2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--58dcfe62-ed84-4e5e-b293-4991950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-04-28T18:23:44.000Z" ,
"modified" : "2017-04-28T18:23:44.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--58dcfe62-ed84-4e5e-b293-4991950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-04-28T18:23:44.000Z" ,
"modified" : "2017-04-28T18:23:44.000Z" ,
"name" : "OSINT - Carbon Paper: Peering into Turla\u00e2\u20ac\u2122s second stage backdoor" ,
"published" : "2017-04-28T20:02:31Z" ,
"object_refs" : [
"observed-data--58dcfe9d-297c-4342-9155-42b6950d210f" ,
"url--58dcfe9d-297c-4342-9155-42b6950d210f" ,
"x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f" ,
"indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f" ,
"indicator--58dcfefa-f510-40f2-89a7-4b17950d210f" ,
"indicator--58dcfefa-25e0-413a-9a20-45b9950d210f" ,
"indicator--58dcfefb-62cc-407b-8f80-469b950d210f" ,
"indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f" ,
"indicator--58dcfefd-d154-4651-8701-43e1950d210f" ,
"indicator--58dcfefe-4d10-40ba-b545-486f950d210f" ,
"indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f" ,
"indicator--58dcfeff-6fac-4823-aab5-42c6950d210f" ,
"indicator--58dcff00-b88c-4883-808c-409b950d210f" ,
"indicator--58dcff01-9700-41b4-9edd-4ef4950d210f" ,
"indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f" ,
"indicator--58dcff03-df24-4707-97e5-4199950d210f" ,
"indicator--58dcff04-7f1c-4262-9be6-4692950d210f" ,
"indicator--58dcff04-eb80-4341-85fb-44a7950d210f" ,
"indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f" ,
"indicator--58dcff06-9a44-4ae6-847b-45ae950d210f" ,
"indicator--58dcff07-2680-4a30-b9d7-4011950d210f" ,
"indicator--58dcff08-1a34-4739-8962-4427950d210f" ,
"indicator--58dcff09-929c-4759-9bb9-41ea950d210f" ,
"indicator--58dcff09-ca80-4976-8dcc-402b950d210f" ,
"indicator--58dcff0a-1624-4412-a929-4c3a950d210f" ,
"indicator--58dcff0b-ee34-4335-909c-4b7e950d210f" ,
"indicator--58dcff6e-1954-4818-a306-44d9950d210f" ,
"indicator--58dcff6f-9334-4ff6-974f-41de950d210f" ,
"indicator--58dcff70-0fb0-4437-9781-4b6e950d210f" ,
"indicator--58dcff71-7df8-45e7-8147-43a9950d210f" ,
"indicator--58dcff72-f5c0-4a48-905e-449a950d210f" ,
"indicator--58dcff73-fb90-4c4e-9f60-4227950d210f" ,
"indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f" ,
"indicator--58dcffbe-0f98-439c-a916-4524950d210f" ,
"indicator--58dcffdf-e07c-4be4-b0af-4180950d210f" ,
"indicator--58dd0020-5a10-4542-bdee-436202de0b81" ,
"indicator--58dd0021-383c-416f-9302-4ba602de0b81" ,
"observed-data--58dd0021-2968-4da8-bfcb-481702de0b81" ,
"url--58dd0021-2968-4da8-bfcb-481702de0b81" ,
"indicator--58dd0022-213c-42a4-9fac-460602de0b81" ,
"indicator--58dd0023-17f4-444c-89ca-428302de0b81" ,
"observed-data--58dd0024-6ac8-434b-877c-430c02de0b81" ,
"url--58dd0024-6ac8-434b-877c-430c02de0b81" ,
"indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81" ,
"indicator--58dd0026-146c-465b-acd3-434502de0b81" ,
"observed-data--58dd0027-e934-4d33-a983-412202de0b81" ,
"url--58dd0027-e934-4d33-a983-412202de0b81" ,
"indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81" ,
"indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81" ,
"observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81" ,
"url--58dd002a-5acc-4d51-b75b-468e02de0b81" ,
"indicator--58dd002a-f7b4-4527-853e-4fa002de0b81" ,
"indicator--58dd002b-43c4-483a-b84e-4f0202de0b81" ,
"observed-data--58dd002c-2a44-4162-8831-449d02de0b81" ,
"url--58dd002c-2a44-4162-8831-449d02de0b81" ,
"indicator--58dd002d-ee14-4e08-83e8-468b02de0b81" ,
"indicator--58dd002e-38d0-496d-b553-488302de0b81" ,
"observed-data--58dd002f-e984-4cc5-93e2-427202de0b81" ,
"url--58dd002f-e984-4cc5-93e2-427202de0b81" ,
"indicator--58dd0030-18bc-45aa-9365-4a3502de0b81" ,
"indicator--58dd0030-6898-4767-9ad6-4ea602de0b81" ,
"observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81" ,
"url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81" ,
"indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81" ,
"indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81" ,
"observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81" ,
"url--58dd0034-c460-4ba5-b29d-44c802de0b81" ,
"indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81" ,
"indicator--58dd0035-62f8-4558-9033-4e4302de0b81" ,
"observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81" ,
"url--58dd0036-68cc-4f5f-a571-4a3802de0b81" ,
"indicator--58dd0037-8088-49e9-944f-45ff02de0b81" ,
"indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81" ,
"observed-data--58dd0039-0208-4066-bc11-4eb502de0b81" ,
"url--58dd0039-0208-4066-bc11-4eb502de0b81" ,
"indicator--58dd003a-b738-4acc-a32b-470c02de0b81" ,
"indicator--58dd003b-134c-47ef-9ec6-431402de0b81" ,
"observed-data--58dd003c-06e4-456b-b541-4a0302de0b81" ,
"url--58dd003c-06e4-456b-b541-4a0302de0b81" ,
"indicator--58dd003d-9d0c-4261-9263-492e02de0b81" ,
"indicator--58dd003d-866c-493e-ab08-42ad02de0b81" ,
"observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81" ,
"url--58dd003e-eca8-4aaa-ae60-4cca02de0b81" ,
"indicator--58dd003f-e27c-4949-aab7-490c02de0b81" ,
"indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81" ,
"observed-data--58dd0041-f364-447a-82a3-423c02de0b81" ,
"url--58dd0041-f364-447a-82a3-423c02de0b81" ,
"indicator--58dd0042-ff94-4d44-8926-42b202de0b81" ,
"indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81" ,
"observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81" ,
"url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81" ,
"indicator--58dd0045-00c8-447f-b23a-4da402de0b81" ,
"indicator--58dd0045-20e4-4b68-8b47-44a502de0b81" ,
"observed-data--58dd0046-5560-49b6-8f5d-428102de0b81" ,
"url--58dd0046-5560-49b6-8f5d-428102de0b81" ,
"indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81" ,
"indicator--58dd0048-f4bc-4507-9132-475902de0b81" ,
"observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81" ,
"url--58dd0049-3be8-4d8a-8293-4d8d02de0b81" ,
"indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81" ,
"indicator--58dd004b-5b70-47be-a686-4e3002de0b81" ,
"observed-data--58dd004b-4d28-44d7-9414-425902de0b81" ,
"url--58dd004b-4d28-44d7-9414-425902de0b81" ,
"indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81" ,
"indicator--58dd004d-5b4c-46b6-8974-40c602de0b81" ,
"observed-data--58dd004e-33e8-45a4-825d-491d02de0b81" ,
"url--58dd004e-33e8-45a4-825d-491d02de0b81" ,
"indicator--58dd004f-1e20-4e75-8e21-477f02de0b81" ,
"indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81" ,
"observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81" ,
"url--58dd0051-ce8c-4059-9ecb-476902de0b81" ,
"indicator--58dd0052-8e84-4b91-908a-40af02de0b81" ,
"indicator--58dd0052-8680-469f-8cbb-4f3802de0b81" ,
"observed-data--58dd0053-5978-4766-94a4-468f02de0b81" ,
"url--58dd0053-5978-4766-94a4-468f02de0b81" ,
"indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81" ,
"indicator--58dd0055-b800-4361-9aa0-47be02de0b81" ,
"observed-data--58dd0056-6e74-43d5-b58b-494802de0b81" ,
"url--58dd0056-6e74-43d5-b58b-494802de0b81" ,
"indicator--58dd0057-5a14-4f5d-884b-490202de0b81" ,
"indicator--58dd0057-cde0-4faa-a196-4a6302de0b81" ,
"observed-data--58dd0058-dcd4-4271-8e57-432702de0b81" ,
"url--58dd0058-dcd4-4271-8e57-432702de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:tool=\"Turla\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dcfe9d-297c-4342-9155-42b6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"first_observed" : "2017-03-30T12:54:26Z" ,
"last_observed" : "2017-03-30T12:54:26Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dcfe9d-297c-4342-9155-42b6950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dcfe9d-297c-4342-9155-42b6950d210f" ,
"value" : "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.\r\n\r\nThis blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.\r\n\r\nLooking at the different versions numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see the new versions are pushed out regularly. The group is also known to change its tools once they are exposed. As such, we have seen that between two major versions, mutexes and file names are being changed."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefa-f510-40f2-89a7-4b17950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = 'a08b8371ead1919500a4759c2f46553620d5a9d9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefa-25e0-413a-9a20-45b9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '4636dccac5acf1d95a474747bb7bcd9b1a506cc3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefb-62cc-407b-8f80-469b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = 'cbde204e7641830017bb84b89223131b2126bc46']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '1ad46547e3dc264f940bf62df455b26e65b0101f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefd-d154-4651-8701-43e1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = 'a28164de29e51f154be12d163ce5818fceb69233']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfefe-4d10-40ba-b545-486f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '7c43f5df784bf50423620d8f1c96e43d8d9a9b28']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '7ce746bb988cb3b7e64f08174bdb02938555ea53']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcfeff-6fac-4823-aab5-42c6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '20393222d4eb1ba72a6536f7e67e139aadfa47fe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff00-b88c-4883-808c-409b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '1dbfcb9005abb2c83ffa6a3127257a009612798c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff01-9700-41b4-9edd-4ef4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '2f7e335e092e04f3f4734b60c5345003d10aa15d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '311f399c299741e80db8bec65bbf4b56109eedaf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff03-df24-4707-97e5-4199950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = 'fbc43636e3c9378162f3b9712cb6d87bd48ddbd3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff04-7f1c-4262-9be6-4692950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '554f59c1578f4ee77dbba6a23507401359a59f23']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff04-eb80-4341-85fb-44a7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '2227fd6fc9d669a9b66c59593533750477669557']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '87d718f2d6e46c53490c6a22de399c13f05336f0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff06-9a44-4ae6-847b-45ae950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '1b233af41106d7915f6fa6fd1448b7f070b47eb3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff07-2680-4a30-b9d7-4011950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '851e538357598ed96f0123b47694e25c2d52552b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff08-1a34-4739-8962-4427950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '744b43d8c0fe8b217acf0494ad992df6d5191ed9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff09-929c-4759-9bb9-41ea950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = 'bcf52240cc7940185ce424224d39564257610340']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff09-ca80-4976-8dcc-402b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '777e2695ae408e1578a16991373144333732c3f6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff0a-1624-4412-a929-4c3a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '56b5627debb93790fdbcc9ecbffc3260adeafbab']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff0b-ee34-4335-909c-4b7e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "Carbon sample" ,
"pattern" : "[file:hashes.SHA1 = '678d486e21b001deb58353ca0255e3e5678f9614']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff6e-1954-4818-a306-44d9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://soheylistore.ir:80:/modules/mod_feed/feed.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff6f-9334-4ff6-974f-41de950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://tazohor.com:80:/wp-includes/feed-rss-comments.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff70-0fb0-4437-9781-4b6e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://jucheafrica.com:80:/wp-includes/class-wp-edit.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff71-7df8-45e7-8147-43a9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://61paris.fr:80:/wp-includes/ms-set.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff72-f5c0-4a48-905e-449a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://doctorshand.org:80:/wp-content/about/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcff73-fb90-4c4e-9f60-4227950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"description" : "C&C server addresses (hacked websites used as 1st level of proxies" ,
"pattern" : "[url:value = 'http://www.lasac.eu:80:/credit_payment/url/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"pattern" : "[rule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153SERVICE.EXE\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSIMGHLP.DLL\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSXIML.DLL\u00e2\u20ac\u009d)\r\nand pe.version_info[\u00e2\u20ac\u0153CompanyName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153Microsoft Corporation\u00e2\u20ac\u009d\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcffbe-0f98-439c-a916-4524950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:26.000Z" ,
"modified" : "2017-03-30T12:54:26.000Z" ,
"pattern" : "[rule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u00e2\u20ac\u0153ModStart\u00e2\u20ac\u009d\r\n$s2 = \u00e2\u20ac\u0153ModuleStart\u00e2\u20ac\u009d\r\n$t1 = \u00e2\u20ac\u0153STOP|OK\u00e2\u20ac\u009d\r\n$t2 = \u00e2\u20ac\u0153STOP|KILL\u00e2\u20ac\u009d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dcffdf-e07c-4be4-b0af-4180950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-04-28T18:23:44.000Z" ,
"modified" : "2017-04-28T18:23:44.000Z" ,
"pattern" : "[import \"pe\"\r\nimport \"hash\"\r\n\r\nrule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u00e2\u20ac\u0153ModStart\u00e2\u20ac\u009d\r\n$s2 = \u00e2\u20ac\u0153STOP|OK\u00e2\u20ac\u009d\r\n$s3 = \u00e2\u20ac\u0153STOP|KILL\u00e2\u20ac\u009d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and all of them\r\n}\r\n\r\nrule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153SERVICE.EXE\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSIMGHLP.DLL\u00e2\u20ac\u009d or\r\npe.version_info[\u00e2\u20ac\u0153InternalName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153MSXIML.DLL\u00e2\u20ac\u009d)\r\nand pe.version_info[\u00e2\u20ac\u0153CompanyName\u00e2\u20ac\u009d] contains \u00e2\u20ac\u0153Microsoft Corporation\u00e2\u20ac\u009d\r\nand not (tags contains \u00e2\u20ac\u0153signed\u00e2\u20ac\u009d)\r\n}\r\n\r\nrule carbon_2016_filenames\r\n{\r\ncondition:\r\nfile_name contains \u00e2\u20ac\u0153wkstrend.xml\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153cifrado.xml\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153fsbootfail.dat\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153encodebase.inf\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153zcerterror.png\u00e2\u20ac\u009d or\r\nfile_name contains \u00e2\u20ac\u0153mkfieldsec.dll\u00e2\u20ac\u009d\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-04-28T18:23:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0020-5a10-4542-bdee-436202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:56.000Z" ,
"modified" : "2017-03-30T12:54:56.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab" ,
"pattern" : "[file:hashes.SHA256 = 'af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0021-383c-416f-9302-4ba602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:57.000Z" ,
"modified" : "2017-03-30T12:54:57.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab" ,
"pattern" : "[file:hashes.MD5 = '4085820a53a7f8dd58d4ba5ecf94e42b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0021-2968-4da8-bfcb-481702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:57.000Z" ,
"modified" : "2017-03-30T12:54:57.000Z" ,
"first_observed" : "2017-03-30T12:54:57Z" ,
"last_observed" : "2017-03-30T12:54:57Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0021-2968-4da8-bfcb-481702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0021-2968-4da8-bfcb-481702de0b81" ,
"value" : "https://www.virustotal.com/file/af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4/analysis/1459899966/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0022-213c-42a4-9fac-460602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:58.000Z" ,
"modified" : "2017-03-30T12:54:58.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6" ,
"pattern" : "[file:hashes.SHA256 = '050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0023-17f4-444c-89ca-428302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:54:59.000Z" ,
"modified" : "2017-03-30T12:54:59.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6" ,
"pattern" : "[file:hashes.MD5 = '1fb407a20373f3970f08d3f3c086841d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:54:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0024-6ac8-434b-877c-430c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:00.000Z" ,
"modified" : "2017-03-30T12:55:00.000Z" ,
"first_observed" : "2017-03-30T12:55:00Z" ,
"last_observed" : "2017-03-30T12:55:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0024-6ac8-434b-877c-430c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0024-6ac8-434b-877c-430c02de0b81" ,
"value" : "https://www.virustotal.com/file/050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a/analysis/1487311234/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:01.000Z" ,
"modified" : "2017-03-30T12:55:01.000Z" ,
"description" : "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340" ,
"pattern" : "[file:hashes.SHA256 = '2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0026-146c-465b-acd3-434502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:02.000Z" ,
"modified" : "2017-03-30T12:55:02.000Z" ,
"description" : "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340" ,
"pattern" : "[file:hashes.MD5 = '13a81d857610d05f387c1aa86b4b49b9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0027-e934-4d33-a983-412202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:03.000Z" ,
"modified" : "2017-03-30T12:55:03.000Z" ,
"first_observed" : "2017-03-30T12:55:03Z" ,
"last_observed" : "2017-03-30T12:55:03Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0027-e934-4d33-a983-412202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0027-e934-4d33-a983-412202de0b81" ,
"value" : "https://www.virustotal.com/file/2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47/analysis/1460698324/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:04.000Z" ,
"modified" : "2017-03-30T12:55:04.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9" ,
"pattern" : "[file:hashes.SHA256 = '995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:05.000Z" ,
"modified" : "2017-03-30T12:55:05.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9" ,
"pattern" : "[file:hashes.MD5 = '278e56c4b171d4d8799b9a77c31e4484']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:06.000Z" ,
"modified" : "2017-03-30T12:55:06.000Z" ,
"first_observed" : "2017-03-30T12:55:06Z" ,
"last_observed" : "2017-03-30T12:55:06Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd002a-5acc-4d51-b75b-468e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd002a-5acc-4d51-b75b-468e02de0b81" ,
"value" : "https://www.virustotal.com/file/995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16/analysis/1460698430/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd002a-f7b4-4527-853e-4fa002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:06.000Z" ,
"modified" : "2017-03-30T12:55:06.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b" ,
"pattern" : "[file:hashes.SHA256 = 'c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd002b-43c4-483a-b84e-4f0202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:07.000Z" ,
"modified" : "2017-03-30T12:55:07.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b" ,
"pattern" : "[file:hashes.MD5 = '3b28045c0636f455a3fdf75bd44256ba']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd002c-2a44-4162-8831-449d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:08.000Z" ,
"modified" : "2017-03-30T12:55:08.000Z" ,
"first_observed" : "2017-03-30T12:55:08Z" ,
"last_observed" : "2017-03-30T12:55:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd002c-2a44-4162-8831-449d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd002c-2a44-4162-8831-449d02de0b81" ,
"value" : "https://www.virustotal.com/file/c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47/analysis/1460104267/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd002d-ee14-4e08-83e8-468b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:09.000Z" ,
"modified" : "2017-03-30T12:55:09.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3" ,
"pattern" : "[file:hashes.SHA256 = 'd581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd002e-38d0-496d-b553-488302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:10.000Z" ,
"modified" : "2017-03-30T12:55:10.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3" ,
"pattern" : "[file:hashes.MD5 = '1c84038a7aac6342894d5896a390913d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd002f-e984-4cc5-93e2-427202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:11.000Z" ,
"modified" : "2017-03-30T12:55:11.000Z" ,
"first_observed" : "2017-03-30T12:55:11Z" ,
"last_observed" : "2017-03-30T12:55:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd002f-e984-4cc5-93e2-427202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd002f-e984-4cc5-93e2-427202de0b81" ,
"value" : "https://www.virustotal.com/file/d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db/analysis/1463398122/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0030-18bc-45aa-9365-4a3502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:12.000Z" ,
"modified" : "2017-03-30T12:55:12.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0" ,
"pattern" : "[file:hashes.SHA256 = '7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0030-6898-4767-9ad6-4ea602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:12.000Z" ,
"modified" : "2017-03-30T12:55:12.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0" ,
"pattern" : "[file:hashes.MD5 = 'ea23d67e41d1f0a7f7e7a8b59e7cb60f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:13.000Z" ,
"modified" : "2017-03-30T12:55:13.000Z" ,
"first_observed" : "2017-03-30T12:55:13Z" ,
"last_observed" : "2017-03-30T12:55:13Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81" ,
"value" : "https://www.virustotal.com/file/7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121/analysis/1490735057/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:14.000Z" ,
"modified" : "2017-03-30T12:55:14.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557" ,
"pattern" : "[file:hashes.SHA256 = '9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:15.000Z" ,
"modified" : "2017-03-30T12:55:15.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557" ,
"pattern" : "[file:hashes.MD5 = 'd115532ed6189b3f74569f8012efe110']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:16.000Z" ,
"modified" : "2017-03-30T12:55:16.000Z" ,
"first_observed" : "2017-03-30T12:55:16Z" ,
"last_observed" : "2017-03-30T12:55:16Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0034-c460-4ba5-b29d-44c802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0034-c460-4ba5-b29d-44c802de0b81" ,
"value" : "https://www.virustotal.com/file/9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839/analysis/1463724060/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:17.000Z" ,
"modified" : "2017-03-30T12:55:17.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23" ,
"pattern" : "[file:hashes.SHA256 = 'd1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0035-62f8-4558-9033-4e4302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:17.000Z" ,
"modified" : "2017-03-30T12:55:17.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23" ,
"pattern" : "[file:hashes.MD5 = '21802eb06e2b05b5db40381f296d67ad']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:18.000Z" ,
"modified" : "2017-03-30T12:55:18.000Z" ,
"first_observed" : "2017-03-30T12:55:18Z" ,
"last_observed" : "2017-03-30T12:55:18Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0036-68cc-4f5f-a571-4a3802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0036-68cc-4f5f-a571-4a3802de0b81" ,
"value" : "https://www.virustotal.com/file/d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19/analysis/1487239958/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0037-8088-49e9-944f-45ff02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:19.000Z" ,
"modified" : "2017-03-30T12:55:19.000Z" ,
"description" : "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3" ,
"pattern" : "[file:hashes.SHA256 = 'e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:20.000Z" ,
"modified" : "2017-03-30T12:55:20.000Z" ,
"description" : "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3" ,
"pattern" : "[file:hashes.MD5 = 'b4096859121998c065896d3d19e46e50']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0039-0208-4066-bc11-4eb502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:21.000Z" ,
"modified" : "2017-03-30T12:55:21.000Z" ,
"first_observed" : "2017-03-30T12:55:21Z" ,
"last_observed" : "2017-03-30T12:55:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0039-0208-4066-bc11-4eb502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0039-0208-4066-bc11-4eb502de0b81" ,
"value" : "https://www.virustotal.com/file/e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed/analysis/1487240002/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd003a-b738-4acc-a32b-470c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:22.000Z" ,
"modified" : "2017-03-30T12:55:22.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf" ,
"pattern" : "[file:hashes.SHA256 = 'c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd003b-134c-47ef-9ec6-431402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:23.000Z" ,
"modified" : "2017-03-30T12:55:23.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf" ,
"pattern" : "[file:hashes.MD5 = '4ae7e6011b550372d2a73ab3b4d67096']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd003c-06e4-456b-b541-4a0302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:24.000Z" ,
"modified" : "2017-03-30T12:55:24.000Z" ,
"first_observed" : "2017-03-30T12:55:24Z" ,
"last_observed" : "2017-03-30T12:55:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd003c-06e4-456b-b541-4a0302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd003c-06e4-456b-b541-4a0302de0b81" ,
"value" : "https://www.virustotal.com/file/c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0/analysis/1472552183/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd003d-9d0c-4261-9263-492e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:25.000Z" ,
"modified" : "2017-03-30T12:55:25.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d" ,
"pattern" : "[file:hashes.SHA256 = '1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd003d-866c-493e-ab08-42ad02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:25.000Z" ,
"modified" : "2017-03-30T12:55:25.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d" ,
"pattern" : "[file:hashes.MD5 = '244505129d96be57134cb00f27d4359c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:26.000Z" ,
"modified" : "2017-03-30T12:55:26.000Z" ,
"first_observed" : "2017-03-30T12:55:26Z" ,
"last_observed" : "2017-03-30T12:55:26Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd003e-eca8-4aaa-ae60-4cca02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd003e-eca8-4aaa-ae60-4cca02de0b81" ,
"value" : "https://www.virustotal.com/file/1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72/analysis/1472508860/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd003f-e27c-4949-aab7-490c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:27.000Z" ,
"modified" : "2017-03-30T12:55:27.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c" ,
"pattern" : "[file:hashes.SHA256 = '31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:28.000Z" ,
"modified" : "2017-03-30T12:55:28.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c" ,
"pattern" : "[file:hashes.MD5 = '91a5594343b47462ebd6266a9c40abbe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0041-f364-447a-82a3-423c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:29.000Z" ,
"modified" : "2017-03-30T12:55:29.000Z" ,
"first_observed" : "2017-03-30T12:55:29Z" ,
"last_observed" : "2017-03-30T12:55:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0041-f364-447a-82a3-423c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0041-f364-447a-82a3-423c02de0b81" ,
"value" : "https://www.virustotal.com/file/31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566/analysis/1487311644/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0042-ff94-4d44-8926-42b202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:30.000Z" ,
"modified" : "2017-03-30T12:55:30.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe" ,
"pattern" : "[file:hashes.SHA256 = 'ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:31.000Z" ,
"modified" : "2017-03-30T12:55:31.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe" ,
"pattern" : "[file:hashes.MD5 = 'df230db9bddf200b24d8744ad84d80e8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:32.000Z" ,
"modified" : "2017-03-30T12:55:32.000Z" ,
"first_observed" : "2017-03-30T12:55:32Z" ,
"last_observed" : "2017-03-30T12:55:32Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81" ,
"value" : "https://www.virustotal.com/file/ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f/analysis/1482320204/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0045-00c8-447f-b23a-4da402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:33.000Z" ,
"modified" : "2017-03-30T12:55:33.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53" ,
"pattern" : "[file:hashes.SHA256 = '8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0045-20e4-4b68-8b47-44a502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:33.000Z" ,
"modified" : "2017-03-30T12:55:33.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53" ,
"pattern" : "[file:hashes.MD5 = '554450c1ecb925693fedbb9e56702646']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0046-5560-49b6-8f5d-428102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:34.000Z" ,
"modified" : "2017-03-30T12:55:34.000Z" ,
"first_observed" : "2017-03-30T12:55:34Z" ,
"last_observed" : "2017-03-30T12:55:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0046-5560-49b6-8f5d-428102de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0046-5560-49b6-8f5d-428102de0b81" ,
"value" : "https://www.virustotal.com/file/8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb/analysis/1472540442/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:35.000Z" ,
"modified" : "2017-03-30T12:55:35.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28" ,
"pattern" : "[file:hashes.SHA256 = 'ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0048-f4bc-4507-9132-475902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:36.000Z" ,
"modified" : "2017-03-30T12:55:36.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28" ,
"pattern" : "[file:hashes.MD5 = 'e6d1dcc6c2601e592f2b03f35b06fa8f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:37.000Z" ,
"modified" : "2017-03-30T12:55:37.000Z" ,
"first_observed" : "2017-03-30T12:55:37Z" ,
"last_observed" : "2017-03-30T12:55:37Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0049-3be8-4d8a-8293-4d8d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0049-3be8-4d8a-8293-4d8d02de0b81" ,
"value" : "https://www.virustotal.com/file/ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45/analysis/1472563917/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:38.000Z" ,
"modified" : "2017-03-30T12:55:38.000Z" ,
"description" : "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233" ,
"pattern" : "[file:hashes.SHA256 = '1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd004b-5b70-47be-a686-4e3002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:39.000Z" ,
"modified" : "2017-03-30T12:55:39.000Z" ,
"description" : "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233" ,
"pattern" : "[file:hashes.MD5 = '43e896ede6fe025ee90f7f27c6d376a4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd004b-4d28-44d7-9414-425902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:39.000Z" ,
"modified" : "2017-03-30T12:55:39.000Z" ,
"first_observed" : "2017-03-30T12:55:39Z" ,
"last_observed" : "2017-03-30T12:55:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd004b-4d28-44d7-9414-425902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd004b-4d28-44d7-9414-425902de0b81" ,
"value" : "https://www.virustotal.com/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/1484282511/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:40.000Z" ,
"modified" : "2017-03-30T12:55:40.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f" ,
"pattern" : "[file:hashes.SHA256 = '02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd004d-5b4c-46b6-8974-40c602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:41.000Z" ,
"modified" : "2017-03-30T12:55:41.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f" ,
"pattern" : "[file:hashes.MD5 = '4c1017de62ea4788c7c8058a8f825a2d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd004e-33e8-45a4-825d-491d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:42.000Z" ,
"modified" : "2017-03-30T12:55:42.000Z" ,
"first_observed" : "2017-03-30T12:55:42Z" ,
"last_observed" : "2017-03-30T12:55:42Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd004e-33e8-45a4-825d-491d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd004e-33e8-45a4-825d-491d02de0b81" ,
"value" : "https://www.virustotal.com/file/02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198/analysis/1487306753/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd004f-1e20-4e75-8e21-477f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:43.000Z" ,
"modified" : "2017-03-30T12:55:43.000Z" ,
"description" : "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46" ,
"pattern" : "[file:hashes.SHA256 = '3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:44.000Z" ,
"modified" : "2017-03-30T12:55:44.000Z" ,
"description" : "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46" ,
"pattern" : "[file:hashes.MD5 = 'cb1b68d9971c2353c2d6a8119c49b51f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:45.000Z" ,
"modified" : "2017-03-30T12:55:45.000Z" ,
"first_observed" : "2017-03-30T12:55:45Z" ,
"last_observed" : "2017-03-30T12:55:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0051-ce8c-4059-9ecb-476902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0051-ce8c-4059-9ecb-476902de0b81" ,
"value" : "https://www.virustotal.com/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/1490734934/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0052-8e84-4b91-908a-40af02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:46.000Z" ,
"modified" : "2017-03-30T12:55:46.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3" ,
"pattern" : "[file:hashes.SHA256 = '0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0052-8680-469f-8cbb-4f3802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:46.000Z" ,
"modified" : "2017-03-30T12:55:46.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3" ,
"pattern" : "[file:hashes.MD5 = '7ddee9311d7ab2d548e9b252383863ef']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0053-5978-4766-94a4-468f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:47.000Z" ,
"modified" : "2017-03-30T12:55:47.000Z" ,
"first_observed" : "2017-03-30T12:55:47Z" ,
"last_observed" : "2017-03-30T12:55:47Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0053-5978-4766-94a4-468f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0053-5978-4766-94a4-468f02de0b81" ,
"value" : "https://www.virustotal.com/file/0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65/analysis/1485875623/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:48.000Z" ,
"modified" : "2017-03-30T12:55:48.000Z" ,
"description" : "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9" ,
"pattern" : "[file:hashes.SHA256 = '7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0055-b800-4361-9aa0-47be02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:49.000Z" ,
"modified" : "2017-03-30T12:55:49.000Z" ,
"description" : "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9" ,
"pattern" : "[file:hashes.MD5 = 'e664b6f5f50d1a7991e254e5e81a683f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0056-6e74-43d5-b58b-494802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:50.000Z" ,
"modified" : "2017-03-30T12:55:50.000Z" ,
"first_observed" : "2017-03-30T12:55:50Z" ,
"last_observed" : "2017-03-30T12:55:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0056-6e74-43d5-b58b-494802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0056-6e74-43d5-b58b-494802de0b81" ,
"value" : "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0057-5a14-4f5d-884b-490202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:51.000Z" ,
"modified" : "2017-03-30T12:55:51.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b" ,
"pattern" : "[file:hashes.SHA256 = 'aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58dd0057-cde0-4faa-a196-4a6302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:51.000Z" ,
"modified" : "2017-03-30T12:55:51.000Z" ,
"description" : "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b" ,
"pattern" : "[file:hashes.MD5 = '213ca4db4c2abd3b631da00c299d75ef']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-03-30T12:55:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58dd0058-dcd4-4271-8e57-432702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-03-30T12:55:52.000Z" ,
"modified" : "2017-03-30T12:55:52.000Z" ,
"first_observed" : "2017-03-30T12:55:52Z" ,
"last_observed" : "2017-03-30T12:55:52Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58dd0058-dcd4-4271-8e57-432702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58dd0058-dcd4-4271-8e57-432702de0b81" ,
"value" : "https://www.virustotal.com/file/aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c/analysis/1487398090/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}