misp-circl-feed/feeds/circl/stix-2.1/5ce6aa86-9cd8-4302-9dc9-4a59950d210f.json


{
"type": "bundle",
"id": "bundle--5ce6aa86-9cd8-4302-9dc9-4a59950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:20:54.000Z",
"modified": "2019-07-19T09:20:54.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ce6aa86-9cd8-4302-9dc9-4a59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:20:54.000Z",
"modified": "2019-07-19T09:20:54.000Z",
"name": "OSINT - A journey to Zebrocy land",
"published": "2019-07-19T09:21:33Z",
"object_refs": [
"observed-data--5ce793fc-bc54-401b-9e5b-4a08950d210f",
"url--5ce793fc-bc54-401b-9e5b-4a08950d210f",
"x-misp-attribute--5ce79415-9bf8-440b-9a53-4159950d210f",
"observed-data--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"file--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"indicator--5ce7b861-bc80-4e19-9006-4056950d210f",
"indicator--5ce7b861-0228-4ce2-b25a-4385950d210f",
"indicator--5ce7beff-ef98-4836-9ab1-44c3950d210f",
"indicator--5ce6ac5b-6d34-455b-b17d-765d950d210f",
"indicator--5ce7968d-a158-4d3a-aa56-4b70950d210f",
"indicator--5ce7c0fb-4f58-487e-b5d6-4593950d210f",
"indicator--5ce7c11c-1cec-4498-b21f-4ae8950d210f",
"indicator--5ce7c145-8fe8-4bc0-b828-463e950d210f",
"indicator--77e080d7-7231-44bb-a661-34fb1e1e2070",
"x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63",
"relationship--1272e0cb-1fa3-4cb7-bd67-50f109db0bbe"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
"misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"",
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"",
"misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking - T1122\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
"misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"",
"misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"",
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
"misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"",
"misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"",
"misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
"misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",
"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"",
"misp-galaxy:mitre-attack-pattern=\"Custom Cryptographic Protocol - T1024\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"",
"misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"",
"misp-galaxy:mitre-attack-pattern=\"Multilayer Encryption - T1079\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"",
"misp-galaxy:malpedia=\"Zebrocy\"",
"misp-galaxy:malpedia=\"Zebrocy (AutoIT)\"",
"misp-galaxy:mitre-malware=\"Zebrocy - S0251\"",
"misp-galaxy:tool=\"ZEBROCY\"",
"ecsirt:intrusions=\"backdoor\"",
"veris:action:malware:variety=\"Backdoor\"",
"ms-caro-malware:malware-type=\"Backdoor\"",
"ms-caro-malware-full:malware-type=\"Backdoor\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"workflow:todo=\"expansion\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ce793fc-bc54-401b-9e5b-4a08950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T06:49:32.000Z",
"modified": "2019-05-24T06:49:32.000Z",
"first_observed": "2019-05-24T06:49:32Z",
"last_observed": "2019-05-24T06:49:32Z",
"number_observed": 1,
"object_refs": [
"url--5ce793fc-bc54-401b-9e5b-4a08950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ce793fc-bc54-401b-9e5b-4a08950d210f",
"value": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ce79415-9bf8-440b-9a53-4159950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T06:49:57.000Z",
"modified": "2019-05-24T06:49:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "What happens when a victim is compromised by a backdoor and the operator is controlling it? It\u2019s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets.\r\n\r\nThe Sednit group \u2013 also known as APT28, Fancy Bear, Sofacy or STRONTIUM \u2013 has been operating since at least 2004 and has made headlines frequently in past years.\r\n\r\nRecently, we unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first for an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.\r\n\r\nThree years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically. ESET researchers and colleagues from other companies have documented these components; however, in this article we will focus on what\u2019s beyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T08:56:59.000Z",
"modified": "2019-05-24T08:56:59.000Z",
"first_observed": "2019-05-24T08:56:59Z",
"last_observed": "2019-05-24T08:56:59Z",
"number_observed": 1,
"object_refs": [
"file--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"name": "Figure-1-WM.png",
"content_ref": "artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7b861-bc80-4e19-9006-4056950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T09:52:46.000Z",
"modified": "2019-05-24T09:52:46.000Z",
"description": "Distribution URL",
"pattern": "[url:value = 'http://45.124.132.127/DOVIDNIL - (2018).zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T09:52:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7b861-0228-4ce2-b25a-4385950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T09:24:49.000Z",
"modified": "2019-05-24T09:24:49.000Z",
"pattern": "[url:value = 'bitly.com/2vZyzgL']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T09:24:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7beff-ef98-4836-9ab1-44c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T09:53:03.000Z",
"modified": "2019-05-24T09:53:03.000Z",
"description": "C&C server",
"pattern": "[url:value = 'http://45.124.132.127/action-center/centerforserviceandaction/service-and-action.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T09:53:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce6ac5b-6d34-455b-b17d-765d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T07:01:12.000Z",
"modified": "2019-05-24T07:01:12.000Z",
"description": ".exe, displays .doc icon",
"pattern": "[file:name = '\u00d0\u201d\u00d0\u017e\u00d0\u2019I\u00d0\u201d\u00d0\u009dI\u00d0\u0161 - (2018).exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T07:01:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7968d-a158-4d3a-aa56-4b70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T07:00:29.000Z",
"modified": "2019-05-24T07:00:29.000Z",
"pattern": "[file:name = '\u00d0\u201d\u00d0\u00be\u00d1\u20ac\u00d1\u0192\u00d1\u2021\u00d0\u00b5\u00d0\u00bd\u00d0\u00bd\u00d1\u008f 97.pdf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T07:00:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7c0fb-4f58-487e-b5d6-4593950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T10:01:31.000Z",
"modified": "2019-05-24T10:01:31.000Z",
"description": "Win32/TrojanDownloader.Sednit.CMT",
"pattern": "[file:hashes.SHA1 = '48f8b152b86bed027b9152725505fbf4a24a39fd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T10:01:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7c11c-1cec-4498-b21f-4ae8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T10:02:04.000Z",
"modified": "2019-05-24T10:02:04.000Z",
"description": "Win32/HackTool.PSWDump.D",
"pattern": "[file:hashes.SHA1 = '1e9f40ef81176190e1ed9a0659473b2226c53f57']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T10:02:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce7c145-8fe8-4bc0-b828-463e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-24T10:02:45.000Z",
"modified": "2019-05-24T10:02:45.000Z",
"description": "Win32/PSW.Agent.OGE",
"pattern": "[file:hashes.SHA1 = 'bfa26857575c49abb129aac87207f03f2b062e07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-24T10:02:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--77e080d7-7231-44bb-a661-34fb1e1e2070",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:20:53.000Z",
"modified": "2019-07-19T09:20:53.000Z",
"pattern": "[file:hashes.MD5 = '5e4e8cab7fcb43ed39b2feac92ddc2e7' AND file:hashes.SHA1 = '48f8b152b86bed027b9152725505fbf4a24a39fd' AND file:hashes.SHA256 = 'b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-07-19T09:20:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:20:54.000Z",
"modified": "2019-07-19T09:20:54.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-06-14T09:31:17",
"category": "Other",
"uuid": "c8f06757-89ce-4b93-8508-e5441a5ea6ae"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902/analysis/1560504677/",
"category": "Payload delivery",
"uuid": "9cb47e12-6ce5-4243-ba79-952caa74b562"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/62",
"category": "Payload delivery",
"uuid": "0fb9588d-b59b-4604-b9a2-4c488151806a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1272e0cb-1fa3-4cb7-bd67-50f109db0bbe",
"created": "2019-07-19T09:20:54.000Z",
"modified": "2019-07-19T09:20:54.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--77e080d7-7231-44bb-a661-34fb1e1e2070",
"target_ref": "x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}