misp-circl-feed/feeds/circl/stix-2.1/5b337664-88a4-4764-a97f-205b0acd0835.json

{
"type": "bundle",
"id": "bundle--5b337664-88a4-4764-a97f-205b0acd0835",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2021-05-24T09:50:04.000Z",
"modified": "2021-05-24T09:50:04.000Z",
"name": "Synovus Financial",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b337664-88a4-4764-a97f-205b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2021-05-24T09:50:04.000Z",
"modified": "2021-05-24T09:50:04.000Z",
"name": "Blog Post: EMOTET INFECTION WITH ICEDID",
"published": "2020-07-06T13:50:27Z",
"object_refs": [
"observed-data--5b3376ba-1820-41de-aa23-0b5d0acd0835",
"url--5b3376ba-1820-41de-aa23-0b5d0acd0835",
"indicator--5b3376d3-2400-4353-a245-207d0acd0835",
"indicator--5b337841-99e4-435a-93d8-2d350acd0835",
"indicator--5b337841-581c-4b8f-869a-0b5a0acd0835",
"indicator--5b3378bc-e084-4c90-b51f-205b0acd0835",
"indicator--5b337f60-243c-4129-8a96-206a0acd0835",
"indicator--5b337f80-e620-4ada-a557-0b5d0acd0835",
"indicator--5b3380b2-fdd4-434e-9f71-39cb0acd0835",
"indicator--5b338286-dda0-4603-a72e-0b5d0acd0835",
"indicator--5b3382e3-d2b4-445b-99a2-0b5a0acd0835",
"observed-data--5b33885c-6c5c-4b29-9f13-55130acd0835",
"file--5b33885c-6c5c-4b29-9f13-55130acd0835",
"artifact--5b33885c-6c5c-4b29-9f13-55130acd0835",
"indicator--5b338896-dd80-41fc-9048-57290acd0835",
"indicator--5b338896-4b00-461e-b415-57290acd0835",
"indicator--5b338896-1d48-4510-b1b0-57290acd0835",
"indicator--5b338896-6efc-4c37-af55-57290acd0835",
"indicator--5b338896-6b60-4876-8b8c-57290acd0835",
"indicator--5b338896-31dc-48f7-842e-57290acd0835",
"indicator--5b338896-3378-452f-a624-57290acd0835",
"indicator--5b338896-0a64-48b2-b236-57290acd0835",
"indicator--5b338896-2e60-43a1-935f-57290acd0835",
"indicator--5b338896-bacc-4ba3-94ac-57290acd0835",
"indicator--5b338896-3f04-4aa3-acbf-57290acd0835",
"indicator--5b338896-be34-4fbf-91e3-57290acd0835",
"indicator--5b3389af-8e1c-4672-9dcc-4c970acd0835",
"indicator--5b3389b0-cef0-4a2d-af83-4c970acd0835",
"indicator--5b3389b0-da90-4642-86b3-4c970acd0835",
"indicator--5b3389b0-c1c4-45f7-8002-4c970acd0835",
"indicator--5b3389b0-3b48-4797-af77-4c970acd0835",
"indicator--5b3389b0-3e9c-42f9-b51b-4c970acd0835",
"indicator--5b3389b0-75c0-461c-9007-4c970acd0835",
"indicator--5b3389b0-1788-401b-8005-4c970acd0835",
"indicator--5b3389b0-307c-4a97-9571-4c970acd0835",
"indicator--5b3389b0-8058-44d3-a0a5-4c970acd0835",
"indicator--5b3389b0-6b74-4d52-83c6-4c970acd0835",
"indicator--5b3389b0-97f0-4bce-9846-4c970acd0835",
"indicator--5b3389b0-3954-4dcb-b163-4c970acd0835",
"indicator--5b3389b0-ba70-4001-8fdd-4c970acd0835",
"indicator--5b3389b0-04f8-47fa-ba75-4c970acd0835",
"indicator--5b3389b0-ebec-4bf4-bc17-4c970acd0835",
"indicator--5b3389b0-6b14-4ab4-af1a-4c970acd0835",
"indicator--5b3389b0-a878-43b9-b2c4-4c970acd0835",
"indicator--5b3389b0-cb30-41a6-8b0e-4c970acd0835",
"indicator--5b3389b0-8344-412d-8eea-4c970acd0835",
"indicator--5b3389b0-3c60-4513-8513-4c970acd0835",
"indicator--5b3389b0-81b8-4596-923d-4c970acd0835",
"indicator--5b3389b0-2710-4cd4-9dc6-4c970acd0835",
"indicator--5b3389b0-110c-433a-ac58-4c970acd0835",
"indicator--5b3389b0-02cc-4755-a16e-4c970acd0835",
"indicator--5b338636-f300-4c0a-9272-4d0c0acd0835",
"indicator--5b3386e8-364c-4bcd-a24c-55110acd0835"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:banker=\"IcedID\"",
"misp-galaxy:tool=\"Emotet\"",
"IcedID",
"ms-caro-malware-full:malware-family=\"Banker\"",
"veris:action:social:variety=\"Phishing\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"veris:action:malware:vector=\"Web download\"",
"veris:action:malware:variety=\"Downloader\"",
"veris:action:malware:variety=\"Export data\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b3376ba-1820-41de-aa23-0b5d0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:34:27.000Z",
"modified": "2018-06-27T12:34:27.000Z",
"first_observed": "2018-06-27T12:34:27Z",
"last_observed": "2018-06-27T12:34:27Z",
"number_observed": 1,
"object_refs": [
"url--5b3376ba-1820-41de-aa23-0b5d0acd0835"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b3376ba-1820-41de-aa23-0b5d0acd0835",
"value": "https://www.malware-traffic-analysis.net/2018/06/26/index.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3376d3-2400-4353-a245-207d0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:52:54.000Z",
"modified": "2018-06-27T12:52:54.000Z",
"pattern": "[domain-name:value = 'sandearth.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:52:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"diamond-model:Infrastructure"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b337841-99e4-435a-93d8-2d350acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T11:43:52.000Z",
"modified": "2018-06-27T11:43:52.000Z",
"pattern": "[domain-name:value = 'percalabia.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T11:43:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b337841-581c-4b8f-869a-0b5a0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T11:43:52.000Z",
"modified": "2018-06-27T11:43:52.000Z",
"pattern": "[domain-name:value = 'urnachay.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T11:43:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3378bc-e084-4c90-b51f-205b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T11:45:15.000Z",
"modified": "2018-06-27T11:45:15.000Z",
"pattern": "[domain-name:value = 'thectrl24.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T11:45:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b337f60-243c-4129-8a96-206a0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:55:00.000Z",
"modified": "2018-06-27T12:55:00.000Z",
"pattern": "[url:value = 'http://thectrl24.com/gjogw/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:55:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-family=\"Banker\"",
"veris:action:malware:variety=\"Export data\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b337f80-e620-4ada-a557-0b5d0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:43:20.000Z",
"modified": "2018-06-27T12:43:20.000Z",
"description": "Source IP associated with thectrl24[.]com (domain defanged)",
"pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '111.118.185.16']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:43:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"VT:More than 10 URLs detected"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3380b2-fdd4-434e-9f71-39cb0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:36:43.000Z",
"modified": "2018-06-27T12:36:43.000Z",
"pattern": "[url:value = 'http://69.193.199.50/whoami.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:36:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Capability"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338286-dda0-4603-a72e-0b5d0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:43:24.000Z",
"modified": "2018-06-27T12:43:24.000Z",
"description": "C2 over TCP port 443; the URL scheme is http://, so do not infer TLS from the port alone",
"pattern": "[url:value = 'http://88.79.210.243:443/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:43:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"veris:action:malware:variety=\"C2\"",
"veris:action:malware:variety=\"Export data\"",
"veris:attribute:confidentiality:state=\"Transmitted encrypted\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3382e3-d2b4-445b-99a2-0b5a0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:43:27.000Z",
"modified": "2018-06-27T12:43:27.000Z",
"description": "C2 (command-and-control) URL",
"pattern": "[url:value = 'http://110.143.116.201/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:43:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"veris:action:malware:variety=\"C2\"",
"veris:action:malware:variety=\"Export data\"",
"veris:attribute:confidentiality:state=\"Transmitted encrypted\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b33885c-6c5c-4b29-9f13-55130acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:52:54.000Z",
"modified": "2018-06-27T12:52:54.000Z",
"first_observed": "2018-06-27T12:52:54Z",
"last_observed": "2018-06-27T12:52:54Z",
"number_observed": 1,
"object_refs": [
"file--5b33885c-6c5c-4b29-9f13-55130acd0835",
"artifact--5b33885c-6c5c-4b29-9f13-55130acd0835"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Support Tool\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b33885c-6c5c-4b29-9f13-55130acd0835",
"name": "2018-06-26-Emotet-infection-with-IcedID-in-AD-environment.pcap",
"content_ref": "artifact--5b33885c-6c5c-4b29-9f13-55130acd0835"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5b33885c-6c5c-4b29-9f13-55130acd0835",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-dd80-41fc-9048-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:01.000Z",
"modified": "2018-06-27T12:58:01.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://www.cycle-film.com/8TfTTH/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-4b00-461e-b415-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:57:59.000Z",
"modified": "2018-06-27T12:57:59.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://thectrl24.com/gjOGw/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:57:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-1d48-4510-b1b0-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:03.000Z",
"modified": "2018-06-27T12:58:03.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://amplajf.com.br/3YrZ/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-6efc-4c37-af55-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:06.000Z",
"modified": "2018-06-27T12:58:06.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://hydrodom.org/WadY9E/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-6b60-4876-8b8c-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:13.000Z",
"modified": "2018-06-27T12:58:13.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://iconholidays.com.bd/PHzC/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-31dc-48f7-842e-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:15.000Z",
"modified": "2018-06-27T12:58:15.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://amplajf.com.br/3YrZ']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-3378-452f-a624-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:17.000Z",
"modified": "2018-06-27T12:58:17.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://www.cycle-film.com/8TfTTH']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-0a64-48b2-b236-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:19.000Z",
"modified": "2018-06-27T12:58:19.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://www.database.z-flooring.com/k70w']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-2e60-43a1-935f-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:36.000Z",
"modified": "2018-06-27T12:58:36.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://www.trinityempire.org/pvYjZuR/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-bacc-4ba3-94ac-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:38.000Z",
"modified": "2018-06-27T12:58:38.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'https://ift.tt/2N22nAf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-3f04-4aa3-acbf-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:41.000Z",
"modified": "2018-06-27T12:58:41.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://gtechuae.com/3Dha4/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338896-be34-4fbf-91e3-57290acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:58:44.000Z",
"modified": "2018-06-27T12:58:44.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash 2e2887fca7eb5a2ca32ac7cbaaee12cd",
"pattern": "[url:value = 'http://gtechuae.com/3Dha4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:58:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"diamond-model:Infrastructure",
"kill-chain:Installation"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389af-8e1c-4672-9dcc-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://csszsz.hu/Statement/Invoice-13058']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-cef0-4a2d-af83-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.orderauto.es/OVERDUE-ACCOUNT/Invoice-06-25-18/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-da90-4642-86b3-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.dotlenieni.pl/Client/INV153088091775668874/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-c1c4-45f7-8002-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://alpinewebgroup.com/Client/INV73405012321656/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-3b48-4797-af77-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.chalet12.de/Payment-and-address/Invoice-745407/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-3e9c-42f9-b51b-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.earthlinks.co.in/STATUS/Invoice-06-26-18/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-75c0-461c-9007-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://melondisc.co.th/doc/rechnungs-details-0541324/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-1788-401b-8005-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://tomsnyder.net/Rechnungsanschrift/Rechnung-028-486/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-307c-4a97-9571-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.cosmo-medica.pl/Statement/Invoice-766799/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-8058-44d3-a0a5-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional URL reported by VirusTotal (VT) as a source of the sample with hash c4796308953017c9dc69d340689e8efe",
"pattern": "[url:value = 'http://www.cosmo-medica.pl/Statement/Invoice-766799']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-6b74-4d52-83c6-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://carricusa.com/ssfm/OVERDUE-ACCOUNT/Invoice-92602/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-97f0-4bce-9846-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://wolffy.net/STATUS/Auditor-of-State-Notification-of-EFT-Deposit/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-3954-4dcb-b163-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://www.ambassade-de-russie.fr/Rechnungsanschrift/Rech-Nr028891/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-ba70-4001-8fdd-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://ipsupportonline.com/STATUS/Services-06-26-18-New-Customer-ZM/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-04f8-47fa-ba75-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://ipsupportonline.com/STATUS/Services-06-26-18-New-Customer-ZM']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-ebec-4bf4-bc17-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://cosmo-medica.pl/Statement/Invoice-766799/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-6b14-4ab4-af1a-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://cosmo-medica.pl/Statement/Invoice-766799']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-a878-43b9-b2c4-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://turski.eu/OVERDUE-ACCOUNT/Payment/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-cb30-41a6-8b0e-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://www.ar.mtcuae.com/Statement/Invoice/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-8344-412d-8eea-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://tomsnyder.net/Rechnungsanschrift/Rechnung-028-486']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-3c60-4513-8513-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://tasomedia.com/Zahlung/Rechnungszahlung-017-6797/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-81b8-4596-923d-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://r2consulting.net/Purchase/Invoice-06-25-18/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-2710-4cd4-9dc6-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://jitkla.com/images/ACCOUNT/Client/Auditor-of-State-Notification-of-EFT-Deposit']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-110c-433a-ac58-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:48.000Z",
"modified": "2018-06-27T12:59:48.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://www.afpols-seminaires.fr/wp-content/Statement/Invoice-06-26-18']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3389b0-02cc-4755-a16e-4c970acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:59:49.000Z",
"modified": "2018-06-27T12:59:49.000Z",
"description": "Additional sources of c4796308953017c9dc69d340689e8efe via VT",
"pattern": "[url:value = 'http://www.chipsroofingloveland.com/STATUS/Services-06-26-18-New-Customer-VH/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:59:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-platform=\"VBA\"",
"ms-caro-malware-full:malware-type=\"Trojan\"",
"diamond-model:Infrastructure",
"kill-chain:Delivery"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b338636-f300-4c0a-9272-4d0c0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:42:30.000Z",
"modified": "2018-06-27T12:42:30.000Z",
"pattern": "[file:hashes.MD5 = 'c4796308953017c9dc69d340689e8efe' AND file:hashes.SHA1 = '754bbba270998733bec18a69b64e2c27cc17b7f1' AND file:hashes.SHA256 = 'fcbe9f4e5a8cbb6f74e4408d871ace98282ffc840245abeae3e158cc034cd094' AND file:x_misp_text = 'hxxp://www.sandearth[.]com/Client/Invoice-955175372-062618/' AND file:x_misp_ssdeep = '3072:pH9nBf4SuEjAhmAMOc7kkkko1rkGuF3tBInxGGq5xyXJm9YBmjDP7vlQsO:pFVeEsjdXRC3jexGG62YWofP 7PO' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:42:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3386e8-364c-4bcd-a24c-55110acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-06-27T12:45:28.000Z",
"modified": "2018-06-27T12:45:28.000Z",
"pattern": "[file:hashes.MD5 = '2e2887fca7eb5a2ca32ac7cbaaee12cd' AND file:hashes.SHA1 = 'ac76fa40b2cf525fb13a09560b70093641929523' AND file:hashes.SHA256 = '263365202c3905ae95f8a138f22317bb1db30eee0ddee0fd6ecc70f785df9a91' AND file:hashes.SSDEEP = '1536:Hl6gpZcT7DTf/4Vy/prGquF9EXXXWqjplt4w7Or+tgyC:Ygu7vwVy/pqDeXWQpl13mx' AND file:x_misp_text = 'hxxp://thectrl24[.]com/gjOGw/' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-27T12:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}