{
"type" : "bundle" ,
"id" : "bundle--57dff9a6-b4b0-4e79-9271-4a10950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:50.000Z" ,
"modified" : "2016-09-19T14:48:50.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--57dff9a6-b4b0-4e79-9271-4a10950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:50.000Z" ,
"modified" : "2016-09-19T14:48:50.000Z" ,
"name" : "OSINT - Malicious Macros Add Sandbox Evasion Techniques to Distribute New Dridex" ,
"published" : "2016-09-19T14:49:42Z" ,
"object_refs" : [
"observed-data--57dff9f5-8e50-47cc-a804-4513950d210f" ,
"url--57dff9f5-8e50-47cc-a804-4513950d210f" ,
"x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f" ,
"indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f" ,
"indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f" ,
"indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f" ,
"indicator--57dffa87-f8a8-452f-babe-4de0950d210f" ,
"indicator--57dffa88-2170-436e-938e-484a950d210f" ,
"indicator--57dffa88-7840-4208-8208-476b950d210f" ,
"indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f" ,
"indicator--57dffab0-c890-4dbb-9467-4351950d210f" ,
"indicator--57dffab0-39b8-4880-bcc9-472c950d210f" ,
"indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81" ,
"indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81" ,
"observed-data--57dffad4-d364-4f79-b4e9-453602de0b81" ,
"url--57dffad4-d364-4f79-b4e9-453602de0b81" ,
"indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81" ,
"indicator--57dffad5-2378-4608-b880-457b02de0b81" ,
"observed-data--57dffad6-a830-41f2-adb9-480302de0b81" ,
"url--57dffad6-a830-41f2-adb9-480302de0b81" ,
"indicator--57dffad7-5278-4962-91b7-43a002de0b81" ,
"indicator--57dffad7-ddb8-4af6-846a-457f02de0b81" ,
"observed-data--57dffad8-dae4-4425-bf3b-410202de0b81" ,
"url--57dffad8-dae4-4425-bf3b-410202de0b81" ,
"indicator--57dffad9-de4c-44b7-a374-405102de0b81" ,
"indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81" ,
"observed-data--57dffada-9154-4c95-b067-43ea02de0b81" ,
"url--57dffada-9154-4c95-b067-43ea02de0b81" ,
"indicator--57dffadb-7b64-4794-89dc-452502de0b81" ,
"indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81" ,
"observed-data--57dffadc-f574-41e3-8413-489f02de0b81" ,
"url--57dffadc-f574-41e3-8413-489f02de0b81" ,
"indicator--57dffadd-6bf0-4f60-957a-422102de0b81" ,
"indicator--57dffadd-5800-46d8-a22a-472c02de0b81" ,
"observed-data--57dffade-be88-4afb-a678-46f702de0b81" ,
"url--57dffade-be88-4afb-a678-46f702de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dff9f5-8e50-47cc-a804-4513950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:45:09.000Z" ,
"modified" : "2016-09-19T14:45:09.000Z" ,
"first_observed" : "2016-09-19T14:45:09Z" ,
"last_observed" : "2016-09-19T14:45:09Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dff9f5-8e50-47cc-a804-4513950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dff9f5-8e50-47cc-a804-4513950d210f" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:45:26.000Z" ,
"modified" : "2016-09-19T14:45:26.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized phishing campaigns [1] [2]. This new campaign included evasive macros, which, while not unusual for this group (earlier versions were analyzed by Mcafee [3] and Checkpoint [4]), demonstrated continued evolution in their latest iteration. Most notably their new macro looks up the public IP address of the client and does not download the payload if it finds that the IP address is associated with a security vendor, certain cloud services, or a sandbox environment.\r\n\r\nThis week, we observed TA530 using their evasive macros to deliver Nymaim, Ursnif, and Dridex 124. The Dridex payload with botnet ID 124 is a previously unseen sub-botnet which is targeting Swiss banking sites, while the Nymaim and Ursnif payloads targeted North America and Australia, respectively."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:46:05.000Z" ,
"modified" : "2016-09-19T14:46:05.000Z" ,
"description" : "Nymaim Document" ,
"pattern" : "[file:hashes.SHA256 = 'a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:46:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:46:06.000Z" ,
"modified" : "2016-09-19T14:46:06.000Z" ,
"description" : "Ursnif Document" ,
"pattern" : "[file:hashes.SHA256 = 'f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:46:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:46:07.000Z" ,
"modified" : "2016-09-19T14:46:07.000Z" ,
"description" : "Dridex Document" ,
"pattern" : "[file:hashes.SHA256 = '72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:46:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa87-f8a8-452f-babe-4de0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:47:35.000Z" ,
"modified" : "2016-09-19T14:47:35.000Z" ,
"description" : "Example Ursnif Download" ,
"pattern" : "[url:value = 'http://britcart.com/britstar/office12.data']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:47:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa88-2170-436e-938e-484a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:47:36.000Z" ,
"modified" : "2016-09-19T14:47:36.000Z" ,
"description" : "Example Nymaim Download" ,
"pattern" : "[url:value = 'http://arabtradenet.com/info/content.dat']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:47:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffa88-7840-4208-8208-476b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:47:36.000Z" ,
"modified" : "2016-09-19T14:47:36.000Z" ,
"description" : "Example Dridex Download" ,
"pattern" : "[url:value = 'http://onehealthpublishing.com/image/office.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:47:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:15.000Z" ,
"modified" : "2016-09-19T14:48:15.000Z" ,
"description" : "Example Nymaim Payload" ,
"pattern" : "[file:hashes.SHA256 = 'f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffab0-c890-4dbb-9467-4351950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:16.000Z" ,
"modified" : "2016-09-19T14:48:16.000Z" ,
"description" : "Example Ursnif Payload" ,
"pattern" : "[file:hashes.SHA256 = '6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffab0-39b8-4880-bcc9-472c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:16.000Z" ,
"modified" : "2016-09-19T14:48:16.000Z" ,
"description" : "Example Dridex Payload" ,
"pattern" : "[file:hashes.SHA256 = '97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:51.000Z" ,
"modified" : "2016-09-19T14:48:51.000Z" ,
"description" : "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629" ,
"pattern" : "[file:hashes.SHA1 = '50d2d8cceb257b074e37265da537cf493c805210']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:51.000Z" ,
"modified" : "2016-09-19T14:48:51.000Z" ,
"description" : "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629" ,
"pattern" : "[file:hashes.MD5 = '59b569b8875fd3847ae0308af85e3440']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffad4-d364-4f79-b4e9-453602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:52.000Z" ,
"modified" : "2016-09-19T14:48:52.000Z" ,
"first_observed" : "2016-09-19T14:48:52Z" ,
"last_observed" : "2016-09-19T14:48:52Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffad4-d364-4f79-b4e9-453602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffad4-d364-4f79-b4e9-453602de0b81" ,
"value" : "https://www.virustotal.com/file/97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629/analysis/1465971238/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:53.000Z" ,
"modified" : "2016-09-19T14:48:53.000Z" ,
"description" : "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879" ,
"pattern" : "[file:hashes.SHA1 = '61996a309d84daf441cd7a3e71ed45c8fe210824']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad5-2378-4608-b880-457b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:53.000Z" ,
"modified" : "2016-09-19T14:48:53.000Z" ,
"description" : "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879" ,
"pattern" : "[file:hashes.MD5 = '86a50ac34b6e18b5bec0a24a1b4f12d3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffad6-a830-41f2-adb9-480302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:54.000Z" ,
"modified" : "2016-09-19T14:48:54.000Z" ,
"first_observed" : "2016-09-19T14:48:54Z" ,
"last_observed" : "2016-09-19T14:48:54Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffad6-a830-41f2-adb9-480302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffad6-a830-41f2-adb9-480302de0b81" ,
"value" : "https://www.virustotal.com/file/6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879/analysis/1473668183/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad7-5278-4962-91b7-43a002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:55.000Z" ,
"modified" : "2016-09-19T14:48:55.000Z" ,
"description" : "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9" ,
"pattern" : "[file:hashes.SHA1 = 'c28bec7ce1d0bcfd1a007cefe086571d5d49b975']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad7-ddb8-4af6-846a-457f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:55.000Z" ,
"modified" : "2016-09-19T14:48:55.000Z" ,
"description" : "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9" ,
"pattern" : "[file:hashes.MD5 = '12abc10d3c37841f4f4f7e193b045f6b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffad8-dae4-4425-bf3b-410202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:56.000Z" ,
"modified" : "2016-09-19T14:48:56.000Z" ,
"first_observed" : "2016-09-19T14:48:56Z" ,
"last_observed" : "2016-09-19T14:48:56Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffad8-dae4-4425-bf3b-410202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffad8-dae4-4425-bf3b-410202de0b81" ,
"value" : "https://www.virustotal.com/file/f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9/analysis/1465970739/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad9-de4c-44b7-a374-405102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:57.000Z" ,
"modified" : "2016-09-19T14:48:57.000Z" ,
"description" : "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06" ,
"pattern" : "[file:hashes.SHA1 = '27c3ff564efbf5db343feba688236c180846b61b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:57.000Z" ,
"modified" : "2016-09-19T14:48:57.000Z" ,
"description" : "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06" ,
"pattern" : "[file:hashes.MD5 = '64d133b98ab00c9f5409e4ab29a70250']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffada-9154-4c95-b067-43ea02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:58.000Z" ,
"modified" : "2016-09-19T14:48:58.000Z" ,
"first_observed" : "2016-09-19T14:48:58Z" ,
"last_observed" : "2016-09-19T14:48:58Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffada-9154-4c95-b067-43ea02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffada-9154-4c95-b067-43ea02de0b81" ,
"value" : "https://www.virustotal.com/file/72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06/analysis/1466780189/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffadb-7b64-4794-89dc-452502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:59.000Z" ,
"modified" : "2016-09-19T14:48:59.000Z" ,
"description" : "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70" ,
"pattern" : "[file:hashes.SHA1 = 'cfb624f1b220b96e51214a58a29e596334cf975d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:48:59.000Z" ,
"modified" : "2016-09-19T14:48:59.000Z" ,
"description" : "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70" ,
"pattern" : "[file:hashes.MD5 = '89968ce9689ffcf42cd5e8b1702ad6a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:48:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffadc-f574-41e3-8413-489f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:49:00.000Z" ,
"modified" : "2016-09-19T14:49:00.000Z" ,
"first_observed" : "2016-09-19T14:49:00Z" ,
"last_observed" : "2016-09-19T14:49:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffadc-f574-41e3-8413-489f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffadc-f574-41e3-8413-489f02de0b81" ,
"value" : "https://www.virustotal.com/file/f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70/analysis/1465721182/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffadd-6bf0-4f60-957a-422102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:49:01.000Z" ,
"modified" : "2016-09-19T14:49:01.000Z" ,
"description" : "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369" ,
"pattern" : "[file:hashes.SHA1 = 'f5249c827757e4ef4bc107e7ca0e8e5b3e361bdc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:49:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57dffadd-5800-46d8-a22a-472c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:49:01.000Z" ,
"modified" : "2016-09-19T14:49:01.000Z" ,
"description" : "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369" ,
"pattern" : "[file:hashes.MD5 = 'ad9c255868ab55652555e47d8985ea2f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-09-19T14:49:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57dffade-be88-4afb-a678-46f702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-09-19T14:49:02.000Z" ,
"modified" : "2016-09-19T14:49:02.000Z" ,
"first_observed" : "2016-09-19T14:49:02Z" ,
"last_observed" : "2016-09-19T14:49:02Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57dffade-be88-4afb-a678-46f702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57dffade-be88-4afb-a678-46f702de0b81" ,
"value" : "https://www.virustotal.com/file/a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369/analysis/1465720444/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}