2023-06-14 17:31:25 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5b58330e-b924-4828-b3a5-4986950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-26T07:17:17.000Z" ,
"modified" : "2018-07-26T07:17:17.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5b58330e-b924-4828-b3a5-4986950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-26T07:17:17.000Z" ,
"modified" : "2018-07-26T07:17:17.000Z" ,
"name" : "OSINT - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f" ,
"url--5b58331e-7b14-4ec5-bf29-42e7950d210f" ,
"indicator--5b583b7d-41d0-4051-8331-4746950d210f" ,
"indicator--5b583b7e-9420-4436-9201-4f93950d210f" ,
"indicator--5b583b7e-ac24-421f-83f7-48d7950d210f" ,
"indicator--5b583b7e-3b34-4162-970f-4b59950d210f" ,
"indicator--5b583b7f-80e8-4230-a77e-4453950d210f" ,
"indicator--5b583b7f-aba8-44df-bee9-4880950d210f" ,
"indicator--5b583b80-8898-45cc-a722-4932950d210f" ,
"indicator--5b583b80-50c4-483b-a57b-4b34950d210f" ,
"indicator--5b583b81-666c-47cc-82d7-418c950d210f" ,
"indicator--5b583b81-0354-4c37-9f23-4699950d210f" ,
"indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f" ,
"indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f" ,
"indicator--5b583b82-8e54-4390-b12a-42c1950d210f" ,
"indicator--5b583b83-a568-4200-8c7a-48c2950d210f" ,
"indicator--5b583b83-8390-470a-ae42-4e22950d210f" ,
"indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f" ,
"x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f" ,
"indicator--5b583628-807c-4168-843b-43eb950d210f" ,
"indicator--5b58365c-aa24-4e3d-a908-49e6950d210f" ,
"indicator--5b583698-e9f8-428f-8754-4eed950d210f" ,
"indicator--5b583727-3fe0-4c85-81b7-41a1950d210f" ,
"indicator--5b58374c-d1a8-4736-8cea-42e9950d210f" ,
"observed-data--5b58375c-ae60-4530-8186-425b950d210f" ,
"file--5b58375c-ae60-4530-8186-425b950d210f" ,
"indicator--5b58389b-2f00-49cc-b0ac-4454950d210f" ,
"indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f" ,
"indicator--5b5838c7-ae6c-4367-903a-4975950d210f" ,
"indicator--5b5838da-60ac-4477-be0d-41d4950d210f" ,
"indicator--5b5838e9-b540-4e30-ad63-44aa950d210f" ,
"indicator--a9d88727-e3a0-4095-b1d0-2b156670a502" ,
"x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543" ,
"indicator--98a247a0-d160-4eee-be67-362795be9206" ,
"x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f" ,
"indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab" ,
"x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04" ,
"indicator--ef42d127-90f8-425a-8866-83310e33e640" ,
"x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0" ,
"indicator--f734d0d6-468b-4c5d-8883-d137f6140100" ,
"x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1" ,
"indicator--31d38205-0b87-4063-a326-2e4f1a2459db" ,
"x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae" ,
"indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb" ,
"x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02" ,
"indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4" ,
"x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768" ,
"indicator--16984ff8-41a2-42d9-a859-87df65432e94" ,
"x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6" ,
"indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0" ,
"x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b" ,
"indicator--0d95e126-39c8-4048-be62-5470568b0f0f" ,
"x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae" ,
"relationship--736b03dd-eec1-443d-8c29-150c224a8a4b" ,
"relationship--7121db55-c648-4658-b41f-c498da0cc314" ,
"relationship--9612ca2b-9ac4-42e2-9bc5-15daed0cc64b" ,
"relationship--064e7c6c-4fb7-4a6d-b2d5-708036c1e023" ,
"relationship--7835cacf-6643-4ae9-852a-e3aa49091f6f" ,
"relationship--1500ac51-e910-45fb-b39b-d6818faf28cf" ,
"relationship--e6ff039d-3ba4-46f6-964e-829ecd5d40e5" ,
"relationship--7c8eb544-fee2-45db-8256-18ba2bd218bc" ,
"relationship--5cbe67e0-57c5-4463-85a9-28f2a53562d4" ,
"relationship--7ab0e094-1d1c-4335-af39-c277a3b65202" ,
"relationship--de3baebf-c58b-46f2-81ee-13b21a2bc4f9"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"malware_classification:malware-category=\"Trojan\"" ,
"ms-caro-malware-full:malware-family=\"Banker\"" ,
"misp-galaxy:banker=\"Kronos\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-26T07:17:06.000Z" ,
"modified" : "2018-07-26T07:17:06.000Z" ,
"first_observed" : "2018-07-26T07:17:06Z" ,
"last_observed" : "2018-07-26T07:17:06Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b58331e-7b14-4ec5-bf29-42e7950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b58331e-7b14-4ec5-bf29-42e7950d210f" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7d-41d0-4051-8331-4746950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T10:13:57.000Z" ,
"modified" : "2018-07-25T10:13:57.000Z" ,
"description" : "Phishing link on Nov 8" ,
"pattern" : "[url:value = 'http://invoice.docs-sharepoint.com/profile/profile.php?id=[base64 e-mail address]']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T10:13:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7e-9420-4436-9201-4f93950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:34.000Z" ,
"modified" : "2018-07-25T08:57:34.000Z" ,
"description" : "Redirect from phishing link on Nov 8" ,
"pattern" : "[url:value = 'http://invoice.docs-sharepoint.com/profile/download.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7e-ac24-421f-83f7-48d7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:34.000Z" ,
"modified" : "2018-07-25T08:57:34.000Z" ,
"description" : "ZeuS C&C on Nov 8" ,
"pattern" : "[url:value = 'https://feed.networksupdates.com/feed/webfeed.xml']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7e-3b34-4162-970f-4b59950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:34.000Z" ,
"modified" : "2018-07-25T08:57:34.000Z" ,
"description" : "EmployeeID-847267.doc downloading payload (Kronos) on Nov 10" ,
"pattern" : "[url:value = 'http://info.docs-sharepoint.com/officeup.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7f-80e8-4230-a77e-4453950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:35.000Z" ,
"modified" : "2018-07-25T08:57:35.000Z" ,
"pattern" : "[file:name = 'EmployeeID-847267.doc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b7f-aba8-44df-bee9-4880950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:35.000Z" ,
"modified" : "2018-07-25T08:57:35.000Z" ,
"description" : "Kronos C&C on Nov 10" ,
"pattern" : "[url:value = 'http://www.networkupdate.club/kbps/connect.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b80-8898-45cc-a722-4932950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:36.000Z" ,
"modified" : "2018-07-25T08:57:36.000Z" ,
"description" : "Payload DL by Kronos on Nov 10" ,
"pattern" : "[url:value = 'http://networkupdate.online/kbps/upload/c1c06f7d.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b80-50c4-483b-a57b-4b34950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:36.000Z" ,
"modified" : "2018-07-25T08:57:36.000Z" ,
"description" : "Payload DL by Kronos on Nov 10" ,
"pattern" : "[url:value = 'http://networkupdate.online/kbps/upload/1f80ff71.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b81-666c-47cc-82d7-418c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:37.000Z" ,
"modified" : "2018-07-25T08:57:37.000Z" ,
"description" : "Payload DL by Kronos on Nov 10" ,
"pattern" : "[url:value = 'http://networkupdate.online/kbps/upload/a8b05325.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b81-0354-4c37-9f23-4699950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T10:13:53.000Z" ,
"modified" : "2018-07-25T10:13:53.000Z" ,
"description" : "Phishing link on Nov 10" ,
"pattern" : "[url:value = 'http://intranet.excelsharepoint.com/profile/Employee.php?id=[base64 e-mail address]']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T10:13:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:38.000Z" ,
"modified" : "2018-07-25T08:57:38.000Z" ,
"description" : "SmokeLoader C&C" ,
"pattern" : "[url:value = 'http://webfeed.updatesnetwork.com/feedweb/feed.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:38.000Z" ,
"modified" : "2018-07-25T08:57:38.000Z" ,
"description" : "ScanPOS C&C" ,
"pattern" : "[url:value = 'http://invoicesharepoint.com/gateway.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b82-8e54-4390-b12a-42c1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T10:13:34.000Z" ,
"modified" : "2018-07-25T10:13:34.000Z" ,
"description" : "Phishing link on Nov 14" ,
"pattern" : "[url:value = 'http://intranet.excel-sharepoint.com/doc/employee.php?id=[base64 e-mail address]']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T10:13:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b83-a568-4200-8c7a-48c2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:39.000Z" ,
"modified" : "2018-07-25T08:57:39.000Z" ,
"description" : "EmployeeID-6283.doc downloading payload (Kronos) on Nov 14" ,
"pattern" : "[url:value = 'http://profile.excel-sharepoint.com/doc/office.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583b83-8390-470a-ae42-4e22950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:57:39.000Z" ,
"modified" : "2018-07-25T08:57:39.000Z" ,
"pattern" : "[file:name = 'EmployeeID-6283.doc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:57:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T09:28:56.000Z" ,
"modified" : "2018-07-25T09:28:56.000Z" ,
"description" : "RIG-v domain on Nov 8" ,
"pattern" : "[domain-name:value = 'add.souloventure.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T09:28:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-26T07:17:14.000Z" ,
"modified" : "2018-07-26T07:17:14.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583628-807c-4168-843b-43eb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:34:48.000Z" ,
"modified" : "2018-07-25T08:34:48.000Z" ,
"description" : "containing SmokeLoader from /download.php on Nov 8" ,
"pattern" : "[file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:34:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b58365c-aa24-4e3d-a908-49e6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:35:40.000Z" ,
"modified" : "2018-07-25T08:35:40.000Z" ,
"description" : "containing ZeuS from /download.php on Nov 8" ,
"pattern" : "[file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:35:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583698-e9f8-428f-8754-4eed950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:36:40.000Z" ,
"modified" : "2018-07-25T08:36:40.000Z" ,
"description" : "SmokeLoader" ,
"pattern" : "[file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:36:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b583727-3fe0-4c85-81b7-41a1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:39:03.000Z" ,
"modified" : "2018-07-25T08:39:03.000Z" ,
"description" : "ZeuS" ,
"pattern" : "[file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:39:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b58374c-d1a8-4736-8cea-42e9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:39:40.000Z" ,
"modified" : "2018-07-25T08:39:40.000Z" ,
"description" : "downloaded from phishing links on Nov 10" ,
"pattern" : "[file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156' AND file:name = 'EmployeeID-847267.doc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b58375c-ae60-4530-8186-425b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:40.000Z" ,
"modified" : "2018-07-25T21:02:40.000Z" ,
"first_observed" : "2018-07-25T21:02:40Z" ,
"last_observed" : "2018-07-25T21:02:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5b58375c-ae60-4530-8186-425b950d210f"
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"False\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5b58375c-ae60-4530-8186-425b950d210f" ,
"hashes" : {
"SHA-256" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
} ,
"x_misp_state" : "Malicious"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b58389b-2f00-49cc-b0ac-4454950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:45:15.000Z" ,
"modified" : "2018-07-25T08:45:15.000Z" ,
"description" : "SmokeLoader" ,
"pattern" : "[file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984' AND file:name = 'c1c06f7d.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:45:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:45:36.000Z" ,
"modified" : "2018-07-25T08:45:36.000Z" ,
"description" : "SmokeLoader" ,
"pattern" : "[file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98' AND file:name = '1f80ff71.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:45:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b5838c7-ae6c-4367-903a-4975950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:45:59.000Z" ,
"modified" : "2018-07-25T08:45:59.000Z" ,
"description" : "ScanPOS" ,
"pattern" : "[file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e' AND file:name = 'a8b05325.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:45:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b5838da-60ac-4477-be0d-41d4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:46:18.000Z" ,
"modified" : "2018-07-25T08:46:18.000Z" ,
"description" : "downloaded from phishing links on Nov 14" ,
"pattern" : "[file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:46:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b5838e9-b540-4e30-ad63-44aa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T08:46:33.000Z" ,
"modified" : "2018-07-25T08:46:33.000Z" ,
"description" : "Kronos on Nov 14 (same C&C as previous)" ,
"pattern" : "[file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T08:46:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:24.000Z" ,
"modified" : "2018-07-25T21:02:24.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f99d1571ce9be023cc897522f82ec6cc' AND file:hashes.SHA1 = '9b931700d85a5fb986575f89c7c29d03dc5f4c1e' AND file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:25.000Z" ,
"modified" : "2018-07-25T21:02:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-07-23 10:53:44" ,
"category" : "Other" ,
"uuid" : "87767aea-51ec-4953-993c-f4a3db01bf9a"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984/analysis/1532343224/" ,
"category" : "External analysis" ,
"uuid" : "b5192082-ba75-490e-abe7-4244a424182a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "51/68" ,
"category" : "Other" ,
"uuid" : "7fc96d39-bd29-47e8-be21-3bab9cd4738e"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--98a247a0-d160-4eee-be67-362795be9206" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:31.000Z" ,
"modified" : "2018-07-25T21:02:31.000Z" ,
"pattern" : "[file:hashes.MD5 = '73871970ccf1b551a29f255605d05f61' AND file:hashes.SHA1 = 'f74b2c624c6cffccec2680679a26fd863040828f' AND file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:32.000Z" ,
"modified" : "2018-07-25T21:02:32.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-07-23 10:55:04" ,
"category" : "Other" ,
"uuid" : "5e3f9c64-39c9-4b35-b4e4-a8435f37c780"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98/analysis/1532343304/" ,
"category" : "External analysis" ,
"uuid" : "a96cf4aa-68b4-4c69-b511-928a17309792"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "53/68" ,
"category" : "Other" ,
"uuid" : "ddfade3b-fda0-4c64-b533-d1c78daf7927"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:38.000Z" ,
"modified" : "2018-07-25T21:02:38.000Z" ,
"pattern" : "[file:hashes.MD5 = '4a03b999b87cfe3c44e617ac911a2018' AND file:hashes.SHA1 = 'b1a62023dc97668ce5ad0ed78788c79f797753c3' AND file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:38.000Z" ,
"modified" : "2018-07-25T21:02:38.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-09-27 17:35:43" ,
"category" : "Other" ,
"uuid" : "0d79d2bd-bd94-4ac7-983d-9d804def7917"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74/analysis/1506533743/" ,
"category" : "External analysis" ,
"uuid" : "e76cf28d-af73-426f-bdfe-0d795cc4ac0b"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "43/65" ,
"category" : "Other" ,
"uuid" : "0e1d278b-6aa8-49d3-afe9-d32dd68d13cf"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ef42d127-90f8-425a-8866-83310e33e640" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:44.000Z" ,
"modified" : "2018-07-25T21:02:44.000Z" ,
"pattern" : "[file:hashes.MD5 = '5cac0a88767a301d7df64cfc84ccc951' AND file:hashes.SHA1 = '1e207f9cfadd92bf56a827cb6b7765abe0fa3bac' AND file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:46.000Z" ,
"modified" : "2018-07-25T21:02:46.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2016-11-17 19:05:53" ,
"category" : "Other" ,
"uuid" : "58be0aad-494f-48dc-a412-02bd982d577a"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5/analysis/1479409553/" ,
"category" : "External analysis" ,
"uuid" : "8f5efb1a-9343-4079-a3fe-3d8d9994f4eb"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "31/57" ,
"category" : "Other" ,
"uuid" : "f93324bc-edc7-4330-9ec3-8c50d17168ab"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f734d0d6-468b-4c5d-8883-d137f6140100" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:51.000Z" ,
"modified" : "2018-07-25T21:02:51.000Z" ,
"pattern" : "[file:hashes.MD5 = 'dfef3c6bf91ddbc2784bda187670983b' AND file:hashes.SHA1 = 'd97139b60ec56ddf87d5a1798ca840fa872a580f' AND file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:52.000Z" ,
"modified" : "2018-07-25T21:02:52.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-07-18 21:20:03" ,
"category" : "Other" ,
"uuid" : "31088d4b-45b8-4012-8414-4d6c62cf9959"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462/analysis/1500412803/" ,
"category" : "External analysis" ,
"uuid" : "a7973cf8-6939-41d7-8745-ada586d7accc"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "17/58" ,
"category" : "Other" ,
"uuid" : "c7fa26cf-cf90-4317-95d6-e7cb733aae80"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--31d38205-0b87-4063-a326-2e4f1a2459db" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:58.000Z" ,
"modified" : "2018-07-25T21:02:58.000Z" ,
"pattern" : "[file:hashes.MD5 = '11180b265b010fbfa05c08681261ac57' AND file:hashes.SHA1 = '0eed43d63b6f3e5e696e7b99cfa538c12a13321d' AND file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:02:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:02:59.000Z" ,
"modified" : "2018-07-25T21:02:59.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-03-15 10:30:38" ,
"category" : "Other" ,
"uuid" : "bb0f567b-3154-4c7a-9f5d-478efc6fa6b8"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3/analysis/1489573838/" ,
"category" : "External analysis" ,
"uuid" : "bff87e3b-7d19-4641-94ca-2d92f7683cde"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "52/60" ,
"category" : "Other" ,
"uuid" : "44855b6c-b687-4d04-8cd0-a297a0f47c32"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:05.000Z" ,
"modified" : "2018-07-25T21:03:05.000Z" ,
"pattern" : "[file:hashes.MD5 = 'dc31516a473d8b9cb634bf1f48a7065f' AND file:hashes.SHA1 = '10301bf7f1202c57df484ebcc125b84d8d427014' AND file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:03:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:06.000Z" ,
"modified" : "2018-07-25T21:03:06.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2016-11-10 15:50:58" ,
"category" : "Other" ,
"uuid" : "58e7f184-7092-463f-a342-2b475e53aec4"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c/analysis/1478793058/" ,
"category" : "External analysis" ,
"uuid" : "e18d6539-c159-47bf-91be-068da68abe71"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "26/54" ,
"category" : "Other" ,
"uuid" : "884a8c07-14d5-4574-aaa4-7aac53dde5c8"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:12.000Z" ,
"modified" : "2018-07-25T21:03:12.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' AND file:hashes.SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709' AND file:hashes.SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:03:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:13.000Z" ,
"modified" : "2018-07-25T21:03:13.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-07-25 20:49:30" ,
"category" : "Other" ,
"uuid" : "d5580362-b4ad-4ee2-9c38-7bb05878a591"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1532551770/" ,
"category" : "External analysis" ,
"uuid" : "887aea02-9162-47a8-9684-0cb42bda0520"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/61" ,
"category" : "Other" ,
"uuid" : "6d26efdf-e637-4a26-a036-b21a524e663a"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--16984ff8-41a2-42d9-a859-87df65432e94" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:19.000Z" ,
"modified" : "2018-07-25T21:03:19.000Z" ,
"pattern" : "[file:hashes.MD5 = '6fcc13563aad936c7d0f3165351cb453' AND file:hashes.SHA1 = '8b1757b95b7b7f9c4dfa09b52b0d3c6451b269fc' AND file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:03:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:20.000Z" ,
"modified" : "2018-07-25T21:03:20.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-19 00:26:19" ,
"category" : "Other" ,
"uuid" : "520c34d4-ed53-4cf2-be8d-0d6dbcc95604"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e/analysis/1513643179/" ,
"category" : "External analysis" ,
"uuid" : "1c2745c4-6d74-407c-aef0-dc86e8edce38"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/67" ,
"category" : "Other" ,
"uuid" : "473e0959-9f52-4d7c-82d1-1540cb995bb3"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:26.000Z" ,
"modified" : "2018-07-25T21:03:26.000Z" ,
"pattern" : "[file:hashes.MD5 = '83d21d808f7408ebcb3947cb88366172' AND file:hashes.SHA1 = 'ef12b3c274c02a68f678b618828ee4c92a297e59' AND file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:03:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:27.000Z" ,
"modified" : "2018-07-25T21:03:27.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-07-18 20:58:26" ,
"category" : "Other" ,
"uuid" : "e01b2c15-aa53-4020-82d3-0f1f7ce840e2"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156/analysis/1500411506/" ,
"category" : "External analysis" ,
"uuid" : "684f43f7-25ca-47f6-be6d-5739d4f57d72"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "36/58" ,
"category" : "Other" ,
"uuid" : "8a2f71fb-df0f-41c0-9950-db186f88f8f4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0d95e126-39c8-4048-be62-5470568b0f0f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:33.000Z" ,
"modified" : "2018-07-25T21:03:33.000Z" ,
"pattern" : "[file:hashes.MD5 = '8758b7984fa2f20ada64e95cf9d5d192' AND file:hashes.SHA1 = 'd35ee56d673fa44a72cf43e6c16f9270dea33f2d' AND file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-25T21:03:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-25T21:03:34.000Z" ,
"modified" : "2018-07-25T21:03:34.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2016-12-13 19:02:03" ,
"category" : "Other" ,
"uuid" : "2aed675b-f09b-4b27-aa4e-d8cef860ee81"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0/analysis/1481655723/" ,
"category" : "External analysis" ,
"uuid" : "57b62add-1e94-406b-9081-eac88b655b27"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "40/55" ,
"category" : "Other" ,
"uuid" : "3208bb65-c286-4c9b-958f-f1d7488b957c"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--736b03dd-eec1-443d-8c29-150c224a8a4b" ,
"created" : "2018-07-25T21:03:36.000Z" ,
"modified" : "2018-07-25T21:03:36.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502" ,
"target_ref" : "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--7121db55-c648-4658-b41f-c498da0cc314" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--98a247a0-d160-4eee-be67-362795be9206" ,
"target_ref" : "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9612ca2b-9ac4-42e2-9bc5-15daed0cc64b" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab" ,
"target_ref" : "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--064e7c6c-4fb7-4a6d-b2d5-708036c1e023" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--ef42d127-90f8-425a-8866-83310e33e640" ,
"target_ref" : "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--7835cacf-6643-4ae9-852a-e3aa49091f6f" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--f734d0d6-468b-4c5d-8883-d137f6140100" ,
"target_ref" : "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--1500ac51-e910-45fb-b39b-d6818faf28cf" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--31d38205-0b87-4063-a326-2e4f1a2459db" ,
"target_ref" : "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--e6ff039d-3ba4-46f6-964e-829ecd5d40e5" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb" ,
"target_ref" : "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--7c8eb544-fee2-45db-8256-18ba2bd218bc" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4" ,
"target_ref" : "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--5cbe67e0-57c5-4463-85a9-28f2a53562d4" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--16984ff8-41a2-42d9-a859-87df65432e94" ,
"target_ref" : "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--7ab0e094-1d1c-4335-af39-c277a3b65202" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0" ,
"target_ref" : "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--de3baebf-c58b-46f2-81ee-13b21a2bc4f9" ,
"created" : "2018-07-25T21:03:37.000Z" ,
"modified" : "2018-07-25T21:03:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--0d95e126-39c8-4048-be62-5470568b0f0f" ,
"target_ref" : "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}