{
"type": "bundle",
"id": "bundle--19b55cd3-2c7f-4bb5-805c-308b412958b0",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:35:02.000Z",
"modified": "2022-08-25T12:35:02.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--19b55cd3-2c7f-4bb5-805c-308b412958b0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:35:02.000Z",
"modified": "2022-08-25T12:35:02.000Z",
"name": "Brazil malspam pushes Astaroth (Guildma) malware",
"published": "2022-08-29T10:06:03Z",
"object_refs": [
"indicator--0da40295-0f8f-47df-8d0c-9d532e983683",
"indicator--691be0a1-895e-419c-a04d-86ba3c13bbd5",
"indicator--f3f893fc-a551-4e28-b854-ab569b2c65e4",
"indicator--ee62be81-f12a-4483-8607-7466e33413fe",
"indicator--c2c89f4e-c684-40ad-b4a6-54298fe99aa4",
"observed-data--c8b27262-595e-43a2-852d-ef865c640198",
"file--c8b27262-595e-43a2-852d-ef865c640198",
"artifact--c8b27262-595e-43a2-852d-ef865c640198",
"x-misp-object--c2a30035-48ae-40f5-86f6-124413506cb7",
"x-misp-object--064047ba-5588-4b86-8de6-0995582dc8a0",
"indicator--84344391-a4b4-43be-9035-5097dfabfbd7",
"indicator--fd2a4aed-7106-4690-a4a7-409591d0f6aa",
"indicator--a8f32a60-264e-41f7-afbb-8389eeb20508",
"indicator--12b17044-0396-41a2-90d8-99c0a9d72800",
"indicator--9e37ae47-066a-419e-bf01-767ce62eec2a",
"indicator--341f6945-6d2e-4371-85d8-fdb865724cf3",
"indicator--763161ce-dd82-4b8f-ba22-d36bd98bc131",
"indicator--ed6b4e81-0f6a-486d-90cc-263516bde2b1",
"indicator--d5b5e0be-8ba1-4971-9b02-b989f0ffda1b",
"indicator--da91ab76-e168-4747-87c9-81f5e686d33f",
"indicator--0ee28202-8cc1-4e77-bc13-c213883f2e46",
"indicator--cda082db-9efd-41c0-9836-64395fe5300c",
"indicator--76598496-4b19-4a76-9b2a-91e206eec5d3",
"indicator--6f82506a-1b4e-4161-a0ea-a76a8989f6c5",
"indicator--c3ef89ed-bfa9-4cd9-9ab0-a68c59bac805",
"indicator--918d37c8-b620-4072-8b73-07cfe334fa3a",
"indicator--21c80502-62f4-4c8e-855f-d8989df45ad8",
"indicator--93621a33-455e-402d-929a-75d3c1ce5cf5",
"indicator--cea55e6a-2a6d-46c6-b8fd-dede0b4cc0ba",
"x-misp-object--aa63b00b-a7b2-4fda-9384-09ba97a9cd1c",
"indicator--8a53113d-2c57-4bfc-a001-1de27e002e50",
"indicator--9356c0e4-d1c3-42d9-a50b-c3ad66045487",
"relationship--3395e135-f0ca-48ca-a8f0-eb05535327c6",
"relationship--a4f8f3fe-5814-4406-bf43-4ce1ba519226",
"relationship--946c34b6-e0ee-4274-853c-4c9f475c0d45",
"relationship--d87343dc-ecfd-445f-bcf8-881379eff8ff"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:malpedia=\"Astaroth\"",
"misp-galaxy:mitre-malware=\"Astaroth - S0373\"",
"misp-galaxy:rat=\"Guildma\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0da40295-0f8f-47df-8d0c-9d532e983683",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:18:27.000Z",
"modified": "2022-08-25T07:18:27.000Z",
"description": "Link from email",
"pattern": "[url:value = 'http://w7oaer.infocloudgruposolucaoecia.link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloud']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:18:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--691be0a1-895e-419c-a04d-86ba3c13bbd5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:23:12.000Z",
"modified": "2022-08-25T07:23:12.000Z",
"description": "URL to legitimate website generated from iframe",
"pattern": "[url:value = 'http://www.intangiblesearch.it/search/home_page.php?db_name=\\\\%3Cscript\\\\%20src=\\\\%22https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\\\\%22\\\\%3E\\\\%3C/script\\\\%3E\\\\%3Cscript\\\\%20type=\\\\%22text/javascript\\\\%22\\\\%20src=\\\\%22hxxp://w7oaer.infocloudgruposolucaoecia.link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036\\\\%22\\\\%3E\\\\%3C/script\\\\%3E?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:23:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f3f893fc-a551-4e28-b854-ab569b2c65e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:23:12.000Z",
"modified": "2022-08-25T07:23:12.000Z",
"description": "Traffic to initial malicious domain that provides zip archive download",
"pattern": "[url:value = 'http://w7oaer.infocloudgruposolucaoecia.link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:23:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ee62be81-f12a-4483-8607-7466e33413fe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:23:12.000Z",
"modified": "2022-08-25T07:23:12.000Z",
"description": "Traffic to initial malicious domain that provides zip archive download",
"pattern": "[url:value = 'http://w7oaer.infocloudgruposolucaoecia.link//inc.php?/gruposolucaoeciainfocloud']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:23:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c2c89f4e-c684-40ad-b4a6-54298fe99aa4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:23:12.000Z",
"modified": "2022-08-25T07:23:12.000Z",
"description": "Traffic to initial malicious domain that provides zip archive download",
"pattern": "[url:value = 'http://w7oaer.infocloudgruposolucaoecia.link/YBZJPTBQV/482NJ8NS74J9/N6D6WW/gruposolucaoeciainfocloud_097.88933.61414z64y64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:23:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--c8b27262-595e-43a2-852d-ef865c640198",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:31:58.000Z",
"modified": "2022-08-25T12:31:58.000Z",
"first_observed": "2022-08-25T12:31:58Z",
"last_observed": "2022-08-25T12:31:58Z",
"number_observed": 1,
"object_refs": [
"file--c8b27262-595e-43a2-852d-ef865c640198",
"artifact--c8b27262-595e-43a2-852d-ef865c640198"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--c8b27262-595e-43a2-852d-ef865c640198",
"name": "2022-08-19-ISC-diary-image-01.jpg",
"content_ref": "artifact--c8b27262-595e-43a2-852d-ef865c640198"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--c8b27262-595e-43a2-852d-ef865c640198",
"payload_bin": "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
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c2a30035-48ae-40f5-86f6-124413506cb7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:05:10.000Z",
"modified": "2022-08-25T07:05:10.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://isc.sans.edu/diary/rss/28962",
"category": "External analysis",
"uuid": "d43c3904-7b68-47cb-8e70-822df291fa49"
},
{
"type": "text",
"object_relation": "type",
"value": "Diary",
"category": "Other",
"uuid": "942ecdc3-13a1-44fb-af08-2eb47a2a4e18"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--064047ba-5588-4b86-8de6-0995582dc8a0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:06:31.000Z",
"modified": "2022-08-25T07:06:31.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://otx.alienvault.com/pulse/6303804723bccc7e3caad737",
"category": "External analysis",
"uuid": "9d0fdc3e-65a6-43e9-a371-eb3b29e72c42"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--84344391-a4b4-43be-9035-5097dfabfbd7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:21:59.000Z",
"modified": "2022-08-25T07:21:59.000Z",
"description": "initial malicious domain",
"pattern": "[domain-name:value = 'w7oaer.infocloudgruposolucaoecia.link' AND domain-name:resolves_to_refs[*].value = '172.67.217.95' AND domain-name:x_misp_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:21:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fd2a4aed-7106-4690-a4a7-409591d0f6aa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:52:32.000Z",
"modified": "2022-08-25T07:52:32.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'ahaaer.pfktaacgojiozfehwkkimhkbkm.cfd') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?1/' AND network-traffic:x_misp_ip = '172.67.212.174']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:52:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a8f32a60-264e-41f7-afbb-8389eeb20508",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:55:07.000Z",
"modified": "2022-08-25T07:55:07.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?59792746413628799' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:55:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--12b17044-0396-41a2-90d8-99c0a9d72800",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T07:57:49.000Z",
"modified": "2022-08-25T07:57:49.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?59792746413628799' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T07:57:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9e37ae47-066a-419e-bf01-767ce62eec2a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:00:04.000Z",
"modified": "2022-08-25T08:00:04.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?33954141807632999' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:00:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--341f6945-6d2e-4371-85d8-fdb865724cf3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:00:09.000Z",
"modified": "2022-08-25T08:00:09.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?33954141807632999' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:00:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--763161ce-dd82-4b8f-ba22-d36bd98bc131",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:09:27.000Z",
"modified": "2022-08-25T08:09:27.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?71576927405639060' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:09:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ed6b4e81-0f6a-486d-90cc-263516bde2b1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:09:31.000Z",
"modified": "2022-08-25T08:09:31.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?71576927405639060' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:09:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d5b5e0be-8ba1-4971-9b02-b989f0ffda1b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:12:24.000Z",
"modified": "2022-08-25T08:12:24.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?59784568396678051' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:12:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--da91ab76-e168-4747-87c9-81f5e686d33f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:12:29.000Z",
"modified": "2022-08-25T08:12:29.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?59784568396678051' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:12:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0ee28202-8cc1-4e77-bc13-c213883f2e46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:14:26.000Z",
"modified": "2022-08-25T08:14:26.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?40018133101693668' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:14:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cda082db-9efd-41c0-9836-64395fe5300c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:14:31.000Z",
"modified": "2022-08-25T08:14:31.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?40018133101693668' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:14:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--76598496-4b19-4a76-9b2a-91e206eec5d3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:16:21.000Z",
"modified": "2022-08-25T08:16:21.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'HEAD' AND network-traffic:extensions.'http-request-ext'.request_value = '/?33450285101613952' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:16:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6f82506a-1b4e-4161-a0ea-a76a8989f6c5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:16:26.000Z",
"modified": "2022-08-25T08:16:26.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cteasc.ijnkwnkxeguxaxmldwyogggwfk.sbs') AND network-traffic:extensions.'http-request-ext'.request_method = 'GET' AND network-traffic:extensions.'http-request-ext'.request_value = '/?33450285101613952' AND network-traffic:x_misp_ip = '104.21.11.4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c3ef89ed-bfa9-4cd9-9ab0-a68c59bac805",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:48:14.000Z",
"modified": "2022-08-25T08:48:14.000Z",
"description": "Data exfiltration through HTTP POST request",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'hcu11m2mkk2.rouepcgomfhejergdahjcfcugarfcmoa.tk') AND network-traffic:extensions.'http-request-ext'.request_method = 'POST' AND network-traffic:extensions.'http-request-ext'.request_value = '/' AND network-traffic:x_misp_ip = '104.21.25.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:48:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--918d37c8-b620-4072-8b73-07cfe334fa3a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T08:48:53.000Z",
"modified": "2022-08-25T08:48:53.000Z",
"description": "Data exfiltration through HTTP POST request",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'j2vfrc7gddo.aeabihjpejprueuibdjmhfmdcpsfr.gq') AND network-traffic:extensions.'http-request-ext'.request_method = 'POST' AND network-traffic:extensions.'http-request-ext'.request_value = '/' AND network-traffic:x_misp_ip = '172.67.165.46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T08:48:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"http-request\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--21c80502-62f4-4c8e-855f-d8989df45ad8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T10:01:27.000Z",
"modified": "2022-08-25T10:01:27.000Z",
"description": "Example of downloaded zip archive",
"pattern": "[file:hashes.SHA256 = 'f254f9deeb61f0a53e021c6c0859ba4e745169322fe2fb91ad2875f5bf077300' AND file:name = 'gruposolucaoeciainfocloud_097.88933.61414.zip' AND file:size = '1091']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T10:01:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--93621a33-455e-402d-929a-75d3c1ce5cf5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T10:00:48.000Z",
"modified": "2022-08-25T10:00:48.000Z",
"pattern": "[file:hashes.SHA256 = '5ca1e9f0e79185dde9655376b8cecc29193ad3e933c7b93dc1a6ce2a60e63bba' AND file:name = 'gruposolucaoeciainfocloud_097.88933157.086456.45192.cmd' AND file:size = '338']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T10:00:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cea55e6a-2a6d-46c6-b8fd-dede0b4cc0ba",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T10:00:30.000Z",
"modified": "2022-08-25T10:00:30.000Z",
"pattern": "[file:hashes.SHA256 = 'db136e87a5835e56d39c225e00b675727dc73a788f90882ad81a1500ac0a17d6' AND file:name = 'gruposolucaoeciainfocloud_097.88933157.086456.45192.lNk' AND file:size = '1341']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T10:00:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--aa63b00b-a7b2-4fda-9384-09ba97a9cd1c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:26:21.000Z",
"modified": "2022-08-25T12:26:21.000Z",
"labels": [
"misp:name=\"lnk\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "lnk-command-line-arguments",
"value": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -Command C:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.exe C:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.log",
"category": "Other",
"uuid": "ae85c254-10d8-4ee9-96bb-aa1e353824dd"
}
],
"x_misp_comment": "Command from Windows shortcut in Windows Startup folder on the infected Windows host",
"x_misp_meta_category": "file",
"x_misp_name": "lnk"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a53113d-2c57-4bfc-a001-1de27e002e50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:30:06.000Z",
"modified": "2022-08-25T12:30:06.000Z",
"description": "Windows EXE for AutoIt v3, not inherently malicious",
"pattern": "[file:hashes.SHA256 = '237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d' AND file:name = 'Asus.CertificateValidation.2022.1728.641.AutoIt3.exe' AND file:size = '893608' AND file:parent_directory_ref.path = 'C:\\\\W45784602214\\\\' AND file:x_misp_fullpath = 'C:\\\\W45784602214\\\\Asus.CertificateValidation.2022.1728.641.AutoIt3.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T12:30:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9356c0e4-d1c3-42d9-a50b-c3ad66045487",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-08-25T12:31:11.000Z",
"modified": "2022-08-25T12:31:11.000Z",
"description": "Malicious data binary, AutoIt v3 compiled script run by above Windows EXE for AutoIt v3",
"pattern": "[file:hashes.SHA256 = 'e31658734d3e0de1d2764636d1b8726f0f8319b0e50b87e5949ec162ae1c0050' AND file:name = 'Asus.CertificateValidation.2022.1728.641.AutoIt3.log' AND file:size = '246116' AND file:parent_directory_ref.path = 'C:\\\\W45784602214\\\\' AND file:x_misp_fullpath = 'C:\\\\W45784602214\\\\Asus.CertificateValidation.2022.1728.641.AutoIt3.log']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-08-25T12:31:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3395e135-f0ca-48ca-a8f0-eb05535327c6",
"created": "2022-08-25T10:01:01.000Z",
"modified": "2022-08-25T10:01:01.000Z",
"relationship_type": "contains",
"source_ref": "indicator--21c80502-62f4-4c8e-855f-d8989df45ad8",
"target_ref": "indicator--93621a33-455e-402d-929a-75d3c1ce5cf5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a4f8f3fe-5814-4406-bf43-4ce1ba519226",
"created": "2022-08-25T10:01:27.000Z",
"modified": "2022-08-25T10:01:27.000Z",
"relationship_type": "contains",
"source_ref": "indicator--21c80502-62f4-4c8e-855f-d8989df45ad8",
"target_ref": "indicator--cea55e6a-2a6d-46c6-b8fd-dede0b4cc0ba"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--946c34b6-e0ee-4274-853c-4c9f475c0d45",
"created": "2022-08-25T10:00:48.000Z",
"modified": "2022-08-25T10:00:48.000Z",
"relationship_type": "contained-within",
"source_ref": "indicator--93621a33-455e-402d-929a-75d3c1ce5cf5",
"target_ref": "indicator--21c80502-62f4-4c8e-855f-d8989df45ad8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d87343dc-ecfd-445f-bcf8-881379eff8ff",
"created": "2022-08-25T10:00:30.000Z",
"modified": "2022-08-25T10:00:30.000Z",
"relationship_type": "contained-within",
"source_ref": "indicator--cea55e6a-2a6d-46c6-b8fd-dede0b4cc0ba",
"target_ref": "indicator--21c80502-62f4-4c8e-855f-d8989df45ad8"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}