misp-circl-feed/feeds/circl/stix-2.1/59a25cc4-e870-4bef-a7d1-48a802de0b81.json

886 lines
39 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--59a25cc4-e870-4bef-a7d1-48a802de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59a25cc4-e870-4bef-a7d1-48a802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"name": "OSINT - Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks",
"published": "2017-08-27T05:56:47Z",
"object_refs": [
"vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81",
"vulnerability--59a25cf6-9670-4c50-a443-409202de0b81",
"vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81",
"indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81",
"indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81",
"indicator--59a25d41-d920-44d6-a046-4bf002de0b81",
"indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81",
"indicator--59a25d41-ac30-47e6-832d-411102de0b81",
"indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81",
"x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81",
"x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81",
"observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81",
"indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81",
"indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81",
"observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81",
"url--59a25dec-f1ac-4268-8c34-b60e02de0b81",
"indicator--59a25dec-cd54-489e-ada2-b60e02de0b81",
"indicator--59a25dec-eb38-4439-88b3-b60e02de0b81",
"observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
"url--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
"indicator--59a25dec-5794-402f-a588-b60e02de0b81",
"indicator--59a25dec-2500-44c2-b562-b60e02de0b81",
"observed-data--59a25dec-0d44-442b-b613-b60e02de0b81",
"url--59a25dec-0d44-442b-b613-b60e02de0b81",
"indicator--59a25dec-a084-4101-8ba1-b60e02de0b81",
"indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81",
"observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81",
"url--59a25dec-6aa8-4213-a915-b60e02de0b81",
"indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81",
"indicator--59a25dec-355c-4c9b-8590-b60e02de0b81",
"observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81",
"url--59a25dec-c0d8-4432-a038-b60e02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"name": "CVE-2015-2545",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\"",
"circl:incident-classification=\"vulnerability\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-2545"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--59a25cf6-9670-4c50-a443-409202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"name": "CVE-2017-0261",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\"",
"circl:incident-classification=\"vulnerability\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-0261"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"name": "CVE-2017-0262",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\"",
"circl:incident-classification=\"vulnerability\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-0262"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"pattern": "[file:hashes.SHA256 = 'ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"pattern": "[file:hashes.SHA256 = '430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d41-d920-44d6-a046-4bf002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"pattern": "[file:hashes.SHA256 = '1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"pattern": "[file:hashes.SHA256 = 'e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d41-ac30-47e6-832d-411102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"pattern": "[file:hashes.SHA256 = '647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "Once the malware has managed to infect a system, it tries to connect to a server based in France over TCP port 80",
"pattern": "[url:value = 'http://137.74.224.142/z/get.php?name=3c6*****']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "When we dug deeper into the details of the \u00e2\u20ac\u02dcimage1.eps\u00e2\u20ac\u2122 file, we noticed two awkward strings that you normally wouldn\u00e2\u20ac\u2122t see in malware",
"x_misp_type": "pattern-in-file",
"x_misp_value": "%%Icantdestroywhatisntthere"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "When we dug deeper into the details of the \u00e2\u20ac\u02dcimage1.eps\u00e2\u20ac\u2122 file, we noticed two awkward strings that you normally wouldn\u00e2\u20ac\u2122t see in malware",
"x_misp_type": "pattern-in-file",
"x_misp_value": "%%Myheartisjusttoodarktocare"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"file--59a25dc1-ee70-4f02-9db8-b60e02de0b81"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0.docx'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
"name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0.docx"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"file--59a25dc1-7764-4a0b-89c0-b60e02de0b81"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d1\u0081\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u0192.docx'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
"name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d1\u0081\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u0192.docx"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5.docx'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
"name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5.docx"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"file--59a25dc1-36c4-412d-8b6d-b60e02de0b81"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5 \u00d0\u00ba\u00d0\u00bb\u00d0\u00b8\u00d0\u00b5\u00d0\u00bd\u00d1\u201a\u00d0\u00b0.docx'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
"name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5 \u00d0\u00ba\u00d0\u00bb\u00d0\u00b8\u00d0\u00b5\u00d0\u00bd\u00d1\u201a\u00d0\u00b0.docx"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"file--59a25dc1-9058-4d49-b0e9-b60e02de0b81"
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"is_multipart": true,
"body_multipart": [
{
"body_raw_ref": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"content_disposition": "attachment; filename='12.docx'"
}
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
"name": "12.docx"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers\u00e2\u20ac\u201dalways our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.\r\n\r\nThe attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.\r\n\r\nThe initial threat started with emails sent to the banks around August 10, 2017, and a second wave on August 18 that carried attachments containing a payload. The subject of the emails were triggered to get the attention of the users and lure them into opening the attachments."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
"pattern": "[file:hashes.SHA1 = '583570d92cc49ec7661c055c4900c439446307f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
"pattern": "[file:hashes.MD5 = '4eee1c5db5c4678cfa7ad6262a18253d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"url--59a25dec-f1ac-4268-8c34-b60e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a25dec-f1ac-4268-8c34-b60e02de0b81",
"value": "https://www.virustotal.com/file/647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51/analysis/1503366922/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-cd54-489e-ada2-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
"pattern": "[file:hashes.SHA1 = 'dfaa3825b6bf2fc21978bf3234f38ffbd2966b96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-eb38-4439-88b3-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
"pattern": "[file:hashes.MD5 = '98c5c33f5c0bd07ac3e24935edab202a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"url--59a25dec-7f9c-4fd1-8047-b60e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
"value": "https://www.virustotal.com/file/e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f/analysis/1503021378/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-5794-402f-a588-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
"pattern": "[file:hashes.SHA1 = 'a85e66a654ca056a14f64516af62e82c07036e06']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-2500-44c2-b562-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
"pattern": "[file:hashes.MD5 = 'cfc0b41a7cde01333f10d48e9997d293']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dec-0d44-442b-b613-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"url--59a25dec-0d44-442b-b613-b60e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a25dec-0d44-442b-b613-b60e02de0b81",
"value": "https://www.virustotal.com/file/1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6/analysis/1503475768/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-a084-4101-8ba1-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
"pattern": "[file:hashes.SHA1 = 'a8bcbaedfbd3eff1e3d5005c35bd8f4c4f6f325c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
"pattern": "[file:hashes.MD5 = '5df8067a6fcb6c45c3b5c14adb944806']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"url--59a25dec-6aa8-4213-a915-b60e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a25dec-6aa8-4213-a915-b60e02de0b81",
"value": "https://www.virustotal.com/file/430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952/analysis/1503474922/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
"pattern": "[file:hashes.SHA1 = '5983b31b80b7f3d84d9d0436574a7351d8522e9c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a25dec-355c-4c9b-8590-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
"pattern": "[file:hashes.MD5 = 'c43f1716d6dbb243f0b8cd92944a04bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-27T05:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-27T05:51:40.000Z",
"modified": "2017-08-27T05:51:40.000Z",
"first_observed": "2017-08-27T05:51:40Z",
"last_observed": "2017-08-27T05:51:40Z",
"number_observed": 1,
"object_refs": [
"url--59a25dec-c0d8-4432-a038-b60e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a25dec-c0d8-4432-a038-b60e02de0b81",
"value": "https://www.virustotal.com/file/ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d/analysis/1503475773/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}