{
"type": "bundle",
"id": "bundle--5b2ccc9d-6f68-4295-86f4-47fd950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-25T13:43:49.000Z",
"modified": "2018-06-25T13:43:49.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5b2ccc9d-6f68-4295-86f4-47fd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-25T13:43:49.000Z",
"modified": "2018-06-25T13:43:49.000Z",
"name": "OSINT - GZipDe: An Encrypted Downloader Serving Metasploit",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5b2cccb1-8ed0-4df0-97c0-41d5950d210f",
"url--5b2cccb1-8ed0-4df0-97c0-41d5950d210f",
"x-misp-attribute--5b2cccc5-17d8-4ba2-b4df-403e950d210f",
"observed-data--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"file--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"artifact--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"indicator--5b2cd80f-2a5c-4d93-bf64-4fbc950d210f",
"indicator--5b2cd81e-0d14-4439-9a24-497f950d210f",
"indicator--5b2cf38f-6c54-40a0-8875-499a950d210f",
"indicator--5b2cfc1c-6040-4cc1-95da-4d56950d210f",
"indicator--5b2cfc6e-7fc8-45fe-9266-4fef950d210f",
"indicator--5b2cce26-9a8c-4a25-b350-43e2950d210f",
"indicator--5b2cee98-5da0-4606-882d-44e1950d210f",
"indicator--5b2cf76a-036c-4c69-b4a8-4b12950d210f",
"indicator--5b2cf897-f024-40ae-aa28-40fa950d210f",
"indicator--5b2ce98e-aa64-4a50-ad47-f54e950d210f",
"relationship--f714b8f5-7043-4974-8709-27e1e527150f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"",
"workflow:todo=\"expansion\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b2cccb1-8ed0-4df0-97c0-41d5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-25T12:53:43.000Z",
"modified": "2018-06-25T12:53:43.000Z",
"first_observed": "2018-06-25T12:53:43Z",
"last_observed": "2018-06-25T12:53:43Z",
"number_observed": 1,
"object_refs": [
"url--5b2cccb1-8ed0-4df0-97c0-41d5950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b2cccb1-8ed0-4df0-97c0-41d5950d210f",
"value": "https://www.alienvault.com/blogs/labs-research/gzipde-an-encrypted-downloader-serving-metasploit"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b2cccc5-17d8-4ba2-b4df-403e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-25T12:53:51.000Z",
"modified": "2018-06-25T12:53:51.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy:"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T10:29:16.000Z",
"modified": "2018-06-22T10:29:16.000Z",
"first_observed": "2018-06-22T10:29:16Z",
"last_observed": "2018-06-22T10:29:16Z",
"number_observed": 1,
"object_refs": [
"file--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"artifact--5b2ccf7c-784c-4e3e-a718-4933950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"name": "GZipDe_malicious_document.png",
"content_ref": "artifact--5b2ccf7c-784c-4e3e-a718-4933950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5b2ccf7c-784c-4e3e-a718-4933950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cd80f-2a5c-4d93-bf64-4fbc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T11:05:51.000Z",
"modified": "2018-06-22T11:05:51.000Z",
"pattern": "[url:value = 'http://118.193.251.137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T11:05:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cd81e-0d14-4439-9a24-497f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T11:06:06.000Z",
"modified": "2018-06-22T11:06:06.000Z",
"pattern": "[url:value = 'http://118.193.251.137/dropbox/?p=BT67HU78HZ']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T11:06:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cf38f-6c54-40a0-8875-499a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:03:11.000Z",
"modified": "2018-06-22T13:03:11.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '175.194.42.8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:03:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cfc1c-6040-4cc1-95da-4d56950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:39:40.000Z",
"modified": "2018-06-22T13:39:40.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.251.137']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cfc6e-7fc8-45fe-9266-4fef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:41:02.000Z",
"modified": "2018-06-22T13:41:02.000Z",
"pattern": "[rule gzipde_hunt {\r\n\r\n meta:\r\n\r\n author = \"AlienVault Labs\"\r\n\r\n description = \"Hunt rule to identify files related to Gzipde\"\r\n\r\n copyright = \"Alienvault Inc. 2018\"\r\n\r\n reference = \"https://otx.alienvault.com/pulse/5b239254174e5d5edab34e05\"\r\n\r\n strings:\r\n\r\n $a = \"118.193.251.137\" nocase wide ascii\r\n\r\n $b = \"BT67HU78HZ\" nocase wide ascii\r\n\r\n $c = \"2E0EB747-BE46-441A-A8B1-97AB27B49EC5\" nocase wide ascii\r\n\r\n $d = \"gzipde.pdb\" nocase wide ascii\r\n\r\n $e = \"C:\\\\Users\\\\jhon\\\\Documents\\\\Visual Studio 2008\" nocase wide ascii\r\n\r\n condition:\r\n\r\n any of them\r\n\r\n}\r\n\r\n\r\nimport \"dotnet\"\r\n\r\nrule MeterpreterEncryptedPayloadDotNetGzipDE {\r\n\r\n meta:\r\n\r\n type = \"malware\"\r\n\r\n description = \"GZipDe\"\r\n\r\n author = \"jblasco@alienvault.com\"\r\n\r\n reference1 = \"https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp/blob/master/NativePayload_Reverse_tcp.cs\"\r\n\r\n reference2= \"https://otx.alienvault.com/indicator/file/33c03d94f75698fac6a39a5a6c328c2be4a079717520e0ec411597b9ca3a9bef\"\r\n\r\n strings:\r\n\r\n $pdb = \"gzipde.pdb\"\r\n\r\n $st1 = \"PAGE_EXECUTE_READWRITE\"\r\n\r\n $st2 = \"EncryptInitalize\"\r\n\r\n $st3 = \"EncryptOutput\"\r\n\r\n $st4 = \"CreateThread\"\r\n\r\n $st5 = \"VirtualAlloc\"\r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and\r\n\r\n ((dotnet.typelib == \"c1181bc0-0102-44e9-82ba-7c1ca7d24219\" and\r\n\r\n dotnet.guids[0] == \"2e0eb747-be46-441a-a8b1-97ab27b49ec5\") or\r\n\r\n $pdb or\r\n\r\n (dotnet.number_of_modulerefs == 1 and\r\n\r\n dotnet.modulerefs[0] == \"kernel32\" and\r\n\r\n all of ($st*)))\r\n\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:41:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cce26-9a8c-4a25-b350-43e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T10:23:34.000Z",
"modified": "2018-06-22T10:23:34.000Z",
"pattern": "[file:hashes.MD5 = '951d9f3320da660593930d3425a9271b' AND file:hashes.SHA1 = '6bd48d65d8e32d37a509080be53643791a5dcbbe' AND file:hashes.SHA256 = 'faf003c38758cf70b12bc4899714833e4713096c8f66163e753b3f0e70f2ba28' AND file:size = '60416' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T10:23:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cee98-5da0-4606-882d-44e1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:22:26.000Z",
"modified": "2018-06-22T13:22:26.000Z",
"pattern": "[file:hashes.MD5 = '7c104c07e094cc09b8f1882bdf655bda' AND file:hashes.SHA1 = '3eaafe3bbeafc945da28bcd80955eec9fe4def65' AND file:hashes.SHA256 = '33c03d94f75698fac6a39a5a6c328c2be4a079717520e0ec411597b9ca3a9bef' AND file:size = '10240' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:22:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cf76a-036c-4c69-b4a8-4b12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:19:38.000Z",
"modified": "2018-06-22T13:19:38.000Z",
"description": " File Type: Microsoft Word 2007+ ",
"pattern": "[file:hashes.MD5 = '54e656314099112450323bc75e3f9dbd' AND file:hashes.SHA1 = 'e61f5f699471bed8e6b0bf4f9ee420e69bede4f7' AND file:hashes.SHA256 = '148d280586de3a62d366c396c8bfedd6683a2e3eb1c3d956da57dbfc19d1983c' AND file:size = '17951' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:19:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2cf897-f024-40ae-aa28-40fa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T13:24:39.000Z",
"modified": "2018-06-22T13:24:39.000Z",
"pattern": "[file:hashes.MD5 = '9f21b385d7463265869e4945a3da60f0' AND file:hashes.SHA1 = '6b88f823174705c0980d0bd63fb3e081da05207d' AND file:hashes.SHA256 = '3932999be863d5844168e3bbb09ffc2f8d572a8f4a93946adb7e9c438f35c711' AND file:size = '483840' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T13:24:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b2ce98e-aa64-4a50-ad47-f54e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-22T12:42:50.000Z",
"modified": "2018-06-22T12:42:50.000Z",
"pattern": "[file:extensions.'windows-pebinary-ext'.imphash = 'f34d5f2d4577ed6d9ceec516c1f5a744' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_text = 'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows' AND file:extensions.'windows-pebinary-ext'.x_misp_pehash = 'aad3abd1afba000356bbc35a20351b2ab466bc8c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-22T12:42:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f714b8f5-7043-4974-8709-27e1e527150f",
"created": "2018-06-22T12:42:46.000Z",
"modified": "2018-06-22T12:42:46.000Z",
"relationship_type": "related-to",
"source_ref": "indicator--5b2ce98e-aa64-4a50-ad47-f54e950d210f",
"target_ref": "indicator--5b2cee98-5da0-4606-882d-44e1950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}