misp-circl-feed/feeds/circl/stix-2.1/58e902cd-dae8-49b9-882b-186c02de0b81.json

932 lines
42 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--58e902cd-dae8-49b9-882b-186c02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58e902cd-dae8-49b9-882b-186c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"name": "OSINT - Analysis of Malware in Brazilian Bank Attack Reveals Prolonged Campaign",
"published": "2017-04-08T15:41:11Z",
"object_refs": [
"observed-data--58e902e7-686c-44a9-a6c6-46d302de0b81",
"url--58e902e7-686c-44a9-a6c6-46d302de0b81",
"x-misp-attribute--58e902fa-2778-4a63-a261-428802de0b81",
"indicator--58e903ac-8d0c-47a8-8958-4e7b02de0b81",
"indicator--58e903ad-a7c0-4abe-8bd8-453b02de0b81",
"indicator--58e903af-6394-4f04-9733-404302de0b81",
"indicator--58e903b0-c870-43b3-ac58-482902de0b81",
"indicator--58e903b1-b8dc-4c58-9323-458302de0b81",
"indicator--58e903b2-5110-43ca-839b-48a202de0b81",
"indicator--58e903d1-e914-495a-b29b-186802de0b81",
"indicator--58e903d2-ddac-48a3-b609-186802de0b81",
"indicator--58e903d3-d7e8-42d2-a77c-186802de0b81",
"indicator--58e903d4-fce4-4cf8-aaca-186802de0b81",
"indicator--58e903d5-d904-4f2a-9b5b-186802de0b81",
"indicator--58e903d6-7f34-4a11-864e-186802de0b81",
"indicator--58e903d7-b490-43ab-887b-186802de0b81",
"indicator--58e903d8-c32c-4310-b275-186802de0b81",
"indicator--58e903d9-2da8-4c77-88d8-186802de0b81",
"x-misp-attribute--58e903e9-6da0-4b79-8e52-186c02de0b81",
"indicator--58e9041c-9d0c-4c2f-8c3b-483602de0b81",
"indicator--58e9041d-9244-4755-ba63-4f3002de0b81",
"observed-data--58e9041e-89f0-4f32-b2fa-450d02de0b81",
"url--58e9041e-89f0-4f32-b2fa-450d02de0b81",
"indicator--58e9041f-8f8c-44b7-82bd-46ef02de0b81",
"indicator--58e90420-5e58-4ce0-a5a2-426202de0b81",
"observed-data--58e90421-9330-4368-b0b1-47c002de0b81",
"url--58e90421-9330-4368-b0b1-47c002de0b81",
"indicator--58e90422-95bc-46fc-9768-491902de0b81",
"indicator--58e90424-3f58-4f7e-96c4-4a6302de0b81",
"observed-data--58e90425-6ea0-4ba7-baeb-482102de0b81",
"url--58e90425-6ea0-4ba7-baeb-482102de0b81",
"indicator--58e90426-5768-426d-8ee6-468302de0b81",
"indicator--58e90427-6020-41a8-b8e5-4cd402de0b81",
"observed-data--58e90427-fd3c-4710-b14e-480d02de0b81",
"url--58e90427-fd3c-4710-b14e-480d02de0b81",
"indicator--58e90428-e7bc-48df-92d5-4e7a02de0b81",
"indicator--58e90429-2798-4faa-b1a9-4c5f02de0b81",
"observed-data--58e9042a-7cc4-4d68-97db-406c02de0b81",
"url--58e9042a-7cc4-4d68-97db-406c02de0b81",
"indicator--58e9042b-53a4-4e0c-85a2-4b2c02de0b81",
"indicator--58e9042c-91ac-4cb5-8f81-4b1602de0b81",
"observed-data--58e9042d-8c2c-4831-b31d-4b2602de0b81",
"url--58e9042d-8c2c-4831-b31d-4b2602de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:topic=\"finance\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:information-credibility=\"6\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e902e7-686c-44a9-a6c6-46d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"first_observed": "2017-04-08T15:38:48Z",
"last_observed": "2017-04-08T15:38:48Z",
"number_observed": 1,
"object_refs": [
"url--58e902e7-686c-44a9-a6c6-46d302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"likely\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e902e7-686c-44a9-a6c6-46d302de0b81",
"value": "https://blog.cyber4sight.com/2017/04/analysis-of-malware-in-brazilian-bank-attack-reveals-prolonged-campaign/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58e902fa-2778-4a63-a261-428802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"likely\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "During a security conference held on 4 April 2017, Kaspersky Lab revealed details of an attack in which attackers took control of dozens of domains owned by a Brazilian bank and leveraged this access to deliver malware and phishing pages to users. Our identification and analysis of the malware used in this campaign determined that it is a Java-based downloader that acquires and extracts a zip file from an IP address under the control of the attackers.\r\n\r\nThis zip contains several additional files, including a legitimate rootkit removal executable, a malicious DLL file, a text file used by the rootkit removal tool to delete antivirus programs, and a batch file used to leverage these files to install the malicious payload. Through further research, Cyber4Sight determined that this infection method dates back to at least 2009, but shared tools, techniques, and procedures (TTP) identified in other public sandbox reports suggest that the actor responsible for this attack likely continued their operations through April of this year."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903ac-8d0c-47a8-8958-4e7b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016.",
"pattern": "[file:hashes.MD5 = '95980f46ce76d862029b45908476532d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903ad-a7c0-4abe-8bd8-453b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231.",
"pattern": "[file:hashes.MD5 = 'cdd5f47935a2a45afff20b222124177d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903af-6394-4f04-9733-404302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231.",
"pattern": "[file:hashes.MD5 = '722050c1b3f110c0ac9f80bc80723407']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903b0-c870-43b3-ac58-482902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups.",
"pattern": "[file:hashes.MD5 = '907466374f7ef3787e4b8f8232a9c52e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903b1-b8dc-4c58-9323-458302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link.",
"pattern": "[file:hashes.MD5 = '74dee72c97399c308863a4cba5689f87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903b2-5110-43ca-839b-48a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"description": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism",
"pattern": "[file:hashes.MD5 = '28ef8b976f7c076b1651d57f30bbacee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d1-e914-495a-b29b-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.232.182']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d2-ddac-48a3-b609-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.230.149']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d3-d7e8-42d2-a77c-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.222.177.155']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d4-fce4-4cf8-aaca-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.237.196']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d5-d904-4f2a-9b5b-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '181.215.97.223']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d6-7f34-4a11-864e-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.159.215']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d7-b490-43ab-887b-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '208.113.128.118']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d8-c32c-4310-b275-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.178.111.39']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e903d9-2da8-4c77-88d8-186802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.141.164.210']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:38:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58e903e9-6da0-4b79-8e52-186c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:38:48.000Z",
"modified": "2017-04-08T15:38:48.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-location",
"x_misp_value": "BR"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e9041c-9d0c-4c2f-8c3b-483602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:08.000Z",
"modified": "2017-04-08T15:39:08.000Z",
"description": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism - Xchecked via VT: 28ef8b976f7c076b1651d57f30bbacee",
"pattern": "[file:hashes.SHA256 = 'bd61be5ad60f2b1af3dea88493107868d507c7671c17c3faf61df22b0e0e3d77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e9041d-9244-4755-ba63-4f3002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:09.000Z",
"modified": "2017-04-08T15:39:09.000Z",
"description": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism - Xchecked via VT: 28ef8b976f7c076b1651d57f30bbacee",
"pattern": "[file:hashes.SHA1 = '3c7a86e7194c2d5d2ce89912720fb8091e187066']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e9041e-89f0-4f32-b2fa-450d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:10.000Z",
"modified": "2017-04-08T15:39:10.000Z",
"first_observed": "2017-04-08T15:39:10Z",
"last_observed": "2017-04-08T15:39:10Z",
"number_observed": 1,
"object_refs": [
"url--58e9041e-89f0-4f32-b2fa-450d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e9041e-89f0-4f32-b2fa-450d02de0b81",
"value": "https://www.virustotal.com/file/bd61be5ad60f2b1af3dea88493107868d507c7671c17c3faf61df22b0e0e3d77/analysis/1491468051/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e9041f-8f8c-44b7-82bd-46ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:11.000Z",
"modified": "2017-04-08T15:39:11.000Z",
"description": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link. - Xchecked via VT: 74dee72c97399c308863a4cba5689f87",
"pattern": "[file:hashes.SHA256 = '44aa0025d46e9ddf5a56914115e5ebd59bd825556e42644c382c06fb1c81fdb2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90420-5e58-4ce0-a5a2-426202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:12.000Z",
"modified": "2017-04-08T15:39:12.000Z",
"description": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link. - Xchecked via VT: 74dee72c97399c308863a4cba5689f87",
"pattern": "[file:hashes.SHA1 = '62f37b93270b424b7bda905f0b8b4bd5057751c2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e90421-9330-4368-b0b1-47c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:13.000Z",
"modified": "2017-04-08T15:39:13.000Z",
"first_observed": "2017-04-08T15:39:13Z",
"last_observed": "2017-04-08T15:39:13Z",
"number_observed": 1,
"object_refs": [
"url--58e90421-9330-4368-b0b1-47c002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e90421-9330-4368-b0b1-47c002de0b81",
"value": "https://www.virustotal.com/file/44aa0025d46e9ddf5a56914115e5ebd59bd825556e42644c382c06fb1c81fdb2/analysis/1491375986/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90422-95bc-46fc-9768-491902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:14.000Z",
"modified": "2017-04-08T15:39:14.000Z",
"description": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups. - Xchecked via VT: 907466374f7ef3787e4b8f8232a9c52e",
"pattern": "[file:hashes.SHA256 = 'f808b3f0ebc605e9c73d579997b2b1b8bfbed78656ba4f6e96d6daac028a7427']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90424-3f58-4f7e-96c4-4a6302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:16.000Z",
"modified": "2017-04-08T15:39:16.000Z",
"description": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups. - Xchecked via VT: 907466374f7ef3787e4b8f8232a9c52e",
"pattern": "[file:hashes.SHA1 = 'cc655b747087cc161ceafee69f001cad650bbd96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e90425-6ea0-4ba7-baeb-482102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:17.000Z",
"modified": "2017-04-08T15:39:17.000Z",
"first_observed": "2017-04-08T15:39:17Z",
"last_observed": "2017-04-08T15:39:17Z",
"number_observed": 1,
"object_refs": [
"url--58e90425-6ea0-4ba7-baeb-482102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e90425-6ea0-4ba7-baeb-482102de0b81",
"value": "https://www.virustotal.com/file/f808b3f0ebc605e9c73d579997b2b1b8bfbed78656ba4f6e96d6daac028a7427/analysis/1491592255/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90426-5768-426d-8ee6-468302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:18.000Z",
"modified": "2017-04-08T15:39:18.000Z",
"description": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: 722050c1b3f110c0ac9f80bc80723407",
"pattern": "[file:hashes.SHA256 = '32153446ba27778f4731c9acbba3df6e66071a49d12f4079c5f1b29097f790a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90427-6020-41a8-b8e5-4cd402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:19.000Z",
"modified": "2017-04-08T15:39:19.000Z",
"description": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: 722050c1b3f110c0ac9f80bc80723407",
"pattern": "[file:hashes.SHA1 = '8764a362913f379a844dab0fb49b51b526ac2fe1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e90427-fd3c-4710-b14e-480d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:19.000Z",
"modified": "2017-04-08T15:39:19.000Z",
"first_observed": "2017-04-08T15:39:19Z",
"last_observed": "2017-04-08T15:39:19Z",
"number_observed": 1,
"object_refs": [
"url--58e90427-fd3c-4710-b14e-480d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e90427-fd3c-4710-b14e-480d02de0b81",
"value": "https://www.virustotal.com/file/32153446ba27778f4731c9acbba3df6e66071a49d12f4079c5f1b29097f790a4/analysis/1482681227/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90428-e7bc-48df-92d5-4e7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:20.000Z",
"modified": "2017-04-08T15:39:20.000Z",
"description": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: cdd5f47935a2a45afff20b222124177d",
"pattern": "[file:hashes.SHA256 = 'f7c50c386c0800781258809f01a2fde67bb5896282178e400b78cb0b21bb1247']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e90429-2798-4faa-b1a9-4c5f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:21.000Z",
"modified": "2017-04-08T15:39:21.000Z",
"description": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: cdd5f47935a2a45afff20b222124177d",
"pattern": "[file:hashes.SHA1 = 'f6d4c612acd7e1864b7ae3490fcc4f962d6ff8e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e9042a-7cc4-4d68-97db-406c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:22.000Z",
"modified": "2017-04-08T15:39:22.000Z",
"first_observed": "2017-04-08T15:39:22Z",
"last_observed": "2017-04-08T15:39:22Z",
"number_observed": 1,
"object_refs": [
"url--58e9042a-7cc4-4d68-97db-406c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e9042a-7cc4-4d68-97db-406c02de0b81",
"value": "https://www.virustotal.com/file/f7c50c386c0800781258809f01a2fde67bb5896282178e400b78cb0b21bb1247/analysis/1491592256/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e9042b-53a4-4e0c-85a2-4b2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:23.000Z",
"modified": "2017-04-08T15:39:23.000Z",
"description": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016. - Xchecked via VT: 95980f46ce76d862029b45908476532d",
"pattern": "[file:hashes.SHA256 = 'cd73460714bf2dc2326b3eef53d707b00ad64131a529ed27b2ba07362799a7dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e9042c-91ac-4cb5-8f81-4b1602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:24.000Z",
"modified": "2017-04-08T15:39:24.000Z",
"description": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016. - Xchecked via VT: 95980f46ce76d862029b45908476532d",
"pattern": "[file:hashes.SHA1 = '5b70fca8c5f6e312f9633cb9eeea10bfd3384f86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-08T15:39:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e9042d-8c2c-4831-b31d-4b2602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-08T15:39:25.000Z",
"modified": "2017-04-08T15:39:25.000Z",
"first_observed": "2017-04-08T15:39:25Z",
"last_observed": "2017-04-08T15:39:25Z",
"number_observed": 1,
"object_refs": [
"url--58e9042d-8c2c-4831-b31d-4b2602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e9042d-8c2c-4831-b31d-4b2602de0b81",
"value": "https://www.virustotal.com/file/cd73460714bf2dc2326b3eef53d707b00ad64131a529ed27b2ba07362799a7dc/analysis/1477399542/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}