HTTP Backconnect - cross-checked via VirusTotal: b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec" ,
"pattern" : "[file:hashes.MD5 = '0aeabdd4e5fe8b181147f555bd02e5e9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde046-5dac-4442-bc23-465902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:34.000Z" ,
"modified" : "2016-10-12T07:03:34.000Z" ,
"first_observed" : "2016-10-12T07:03:34Z" ,
"last_observed" : "2016-10-12T07:03:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde046-5dac-4442-bc23-465902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde046-5dac-4442-bc23-465902de0b81" ,
"value" : "https://www.virustotal.com/file/b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec/analysis/1476218183/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde046-245c-44eb-a7c2-495302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:34.000Z" ,
"modified" : "2016-10-12T07:03:34.000Z" ,
"description" : "Command shells - cross-checked via VirusTotal: e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a" ,
"pattern" : "[file:hashes.SHA1 = '28a9c74d62d14909ab91ebbb8eef27776584cf27']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde046-dbb4-4fbf-ac48-425502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:34.000Z" ,
"modified" : "2016-10-12T07:03:34.000Z" ,
"description" : "Command shells - cross-checked via VirusTotal: e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a" ,
"pattern" : "[file:hashes.MD5 = '3bbc51cfc5c1c1d51a26f61f3c0182bf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde046-0f18-4adc-9b70-497e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:34.000Z" ,
"modified" : "2016-10-12T07:03:34.000Z" ,
"first_observed" : "2016-10-12T07:03:34Z" ,
"last_observed" : "2016-10-12T07:03:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde046-0f18-4adc-9b70-497e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde046-0f18-4adc-9b70-497e02de0b81" ,
"value" : "https://www.virustotal.com/file/e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a/analysis/1476195269/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde047-2214-4122-a2d7-421502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:35.000Z" ,
"modified" : "2016-10-12T07:03:35.000Z" ,
"description" : "Command shells - cross-checked via VirusTotal: 9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a" ,
"pattern" : "[file:hashes.SHA1 = '7b7a219c7539e173eb39acc6136a39359ad3db67']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde047-298c-4606-9bd9-49f602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:35.000Z" ,
"modified" : "2016-10-12T07:03:35.000Z" ,
"description" : "Command shells - cross-checked via VirusTotal: 9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a" ,
"pattern" : "[file:hashes.MD5 = 'b77b8cde7ca6b6345caaf94bddbff9f1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde047-eca0-4e14-ab3c-40d502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:35.000Z" ,
"modified" : "2016-10-12T07:03:35.000Z" ,
"first_observed" : "2016-10-12T07:03:35Z" ,
"last_observed" : "2016-10-12T07:03:35Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde047-eca0-4e14-ab3c-40d502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde047-eca0-4e14-ab3c-40d502de0b81" ,
"value" : "https://www.virustotal.com/file/9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a/analysis/1472306542/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde047-f254-4d6d-9372-4e1402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:35.000Z" ,
"modified" : "2016-10-12T07:03:35.000Z" ,
"description" : "Screengrabbers - cross-checked via VirusTotal: ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c" ,
"pattern" : "[file:hashes.SHA1 = 'abc6d05f9e4631deeaa06e4116f3907fc4135585']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde047-e070-44de-8bf2-4bd302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:35.000Z" ,
"modified" : "2016-10-12T07:03:35.000Z" ,
"description" : "Screengrabbers - cross-checked via VirusTotal: ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c" ,
"pattern" : "[file:hashes.MD5 = '64b40780a94c4c4d1c1b4a0b12ce4b7d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde048-0e48-4f1d-96a8-4f4502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:36.000Z" ,
"modified" : "2016-10-12T07:03:36.000Z" ,
"first_observed" : "2016-10-12T07:03:36Z" ,
"last_observed" : "2016-10-12T07:03:36Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde048-0e48-4f1d-96a8-4f4502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde048-0e48-4f1d-96a8-4f4502de0b81" ,
"value" : "https://www.virustotal.com/file/ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c/analysis/1469035651/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde048-ddb8-4cbf-ba19-495c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:36.000Z" ,
"modified" : "2016-10-12T07:03:36.000Z" ,
"description" : "Keylogger - cross-checked via VirusTotal: e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90" ,
"pattern" : "[file:hashes.SHA1 = '4a861db8310b2eb51818aea93238347f156fd4b6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde048-617c-4542-a355-4fae02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:36.000Z" ,
"modified" : "2016-10-12T07:03:36.000Z" ,
"description" : "Keylogger - cross-checked via VirusTotal: e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90" ,
"pattern" : "[file:hashes.MD5 = 'e91fc5e15fa391d180779b47d511980b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde048-bb20-4954-b4a7-44ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:36.000Z" ,
"modified" : "2016-10-12T07:03:36.000Z" ,
"first_observed" : "2016-10-12T07:03:36Z" ,
"last_observed" : "2016-10-12T07:03:36Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde048-bb20-4954-b4a7-44ed02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde048-bb20-4954-b4a7-44ed02de0b81" ,
"value" : "https://www.virustotal.com/file/e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90/analysis/1476195269/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde048-1490-42b6-842b-4bc702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:36.000Z" ,
"modified" : "2016-10-12T07:03:36.000Z" ,
"description" : "Disk wipers - cross-checked via VirusTotal: c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da" ,
"pattern" : "[file:hashes.SHA1 = 'ffb9cda0584eb2d0663bc8c98d8c0be889179855']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde049-51f4-4881-b4a8-4ef202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:37.000Z" ,
"modified" : "2016-10-12T07:03:37.000Z" ,
"description" : "Disk wipers - cross-checked via VirusTotal: c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da" ,
"pattern" : "[file:hashes.MD5 = '80bee18fba8db4ae56120ef860cf82a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde049-8418-4226-8a72-414002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:37.000Z" ,
"modified" : "2016-10-12T07:03:37.000Z" ,
"first_observed" : "2016-10-12T07:03:37Z" ,
"last_observed" : "2016-10-12T07:03:37Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde049-8418-4226-8a72-414002de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde049-8418-4226-8a72-414002de0b81" ,
"value" : "https://www.virustotal.com/file/c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da/analysis/1467353193/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde049-7ef4-4fff-bc00-465502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:37.000Z" ,
"modified" : "2016-10-12T07:03:37.000Z" ,
"description" : "Disk wipers - cross-checked via VirusTotal: 72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17" ,
"pattern" : "[file:hashes.SHA1 = '63534363ccb1b8495599fb3056e6610ece49ac11']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde049-8b1c-4430-9e25-4ab002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:37.000Z" ,
"modified" : "2016-10-12T07:03:37.000Z" ,
"description" : "Disk wipers - cross-checked via VirusTotal: 72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17" ,
"pattern" : "[file:hashes.MD5 = '32eae3a8fd4a06819466dd07ca363c4f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04a-b590-4ec7-8adf-48a702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:38.000Z" ,
"modified" : "2016-10-12T07:03:38.000Z" ,
"first_observed" : "2016-10-12T07:03:38Z" ,
"last_observed" : "2016-10-12T07:03:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04a-b590-4ec7-8adf-48a702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04a-b590-4ec7-8adf-48a702de0b81" ,
"value" : "https://www.virustotal.com/file/72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17/analysis/1470794579/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04a-ec90-4ccf-87cc-473202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:38.000Z" ,
"modified" : "2016-10-12T07:03:38.000Z" ,
"description" : "Stagers (MINGW) - cross-checked via VirusTotal: 3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e" ,
"pattern" : "[file:hashes.SHA1 = 'e8903fb954896cb9db4dd5c3bc79c5cd8e20910d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04a-44b8-44ac-ac79-483102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:38.000Z" ,
"modified" : "2016-10-12T07:03:38.000Z" ,
"description" : "Stagers (MINGW) - cross-checked via VirusTotal: 3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e" ,
"pattern" : "[file:hashes.MD5 = 'c61dc9d26ac2b0bebca00c9c1b8bb9b3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04a-dac8-4b85-94e4-4fe702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:38.000Z" ,
"modified" : "2016-10-12T07:03:38.000Z" ,
"first_observed" : "2016-10-12T07:03:38Z" ,
"last_observed" : "2016-10-12T07:03:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04a-dac8-4b85-94e4-4fe702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04a-dac8-4b85-94e4-4fe702de0b81" ,
"value" : "https://www.virustotal.com/file/3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e/analysis/1476208783/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04a-fcb0-4068-9015-451c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:38.000Z" ,
"modified" : "2016-10-12T07:03:38.000Z" ,
"description" : "Stagers (MINGW) - cross-checked via VirusTotal: d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455" ,
"pattern" : "[file:hashes.SHA1 = 'ec13e1fcd1731dcaf008d6b0394f016c7c2afbaf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04b-f598-4f22-841d-448702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:39.000Z" ,
"modified" : "2016-10-12T07:03:39.000Z" ,
"description" : "Stagers (MINGW) - cross-checked via VirusTotal: d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455" ,
"pattern" : "[file:hashes.MD5 = '1c02c6b68025768d056805d26d33af4f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04b-73c4-4483-aef6-4f8f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:39.000Z" ,
"modified" : "2016-10-12T07:03:39.000Z" ,
"first_observed" : "2016-10-12T07:03:39Z" ,
"last_observed" : "2016-10-12T07:03:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04b-73c4-4483-aef6-4f8f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04b-73c4-4483-aef6-4f8f02de0b81" ,
"value" : "https://www.virustotal.com/file/d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455/analysis/1469556139/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04b-4044-4d59-af0a-4bb302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:39.000Z" ,
"modified" : "2016-10-12T07:03:39.000Z" ,
"description" : "Backdoor.Batel loaders - Xchecked via VT: 174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed" ,
"pattern" : "[file:hashes.SHA1 = '384d80934a6efaba7c858891a2253b9dd1a1327b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04b-1ea0-4353-89b5-4b2a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:39.000Z" ,
"modified" : "2016-10-12T07:03:39.000Z" ,
"description" : "Backdoor.Batel loaders - Xchecked via VT: 174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed" ,
"pattern" : "[file:hashes.MD5 = '2cd6451bf78b588bb253acaf899f74f5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04b-b4bc-4471-bfbc-4ee602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:39.000Z" ,
"modified" : "2016-10-12T07:03:39.000Z" ,
"first_observed" : "2016-10-12T07:03:39Z" ,
"last_observed" : "2016-10-12T07:03:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04b-b4bc-4471-bfbc-4ee602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04b-b4bc-4471-bfbc-4ee602de0b81" ,
"value" : "https://www.virustotal.com/file/174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed/analysis/1475980072/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04c-4188-4ef7-9927-488b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:40.000Z" ,
"modified" : "2016-10-12T07:03:40.000Z" ,
"description" : "Backdoor.Batel loaders - Xchecked via VT: 0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24" ,
"pattern" : "[file:hashes.SHA1 = '544cab0b08f4d3992bfd9fa69abf5633ed29d0b8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04c-bad0-4e18-90b3-427a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:40.000Z" ,
"modified" : "2016-10-12T07:03:40.000Z" ,
"description" : "Backdoor.Batel loaders - Xchecked via VT: 0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24" ,
"pattern" : "[file:hashes.MD5 = '5f95d9936344c9f294d5471ffd53d8aa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04c-6ab8-4daf-9e46-4dc402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:40.000Z" ,
"modified" : "2016-10-12T07:03:40.000Z" ,
"first_observed" : "2016-10-12T07:03:40Z" ,
"last_observed" : "2016-10-12T07:03:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04c-6ab8-4daf-9e46-4dc402de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04c-6ab8-4daf-9e46-4dc402de0b81" ,
"value" : "https://www.virustotal.com/file/0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24/analysis/1476195269/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04c-a668-442d-aa27-48a202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:40.000Z" ,
"modified" : "2016-10-12T07:03:40.000Z" ,
"description" : "Cobalt Strike implants - Xchecked via VT: 1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486" ,
"pattern" : "[file:hashes.SHA1 = 'a9c8a39e8000efa388d73c1d340e359738441170']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04c-35ec-4314-8b01-409702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:40.000Z" ,
"modified" : "2016-10-12T07:03:40.000Z" ,
"description" : "Cobalt Strike implants - Xchecked via VT: 1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486" ,
"pattern" : "[file:hashes.MD5 = '03bead6a263c179e848f14bf81b6f038']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04d-7008-4a76-a1e5-461102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:41.000Z" ,
"modified" : "2016-10-12T07:03:41.000Z" ,
"first_observed" : "2016-10-12T07:03:41Z" ,
"last_observed" : "2016-10-12T07:03:41Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04d-7008-4a76-a1e5-461102de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04d-7008-4a76-a1e5-461102de0b81" ,
"value" : "https://www.virustotal.com/file/1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486/analysis/1469035649/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04d-8208-42b6-bdf1-4cc402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:41.000Z" ,
"modified" : "2016-10-12T07:03:41.000Z" ,
"description" : "Cobalt Strike, possible ATM implants - Xchecked via VT: 44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579" ,
"pattern" : "[file:hashes.SHA1 = 'c9661008ffb49964e12ec6ed331098afdf2394a9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04d-a474-4fcf-9c39-448002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:41.000Z" ,
"modified" : "2016-10-12T07:03:41.000Z" ,
"description" : "Cobalt Strike, possible ATM implants - Xchecked via VT: 44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579" ,
"pattern" : "[file:hashes.MD5 = '59453862a00339305eb848a95fba4782']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04d-62d0-421c-a93a-48ab02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:41.000Z" ,
"modified" : "2016-10-12T07:03:41.000Z" ,
"first_observed" : "2016-10-12T07:03:41Z" ,
"last_observed" : "2016-10-12T07:03:41Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04d-62d0-421c-a93a-48ab02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04d-62d0-421c-a93a-48ab02de0b81" ,
"value" : "https://www.virustotal.com/file/44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579/analysis/1476199268/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04e-2250-4e88-afa0-41fd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:42.000Z" ,
"modified" : "2016-10-12T07:03:42.000Z" ,
"description" : "Cobalt Strike, possible ATM implants - Xchecked via VT: 429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e" ,
"pattern" : "[file:hashes.SHA1 = '835e8f56faa46cc31a9964c46604076111ba2537']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04e-76b8-4e3a-8fde-4f5e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:42.000Z" ,
"modified" : "2016-10-12T07:03:42.000Z" ,
"description" : "Cobalt Strike, possible ATM implants - Xchecked via VT: 429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e" ,
"pattern" : "[file:hashes.MD5 = '7acb0eeca94a6eb902ba516f465bcfc6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04e-e7a4-4a18-b158-423b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:42.000Z" ,
"modified" : "2016-10-12T07:03:42.000Z" ,
"first_observed" : "2016-10-12T07:03:42Z" ,
"last_observed" : "2016-10-12T07:03:42Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04e-e7a4-4a18-b158-423b02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04e-e7a4-4a18-b158-423b02de0b81" ,
"value" : "https://www.virustotal.com/file/429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e/analysis/1476214207/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04e-7aa8-4151-9d3b-4aa002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:42.000Z" ,
"modified" : "2016-10-12T07:03:42.000Z" ,
"description" : "Older Batel *.CPL droppers - Xchecked via VT: 298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd" ,
"pattern" : "[file:hashes.SHA1 = '55af5e3c1c5fcee9aeccd19eb19768f268efba5d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04e-e334-4850-af7f-471802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:42.000Z" ,
"modified" : "2016-10-12T07:03:42.000Z" ,
"description" : "Older Batel *.CPL droppers - Xchecked via VT: 298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd" ,
"pattern" : "[file:hashes.MD5 = '966d9e07d1a75fa6867bbf02748c4212']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04f-5340-42e2-a6d0-472e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:43.000Z" ,
"modified" : "2016-10-12T07:03:43.000Z" ,
"first_observed" : "2016-10-12T07:03:43Z" ,
"last_observed" : "2016-10-12T07:03:43Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04f-5340-42e2-a6d0-472e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04f-5340-42e2-a6d0-472e02de0b81" ,
"value" : "https://www.virustotal.com/file/298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd/analysis/1476195265/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04f-aab8-4d00-9c1d-41ef02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:43.000Z" ,
"modified" : "2016-10-12T07:03:43.000Z" ,
"description" : "Older Batel *.CPL droppers - Xchecked via VT: 1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d" ,
"pattern" : "[file:hashes.SHA1 = '2cfc22acaa3fc6660eb058a13cab81b9bd07536a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04f-ee58-4ee9-96ac-4fef02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:43.000Z" ,
"modified" : "2016-10-12T07:03:43.000Z" ,
"description" : "Older Batel *.CPL droppers - Xchecked via VT: 1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d" ,
"pattern" : "[file:hashes.MD5 = '0cf14d472410589c920fb55a97adaab1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde04f-9110-431a-bac5-469f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:43.000Z" ,
"modified" : "2016-10-12T07:03:43.000Z" ,
"first_observed" : "2016-10-12T07:03:43Z" ,
"last_observed" : "2016-10-12T07:03:43Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde04f-9110-431a-bac5-469f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde04f-9110-431a-bac5-469f02de0b81" ,
"value" : "https://www.virustotal.com/file/1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d/analysis/1476213381/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde04f-74c4-4860-8436-4f2702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:43.000Z" ,
"modified" : "2016-10-12T07:03:43.000Z" ,
"description" : "Backdoor.Batel stagers - Xchecked via VT: 1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a" ,
"pattern" : "[file:hashes.SHA1 = 'af062457e4dfbc5256fee58db6eb4873a2c649c1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde050-7ff4-450e-95c6-4b0702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:44.000Z" ,
"modified" : "2016-10-12T07:03:44.000Z" ,
"description" : "Backdoor.Batel stagers - Xchecked via VT: 1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a" ,
"pattern" : "[file:hashes.MD5 = '61054bdfd5220ecc37956c713f126d43']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde050-ba58-41e9-9dcf-404202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:44.000Z" ,
"modified" : "2016-10-12T07:03:44.000Z" ,
"first_observed" : "2016-10-12T07:03:44Z" ,
"last_observed" : "2016-10-12T07:03:44Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde050-ba58-41e9-9dcf-404202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde050-ba58-41e9-9dcf-404202de0b81" ,
"value" : "https://www.virustotal.com/file/1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a/analysis/1475469967/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde050-56e8-4208-b04a-4ff902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:44.000Z" ,
"modified" : "2016-10-12T07:03:44.000Z" ,
"description" : "Backdoor.Batel stagers - Xchecked via VT: 001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746" ,
"pattern" : "[file:hashes.SHA1 = 'c510fc1e20bbf80390c7fce23863608fc2d843a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde050-c154-4baf-be74-42b902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:44.000Z" ,
"modified" : "2016-10-12T07:03:44.000Z" ,
"description" : "Backdoor.Batel stagers - Xchecked via VT: 001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746" ,
"pattern" : "[file:hashes.MD5 = 'd4c1af678b3afa099f21ab5c29065fca']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde050-1704-4d6b-9546-4c0c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:44.000Z" ,
"modified" : "2016-10-12T07:03:44.000Z" ,
"first_observed" : "2016-10-12T07:03:44Z" ,
"last_observed" : "2016-10-12T07:03:44Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde050-1704-4d6b-9546-4c0c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde050-1704-4d6b-9546-4c0c02de0b81" ,
"value" : "https://www.virustotal.com/file/001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746/analysis/1475586974/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde051-1e78-4685-80e6-4cbe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:45.000Z" ,
"modified" : "2016-10-12T07:03:45.000Z" ,
"description" : "Backdoor.Batel RTF document dropper - Xchecked via VT: 21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f" ,
"pattern" : "[file:hashes.SHA1 = 'bb607fec8569a0ec4eec30e37c3e2eeafafb5fab']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde051-6e4c-4510-b5ca-481202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:45.000Z" ,
"modified" : "2016-10-12T07:03:45.000Z" ,
"description" : "Backdoor.Batel RTF document dropper - Xchecked via VT: 21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f" ,
"pattern" : "[file:hashes.MD5 = '1fa19e329bd5f2eaf933c39eba13d869']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde051-5ac4-4296-ba39-44ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:45.000Z" ,
"modified" : "2016-10-12T07:03:45.000Z" ,
"first_observed" : "2016-10-12T07:03:45Z" ,
"last_observed" : "2016-10-12T07:03:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde051-5ac4-4296-ba39-44ed02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde051-5ac4-4296-ba39-44ed02de0b81" ,
"value" : "https://www.virustotal.com/file/21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f/analysis/1471377471/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde051-0c38-4419-bdc2-4fb602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:45.000Z" ,
"modified" : "2016-10-12T07:03:45.000Z" ,
"description" : "SWIFT log suppressors - Xchecked via VT: 84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8" ,
"pattern" : "[file:hashes.SHA1 = 'c31d3002d9f1bebc85b41d4c55a87ea1b797d4d2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde051-7fec-485a-bf27-43ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:45.000Z" ,
"modified" : "2016-10-12T07:03:45.000Z" ,
"description" : "SWIFT log suppressors - Xchecked via VT: 84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8" ,
"pattern" : "[file:hashes.MD5 = '6d355ffa06ae39fc8671cc8ac38f984e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde052-079c-4c27-af94-45ca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:46.000Z" ,
"modified" : "2016-10-12T07:03:46.000Z" ,
"first_observed" : "2016-10-12T07:03:46Z" ,
"last_observed" : "2016-10-12T07:03:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde052-079c-4c27-af94-45ca02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde052-079c-4c27-af94-45ca02de0b81" ,
"value" : "https://www.virustotal.com/file/84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8/analysis/1476234908/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde052-d714-4fcf-9e34-4b3202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:46.000Z" ,
"modified" : "2016-10-12T07:03:46.000Z" ,
"description" : "Odinaff samples - Xchecked via VT: 2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098" ,
"pattern" : "[file:hashes.SHA1 = 'dd913de9bf860b5f33d745413cc08f60d12d64b3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde052-634c-4ce1-8a44-450602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:46.000Z" ,
"modified" : "2016-10-12T07:03:46.000Z" ,
"description" : "Odinaff samples - Xchecked via VT: 2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098" ,
"pattern" : "[file:hashes.MD5 = '5a45366da2a8023464d7ea09fd80ba9f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde052-fcb0-462e-9d5d-46cc02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:46.000Z" ,
"modified" : "2016-10-12T07:03:46.000Z" ,
"first_observed" : "2016-10-12T07:03:46Z" ,
"last_observed" : "2016-10-12T07:03:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde052-fcb0-462e-9d5d-46cc02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde052-fcb0-462e-9d5d-46cc02de0b81" ,
"value" : "https://www.virustotal.com/file/2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098/analysis/1476251166/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde052-31ec-4597-b3d9-476f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:46.000Z" ,
"modified" : "2016-10-12T07:03:46.000Z" ,
"description" : "Odinaff samples - Xchecked via VT: 22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96" ,
"pattern" : "[file:hashes.SHA1 = 'd2951010b16e82c124ec8938f1968a4f3c141995']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde053-d670-45e0-ad52-489402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:47.000Z" ,
"modified" : "2016-10-12T07:03:47.000Z" ,
"description" : "Odinaff samples - Xchecked via VT: 22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96" ,
"pattern" : "[file:hashes.MD5 = '342652dab8a5fb7073a99438abd5d28a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde053-227c-4b6a-a763-41fe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:47.000Z" ,
"modified" : "2016-10-12T07:03:47.000Z" ,
"first_observed" : "2016-10-12T07:03:47Z" ,
"last_observed" : "2016-10-12T07:03:47Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde053-227c-4b6a-a763-41fe02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde053-227c-4b6a-a763-41fe02de0b81" ,
"value" : "https://www.virustotal.com/file/22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96/analysis/1476251715/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde053-8eec-40d3-91c6-4d0802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:47.000Z" ,
"modified" : "2016-10-12T07:03:47.000Z" ,
"description" : "Odinaff document droppers - Xchecked via VT: 60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa" ,
"pattern" : "[file:hashes.SHA1 = '325cf43226632978166765737d8858170d0a56b7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde053-1ac0-4357-92c8-443c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:47.000Z" ,
"modified" : "2016-10-12T07:03:47.000Z" ,
"description" : "Odinaff document droppers - Xchecked via VT: 60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa" ,
"pattern" : "[file:hashes.MD5 = 'a19f48cae862d4e550ca2b54b3395374']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde054-38a4-464a-99a0-402a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:48.000Z" ,
"modified" : "2016-10-12T07:03:48.000Z" ,
"first_observed" : "2016-10-12T07:03:48Z" ,
"last_observed" : "2016-10-12T07:03:48Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde054-38a4-464a-99a0-402a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde054-38a4-464a-99a0-402a02de0b81" ,
"value" : "https://www.virustotal.com/file/60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa/analysis/1473849020/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde054-5d58-4d93-8f12-49da02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:48.000Z" ,
"modified" : "2016-10-12T07:03:48.000Z" ,
"description" : "Odinaff document droppers - Xchecked via VT: 102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990" ,
"pattern" : "[file:hashes.SHA1 = 'f661d7d16b4b73f6dc8452b7b5a598b00a411037']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde054-157c-4f68-9ecb-4bd702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:48.000Z" ,
"modified" : "2016-10-12T07:03:48.000Z" ,
"description" : "Odinaff document droppers - Xchecked via VT: 102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990" ,
"pattern" : "[file:hashes.MD5 = '62659e1c3ab3b1feb85614ec15e1d701']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde054-a1f4-4f89-9d69-479502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:48.000Z" ,
"modified" : "2016-10-12T07:03:48.000Z" ,
"first_observed" : "2016-10-12T07:03:48Z" ,
"last_observed" : "2016-10-12T07:03:48Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde054-a1f4-4f89-9d69-479502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde054-a1f4-4f89-9d69-479502de0b81" ,
"value" : "https://www.virustotal.com/file/102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990/analysis/1476196967/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde055-cdb4-404d-80bd-4cc302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:49.000Z" ,
"modified" : "2016-10-12T07:03:49.000Z" ,
"description" : "Odinaff droppers - Xchecked via VT: c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14" ,
"pattern" : "[file:hashes.SHA1 = '025dd881f20381357f96f1a3e802214a1168a78f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde055-2a2c-470d-9093-4d8b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:49.000Z" ,
"modified" : "2016-10-12T07:03:49.000Z" ,
"description" : "Odinaff droppers - Xchecked via VT: c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14" ,
"pattern" : "[file:hashes.MD5 = '88718cc6c00683af78a6f04e4d977bb9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde055-6d90-475b-837e-4e3002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:49.000Z" ,
"modified" : "2016-10-12T07:03:49.000Z" ,
"first_observed" : "2016-10-12T07:03:49Z" ,
"last_observed" : "2016-10-12T07:03:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde055-6d90-475b-837e-4e3002de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde055-6d90-475b-837e-4e3002de0b81" ,
"value" : "https://www.virustotal.com/file/c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14/analysis/1466577613/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde055-39b8-4c3b-a15c-4f9902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:49.000Z" ,
"modified" : "2016-10-12T07:03:49.000Z" ,
"description" : "Odinaff droppers - Xchecked via VT: f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5" ,
"pattern" : "[file:hashes.SHA1 = '3151247681a1f220aafe11b70580fad7c92ef065']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57fde055-4aac-4898-ab81-4f7502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:49.000Z" ,
"modified" : "2016-10-12T07:03:49.000Z" ,
"description" : "Odinaff droppers - Xchecked via VT: f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5" ,
"pattern" : "[file:hashes.MD5 = 'f425e731d0cee5b49dc4d32b74156b80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-10-12T07:03:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fde056-b2d0-4e81-a161-454502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T07:03:50.000Z" ,
"modified" : "2016-10-12T07:03:50.000Z" ,
"first_observed" : "2016-10-12T07:03:50Z" ,
"last_observed" : "2016-10-12T07:03:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fde056-b2d0-4e81-a161-454502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fde056-b2d0-4e81-a161-454502de0b81" ,
"value" : "https://www.virustotal.com/file/f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5/analysis/1476193606/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57fdf198-5894-4cdf-9b84-4487950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-10-12T08:17:28.000Z" ,
"modified" : "2016-10-12T08:17:28.000Z" ,
"first_observed" : "2016-10-12T08:17:28Z" ,
"last_observed" : "2016-10-12T08:17:28Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57fdf198-5894-4cdf-9b84-4487950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57fdf198-5894-4cdf-9b84-4487950d210f" ,
"value" : "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}