{
"type": "bundle",
"id": "bundle--5a1e6038-a088-46ac-95ef-ad9e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:50.000Z",
"modified": "2017-11-29T07:47:50.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a1e6038-a088-46ac-95ef-ad9e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:50.000Z",
"modified": "2017-11-29T07:47:50.000Z",
"name": "OSINT - ROKRAT Reloaded",
"published": "2017-11-29T07:48:34Z",
"object_refs": [
"observed-data--5a1e604b-d290-4404-a793-7e40950d210f",
"url--5a1e604b-d290-4404-a793-7e40950d210f",
"x-misp-attribute--5a1e606f-95f0-465c-a739-7e43950d210f",
"indicator--5a1e60c1-6e50-4137-bd1c-ac4e950d210f",
"indicator--5a1e60c1-0c24-4ec1-b1e0-ac4e950d210f",
"indicator--5a1e60c1-4574-482c-9c2b-ac4e950d210f",
"indicator--5a1e60c1-efbc-4f55-958d-ac4e950d210f",
"indicator--5a1e60c1-d4ac-47cb-8344-ac4e950d210f",
"indicator--5a1e60c1-9c24-4de8-ad40-ac4e950d210f",
"indicator--5a1e60c1-347c-4331-b888-ac4e950d210f",
"indicator--5a1e60c1-afd0-4b33-af92-ac4e950d210f",
"observed-data--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"file--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"artifact--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"indicator--5a1e6613-1044-4d30-820a-ad0902de0b81",
"indicator--5a1e6613-2f20-433d-94cb-ad0902de0b81",
"observed-data--5a1e6613-55a8-4765-a515-ad0902de0b81",
"url--5a1e6613-55a8-4765-a515-ad0902de0b81",
"indicator--5a1e6613-72d0-4ce7-ab5e-ad0902de0b81",
"indicator--5a1e6613-65a4-4371-a044-ad0902de0b81",
"observed-data--5a1e6613-2e08-41a8-83e8-ad0902de0b81",
"url--5a1e6613-2e08-41a8-83e8-ad0902de0b81",
"indicator--5a1e6613-84c0-4417-8a0b-ad0902de0b81",
"indicator--5a1e6613-6328-43f1-8e68-ad0902de0b81",
"observed-data--5a1e6613-f690-455a-aa14-ad0902de0b81",
"url--5a1e6613-f690-455a-aa14-ad0902de0b81",
"indicator--5a1e6613-1638-444b-8524-ad0902de0b81",
"indicator--5a1e6613-cba4-48ef-a655-ad0902de0b81",
"observed-data--5a1e6613-9fb8-4216-8710-ad0902de0b81",
"url--5a1e6613-9fb8-4216-8710-ad0902de0b81",
"indicator--5a1e6613-aab8-4af7-ba7b-ad0902de0b81",
"indicator--5a1e6613-1860-4197-bee8-ad0902de0b81",
"observed-data--5a1e6613-db8c-4aec-8523-ad0902de0b81",
"url--5a1e6613-db8c-4aec-8523-ad0902de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"misp-galaxy:rat=\"rokrat\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e604b-d290-4404-a793-7e40950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e604b-d290-4404-a793-7e40950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e604b-d290-4404-a793-7e40950d210f",
"value": "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a1e606f-95f0-465c-a739-7e43950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the websites was a compromised government website. We named this case \"Evil New Years\". The second one was about the analysis and discovery of the ROKRAT malware.\r\n\r\nThis month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:\r\n\r\n It contains the same reconnaissance code used;\r\n Similar PDB pattern that the \"Evil New Years\" samples used;\r\n It contains the same cloud features and similar copy-paste methods that ROKRAT used;\r\n It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-6e50-4137-bd1c-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"pattern": "[file:name = 'BIN0001.OLE']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-0c24-4ec1-b1e0-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Path",
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\HncModuleUpdate.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-4574-482c-9c2b-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "MalDoc",
"pattern": "[file:hashes.SHA256 = '171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-efbc-4f55-958d-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #1",
"pattern": "[file:hashes.SHA256 = 'a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-d4ac-47cb-8344-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #2",
"pattern": "[file:hashes.SHA256 = 'eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-9c24-4de8-ad40-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #3",
"pattern": "[file:hashes.SHA256 = '9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-347c-4331-b888-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "ROKRAT",
"pattern": "[file:hashes.SHA256 = 'b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e60c1-afd0-4b33-af92-ac4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Freenki",
"pattern": "[file:hashes.SHA256 = '99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"file--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"artifact--5a1e6121-04f0-4644-a9d9-ad77950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"name": "malicious HWP document.png",
"content_ref": "artifact--5a1e6121-04f0-4644-a9d9-ad77950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5a1e6121-04f0-4644-a9d9-ad77950d210f",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAAuMAAARVCAIAAACYXFmhAAAAA3NCSVQICAjb4U/gAAAAX3pUWHRSYXcgcHJvZmlsZSB0eXBlIEFQUDEAAAiZ40pPzUstykxWKCjKT8vMSeVSAANjEy4TSxNLo0QDAwMLAwgwNDAwNgSSRkC2OVQo0QAFmJibpQGhuVmymSmIzwUAT7oVaBst2IwAACAASURBVHic7L0/i+tKm/YrHR6YOfEwMCwWm0ZWNHA4wYGGs4/cAw5kf4AO5BU5MlhxIycOHYxExzJ05GhZQX8A24Fht8XmpeOZJ7KFaRYrGSac2Ceodxe1q6RSqSTbWmtfv6hbLan+qKruq+66q9o8n8+GGv/1X//1X//1X//6r/+qeD8AAAAAAMff//73f/7nf/7nf/5nxfv/j4vmBgAAAACgDlAqAAAAAGgvUCoAAAAAaC9QKgAAAABoL1AqAAAAAGgvUCoAAAAAaC9QKgAAAABoL1AqAAAAAGgvUCoAAAAAaC9QKgAAAABoL1AqAAAAAGgvUCoAAAAAaC9QKgAAAABoL1AqAAAAAGgvUCoAAAAAaC9/++2339Tv9n3/P//zPy+XGwAAAAD89Pz9739Xv9k8n88V7jar3Q8AAAAAUIe2rP74vp8kSe6foiiKokjlYpsZDAZpmt46FxVoYYazLLNtu9Ijtm1nWVY/6SRJfN9X/BPNZ5qmg8GgkVSKaKqAEjSqXYR28Kp1UictdapW46Wr3TRNo6GaB+AnQFOppGlqlsHauSiKxBuqjiaKGWt2HPR9n8u2xJbYtk1vUxFSSZJIKlBeP1mWiTmplFuNDCuSmzcVBoNBaVtiyW1XennOTVqvFEUUfW6JNdLQLpKEGv/QjSDPbSOfILed/MWrHYAfCE2l4jjOmeF4PBqGcTwe2YuO49D7gyA4/5l+v39/f99MIS5DlmWmad7d3XE5v7u7yzWHpmmOx2N62263UxnsJpPJuQDP8yQPuq4bx7F2bjUynDvc5w7ElmU9PDxoDM3r9Vqsh36/X3S/2K6qpsiy3++5t7E1zEFrYzgcLhaLUuNnGIbneWyhaHKHw6FOtnMJw7CoXQVBwN3MClYWvaRpzSjOGdhq4VitVvKE1NsYVyFkyGoc9WonHZbATvwukSsAfnSaWf3xfT8Mw+fnZ8X7syw7HA6WZdH+uVgs2BvYCe50Op1Op/TXS7uOKa+vr6vVShzWgyAIw5AbIqMoCsOQvXm9XmdZVrqAQo2ciOTZwWCw3W61c6ud4aKBOAxD7k7P806n063Wj2j7uZBBMhiRtFqtqNyspDm+fft2obxV5XA4iN+00+lovCpJkpeXF/IGy7KadUr9TFiWRWqp3+9/+vSpTp0D8NPTgFIZDAa9Xi8IgoeHB0UZ8fz8PJ/PDcOgw+JkMmFvyJ1bE9brdf08N85ut3t8fOQu9nq9Umsk8amwTimWJEl6vZ5lWTfJsDpxHI9Go0Ze9enTp0r30/bTzqGfhDi8vb3dOiPNM5vNqIaO43i73daM57i7u2sgWy2GzNnIz4hKASCXWkqFzFxnsxmZmnueN5vNSt0eZH4vX9qgaPiiN5tNkZeikj/m8fFxOByK3gjf96fTqei9uBrL5VIUGe3Mreu6em4VxYhFcUFKIy1FqPer/qt835/NZlmWiWVsKhXWDclxOT8HKQ6roV3XfX9/v1Byp9PpQm/Wpma115x+APCzoqlUyML2aDSiU38ytpL4ldFoVDTa+r5/Op3I8j+7Usut/tC/0rX8/X4vXxAhcAE0dfwxxD17Op1EW3gW4iF6vd7r6yt3cbfblcbiSFZ/coc2unBWJ7d1MlyJh4eHr1+/1nwJW97j8UjKRW28uCBlMIEXDa7+UO8Xd/3j44NmhiQqd+T4vt/r9RzHieNYvLMolUpIIj/O0uCbmnz//p3zCtzd3X18fGi/UP5slmW73U775Y2jUe3s7p4syxpUwwD8TGgqFbKwXeQX
oT2WvUgC4x8eHmiPpSu1Z2H1xzAM3/dXqxVdAXEcZ7/fkzWjaxLHMS2LZMQJgmA6nbIujcFgYFmWfJLEDW0GsxxWlJBoDDRyq53hqnz+/Ln+Zk42+KPT6ZByyfNJAy+usPqz2+02mw35mSQqkUfEV0RcXJZlqejvIi3buGuE2xPLloIKxDr79YbDoWma3W6XXimK5KXQGDWxzRPJfolgZMJ1qv319bXX65Gf39/fqexuMAkAfgKucZ4KiWx/e3uTiBuRw+HA3ew4DjUJBuNobTxsM3cANf68FEVgB9Dz+bzb7eifRqPRJSavYhyJXm71Mlzk3J5Op0WPqNsS9oXH47HT6bBXrhBJ3e12xaKV7hXfbDaTyUTFhA8GA9d1Wcce0d/dbrdIz0mm6bkfq9T2FzUGEVbkUYGo3n9FVqvV+Xze7/f0Sm4kr/FnvU4QW9Hz8/N4PB6Px4rbf7imK5ewV6v2l5cXupL79vYmruoCAAzD+JvGM7Zt584aTcFp2el0DocDWZHRyZ0UbutKUa5ESK4kN2hP1NRXl6rWIf318+fP3A11ppWVlsOCIGAr3FQ7sFg9SLD0bbnmnEy72Sul3zcXvUjt19fXyWTy5cuX0WhUasVzk6jZO7iSNuVj0POEffr0icvA6XR6eHhoJEssaZouFgtSb6ZpPj4+yn1sXNOtTyPVniSJ67o051mWIU4FgFx0fCq5M6FccjuwOP+IoiiOY26gd12Xm6emaSo5WqNmrkTUjw/RQDu3ojG4Qm61+fbt20UHX/E8FfXvW58sy6bT6dPTk+M4rutWqmTxe9m27XmexpRdVBX1G4NlWRrVSL41m5/tdnuJY5O63S49amW/319oje/S1T4cDunnjqKoqY1yAPx86K/+aJxnT0JVlsslZ1pIHCh389PT03A4pCs7aZp2u93ZbFaaRFMLyblWkCAeH0LQO4E+d1wrutmyrNx9MRq51c6wOm9vb1++fKn0iMYJ4hqnpzeStOu6q9WKmOc4jqfTqWI2TNM8nU7cZ1oul2bxYhN3rCIl10jrNYZGmM/nruuSn33fZ30GRXCCwPhzj+AGGRJoH4Yhndg4jhOGYa504NBoJ5erdtu2qdjKsuzl5aXOyhoAPzdX/b8/s9nseDyKx4TEcSyeTkbibWnoQLfbPRcfMXIJJDMkSVhGEev1Wsw8kW7iaEgCGItG1dFoJG7baTa3RRmuyna7bfCTaUz0c/dJaSB6O4gZZq3L8XgcDoel9pKcuSf6ThzHOR6PpVpchcYbgzqe543HY5JWlmUqoVoS/6Jo4H3fn0wm3FIOOd6wzhSlkXZSqdrZODzXdZfLZc3UAfiJact/KCyCHbaun3qlI8k1eHt7o5NyFsuyVqtV0clgnuflbs68XG71gnajKPqJx984jjkzTLR1S0IN1BsD/XadTofu8aForBtS18IlDmlcr9dFm+/acCakXh8kwXzyN5PDq5rOLwA/BjoRtdrM5/NOp7Pf77lu6fs+jY/7S/Hw8DAcDu/v7znzlmXZcDiU/NOT9Xo9GAyuNjRrhCyQRaVr+sB+FIIgME2TnipEIeub8v90cwlK+92l/1czUGE2m202mzRN0afAX5BaPhXJgYy56/1k7x89F45C/q9enZywSM5Sq7rTtWoBjYKdrkWpkwrhtuOapkk2hcrXrWezGefu1sht1QwrkmXZfD7XduSIM3uW3MAaclZHLpUWBeRJN2Wzz3/850gWco5i0UcXGwmhaL+bXmP46anaTtpT7Y7jdDodyBTw10Rpo2kLIU7pGx5pD0ApaZrO5/M2rErUIcsy13Wb2lFVqU70urnv+w8PDz9BgCpb80QetWRtEYAr86MqFQAAAAD8FWh7RC0AAAAA/spAqQAAAACgvUCpAAAAAKC9QKkAAAAAoL1AqQAAAACgvUCpAAAAAKC9QKkAAAAAoL1AqQAAAACgvUCpAAAAAKC9QKkAAAAAoL1AqQAAAACgvUCpAAAAAKC9QKkAAAAA
oL1AqQAAAACgvUCpAAAAAKC9QKkAAAAAoL1AqQAAAACgvUCpAAAAAKC9QKkAAAAAoL1AqQAAAACgvUCpAAA
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-1044-4d30-820a-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Freenki - Xchecked via VT: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5",
"pattern": "[file:hashes.SHA1 = 'f7fcadc8c71752ce5d47af1e8069069cc70e6e27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-2f20-433d-94cb-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Freenki - Xchecked via VT: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5",
"pattern": "[file:hashes.MD5 = '6c668fd6a98f0659abc54d88c1db209e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6613-55a8-4765-a515-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e6613-55a8-4765-a515-ad0902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e6613-55a8-4765-a515-ad0902de0b81",
"value": "https://www.virustotal.com/file/99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5/analysis/1511910425/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-72d0-4ce7-ab5e-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #3 - Xchecked via VT: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f",
"pattern": "[file:hashes.SHA1 = '6b79d3519b09d6162a1d3ec55fed3ee7a4adf436']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-65a4-4371-a044-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #3 - Xchecked via VT: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f",
"pattern": "[file:hashes.MD5 = 'b441d9a75c60b222e3c9fd50c0d14c5b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6613-2e08-41a8-83e8-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e6613-2e08-41a8-83e8-ad0902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e6613-2e08-41a8-83e8-ad0902de0b81",
"value": "https://www.virustotal.com/file/9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f/analysis/1511903258/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-84c0-4417-8a0b-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #2 - Xchecked via VT: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14",
"pattern": "[file:hashes.SHA1 = 'bd97943835cb3749ce2b1dc6ba89961555d92c38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-6328-43f1-8e68-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #2 - Xchecked via VT: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14",
"pattern": "[file:hashes.MD5 = 'bdbabe7d5605c00d24d15e3fac6eda1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6613-f690-455a-aa14-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e6613-f690-455a-aa14-ad0902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e6613-f690-455a-aa14-ad0902de0b81",
"value": "https://www.virustotal.com/file/eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14/analysis/1511903362/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-1638-444b-8524-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #1 - Xchecked via VT: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037",
"pattern": "[file:hashes.SHA1 = '96d8142c72942a84f6e45f5ec9f2a8f8e97bf28e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-cba4-48ef-a655-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "Dropper #1 - Xchecked via VT: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037",
"pattern": "[file:hashes.MD5 = '9cf931c33319f2a23d0b49cb805a4a34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6613-9fb8-4216-8710-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e6613-9fb8-4216-8710-ad0902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e6613-9fb8-4216-8710-ad0902de0b81",
"value": "https://www.virustotal.com/file/a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037/analysis/1511903459/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-aab8-4af7-ba7b-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "MalDoc - Xchecked via VT: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824",
"pattern": "[file:hashes.SHA1 = '359c953832b9c71363b87f66638d8b573214cb6f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e6613-1860-4197-bee8-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"description": "MalDoc - Xchecked via VT: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824",
"pattern": "[file:hashes.MD5 = '7ca1e08fc07166a440576d1af0a15bb1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T07:47:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e6613-db8c-4aec-8523-ad0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T07:47:31.000Z",
"modified": "2017-11-29T07:47:31.000Z",
"first_observed": "2017-11-29T07:47:31Z",
"last_observed": "2017-11-29T07:47:31Z",
"number_observed": 1,
"object_refs": [
"url--5a1e6613-db8c-4aec-8523-ad0902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e6613-db8c-4aec-8523-ad0902de0b81",
"value": "https://www.virustotal.com/file/171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824/analysis/1511881919/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}