misp-circl-feed/feeds/circl/stix-2.1/5b9162c3-90b4-423b-bd69-28330acd0835.json

331 lines
15 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b9162c3-90b4-423b-bd69-28330acd0835",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2021-05-24T09:51:05.000Z",
"modified": "2021-05-24T09:51:05.000Z",
"name": "Synovus Financial",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b9162c3-90b4-423b-bd69-28330acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2021-05-24T09:51:05.000Z",
"modified": "2021-05-24T09:51:05.000Z",
"name": "powerpool-malware-exploits-zero-day-vulnerability",
"published": "2020-05-11T07:53:26Z",
"object_refs": [
"observed-data--5b9162d7-70bc-4802-a3e8-2efb0acd0835",
"url--5b9162d7-70bc-4802-a3e8-2efb0acd0835",
"indicator--5b916597-a96c-43dc-bcc0-2f0b0acd0835",
"indicator--5b916597-7bc0-45f8-a810-2f0b0acd0835",
"indicator--5b916597-dc78-43cb-b1df-2f0b0acd0835",
"indicator--5b916597-7ba8-4aaa-98b5-2f0b0acd0835",
"indicator--5b916597-ec48-4d1f-b15f-2f0b0acd0835",
"indicator--5b91638b-01d0-4303-9938-28310acd0835",
"indicator--5b916430-9e3c-4911-b3e9-ca520acd0835",
"indicator--5b91647e-fb8c-475d-a647-2eff0acd0835",
"indicator--5b916507-21cc-4a2f-aa8c-28280acd0835",
"indicator--5b91655c-3648-48a0-82e3-2f140acd0835"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b9162d7-70bc-4802-a3e8-2efb0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:28:38.000Z",
"modified": "2018-09-06T17:28:38.000Z",
"first_observed": "2018-09-06T17:28:38Z",
"last_observed": "2018-09-06T17:28:38Z",
"number_observed": 1,
"object_refs": [
"url--5b9162d7-70bc-4802-a3e8-2efb0acd0835"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b9162d7-70bc-4802-a3e8-2efb0acd0835",
"value": "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916597-a96c-43dc-bcc0-2f0b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:36:34.000Z",
"modified": "2018-09-06T17:36:34.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'newsrental.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916597-7bc0-45f8-a810-2f0b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:36:34.000Z",
"modified": "2018-09-06T17:36:34.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'rosbusiness.eu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916597-dc78-43cb-b1df-2f0b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:36:34.000Z",
"modified": "2018-09-06T17:36:34.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'afishaonline.eu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916597-7ba8-4aaa-98b5-2f0b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:36:34.000Z",
"modified": "2018-09-06T17:36:34.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'sports-collectors.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916597-ec48-4d1f-b15f-2f0b0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:49:05.000Z",
"modified": "2018-09-06T17:49:05.000Z",
"description": "C2\r\nCountry: Korea, Republic Of\r\nRegion: Gyeonggi-do\r\nCity: Yongin\r\nISP: Daou Technology",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.102.106.149']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:49:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b91638b-01d0-4303-9938-28310acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:28:25.000Z",
"modified": "2018-09-06T17:28:25.000Z",
"pattern": "[file:hashes.MD5 = '32b8d08e67cf509236ae8142fbeb30b3' AND file:hashes.SHA1 = '038f75dcf1e5277565c68d57fa1f4f7b3005f3f3' AND file:hashes.SHA256 = '8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4' AND file:hashes.SSDEEP = '3072:y0FPC7QAKohdraoNpLOxx85wzWVTBfGGMZhm05Pb8QOutp:ba7zfragLOxx85JVTBezZXbLOut' AND file:size = '198656' AND file:x_misp_state = 'Malicious' AND file:x_misp_text = 'First stage backdoor']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:28:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
2023-12-14 14:30:15 +00:00
"Stage 1",
"veris:action:malware:variety=\"Backdoor\""
2023-04-21 14:44:17 +00:00
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916430-9e3c-4911-b3e9-ca520acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:30:24.000Z",
"modified": "2018-09-06T17:30:24.000Z",
"pattern": "[file:hashes.MD5 = 'efe3518ee7d62299d01b7882f72ffd0a' AND file:hashes.SHA1 = '247b542af23ad9c63697428c7b77348681aadc9a' AND file:hashes.SHA256 = '035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5' AND file:hashes.SSDEEP = '3072:hMBIQ8vnQQgZKc1WZL0Az3jGSp0TBfmXnZS1m05xI8QOutt:eBIbPDgZK0yL0Az36e0TBeXZStILOut' AND file:size = '195072' AND file:x_misp_text = 'First stage backdoor' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:30:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
2023-12-14 14:30:15 +00:00
"Stage 1",
"veris:action:malware:variety=\"Backdoor\""
2023-04-21 14:44:17 +00:00
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b91647e-fb8c-475d-a647-2eff0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:32:00.000Z",
"modified": "2018-09-06T17:32:00.000Z",
"pattern": "[file:hashes.MD5 = 'e2bd4044fab4214c4aa7dd65d65fca21' AND file:hashes.SHA1 = '0423672fe9201c325e33f296595fb70dcd81bcd9' AND file:hashes.SHA256 = 'af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1' AND file:size = '395776' AND file:x_misp_ssdeep = '6144:Py7VqCkozgC2uNmz/MbVflIaPhlHvuFFNTP9DZ8EX8kE5KRf+L8uvyvcQ0BiF:Py7V6N/wISZvk7TP9F1X8 hcRe8u6wW' AND file:x_misp_state = 'Malicious' AND file:x_misp_text = 'Second stage backdoor']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
2023-05-19 09:05:37 +00:00
"Stage 2",
"veris:action:malware:variety=\"Backdoor\""
2023-04-21 14:44:17 +00:00
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b916507-21cc-4a2f-aa8c-28280acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:33:59.000Z",
"modified": "2018-09-06T17:33:59.000Z",
"pattern": "[file:hashes.MD5 = '80e7a7789286d3fb69f083f1a2dddbe6' AND file:hashes.SHA1 = 'b4ec4837d07ff64e34947296e73732171d1c1586' AND file:hashes.SHA256 = '58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd' AND file:size = '396288' AND file:x_misp_text = 'Second stage backdoor' AND file:x_misp_ssdeep = '6144:kSH62LyBiglfDq9wD7aG2HODV9cF7Bt7/hNWhZHhvMKpA7KSgodwIFsA40Bia:kSH6F9DiY9udjNW7BvMKp yKsWI97' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:33:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
2023-05-19 09:05:37 +00:00
"Stage 2",
"veris:action:malware:variety=\"Backdoor\""
2023-04-21 14:44:17 +00:00
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b91655c-3648-48a0-82e3-2f140acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-09-06T17:35:24.000Z",
"modified": "2018-09-06T17:35:24.000Z",
"pattern": "[file:hashes.MD5 = '99670267cbece5f5cc3ce92efd5bb04b' AND file:hashes.SHA1 = '9dc173d4d4f74765b5fc1e1c9a2d188d5387beea' AND file:hashes.SHA256 = '97b5b4478d234632df4c65ec251051a6b032ce21e9e68495e31f077bf4074831' AND file:hashes.SSDEEP = '3072:STZt5j+T9LjP4JqIBhNV0St7TZEjOYI1TVmqG7rg:q5j+T9LjPPIBhN2Q7TZAfI1TVwg' AND file:size = '183296' AND file:x_misp_text = 'ALPC LPE exploit' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T17:35:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"Exploit vuln\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}