misp-circl-feed/feeds/circl/misp/598626ea-83e0-4b11-a9a5-485b950d210f.json

270 lines
296 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--598626ea-83e0-4b11-a9a5-485b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:34:04.000Z",
"modified": "2017-08-05T20:34:04.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--598626ea-83e0-4b11-a9a5-485b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:34:04.000Z",
"modified": "2017-08-05T20:34:04.000Z",
"name": "OSINT - Tale of the Two Payloads \u00e2\u20ac\u201c TrickBot and Nitol",
"published": "2017-08-05T20:34:08Z",
"object_refs": [
"observed-data--59862752-752c-4adc-9984-9603950d210f",
"url--59862752-752c-4adc-9984-9603950d210f",
"x-misp-attribute--59862767-ed94-49e9-84d2-4243950d210f",
"indicator--59862781-f178-47cf-9ac9-9533950d210f",
"observed-data--598627bd-bce0-49bc-b0fe-4842950d210f",
"file--598627bd-bce0-49bc-b0fe-4842950d210f",
"artifact--598627bd-bce0-49bc-b0fe-4842950d210f",
"indicator--598627f5-011c-4c56-aef4-953302de0b81",
"indicator--598627f5-7ab0-4b3a-a33e-953302de0b81",
"observed-data--598627f5-1190-41a7-ba3b-953302de0b81",
"url--598627f5-1190-41a7-ba3b-953302de0b81",
"x-misp-attribute--59862850-d16c-4b97-90bc-485b950d210f",
"indicator--59862bbc-fed0-48b7-9331-4674950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Trick Bot\"",
"europol-incident:availability=\"dos-ddos\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59862752-752c-4adc-9984-9603950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"first_observed": "2017-08-05T20:17:57Z",
"last_observed": "2017-08-05T20:17:57Z",
"number_observed": 1,
"object_refs": [
"url--59862752-752c-4adc-9984-9603950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59862752-752c-4adc-9984-9603950d210f",
"value": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59862767-ed94-49e9-84d2-4243950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year targeting banks in Europe, UK, Australia and other countries. This trojan injects malicious code into a web browser process and siphons sensitive data when the victim visits a target banking website. The Nitol family is well-known for its distributed denial of service (DDOS) and backdoor capabilities."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59862781-f178-47cf-9ac9-9533950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"description": "Both spam campaign have the same payload:",
"pattern": "[file:hashes.SHA1 = 'd127c60b32fb4a83f711a4a38e9053f347ed90ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T20:17:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--598627bd-bce0-49bc-b0fe-4842950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"first_observed": "2017-08-05T20:17:57Z",
"last_observed": "2017-08-05T20:17:57Z",
"number_observed": 1,
"object_refs": [
"file--598627bd-bce0-49bc-b0fe-4842950d210f",
"artifact--598627bd-bce0-49bc-b0fe-4842950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--598627bd-bce0-49bc-b0fe-4842950d210f",
"name": "6a01676411d5a7970b01b7c9124d75970b-800wi.png",
"content_ref": "artifact--598627bd-bce0-49bc-b0fe-4842950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--598627bd-bce0-49bc-b0fe-4842950d210f",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAAdkAAAQACAYAAACtTiNCAAAgAElEQVR4XuydB5wcZd2An6nb93rL5dILSQgkJJTQqxCCgEFB6RAg0gRFECwoivApIlIkH1FEQPCTKiBFQHoJJaSTkN7uLtf3tu9O+37v3O1l7xIwKkiAme+33+HOvO+885/JPvPvkuM4Dt7mScCTgCcBTwKeBDwJfOwSkDzIfuwy9Sb0JOBJwJOAJwFPAq4EPMh6D4InAU8CngQ8CXgS+IQk4EH2ExKsN60nAU8CngQ8CXgS8CDrPQOeBDwJeBLwJOBJ4BOSgAfZT0iw3rSeBDwJeBLwJOBJwIOs9wx4EvAk4EnAk4AngU9IAh5kPyHBetN6EvAk4EnAk4AnAQ+y3jPgScCTgCcBTwKeBD4hCXiQ/YQE603rScCTgCcBTwKeBDzIes+AJwFPAp4EPAl4EviEJOBB9hMSrDetJwFPAp4EPAl4EvAg6z0DngQ8CXgS8CTgSeATkoAH2U9IsN60ngQ8CXgS8CTgScCDrPcMeBLYGSTg2CD1LKS4LVbPf4sdPTt7/r+D5B5VOFLu2/NJXIpt2z3nliT307fIj+rfJZbkbZ4EPAl4DQK8Z+CLJ4GB3R37wPEpisJxrL6zO1IPPns+DrKjIBUI7OLURkIcXwCz/olBVsjKsnrWpihKzxoFZy2Q7F7gbkdujur0HNcL4p1Bxp/i7fVO/QWWgKfJfoFv/hf10ndGyJp96uFWjhXuj1xArEvdXvxK4q+ArCCZ+oneym1aTv8TyIoXA0fpr+bKsqfafqI3yZt8p5WAB9md9tZ4C/u8S6BghhXXackCpSBQJD6O7bhaoKvB2r1ariKD3F97FIf1mI574Vww5/4bwhMwLQbqQDCKfWLN4ntJqNvizWB7yqxYsmz3mZY9LfbfuBnekM+NBDzI/ju30rJw4vF+I6VwGDTN1TScVAoMY+sPXygEujDpeZsngR4JFIDmAkiSsOwcjm3hGBaSaeHkDSTTxjItMuk0ecPAFJBTVGR/gGhpOXrQh6pILvQKc/bzm/6Lwt4RyArTsTAbfxRkhSZrScKeDIqsbPXj/ovr8Q73JPB5kIAH2X/xLro+qmXLyE2d2m+k/sgjKEceCd3d5GbNwn766b792u9+h3bqqd6Pzb8o68/k4QWl8kODmHo01QIUTdPEtAxw0ig4KI6EJKzAeRPyJmYiSWe8m3jOJJ3JksobJA2LjAmq309VdRU1VVGqKivxB4IucHuWUAiZ6q9qFvyr4ggB5H/FjFvwz+4IZB25xyf7n0D/M3n/vUV7EhggAQ+yO/BIFExohTd9AVljr736jVR+8APkyy6DZBLzvPNwnnmmb79yxx19kC2YzjwT2g4I/rN2iLDqCp9pbzCwI7vxQcJz2qO5WiaqrCLCh1KpJD5dFdFDONioqh9Hksmblgs+TUDQymKm2zEzrTRtidHZ4Sebl0macWLpDlIZ0NQImtFNzaBqGkaMYlDDYIKBAKZtITsSiiwigrf6Q/9Tf7QY3y/CeMA9KvwbceH94XFRn7U7663Xk8C/LQEPsjsgusIPh/BHiY+1dCn2vvv2Hymg+/DDOLkc0gUXwLPP9u2X58xBOeUU98fT9Wf1+s080O6A8D9Lhwia9jhJ3U8Bsm6okm0gOwaOJbN00ftsXL+ZQXW1OLKMz6cjyQZDR44gGC7FcWxSiRiKbKOTIWd0sak1SaIzgpGXyBmdSHKWdALi3RLZbJKcnUf1ywwbOYQpu46jvCwKpo0kIKv2RgX/F2RpO7brT+6LRP4vnNM7hSeBnVkCHmT/yd0pBqwwtYmPuWQJykEH9R/p85F/6CHsESPQv/Ut5H/8o2+/feutyCefjKqqLmRdc1txzuHO/IR4a9txCbgWWuGR7Nm2/pfQJh3S2Rzz3lzEBx80ovvKaGrppGlLG7l8iq74Go489miOOfxQlnywlqefeQ6fplJVVk5WzbOqaQshqZ6A6gM7hZWJURWuR5LL2BhvJ56OYVlpKkp1aqI+jjpwb/bda1JfGpBYz3/j5a6fJrvjkvOO9CTwuZWAB9kdgKyrvQq4miaGYWAtWYLv8MO3GZn58Y/JHHMMJZdfjvLSS337jV//Gucb30DTNPcjrV4N8+djXnst5PPucfLee6OcfDLKIYcgR6PbzO1kMpgvvYT5u9/hvPeeu1/afXeUE09E/fKXkSKRvjH5yy/HeuihfnOos2cjH388xgUX4Kxb17dP3mcftJ/+FKelhfzZZ/cL2FJOPx317LOx/vEPrLvvxv/yy+44e/167IULMS6/HMye5BNp1KietZx4InJp6ef2H8xHXZhrLRZ5rYWDLNsNEBLfxeNp5r21jGxex5JLWbxiM+sa2ymvHkw8ncSJJAgFdVKpDJ3tcXy+MFkT4nGTvJbGkPMkW0GxDc47/SA2b1jLP55ejl+vI6tnseU8ie5WNCnLhOG1KJk4Z3/jWI48ZKprfSls3svdF/LR9C76U5SAB9kdgKwArICr+GSzWewlS4jMmLHNSHvQIBrvuYfqH/8Y3+uv9+1P/8//YH396/iEr+2FF5B+9jNYs2a7Z5YOOAD91ltRxo7t2S8AP38++bPOwvmQMeIw7ZlnUPbbD2QZY/ZsrD/9qd/8yqWXIn3961innoojIN+7ifMpN96I09yM9bWv9UHfBb84Z3s7zpNPIg0Zgm/JEqx58zAvuwxn8eLtr3/wYLQ770Q94AA3avaLYhIX2quIJxd/XeOsbaPYPSkx6XyOV554iub3llFePZQ3FqymJSkhh8sIlFYQqShnc7IVXYaSaCmypJPIghyoZuXaVjL+HGV1FaQ6bTraNnHkYaM47ODdUOwA9961nPWrV1JRGSGd7QIrRS7eRkNZFL9kc9ZpB7P//hP6UnM8M+6n+GvrnfoLKQEPsv/ktgstoKDB5nI5MpkM1qJFVMycud2RjTfcQMXDD+OfN69vf/xnPyP31a8SWrGCwFVXIa1Y0bfPGT0aLAtp7dp+4NP/8heIRnFWrcL81rewX321Z7/w51ZV4VRVIa1fLyJoer6vqUF54gkYMwZbaKv3399/fRdfDAKiZ53VH/D77w+//CU0N8M3vtEPspSV9cwvtO1hw5BExPTVV+M8+ODWuevrccrLkYR2nEz2fF9fj/7ssyjDh/9XTJQ7y79cyzGxHaHJKjiyhGla+GzYuHg5K/72BNXpThYtWUln0qSkdjjr2jrIOBKbuzvZ65Tj2We/g3ngd7+jeV0zFaX1dKZkgpE62jWThAaVJXVs3LSeRLINnyYxYdRYjJROrL2bvGmQSHYzdGgDWxo3Y6STTBg7hki0i3O/eTzjxu3iarS6sKT8B7m0O4usvXV4EvisSMCD7A5AVmiw+Xze1WJTqRT2okXUnHTSdkfGTjgBfeNGgu+807e/80c/In3ssZQ98gih66/vN86891437Ue96KJ+30t//CPSccfhPPAAzlVXQWdnz35Nc7VR6+ST0a68Emn+/J7vg0Gc734X68ILkYVPWEC6aDPPPx9r5kz02bP7Ad3Zd1+Ma69FamlBO/30fubi4vHO0KFYf/gDyne/i7RgQd8uYfK2DzwQ9aqrkIu0d/nuu1FnzuwL9Pr8mymF1poXEU5I6OQkyNgmgWSWRfc+hH/1RrREnLVr1jNixFiaO7tJ2g6xTJ7WfJrT/ngtZcEof/7Fr5j37KsMrh5Gd9LGIkDap5ELaISi5azbtIXOrhiKZONXJUIBhXimG1XT3chkR9GQVZ1UziBaUoIelth7v1359iWzCUfDPSUZRUSWm1/ziVVj/Kz8/nnr9CTwiUvAg+wOQFYAVnzS6bQLWWvhQupPOWW7I83qauxgEF1omb1b65VXkjzySGrnziX45z/3G5e8916cdJrI7Nn9vreF9vq97yHfdhtyMZh9PnJnnEHuxBMJXn016htv9IyTZayjjiJ96634v/c9tAE+2fSsWeSPPZbIJZegFK3N2ntvUldfjdzaSvi887aBrDl1Klnhfy4pgVGjCF12GdLGjX1rzVx/Pbn993dfHrSnnur73rnpJtSzzuoL9Cq
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--598627f5-011c-4c56-aef4-953302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"description": "Both spam campaign have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec",
"pattern": "[file:hashes.SHA256 = 'b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T20:17:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--598627f5-7ab0-4b3a-a33e-953302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"description": "Both spam campaign have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec",
"pattern": "[file:hashes.MD5 = '2c5639ddaa3ed639e17a0fa669e35da1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T20:17:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--598627f5-1190-41a7-ba3b-953302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:17:57.000Z",
"modified": "2017-08-05T20:17:57.000Z",
"first_observed": "2017-08-05T20:17:57Z",
"last_observed": "2017-08-05T20:17:57Z",
"number_observed": 1,
"object_refs": [
"url--598627f5-1190-41a7-ba3b-953302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--598627f5-1190-41a7-ba3b-953302de0b81",
"value": "https://www.virustotal.com/file/b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2/analysis/1501775685/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59862850-d16c-4b97-90bc-485b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:19:28.000Z",
"modified": "2017-08-05T20:19:28.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Support Tool\""
],
"x_misp_category": "Support Tool",
"x_misp_comment": "This malware avoids static analysis by encoding most of its strings using a lookup algorithm that involves a decoder table represented by this code:",
"x_misp_type": "text",
"x_misp_value": "def trickbot_decode(text):\r\n\tts = \"aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq\"\r\n\talphabet = [n for n in ts]\r\n\tbit_str = \"\"\r\n\ttext_str = \"\"\r\n\r\n\tfor char in text:\r\n\t\tif char in alphabet:\r\n\t\t\tbin_char = bin(alphabet.index(char)).lstrip(\"0b\")\r\n\t\t\tbin_char = bin_char.zfill(6)\r\n\t\t\tbit_str += bin_char\r\n\r\n\tbrackets = [bit_str[x:x+8] for x in range(0,len(bit_str),8)]\r\n\r\n\tfor bracket in brackets:\r\n\t\ttext_str += chr(int(bracket,2))\r\n\r\n\treturn text_str.encode(\"UTF-8\")"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59862bbc-fed0-48b7-9331-4674950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T20:34:04.000Z",
"modified": "2017-08-05T20:34:04.000Z",
"description": "On port 40",
"pattern": "[domain-name:value = 'e.googlex.me']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T20:34:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
2023-04-21 13:25:09 +00:00
]
}